fabookie | 35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6

Analysis

max time kernel
60s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-11-2024 05:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe
Size

3.0MB
MD5

c76c6e7e74912b92f4be08b80eac3f30
SHA1

2bbcb41d29a4e37e0e4e59ab5cbb41a7945624d2
SHA256

35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6
SHA512

17dcb414adecdc4f3f444773e8fd36bdb02f589215c711a5124992217c7e20875466bb65d33b9f1e68ff6b3a3b3559940b5cf324fc804903f018935311d6203c
SSDEEP

98304:Pb/M9bRZDpjdWAVq4t7LobX7cj5smjW5vnmN:PDM9bRrk85JLobLWxme

Score

10^/10

fabookie privateloader redline socelars faker pablicher discovery evasion execution infostealer loader persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

Pablicher

45.9.20.253:11452

Attributes

auth_value
d98cb5afc65a5d402a2e09ebd09bb93d

Extracted

Family

socelars

http://www.yarchworkshop.com/

Extracted

Family

privateloader

http://212.193.30.45/proxies.txt

http://45.144.225.57/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

2.56.59.42

Extracted

Family

redline

Botnet

Faker

51.79.188.112:7110

Attributes

auth_value
fec424fa9c2b5dd3642344ee728bc32e

Signatures

Detect Fabookie payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX1\frlzd.exe	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Fabookie family
fabookie
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Privateloader family
privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 36 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2060-39-0x00000000003D0000-0x0000000000404000-memory.dmp	family_redline
behavioral1/memory/2060-40-0x0000000002170000-0x00000000021A2000-memory.dmp	family_redline
behavioral1/memory/2060-60-0x0000000002170000-0x000000000219D000-memory.dmp	family_redline
behavioral1/memory/2060-80-0x0000000002170000-0x000000000219D000-memory.dmp	family_redline
behavioral1/memory/2060-94-0x0000000002170000-0x000000000219D000-memory.dmp	family_redline
behavioral1/memory/2060-92-0x0000000002170000-0x000000000219D000-memory.dmp	family_redline
behavioral1/memory/2060-90-0x0000000002170000-0x000000000219D000-memory.dmp	family_redline
behavioral1/memory/2060-88-0x0000000002170000-0x000000000219D000-memory.dmp	family_redline
behavioral1/memory/2060-86-0x0000000002170000-0x000000000219D000-memory.dmp	family_redline
behavioral1/memory/2060-84-0x0000000002170000-0x000000000219D000-memory.dmp	family_redline
behavioral1/memory/2060-82-0x0000000002170000-0x000000000219D000-memory.dmp	family_redline
behavioral1/memory/2060-78-0x0000000002170000-0x000000000219D000-memory.dmp	family_redline
behavioral1/memory/2060-76-0x0000000002170000-0x000000000219D000-memory.dmp	family_redline
behavioral1/memory/2060-74-0x0000000002170000-0x000000000219D000-memory.dmp	family_redline
behavioral1/memory/2060-72-0x0000000002170000-0x000000000219D000-memory.dmp	family_redline
behavioral1/memory/2060-70-0x0000000002170000-0x000000000219D000-memory.dmp	family_redline
behavioral1/memory/2060-68-0x0000000002170000-0x000000000219D000-memory.dmp	family_redline
behavioral1/memory/2060-66-0x0000000002170000-0x000000000219D000-memory.dmp	family_redline
behavioral1/memory/2060-64-0x0000000002170000-0x000000000219D000-memory.dmp	family_redline
behavioral1/memory/2060-62-0x0000000002170000-0x000000000219D000-memory.dmp	family_redline
behavioral1/memory/2060-58-0x0000000002170000-0x000000000219D000-memory.dmp	family_redline
behavioral1/memory/2060-56-0x0000000002170000-0x000000000219D000-memory.dmp	family_redline
behavioral1/memory/2060-54-0x0000000002170000-0x000000000219D000-memory.dmp	family_redline
behavioral1/memory/2060-52-0x0000000002170000-0x000000000219D000-memory.dmp	family_redline
behavioral1/memory/2060-50-0x0000000002170000-0x000000000219D000-memory.dmp	family_redline
behavioral1/memory/2060-48-0x0000000002170000-0x000000000219D000-memory.dmp	family_redline
behavioral1/memory/2060-46-0x0000000002170000-0x000000000219D000-memory.dmp	family_redline
behavioral1/memory/2060-44-0x0000000002170000-0x000000000219D000-memory.dmp	family_redline
behavioral1/memory/2060-42-0x0000000002170000-0x000000000219D000-memory.dmp	family_redline
behavioral1/memory/2060-41-0x0000000002170000-0x000000000219D000-memory.dmp	family_redline
behavioral1/memory/2060-100-0x0000000002170000-0x000000000219D000-memory.dmp	family_redline
behavioral1/memory/2060-102-0x0000000002170000-0x000000000219D000-memory.dmp	family_redline
behavioral1/memory/2060-98-0x0000000002170000-0x000000000219D000-memory.dmp	family_redline
behavioral1/memory/2060-96-0x0000000002170000-0x000000000219D000-memory.dmp	family_redline
behavioral1/memory/5592-1226-0x0000000000B10000-0x0000000000B30000-memory.dmp	family_redline
behavioral1/memory/5028-1247-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Redline family
redline
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars

Socelars payload 1 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\askinstall492.exe	family_socelars

UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

Processes.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Processes.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Processes.exe

Windows security bypass 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

Processes.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	Processes.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\RarSFX0\Processes.exe = "0"	Processes.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Microsoft.NET\Framework\mirzas\svchost.exe = "0"	Processes.exe

Detected Nirsoft tools 2 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX1\frlzd.exe	Nirsoft
C:\Users\Admin\AppData\Local\Temp\11111.exe	Nirsoft

NirSoft WebBrowserPassView 2 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX1\frlzd.exe	WebBrowserPassView
C:\Users\Admin\AppData\Local\Temp\11111.exe	WebBrowserPassView

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

3952 powershell.exe
4252 powershell.exe
3804 powershell.exe
3900 powershell.exe

pid	process
3952	powershell.exe
4252	powershell.exe
3804	powershell.exe
3900	powershell.exe

Executes dropped EXE 11 IoCs

Processes:

Proxypub.exeProcess.exeProcesses.exeFolder.exeRobCleanerInstlSo22812.exeaskinstall492.exeFolder.exeFile.exeFiles.exefrlzd.exe11111.exe

pid	process
2060	Proxypub.exe
5440	Process.exe
5592	Processes.exe
5708	Folder.exe
5780	RobCleanerInstlSo22812.exe
5916	askinstall492.exe
5992	Folder.exe
6020	File.exe
6116	Files.exe
2280	frlzd.exe
5324	11111.exe

Loads dropped DLL 42 IoCs

Processes:

35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exeProcess.exeFolder.exeFiles.exeWerFault.exeWerFault.exe

pid	process
2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe
2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe
2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe
2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe
2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe
2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe
2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe
5440	Process.exe
5440	Process.exe
5440	Process.exe
5440	Process.exe
2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe
2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe
2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe
2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe
2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe
2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe
2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe
2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe
2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe
2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe
2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe
2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe
2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe
5708	Folder.exe
2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe
2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe
2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe
2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe
2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe
2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe
2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe
6116	Files.exe
1828	WerFault.exe
1828	WerFault.exe
1828	WerFault.exe
1828	WerFault.exe
1828	WerFault.exe
5212	WerFault.exe
5212	WerFault.exe
5212	WerFault.exe
5212	WerFault.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

Processes.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	Processes.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	Processes.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\RarSFX0\Processes.exe = "0"	Processes.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Microsoft.NET\Framework\mirzas\svchost.exe = "0"	Processes.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Processes.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zaikais = "C:\\Windows\\Microsoft.NET\\Framework\\mirzas\\svchost.exe"	Processes.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Files.exe35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exeProcesses.exeProcess.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Files.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Processes.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Processes.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Process.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

Processes:

flow	ioc
28	iplogger.org
29	iplogger.org
39	iplogger.org
50	pastebin.com
6	iplogger.org
12	iplogger.org
27	iplogger.org
38	iplogger.org
49	pastebin.com
7	iplogger.org
8	iplogger.org
11	iplogger.org

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

18 ip-api.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of SetThreadContext 1 IoCs

Processes:

Processes.exe

description pid process target process

PID 5592 set thread context of 5028 5592 Processes.exe jsc.exe

flow	ioc
18	ip-api.com

description	pid	process	target process
PID 5592 set thread context of 5028	5592	Processes.exe	jsc.exe

Drops file in Windows directory 2 IoCs

Processes:

Processes.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\mirzas\svchost.exe	Processes.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\mirzas\svchost.exe	Processes.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1828 5780 WerFault.exe RobCleanerInstlSo22812.exe

pid	pid_target	process	target process
1828	5780	WerFault.exe	RobCleanerInstlSo22812.exe

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Files.exepowershell.execmd.exeProcess.exeIEXPLORE.EXEFolder.exeFolder.exejsc.exetaskkill.exeIEXPLORE.EXEProcesses.exeaskinstall492.exepowershell.exepowershell.exeProxypub.exeRobCleanerInstlSo22812.exeFile.exe11111.exe35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exeIEXPLORE.EXEpowershell.exeIEXPLORE.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Files.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Folder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Folder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Processes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	askinstall492.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Proxypub.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RobCleanerInstlSo22812.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	File.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3316 taskkill.exe

pid	process
3316	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 43 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{28EC9091-9E5D-11EF-81BB-F2BBDB1F0DCB} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d90700000000020000000000106600000001000020000000ccb888af7689714dceeb322290aa6817b8c935cfdbfc6ba9b9239b5b66a5a52d000000000e80000000020000200000004a673e4815e2429fea0caca0399b9bc34a0ca7859ced19cb4afe3374fc0080fb200000006b9b1d94897f3edbacb21b9015398da7c8ecfb8563983af0dd1adf91558cdfec400000008dd87483ca0802a0c29daa7b805e16c6c0bab12f3915955e121192d1cba5473c2dcdfbbc923d7030dfe0e136e0f11aff3a030209cc68e58eb8263d012ac50d41	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d90700000000020000000000106600000001000020000000abf0d38f51d57aae597fb745b39a0c88cce21ebcfd0479e71793cd581b28f146000000000e80000000020000200000000683b0d4d07e94980bed4c67bfdd4d5aa2da80c79ac16690402ad8e2d50bf49a90000000a2e8e06f83695a28249878cae87c604a3102d18b2e584c160286f1e41a9d833fdc9dade1480e7418b2a876dcb3d850b05a3c22c930281810b8a4d338ed661948c3c00483326f29ec146db9ccae5ee9665efc8e6ad4dc70b036e618927797429784ffd5305a11a1e1555dcaa5b0ae160df044de46bfd0cf775f55d7f61f237014f40ab56e52128d46a50972f83881e164400000006eb8ceb82aa25477cef7fb32ad5a778a7722e77c1e39d97e3ccfbf6dc0772aec8392ac613d5443a20aaba1b81ae082742dfbb9e889a5d2f3109e6a587aa6107d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30dd53ee6932db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

NTFS ADS 6 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\wwwE506.tmp\:favicon:$DATA	IEXPLORE.EXE
File created	C:\Users\Admin\AppData\Local\Temp\RarSFX0\ltt.url:favicon	IEXPLORE.EXE
File created	C:\Users\Admin\AppData\Local\Temp\wwwF626.tmp\:favicon:$DATA	IEXPLORE.EXE
File created	C:\Users\Admin\AppData\Local\Temp\RarSFX1\aprt.url:favicon	IEXPLORE.EXE
File created	C:\Users\Admin\AppData\Local\Temp\www1FB3.tmp\:favicon:$DATA	IEXPLORE.EXE
File created	C:\Users\Admin\AppData\Local\Temp\lzst.url:favicon	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe11111.exeProcesses.exeiexplore.exe

pid	process
4252	powershell.exe
3952	powershell.exe
3900	powershell.exe
3804	powershell.exe
5324	11111.exe
5592	Processes.exe
5592	Processes.exe
5324	11111.exe
2760	iexplore.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

Proxypub.exeaskinstall492.exeRobCleanerInstlSo22812.exepowershell.exepowershell.exepowershell.exepowershell.exeProcesses.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	2060	Proxypub.exe
Token: SeCreateTokenPrivilege	5916	askinstall492.exe
Token: SeAssignPrimaryTokenPrivilege	5916	askinstall492.exe
Token: SeLockMemoryPrivilege	5916	askinstall492.exe
Token: SeIncreaseQuotaPrivilege	5916	askinstall492.exe
Token: SeMachineAccountPrivilege	5916	askinstall492.exe
Token: SeTcbPrivilege	5916	askinstall492.exe
Token: SeSecurityPrivilege	5916	askinstall492.exe
Token: SeTakeOwnershipPrivilege	5916	askinstall492.exe
Token: SeLoadDriverPrivilege	5916	askinstall492.exe
Token: SeSystemProfilePrivilege	5916	askinstall492.exe
Token: SeSystemtimePrivilege	5916	askinstall492.exe
Token: SeProfSingleProcessPrivilege	5916	askinstall492.exe
Token: SeIncBasePriorityPrivilege	5916	askinstall492.exe
Token: SeCreatePagefilePrivilege	5916	askinstall492.exe
Token: SeCreatePermanentPrivilege	5916	askinstall492.exe
Token: SeBackupPrivilege	5916	askinstall492.exe
Token: SeRestorePrivilege	5916	askinstall492.exe
Token: SeShutdownPrivilege	5916	askinstall492.exe
Token: SeDebugPrivilege	5916	askinstall492.exe
Token: SeAuditPrivilege	5916	askinstall492.exe
Token: SeSystemEnvironmentPrivilege	5916	askinstall492.exe
Token: SeChangeNotifyPrivilege	5916	askinstall492.exe
Token: SeRemoteShutdownPrivilege	5916	askinstall492.exe
Token: SeUndockPrivilege	5916	askinstall492.exe
Token: SeSyncAgentPrivilege	5916	askinstall492.exe
Token: SeEnableDelegationPrivilege	5916	askinstall492.exe
Token: SeManageVolumePrivilege	5916	askinstall492.exe
Token: SeImpersonatePrivilege	5916	askinstall492.exe
Token: SeCreateGlobalPrivilege	5916	askinstall492.exe
Token: 31	5916	askinstall492.exe
Token: 32	5916	askinstall492.exe
Token: 33	5916	askinstall492.exe
Token: 34	5916	askinstall492.exe
Token: 35	5916	askinstall492.exe
Token: SeDebugPrivilege	5780	RobCleanerInstlSo22812.exe
Token: SeDebugPrivilege	4252	powershell.exe
Token: SeDebugPrivilege	3952	powershell.exe
Token: SeDebugPrivilege	3900	powershell.exe
Token: SeDebugPrivilege	3804	powershell.exe
Token: SeDebugPrivilege	5592	Processes.exe
Token: SeDebugPrivilege	3316	taskkill.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

2760 iexplore.exe
2760 iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

iexplore.exeIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

pid	process
2760	iexplore.exe
2760	iexplore.exe
2776	IEXPLORE.EXE
2776	IEXPLORE.EXE
2760	iexplore.exe
2760	iexplore.exe
5520	IEXPLORE.EXE
5520	IEXPLORE.EXE
4576	IEXPLORE.EXE
4576	IEXPLORE.EXE
4576	IEXPLORE.EXE
4576	IEXPLORE.EXE
5356	IEXPLORE.EXE
5356	IEXPLORE.EXE
5356	IEXPLORE.EXE
5356	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exeiexplore.exeProcess.exeFolder.exeFiles.exeProcesses.exe

description	pid	process	target process
PID 2072 wrote to memory of 2060	2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe	Proxypub.exe
PID 2072 wrote to memory of 2060	2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe	Proxypub.exe
PID 2072 wrote to memory of 2060	2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe	Proxypub.exe
PID 2072 wrote to memory of 2060	2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe	Proxypub.exe
PID 2760 wrote to memory of 2776	2760	iexplore.exe	IEXPLORE.EXE
PID 2760 wrote to memory of 2776	2760	iexplore.exe	IEXPLORE.EXE
PID 2760 wrote to memory of 2776	2760	iexplore.exe	IEXPLORE.EXE
PID 2760 wrote to memory of 2776	2760	iexplore.exe	IEXPLORE.EXE
PID 2072 wrote to memory of 5440	2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe	Process.exe
PID 2072 wrote to memory of 5440	2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe	Process.exe
PID 2072 wrote to memory of 5440	2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe	Process.exe
PID 2072 wrote to memory of 5440	2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe	Process.exe
PID 2760 wrote to memory of 5520	2760	iexplore.exe	IEXPLORE.EXE
PID 2760 wrote to memory of 5520	2760	iexplore.exe	IEXPLORE.EXE
PID 2760 wrote to memory of 5520	2760	iexplore.exe	IEXPLORE.EXE
PID 2760 wrote to memory of 5520	2760	iexplore.exe	IEXPLORE.EXE
PID 5440 wrote to memory of 5592	5440	Process.exe	Processes.exe
PID 5440 wrote to memory of 5592	5440	Process.exe	Processes.exe
PID 5440 wrote to memory of 5592	5440	Process.exe	Processes.exe
PID 5440 wrote to memory of 5592	5440	Process.exe	Processes.exe
PID 2072 wrote to memory of 5708	2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe	Folder.exe
PID 2072 wrote to memory of 5708	2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe	Folder.exe
PID 2072 wrote to memory of 5708	2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe	Folder.exe
PID 2072 wrote to memory of 5708	2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe	Folder.exe
PID 2072 wrote to memory of 5780	2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe	RobCleanerInstlSo22812.exe
PID 2072 wrote to memory of 5780	2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe	RobCleanerInstlSo22812.exe
PID 2072 wrote to memory of 5780	2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe	RobCleanerInstlSo22812.exe
PID 2072 wrote to memory of 5780	2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe	RobCleanerInstlSo22812.exe
PID 2072 wrote to memory of 5916	2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe	askinstall492.exe
PID 2072 wrote to memory of 5916	2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe	askinstall492.exe
PID 2072 wrote to memory of 5916	2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe	askinstall492.exe
PID 2072 wrote to memory of 5916	2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe	askinstall492.exe
PID 2072 wrote to memory of 5916	2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe	askinstall492.exe
PID 2072 wrote to memory of 5916	2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe	askinstall492.exe
PID 2072 wrote to memory of 5916	2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe	askinstall492.exe
PID 5708 wrote to memory of 5992	5708	Folder.exe	Folder.exe
PID 5708 wrote to memory of 5992	5708	Folder.exe	Folder.exe
PID 5708 wrote to memory of 5992	5708	Folder.exe	Folder.exe
PID 5708 wrote to memory of 5992	5708	Folder.exe	Folder.exe
PID 2072 wrote to memory of 6020	2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe	File.exe
PID 2072 wrote to memory of 6020	2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe	File.exe
PID 2072 wrote to memory of 6020	2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe	File.exe
PID 2072 wrote to memory of 6020	2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe	File.exe
PID 2072 wrote to memory of 6116	2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe	Files.exe
PID 2072 wrote to memory of 6116	2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe	Files.exe
PID 2072 wrote to memory of 6116	2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe	Files.exe
PID 2072 wrote to memory of 6116	2072	35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe	Files.exe
PID 6116 wrote to memory of 2280	6116	Files.exe	frlzd.exe
PID 6116 wrote to memory of 2280	6116	Files.exe	frlzd.exe
PID 6116 wrote to memory of 2280	6116	Files.exe	frlzd.exe
PID 6116 wrote to memory of 2280	6116	Files.exe	frlzd.exe
PID 5592 wrote to memory of 3804	5592	Processes.exe	powershell.exe
PID 5592 wrote to memory of 3804	5592	Processes.exe	powershell.exe
PID 5592 wrote to memory of 3804	5592	Processes.exe	powershell.exe
PID 5592 wrote to memory of 3804	5592	Processes.exe	powershell.exe
PID 5592 wrote to memory of 3900	5592	Processes.exe	powershell.exe
PID 5592 wrote to memory of 3900	5592	Processes.exe	powershell.exe
PID 5592 wrote to memory of 3900	5592	Processes.exe	powershell.exe
PID 5592 wrote to memory of 3900	5592	Processes.exe	powershell.exe
PID 5592 wrote to memory of 3952	5592	Processes.exe	powershell.exe
PID 5592 wrote to memory of 3952	5592	Processes.exe	powershell.exe
PID 5592 wrote to memory of 3952	5592	Processes.exe	powershell.exe
PID 5592 wrote to memory of 3952	5592	Processes.exe	powershell.exe
PID 5592 wrote to memory of 4252	5592	Processes.exe	powershell.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

Processes.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Processes.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Processes.exe

C:\Users\Admin\AppData\Local\Temp\35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe
"C:\Users\Admin\AppData\Local\Temp\35993f126e2e49df8f6c7c50c33b2529e8c4b9c90987ebf5bc52dc05e5d5dcb6.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\Temp\Proxypub.exe
  "C:\Users\Admin\AppData\Local\Temp\Proxypub.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- C:\Users\Admin\AppData\Local\Temp\Process.exe
  "C:\Users\Admin\AppData\Local\Temp\Process.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5440
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Processes.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Processes.exe"
    3⤵
    - UAC bypass
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:5592
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Processes.exe" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3804
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\mirzas\svchost.exe" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3900
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Processes.exe" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3952
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\mirzas\svchost.exe" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4252
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe"
      4⤵
      PID:4820
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe"
      4⤵
      PID:4868
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe"
      4⤵
      PID:4900
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe"
      4⤵
      PID:4928
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe"
      4⤵
      PID:4948
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe"
      4⤵
      PID:4968
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5028
- C:\Users\Admin\AppData\Local\Temp\Folder.exe
  "C:\Users\Admin\AppData\Local\Temp\Folder.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5708
- - C:\Users\Admin\AppData\Local\Temp\Folder.exe
    "C:\Users\Admin\AppData\Local\Temp\Folder.exe" -u
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5992
- C:\Users\Admin\AppData\Local\Temp\RobCleanerInstlSo22812.exe
  "C:\Users\Admin\AppData\Local\Temp\RobCleanerInstlSo22812.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5780
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5780 -s 948
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1828
- C:\Users\Admin\AppData\Local\Temp\askinstall492.exe
  "C:\Users\Admin\AppData\Local\Temp\askinstall492.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5916
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1696
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3316
- C:\Users\Admin\AppData\Local\Temp\File.exe
  "C:\Users\Admin\AppData\Local\Temp\File.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6020
- C:\Users\Admin\AppData\Local\Temp\Files.exe
  "C:\Users\Admin\AppData\Local\Temp\Files.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:6116
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\frlzd.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\frlzd.exe"
    3⤵
    - Executes dropped EXE
    PID:2280
  - - C:\Users\Admin\AppData\Local\Temp\11111.exe
      C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5324
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2280 -s 380
      4⤵
      Loads dropped DLL
      PID:5212

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2760 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2776
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2760 CREDAT:4011013 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
  PID:5520
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2760 CREDAT:2962441 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
  PID:4576
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2760 CREDAT:3814429 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
  PID:5356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
67e486b2f148a3fca863728242b6273e

SHA1
452a84c183d7ea5b7c015b597e94af8eef66d44a

SHA256
facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

SHA512
d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
ddc20d2a5fa0619ad1d5b109d517121e

SHA1
5fc65d9f425737f534fa1549180f85fb7d85b562

SHA256
17a9241c03eb95b4bd4137adf2a28f1d51283f1314c15e94c9c3fa0d481da372

SHA512
7074bfcf29ad2bfd3b97e20addb8f1150016277bbffb177256a74077864fd7979a84759b38cd6832df339f3fbe9151cb9896d587c157602e714bf57ca4724dd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
fcc28487939a12bdbc5c524a4c3beca7

SHA1
7d9fb496e7be31dc9f977a9bc9bcfa72dd33b054

SHA256
a99bb6f1a62138941594b31d19a00078a2c172ec0668e0b80ed6aaecbf201c00

SHA512
bb0224d715d721291bc67c4936eeb8d176863b3f67f690e160d6bcc98992ba12d8a43ffb080b4aca6fe41883922cfd2a8bef3a08b74722e925962027e7aa0824

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da74cb0ff0add743c3f539ec4b87793d

SHA1
6e609e2c5bf65845db9e7b421fe2b6e32668d14c

SHA256
019306bea3082d96ccd295f40bf4a58af0f073da40f9583352d855b848b90bfd

SHA512
ab8bc770d0173d0afa5e35bef96a61f4d78339bf27aed88ec0e655095d68f6689a695282fa367e9824b2fc38dc9d6d3abe88f1f2dd638cf1582b7ebd1d59cbe3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56bdfd661467fb3a7a4b860821d895fd

SHA1
6fe36f1ccff5d406b19fcb84dec7e0935b8d9b82

SHA256
ffb02bfab196ae0f6e3301484fb8fd82660ada3e455b98ee77b2716f8a7dbd32

SHA512
434f892a5bae3e805038522864a907bcbe6c4ec1d7b532422525ae5c102693a10d242d1406b67ed037afed441904817a64731dcc0ea2e89ba950cf24781f2ba4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
776bd9632c82bcc0030c36183fefb2d0

SHA1
9d0be402358ccf4e04b0694848f8eed696ae7e5c

SHA256
c88f1fb12a15af81008464e9cfdecd33b8452b60e99e279ca25a7a3c6c993a4a

SHA512
28f556d9bf2e812aa963b5a21e2b0cad6d7fbc30dc19b4d61677fd4d0979cdb5bb175be5a6f7343b7fb7df6850a3ebee49010d4c42c47fe0095025526022d5c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79737bd54487fceace865e49393224f2

SHA1
5114ea54708aaefb01d7bd1fa91f1f55cd768956

SHA256
1b29df65e9947229970f2bce19093b828d74ce7bfd35cdb1246b35b24833117d

SHA512
10a42a59b950ef1a1854243f218f946f47f872aa502da21a11b8c00eeed175ecc4b54c1b3a24378a89c63b0d30199d44775e413d3c31d66690c916ba2bc966ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f382f960cdc83fc2db61199b7d120e3e

SHA1
65fc87abdbc4324fb1ca0a4249e983126d0e3926

SHA256
800d626ab1e2a70d19a79c72b81cc688788abf091d21affc7c0f76954fd967f9

SHA512
6d6a15559dc8704bcaf709a6b147f7451c1b5eae62f3b25fffcb2a86727f2185d296abf724b1ab35a47ae6408c07844e7e57ba9aef5466b36296528c83039f79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
109fa5530c99d27a44bfeca0c371bb35

SHA1
1a132ba410b52b0583ee16650a8a4068dcf134d0

SHA256
2536b31d49b77dfa2735db3ef6101544dd180c23a0f1a9c06bbd560d14121f68

SHA512
cc4a33cc5ae13ea9b854e3ecb879ce7c6f89f5a4036ecc44364aac47816b16eeeaa98109330509c8f8254c13300c6f6a16852679c12f9c0ce30c39b9824ff33f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e1ededcb21566a283e3cb29187c79f0b

SHA1
51d20d18f7a8d3fd9617d019c8f05ed78ed6452a

SHA256
68dd3cfa54806bb2ea0547fd8e773243858eadebbbfd4848ab9d8118059dc97a

SHA512
cdb8d8355bbc09a50bf337a590eccdd45d375ac17450ddb9aa96a72962a9d018441a407b1d6893346b788e0ec42c862e83061979e411eb4bd60fc07db6a1b7a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f293a2368f31ea1bbfbb7d58b45d0d0

SHA1
d44c07933d1353c79a04150dfba3f80df42dc0bb

SHA256
cb1e8363cfe4033ba1a0063d78b212a15f72cea3df5a08ecf914b2da61b2967e

SHA512
87079ca0f99a4779301819b6178b0108b25b5316de431e0401e5f8d72a1cc3ea49001c8e8e7845f17de4fbdd4ad2531cb3f14a929578ca80e4b01aef960d1f99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df000fefc420ffb9f6734cf805275ab5

SHA1
00cf3c4db19991fd3612183b8f93f5d118445a47

SHA256
f398dee2fcae57219a8f718da249a901144e564f6a75d96863205b483458103f

SHA512
fd66fa9bf1bc5f92cf635eae6d9ce996301463dc166a932012607a55457e0b3bab67929ae7980944c9cf0e2bcffe2177a99e72a3d3132f4be6ca1f92f29c4a13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5fba4665018b74b5e5382a55c656f667

SHA1
de275743599d3bca302c291d64c13c03989df77e

SHA256
866d15382e8f967c8d32e8dbeb4a2c2e07e658eaa3a8d0baf92286bfed6ded5e

SHA512
2ed6f95a0a73561eaeea66dcb6cbdb8e1aa64eb1c95dd78469a116fa998c94f679b5756ca107e04fd628618a65c2843a0c9152eb981f4848654fa2b262b9ac22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f77119ee56170ca13b5c6afe334ea57f

SHA1
716975d2766e07368b0b779c9224712d3c8f3e0d

SHA256
a008ca77a0286979f389c2049b2d44b4ba035b03e79d0792f9869a713400117d

SHA512
1076683aa48c87588752c6891bd201618e67b93c56e06ea41dc8b627ccdd7af4c462c8b18d5210b9fc3ddeaf5f72ffe7d8f9907958e497ea5facee6917338706

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1dd981d89ae89233c29bff148d0048d8

SHA1
218cf1a04712ff265bdab553cc6798e13da654b2

SHA256
48d67ba527be792052f878efb22d31c41983cf955910fbbb2f9f19f96dac7110

SHA512
66edf1661ef3d19e8ed2557bd89376c11ac5f00790f5f93fc1b32b9438e01517310237446fe3df5814db2611c1c282306e068791f23d5b9376aac2db00db85fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e13de47bb5b9b3de88333ddbf7944945

SHA1
2b9e36ece02aecdc88678f32f2dc2a7d86756183

SHA256
65febca8f0ed98d07e96ad29bdc9381ab963e9861da9302ae457e8275e18027c

SHA512
7a5890856a7f1d9e5fda5f42493e418a0380b903d718945dc20564fa94289eaf503f38074d073a4b3ae51ca97d262add5762bfce8144503cf1fc259fa0cdd472

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
254ef026b11dfee223860bf352788229

SHA1
9cb65fca4a340c5de7075cf6883e916938b09474

SHA256
600326f8f170314c0cf57077631375ee3a260c60fa87da00ed83f60914631cf1

SHA512
c661638d839ee857d6f3071320d8f164149cd7b9d9532d3b2d449501e9ec702f3d02f02b1c423e0f1690516f4b0b5ccfbfcff1665b0a6ee788951bc5beac5677

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7362179514065e5fdc13145fbcc28da3

SHA1
0f5fdbbff14a85e162368413a58adbe6301ecfa4

SHA256
e9cef36ffd436d416712376ef12f4590405ca8f8ea4db53fd45326f259b74bbe

SHA512
74f5b1170dae533af8883fe74c2698a99b8ae7db3890dec91cbc503215d288636cf7900b832a2569cb4be8810771a4ef40cb8e96ea82ec496b4c624077afa60b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
782037f620f860ba9f9410c7f716b8e3

SHA1
b3044a2e16e60518730a444c34c0699a664e2c88

SHA256
8cd00c726b67ca04ea7558409bb984cefac65ad6513028a08b2618ff7367c6f0

SHA512
12a6c93ff6345fafda8bd7945f00b20e2bfad1c83ad7bedb332414c432151700830eecaefeadaa6e6c37ebd1a5fe1abb4b6349df6ad3ec026cd6ee0192fc3388

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1070f5bfb6bd9ba6316af8c6ba610e9b

SHA1
f7c755267a5cddbdb5a049f08aaf3eed14e367db

SHA256
6f164078c8e25cf19f20c0508ffa10032c141e53801aaf46f27ab37b493f91fd

SHA512
7287f401d1e78164ad58495d93d0d8f0b3f3eeb0f624e8a6e7df4836f87848f2bc7438a17c54806008f8cb2c7c406ae18465a3608f888db7593695024df3d1ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f09f6b77c88bc9a418b02ed45be405d

SHA1
ed907d1d4d428d0daebed7a5f119c6872a0114bb

SHA256
9fb3bd1f91cd45b69d9ec0a131d921d6b1c2332882480a131d5946490e8a0f3d

SHA512
d9d233c65819759cb92c57f278d82b668b720b3b3c32fb4d9221cdcdc6de0e4a3a950e9429eaa4153d03a1983278063490d2954cf6290deeb6cd894e843fec38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
085da1d19a71cc38fb61231c3ccf4322

SHA1
d11a7a4f3a6b560b33ffd1c9c7e5477490fb0ca9

SHA256
fb2271fefd6f2e2db6da39de8cb2512e43866561dec09213a33ee40cc112e0ec

SHA512
a5234b9da2e0d75b5c51ec3ec6adcf78ab2ee8209130e287e9c3c3be7dd211011e763f38e842d3534bbfa67a74c5772b01bc76ba97889f951ae14faf45291c13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
aceefe8ccc62c51d212ae69fb39c0d35

SHA1
5073beb25b720c039ff6c9fe628796e15ebfe6db

SHA256
347f7f69c2fe0881cfecb8da31b65dd2cad0c40f6dde053763b63e4ff28eef5e

SHA512
eead7b7ec01dbe20c3b0325d59fbd8a088c8251fbc31f18cff0934eea184280b506ca3909d2718732bf95fc3d1ce1985086b92f80ff8765ca3ae87c9006abb63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\9fajjbh\imagestore.dat

Filesize
5KB

MD5
db70dea2c7233e25de2d41a03b44f414

SHA1
1830318ac464c4b4960557fc249ca66b69071f1c

SHA256
f2b9d7c8c779013eb51752d3e32bc50569b4a7edf7b3b775b52e3c7603d1f606

SHA512
5f834209d96a63f4b31801420f3944635a05cc272b166aa28e1accb631521510b6c1aa4e0db4be24eeac7ddc0ccb024ac8839784cb6645d60c43ff221349c728

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CXRG2YQS\favicon[1].png

Filesize
2KB

MD5
18c023bc439b446f91bf942270882422

SHA1
768d59e3085976dba252232a65a4af562675f782

SHA256
e0e71acef1efbfab69a1a60cd8fadded948d0e47a0a27c59a0be7033f6a84482

SHA512
a95ad7b48596bc0af23d05d1e58681e5d65e707247f96c5bc088880f4525312a1834a89615a0e33aea6b066793088a193ec29b5c96ea216f531c443487ae0735

Download Submit
C:\Users\Admin\AppData\Local\Temp\11111.exe

Filesize
391KB

MD5
7165e9d7456520d1f1644aa26da7c423

SHA1
177f9116229a021e24f80c4059999c4c52f9e830

SHA256
40ca14be87ccee1c66cce8ce07d7ed9b94a0f7b46d84f9147c4bbf6ddab75a67

SHA512
fe80996a7f5c64815c19db1fa582581aa1934ea8d1050e686b4f65bcdd000df1decdf711e0e4b1de8a2aa4fcb1ac95cebb0316017c42e80d8386bd3400fcaecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE1E6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe

Filesize
1.3MB

MD5
cab647efcbaa4d2a81e3bfd8122a2a67

SHA1
8783a13798a427cef74baee553c2dec8f123e52a

SHA256
8b682d2e77e42f985975b4d77fd8e94136a45850b5b5f5633c2b6b51f2cd4c99

SHA512
5d3549a7eb1ee7f56478cb810ce867b48cfa624e8ea9726406b87e692e24dbb09be61edb5081a7ed80196c78199b254173ea08144ad21046a220c960c56d95c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ltt.url

Filesize
117B

MD5
44264182fbb802b9671f6abb7faa6a53

SHA1
ccc380eaca3c618f54fdb3d907f50a5f039469da

SHA256
62aad2b0d832421b890138182a25ed331fa39765d0700b84fd6c1c580ea3f0fc

SHA512
43d24f86dd04c479e534fad83efefa2f70bb298ab9e9ea2f737a9adcb79bc330f235d3ff6ae8d413a973968e4951a93a07718a908510f4a0a48017c2b03b824f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\aprt.url

Filesize
117B

MD5
e8d2bf8df88d0ea7314b1a256e37a7a9

SHA1
eaca56a92db16117702fde7bb8d44ff805fe4a9a

SHA256
57fa081cc5827a774e0768c5c1f6e4d98c9b91174ad658640bea59a17546752b

SHA512
a728e6ef3e9a8dc2234fe84de7c0b15d42d72886745a4e97a08cf3dc5e8c7619c5e517f3f23fe1a5c9868360d0e89c8b72d52b7ee6012bd07c1589c6a78402b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\frlzd.exe

Filesize
1.9MB

MD5
57d626d8e6951c2b6d1a883a73b998bb

SHA1
59ccbfce02af3628ef9e34f6d41c1ef9e34e0808

SHA256
c93e60e1b3a6ceb63ce7cbf2e7757763f3fe79fb094e5725759f9b8ecafef1ca

SHA512
2745485dc7fd2da9ac1b81eb4058b32e2fc5c3f990bfab6321a3ef876a14d8a70d66bbe8c392bf18579a80eea3c9272e8cdde63f40ad44a050d5a0db66e71663

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE218.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\prxza.url

Filesize
117B

MD5
3e507ecaac6710d93c101c67ae45fdab

SHA1
0f7509702c29f205da48a1d8fc3ef346fcbf5197

SHA256
083f728d22bc6f1ed6bfa9ecaeb68528a9eb433c0e8e67a52426047ec3e41488

SHA512
865d48b26a5cd771cb0407e106da3c4a7b5cbb43a6002f5b70fb4dcdfd55498392bc42b31c054420f295b75807134c6c26574669e435087260a68ef497277531

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwwE4F6.tmp

Filesize
173B

MD5
e2dcc0fddb76276849e5ebcc43485744

SHA1
111142b03e1fe9e9d3b13adcde91d312925fd272

SHA256
304952d6cb3fc235528f4331173f85450df4eedefe8df4e055fc0d15b7b5d8ce

SHA512
59dda6f39f26b761b774ce3daeb3b7e43b4bdd6dabfedd4827d213677c4308fbdc8fbd5c410e295307c0ae4edb5e5297cbdf751fd5cba4deb2c9f3ad3bfb0840

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\HJ3D9OBI.txt

Filesize
169B

MD5
a7095326766478d132cab1d8f040b4df

SHA1
810e88a6adb74906c07225c88702478a82c22101

SHA256
1759acb27505e710270b70d121e9e0e5cf5998bddd991cadf65bf38a2b83e9c0

SHA512
96c7909dbe442183e79d40b4e381e3ff53dd7fcdaa73c02e65cfb4e2e5a637532f7379aa8607a34c9a98e0b88e7afe73bbd59b040ca0e81f827301a7da2786fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a39180095a024698de4ae14db2b6c029

SHA1
50c884a46d0ea1290d235c11de0ac60793916e3d

SHA256
d9a6b1b29be073c4d3b15cb4ef0958aca3fa89dc33b3dc95f4882b174047eec4

SHA512
eac0722c5f87818a90367e5752c70e711d29dfffeffe8c98cd8cff319aaded2621bca7bade92862d1f2af46ccfb72349f3ee925cb93aa6032dda7b61d0ebfbb4

Download Submit
\Users\Admin\AppData\Local\Temp\File.exe

Filesize
136KB

MD5
90c7efe55fff3704de712084227e84a6

SHA1
b60983bec0346c6fdc0569f641e9091b7f201a5b

SHA256
6bb5f93524d19c19ad102c9577107b7761e1ce94ea2229594fab55fdb98a7e34

SHA512
64556f35c8a13cbe7ff7087bc88e19faaac64091bd1f2ad6251651ab0caabc70c2e388420528893193811a387039e1bfb906c4d2e5f2f8e5deb3d8931b78e65f

Download Submit
\Users\Admin\AppData\Local\Temp\Folder.exe

Filesize
124KB

MD5
4538da85464e576893aec470fc71229a

SHA1
c47826fd48cc1ea12a1ef57818f820ef1da084b5

SHA256
8aff0e13328a2129ca13284d80bed1f72100a78a2c4fa696b2aa95a6152f2983

SHA512
9f62882a237a3619253aa9283303c91d0cb0f18117dc5b86b4a58cfdd7eabc4a389d4c43f93e84315d97fae49345013fbb43eccce29bc381d780a37a9d98f431

Download Submit
\Users\Admin\AppData\Local\Temp\Process.exe

Filesize
662KB

MD5
532603329a655dc6812c790fdaccf378

SHA1
464b251e62f67f346b262df8eaae7d0bbf0f4b52

SHA256
ab681e11dd1ba868c78016fe08c507b130304a1a1ac4d84a9fa0f00a15a00dca

SHA512
5067268797fa6752bafd9069447d3fa0cb6116ce594d4419f9d8e0891706cac684ad6af425569ec83f404d461b07661f74502918d92e3735d79c427e353000ca

Download Submit
\Users\Admin\AppData\Local\Temp\Proxypub.exe

Filesize
443KB

MD5
a6ff722fe5cb9ea9444a79e38343241f

SHA1
c297a99afd248fa076654e42ae84b7ca9e1ca59a

SHA256
791999c706f021b4d8eadd56a130dec270b4b366a96b6164abf7a72125d27209

SHA512
8fa87affee6086fa6888a2159dd0a14f122a79c5bb7fb04471dc91c50338feac085e6506e7948270e4c6a1e2610efedc3d56b647ddc7109e9adffb869c335b7a

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Processes.exe

Filesize
478KB

MD5
9a20c492f91287895ae49de71f479376

SHA1
376afa85c761170a89cdfa2241498ddc8f9bea1a

SHA256
9504d1a7c7ed4d2ea4b88b1ffc80f19c0efddc4c5964e6f906e70e6089764cdf

SHA512
d502900170e65f22c8e031c8186998428f6a95213c19425d7bb2d0f96a0484522b596e811d0aae791ae1b7e739e85a3687cde83a3c61adba55f3e83f09a6bd4d

Download Submit
\Users\Admin\AppData\Local\Temp\RobCleanerInstlSo22812.exe

Filesize
66KB

MD5
2f02d5af8f2ad1917f8fc5fe17127da1

SHA1
1bb680702a52dc9046984b87f1e3387530009222

SHA256
bccb32358a54efc1e9f62859c3c6aeb1da93b4e4159a76972f38f8737b0dd69d

SHA512
8aa125a1db54314047066058d051259f56efbf3a20998f12fdafc20418ff12e249d5c1aab4b01e8cc859e3166377d05c217dbd47ae0817c5836333b1b82def67

Download Submit
\Users\Admin\AppData\Local\Temp\askinstall492.exe

Filesize
1.4MB

MD5
5a9ed91a1c2467ae921d52f6df3cd4c6

SHA1
0c0c7cbae68b09c2da22c68dbbf3bf2f27f60545

SHA256
b4a5844e6ed96e04782b9f64f5393509119f2c984d20b74edbcf8b03269f1479

SHA512
f07980049deacffded94a697878649394a95e321e527c88baa608ffd05830ad35c86d5d3ac976a813c0fa2c75304633ec2738b765cda5c128348709ca4260956

Download Submit
memory/2060-62-0x0000000002170000-0x000000000219D000-memory.dmp

Filesize
180KB

Download
memory/2060-84-0x0000000002170000-0x000000000219D000-memory.dmp

Filesize
180KB

Download
memory/2060-36-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2060-96-0x0000000002170000-0x000000000219D000-memory.dmp

Filesize
180KB

Download
memory/2060-98-0x0000000002170000-0x000000000219D000-memory.dmp

Filesize
180KB

Download
memory/2060-102-0x0000000002170000-0x000000000219D000-memory.dmp

Filesize
180KB

Download
memory/2060-100-0x0000000002170000-0x000000000219D000-memory.dmp

Filesize
180KB

Download
memory/2060-41-0x0000000002170000-0x000000000219D000-memory.dmp

Filesize
180KB

Download
memory/2060-42-0x0000000002170000-0x000000000219D000-memory.dmp

Filesize
180KB

Download
memory/2060-44-0x0000000002170000-0x000000000219D000-memory.dmp

Filesize
180KB

Download
memory/2060-46-0x0000000002170000-0x000000000219D000-memory.dmp

Filesize
180KB

Download
memory/2060-48-0x0000000002170000-0x000000000219D000-memory.dmp

Filesize
180KB

Download
memory/2060-35-0x0000000000220000-0x0000000000259000-memory.dmp

Filesize
228KB

Download
memory/2060-50-0x0000000002170000-0x000000000219D000-memory.dmp

Filesize
180KB

Download
memory/2060-52-0x0000000002170000-0x000000000219D000-memory.dmp

Filesize
180KB

Download
memory/2060-34-0x0000000000620000-0x0000000000720000-memory.dmp

Filesize
1024KB

Download
memory/2060-54-0x0000000002170000-0x000000000219D000-memory.dmp

Filesize
180KB

Download
memory/2060-39-0x00000000003D0000-0x0000000000404000-memory.dmp

Filesize
208KB

Download
memory/2060-56-0x0000000002170000-0x000000000219D000-memory.dmp

Filesize
180KB

Download
memory/2060-40-0x0000000002170000-0x00000000021A2000-memory.dmp

Filesize
200KB

Download
memory/2060-60-0x0000000002170000-0x000000000219D000-memory.dmp

Filesize
180KB

Download
memory/2060-80-0x0000000002170000-0x000000000219D000-memory.dmp

Filesize
180KB

Download
memory/2060-94-0x0000000002170000-0x000000000219D000-memory.dmp

Filesize
180KB

Download
memory/2060-92-0x0000000002170000-0x000000000219D000-memory.dmp

Filesize
180KB

Download
memory/2060-90-0x0000000002170000-0x000000000219D000-memory.dmp

Filesize
180KB

Download
memory/2060-88-0x0000000002170000-0x000000000219D000-memory.dmp

Filesize
180KB

Download
memory/2060-86-0x0000000002170000-0x000000000219D000-memory.dmp

Filesize
180KB

Download
memory/2060-82-0x0000000002170000-0x000000000219D000-memory.dmp

Filesize
180KB

Download
memory/2060-78-0x0000000002170000-0x000000000219D000-memory.dmp

Filesize
180KB

Download
memory/2060-58-0x0000000002170000-0x000000000219D000-memory.dmp

Filesize
180KB

Download
memory/2060-1294-0x0000000000620000-0x0000000000720000-memory.dmp

Filesize
1024KB

Download
memory/2060-64-0x0000000002170000-0x000000000219D000-memory.dmp

Filesize
180KB

Download
memory/2060-66-0x0000000002170000-0x000000000219D000-memory.dmp

Filesize
180KB

Download
memory/2060-68-0x0000000002170000-0x000000000219D000-memory.dmp

Filesize
180KB

Download
memory/2060-70-0x0000000002170000-0x000000000219D000-memory.dmp

Filesize
180KB

Download
memory/2060-72-0x0000000002170000-0x000000000219D000-memory.dmp

Filesize
180KB

Download
memory/2060-74-0x0000000002170000-0x000000000219D000-memory.dmp

Filesize
180KB

Download
memory/2060-76-0x0000000002170000-0x000000000219D000-memory.dmp

Filesize
180KB

Download
memory/2072-37-0x0000000003430000-0x0000000003432000-memory.dmp

Filesize
8KB

Download
memory/5028-1247-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5592-1232-0x0000000004E90000-0x0000000004EC8000-memory.dmp

Filesize
224KB

Download
memory/5592-1227-0x0000000000840000-0x000000000084C000-memory.dmp

Filesize
48KB

Download
memory/5592-1027-0x0000000000F90000-0x000000000100C000-memory.dmp

Filesize
496KB

Download
memory/5592-1231-0x0000000004B90000-0x0000000004BAA000-memory.dmp

Filesize
104KB

Download
memory/5592-1230-0x0000000004430000-0x000000000444A000-memory.dmp

Filesize
104KB

Download
memory/5592-1229-0x0000000000E20000-0x0000000000E39000-memory.dmp

Filesize
100KB

Download
memory/5592-1228-0x0000000005040000-0x0000000005254000-memory.dmp

Filesize
2.1MB

Download
memory/5592-1233-0x0000000004E90000-0x0000000004E9E000-memory.dmp

Filesize
56KB

Download
memory/5592-1226-0x0000000000B10000-0x0000000000B30000-memory.dmp

Filesize
128KB

Download
memory/5592-1210-0x0000000000A60000-0x0000000000AC4000-memory.dmp

Filesize
400KB

Download
memory/5592-1234-0x00000000051D0000-0x000000000528A000-memory.dmp

Filesize
744KB

Download
memory/5592-1209-0x00000000002F0000-0x00000000002F8000-memory.dmp

Filesize
32KB

Download
memory/5780-1078-0x00000000002F0000-0x00000000002F6000-memory.dmp

Filesize
24KB

Download
memory/5780-1059-0x0000000001390000-0x00000000013AA000-memory.dmp

Filesize
104KB

Download