fabookie | a3b251a139324a6df006eb9733c30199edf41dffe994ca0140296605613c2132

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-11-2024 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe
Size

7.0MB
MD5

a763081fbd0df59db9afcfdcd544c70c
SHA1

76df12d98b8dadab8358394efd7a656cc07e48a1
SHA256

66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c
SHA512

ed1982e8911445db959ff07f5c4d9b43ed997a2a7690fed88dc6bff23fe1fc2abf7bfea8f4ab94a70e9491681b74da1a458e63bd6cdb15ec7647b2612ce0d694
SSDEEP

196608:4jLiXXL2mBhLXpB8xxYiUbSmk/qIhAsAl5rq:478LfiUbS7Z2rq

Score

10^/10

fabookie ffdroider redline jameshook discovery evasion infostealer persistence spyware stealer themida trojan upx

Malware Config

Extracted

Family

ffdroider

http://101.36.107.74

Extracted

Family

redline

Botnet

JamesHook

185.241.54.156:35200

Signatures

Detect Fabookie payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016d1d-145.dat	family_fabookie

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider
Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Fabookie family
fabookie
Ffdroider family
ffdroider
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral1/memory/2892-917-0x0000000000400000-0x000000000042A000-memory.dmp	family_redline

Redline family
redline

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/2152-299-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/1868-354-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft
behavioral1/memory/1868-366-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	per.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	per.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	per.exe

Executes dropped EXE 16 IoCs

pid	Process
3056	file_clu.exe
2672	md3_3kvm.exe
3024	asj.exe
2960	secd.exe
2932	cld.exe
468	quv.exe
2452	ubisoftant.exe
400	piz.exe
1884	RwJ2xhfygvdE.exe
1696	per.exe
1872	update_b1f99b.exe
1412	setup.exe
2152	jfiag3g_gg.exe
1132	Process not Found
1868	jfiag3g_gg.exe
2892	quv.exe

Loads dropped DLL 46 IoCs

pid	Process
2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe
2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe
2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe
2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe
2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe
2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe
2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe
2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe
2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe
2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe
2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe
2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe
2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe
2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe
2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe
2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe
2960	secd.exe
2960	secd.exe
2960	secd.exe
2960	secd.exe
2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe
2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe
2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe
2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe
2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe
2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe
2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe
2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe
2716	cmd.exe
2932	cld.exe
2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe
2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe
2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe
2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe
1872	update_b1f99b.exe
1872	update_b1f99b.exe
1872	update_b1f99b.exe
2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe
2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe
2036	regsvr32.exe
1872	update_b1f99b.exe
400	piz.exe
400	piz.exe
400	piz.exe
400	piz.exe
468	quv.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0006000000018781-166.dat	themida
behavioral1/memory/2932-150-0x0000000003BD0000-0x0000000004362000-memory.dmp	themida
behavioral1/memory/1696-340-0x0000000140000000-0x0000000140792000-memory.dmp	themida
behavioral1/memory/1696-358-0x0000000140000000-0x0000000140792000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng."	piz.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	per.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cld.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	secd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
43	iplogger.org
44	iplogger.org
15	iplogger.org
17	bitbucket.org
18	bitbucket.org
19	iplogger.org
23	iplogger.org
30	iplogger.org
66	iplogger.org
14	iplogger.org
26	iplogger.org
31	iplogger.org
67	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	ip-api.com

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2036	regsvr32.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1696	per.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 468 set thread context of 2892	468	quv.exe	64

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000800000001686c-33.dat	upx
behavioral1/memory/2672-51-0x0000000000400000-0x0000000000580000-memory.dmp	upx
behavioral1/memory/2672-167-0x0000000000400000-0x0000000000580000-memory.dmp	upx
behavioral1/memory/2152-299-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/files/0x00050000000194ad-296.dat	upx
behavioral1/files/0x00060000000194ad-350.dat	upx
behavioral1/memory/1868-354-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2672-355-0x0000000000400000-0x0000000000580000-memory.dmp	upx
behavioral1/memory/1868-366-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral1/memory/2672-842-0x0000000000400000-0x0000000000580000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	quv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jfiag3g_gg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	quv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RwJ2xhfygvdE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	piz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	asj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jfiag3g_gg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file_clu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ubisoftant.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	md3_3kvm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	secd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update_b1f99b.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1044	taskkill.exe
1212	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc5000000000020000000000106600000001000020000000f512686b6d97716c781d45a82d226ea381302566bab72bd9c30f871612abe6a0000000000e8000000002000020000000936f64b179328a24976fa0ab3d976228a97a13f063632d953545e7079f2707ea20000000404c84347f79aeafe9ffcaf1999aed374a70c2da32a110aec92177c88432d1fd400000005cb2fd77362aa8cac07e34232e2d1900d0a5f4207325a72913a9705173451146bc0ad801ba03fcc958cdfaaa3ef54d5fba9b30cbedd0b04c18486404c831eea0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 1027108ce532db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc500000000002000000000010660000000100002000000055f17cac5198bfbc4890fe9aad38855ce94007b62515b2eb1b047264a08f2b35000000000e80000000020000200000006c6cd7fc4fdc7d68ddb6bc8cfaf6443a7f7b100ebebd960a2c975a3110f6763e90000000aa7a858f679b16def07ebc672c37e9194bf7fa95bdcff1e770142957e9d2efaa50a13f6219b843601c0b41f03a8dfb161fc969aa8642e55e15cd9de1df799704819d3bd23406cd6aa7afc48a593f7b7bcfb03f5be6c918156bb256d480335ce03deeb13905c0d52e28d23f64b2b2a77dd1b934f7a651ca486693937c0125d06e5e311ce6b2ebd130718b0303925d781a400000009ba29515f8ef774b4cff43a8002fd799461af5fd955ba9275cae66ec90b5091ed4490c5cb5202509c95c50e50ef7fcb94a6f214c2f006e4bd8fff14c3b0a5f46	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437345791"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BED705B1-9ED8-11EF-B984-5A85C185DB3E} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	asj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	piz.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	piz.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	asj.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	asj.exe

NTFS ADS 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\www57F2.tmp\:favicon:$DATA	IEXPLORE.EXE
File created	C:\Users\Admin\AppData\Local\Temp\Shakmp.url:favicon	IEXPLORE.EXE
File created	C:\Users\Admin\AppData\Local\Temp\wwwE4D5.tmp\:favicon:$DATA	IEXPLORE.EXE
File created	C:\Users\Admin\AppData\Local\Temp\RarSFX2\ins.url:favicon	IEXPLORE.EXE
File created	C:\Users\Admin\AppData\Local\Temp\www1B23.tmp\:favicon:$DATA	IEXPLORE.EXE
File created	C:\Users\Admin\AppData\Local\Temp\RarSFX1\jul.url:favicon	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1868	jfiag3g_gg.exe
1760	iexplore.exe
2036	regsvr32.exe
1760	iexplore.exe
1760	iexplore.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1044	taskkill.exe
Token: SeDebugPrivilege	468	quv.exe
Token: SeDebugPrivilege	1212	taskkill.exe
Token: SeDebugPrivilege	2892	quv.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1760	iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2452	ubisoftant.exe
2452	ubisoftant.exe
1760	iexplore.exe
1760	iexplore.exe
756	IEXPLORE.EXE
756	IEXPLORE.EXE
756	IEXPLORE.EXE
756	IEXPLORE.EXE
2608	IEXPLORE.EXE
2608	IEXPLORE.EXE
2608	IEXPLORE.EXE
2608	IEXPLORE.EXE
2268	IEXPLORE.EXE
2268	IEXPLORE.EXE
2268	IEXPLORE.EXE
2268	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 3056	2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe	31
PID 2092 wrote to memory of 3056	2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe	31
PID 2092 wrote to memory of 3056	2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe	31
PID 2092 wrote to memory of 3056	2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe	31
PID 2092 wrote to memory of 3056	2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe	31
PID 2092 wrote to memory of 3056	2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe	31
PID 2092 wrote to memory of 3056	2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe	31
PID 2092 wrote to memory of 2672	2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe	32
PID 2092 wrote to memory of 2672	2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe	32
PID 2092 wrote to memory of 2672	2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe	32
PID 2092 wrote to memory of 2672	2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe	32
PID 2092 wrote to memory of 3024	2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe	33
PID 2092 wrote to memory of 3024	2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe	33
PID 2092 wrote to memory of 3024	2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe	33
PID 2092 wrote to memory of 3024	2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe	33
PID 2092 wrote to memory of 2960	2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe	34
PID 2092 wrote to memory of 2960	2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe	34
PID 2092 wrote to memory of 2960	2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe	34
PID 2092 wrote to memory of 2960	2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe	34
PID 3056 wrote to memory of 2716	3056	file_clu.exe	35
PID 3056 wrote to memory of 2716	3056	file_clu.exe	35
PID 3056 wrote to memory of 2716	3056	file_clu.exe	35
PID 3056 wrote to memory of 2716	3056	file_clu.exe	35
PID 3056 wrote to memory of 2716	3056	file_clu.exe	35
PID 3056 wrote to memory of 2716	3056	file_clu.exe	35
PID 3056 wrote to memory of 2716	3056	file_clu.exe	35
PID 2092 wrote to memory of 2932	2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe	37
PID 2092 wrote to memory of 2932	2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe	37
PID 2092 wrote to memory of 2932	2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe	37
PID 2092 wrote to memory of 2932	2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe	37
PID 2960 wrote to memory of 468	2960	secd.exe	38
PID 2960 wrote to memory of 468	2960	secd.exe	38
PID 2960 wrote to memory of 468	2960	secd.exe	38
PID 2960 wrote to memory of 468	2960	secd.exe	38
PID 2092 wrote to memory of 2452	2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe	39
PID 2092 wrote to memory of 2452	2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe	39
PID 2092 wrote to memory of 2452	2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe	39
PID 2092 wrote to memory of 2452	2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe	39
PID 2092 wrote to memory of 400	2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe	40
PID 2092 wrote to memory of 400	2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe	40
PID 2092 wrote to memory of 400	2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe	40
PID 2092 wrote to memory of 400	2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe	40
PID 2716 wrote to memory of 1884	2716	cmd.exe	41
PID 2716 wrote to memory of 1884	2716	cmd.exe	41
PID 2716 wrote to memory of 1884	2716	cmd.exe	41
PID 2716 wrote to memory of 1884	2716	cmd.exe	41
PID 2716 wrote to memory of 1884	2716	cmd.exe	41
PID 2716 wrote to memory of 1884	2716	cmd.exe	41
PID 2716 wrote to memory of 1884	2716	cmd.exe	41
PID 2932 wrote to memory of 1696	2932	cld.exe	42
PID 2932 wrote to memory of 1696	2932	cld.exe	42
PID 2932 wrote to memory of 1696	2932	cld.exe	42
PID 2932 wrote to memory of 1696	2932	cld.exe	42
PID 2092 wrote to memory of 1872	2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe	43
PID 2092 wrote to memory of 1872	2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe	43
PID 2092 wrote to memory of 1872	2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe	43
PID 2092 wrote to memory of 1872	2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe	43
PID 2092 wrote to memory of 1872	2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe	43
PID 2092 wrote to memory of 1872	2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe	43
PID 2092 wrote to memory of 1872	2092	66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe	43
PID 1884 wrote to memory of 2792	1884	RwJ2xhfygvdE.exe	44
PID 1884 wrote to memory of 2792	1884	RwJ2xhfygvdE.exe	44
PID 1884 wrote to memory of 2792	1884	RwJ2xhfygvdE.exe	44
PID 1884 wrote to memory of 2792	1884	RwJ2xhfygvdE.exe	44

C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe
"C:\Users\Admin\AppData\Local\Temp\66dc47363eed7c1f7528e1859a32037020450756eb0ce8950df397a64058481c.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Local\Temp\file_clu.exe
  "C:\Users\Admin\AppData\Local\Temp\file_clu.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C copy /Y "C:\Users\Admin\AppData\Local\Temp\file_clu.exe" ..\RwJ2xhfygvdE.exe&& stArt ..\RwJ2xhfygvdE.exe /Pxcee7dXhg1LR & If "" == "" for %H In ( "C:\Users\Admin\AppData\Local\Temp\file_clu.exe" ) do taskkill /iM "%~nxH" /F
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Users\Admin\AppData\Local\Temp\RwJ2xhfygvdE.exe
      ..\RwJ2xhfygvdE.exe /Pxcee7dXhg1LR
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1884
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C copy /Y "C:\Users\Admin\AppData\Local\Temp\RwJ2xhfygvdE.exe" ..\RwJ2xhfygvdE.exe&& stArt ..\RwJ2xhfygvdE.exe /Pxcee7dXhg1LR & If "/Pxcee7dXhg1LR " == "" for %H In ( "C:\Users\Admin\AppData\Local\Temp\RwJ2xhfygvdE.exe" ) do taskkill /iM "%~nxH" /F
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2792
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /C eCho| SEt /p ="MZ"> wUAR.VX & cOPy /Y /B wUAr.vX+~TED1E2.CFH + G62c.4+ H7__2BUr.8I + 3O0QMRE.5K + C1SM1U.Qa0 +s77950_.98+MzfNNq.QI +W8Te.Qm7 + ALXC.kJM + 18CHh.JB + gWp3M.DH + 2CmT.ZW ..\_MORBZV.~5 &sTaRT regsvr32 -s ..\_MOrBZV.~5 -U&DEl /q *
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:832
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" eCho"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1736
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" SEt /p ="MZ" 1>wUAR.VX"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2240
      - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 -s ..\_MOrBZV.~5 -U
        6⤵
        Loads dropped DLL
        Suspicious use of NtCreateThreadExHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2036
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /iM "file_clu.exe" /F
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1044
- C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe
  "C:\Users\Admin\AppData\Local\Temp\md3_3kvm.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2672
- C:\Users\Admin\AppData\Local\Temp\asj.exe
  "C:\Users\Admin\AppData\Local\Temp\asj.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1640
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1212
- C:\Users\Admin\AppData\Local\Temp\secd.exe
  "C:\Users\Admin\AppData\Local\Temp\secd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\quv.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\quv.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:468
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\quv.exe
      "{path}"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2892
- C:\Users\Admin\AppData\Local\Temp\cld.exe
  "C:\Users\Admin\AppData\Local\Temp\cld.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Users\Admin\AppData\Local\Temp\RarSFX2\per.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX2\per.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    PID:1696
- C:\Users\Admin\AppData\Local\Temp\ubisoftant.exe
  "C:\Users\Admin\AppData\Local\Temp\ubisoftant.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2452
- C:\Users\Admin\AppData\Local\Temp\piz.exe
  "C:\Users\Admin\AppData\Local\Temp\piz.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  PID:400
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2152
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1868
- C:\Users\Admin\AppData\Local\Temp\update_b1f99b.exe
  "C:\Users\Admin\AppData\Local\Temp\update_b1f99b.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1872
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1412

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1760
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1760 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
  PID:756
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1760 CREDAT:4076562 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
  PID:2608
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1760 CREDAT:3814416 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
  PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
0322d6f8fda94a9ea502d17ad1b94e22

SHA1
32e7211a9d0fbacc20f9accbdb35569ae6e0c801

SHA256
f49de1a0bc6eb09ce41aeb689379ba8401da8c3b656546a59ccbfb3bb77b725f

SHA512
471d4a12fe7967fa8582aa0e22ed338aa046db980db20f583d35ebbd95b45871b1538e270e35be5c0348242a3947f1e46d7a0141b4432449ce324af016071a4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ee4c40d5f7c738ea4557aec6064b7018

SHA1
0900eff559ee237c907019bf13559ea23261d12e

SHA256
a0e2c09e18c558cd249f5c9aacecd2824de68bf05ead4fc1207cfe69acbd030e

SHA512
a3e13465cab2d9cb0ce415baf0802b44f437058dfd96b47d39bf12caec162900fb6973f9f9e9a113b00f920b45cc27d44b1cf3c3afb550e2ab42886a8f638fd4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
608c4166c98416463c8292ed5b4279d9

SHA1
fc2a343ce7a38e63857c7f8f1176f7a79b70ee88

SHA256
73ec26e9a4369f5958249d760172f57a7ab0fc268deffc43fdb65a3f80d79889

SHA512
86ac044bfb45b31c515983652a087c39789f71ef3b62d628f427e15db74a09da614f92445b985a7084a6868f75f6adfb5203cc47e929fcb8105ec8d2842c9df0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69a9cf8103c918e3c4315911d382be3e

SHA1
878bde2a4a0aea5e408120ad412fb66c203ad3aa

SHA256
319146aabe0532ac6f4bfbb703ed349901dcdc0676b4c9afbdf74f6d8754e537

SHA512
3b14e6a896837185b392346c9151c312055724a70c121999791e46576c15ef6109531daa5113d973556a3a3eec4aea6d42663ac22f68bb20b47a7382d480a919

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a014754f6306c09bbc34f67d286ea22c

SHA1
7cf31d404f33b6b1fb002bfd5da654af89f5c3b1

SHA256
c27cb3a937a60056b5995badda4917dc9104f5ec06f85a6ade7cd780e460b0be

SHA512
27b090f2baf3870644214e83577129ccaaa3e04142cfbc250c6026ebb4850e3be004b8a6f0a9702111223a6c97d9d1634e0c92e6f298ea67e40477acc1f25361

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d7ece5ccccbc4034ad5ef14bb404c89

SHA1
3c0b5647b4441395165185dfa0f1614570e42187

SHA256
a86520586c4dc8141585aee07585aa2ecbb50690420cc4a97971f6331129dca7

SHA512
5d4f7598d13cc6df22575004d930fbb2f9a98480e40bcee38d5d6915449cde35704a6b0b61d24ea4dc6b1fd576de675d74f5ed8c6d9c742fb820a2c46a1f09bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c98ed569ae2445d3c6331ce80e821dd5

SHA1
3efd0079d58d99343c1046951784fa935ab30b63

SHA256
b27b6118826fe610c29899c4f398fb04a421a776254c45042663e479690a730f

SHA512
e4480e2b067a3045745f92dbb3d8f64d790d14cfb718b4b08a41a1e7e6eb3a94881521e8f2c18ec2708eb8c977675bcbbf797c2efb78be59e52569136abb1c85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
23da953f78d6f973a17af1220ed04520

SHA1
251d08cde3b33bdea61f6edda660e4913a58d8e3

SHA256
d391ed5216e84056fe271a426a58afc2ef6318e155dac472dc04a84c4a921a68

SHA512
6a4b98ab90bc35affbcf044e2c7fc9c79d901dd5a6d46f4de803e08f50bec22f245a74b7f95a2cf0cb991765ff97238196be65c7692d0ba33dc4e0edd069d81a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba1b799e2d2064ed0979446af16ee808

SHA1
8a01758ee89c2a205265f338d30b018496dd73d8

SHA256
5c17a70a0d529e7533d6f47af8a632771977d800b7889e13a6dc3a1c647862ea

SHA512
bc895e204e9778d5f5e6413cf40fee4dd481b6744aae3673ee40d08f441dfcf66b1fc881d529a69e2c032de75c69d901074bff39335c2e24ba823c3336c7d235

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
37d5ff4964fdc0aeceb6febaa0b0a676

SHA1
85230eec2546b788d1d9d457ecee2a60e275f84d

SHA256
4168b3170ba5f623f1acc4179d95e9e2de4cc45eacb6a44854b248f02be56db6

SHA512
ae3e1622e5ac17a58bd5be7215508b137480c365a490690f09574afd2452b77ee9d3889b3e222526e8b82703ed5966319dbdd4b9190729cc2d17f5e724a4808a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
497ff7e7096901403b6dbd27fb87c289

SHA1
95c7128bba261a859aa2b1a6b2892c6adbdb98e0

SHA256
f451cd75f5cd2fb2c6f83b46f1c2fa8ac6aca02b1b231e895465f53e6e4dc715

SHA512
f6de574ef1900947352b67c6edb3b6ff41493747fbf1e4bc9a2a8edefa8db407572a2e672507e5f97b7863afd42ff45e0e0bde4157489c9b3d0406b7546ea2c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ff25e6448c06c9ab47652ae598b9ef9

SHA1
d4e02815f6c59d773ea73e8aea772d25bfbc0809

SHA256
7985f6b5c8b8b8374397b5a6dd6ed46139ffea33c48f57b8fd88142c5a89c877

SHA512
d0e5b5150a988bb2a9b80aea3b6687216ed6f89561dd7c8e7386546eadc817502e79538c73fad4cf198e589ccda4a0a16915318a7264e8b2888884623f2e425d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7fdb48136d975325019bb7fe35161b22

SHA1
0bfe67af5d929e0164a08a6281aa89d57cc311f4

SHA256
fd9fc898378ae351cd1b27c249266c5468581177eb968c988af245c9cb90a325

SHA512
739140bcba8750f89805cf69fe7abb3154243599ebc6858cd11a1a750a5de812c168f1b26ab79685c951841b59daaadebfa607e08dc3d1bd9203f28f8c65271b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0333b47282e6641dd3f3c322441bdbd9

SHA1
01134d3aa471c6d0ed7abb786eb0395679ec0ef0

SHA256
53a269a50f1dbc874930e5d9aa9feac6aee71ba8a246369a5bd55dbf6033bf76

SHA512
9511db51b4afb0eb69514bf81d267f775faf257b7e45b1f9dcc3f03470ab34288270e45c1157f1684799a47dbe6feae19d74609be8fc0cd6da256644f6b83d9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3343eeea374a1f6c4c23be821cc01d61

SHA1
ce329c13bf7a2663fbcd572403364d5950e7c20d

SHA256
e87fc29a93677a0041e7854f052a4ce0b762dfed56edcb96ec1de41156b65db8

SHA512
8ecc788dea82ce64fc7237d2c798de5150550b840195624ab6eca9c0bd95a2d13451257a6ae17041420c8377b75f340644dbda037c5a2d098d9514d5c9e3acdb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83d8ed3fdfb62d2f57b24ecb45c9c3e3

SHA1
efabfe5be241a61918a9f46277d6abc1d8307db4

SHA256
5c24409f659fa8c4e3f18474ad29fe41c04a7160fcb6c10c14264b44d10188fe

SHA512
2bc1bf0e343a5f4758de66c350daa381b589013b89e25e7ab90548938044269e2484090c8b93c8f13c3b77a4201e600d799253538fa0f402f1d8695e11a71faa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0d621336e73855b0c7014fd375761ca

SHA1
8c2857694e4c655c4681b67524046b0d346f442b

SHA256
37ba4288f76b7baad1499c08130116ba939c58ad46da028581b5c7522b9908f2

SHA512
be09c030d048dedd3da4cbde6066ca00c56d4ca5db758ea03066c3c9ace59117cfadb49f10bc3cd03b6799550fa8ae90612ac57330bfebea7477439efe48e268

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3148f59a8b9926b6dec95844b3dd5402

SHA1
ed6fc9cf35046e76b8dedb797874b92d5e29ae5a

SHA256
92afd202d1f99094d68526f9abc50edf41b629e39bad288c612ab5bafb781a31

SHA512
bc2e363c0a8320e78e681200d66ed5bba10ff3e21c70b52b25c21be0b2b0ce80ec48168f56ad687e317d7868d31d602b277012e1c9237e085b6069e2979ef0fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
54e8063424365579057d20e372272447

SHA1
8a987853ebffdf45316eb0f3ecf6445e169cab14

SHA256
be95cf48e593ef35e5f3777f5b7c11de129f8a8f8be9eda18bf88ba1fb464440

SHA512
ff1600b33e5bd9d81f6d0fd7568dba9f828490d45e39b75165a6ecac5cbc064fb2d2d36f74ed49a942e6d05ba30ddc3f10a28007f70a9995f9b379283220fced

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7CNUR30T\1rxTe7[1].png

Filesize
116B

MD5
ec6aae2bb7d8781226ea61adca8f0586

SHA1
d82b3bad240f263c1b887c7c0cc4c2ff0e86dfe3

SHA256
b02fffaba9e664ff7840c82b102d6851ec0bb148cec462cef40999545309e599

SHA512
aa62a8cd02a03e4f462f76ae6ff2e43849052ce77cca3a2ccf593f6669425830d0910afac3cf2c46dd385454a6fb3b4bd604ae13b9586087d6f22de644f9dfc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M4TQDAHL\favicon[1].png

Filesize
2KB

MD5
18c023bc439b446f91bf942270882422

SHA1
768d59e3085976dba252232a65a4af562675f782

SHA256
e0e71acef1efbfab69a1a60cd8fadded948d0e47a0a27c59a0be7033f6a84482

SHA512
a95ad7b48596bc0af23d05d1e58681e5d65e707247f96c5bc088880f4525312a1834a89615a0e33aea6b066793088a193ec29b5c96ea216f531c443487ae0735

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD8D4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\jul.url

Filesize
117B

MD5
86c2d12cf59713392ee1f00f4ae7d400

SHA1
3ce715154197578c0be76a25566d5d03423f5d3a

SHA256
411c1d3a748c98a45613bd73ac9a04d6069f6db64bf34b0c4e99dc4852159abe

SHA512
f7daa632eb6d5e11a4571af36fa3bf370781d58b1141fab5df6de8a07bfcb16b481d295ca8fe1fc43101c87cf65fa1beadc1c9478071d030172c41ed6a569ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\ins.url

Filesize
117B

MD5
eb257f27de7df09999ce97322e76aed0

SHA1
a9d1b7c50ef40c2fdb0a1e3204247817ae859c08

SHA256
375a74de5452d2a16e17d1161eb77e0a54f1eaa80034e6e22f1084fcb9c5ba35

SHA512
257d16f8d1153febaa500e4ee925544120101e5d3195aa77637448471e0a55560b145e8130ab420ddd289f5999a1663eec306da82b50b136a20f29906dd009dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\per.exe

Filesize
2.5MB

MD5
051e0cb61c4ef9db71b28dceefca1898

SHA1
bc1e5e91ea898e304c9e6d64d1d92bb56e0c2d8d

SHA256
1913bf1290328462ddca77ae02828a130f810e3ae32f3c2051fe916c22d686a8

SHA512
7575cdc0a78fe9d59032c4e2b70c4f275e0aebaa0e864cbdc6be057dc44256ff3c5f0031be1b164631850b68043ad6ef220d0865be59398acd080aa58ad43858

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX3\3O0QMRE.5k

Filesize
85KB

MD5
a320eea9b374af8f33c7259bff834f36

SHA1
847232ba91a0edbf2ec601b32a14b7acca207188

SHA256
2630401d8832e0c7becfe172eec94f682fe9538bda72959dc0a34a89b062d32a

SHA512
1143ed8801ca2bdce3fd9fbaf9cfb9b62d358a70eda0bb8e60c46020acd85c05818f21eb927707220cdaae8bcac09af68d7c48e3de530e6ecc95bc193d5f0afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX3\C1SM1U.Qa0

Filesize
135KB

MD5
672b1ee78c936158ba4efffb83282ebf

SHA1
61d2965dc650bf886ec87406392b227c97325b74

SHA256
fc65dbb28a0612c2fe1308d9ee4bed10ce7ba5feffc735389b30a883b4941e50

SHA512
eb4156e00f4bfe33668f7e13dec400d8bc70c21fed3719a600f64e19b5bf232f54df05aadd5df215a0bfd247b77c9122c484850d3c81002995fd46ea8322c505

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX3\G62c.4

Filesize
18KB

MD5
0f2c1adba7cd67cd15dc63dc0eda814b

SHA1
de7ac87e1b684c80a5c1ef3a6b91b19c6ad27d84

SHA256
89a89138143c1ff9f168d3c2cf7a6ca8573dea820b97b3700746a0f47ec11a38

SHA512
b5fe77451429eaa7a1cb99cf71508128ab3a132576251978e82ebea037e819527400ad78ee3b8567cc305171268b0de9e055e146b60b3afcff00cda28c4527bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX3\h7__2bUr.8I

Filesize
56KB

MD5
680507e4bdb04f52bac3bbfdb730515b

SHA1
6737a09197fe16f7de7e249c7a3a84b0f06ad9f0

SHA256
50bdfa225eda4001957ddc29ed093bdd20bc170a0ead6f619d2a47d9f701d90b

SHA512
b496d5566ad68021d8418d31de06b012e5ce1f346f118506a95348966e6ed25d98f79fb76dac91e9d361c3cfee66d974154119a4da5a6f583265fcb2db2f7a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX3\s77950_.98

Filesize
47KB

MD5
eca5b98011451a8e5610fc3582f1cec7

SHA1
c8d4aa87d8d46840797053cf3df70e7c113cd367

SHA256
02da3610db6f9897ecdab67889e04783689cd068c9be03bf16e02b47677541a7

SHA512
ba9888e695ee2b21fd843f82232d705c883e4152b90d46532b9053619ef2d10c95187a085292940a8b580fd3bc54610bcc0258be537ce0cfdcdd3a45d450d2d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX3\wUAR.VX

Filesize
2B

MD5
ac6ad5d9b99757c3a878f2d275ace198

SHA1
439baa1b33514fb81632aaf44d16a9378c5664fc

SHA256
9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

SHA512
bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX3\~Ted1E2.CfH

Filesize
13KB

MD5
6d3dff024cd32c6b6f127467ed5b3a87

SHA1
2d699353e56846b0e93e15a326a66ed69c0c2c5c

SHA256
fbbe6f094cc075ca2a972e300a492bcf501a371e966f5573d7c33e3c2098b9f8

SHA512
4199499f6acf1d13e03011f5899542383a42193501823c94349eca8a31efb0714fed1b37b31032ff5054723a3b4b44f1697c64a01b66d25674e1642681a0a0d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shakmp.url

Filesize
117B

MD5
3e02b06ed8f0cc9b6ac6a40aa3ebc728

SHA1
fb038ee5203be9736cbf55c78e4c0888185012ad

SHA256
c0cbd06f9659d71c08912f27e0499f32ed929785d5c5dc1fc46d07199f5a24ea

SHA512
44cbbaee576f978deaa5d8bd9e54560e4aa972dfdd6b68389e783e838e36f0903565b0e978cf8f4f20c8b231d3879d3552ebb7a8c4e89e36692291c7c3ffcf00

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD9C1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cld.exe

Filesize
2.6MB

MD5
749227d9d9f16b8129f3449540dda022

SHA1
9a3bb6c18ce59134671c1871172d78d7ee1947bf

SHA256
9b853f186383e7e201c978a76857d60180b279b308d633b4b078669473b7de51

SHA512
45b7f36f4e01263ba0681cae614e3ab32b12d19a816e6003a37ff6905af34e221bb42edf95cdef00357c3d83248a3cef976e22a21b01638cdd1e161ef18db3d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
184KB

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
61KB

MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\piz.exe

Filesize
972KB

MD5
310e87af0b8f40379bed1095dd7372b9

SHA1
1ec32c123ddd840afe605dd737e014bd88c81729

SHA256
a030bb0e1fbe87049fc34c6ae53be0b6e3fb0176c560abddce3cfe95ac14671e

SHA512
a050d7333bca926fd2651374e81dc6dd031a88a0b60375324d5298f6e876aa8d73593089729e015ba10f14eac8375fbbac713aaf1029438240943f8b1980bc96

Download Submit
C:\Users\Admin\AppData\Local\Temp\secd.exe

Filesize
820KB

MD5
89c7d9d506e2d2ad1e86df5dfe5d318f

SHA1
c6b59a79d5926fd3b5d7f292a134290f9d4984a9

SHA256
ba79703eaeddefc846a71a9f3fd9a65c036725f2bc8959dec4f564ed68373aca

SHA512
82220ce0d0e7df3078f299ce56afc7d8e4b24804e9bc03e4bc753619d9f2e92c34f2a3d492f9fd22428ecac3358be2853c92f1ba38f57dfc5c063ac2e38f151b

Download Submit
C:\Users\Admin\AppData\Local\Temp\update_b1f99b.exe

Filesize
107KB

MD5
62b0362a4fc3a80879781d59186c0d98

SHA1
a121775fa01f85b84f8c2cddc8002272fb4dedb9

SHA256
77f7155b68c505ffc34d80a20bc5e68292017f1a04e39eec1ca75931d32ae02a

SHA512
5cdff373b7d03dd0774c739f692f211595b950a2f3345acea5575345331f01221e42265451b5d642f74d384b66cb55d15643e390928fce6b3cfd189b42320393

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF28A0F8F5BF2EF861.TMP

Filesize
16KB

MD5
bdd9803d5ed64de9f02e2072a95e5026

SHA1
ec74b54457e12bfd849283f6d692e9fe8a537334

SHA256
6785a86738850e47a302aec0059542216c7d30920ecee2d90b8cc10effade603

SHA512
a3c03f096ad84854a98291445a6d84319149d25572471be2ac49703158712a7ec0f5c7b6124e0610ec76af4b5dd684fabb7e9c1066190f15bb98a7b49d11f08a

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\quv.exe

Filesize
653KB

MD5
a4e461c7f3a7c8ed80168346e5f7b41c

SHA1
d618ef96903475a1c293546072fb1f80c7d5d334

SHA256
530af4a5976975c677d10507bcbe82d9a9a0b79a6576a4cfed87f08b828d756c

SHA512
82649dbbd2f003904d1b6b4f0363f3ea29113a0f95705b1346d1086ce35370976abf154043674686c90828a25e107ffd3a9c8219a643992b1337aa1282993494

Download Submit
\Users\Admin\AppData\Local\Temp\asj.exe

Filesize
523KB

MD5
4ab590bec37edc62624775803da478c4

SHA1
b8388887db2d3a1ac846107e209bfd81007c5633

SHA256
a72c59af764b96223658f375a7622a78a422af6381a5fb746e870043b0d20dda

SHA512
b686081b73c053843febdceca215ea0a11f55090af7240454919168f564a38785b5d94c8d40598e7d629b7e03e13089e24a7beb0a6748cd02ee6192b8a28f0e4

Download Submit
\Users\Admin\AppData\Local\Temp\file_clu.exe

Filesize
1.0MB

MD5
ec8866c33b44b2e1e84248220ab66d0a

SHA1
07025a834eff898dc14555ec821dcc543d9ee654

SHA256
50e87075abe81f2accb11006aacff87513b8998a8be78721257767cb3c04930c

SHA512
323279e425059c43433d29de60c07d71cc4469164e41bf5211e4787a0949955469270a1a998f60156538b943204af3fe4b5eeeadea38d2c5d655c65a52774ede

Download Submit
\Users\Admin\AppData\Local\Temp\md3_3kvm.exe

Filesize
686KB

MD5
bbe815cb088b8f5a20c6b29313b87ca3

SHA1
92cffb9ab221fd3eea757a90593d3d035de9c152

SHA256
919c8403de9b81f4ca2cd3b6aa96bc7f778d7f1472b547fcc6c6e12ff373ce69

SHA512
5849e5900f32178e55b9c234bba30d7f9c6619c80ad37b07310796807f3e7322ec10db62afebe610fc1092867921a0788d403bf4c31a15e8c650bd4cb108654f

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
704KB

MD5
9a33e86a442033fb91f30257650fa530

SHA1
fb435f8a0fa371f8cf21b856fda02783dab16ed9

SHA256
87b42afa55daa0eb8d43daa9f39fa08711aca0fddf1a1c522750611c1fa19852

SHA512
0301d143bd3584fc9dca958fa62f018438f59e0158b55e47e69f709bfdf6e4f066b2e42b8ad4c0cdc2698366a066edd0f75c78fcd68d806a88cca36885bf7176

Download Submit
\Users\Admin\AppData\Local\Temp\ubisoftant.exe

Filesize
1.2MB

MD5
fa8aff97902b0cfd09cee92a6646c442

SHA1
3d224398f7e101b578949a8cee39142e19586a2a

SHA256
b2c316e8fbbd4061a11f02ee491188eb0e7a2cf86377ae5dd629d4e49c372dcc

SHA512
a4ed99ee8b65133f95dc59fd800dca65266a5fbafe9e37024a4576382aa261f749e7f57354981c3738c3a1a0338b09188c0c031adf2c375b218942b0b02d2d76

Download Submit
memory/400-416-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/400-351-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/400-417-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/400-353-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/400-300-0x0000000000270000-0x00000000002CB000-memory.dmp

Filesize
364KB

Download
memory/468-904-0x0000000004F70000-0x0000000004FDA000-memory.dmp

Filesize
424KB

Download
memory/468-238-0x0000000000480000-0x000000000048A000-memory.dmp

Filesize
40KB

Download
memory/468-197-0x0000000000D10000-0x0000000000DBA000-memory.dmp

Filesize
680KB

Download
memory/1696-358-0x0000000140000000-0x0000000140792000-memory.dmp

Filesize
7.6MB

Download
memory/1696-340-0x0000000140000000-0x0000000140792000-memory.dmp

Filesize
7.6MB

Download
memory/1868-366-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1868-354-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1872-221-0x0000000000400000-0x0000000002F94000-memory.dmp

Filesize
43.6MB

Download
memory/2036-476-0x0000000005920000-0x0000000006264000-memory.dmp

Filesize
9.3MB

Download
memory/2036-316-0x00000000006E0000-0x000000000076C000-memory.dmp

Filesize
560KB

Download
memory/2036-475-0x0000000000820000-0x000000000089B000-memory.dmp

Filesize
492KB

Download
memory/2036-477-0x0000000000AC0000-0x0000000000B34000-memory.dmp

Filesize
464KB

Download
memory/2036-478-0x0000000000C40000-0x0000000000CB0000-memory.dmp

Filesize
448KB

Download
memory/2036-481-0x0000000000C40000-0x0000000000CB0000-memory.dmp

Filesize
448KB

Download
memory/2036-219-0x0000000010000000-0x00000000130E5000-memory.dmp

Filesize
48.9MB

Download
memory/2036-341-0x0000000000820000-0x000000000089B000-memory.dmp

Filesize
492KB

Download
memory/2036-344-0x0000000000820000-0x000000000089B000-memory.dmp

Filesize
492KB

Download
memory/2036-846-0x0000000000C40000-0x0000000000CB0000-memory.dmp

Filesize
448KB

Download
memory/2036-844-0x0000000000C40000-0x0000000000CB0000-memory.dmp

Filesize
448KB

Download
memory/2036-843-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2036-352-0x0000000010000000-0x00000000130E5000-memory.dmp

Filesize
48.9MB

Download
memory/2092-222-0x00000000033D0000-0x00000000033D2000-memory.dmp

Filesize
8KB

Download
memory/2092-107-0x0000000003760000-0x0000000003A1F000-memory.dmp

Filesize
2.7MB

Download
memory/2092-248-0x0000000003760000-0x0000000003A1F000-memory.dmp

Filesize
2.7MB

Download
memory/2092-46-0x0000000003760000-0x00000000038E0000-memory.dmp

Filesize
1.5MB

Download
memory/2092-125-0x0000000003760000-0x0000000003A1F000-memory.dmp

Filesize
2.7MB

Download
memory/2092-54-0x0000000003350000-0x00000000033DA000-memory.dmp

Filesize
552KB

Download
memory/2092-126-0x0000000003760000-0x0000000003A1F000-memory.dmp

Filesize
2.7MB

Download
memory/2092-122-0x0000000003760000-0x0000000003A1F000-memory.dmp

Filesize
2.7MB

Download
memory/2092-45-0x0000000003760000-0x00000000038E0000-memory.dmp

Filesize
1.5MB

Download
memory/2152-299-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2452-142-0x0000000000400000-0x00000000006BF000-memory.dmp

Filesize
2.7MB

Download
memory/2452-247-0x0000000000400000-0x00000000006BF000-memory.dmp

Filesize
2.7MB

Download
memory/2672-167-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/2672-51-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/2672-355-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/2672-842-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/2892-917-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2932-150-0x0000000003BD0000-0x0000000004362000-memory.dmp

Filesize
7.6MB

Download
memory/2932-367-0x00000000036D0000-0x00000000036D2000-memory.dmp

Filesize
8KB

Download
memory/3024-63-0x0000000001290000-0x000000000131A000-memory.dmp

Filesize
552KB

Download
memory/3024-345-0x0000000001290000-0x000000000131A000-memory.dmp

Filesize
552KB

Download