Malware analysis 0422d000-f76f-40aa-8285-d3afaf818b2c Malicious activity

Add for printing

File name:	0422d000-f76f-40aa-8285-d3afaf818b2c
Full analysis:	https://app.any.run/tasks/c9f0d62f-6386-4689-9aae-061043836d87
Verdict:	Malicious activity
Analysis date:	August 16, 2024, 18:58:02
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	upx
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	02A8CBCC407D9D37ECCA84EA687BD128
SHA1:	9934FF1457FB354B30444FEB0F3681307DB0B08B
SHA256:	D16B1B54A74B79BC0FA3791D8B04850E34D9DE40A31480FA89CE902394047DCE
SSDEEP:	98304:pFpdYkE+y94O9EMBNlsmqVlDFmFqjUTwFWfE5lNC9Gy6KfIjnrnCNy5mWI8CLYu0:hsVTBJLWALYrYsZg2Dt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Changes the autorun value in the registry
  - FGA64.exe (PID: 6928)
SUSPICIOUS
- Executable content was dropped or overwritten
  - FolderGuard-23.5-setup.exe (PID: 7092)
  - Setup64.exe (PID: 6276)
  - folderguard.pro.x64-patch-20.10+.exe (PID: 6700)
  - folderguard.pro.x32-patch-20.10+.exe (PID: 5988)
  - folderguard.pro.x64-patch-20.10+.exe (PID: 2932)
- Reads security settings of Internet Explorer
  - WinRAR.exe (PID: 6492)
  - FolderGuard-23.5-setup.exe (PID: 7092)
  - Setup64.exe (PID: 6276)
  - FG64.exe (PID: 6484)
  - FGA64.exe (PID: 6928)
  - folderguard.pro.x64-patch-20.10+.exe (PID: 2932)
  - folderguard.pro.x32-patch-20.10+.exe (PID: 5988)
  - FG64.exe (PID: 7088)
  - FG64.exe (PID: 6356)
- Drops the executable file immediately after the start
  - FolderGuard-23.5-setup.exe (PID: 7092)
  - Setup64.exe (PID: 6276)
  - folderguard.pro.x64-patch-20.10+.exe (PID: 6700)
  - folderguard.pro.x32-patch-20.10+.exe (PID: 5988)
  - folderguard.pro.x64-patch-20.10+.exe (PID: 2932)
- Drops a system driver (possible attempt to evade defenses)
  - FolderGuard-23.5-setup.exe (PID: 7092)
  - Setup64.exe (PID: 6276)
- Reads the date of Windows installation
  - FolderGuard-23.5-setup.exe (PID: 7092)
  - Setup64.exe (PID: 6276)
  - FG64.exe (PID: 6484)
  - FG64.exe (PID: 7088)
  - FG64.exe (PID: 6356)
- Searches for installed software
  - Setup64.exe (PID: 6276)
  - dllhost.exe (PID: 6948)
- Executes as Windows Service
  - VSSVC.exe (PID: 6888)
  - FG64.exe (PID: 2080)
- Creates a software uninstall entry
  - Setup64.exe (PID: 6276)
- Creates/Modifies COM task schedule object
  - Setup64.exe (PID: 6276)
  - FGA64.exe (PID: 6928)
- Creates file in the systems drive root
  - folderguard.pro.x64-patch-20.10+.exe (PID: 2932)
  - folderguard.pro.x32-patch-20.10+.exe (PID: 5988)
- Application launched itself
  - FG64.exe (PID: 7088)
INFO
- Create files in a temporary directory
  - FolderGuard-23.5-setup.exe (PID: 7092)
  - Setup64.exe (PID: 6276)
  - folderguard.pro.x64-patch-20.10+.exe (PID: 6700)
  - folderguard.pro.x64-patch-20.10+.exe (PID: 2932)
  - folderguard.pro.x32-patch-20.10+.exe (PID: 5988)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 6492)
- Checks supported languages
  - FolderGuard-23.5-setup.exe (PID: 7092)
  - Setup64.exe (PID: 6276)
  - FG64.exe (PID: 6484)
  - FGA64.exe (PID: 6928)
  - FG64.exe (PID: 2080)
  - TextInputHost.exe (PID: 7032)
  - folderguard.pro.x64-patch-20.10+.exe (PID: 6700)
  - FG64.exe (PID: 7088)
  - folderguard.pro.x64-patch-20.10+.exe (PID: 2932)
  - folderguard.pro.x32-patch-20.10+.exe (PID: 5988)
  - FG64.exe (PID: 644)
  - FG64.exe (PID: 6356)
  - FGA64.exe (PID: 4672)
  - FG64.exe (PID: 4424)
- Manual execution by a user
  - FolderGuard-23.5-setup.exe (PID: 7092)
  - FG64.exe (PID: 7088)
  - folderguard.pro.x64-patch-20.10+.exe (PID: 5944)
  - folderguard.pro.x64-patch-20.10+.exe (PID: 6700)
  - folderguard.pro.x64-patch-20.10+.exe (PID: 2932)
  - folderguard.pro.x32-patch-20.10+.exe (PID: 2340)
  - folderguard.pro.x32-patch-20.10+.exe (PID: 5988)
- Reads the computer name
  - FolderGuard-23.5-setup.exe (PID: 7092)
  - Setup64.exe (PID: 6276)
  - FG64.exe (PID: 6484)
  - FGA64.exe (PID: 6928)
  - FG64.exe (PID: 2080)
  - FG64.exe (PID: 7088)
  - TextInputHost.exe (PID: 7032)
  - folderguard.pro.x64-patch-20.10+.exe (PID: 6700)
  - folderguard.pro.x64-patch-20.10+.exe (PID: 2932)
  - folderguard.pro.x32-patch-20.10+.exe (PID: 5988)
  - FG64.exe (PID: 4424)
  - FG64.exe (PID: 6356)
  - FG64.exe (PID: 644)
  - FGA64.exe (PID: 4672)
- Process checks computer location settings
  - FolderGuard-23.5-setup.exe (PID: 7092)
  - Setup64.exe (PID: 6276)
  - FG64.exe (PID: 6484)
  - FG64.exe (PID: 7088)
  - FG64.exe (PID: 6356)
- UPX packer has been detected
  - FolderGuard-23.5-setup.exe (PID: 7092)
- Creates files in the program directory
  - Setup64.exe (PID: 6276)
  - FGA64.exe (PID: 6928)
- Creates files or folders in the user directory
  - Setup64.exe (PID: 6276)
  - FGA64.exe (PID: 6928)
- Reads the machine GUID from the registry
  - FGA64.exe (PID: 6928)
- Reads Microsoft Office registry keys
  - folderguard.pro.x32-patch-20.10+.exe (PID: 5988)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

164

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

644

"C:\Program Files\Folder Guard\FG64.exe"

C:\Program Files\Folder Guard\FG64.exe

—

FG64.exe

User:

admin

Company:

WinAbility® Software Corporation

Integrity Level:

MEDIUM

Description:

Folder Guard

Exit code:

Version:

23.5

Modules

Images
c:\program files\folder guard\fg64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\program files\folder guard\fgh64.dll

2080

"C:\Program Files\Folder Guard\FG64.exe" /service

C:\Program Files\Folder Guard\FG64.exe

—

services.exe

User:

SYSTEM

Company:

WinAbility® Software Corporation

Integrity Level:

SYSTEM

Description:

Folder Guard

Version:

23.5

Modules

Images
c:\program files\folder guard\fg64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

2340

"C:\Users\admin\Desktop\Folder Guard 23.5 Multilingual [PeskTop.com]\fix\folderguard.pro.x32-patch-20.10+.exe"

C:\Users\admin\Desktop\Folder Guard 23.5 Multilingual [PeskTop.com]\fix\folderguard.pro.x32-patch-20.10+.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

3221226540

Modules

Images
c:\users\admin\desktop\folder guard 23.5 multilingual [pesktop.com]\fix\folderguard.pro.x32-patch-20.10+.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

2932

"C:\Users\admin\Desktop\Folder Guard 23.5 Multilingual [PeskTop.com]\fix\folderguard.pro.x64-patch-20.10+.exe"

C:\Users\admin\Desktop\Folder Guard 23.5 Multilingual [PeskTop.com]\fix\folderguard.pro.x64-patch-20.10+.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\desktop\folder guard 23.5 multilingual [pesktop.com]\fix\folderguard.pro.x64-patch-20.10+.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\users\admin\appdata\local\temp\dup2patcher.dll

4424

"C:\Program Files\Folder Guard\FG64.exe"

C:\Program Files\Folder Guard\FG64.exe

—

FG64.exe

User:

admin

Company:

WinAbility® Software Corporation

Integrity Level:

MEDIUM

Description:

Folder Guard

Exit code:

Version:

23.5

Modules

Images
c:\program files\folder guard\fg64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\program files\folder guard\fguard64.dll
c:\windows\system32\gdi32full.dll

4672

"C:\Program Files\Folder Guard\FGA64.exe"

C:\Program Files\Folder Guard\FGA64.exe

FG64.exe

User:

admin

Company:

WinAbility® Software Corporation

Integrity Level:

HIGH

Description:

Folder Guard Application

Version:

23.5

Modules

Images
c:\program files\folder guard\fga64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\program files\folder guard\fguard64.dll

5196

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

SrTasks.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

5944

"C:\Users\admin\Desktop\Folder Guard 23.5 Multilingual [PeskTop.com]\fix\folderguard.pro.x64-patch-20.10+.exe"

C:\Users\admin\Desktop\Folder Guard 23.5 Multilingual [PeskTop.com]\fix\folderguard.pro.x64-patch-20.10+.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

3221226540

Modules

Images
c:\users\admin\desktop\folder guard 23.5 multilingual [pesktop.com]\fix\folderguard.pro.x64-patch-20.10+.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

5988

"C:\Users\admin\Desktop\Folder Guard 23.5 Multilingual [PeskTop.com]\fix\folderguard.pro.x32-patch-20.10+.exe"

C:\Users\admin\Desktop\Folder Guard 23.5 Multilingual [PeskTop.com]\fix\folderguard.pro.x32-patch-20.10+.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\desktop\folder guard 23.5 multilingual [pesktop.com]\fix\folderguard.pro.x32-patch-20.10+.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\users\admin\appdata\local\temp\dup2patcher.dll

6180

C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:12

C:\Windows\System32\SrTasks.exe

—

dllhost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft® Windows System Protection background tasks.

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

Add for printing

Total events

50 412

Read events

49 379

Write events

909

Delete events

124

Modification events


(PID) Process:	(6492) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(6492) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(6492) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(6492) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\0422d000-f76f-40aa-8285-d3afaf818b2c.rar
(PID) Process:	(6492) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6492) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6492) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6492) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6492) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:	write	Name:	@C:\Windows\System32\ieframe.dll,-10046
Value: Internet Shortcut
(PID) Process:	(6492) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:	write	Name:	ShowPassword
Value: 0

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6492	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb6492.854\Folder Guard 23.5 Multilingual [PeskTop.com]\fix\folderguard.pro.x64-patch-20.10+.exe		executable
		MD5:378DB0133E8261739808774EE28A2E15	SHA256:1CAA706D35268C1C999DCE3063B211C8C2F123198124C2999B581DB66E8CA6E5
7092	FolderGuard-23.5-setup.exe	C:\Users\admin\AppData\Local\Temp\~FG.TMP\FG_ERU64.exe		executable
		MD5:7EDC9A3E58016AF2E8CD9ACFE92EF08E	SHA256:BB40A43172DD55A91BA5C68E7400930BA372EE00C446D5E9D8187664A28DC4E1
7092	FolderGuard-23.5-setup.exe	C:\Users\admin\AppData\Local\Temp\~FG.TMP\FGREMU.EXE		executable
		MD5:F65233D3B9E539BAD67695EA29F619C9	SHA256:30485233E2D0DC7374E15E149FCCFB2A74A90F784D7D509E5E1EDA7427AD5037
7092	FolderGuard-23.5-setup.exe	C:\Users\admin\AppData\Local\Temp\~FG.TMP\Setup64.exe		executable
		MD5:246626E06F9774088EF8C6FD8315C5AD	SHA256:56B505077A432E27A5E74EBB89C22BAF4CD2C0FE41CCA6C2694148FB46786E36
7092	FolderGuard-23.5-setup.exe	C:\Users\admin\AppData\Local\Temp\~FG.TMP\FGUARD64.dll		executable
		MD5:5F07C9921ADF4E3336285F51CE8A9B60	SHA256:886C6525101EFD64DB15FFF25C74FC67A1697AE4E1164CE08F80AF135D0157EF
7092	FolderGuard-23.5-setup.exe	C:\Users\admin\AppData\Local\Temp\~FG.TMP\FGH64.dll		executable
		MD5:9026BD30BB531C872BD7327416DADEF0	SHA256:E6C0746DB64193C5D383E845F30D7547D024F1BCBBD8A03E08ABCCB0923C8A63
6276	Setup64.exe	C:\Users\admin\AppData\Local\Temp\~DF1AEBE57E29B4ED02.TMP		binary
		MD5:17E65ADF80813DCADBF84578869C01D2	SHA256:979EE141F06B381FDC94AE23A05736D781CB9A52552235E05850E71594880380
7092	FolderGuard-23.5-setup.exe	C:\Users\admin\AppData\Local\Temp\~FG.TMP\FGA64.exe		executable
		MD5:E42CB7F71A137DC1CA5E637E5912CD3B	SHA256:65A23FA28CD1E183C880A8500FD84A443B7A9A35497C16C527BDB5DF4A965DE8
7092	FolderGuard-23.5-setup.exe	C:\Users\admin\AppData\Local\Temp\~FG.TMP\FGUARD64.sys		executable
		MD5:90289A0395E6B951C6FA7EFDEF3FC950	SHA256:98FC555F6806E3CF629FE9D1B605A1F5E528FC06A28CF2B1967475D74A52DEE9
6492	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb6492.854\Folder Guard 23.5 Multilingual [PeskTop.com]\fix\folderguard.pro.x32-patch-20.10+.exe		executable
		MD5:8C4966D30F771E0337384C557BCF684D	SHA256:2083E7629829DAB1A01BF09D032CEEFA3217EFD4FAA12716A7F444F04A05F68B

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
5992	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5992	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6872	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
6816	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	192.168.100.255:138	—	—	—	whitelisted
2120	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
1116	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5600	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5600	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5336	SearchApp.exe	104.126.37.160:443	www.bing.com	Akamai International B.V.	DE	unknown
5336	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
5992	svchost.exe	20.190.159.75:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.250.185.142	whitelisted
settings-win.data.microsoft.com	4.231.128.59 20.73.194.208	whitelisted
www.bing.com	104.126.37.160 104.126.37.130 104.126.37.139 104.126.37.163 104.126.37.171 104.126.37.186 104.126.37.153 104.126.37.170 104.126.37.128 104.126.37.155 104.126.37.131	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	20.190.159.75 40.126.31.73 20.190.159.64 20.190.159.23 20.190.159.4 40.126.31.67 20.190.159.0 20.190.159.71	whitelisted
client.wns.windows.com	40.115.3.253 40.113.110.67	whitelisted
th.bing.com	104.126.37.153 104.126.37.139 104.126.37.171 104.126.37.160 104.126.37.170 104.126.37.169 104.126.37.162 104.126.37.155 104.126.37.131	whitelisted
arc.msn.com	20.103.156.88	whitelisted
fd.api.iris.microsoft.com	20.103.156.88	whitelisted
slscr.update.microsoft.com	20.12.23.50	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

0422d000-f76f-40aa-8285-d3afaf818b2c

02A8CBCC407D9D37ECCA84EA687BD128

9934FF1457FB354B30444FEB0F3681307DB0B08B

D16B1B54A74B79BC0FA3791D8B04850E34D9DE40A31480FA89CE902394047DCE

98304:pFpdYkE+y94O9EMBNlsmqVlDFmFqjUTwFWfE5lNC9Gy6KfIjnrnCNy5mWI8CLYu0:hsVTBJLWALYrYsZg2Dt

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Drops the executable file immediately after the start

Drops a system driver (possible attempt to evade defenses)

Reads the date of Windows installation

Searches for installed software

Executes as Windows Service

Creates a software uninstall entry

Creates/Modifies COM task schedule object

Creates file in the systems drive root

Application launched itself

INFO

Create files in a temporary directory

Executable content was dropped or overwritten

Checks supported languages

Manual execution by a user

Reads the computer name

Process checks computer location settings

UPX packer has been detected

Creates files in the program directory

Creates files or folders in the user directory

Reads the machine GUID from the registry

Reads Microsoft Office registry keys

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings