50f87269f0dba084992141fbe63b9f7ce0c23206925637d6a68adf2f56fd5d5e

Analysis

max time kernel
133s
max time network
146s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

i42qt.html
Size

18KB
MD5

ca45f3cc48e08cba6ae573e9bc4e9a6e
SHA1

7275ddbbe1d1ec0248f4cd97c2c3732521b98a29
SHA256

50f87269f0dba084992141fbe63b9f7ce0c23206925637d6a68adf2f56fd5d5e
SHA512

458ef4ca11944f01efa1d3b713e3269cf109c56a397a0a98e95990a5f55952f794a9b55485dbb7a2fbb0b5c2aafbac92a236a94808e85d2885d4cddfb6d9a9ca
SSDEEP

192:zwF92JICf98Ftf2I0pLI0pdhgf98Ftf5JKPF5iRj/K1ljQ+mHDsiHiMi6ieFM:zwF9pFWhNFqiF0ljnYIiHiMi6iyM

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

Counter Blox Hack Pack_43099839.exesetup43099839.exesetup43099839.exeOfferInstaller.exe

pid process

1328 Counter Blox Hack Pack_43099839.exe
372 setup43099839.exe
2588 setup43099839.exe
1688 OfferInstaller.exe

Loads dropped DLL 64 IoCs

Processes:

Counter Blox Hack Pack_43099839.exesetup43099839.exesetup43099839.exe

pid	process
1328	Counter Blox Hack Pack_43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
1328	Counter Blox Hack Pack_43099839.exe
2588	setup43099839.exe
2588	setup43099839.exe
2588	setup43099839.exe
2588	setup43099839.exe
2588	setup43099839.exe
2588	setup43099839.exe
2588	setup43099839.exe
2588	setup43099839.exe
2588	setup43099839.exe
2588	setup43099839.exe
2588	setup43099839.exe
2588	setup43099839.exe
2588	setup43099839.exe
2588	setup43099839.exe
2588	setup43099839.exe
2588	setup43099839.exe
2588	setup43099839.exe
2588	setup43099839.exe
2588	setup43099839.exe

Checks for any installed AV software in registry 1 TTPs 8 IoCs

Security Software Discovery

T1518.001

Processes:

setup43099839.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	setup43099839.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	setup43099839.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	setup43099839.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	setup43099839.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV	setup43099839.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast\Version	setup43099839.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	setup43099839.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast\Version	setup43099839.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

2196 timeout.exe
2552 timeout.exe
1016 timeout.exe
Enumerates processes with tasklist 1 TTPs 3 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exe

pid process

2300 tasklist.exe
748 tasklist.exe
2492 tasklist.exe

pid	process
2196	timeout.exe
2552	timeout.exe
1016	timeout.exe

pid	process
2300	tasklist.exe
748	tasklist.exe
2492	tasklist.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 38136c39b8acda01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e936100000000020000000000106600000001000020000000f7985f6b874228a299cdf0c535ab56e5c1552c7aef19b3cd9652a5b901249ea4000000000e80000000020000200000006ecdd708fc6ae410d2d43d7c518ac23d3efe06a2a9c781b5b11e08b9d30fe348200000000ae5f9ebf5d39946c61c506263a544dc305c2e03b90b5ae0f1da3e6c11006f35400000008cf3e02cdb6451b94be87d2148b32208342535f529c933ff1b7357fa5ce59fc7553069b4146023b7113ed430573aafca26cb32885287bb0b37125316383f89f0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e9361000000000200000000001066000000010000200000002c3ef86a988555573e54bc883640068465de77820d4f1859731231ae514b7590000000000e80000000020000200000000ee9ee61a1fe29f0b207d0f5ee6203d54edcc6a4c2761466250a73153538cc7890000000acb0aa5106894d1d0b9854620ebdbe60987e2ddfc4c7e55bcc82b76b81f1cf2a5cc13d34e6612f7766dd45eb56849a8f6cabe4f246b25239420f5469c0940382097f61581b3247655674d6d144fcc750f6e250e47503aff214ae4b2279155c72a1dee26da75d3ffd1b09525a35c0cd8b27648d6e764981347854878560e07d8f0d743fe2fbbe15f16921abb5f3afa143400000003364f5476cba065aa9caf7e8c7f8b87cff3d2e8cdee75a5f340415224c4e5b9a30193c77c01cec1d2c8ce9e2005eaecd0f24ab5b1f189281980d788341af06cf	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422592876"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50d81238b8acda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{70DA4E21-18AB-11EF-917C-6A2211F10352} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Modifies registry class 2 IoCs

Processes:

Counter Blox Hack Pack_43099839.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000_CLASSES\Opera GXStable	Counter Blox Hack Pack_43099839.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Opera GXStable	Counter Blox Hack Pack_43099839.exe

Modifies system certificate store 2 TTPs 21 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Counter Blox Hack Pack_43099839.exesetup43099839.exeOfferInstaller.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Counter Blox Hack Pack_43099839.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Counter Blox Hack Pack_43099839.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	setup43099839.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	setup43099839.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	OfferInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	setup43099839.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Counter Blox Hack Pack_43099839.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Counter Blox Hack Pack_43099839.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	OfferInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Counter Blox Hack Pack_43099839.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Counter Blox Hack Pack_43099839.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	setup43099839.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	setup43099839.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Counter Blox Hack Pack_43099839.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	setup43099839.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	setup43099839.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	setup43099839.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	OfferInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	Counter Blox Hack Pack_43099839.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	setup43099839.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Counter Blox Hack Pack_43099839.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1536 NOTEPAD.EXE

pid	process
1536	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

setup43099839.exeCounter Blox Hack Pack_43099839.exeOfferInstaller.exe

pid	process
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
1328	Counter Blox Hack Pack_43099839.exe
1328	Counter Blox Hack Pack_43099839.exe
1328	Counter Blox Hack Pack_43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
372	setup43099839.exe
1328	Counter Blox Hack Pack_43099839.exe
1328	Counter Blox Hack Pack_43099839.exe
1328	Counter Blox Hack Pack_43099839.exe
1328	Counter Blox Hack Pack_43099839.exe
1328	Counter Blox Hack Pack_43099839.exe
1328	Counter Blox Hack Pack_43099839.exe
1328	Counter Blox Hack Pack_43099839.exe
1328	Counter Blox Hack Pack_43099839.exe
1328	Counter Blox Hack Pack_43099839.exe
1328	Counter Blox Hack Pack_43099839.exe
1328	Counter Blox Hack Pack_43099839.exe
1328	Counter Blox Hack Pack_43099839.exe
1328	Counter Blox Hack Pack_43099839.exe
1328	Counter Blox Hack Pack_43099839.exe
1328	Counter Blox Hack Pack_43099839.exe
1328	Counter Blox Hack Pack_43099839.exe
1328	Counter Blox Hack Pack_43099839.exe
1328	Counter Blox Hack Pack_43099839.exe
1328	Counter Blox Hack Pack_43099839.exe
1688	OfferInstaller.exe
1688	OfferInstaller.exe
1688	OfferInstaller.exe
1688	OfferInstaller.exe
1688	OfferInstaller.exe
1688	OfferInstaller.exe
1688	OfferInstaller.exe
1688	OfferInstaller.exe
1688	OfferInstaller.exe
1688	OfferInstaller.exe
1688	OfferInstaller.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

setup43099839.exeOfferInstaller.exetasklist.exetasklist.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	372	setup43099839.exe
Token: SeDebugPrivilege	1688	OfferInstaller.exe
Token: SeDebugPrivilege	2492	tasklist.exe
Token: SeDebugPrivilege	2300	tasklist.exe
Token: SeDebugPrivilege	748	tasklist.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

2616 iexplore.exe
2616 iexplore.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

iexplore.exeIEXPLORE.EXECounter Blox Hack Pack_43099839.exesetup43099839.exe

pid	process
2616	iexplore.exe
2616	iexplore.exe
2344	IEXPLORE.EXE
2344	IEXPLORE.EXE
2344	IEXPLORE.EXE
2344	IEXPLORE.EXE
1328	Counter Blox Hack Pack_43099839.exe
1328	Counter Blox Hack Pack_43099839.exe
372	setup43099839.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exeCounter Blox Hack Pack_43099839.exesetup43099839.execmd.exeOfferInstaller.execmd.exe

description	pid	process	target process
PID 2616 wrote to memory of 2344	2616	iexplore.exe	IEXPLORE.EXE
PID 2616 wrote to memory of 2344	2616	iexplore.exe	IEXPLORE.EXE
PID 2616 wrote to memory of 2344	2616	iexplore.exe	IEXPLORE.EXE
PID 2616 wrote to memory of 2344	2616	iexplore.exe	IEXPLORE.EXE
PID 2616 wrote to memory of 1328	2616	iexplore.exe	Counter Blox Hack Pack_43099839.exe
PID 2616 wrote to memory of 1328	2616	iexplore.exe	Counter Blox Hack Pack_43099839.exe
PID 2616 wrote to memory of 1328	2616	iexplore.exe	Counter Blox Hack Pack_43099839.exe
PID 2616 wrote to memory of 1328	2616	iexplore.exe	Counter Blox Hack Pack_43099839.exe
PID 1328 wrote to memory of 372	1328	Counter Blox Hack Pack_43099839.exe	setup43099839.exe
PID 1328 wrote to memory of 372	1328	Counter Blox Hack Pack_43099839.exe	setup43099839.exe
PID 1328 wrote to memory of 372	1328	Counter Blox Hack Pack_43099839.exe	setup43099839.exe
PID 1328 wrote to memory of 372	1328	Counter Blox Hack Pack_43099839.exe	setup43099839.exe
PID 1328 wrote to memory of 372	1328	Counter Blox Hack Pack_43099839.exe	setup43099839.exe
PID 1328 wrote to memory of 372	1328	Counter Blox Hack Pack_43099839.exe	setup43099839.exe
PID 1328 wrote to memory of 372	1328	Counter Blox Hack Pack_43099839.exe	setup43099839.exe
PID 1328 wrote to memory of 2588	1328	Counter Blox Hack Pack_43099839.exe	setup43099839.exe
PID 1328 wrote to memory of 2588	1328	Counter Blox Hack Pack_43099839.exe	setup43099839.exe
PID 1328 wrote to memory of 2588	1328	Counter Blox Hack Pack_43099839.exe	setup43099839.exe
PID 1328 wrote to memory of 2588	1328	Counter Blox Hack Pack_43099839.exe	setup43099839.exe
PID 1328 wrote to memory of 2588	1328	Counter Blox Hack Pack_43099839.exe	setup43099839.exe
PID 1328 wrote to memory of 2588	1328	Counter Blox Hack Pack_43099839.exe	setup43099839.exe
PID 1328 wrote to memory of 2588	1328	Counter Blox Hack Pack_43099839.exe	setup43099839.exe
PID 372 wrote to memory of 1688	372	setup43099839.exe	OfferInstaller.exe
PID 372 wrote to memory of 1688	372	setup43099839.exe	OfferInstaller.exe
PID 372 wrote to memory of 1688	372	setup43099839.exe	OfferInstaller.exe
PID 372 wrote to memory of 1688	372	setup43099839.exe	OfferInstaller.exe
PID 372 wrote to memory of 1688	372	setup43099839.exe	OfferInstaller.exe
PID 372 wrote to memory of 1688	372	setup43099839.exe	OfferInstaller.exe
PID 372 wrote to memory of 1688	372	setup43099839.exe	OfferInstaller.exe
PID 372 wrote to memory of 1600	372	setup43099839.exe	cmd.exe
PID 372 wrote to memory of 1600	372	setup43099839.exe	cmd.exe
PID 372 wrote to memory of 1600	372	setup43099839.exe	cmd.exe
PID 372 wrote to memory of 1600	372	setup43099839.exe	cmd.exe
PID 1600 wrote to memory of 2492	1600	cmd.exe	tasklist.exe
PID 1600 wrote to memory of 2492	1600	cmd.exe	tasklist.exe
PID 1600 wrote to memory of 2492	1600	cmd.exe	tasklist.exe
PID 1600 wrote to memory of 2492	1600	cmd.exe	tasklist.exe
PID 1600 wrote to memory of 2088	1600	cmd.exe	find.exe
PID 1600 wrote to memory of 2088	1600	cmd.exe	find.exe
PID 1600 wrote to memory of 2088	1600	cmd.exe	find.exe
PID 1600 wrote to memory of 2088	1600	cmd.exe	find.exe
PID 1600 wrote to memory of 2552	1600	cmd.exe	timeout.exe
PID 1600 wrote to memory of 2552	1600	cmd.exe	timeout.exe
PID 1600 wrote to memory of 2552	1600	cmd.exe	timeout.exe
PID 1600 wrote to memory of 2552	1600	cmd.exe	timeout.exe
PID 1688 wrote to memory of 2104	1688	OfferInstaller.exe	cmd.exe
PID 1688 wrote to memory of 2104	1688	OfferInstaller.exe	cmd.exe
PID 1688 wrote to memory of 2104	1688	OfferInstaller.exe	cmd.exe
PID 1688 wrote to memory of 2104	1688	OfferInstaller.exe	cmd.exe
PID 2104 wrote to memory of 2300	2104	cmd.exe	tasklist.exe
PID 2104 wrote to memory of 2300	2104	cmd.exe	tasklist.exe
PID 2104 wrote to memory of 2300	2104	cmd.exe	tasklist.exe
PID 2104 wrote to memory of 2300	2104	cmd.exe	tasklist.exe
PID 2104 wrote to memory of 320	2104	cmd.exe	find.exe
PID 2104 wrote to memory of 320	2104	cmd.exe	find.exe
PID 2104 wrote to memory of 320	2104	cmd.exe	find.exe
PID 2104 wrote to memory of 320	2104	cmd.exe	find.exe
PID 2104 wrote to memory of 1016	2104	cmd.exe	timeout.exe
PID 2104 wrote to memory of 1016	2104	cmd.exe	timeout.exe
PID 2104 wrote to memory of 1016	2104	cmd.exe	timeout.exe
PID 2104 wrote to memory of 1016	2104	cmd.exe	timeout.exe
PID 2104 wrote to memory of 748	2104	cmd.exe	tasklist.exe
PID 2104 wrote to memory of 748	2104	cmd.exe	tasklist.exe
PID 2104 wrote to memory of 748	2104	cmd.exe	tasklist.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\i42qt.html
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2616

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2616 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2344

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MNCIS1YI\Counter Blox Hack Pack_43099839.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MNCIS1YI\Counter Blox Hack Pack_43099839.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1328

C:\Users\Admin\AppData\Local\setup43099839.exe
C:\Users\Admin\AppData\Local\setup43099839.exe hhwnd=328152 hreturntoinstaller hextras=id:d8d090d10951db6-AU-i42qt
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:372

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe"
4⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat""
5⤵
- Suspicious use of WriteProcessMemory
PID:2104

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "PID eq 1688" /fo csv
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\SysWOW64\find.exe
find /I "1688"
6⤵
PID:320

C:\Windows\SysWOW64\timeout.exe
timeout 1
6⤵
- Delays execution with timeout.exe
PID:1016

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "PID eq 1688" /fo csv
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\SysWOW64\find.exe
find /I "1688"
6⤵
PID:2124

C:\Windows\SysWOW64\timeout.exe
timeout 5
6⤵
- Delays execution with timeout.exe
PID:2196

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat""
4⤵
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "PID eq 372" /fo csv
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Windows\SysWOW64\find.exe
find /I "372"
5⤵
PID:2088

C:\Windows\SysWOW64\timeout.exe
timeout 5
5⤵
- Delays execution with timeout.exe
PID:2552

C:\Users\Admin\AppData\Local\setup43099839.exe
C:\Users\Admin\AppData\Local\setup43099839.exe hready
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2588

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\link.txt
3⤵
- Opens file in notepad (likely ransom note)
PID:1536

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Software Discovery

T1518

Security Software Discovery

T1518.001

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
1KB

MD5
7575c39a544943a68ce6e709c586005a

SHA1
4874b30bd1d455b28a95c4e21c5aecd1ea043d7a

SHA256
4737de49245ace1ca1fdeaacd5feee9bbda88bc6f42c84a1ea7d316383792cf8

SHA512
abf3d85393725113e720cbe8980b369236511e3984e8cbfa795f19bb5d6e39822e80a835caeb498581797a74b349765ba1a27f26586a17a66ae1c88bd066a3d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
e8246b5ec5d0a4f247a98d01015039ff

SHA1
0dc15aa573abdce63360db47fa18a179efefbb86

SHA256
b0c28e8997c95a47c06c02c14908ccda7f39100b188439f6ec89160eacf10f8f

SHA512
a700392f59796c72aab81a1f7ee71a14ba67b936e3a336567d34d102c362f9588d779762838f8db65ab9ecc9bded0dc06ba63427e78ea91c0460e6a9a1de6cd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
054c886489660a53e12875a8001a2788

SHA1
0dfe062251f162f6b05849291b66d5cf84481bdb

SHA256
71a0503eae9e0311fb33cb39a98e534a3b759502ba0fa90f89cc551a0a728021

SHA512
a7cc59a009e3e7eb3e30a9e6cb97a20b4d0e3bec407833f012aac9f0aa6edae0c996908106710358c433b4a40ed3d657697d6815370ffeb31e3e6c0a137cc64e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
a30a70979e4a5baa6f7749a5f9e4206b

SHA1
0d06fb79ba1c2b0bdad245dc39a2de2277a842ab

SHA256
1660517a503e875640081e4dbd6c03d24fbadb8ff7df489ec84f1000e8832466

SHA512
1021d584da5808bbea38193563db62b22817415ac0166b55b41e5f8d468c7808b8813c739ad5dae1793c73141af3bbb3c117de76d117ca57eec91da055e1fdab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
746666e3ef1b55269a098cd40b2c59de

SHA1
b2a97cc7a5f8508869ab34c71e77d9060ba2a1a3

SHA256
96f7fa7f5f378223404e71f6419af916b66845ca17af1df5dc12d4c3644fc1d9

SHA512
ade83a22306f8ee5038892227d057831d4bab8e810d29f1fd74827b945df0d60e9202050ed43b8f32f8035588969946509a7b906c1c6b2f505250382940e3d2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
69de1552d44a254eeb2eb49ac17a9a2d

SHA1
17b9cecdee3ea99ca0a1810d83a9067b06ac5761

SHA256
9d79a69e5a0e697dcc42e057fcf4c2d3fc00d77660a0f226f180183634c38c25

SHA512
858133f227e8391d443e41d4b62d98ed7785365e7e414839cf859399e246fceb9979d47e85c781880582aee0b29e5d52df4a2908cf7661ecfd27540b70513e24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
808464584f79afded395692d23d94ef1

SHA1
5b17a6ba99f1823aa7c7ed55e8e5883c1b79234e

SHA256
099883c7be24a1950f3a75e4a59a6e86752bcaf3b759c35bd99f70436b4f45fe

SHA512
6f45d000ac5dc5975a9f88038ae85341015acc6ec30fef59ad3a03d66fe0524aa87cd43e2ef9588bc0bf83870f30f90b3ccc5965b76904f9189fd118df855bcc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
37209fe08861d84a7946be5f0098b9ab

SHA1
b8595edf8ca76ecb1faf2b23865352e2ba933445

SHA256
bd68acb9a1e46f9c44f201a46a1d94c354af4b77d7a67a54fa5518134954fde2

SHA512
a26071cf111a314a9fbbcadf16c47b6f5c763fdc35fa59c2e9c1a6c06c198602d5c7a81a1c45dc247a6aa71d632bdbab6572e66287f1d8bba6fa5da6c355d6f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
11ec69e87626a5d3bf061e6b19a605f0

SHA1
21467e718b70fc649d095236e152f9775ad0f6af

SHA256
d331cdd01047ae03707beb79a573430bec166af2a29906dcc551f69679466bcd

SHA512
52003c8537940bdd3c739735d2aa65dc59445617de3e461ab0c24ddfe426045b2b0d2cebe3a75eab9fa550bc00a605ceee589a9d6b1927bf967eda15d09bb1c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
f11fd98e55cc65c829217331e484c51f

SHA1
2ce52afb00221d37195547c3bab0676ebebbbdab

SHA256
11129385e122bf8cc5300a75d8bc2016a37d55955dd912ac17786ef02c3ce31f

SHA512
c813a5dfac6bf967c632a3d8ada180f46d9bdecffd3847aa54315efcf1abe071b6c3452b7fea8773ed9c2bf6f38073a64c7a9f35785b46cd4449228676ab965b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
241c569bf02f1caeccf2185fa3e40769

SHA1
28f03ef7b03e5ed582e0abde938b5c223c07c849

SHA256
2ca5aea0fb45550911af948bd913c9a8f83784d9b7ab4d0c0657742f7f1ef3a7

SHA512
e79b23e45a9763e3eba9df3feb24c69eb376ef58056585febfa571d2de0b0936151f2a9c83d2dc5a0b2146a42ca61376c8b8546e95c4c414debc02e21fc5e537

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d65e9f6b1e841d6b612eecb161682194

SHA1
f2fbff77cef20ef65402f06377a12d6c27ad14fb

SHA256
e0d8bd94edd659e75425e907f43c6a08c0a20736c756d416adf639106c6aba75

SHA512
0c001fb99071a2c2d072742e9e6db2b2af45654b52a62579c2a963508fdd15576fb7b401c552ea6ce93a5e405bb53647cf5a77ae9b71779531414b2ee270a619

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
e5a73cbe09df4b81ed53df72305c7049

SHA1
42e3e0d847572830b1f43af25f43d90a2d786b4c

SHA256
05ad1c9f7c3404022d3aa72b5da4951affb523e4bb1adb131136b641d6f53cd6

SHA512
1f1d323d9ea1f4ff4e5507e1865a8072d8f3e0254f96b841c18030501e2a1fec899a6ad4a82db3dac069005046ec13d31dedd3797854b571097533a9df8b30ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
80b80787ae3d9009cbea1b593e758ea5

SHA1
7c68cf1977ae7fbad6b31a06480ab926fb289250

SHA256
d1e81a960d4d913c99a897c67ae986d2087e8f25fda69b5d4c3fba2d07c1bd55

SHA512
eb185c04e8a7551973ad0d976644fdd6b7bd0aa7f6c9f4b5762c0850d462c776c1b1a19409dcd8d53ecee5671f013548428807a7338c2ef6d96f5c6eb7d4bc59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
8d6b06bbecc27c3c9cd40629598e22c6

SHA1
eba4bf936aa1b9ef802ab9ce1b7ea7954f72ddea

SHA256
f0ca2ca57634bb1abb53bc18a4dd4d985e3fd38f2e92dd1874cae5f0fdb6edd5

SHA512
0ceee7a2d4657668eb619e439499607407a852e9ac32e773dec83d7bc961282690690bb6fad3d1d2afc99f5786579e3c0fad29772d68d65ae28e8083ced67ce7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
421a2c798575b16c3612efd4c2fb5d87

SHA1
cf7c6862fab8d3d933f506203e7979dd5b71e5a1

SHA256
7e2396eef2e5a9ba91cbe9b357ed9644ceac955708af0e9edafa518a83f6a339

SHA512
1f68edd5aebee06e2da59a0f3bef9a827f4c68c1e0753f26881edb2f83206cd6092c423862ed37035a8d4c9fd7d936f50988d2bc8d266f7ee94b24d233afdbd9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
225fc09289a514337ab8855fe1186aaf

SHA1
b2cea8516f1ee24ebd5a60daf8cd77b679d3765b

SHA256
bd86c69e427d3cff8a51eafbca37c4a15fef1a9b5289e63f586c52dd17ffcec8

SHA512
f2c9fe046a72c258fd6889f9c673d33ee9643b6d2fed413ffb524d386aea5b31d0c3bbf67bb9c6b1aa513034ed521dd7b69654283b7ea8e3fad43f7e8d1fedf5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
30a4ea959230313c40bc4f3699241dc9

SHA1
11a0f0a234466b89594d163eb8a02a50014fb287

SHA256
a93b7bb4f59d66c9676eedfd2096e2742ce15f761558d7f5885340b0eca90bb2

SHA512
78aa15afb66750719b897867e4c6466d3f7432610aab06b24f56d3fe38abb4c451492d1d92d2dc014637a74d630a7fc61a504bda8c2e7db476dee74c1b85990d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
9b8566d6f04cce68568c9f89b39db428

SHA1
82502effe2429b08e60545765cb9a33f119efbd3

SHA256
34d948f5d5e55b5fee0ff8febad06c939f960ed501310000d90773648271c8a0

SHA512
d53b543a9bbb95a3a434339dbe6bc17e5913f626494b7cf0f410bcd0db3ea69f50bc22bb75e8b779ef83395d8376cfedcc9ce473625f36f0b1f489618730b244

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
cbc4f6da3ce6c869f35ebc0d77b47858

SHA1
850dccaa7e136b87fb93a11d10896ba049d47d65

SHA256
f1eea0641dbcb2b1ca96aaf06eecb2ced2adc17965df7b52089b5382a420e3df

SHA512
582e30d0c9427364361d7ead0e330bc71e83d198961dda918580fe53dfcc9880a7376d49c99f90120fa7d070f918618b1cf3bdb3d20ed2e7281452c4c657455a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
53112a270aaedec2f52c6596766f2829

SHA1
e267aa6887ef4ede1c3cae7eb3cf1f9e2970467a

SHA256
8689eb7f3e59e3dfd6038f4aef9be4277c2ed2d5a3923728ea5dab202a290902

SHA512
3d31f2c52fb8a0f184310860032abcb5642a4bbd28eaa9133a124edfe9302c03c9b0df48ed733f9b3d6e5fc939db2301857d7871dfbec95664ecbca05cf46ff1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
1acbd251764f642a54e1634b4d85e340

SHA1
e5b5c959c057a259805a6416ae8fed51b99f4c79

SHA256
eba9026318485419c6cc136eb5f298f5774419624085cfbe62b5b38affc2a9f5

SHA512
0910bab47435b2d7b2fc7ab7e63ef91ccab32c3eca31f63137d3d23ffe08ce662a6e83220e68241c469c605a58d38896a4e6004a4df4ceb095f146bb7d995dff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d79eb3c44cec6c95178ac163dca23ae0

SHA1
6913a6557d55b8dacf1d654f19b27a028c18880a

SHA256
722be59d067ec27bb18ab8cdb7291a2954413a74deca2239f98fdc2fd6c32a8c

SHA512
76410c9a91f9497610065bf17f64b2ebcea58745af539c4df1d18e823f468b10b28848a0f3b518c4946271175e82dc28706406cfa4d03273bf0a90dfae039a0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
d8ff8dd7e812c472f4171b4d1377615f

SHA1
c9e51018a17b3269cd63171191097f9ebdd48ba0

SHA256
dd1a94b450208b2218f9ebec4f9d7214ca734f2782e098c7c60e4539f58a907c

SHA512
cbaba5b0b11ca47567684d27d497d4c2ee1d9a3e55b1c940b6969f6b797ca43bd278cf2fb4165338dd4b8faaf76a3e03b7805e2c7a4a20bafe31155d20e7a8a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
764e9d45a6db710e0391c84195695ef7

SHA1
1a186775cc8dd82e58f411d2ee11649b29287462

SHA256
e492509e9305a7592a402b611be85c7dc5f998e7d37b088dced7268f5a41f99b

SHA512
1d320e2341ac7278f8ac29826ecf8547a1db081a8ac95c9c6bed826893d07a4cb6030e3fefe589aebfdd4d1ed011e5b650fc74282502fa5a821c7f76b9fcfa3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
7685c29e32e91308a3ad3ed99e504382

SHA1
055d3dbb5588db5bdfd872914f0a9ff4ec3ce0b0

SHA256
9734a1b42f7956cf5ad9fc2782fd3a9a42115d4d9372e93a3e8c6024c19c3779

SHA512
aa2807d5f9f51f1bfc0d9e325aa1b9ca11d0742227160c72bfbc9d0eb9be0a95d6d0416dfdc21849dd95be1ccfe8ac9a8ddd9207ed460255697b87f25c417c03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
4e3e830a0fce83c1cc599078e1fe2c12

SHA1
2eedd9331c6d08755a24187d8df831789663bab8

SHA256
8f6afbbfd70898634541cff2094515033e599a9e2924d5ee6dd21483d99654fa

SHA512
48c41076d1af02b7ce0e980f7961a0cddbcc8bf4a48d8335e40c2e8e387a4dc36d6c86462d83e04345e698f94df526dce0f323c70b4168cd5fc4f65bbde3d44c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
342333ca635a5f45ab503c99c068840f

SHA1
463f7177e5d7888a2bf518b412e6452a6409df99

SHA256
b6549e76d8358bd075f9a7ddb6fe0ce687983e96a1d0ee24639c1a68370bab7e

SHA512
5dc97405d1f60ac9d09ac8785131d71044c46d352bc36a5e0ed283790d65601e1d9198281ccffe0511c7899e63433a1781af7766b2bfea87a011fbd3334f9a97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ffa3ccf2fda3ed4d41fc32955ee80b4a

SHA1
cea9e5c251f268692c28ccb0255bd4fe281c5dcc

SHA256
ca3c767ba2224560ad1a55adc4d519c049ee15321e96f039d513f7b4afc5507c

SHA512
aceb8ae623ca82f475bb06f3deaaea1a5bf1cf66fb6607105f7fbced4430e41b694d60bd85b4696489733389a9428077a4a75d4abece8dcb7a0cb4d99461148a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
90866e851e5a230b9a90c21569ef5ae9

SHA1
076c88431892b14f3f465e396d465e13029b0a0f

SHA256
fd6260ede942392cfb77370704e00234d7fde1944644564f3a3a2b1146e79a0b

SHA512
030e4b2862a1a39cfb50ff76a2090ec88b63407087cde49a944b2158c14bdd1cce1eb3f25e4d16a30f2f6923eef1e67cd01a5969f1efb88317866a88334e1e1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MNCIS1YI\Counter Blox Hack Pack_43099839[1].exe
Filesize
9.5MB

MD5
3d50042e3e3991be509f56a2951a2183

SHA1
f027790afe9d7ce2ddf17973f0778fb9e983ded1

SHA256
76eee256f1223082e8396611baca498542c656edd0fac5fe903e06e6cb5677e2

SHA512
120c6a7778bd9f65f469d3335987b780e736bd895ed944d0988372f891b48f9ba09b50ed9dcffd0bf1fa23a12e215ed1f1ffe75d11c925ff4c08d3e48259a873

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab395B.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat
Filesize
302B

MD5
1624b6590c5ac0acf4289dc85b8a46c2

SHA1
66259280c254c45d4f6637f1b1f9c67e04a65c44

SHA256
23eb19291f535e2e9692c577e75a5766c094964c29f68c40bd8674e9ff1e0dba

SHA512
79e33e77229f6b8c68674fb91090da3a1fd32301f75b20de61d9af49eba94924ed2ae86c062f9a04e35f6a4a56888f4c136f183f1e891546b363c6927327ca70

Download Submit
C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat
Filesize
304B

MD5
6e2d4891323ae82e73d637f153063438

SHA1
5072142c057480d76cef402f3460754017d6ef3c

SHA256
9aaf87d7f93c3af5e7f68f2d042df0257e4292968fb6b6da317b99caba7a8329

SHA512
d79dee5787b47eeac1abaf8a877f570890ea64e06879f8b3cbce7ae4a549cbf328fd5046614bc5ffc74b8828898cdd0dfa7242eac9b84d1ad390eb136e5ecbcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar395A.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.dll
Filesize
117KB

MD5
08112f27dcd8f1d779231a7a3e944cb1

SHA1
39a98a95feb1b6295ad762e22aa47854f57c226f

SHA256
11c6a8470a3f2b2be9b8cafe5f9a0afce7303bfd02ab783a0f0ee09a184649fa

SHA512
afd0c7df58b63c7cfdbedea7169a1617f2ac4bad07347f8ed7757a25ab0719489d93272109b73a1b53e9c5997dedad8da89da7b339d30fc2573ca2f76c630ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OResources.dll
Filesize
19KB

MD5
554c3e1d68c8b5d04ca7a2264ca44e71

SHA1
ef749e325f52179e6875e9b2dd397bee2ca41bb4

SHA256
1eb0795b1928f6b0459199dace5affdc0842b6fba87be53ca108661275df2f3e

SHA512
58ce13c47e0daf99d66af1ea35984344c0bb11ba70fe92bc4ffa4cd6799d6f13bcad652b6883c0e32c6e155e9c1b020319c90da87cb0830f963639d53a51f9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Resources\OfferPage.html
Filesize
1KB

MD5
9ba0a91b564e22c876e58a8a5921b528

SHA1
8eb23cab5effc0d0df63120a4dbad3cffcac6f1e

SHA256
2ad742b544e72c245f4e9c2e69f989486222477c7eb06e85d28492bd93040941

SHA512
38b5fb0f12887a619facce82779cb66e2592e5922d883b9dc4d5f9d2cb12e0f84324422cd881c948f430575febd510e948a22cd291595e3a0ba0307fce73bec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Resources\tis\Config.tis
Filesize
291B

MD5
bf5328e51e8ab1211c509b5a65ab9972

SHA1
480dfb920e926d81bce67113576781815fbd1ea4

SHA256
98f22fb45530506548ae320c32ee4939d27017481d2ad0d784aa5516f939545b

SHA512
92bd7895c5ff8c40eecfdc2325ee5d1fb7ed86ce0ef04e8e4a65714fcf5603ea0c87b71afadb473433abb24f040ccabd960fa847b885322ad9771e304b661928

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\app.ico
Filesize
766B

MD5
4003efa6e7d44e2cbd3d7486e2e0451a

SHA1
a2a9ab4a88cd4732647faa37bbdf726fd885ea1e

SHA256
effd42c5e471ea3792f12538bf7c982a5cda4d25bfbffaf51eed7e09035f4508

SHA512
86e71ca8ca3e62949b44cfbc7ffa61d97b6d709fc38216f937a026fb668fbb1f515bac2f25629181a82e3521dafa576cac959d2b527d9cc9eb395e50d64c1198

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.LastScreen.dll
Filesize
57KB

MD5
6e001f8d0ee4f09a6673a9e8168836b6

SHA1
334ad3cf0e4e3c03415a4907b2d6cf7ba4cbcd38

SHA256
6a30f9c604c4012d1d2e1ba075213c378afb1bfcb94276de7995ed7bbf492859

SHA512
0eff2e6d3ad75abf801c2ab48b62bc93ebc5a128d2e03e507e6e5665ff9a2ab58a9d82ca71195073b971f8c473f339baffdd23694084eaaff321331b5faaecf6

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OCommonResources.dll
Filesize
5.7MB

MD5
38cc1b5c2a4c510b8d4930a3821d7e0b

SHA1
f06d1d695012ace0aef7a45e340b70981ca023ba

SHA256
c2ba8645c5c9507d422961ceaeaf422adf6d378c2a7c02199ed760fb37a727f2

SHA512
99170f8094f61109d08a6e7cf25e7fba49160b0009277d10e9f0b9dac6f022e7a52e3d822e9aee3f736c2d285c4c3f62a2e6eb3e70f827ac6e8b867eea77f298

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2ODAL.dll
Filesize
15KB

MD5
422be1a0c08185b107050fcf32f8fa40

SHA1
c8746a8dad7b4bf18380207b0c7c848362567a92

SHA256
723aea78755292d2f4f87ad100a99b37bef951b6b40b62e2e2bbd4df3346d528

SHA512
dff51c890cb395665839070d37170d321dc0800981a42f173c6ea570684460146b4936af9d8567a6089bef3a7802ac4931c14031827689ef345ea384ceb47599

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OModels.dll
Filesize
75KB

MD5
c06ac6dcfa7780cd781fc9af269e33c0

SHA1
f6b69337b369df50427f6d5968eb75b6283c199d

SHA256
b23b8310265c14d7e530b80defc6d39cdc638c07d07cd2668e387863c463741d

SHA512
ad167ad62913243e97efaeaa7bad38714aba7fc11f48001974d4f9c68615e9bdfb83bf623388008e77d61cee0eaba55ce47ebbb1f378d89067e74a05a11d9fe3

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OServices.dll
Filesize
160KB

MD5
6df226bda27d26ce4523b80dbf57a9ea

SHA1
615f9aba84856026460dc54b581711dad63da469

SHA256
17d737175d50eee97ac1c77db415fe25cc3c7a3871b65b93cc3fad63808a9abc

SHA512
988961d7a95c9883a9a1732d0b5d4443c790c38e342a9e996b072b41d2e8686389f36a249f2232cb58d72f8396c849e9cc52285f35071942bec5c3754b213dd5

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OUtilities.dll
Filesize
119KB

MD5
9d2c520bfa294a6aa0c5cbc6d87caeec

SHA1
20b390db533153e4bf84f3d17225384b924b391f

SHA256
669c812cb8f09799083014a199b0deee10237c95fb49ee107376b952fee5bd89

SHA512
7e2e569549edb6ddd2b0cb0012386aed1f069e35d1f3045bb57704ef17b97129deb7cde8e23bc49980e908e1a5a90b739f68f36a1d231b1302a5d29b722e7c15

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OViewModels.dll
Filesize
8KB

MD5
be4c2b0862d2fc399c393fca163094df

SHA1
7c03c84b2871c27fa0f1914825e504a090c2a550

SHA256
c202e4f92b792d34cb6859361aebdbfc8c61cf9e735edfd95e825839920fb88a

SHA512
d9c531687a5051bbfe5050c5088623b3fd5f20b1e53dd4d3ed281c8769c15f45da36620231f6d0d76f8e2aa7de00c2324a4bf35a815cefc70ca97bc4ab253799

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\HtmlAgilityPack.dll
Filesize
154KB

MD5
17220f65bd242b6a491423d5bb7940c1

SHA1
a33fabf2b788e80f0f7f84524fe3ed9b797be7ad

SHA256
23056f14edb6e0afc70224d65de272a710b5d26e6c3b9fe2dfd022073050c59f

SHA512
bfbe284a2ee7361ada9a9cb192580fd64476e70bc78d14e80ad1266f7722a244d890600cf24bfb83d4914e2434272679ba177ee5f98c709950e43192f05e215e

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\MyDownloader.Core.dll
Filesize
56KB

MD5
f931e960cc4ed0d2f392376525ff44db

SHA1
1895aaa8f5b8314d8a4c5938d1405775d3837109

SHA256
1c1c5330ea35f518bf85fad69dc2da1a98a4dfeadbf6ac0ba0ac7cc51bbcc870

SHA512
7fa5e582ad1bb094cbbb68b1db301dcf360e180eb58f8d726a112133277ceaa39660c6d4b3248c19a8b5767a4ae09f4597535711d789ca4f9f334a204d87ffe0

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\MyDownloader.Extension.dll
Filesize
168KB

MD5
28f1996059e79df241388bd9f89cf0b1

SHA1
6ad6f7cde374686a42d9c0fcebadaf00adf21c76

SHA256
c3f8a46e81f16bbfc75de44dc95f0d145213c8af0006bb097950ac4d1562f5ce

SHA512
9654d451cb2f184548649aa04b902f5f6aff300c6f03b9261ee3be5405527b4f23862d8988f9811987da22e386813e844e7c5068fd6421c91551f5b33c625f29

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Newtonsoft.Json.dll
Filesize
541KB

MD5
9de86cdf74a30602d6baa7affc8c4a0f

SHA1
9c79b6fbf85b8b87dd781b20fc38ba2ac0664143

SHA256
56032ade45ccf8f4c259a2e57487124cf448a90bca2eeb430da2722d9e109583

SHA512
dca0f6078df789bb8c61ffb095d78f564bfc3223c6795ec88aeb5f132c014c5e3cb1bd8268f1e5dc96d7302c7f3de97e73807f3583cb4a320d7adbe93f432641

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Ninject.dll
Filesize
133KB

MD5
8db691813a26e7d0f1db5e2f4d0d05e3

SHA1
7c7a33553dd0b50b78bf0ca6974c77088da253eb

SHA256
3043a65f11ac204e65bca142ff4166d85f1b22078b126b806f1fecb2a315c701

SHA512
d02458180ec6e6eda89b5b0e387510ab2fad80f9ce57b8da548aaf85c34a59c39afaeacd1947bd5eb81bee1f6d612ca57d0b2b756d64098dfc96ca0bf2d9f62f

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferSDK.dll
Filesize
172KB

MD5
b199dcd6824a02522a4d29a69ab65058

SHA1
f9c7f8c5c6543b80fa6f1940402430b37fa8dce4

SHA256
9310a58f26be8bd453cde5ca6aa05042942832711fbdeb5430a2840232bfa5e4

SHA512
1d3e85e13ff24640c76848981ca84bafb32f819a082e390cb06fe13445814f50f8e3fc3a8a8e962aae8867e199c1517d570c07f28d5f7e5f007b2bb6e664ddb1

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\SciterWrapper.dll
Filesize
134KB

MD5
105a9e404f7ac841c46380063cc27f50

SHA1
ec27d9e1c3b546848324096283797a8644516ee3

SHA256
69fe749457218ec9a765f9aac74caf6d4f73084cf5175d3fd1e4f345af8b3b8b

SHA512
6990cbfc90c63962abde4fdaae321386f768be9fcf4d08bccd760d55aba85199f7a3e18bd7abe23c3a8d20ea9807cecaffb4e83237633663a8bb63dd9292d940

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.Net.dll
Filesize
101KB

MD5
83d37fb4f754c7f4e41605ec3c8608ea

SHA1
70401de8ce89f809c6e601834d48768c0d65159f

SHA256
56db33c0962b3c34cba5279d2441bc4c12f28b569eadc1b3885dd0951b2c4020

SHA512
f5f3479f485b1829bbfb7eb8087353aee569184f9c506af15c4e28bfe4f73bf2cc220d817f6dfc34b2a7a6f69453f0b71e64b79c4d500ff9a243799f68e88b9f

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.dll
Filesize
151KB

MD5
72990c7e32ee6c811ea3d2ea64523234

SHA1
a7fcbf83ec6eefb2235d40f51d0d6172d364b822

SHA256
e77e0b4f2762f76a3eaaadf5a3138a35ec06ece80edc4b3396de7a601f8da1b3

SHA512
2908b8c387d46b6329f027bc1e21a230e5b5c32460f8667db32746bc5f12f86927faa10866961cb2c45f6d594941f6828f9078ae7209a27053f6d11586fd2682

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\msvcp140.dll
Filesize
426KB

MD5
8ff1898897f3f4391803c7253366a87b

SHA1
9bdbeed8f75a892b6b630ef9e634667f4c620fa0

SHA256
51398691feef7ae0a876b523aec47c4a06d9a1ee62f1a0aee27de6d6191c68ad

SHA512
cb071ad55beaa541b5baf1f7d5e145f2c26fbee53e535e8c31b8f2b8df4bf7723f7bef214b670b2c3de57a4a75711dd204a940a2158939ad72f551e32da7ab03

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\sciter32.dll
Filesize
5.6MB

MD5
b431083586e39d018e19880ad1a5ce8f

SHA1
3bbf957ab534d845d485a8698accc0a40b63cedd

SHA256
b525fdcc32c5a359a7f5738a30eff0c6390734d8a2c987c62e14c619f99d406b

SHA512
7805a3464fcc3ac4ea1258e2412180c52f2af40a79b540348486c830a20c2bbed337bbf5f4a8926b3ef98c63c87747014f5b43c35f7ec4e7a3693b9dbd0ae67b

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\vcruntime140.dll
Filesize
74KB

MD5
1a84957b6e681fca057160cd04e26b27

SHA1
8d7e4c98d1ec858db26a3540baaaa9bbf96b5bfe

SHA256
9faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5

SHA512
5f54c9e87f2510c56f3cf2ceeb5b5ad7711abd9f85a1ff84e74dd82d15181505e7e5428eae6ff823f1190964eb0a82a569273a4562ec4131cecfa00a9d0d02aa

Download Submit
\Users\Admin\AppData\Local\setup43099839.exe
Filesize
3.8MB

MD5
29d3a70cec060614e1691e64162a6c1e

SHA1
ce4daf2b1d39a1a881635b393450e435bfb7f7d1

SHA256
cc70b093a19610e9752794d757aec9ef07ca862ea9267ec6f9cc92b2aa882c72

SHA512
69d07437714259536373872e8b086fc4548f586e389f67e50f56d343e980546f92b8a13f28c853fc1daf187261087a9dceb33769ba2031c42382742d86c60e4b

Download Submit
memory/372-635-0x0000000002340000-0x0000000002372000-memory.dmp

Filesize
200KB

Download
memory/372-798-0x0000000004D90000-0x0000000004D9A000-memory.dmp

Filesize
40KB

Download
memory/372-659-0x00000000023C0000-0x00000000023CA000-memory.dmp

Filesize
40KB

Download
memory/372-651-0x0000000002410000-0x0000000002434000-memory.dmp

Filesize
144KB

Download
memory/372-643-0x0000000002380000-0x000000000239A000-memory.dmp

Filesize
104KB

Download
memory/372-812-0x0000000006BD0000-0x0000000007184000-memory.dmp

Filesize
5.7MB

Download
memory/372-667-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download
memory/372-804-0x00000000055E0000-0x00000000055EC000-memory.dmp

Filesize
48KB

Download
memory/372-1236-0x000000007120E000-0x000000007120F000-memory.dmp

Filesize
4KB

Download
memory/372-1237-0x0000000071200000-0x00000000718EE000-memory.dmp

Filesize
6.9MB

Download
memory/372-627-0x0000000002310000-0x0000000002338000-memory.dmp

Filesize
160KB

Download
memory/372-619-0x00000000009E0000-0x0000000000A0E000-memory.dmp

Filesize
184KB

Download
memory/372-687-0x00000000046F0000-0x000000000470D000-memory.dmp

Filesize
116KB

Download
memory/372-885-0x0000000005960000-0x000000000598E000-memory.dmp

Filesize
184KB

Download
memory/372-1262-0x0000000071200000-0x00000000718EE000-memory.dmp

Filesize
6.9MB

Download
memory/372-611-0x00000000009B0000-0x00000000009D8000-memory.dmp

Filesize
160KB

Download
memory/372-603-0x0000000000640000-0x0000000000664000-memory.dmp

Filesize
144KB

Download
memory/372-595-0x0000000000460000-0x0000000000474000-memory.dmp

Filesize
80KB

Download
memory/372-791-0x0000000006040000-0x00000000060CC000-memory.dmp

Filesize
560KB

Download
memory/372-587-0x0000000071200000-0x00000000718EE000-memory.dmp

Filesize
6.9MB

Download
memory/372-675-0x00000000046C0000-0x00000000046EC000-memory.dmp

Filesize
176KB

Download
memory/372-703-0x00000000048E0000-0x00000000048F2000-memory.dmp

Filesize
72KB

Download
memory/372-575-0x0000000000A10000-0x0000000000DE8000-memory.dmp

Filesize
3.8MB

Download
memory/372-574-0x000000007120E000-0x000000007120F000-memory.dmp

Filesize
4KB

Download
memory/1688-1254-0x0000000000110000-0x000000000011C000-memory.dmp

Filesize
48KB

Download