Malware analysis 0422d000-f76f-40aa-8285-d3afaf818b2c Malicious activity

Add for printing

File name:	0422d000-f76f-40aa-8285-d3afaf818b2c
Full analysis:	https://app.any.run/tasks/c9f0d62f-6386-4689-9aae-061043836d87
Verdict:	Malicious activity
Analysis date:	August 16, 2024, 18:58:02
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	upx
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	02A8CBCC407D9D37ECCA84EA687BD128
SHA1:	9934FF1457FB354B30444FEB0F3681307DB0B08B
SHA256:	D16B1B54A74B79BC0FA3791D8B04850E34D9DE40A31480FA89CE902394047DCE
SSDEEP:	98304:pFpdYkE+y94O9EMBNlsmqVlDFmFqjUTwFWfE5lNC9Gy6KfIjnrnCNy5mWI8CLYu0:hsVTBJLWALYrYsZg2Dt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Changes the autorun value in the registry
  - FGA64.exe (PID: 6928)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - WinRAR.exe (PID: 6492)
  - FolderGuard-23.5-setup.exe (PID: 7092)
  - Setup64.exe (PID: 6276)
  - FG64.exe (PID: 6484)
  - FGA64.exe (PID: 6928)
  - folderguard.pro.x32-patch-20.10+.exe (PID: 5988)
  - FG64.exe (PID: 7088)
  - folderguard.pro.x64-patch-20.10+.exe (PID: 2932)
  - FG64.exe (PID: 6356)
- Drops a system driver (possible attempt to evade defenses)
  - FolderGuard-23.5-setup.exe (PID: 7092)
  - Setup64.exe (PID: 6276)
- Executable content was dropped or overwritten
  - FolderGuard-23.5-setup.exe (PID: 7092)
  - Setup64.exe (PID: 6276)
  - folderguard.pro.x64-patch-20.10+.exe (PID: 6700)
  - folderguard.pro.x64-patch-20.10+.exe (PID: 2932)
  - folderguard.pro.x32-patch-20.10+.exe (PID: 5988)
- Drops the executable file immediately after the start
  - FolderGuard-23.5-setup.exe (PID: 7092)
  - Setup64.exe (PID: 6276)
  - folderguard.pro.x64-patch-20.10+.exe (PID: 6700)
  - folderguard.pro.x64-patch-20.10+.exe (PID: 2932)
  - folderguard.pro.x32-patch-20.10+.exe (PID: 5988)
- Reads the date of Windows installation
  - FolderGuard-23.5-setup.exe (PID: 7092)
  - Setup64.exe (PID: 6276)
  - FG64.exe (PID: 6484)
  - FG64.exe (PID: 7088)
  - FG64.exe (PID: 6356)
- Creates/Modifies COM task schedule object
  - Setup64.exe (PID: 6276)
  - FGA64.exe (PID: 6928)
- Creates a software uninstall entry
  - Setup64.exe (PID: 6276)
- Searches for installed software
  - dllhost.exe (PID: 6948)
  - Setup64.exe (PID: 6276)
- Executes as Windows Service
  - VSSVC.exe (PID: 6888)
  - FG64.exe (PID: 2080)
- Creates file in the systems drive root
  - folderguard.pro.x32-patch-20.10+.exe (PID: 5988)
  - folderguard.pro.x64-patch-20.10+.exe (PID: 2932)
- Application launched itself
  - FG64.exe (PID: 7088)
INFO
- Manual execution by a user
  - FolderGuard-23.5-setup.exe (PID: 7092)
  - FG64.exe (PID: 7088)
  - folderguard.pro.x64-patch-20.10+.exe (PID: 5944)
  - folderguard.pro.x64-patch-20.10+.exe (PID: 6700)
  - folderguard.pro.x64-patch-20.10+.exe (PID: 2932)
  - folderguard.pro.x32-patch-20.10+.exe (PID: 2340)
  - folderguard.pro.x32-patch-20.10+.exe (PID: 5988)
- Checks supported languages
  - FolderGuard-23.5-setup.exe (PID: 7092)
  - Setup64.exe (PID: 6276)
  - FG64.exe (PID: 6484)
  - FGA64.exe (PID: 6928)
  - FG64.exe (PID: 2080)
  - FG64.exe (PID: 7088)
  - TextInputHost.exe (PID: 7032)
  - folderguard.pro.x64-patch-20.10+.exe (PID: 6700)
  - folderguard.pro.x64-patch-20.10+.exe (PID: 2932)
  - FG64.exe (PID: 4424)
  - FG64.exe (PID: 644)
  - folderguard.pro.x32-patch-20.10+.exe (PID: 5988)
  - FG64.exe (PID: 6356)
  - FGA64.exe (PID: 4672)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 6492)
- Create files in a temporary directory
  - FolderGuard-23.5-setup.exe (PID: 7092)
  - Setup64.exe (PID: 6276)
  - folderguard.pro.x64-patch-20.10+.exe (PID: 6700)
  - folderguard.pro.x64-patch-20.10+.exe (PID: 2932)
  - folderguard.pro.x32-patch-20.10+.exe (PID: 5988)
- Reads the computer name
  - FolderGuard-23.5-setup.exe (PID: 7092)
  - Setup64.exe (PID: 6276)
  - FGA64.exe (PID: 6928)
  - TextInputHost.exe (PID: 7032)
  - FG64.exe (PID: 2080)
  - FG64.exe (PID: 7088)
  - FG64.exe (PID: 6484)
  - folderguard.pro.x64-patch-20.10+.exe (PID: 6700)
  - folderguard.pro.x32-patch-20.10+.exe (PID: 5988)
  - FG64.exe (PID: 4424)
  - folderguard.pro.x64-patch-20.10+.exe (PID: 2932)
  - FG64.exe (PID: 6356)
  - FGA64.exe (PID: 4672)
  - FG64.exe (PID: 644)
- Process checks computer location settings
  - FolderGuard-23.5-setup.exe (PID: 7092)
  - Setup64.exe (PID: 6276)
  - FG64.exe (PID: 6484)
  - FG64.exe (PID: 6356)
  - FG64.exe (PID: 7088)
- Creates files in the program directory
  - Setup64.exe (PID: 6276)
  - FGA64.exe (PID: 6928)
- Creates files or folders in the user directory
  - Setup64.exe (PID: 6276)
  - FGA64.exe (PID: 6928)
- UPX packer has been detected
  - FolderGuard-23.5-setup.exe (PID: 7092)
- Reads the machine GUID from the registry
  - FGA64.exe (PID: 6928)
- Reads Microsoft Office registry keys
  - folderguard.pro.x32-patch-20.10+.exe (PID: 5988)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

164

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

644

"C:\Program Files\Folder Guard\FG64.exe"

C:\Program Files\Folder Guard\FG64.exe

—

FG64.exe

User:

admin

Company:

WinAbility® Software Corporation

Integrity Level:

MEDIUM

Description:

Folder Guard

Exit code:

Version:

23.5

Modules

Images
c:\program files\folder guard\fg64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\program files\folder guard\fgh64.dll

2080

"C:\Program Files\Folder Guard\FG64.exe" /service

C:\Program Files\Folder Guard\FG64.exe

—

services.exe

User:

SYSTEM

Company:

WinAbility® Software Corporation

Integrity Level:

SYSTEM

Description:

Folder Guard

Version:

23.5

Modules

Images
c:\program files\folder guard\fg64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

2340

"C:\Users\admin\Desktop\Folder Guard 23.5 Multilingual [PeskTop.com]\fix\folderguard.pro.x32-patch-20.10+.exe"

C:\Users\admin\Desktop\Folder Guard 23.5 Multilingual [PeskTop.com]\fix\folderguard.pro.x32-patch-20.10+.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

3221226540

Modules

Images
c:\users\admin\desktop\folder guard 23.5 multilingual [pesktop.com]\fix\folderguard.pro.x32-patch-20.10+.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

2932

"C:\Users\admin\Desktop\Folder Guard 23.5 Multilingual [PeskTop.com]\fix\folderguard.pro.x64-patch-20.10+.exe"

C:\Users\admin\Desktop\Folder Guard 23.5 Multilingual [PeskTop.com]\fix\folderguard.pro.x64-patch-20.10+.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\desktop\folder guard 23.5 multilingual [pesktop.com]\fix\folderguard.pro.x64-patch-20.10+.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\users\admin\appdata\local\temp\dup2patcher.dll

4424

"C:\Program Files\Folder Guard\FG64.exe"

C:\Program Files\Folder Guard\FG64.exe

—

FG64.exe

User:

admin

Company:

WinAbility® Software Corporation

Integrity Level:

MEDIUM

Description:

Folder Guard

Exit code:

Version:

23.5

Modules

Images
c:\program files\folder guard\fg64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\program files\folder guard\fguard64.dll
c:\windows\system32\gdi32full.dll

4672

"C:\Program Files\Folder Guard\FGA64.exe"

C:\Program Files\Folder Guard\FGA64.exe

FG64.exe

User:

admin

Company:

WinAbility® Software Corporation

Integrity Level:

HIGH

Description:

Folder Guard Application

Version:

23.5

Modules

Images
c:\program files\folder guard\fga64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\combase.dll
c:\program files\folder guard\fguard64.dll

5196

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

SrTasks.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

5944

"C:\Users\admin\Desktop\Folder Guard 23.5 Multilingual [PeskTop.com]\fix\folderguard.pro.x64-patch-20.10+.exe"

C:\Users\admin\Desktop\Folder Guard 23.5 Multilingual [PeskTop.com]\fix\folderguard.pro.x64-patch-20.10+.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

3221226540

Modules

Images
c:\users\admin\desktop\folder guard 23.5 multilingual [pesktop.com]\fix\folderguard.pro.x64-patch-20.10+.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

5988

"C:\Users\admin\Desktop\Folder Guard 23.5 Multilingual [PeskTop.com]\fix\folderguard.pro.x32-patch-20.10+.exe"

C:\Users\admin\Desktop\Folder Guard 23.5 Multilingual [PeskTop.com]\fix\folderguard.pro.x32-patch-20.10+.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\desktop\folder guard 23.5 multilingual [pesktop.com]\fix\folderguard.pro.x32-patch-20.10+.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\users\admin\appdata\local\temp\dup2patcher.dll

6180

C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:12

C:\Windows\System32\SrTasks.exe

—

dllhost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft® Windows System Protection background tasks.

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\srtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

Add for printing

Total events

50 412

Read events

49 379

Write events

909

Delete events

124

Modification events


(PID) Process:	(6492) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtBMP
Value:
(PID) Process:	(6492) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes
Operation:	write	Name:	ShellExtIcon
Value:
(PID) Process:	(6492) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(6492) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\0422d000-f76f-40aa-8285-d3afaf818b2c.rar
(PID) Process:	(6492) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6492) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6492) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6492) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(6492) WinRAR.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation:	write	Name:	@C:\Windows\System32\ieframe.dll,-10046
Value: Internet Shortcut
(PID) Process:	(6492) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:	write	Name:	ShowPassword
Value: 0

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6492	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb6492.854\Folder Guard 23.5 Multilingual [PeskTop.com]\fix\folderguard.pro.x32-patch-20.10+.exe		executable
		MD5:8C4966D30F771E0337384C557BCF684D	SHA256:2083E7629829DAB1A01BF09D032CEEFA3217EFD4FAA12716A7F444F04A05F68B
7092	FolderGuard-23.5-setup.exe	C:\Users\admin\AppData\Local\Temp\~FG.TMP\FGH64.dll		executable
		MD5:9026BD30BB531C872BD7327416DADEF0	SHA256:E6C0746DB64193C5D383E845F30D7547D024F1BCBBD8A03E08ABCCB0923C8A63
6492	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb6492.854\Folder Guard 23.5 Multilingual [PeskTop.com]\FolderGuard-23.5-setup.exe		executable
		MD5:B15FE755A333A619572B73C418455E39	SHA256:9CE1233A498965E3C1A658922CC8447E2AD3F899B10107CC95B3C971AFFC8DAF
6492	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb6492.854\Folder Guard 23.5 Multilingual [PeskTop.com]\fix\keygen.exe		executable
		MD5:88210A0094BD1051DCDEFFD9CE59665F	SHA256:AF0326224E6B65A402FE202E225FEFC72241055946D93ABCAC61A24316C47889
7092	FolderGuard-23.5-setup.exe	C:\Users\admin\AppData\Local\Temp\~FG.TMP\Setup64.exe		executable
		MD5:246626E06F9774088EF8C6FD8315C5AD	SHA256:56B505077A432E27A5E74EBB89C22BAF4CD2C0FE41CCA6C2694148FB46786E36
6276	Setup64.exe	C:\Users\admin\AppData\Local\Temp\~DFE02942E8A621D2EB.TMP		binary
		MD5:CA13F76F0B45C414200CF734EF2CA0F8	SHA256:46618E9BC7A70E9CF7425C438889A90CD33E05437EBEE7A7B360F5760BD39925
7092	FolderGuard-23.5-setup.exe	C:\Users\admin\AppData\Local\Temp\~FG.TMP\FG64.exe		executable
		MD5:D18CBF5CFAEC9FAEFAE70829061FCCF8	SHA256:FFA354AA02B81BA862FD34E5A35B4C52E71FE4EE187ADFD75CD362369F523016
7092	FolderGuard-23.5-setup.exe	C:\Users\admin\AppData\Local\Temp\~FG.TMP\FGUARD64.dll		executable
		MD5:5F07C9921ADF4E3336285F51CE8A9B60	SHA256:886C6525101EFD64DB15FFF25C74FC67A1697AE4E1164CE08F80AF135D0157EF
6276	Setup64.exe	C:\Users\admin\AppData\Local\Temp\~DF694A16CAB9E8F6C1.TMP		binary
		MD5:8A64200BE1B7CFE18DA4AEB1B8892B9C	SHA256:36448F1F69617F3FDD1CBB2A2B36D2685CC79BC86E6A542A2F37F3C44757CFC9
6276	Setup64.exe	C:\Users\admin\AppData\Local\Temp\~DFFCD82DD6613436BF.TMP		binary
		MD5:4479BE9CF6AEB0019EFDE9B0B2869F78	SHA256:8A1251EB01D1F4B89D2FA9A5D9DA2E259558306FFBC67F3AF6FC3852910DD9F9

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
5992	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6816	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
5992	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6872	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	192.168.100.255:138	—	—	—	whitelisted
2120	MoUsoCoreWorker.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
1116	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5600	svchost.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5600	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5336	SearchApp.exe	104.126.37.160:443	www.bing.com	Akamai International B.V.	DE	unknown
5336	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
5992	svchost.exe	20.190.159.75:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.250.185.142	whitelisted
settings-win.data.microsoft.com	4.231.128.59 20.73.194.208	whitelisted
www.bing.com	104.126.37.160 104.126.37.130 104.126.37.139 104.126.37.163 104.126.37.171 104.126.37.186 104.126.37.153 104.126.37.170 104.126.37.128 104.126.37.155 104.126.37.131	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	20.190.159.75 40.126.31.73 20.190.159.64 20.190.159.23 20.190.159.4 40.126.31.67 20.190.159.0 20.190.159.71	whitelisted
client.wns.windows.com	40.115.3.253 40.113.110.67	whitelisted
th.bing.com	104.126.37.153 104.126.37.139 104.126.37.171 104.126.37.160 104.126.37.170 104.126.37.169 104.126.37.162 104.126.37.155 104.126.37.131	whitelisted
arc.msn.com	20.103.156.88	whitelisted
fd.api.iris.microsoft.com	20.103.156.88	whitelisted
slscr.update.microsoft.com	20.12.23.50	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

0422d000-f76f-40aa-8285-d3afaf818b2c

02A8CBCC407D9D37ECCA84EA687BD128

9934FF1457FB354B30444FEB0F3681307DB0B08B

D16B1B54A74B79BC0FA3791D8B04850E34D9DE40A31480FA89CE902394047DCE

98304:pFpdYkE+y94O9EMBNlsmqVlDFmFqjUTwFWfE5lNC9Gy6KfIjnrnCNy5mWI8CLYu0:hsVTBJLWALYrYsZg2Dt

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

SUSPICIOUS

Reads security settings of Internet Explorer

Drops a system driver (possible attempt to evade defenses)

Executable content was dropped or overwritten

Drops the executable file immediately after the start

Reads the date of Windows installation

Creates/Modifies COM task schedule object

Creates a software uninstall entry

Searches for installed software

Executes as Windows Service

Creates file in the systems drive root

Application launched itself

INFO

Manual execution by a user

Checks supported languages

Executable content was dropped or overwritten

Create files in a temporary directory

Reads the computer name

Process checks computer location settings

Creates files in the program directory

Creates files or folders in the user directory

UPX packer has been detected

Reads the machine GUID from the registry

Reads Microsoft Office registry keys

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings