djvu | ad0a24464f71c6c7fe084cb5452427e1254ba47ca1346fe4a9f32226f49c8849

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

099ef99582cb2da5e520888d90b4171d6987ac87d7fc00e8219b25f1c4e6884f.exe
Size

292KB
MD5

76433c7640e0aaee3cce8dacb5d3828c
SHA1

8586af8b2dc370f53bebf0007abd15368b5e6ab6
SHA256

099ef99582cb2da5e520888d90b4171d6987ac87d7fc00e8219b25f1c4e6884f
SHA512

2f877b7fd34e89e091207f64775159f0f1a797c69926936fb694a0c35adfb63e5f2b9e87f4ccd65a5de99c0bd6151f47ae3a0964730cd3fd7390171a32d2b13d
SSDEEP

6144:oUL/bVEdQYVEWgD/BcPPxIuIls3fu8HVlTV7:oU7bIQYVEx/BcmuIlofuOzV

Score

10^/10

djvu smokeloader up3 backdoor google collection discovery evasion persistence phishing ransomware spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Botnet

up3

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

rc4.i32

Extracted

Family

djvu

http://zexeq.com/test1/get.php

Attributes

extension
.cdqw
offline_id
mMsRxMUuXypapZbGOAfxD9pczHmW8zVRP7Pgjwt1
payload_url
http://brusuax.com/dl/build2.exe

http://zexeq.com/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-99MNqXMrdS Price of private key and decrypt software is $1999. Discount 50% available if you contact us first 72 hours, that's price for you is $999. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0840ASdw

rsa_pubkey.plain

Signatures

Detected Djvu ransomware 14 IoCs

resource	yara_rule
behavioral1/memory/1716-45-0x0000000002240000-0x000000000235B000-memory.dmp	family_djvu
behavioral1/memory/1440-47-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1440-51-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1440-52-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1440-75-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1428-85-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1428-86-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1428-101-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1428-102-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1428-115-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1428-1196-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1428-1198-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1428-1199-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral1/memory/1428-1246-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Detected google phishing page
phishing google
Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	5is7Is2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	5is7Is2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	5is7Is2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	5is7Is2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	5is7Is2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	5is7Is2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	5is7Is2.exe

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Deletes itself 1 IoCs

pid	Process
1240	Process not Found

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	5is7Is2.exe

Executes dropped EXE 11 IoCs

pid	Process
1716	1A56.exe
1440	1A56.exe
1544	1A56.exe
1428	1A56.exe
2500	build2.exe
2260	build2.exe
804	6896.exe
1928	sz7Zf80.exe
2012	KK9kH49.exe
1708	2Ei0134.exe
2800	5is7Is2.exe

Loads dropped DLL 26 IoCs

pid	Process
1716	1A56.exe
1440	1A56.exe
1440	1A56.exe
1544	1A56.exe
1428	1A56.exe
1428	1A56.exe
804	6896.exe
804	6896.exe
1928	sz7Zf80.exe
1928	sz7Zf80.exe
2012	KK9kH49.exe
2012	KK9kH49.exe
1708	2Ei0134.exe
2012	KK9kH49.exe
2800	5is7Is2.exe
2800	5is7Is2.exe
2800	5is7Is2.exe
1944	WerFault.exe
1944	WerFault.exe
1944	WerFault.exe
1944	WerFault.exe
1184	WerFault.exe
1184	WerFault.exe
1184	WerFault.exe
1184	WerFault.exe
1184	WerFault.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
800	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	5is7Is2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	5is7Is2.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	5is7Is2.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	5is7Is2.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	5is7Is2.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	sz7Zf80.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	KK9kH49.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	5is7Is2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\05a7d307-90b0-433f-a523-c3639f69386d\\1A56.exe\" --AutoStart"	1A56.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6896.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
144	ipinfo.io
10	api.2ip.ua
11	api.2ip.ua
19	api.2ip.ua
143	ipinfo.io

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x0006000000019564-191.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2800	5is7Is2.exe
2800	5is7Is2.exe
2800	5is7Is2.exe
2800	5is7Is2.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2212 set thread context of 2072	2212	099ef99582cb2da5e520888d90b4171d6987ac87d7fc00e8219b25f1c4e6884f.exe	28
PID 1716 set thread context of 1440	1716	1A56.exe	38
PID 1544 set thread context of 1428	1544	1A56.exe	42
PID 2500 set thread context of 2260	2500	build2.exe	45

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1944	2260	WerFault.exe	45
1184	2800	WerFault.exe	55

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	099ef99582cb2da5e520888d90b4171d6987ac87d7fc00e8219b25f1c4e6884f.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	099ef99582cb2da5e520888d90b4171d6987ac87d7fc00e8219b25f1c4e6884f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	099ef99582cb2da5e520888d90b4171d6987ac87d7fc00e8219b25f1c4e6884f.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3020	schtasks.exe
696	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7B632011-A6B4-11EE-88F9-76B33C18F4CF} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7B655A61-A6B4-11EE-88F9-76B33C18F4CF} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0cebb52c13ada01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	5is7Is2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	5is7Is2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	5is7Is2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	5is7Is2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	5is7Is2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	5is7Is2.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2072	099ef99582cb2da5e520888d90b4171d6987ac87d7fc00e8219b25f1c4e6884f.exe
2072	099ef99582cb2da5e520888d90b4171d6987ac87d7fc00e8219b25f1c4e6884f.exe
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2072	099ef99582cb2da5e520888d90b4171d6987ac87d7fc00e8219b25f1c4e6884f.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeDebugPrivilege	2800	5is7Is2.exe
Token: SeDebugPrivilege	364	powershell.exe
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeShutdownPrivilege	1240	Process not Found
Token: SeShutdownPrivilege	1240	Process not Found

Suspicious use of FindShellTrayWindow 16 IoCs

pid	Process
1708	2Ei0134.exe
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found
1708	2Ei0134.exe
1708	2Ei0134.exe
1240	Process not Found
1240	Process not Found
2248	iexplore.exe
1216	iexplore.exe
2076	iexplore.exe
1240	Process not Found
1240	Process not Found
1240	Process not Found
1240	Process not Found

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1708	2Ei0134.exe
1708	2Ei0134.exe
1708	2Ei0134.exe
1240	Process not Found
1240	Process not Found
1240	Process not Found

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
1216	iexplore.exe
1216	iexplore.exe
2248	iexplore.exe
2248	iexplore.exe
2076	iexplore.exe
2076	iexplore.exe
2800	5is7Is2.exe
2000	IEXPLORE.EXE
2000	IEXPLORE.EXE
2060	IEXPLORE.EXE
2060	IEXPLORE.EXE
2672	IEXPLORE.EXE
2672	IEXPLORE.EXE
2000	IEXPLORE.EXE
2000	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2072	2212	099ef99582cb2da5e520888d90b4171d6987ac87d7fc00e8219b25f1c4e6884f.exe	28
PID 2212 wrote to memory of 2072	2212	099ef99582cb2da5e520888d90b4171d6987ac87d7fc00e8219b25f1c4e6884f.exe	28
PID 2212 wrote to memory of 2072	2212	099ef99582cb2da5e520888d90b4171d6987ac87d7fc00e8219b25f1c4e6884f.exe	28
PID 2212 wrote to memory of 2072	2212	099ef99582cb2da5e520888d90b4171d6987ac87d7fc00e8219b25f1c4e6884f.exe	28
PID 2212 wrote to memory of 2072	2212	099ef99582cb2da5e520888d90b4171d6987ac87d7fc00e8219b25f1c4e6884f.exe	28
PID 2212 wrote to memory of 2072	2212	099ef99582cb2da5e520888d90b4171d6987ac87d7fc00e8219b25f1c4e6884f.exe	28
PID 2212 wrote to memory of 2072	2212	099ef99582cb2da5e520888d90b4171d6987ac87d7fc00e8219b25f1c4e6884f.exe	28
PID 1240 wrote to memory of 2952	1240	Process not Found	31
PID 1240 wrote to memory of 2952	1240	Process not Found	31
PID 1240 wrote to memory of 2952	1240	Process not Found	31
PID 2952 wrote to memory of 2728	2952	cmd.exe	33
PID 2952 wrote to memory of 2728	2952	cmd.exe	33
PID 2952 wrote to memory of 2728	2952	cmd.exe	33
PID 1240 wrote to memory of 2600	1240	Process not Found	34
PID 1240 wrote to memory of 2600	1240	Process not Found	34
PID 1240 wrote to memory of 2600	1240	Process not Found	34
PID 2600 wrote to memory of 2504	2600	cmd.exe	36
PID 2600 wrote to memory of 2504	2600	cmd.exe	36
PID 2600 wrote to memory of 2504	2600	cmd.exe	36
PID 1240 wrote to memory of 1716	1240	Process not Found	37
PID 1240 wrote to memory of 1716	1240	Process not Found	37
PID 1240 wrote to memory of 1716	1240	Process not Found	37
PID 1240 wrote to memory of 1716	1240	Process not Found	37
PID 1716 wrote to memory of 1440	1716	1A56.exe	38
PID 1716 wrote to memory of 1440	1716	1A56.exe	38
PID 1716 wrote to memory of 1440	1716	1A56.exe	38
PID 1716 wrote to memory of 1440	1716	1A56.exe	38
PID 1716 wrote to memory of 1440	1716	1A56.exe	38
PID 1716 wrote to memory of 1440	1716	1A56.exe	38
PID 1716 wrote to memory of 1440	1716	1A56.exe	38
PID 1716 wrote to memory of 1440	1716	1A56.exe	38
PID 1716 wrote to memory of 1440	1716	1A56.exe	38
PID 1716 wrote to memory of 1440	1716	1A56.exe	38
PID 1716 wrote to memory of 1440	1716	1A56.exe	38
PID 1440 wrote to memory of 800	1440	1A56.exe	40
PID 1440 wrote to memory of 800	1440	1A56.exe	40
PID 1440 wrote to memory of 800	1440	1A56.exe	40
PID 1440 wrote to memory of 800	1440	1A56.exe	40
PID 1440 wrote to memory of 1544	1440	1A56.exe	41
PID 1440 wrote to memory of 1544	1440	1A56.exe	41
PID 1440 wrote to memory of 1544	1440	1A56.exe	41
PID 1440 wrote to memory of 1544	1440	1A56.exe	41
PID 1544 wrote to memory of 1428	1544	1A56.exe	42
PID 1544 wrote to memory of 1428	1544	1A56.exe	42
PID 1544 wrote to memory of 1428	1544	1A56.exe	42
PID 1544 wrote to memory of 1428	1544	1A56.exe	42
PID 1544 wrote to memory of 1428	1544	1A56.exe	42
PID 1544 wrote to memory of 1428	1544	1A56.exe	42
PID 1544 wrote to memory of 1428	1544	1A56.exe	42
PID 1544 wrote to memory of 1428	1544	1A56.exe	42
PID 1544 wrote to memory of 1428	1544	1A56.exe	42
PID 1544 wrote to memory of 1428	1544	1A56.exe	42
PID 1544 wrote to memory of 1428	1544	1A56.exe	42
PID 1428 wrote to memory of 2500	1428	1A56.exe	44
PID 1428 wrote to memory of 2500	1428	1A56.exe	44
PID 1428 wrote to memory of 2500	1428	1A56.exe	44
PID 1428 wrote to memory of 2500	1428	1A56.exe	44
PID 2500 wrote to memory of 2260	2500	build2.exe	45
PID 2500 wrote to memory of 2260	2500	build2.exe	45
PID 2500 wrote to memory of 2260	2500	build2.exe	45
PID 2500 wrote to memory of 2260	2500	build2.exe	45
PID 2500 wrote to memory of 2260	2500	build2.exe	45
PID 2500 wrote to memory of 2260	2500	build2.exe	45
PID 2500 wrote to memory of 2260	2500	build2.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	5is7Is2.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	5is7Is2.exe

C:\Users\Admin\AppData\Local\Temp\099ef99582cb2da5e520888d90b4171d6987ac87d7fc00e8219b25f1c4e6884f.exe
"C:\Users\Admin\AppData\Local\Temp\099ef99582cb2da5e520888d90b4171d6987ac87d7fc00e8219b25f1c4e6884f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\099ef99582cb2da5e520888d90b4171d6987ac87d7fc00e8219b25f1c4e6884f.exe
  "C:\Users\Admin\AppData\Local\Temp\099ef99582cb2da5e520888d90b4171d6987ac87d7fc00e8219b25f1c4e6884f.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2072

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AC.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
  2⤵
  PID:2728

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\2FE.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Windows\system32\reg.exe
  reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
  2⤵
  PID:2504

C:\Users\Admin\AppData\Local\Temp\1A56.exe
C:\Users\Admin\AppData\Local\Temp\1A56.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\1A56.exe
  C:\Users\Admin\AppData\Local\Temp\1A56.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\05a7d307-90b0-433f-a523-c3639f69386d" /deny *S-1-1-0:(OI)(CI)(DE,DC)
    3⤵
    - Modifies file permissions
    PID:800
- - C:\Users\Admin\AppData\Local\Temp\1A56.exe
    "C:\Users\Admin\AppData\Local\Temp\1A56.exe" --Admin IsNotAutoStart IsNotTask
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1544
  - - C:\Users\Admin\AppData\Local\Temp\1A56.exe
      "C:\Users\Admin\AppData\Local\Temp\1A56.exe" --Admin IsNotAutoStart IsNotTask
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1428
    - - C:\Users\Admin\AppData\Local\c98774e6-deca-4fa0-9f22-7459f1ea1295\build2.exe
        
        "C:\Users\Admin\AppData\Local\c98774e6-deca-4fa0-9f22-7459f1ea1295\build2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2500
      - C:\Users\Admin\AppData\Local\c98774e6-deca-4fa0-9f22-7459f1ea1295\build2.exe
        
        "C:\Users\Admin\AppData\Local\c98774e6-deca-4fa0-9f22-7459f1ea1295\build2.exe"
        6⤵
        Executes dropped EXE
        
        PID:2260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 1460
        7⤵
        Loads dropped DLL
        Program crash
        
        PID:1944

C:\Users\Admin\AppData\Local\Temp\6896.exe
C:\Users\Admin\AppData\Local\Temp\6896.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:804
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sz7Zf80.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sz7Zf80.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  PID:1928
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KK9kH49.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\KK9kH49.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    PID:2012
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Ei0134.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Ei0134.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1708
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:1216
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1216 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2060
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://facebook.com/login
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2248
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2248 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2000
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:2076
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2076 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2672
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5is7Is2.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5is7Is2.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      Accesses Microsoft Outlook profiles
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      outlook_office_path
      outlook_win_path
      PID:2800
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-MpPreference -verbose
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:364
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        5⤵
        
        PID:2936
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:696
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        5⤵
        
        PID:768
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:3020
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 2464
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:1184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
16fffd0e6d70bece262b80ec1e01136d

SHA1
a85cd7bf91876cc1677188a48f655fafd4ef3ad3

SHA256
e42b8f1401f2b649334ceedca8cadb9da203734b036fa9c858074741400663d0

SHA512
1a9da5d91c794f029b6aae6bfee67735497c991ac7fb0c8227f0c9b3e63c25e3c5c838839d2f03744114c7f07aadbe5220c553a89f792ff0ee369ee98567dc4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
ac89a852c2aaa3d389b2d2dd312ad367

SHA1
8f421dd6493c61dbda6b839e2debb7b50a20c930

SHA256
0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

SHA512
c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_9E9C5BD522DEAFF0AF9BF0B0877DDF33

Filesize
472B

MD5
3a03d31c0d72895a743a5b3da0960e1a

SHA1
dc6f14a68f2f36f0dbbdf9e48526e2ba3da34bb8

SHA256
a359a47aea123f2d6a7e3b090bbc69fe268c5532da8864d2d6387eed150714ec

SHA512
a5714b9d94f16b38edc2a7d389a0f13f5344f129499e29c4f680a008f05d4ace267ae52e127f55efc5142fb3c3f110388ab713367c5e04180bcf5dc0861034d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_9FBD3BA6168F3C4317F2AAB1E548FE96

Filesize
471B

MD5
1904977116539dc6b5e5548dba0ee208

SHA1
f63812d400027ccbaf53d9e04e1606b61fa1516f

SHA256
caf7d9aaf861969d69745c08b00bff17763cb073918e7747d487cdb6070ca268

SHA512
e9bd3e5a34a62d90acb4bd604f43ea7dc08c694c31343477d547a1500c7baf50bfc0ca0a9eaaed8aa839c8e982921903033ca73556aa7d8b49d6a3bd1ebb76d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
a57e355ea007a2f8e81d989562e86f78

SHA1
ecc3b64c50e92f34b77f53ae60c4fc19e7236bf8

SHA256
a16778dba3210f2af2bd239d72f6538c19a61f693609f89c316011dc4b70a800

SHA512
592fe520fda24b484117f6bd29192a3f598e3fc1fb003beca83de3a9f2d225b6500d9274c8ad1d56091e07f6062af9ba770be2bfc0aac91d4671856565f93d7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5d657d38a97da650f5520ba90c42c591

SHA1
88ec8eb711d36cbb7dced6340433bdcd4344c16c

SHA256
3ba22ed3d9372e00721964077e56d937c25b6e4fb3c83b64fff084eb3d3300d8

SHA512
b16de8ae7fcc7934d456f721672320931b52532e918fbe91a1b5a085cd35706b6a531a287cd579c75e3d61fc794880324794e01526437027f39a13d714f173a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8d3991fb222da102d7794407130c9de8

SHA1
b2840ee7b1bba4c1b4aee8abd7e674f09b9629dd

SHA256
a0fce4c67927d33169cd30e7afe3af78756bed66730320f2e35580c1966be936

SHA512
38cdcd61aaef7eb5da3a3a68eaf729ce312ce005c71f341cff910412bebe852ec1f705a7c648af8ff25e4c4622712c80261febdad26d9091b6d091ea34e1f4b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a6b159fe3eb9d6424916961ad2d36bee

SHA1
54c840133d29bb6ff51cb3387da54ee2a63c4ddb

SHA256
2c0969659936d9d4a027a7f6da31098f7b9ed4f8717934d0fda0657dc0895ad4

SHA512
7708a7cf1b17e96280b1584ec890bf89422065f5b93a157c792ce36bc58ae2faf4ef1d9faf2eb674f6f5e474c9aab4fb2947196363055d7c5fa7870edef19ec6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a0deb0cb393aa044135e21f98dad5312

SHA1
813ade83ce53b7efda6094b227254ad73d2e4142

SHA256
1fa2c90d0c6206c3296543c70c5b8700bcfd939fe17591db76617c5105074bbc

SHA512
5a97071b1519506675f5f6e75b67312d69b336e2ef15219e751f8215ea9b1dc5ac9f97aea514cb2717dcd1118bafed37aa2b527ee6aec70c0161340046b99c61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
725c287f243b58dadeef1454292eb9c9

SHA1
9add733b692c9ff29307d62f02ca66d63fa8ed29

SHA256
21fff5ac4a07bc38ec7117121a1e04cb78c60c800a0db6d0c6aa0040fa3f0ca4

SHA512
466c620df95b5034d40fe1e3910f602020714da98d9e98dd944a49dd29c4af21e68a8716e74db55afe4e8d61cf395bf49d1cca9eed279de5afbda0c7a1e4eca3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
03092a79f8bbce08ef696f5d4f84cbb0

SHA1
5b73aa359de57a1070617a4e9d785b5a8241f5ae

SHA256
4c33eb49d9ffda9b63438e63b4803ac76ecfd32c57c2e9ce97528c4860222abe

SHA512
64fa0f33a6543b819cf7b98551da6c71dc45fb4c55391275bdfa02b1832e3d39cd64a4d5480275f4435297d57fd05146f70ad7a918edcb230d4b3cc409d91feb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4ff4589ccdc82a6779f4bdd3f522ea4a

SHA1
b86a6bd83aa588166239eb3d80accc0f78f1d62c

SHA256
67f1950a8d8a831283b47c31e45eaa4fd512ab78076fa3b25210f493190a5edb

SHA512
7cd91fed797217ceb69cb39633e83980f66d716a550f96842bc5a7af57c6ed452a3ac701c97063789e4d7134d60d523cd1af9b618d449a5c8d945dba9f79556b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ebaa97db2fb629945af16c59f8ce20d0

SHA1
fefbd873fb81e7cef467c255dc0204899eecb705

SHA256
9d64e7781746630d1e1e65dcac9495374aaa8973f5344d00a8b2f6a9f0b467f1

SHA512
e180734ec76a3668331763753fa16de8f9c72160aff452724b73c98b6bf91e4e87a1938a15a1d0b413c933b3973331d19f0e0025493f6643fd904cf1ffd5c1ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3962a1ca1e915e66b62cc05e81e46647

SHA1
4974bfe2b14a9b061d1032997069f05527d6d10c

SHA256
4aad2fae9352564b2f24bf0b4d709803ef80fb38ef88fa5e253a10f49d6f40b9

SHA512
dd36ca419cdbeb41d2caf3825f39162b544ef56ce9cadc9b53d59281c76097b48ea6b723b92f5fa46b394948a7bcf656308ee7d61dcc75265b1f8cddc01ceb3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
0b5faff4cfad5ef226672334ec6f87c4

SHA1
76b98f385ccf29da28c3c14fb34978474dc74aff

SHA256
c6d3d1f1d1ed8dae4b0724b445b23520b7b79ffcc3a6cb124ac38e31be1ba291

SHA512
c3aa92b63995a70208a4ee246201f4e9f0e3cdbfb84226cf096ece4c028d27d4de891e63a94d528d3fbf56f786289636087ef76676d9096ea784b7e71ba7f677

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
7b36a468b423bbbfa3e1ed3bfc35f312

SHA1
90f9f70810a9ef4615d725e15b330b25079eac8b

SHA256
a486d8bce54cf0497930c555316155950e911b71aad89fd574712a5c31a040b4

SHA512
9f9223f66b09f95652e289513319923e63a41bf40a067673ef078bfe607b20d7b7f5a66d2ac8f119de3ed80ef239b6438b3718bcc9dec7cf586d43b7957aab90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_9E9C5BD522DEAFF0AF9BF0B0877DDF33

Filesize
406B

MD5
7dbecf15ee4ba287568acb6829d705af

SHA1
81ef2c953d2b6500a7bfc24156ea6f7aa8e9fdc9

SHA256
18059ad8e8de7947b4d557cac05adf5eaabcea10a9a118a4dcfc26ee7e09fd87

SHA512
8855b2c4d0cd9c645d1f89ec55878cb425b81a2afdaa1759923513d9a74ff76417cd6b5639fcc6c7facdda39837e7093fd0d25f7c41e8d239b9911e49731e58b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_9FBD3BA6168F3C4317F2AAB1E548FE96

Filesize
406B

MD5
98c217630f06bb564a5f4feea99338e5

SHA1
6f635b9734c85f268e1b8bb5f18c97a573865b08

SHA256
e9e97f1fa84fdd5e188449da787640427b22980723141e7f01e6b64662b53f94

SHA512
e5c72fcb9b18f8d923ed7d066cf8edc198cd8cb5155a50931b37c5a935c954e96f593938673656c997eba0f98d3d540470f9a8dcb3c42d5239df93294975e96f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7B62F901-A6B4-11EE-88F9-76B33C18F4CF}.dat

Filesize
5KB

MD5
53e6973afa16c53ee9f55c85bbc21e64

SHA1
9ad774973ed873c9022397f7625a722ce49fc32d

SHA256
70b8e289c47f043c4179105d7529641d07a882370614a4c52e87ecba87770103

SHA512
40e92ceb61859808b9000b3540c6d35ca6f21efc58c2215be734f7eec534582c581bf5e77a6067c2914a5de06e90508bd6ad7d3fd1467b7e5d66dec87778a0d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7B632011-A6B4-11EE-88F9-76B33C18F4CF}.dat

Filesize
5KB

MD5
82d3e04e80e518fde673c476de40ca17

SHA1
17c2e91e59038f865be064366fbee64674305bad

SHA256
23befc24263120d64537bc6060b0b6e89477c9f775f1b7d97e2367773b4c1edf

SHA512
6f62913c59d3b16925fe5d45a2054ada3f1704a52b4ceb8ee8b6570cf67bce009d51f4a103288acd32392298ff98e3f48cdda6e9ca77f00bbab48bf18dc5d49b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\0ptx2pp\imagestore.dat

Filesize
1KB

MD5
3f85f5ce52df31670f128dfe73438f30

SHA1
d2e39f7162365b7e57aac93d6d1df85132097912

SHA256
d36d8c0899ab0d76b0dd21ecc6594479c399c0185b9dc777c9abbd9b75cb1b18

SHA512
81a84834f97890f041a0e74644889071e7c48cb9acb064df2abf44c60a23f1d923e666e498fca878fca89476ddaf9c7065a705394f84ce04514de79ed80d9091

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\0ptx2pp\imagestore.dat

Filesize
6KB

MD5
79c6d53dbf28d521c25dd504aa982d2d

SHA1
e75f2737e1558b6943a01b05aecb04678da2c5b4

SHA256
1c9987416778308e6428e2a19dd5753c61c8cb27904062aa493e72be8b5b1d40

SHA512
1a0248e8b045b90caf4d79e5c93ba78e6c0731d4e9e1cbcb249e4b9cebe154b5d39e86a6a5267352d05e4bdbb9fa74824057ea9476bbab368d825ebd0e8f6c19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\0ptx2pp\imagestore.dat

Filesize
11KB

MD5
c0f49a3e8aebbedfa4a66763457dd657

SHA1
4c45dacc0d69ff1c863d144b5664cb31b05e9d35

SHA256
142e1b4806967f9f4c29269cb75f2cf37c5af89ada1bc763e7fefc948ec727df

SHA512
09660d38d250311f7938701687b64c983387f98cbcb769d9f0cf110b525cad5815c8038a085d9ab0bf464a0dbd3352dbf433f7efdbfb80272d50d4b0a6b3016b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\53STNJLW\favicon[2].ico

Filesize
1KB

MD5
f2a495d85735b9a0ac65deb19c129985

SHA1
f2e22853e5da3e1017d5e1e319eeefe4f622e8c8

SHA256
8bb1d0fa43a17436d59dd546f6f74c76dc44735def7522c22d8031166db8911d

SHA512
6ca6a89de3fa98ca1efcf0b19b8a80420e023f38ed00f4496dc0f821cea23d24fb0992cee58c6d089f093fdefca42b60bb3a0a0b16c97b9862d75b269ae8463b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\53STNJLW\favicon[3].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\53STNJLW\hLRJ1GG_y0J[1].ico

Filesize
4KB

MD5
8cddca427dae9b925e73432f8733e05a

SHA1
1999a6f624a25cfd938eef6492d34fdc4f55dedc

SHA256
89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62

SHA512
20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

Download Submit
C:\Users\Admin\AppData\Local\Temp\1A56.exe

Filesize
700KB

MD5
4de3ef13b59a390161bf02b8d7314f7c

SHA1
08b3e1cca45cff01fb8047554dd7385161aa0ea0

SHA256
2376ca42c79dbfa2ad332a0563b25a4b6ed12b4eb25bdc110983e2833758fe27

SHA512
d6df885efbf08e42a00a6204c05a809bd5e288318695c07bd86799fefd8399d950c71630df793b2e12a2b6cece2e9fe34670ad23ef374c622e8bb51741b7df0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6896.exe

Filesize
2.5MB

MD5
36bc86e96766763a249142938504aa1c

SHA1
442eeacab7364eca415e4d7b7d4739bc5dd1c202

SHA256
2237f53cd4bb5e1b9a1412f473eea24075179416318125746cec120e3f2f4823

SHA512
da2d02ff70c9b7cfa0fddc1ccac791798a2c7cf058dc5afeec0b52085dd16610b5d68a4b8b03d6b5cafa4dc35716ae67344f0a9bf825cd67f4e3c28cd7bb698d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AC.bat

Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3CF1.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sz7Zf80.exe

Filesize
2.4MB

MD5
b55d529f552613c93f46b72e501bd070

SHA1
ada2741614a42e2f7fcf224b57d030d5ad9a3380

SHA256
3f1e617ee500e18a675d1b39421afdcffdc3d89d888cd6eea29bc2a496816a3b

SHA512
cfa07d290536244ae51d1d45301c92e2f032f8ebea938752f72ec047f5066426d3ce411b9832a9afb6c957ed246636f60ef560f7fd6b53f4df80b974e39203be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar62E9.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\tempAVSe6fG8EYO7fQy\4OYInElBGrd4Web Data

Filesize
92KB

MD5
c5ab22deca134f4344148b20687651f4

SHA1
c36513b27480dc2d134cefb29a44510a00ec988d

SHA256
1e9bd8064ca87d8441e2702005ef8df9a3647d5542740737abb8a70be7ec9512

SHA512
550f45132525e967d749106b9d3b114d17b066967527bfd5c66613d61b6f3995f87b0f3c09def19eed14b5b757f2501645b5103505d126f1dd66994f50e1257e

Download Submit
C:\Users\Admin\AppData\Local\c98774e6-deca-4fa0-9f22-7459f1ea1295\build2.exe

Filesize
128KB

MD5
433cfec555d6e1bf1ace39bf17c13476

SHA1
2b9c9e85dab1338e6fb443d3ab2bd49f8e697319

SHA256
3e5e37d5763dc29bcfdac6165ffa9ec43060fa16beedfa40cf252645f7c64f81

SHA512
f6c94e23c5ab0e5767a68b916f7a5556e6420c1db4a13bd6f02039360d9df1dc39d7909e792aa11ccdc3d93d791f5843e3ad1fb07739faac48bba376004fda6f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\6KQO6GEU.txt

Filesize
361B

MD5
350424c62b402310e40a758f6095849f

SHA1
76be9b2e4ed21bf0f375a8b4b6e1edc820005e45

SHA256
a340867d2f7f10dad70fcee75487897f03212234c5ee8ff11bfe837f0b2d19c2

SHA512
0120646122c20e4806f3fa2422b29af2b7ecada5d03f0c93558c70be9e464883645d890f740c0edaf3c9a16e3d6d0799b919ea1e5d50ea5844a90ffe94cc1c11

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk

Filesize
1KB

MD5
dac4c18ca18cc7dbd3f6207dd97b7e06

SHA1
5a1537b5caa3dcfa3c0a38f9fdc57303a5eb8612

SHA256
eaf92a51883c5f7beb9102654960d9b7a7427f54128cff14e441a467ce33b818

SHA512
02a0b20775d00df9e2a4b3f48130c51c1e7b577442182f45fb2e511bee56c33262925b9e59ea4cef3e2ae39c66a549b7db314bd3a9d5d8ea68d0acce22f67a81

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\KK9kH49.exe

Filesize
1.9MB

MD5
927d8cd77e1357676245af39f3bfb3f8

SHA1
1cfb0062499cb430fda3b625cfdac85f6cc55314

SHA256
972ccfda0660805c63022072f361b21782df2449526363e924341b7a1a402c5c

SHA512
4a8eaad798bf83c126006e5b30c44f1b259855208130ae0639b71ca9ac8866abd538537f6df65cf0efcdf2e636cbeca816cad6a031e223b752cd3ee2cea0277e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\2Ei0134.exe

Filesize
894KB

MD5
779db1fcaa2b01c67fa62fdcf541137c

SHA1
85aa8928790bc40c8dcfac0585e87526d285905b

SHA256
0b343aceb8665dabb2f978310bc369bcac837bc19c7422d059fd485d50bb2c42

SHA512
b657c28f2159a283214b8ad103492f467e79bbd6465385bde9f15e5c3712433e7d77bf08b5637c2d4dcd7c2fa85fe4704ce0cf4096af4097861762fe10f5a00f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\5is7Is2.exe

Filesize
1.5MB

MD5
5029a0767b3bb36cd7105e83778330ea

SHA1
83d56d1f28cf29b87e26917bf17b70edeef7724a

SHA256
d7dd9ecebcbb7f231089d5f387682120d46a895b652f5a9c6ee663b1922fa8b4

SHA512
c2872608b20a7b53414573c30317f1c0bca3ab4e69dd47b21900b63e7b2691c65278d03504314ff4043a33eed5bfe36cff8be13b771a5115bb6aac1691e837ed

Download Submit
\Users\Admin\AppData\Local\Temp\tempAVSe6fG8EYO7fQy\sqlite3.dll

Filesize
791KB

MD5
0fe0a178f711b623a8897e4b0bb040d1

SHA1
01ea412aeab3d331f825d93d7ee1f5fa6d3c46e6

SHA256
0c7cd52abdb6eb3e556d81caac398a127495e4a251ef600e6505a81385a1982d

SHA512
6c53c489c4464b9dc9a5dd31c48bb4afa65f7d6df9cc71e705cea2074ebd5e249cad4894eac6f6b308b3574633bc6e1706dfc5fda5f46c27f1e37d21e65fbc54

Download Submit
\Users\Admin\AppData\Local\c98774e6-deca-4fa0-9f22-7459f1ea1295\build2.exe

Filesize
216KB

MD5
a187125322e7072de3196b7ae5684f65

SHA1
c2563b181c8d7a84bb9a758994d4b5fe644315ce

SHA256
69941676bb04f17207d351806d67e888a0b0e064624dd4b72330d81726ef31e3

SHA512
c46831c360acbd942a2dbdd34d400f3309525b2c22df9394ebb9f18a36a5d738471d60e15b8997eb7f8d77a4ba9947209171a796a52bdac67566a51eccd4138e

Download Submit
memory/364-308-0x000000006D480000-0x000000006DA2B000-memory.dmp

Filesize
5.7MB

Download
memory/364-464-0x000000006D480000-0x000000006DA2B000-memory.dmp

Filesize
5.7MB

Download
memory/364-309-0x0000000002730000-0x0000000002770000-memory.dmp

Filesize
256KB

Download
memory/1240-8-0x00000000021F0000-0x0000000002206000-memory.dmp

Filesize
88KB

Download
memory/1428-102-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1428-1196-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1428-85-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1428-1246-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1428-1199-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1428-115-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1428-101-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1428-86-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1428-1198-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1440-52-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1440-47-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1440-51-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1440-75-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/1544-76-0x0000000000340000-0x00000000003D1000-memory.dmp

Filesize
580KB

Download
memory/1544-78-0x0000000000340000-0x00000000003D1000-memory.dmp

Filesize
580KB

Download
memory/1716-50-0x00000000008D0000-0x0000000000961000-memory.dmp

Filesize
580KB

Download
memory/1716-45-0x0000000002240000-0x000000000235B000-memory.dmp

Filesize
1.1MB

Download
memory/1716-42-0x00000000008D0000-0x0000000000961000-memory.dmp

Filesize
580KB

Download
memory/1716-40-0x00000000008D0000-0x0000000000961000-memory.dmp

Filesize
580KB

Download
memory/2012-201-0x00000000028E0000-0x0000000002D3E000-memory.dmp

Filesize
4.4MB

Download
memory/2012-701-0x00000000028E0000-0x0000000002D3E000-memory.dmp

Filesize
4.4MB

Download
memory/2072-9-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2072-6-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2072-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2072-5-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2072-7-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2212-2-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/2212-1-0x0000000000950000-0x0000000000A50000-memory.dmp

Filesize
1024KB

Download
memory/2260-125-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/2260-1133-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/2260-498-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/2260-195-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/2260-121-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/2260-124-0x0000000000400000-0x000000000063C000-memory.dmp

Filesize
2.2MB

Download
memory/2500-120-0x0000000000220000-0x0000000000248000-memory.dmp

Filesize
160KB

Download
memory/2500-118-0x00000000009E0000-0x0000000000AE0000-memory.dmp

Filesize
1024KB

Download
memory/2800-235-0x0000000000ED0000-0x000000000132E000-memory.dmp

Filesize
4.4MB

Download
memory/2800-1134-0x0000000000ED0000-0x000000000132E000-memory.dmp

Filesize
4.4MB

Download
memory/2800-1135-0x0000000000ED0000-0x000000000132E000-memory.dmp

Filesize
4.4MB

Download
memory/2800-205-0x0000000001330000-0x000000000178E000-memory.dmp

Filesize
4.4MB

Download
memory/2800-206-0x0000000000ED0000-0x000000000132E000-memory.dmp

Filesize
4.4MB

Download
memory/2800-954-0x0000000001330000-0x000000000178E000-memory.dmp

Filesize
4.4MB

Download
memory/2800-513-0x0000000000C40000-0x0000000000C50000-memory.dmp

Filesize
64KB

Download
memory/2800-1249-0x0000000000ED0000-0x000000000132E000-memory.dmp

Filesize
4.4MB

Download
memory/2800-499-0x0000000000ED0000-0x000000000132E000-memory.dmp

Filesize
4.4MB

Download