fabookie | 0017a2f18f49ca0a4cc0a1f6a524faa5658ae033eda508906b626329c232fba5

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 23:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0017a2f18f49ca0a4cc0a1f6a524faa5658ae033eda508906b626329c232fba5.bin.exe
Size

19.1MB
MD5

8ebac20b51430b0cc35cef0bb4343524
SHA1

d73890138f1bac7f87cbb0137a86b000ca1dfdc8
SHA256

0017a2f18f49ca0a4cc0a1f6a524faa5658ae033eda508906b626329c232fba5
SHA512

0db3f4eb3df46f9811793edd29388fe7c9a36c3c9f94f4f16caaaa70d0a28aa4e8a38ccc96fd57270dab9d23b0313f85aab0808e81c660512bc8abc7d2f90674
SSDEEP

393216:obnSY7czVZQ+jQ3o3xrcJpuEJsVLDV3EJCP2qzFMlSQbY3hyt:GOVSiQ30xrUQkoFz+qaghyt

Score

10^/10

fabookie discovery evasion persistence privilege_escalation spyware stealer vmprotect

Malware Config

Signatures

Detect Fabookie payload 1 IoCs

resource	yara_rule
behavioral1/memory/3020-69-0x0000000140000000-0x0000000140619000-memory.dmp	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Fabookie family
fabookie
Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	DnsService.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	DnsService.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2948	netsh.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adblock Fast.lnk	Adblock.exe

Executes dropped EXE 13 IoCs

pid	Process
2336	Software_Tool.exe
3020	Resource.exe
2816	AdblockInstaller.exe
2588	Folder.exe
2752	AdblockInstaller.tmp
2740	Folder.exe
2088	Adblock.exe
828	crashpad_handler.exe
3004	DnsService.exe
1408	DnsService.exe
656	DnsService.exe
2248	AdblockInstaller.exe
1312	AdblockInstaller.tmp

Loads dropped DLL 37 IoCs

pid	Process
3064	0017a2f18f49ca0a4cc0a1f6a524faa5658ae033eda508906b626329c232fba5.bin.exe
3064	0017a2f18f49ca0a4cc0a1f6a524faa5658ae033eda508906b626329c232fba5.bin.exe
3064	0017a2f18f49ca0a4cc0a1f6a524faa5658ae033eda508906b626329c232fba5.bin.exe
3064	0017a2f18f49ca0a4cc0a1f6a524faa5658ae033eda508906b626329c232fba5.bin.exe
3064	0017a2f18f49ca0a4cc0a1f6a524faa5658ae033eda508906b626329c232fba5.bin.exe
3064	0017a2f18f49ca0a4cc0a1f6a524faa5658ae033eda508906b626329c232fba5.bin.exe
2336	Software_Tool.exe
2336	Software_Tool.exe
2336	Software_Tool.exe
2336	Software_Tool.exe
3064	0017a2f18f49ca0a4cc0a1f6a524faa5658ae033eda508906b626329c232fba5.bin.exe
3064	0017a2f18f49ca0a4cc0a1f6a524faa5658ae033eda508906b626329c232fba5.bin.exe
2816	AdblockInstaller.exe
2588	Folder.exe
668	WerFault.exe
668	WerFault.exe
2752	AdblockInstaller.tmp
668	WerFault.exe
2752	AdblockInstaller.tmp
2752	AdblockInstaller.tmp
2088	Adblock.exe
2088	Adblock.exe
2088	Adblock.exe
2088	Adblock.exe
2088	Adblock.exe
2752	AdblockInstaller.tmp
2752	AdblockInstaller.tmp
2752	AdblockInstaller.tmp
2752	AdblockInstaller.tmp
2752	AdblockInstaller.tmp
2088	Adblock.exe
2088	Adblock.exe
3004	DnsService.exe
1408	DnsService.exe
656	DnsService.exe
2248	AdblockInstaller.exe
1312	AdblockInstaller.tmp

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x0008000000018bdd-23.dat	vmprotect
behavioral1/memory/3020-69-0x0000000140000000-0x0000000140619000-memory.dmp	vmprotect

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
51	myexternalip.com
54	myexternalip.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Folder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdblockInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdblockInstaller.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Software_Tool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdblockInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Folder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0017a2f18f49ca0a4cc0a1f6a524faa5658ae033eda508906b626329c232fba5.bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdblockInstaller.tmp

Kills process with taskkill 2 IoCs

evasion

pid	Process
1072	taskkill.exe
1420	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	Adblock.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1876	reg.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280\Blob = 040000000100000010000000c6150925cfea5941ddc7ff2a0a5066920300000001000000140000009e99a48a9960b14926bb7f3b02e22da2b0ab72800f00000001000000200000008408d5e5010ab8da67eb33a7d79ace944dd0ac103ae6ead3ff30dec571066b0319000000010000001000000014d4b19434670e6dc091d154abb20edc180000000100000010000000fd960962ac6938e0d4b0769aa1a64e264b0000000100000044000000420036003600320034003000420030004600360043003800340042004400340038003500370041004200410036003000430046003500430045003400410030005f0000001400000001000000140000009c5f00dfaa01d7302b3888a2b86d4a9cf2119183200000000100000079040000308204753082035da003020102020900a70e4a4c3482b77f300d06092a864886f70d01010b05003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3039303930323030303030305a170d3334303632383137333931365a308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d50c3ac42af94ee2f5be19975f8e8853b11f3fcbcf9f20136d293ac80f7d3cf76b763863d93660a89b5e5c0080b22f597ff687f9254386e7691b529a90e171e3d82d0d4e6ff6c849d9b6f31a56ae2bb67414ebcffb26e31aba1d962e6a3b5894894756ff25a093705383da847414c3679e04683adf8e405a1d4a4ecf43913be756d60070cb52ee7b7dae3ae7bc31f945f6c260cf1359022b80cc3447dfb9de90656d02cf2c91a6a6e7de8518497c664ea33a6da9b5ee342eba0d03b833df47ebb16b8d25d99bce81d1454632967087de020e494385b66c73bb64ea6141acc9d454df872fc722b226cc9f5954689ffcbe2a2fc4551c75406017850255398b7f050203010001a381f03081ed300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604149c5f00dfaa01d7302b3888a2b86d4a9cf2119183301f0603551d23041830168014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7304f06082b0601050507010104433041301c06082b060105050730018610687474703a2f2f6f2e7373322e75732f302106082b060105050730028615687474703a2f2f782e7373322e75732f782e63657230260603551d1f041f301d301ba019a0178615687474703a2f2f732e7373322e75732f722e63726c30110603551d20040a300830060604551d2000300d06092a864886f70d01010b05000382010100231de38a57ca7de917794cf11e55fdcc536e3e470fdfc655f2b20436ed801f53c45d34286bbec755fc67eacb3f7f90b233cd1b58108202f8f82ff51360d405cef18108c1dda775974f18b96ddef7939108ba7e402cedc1eabb769e3306771d0d087f53dd1b64ab8227f169d54d5eaef4a1c375a758442df23c7098acba69b695777f0f315e2cfca0873a4769f0795ff41454a4955e1178126027ce9fc277ff2353775dbaffea59e7dbcfaf9296ef249a35107a9c91c60e7d99f63f19dff57254e115a907597b83bf522e468cb20064761c48d3d879e86e56ccae2c0390d7193899e4ca09195bff0796b0a87f3449df56a9f7b05fed33ed8c47b730035df4038c	Adblock.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280\Blob = 0f00000001000000200000008408d5e5010ab8da67eb33a7d79ace944dd0ac103ae6ead3ff30dec571066b031400000001000000140000009c5f00dfaa01d7302b3888a2b86d4a9cf21191834b0000000100000044000000420036003600320034003000420030004600360043003800340042004400340038003500370041004200410036003000430046003500430045003400410030005f000000180000000100000010000000fd960962ac6938e0d4b0769aa1a64e2619000000010000001000000014d4b19434670e6dc091d154abb20edc0300000001000000140000009e99a48a9960b14926bb7f3b02e22da2b0ab7280040000000100000010000000c6150925cfea5941ddc7ff2a0a506692200000000100000079040000308204753082035da003020102020900a70e4a4c3482b77f300d06092a864886f70d01010b05003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3039303930323030303030305a170d3334303632383137333931365a308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d50c3ac42af94ee2f5be19975f8e8853b11f3fcbcf9f20136d293ac80f7d3cf76b763863d93660a89b5e5c0080b22f597ff687f9254386e7691b529a90e171e3d82d0d4e6ff6c849d9b6f31a56ae2bb67414ebcffb26e31aba1d962e6a3b5894894756ff25a093705383da847414c3679e04683adf8e405a1d4a4ecf43913be756d60070cb52ee7b7dae3ae7bc31f945f6c260cf1359022b80cc3447dfb9de90656d02cf2c91a6a6e7de8518497c664ea33a6da9b5ee342eba0d03b833df47ebb16b8d25d99bce81d1454632967087de020e494385b66c73bb64ea6141acc9d454df872fc722b226cc9f5954689ffcbe2a2fc4551c75406017850255398b7f050203010001a381f03081ed300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604149c5f00dfaa01d7302b3888a2b86d4a9cf2119183301f0603551d23041830168014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7304f06082b0601050507010104433041301c06082b060105050730018610687474703a2f2f6f2e7373322e75732f302106082b060105050730028615687474703a2f2f782e7373322e75732f782e63657230260603551d1f041f301d301ba019a0178615687474703a2f2f732e7373322e75732f722e63726c30110603551d20040a300830060604551d2000300d06092a864886f70d01010b05000382010100231de38a57ca7de917794cf11e55fdcc536e3e470fdfc655f2b20436ed801f53c45d34286bbec755fc67eacb3f7f90b233cd1b58108202f8f82ff51360d405cef18108c1dda775974f18b96ddef7939108ba7e402cedc1eabb769e3306771d0d087f53dd1b64ab8227f169d54d5eaef4a1c375a758442df23c7098acba69b695777f0f315e2cfca0873a4769f0795ff41454a4955e1178126027ce9fc277ff2353775dbaffea59e7dbcfaf9296ef249a35107a9c91c60e7d99f63f19dff57254e115a907597b83bf522e468cb20064761c48d3d879e86e56ccae2c0390d7193899e4ca09195bff0796b0a87f3449df56a9f7b05fed33ed8c47b730035df4038c	Adblock.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280\Blob = 19000000010000001000000014d4b19434670e6dc091d154abb20edc040000000100000010000000c6150925cfea5941ddc7ff2a0a5066920300000001000000140000009e99a48a9960b14926bb7f3b02e22da2b0ab7280180000000100000010000000fd960962ac6938e0d4b0769aa1a64e264b0000000100000044000000420036003600320034003000420030004600360043003800340042004400340038003500370041004200410036003000430046003500430045003400410030005f0000001400000001000000140000009c5f00dfaa01d7302b3888a2b86d4a9cf21191830f00000001000000200000008408d5e5010ab8da67eb33a7d79ace944dd0ac103ae6ead3ff30dec571066b03200000000100000079040000308204753082035da003020102020900a70e4a4c3482b77f300d06092a864886f70d01010b05003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3039303930323030303030305a170d3334303632383137333931365a308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d50c3ac42af94ee2f5be19975f8e8853b11f3fcbcf9f20136d293ac80f7d3cf76b763863d93660a89b5e5c0080b22f597ff687f9254386e7691b529a90e171e3d82d0d4e6ff6c849d9b6f31a56ae2bb67414ebcffb26e31aba1d962e6a3b5894894756ff25a093705383da847414c3679e04683adf8e405a1d4a4ecf43913be756d60070cb52ee7b7dae3ae7bc31f945f6c260cf1359022b80cc3447dfb9de90656d02cf2c91a6a6e7de8518497c664ea33a6da9b5ee342eba0d03b833df47ebb16b8d25d99bce81d1454632967087de020e494385b66c73bb64ea6141acc9d454df872fc722b226cc9f5954689ffcbe2a2fc4551c75406017850255398b7f050203010001a381f03081ed300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604149c5f00dfaa01d7302b3888a2b86d4a9cf2119183301f0603551d23041830168014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7304f06082b0601050507010104433041301c06082b060105050730018610687474703a2f2f6f2e7373322e75732f302106082b060105050730028615687474703a2f2f782e7373322e75732f782e63657230260603551d1f041f301d301ba019a0178615687474703a2f2f732e7373322e75732f722e63726c30110603551d20040a300830060604551d2000300d06092a864886f70d01010b05000382010100231de38a57ca7de917794cf11e55fdcc536e3e470fdfc655f2b20436ed801f53c45d34286bbec755fc67eacb3f7f90b233cd1b58108202f8f82ff51360d405cef18108c1dda775974f18b96ddef7939108ba7e402cedc1eabb769e3306771d0d087f53dd1b64ab8227f169d54d5eaef4a1c375a758442df23c7098acba69b695777f0f315e2cfca0873a4769f0795ff41454a4955e1178126027ce9fc277ff2353775dbaffea59e7dbcfaf9296ef249a35107a9c91c60e7d99f63f19dff57254e115a907597b83bf522e468cb20064761c48d3d879e86e56ccae2c0390d7193899e4ca09195bff0796b0a87f3449df56a9f7b05fed33ed8c47b730035df4038c	Adblock.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	Adblock.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280\Blob = 1400000001000000140000009c5f00dfaa01d7302b3888a2b86d4a9cf21191834b0000000100000044000000420036003600320034003000420030004600360043003800340042004400340038003500370041004200410036003000430046003500430045003400410030005f000000180000000100000010000000fd960962ac6938e0d4b0769aa1a64e2619000000010000001000000014d4b19434670e6dc091d154abb20edc0f00000001000000200000008408d5e5010ab8da67eb33a7d79ace944dd0ac103ae6ead3ff30dec571066b03040000000100000010000000c6150925cfea5941ddc7ff2a0a5066920300000001000000140000009e99a48a9960b14926bb7f3b02e22da2b0ab7280200000000100000079040000308204753082035da003020102020900a70e4a4c3482b77f300d06092a864886f70d01010b05003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3039303930323030303030305a170d3334303632383137333931365a308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d50c3ac42af94ee2f5be19975f8e8853b11f3fcbcf9f20136d293ac80f7d3cf76b763863d93660a89b5e5c0080b22f597ff687f9254386e7691b529a90e171e3d82d0d4e6ff6c849d9b6f31a56ae2bb67414ebcffb26e31aba1d962e6a3b5894894756ff25a093705383da847414c3679e04683adf8e405a1d4a4ecf43913be756d60070cb52ee7b7dae3ae7bc31f945f6c260cf1359022b80cc3447dfb9de90656d02cf2c91a6a6e7de8518497c664ea33a6da9b5ee342eba0d03b833df47ebb16b8d25d99bce81d1454632967087de020e494385b66c73bb64ea6141acc9d454df872fc722b226cc9f5954689ffcbe2a2fc4551c75406017850255398b7f050203010001a381f03081ed300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604149c5f00dfaa01d7302b3888a2b86d4a9cf2119183301f0603551d23041830168014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7304f06082b0601050507010104433041301c06082b060105050730018610687474703a2f2f6f2e7373322e75732f302106082b060105050730028615687474703a2f2f782e7373322e75732f782e63657230260603551d1f041f301d301ba019a0178615687474703a2f2f732e7373322e75732f722e63726c30110603551d20040a300830060604551d2000300d06092a864886f70d01010b05000382010100231de38a57ca7de917794cf11e55fdcc536e3e470fdfc655f2b20436ed801f53c45d34286bbec755fc67eacb3f7f90b233cd1b58108202f8f82ff51360d405cef18108c1dda775974f18b96ddef7939108ba7e402cedc1eabb769e3306771d0d087f53dd1b64ab8227f169d54d5eaef4a1c375a758442df23c7098acba69b695777f0f315e2cfca0873a4769f0795ff41454a4955e1178126027ce9fc277ff2353775dbaffea59e7dbcfaf9296ef249a35107a9c91c60e7d99f63f19dff57254e115a907597b83bf522e468cb20064761c48d3d879e86e56ccae2c0390d7193899e4ca09195bff0796b0a87f3449df56a9f7b05fed33ed8c47b730035df4038c	Adblock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	Adblock.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280	Adblock.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280\Blob = 0300000001000000140000009e99a48a9960b14926bb7f3b02e22da2b0ab72801400000001000000140000009c5f00dfaa01d7302b3888a2b86d4a9cf2119183040000000100000010000000c6150925cfea5941ddc7ff2a0a5066920f00000001000000200000008408d5e5010ab8da67eb33a7d79ace944dd0ac103ae6ead3ff30dec571066b0319000000010000001000000014d4b19434670e6dc091d154abb20edc180000000100000010000000fd960962ac6938e0d4b0769aa1a64e264b0000000100000044000000420036003600320034003000420030004600360043003800340042004400340038003500370041004200410036003000430046003500430045003400410030005f000000200000000100000079040000308204753082035da003020102020900a70e4a4c3482b77f300d06092a864886f70d01010b05003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3039303930323030303030305a170d3334303632383137333931365a308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d50c3ac42af94ee2f5be19975f8e8853b11f3fcbcf9f20136d293ac80f7d3cf76b763863d93660a89b5e5c0080b22f597ff687f9254386e7691b529a90e171e3d82d0d4e6ff6c849d9b6f31a56ae2bb67414ebcffb26e31aba1d962e6a3b5894894756ff25a093705383da847414c3679e04683adf8e405a1d4a4ecf43913be756d60070cb52ee7b7dae3ae7bc31f945f6c260cf1359022b80cc3447dfb9de90656d02cf2c91a6a6e7de8518497c664ea33a6da9b5ee342eba0d03b833df47ebb16b8d25d99bce81d1454632967087de020e494385b66c73bb64ea6141acc9d454df872fc722b226cc9f5954689ffcbe2a2fc4551c75406017850255398b7f050203010001a381f03081ed300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604149c5f00dfaa01d7302b3888a2b86d4a9cf2119183301f0603551d23041830168014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7304f06082b0601050507010104433041301c06082b060105050730018610687474703a2f2f6f2e7373322e75732f302106082b060105050730028615687474703a2f2f782e7373322e75732f782e63657230260603551d1f041f301d301ba019a0178615687474703a2f2f732e7373322e75732f722e63726c30110603551d20040a300830060604551d2000300d06092a864886f70d01010b05000382010100231de38a57ca7de917794cf11e55fdcc536e3e470fdfc655f2b20436ed801f53c45d34286bbec755fc67eacb3f7f90b233cd1b58108202f8f82ff51360d405cef18108c1dda775974f18b96ddef7939108ba7e402cedc1eabb769e3306771d0d087f53dd1b64ab8227f169d54d5eaef4a1c375a758442df23c7098acba69b695777f0f315e2cfca0873a4769f0795ff41454a4955e1178126027ce9fc277ff2353775dbaffea59e7dbcfaf9296ef249a35107a9c91c60e7d99f63f19dff57254e115a907597b83bf522e468cb20064761c48d3d879e86e56ccae2c0390d7193899e4ca09195bff0796b0a87f3449df56a9f7b05fed33ed8c47b730035df4038c	Adblock.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280\Blob = 180000000100000010000000fd960962ac6938e0d4b0769aa1a64e260f00000001000000200000008408d5e5010ab8da67eb33a7d79ace944dd0ac103ae6ead3ff30dec571066b031400000001000000140000009c5f00dfaa01d7302b3888a2b86d4a9cf21191834b0000000100000044000000420036003600320034003000420030004600360043003800340042004400340038003500370041004200410036003000430046003500430045003400410030005f0000000300000001000000140000009e99a48a9960b14926bb7f3b02e22da2b0ab7280040000000100000010000000c6150925cfea5941ddc7ff2a0a50669219000000010000001000000014d4b19434670e6dc091d154abb20edc200000000100000079040000308204753082035da003020102020900a70e4a4c3482b77f300d06092a864886f70d01010b05003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3039303930323030303030305a170d3334303632383137333931365a308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d50c3ac42af94ee2f5be19975f8e8853b11f3fcbcf9f20136d293ac80f7d3cf76b763863d93660a89b5e5c0080b22f597ff687f9254386e7691b529a90e171e3d82d0d4e6ff6c849d9b6f31a56ae2bb67414ebcffb26e31aba1d962e6a3b5894894756ff25a093705383da847414c3679e04683adf8e405a1d4a4ecf43913be756d60070cb52ee7b7dae3ae7bc31f945f6c260cf1359022b80cc3447dfb9de90656d02cf2c91a6a6e7de8518497c664ea33a6da9b5ee342eba0d03b833df47ebb16b8d25d99bce81d1454632967087de020e494385b66c73bb64ea6141acc9d454df872fc722b226cc9f5954689ffcbe2a2fc4551c75406017850255398b7f050203010001a381f03081ed300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604149c5f00dfaa01d7302b3888a2b86d4a9cf2119183301f0603551d23041830168014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7304f06082b0601050507010104433041301c06082b060105050730018610687474703a2f2f6f2e7373322e75732f302106082b060105050730028615687474703a2f2f782e7373322e75732f782e63657230260603551d1f041f301d301ba019a0178615687474703a2f2f732e7373322e75732f722e63726c30110603551d20040a300830060604551d2000300d06092a864886f70d01010b05000382010100231de38a57ca7de917794cf11e55fdcc536e3e470fdfc655f2b20436ed801f53c45d34286bbec755fc67eacb3f7f90b233cd1b58108202f8f82ff51360d405cef18108c1dda775974f18b96ddef7939108ba7e402cedc1eabb769e3306771d0d087f53dd1b64ab8227f169d54d5eaef4a1c375a758442df23c7098acba69b695777f0f315e2cfca0873a4769f0795ff41454a4955e1178126027ce9fc277ff2353775dbaffea59e7dbcfaf9296ef249a35107a9c91c60e7d99f63f19dff57254e115a907597b83bf522e468cb20064761c48d3d879e86e56ccae2c0390d7193899e4ca09195bff0796b0a87f3449df56a9f7b05fed33ed8c47b730035df4038c	Adblock.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280\Blob = 4b0000000100000044000000420036003600320034003000420030004600360043003800340042004400340038003500370041004200410036003000430046003500430045003400410030005f00000019000000010000001000000014d4b19434670e6dc091d154abb20edc040000000100000010000000c6150925cfea5941ddc7ff2a0a5066920300000001000000140000009e99a48a9960b14926bb7f3b02e22da2b0ab72801400000001000000140000009c5f00dfaa01d7302b3888a2b86d4a9cf21191830f00000001000000200000008408d5e5010ab8da67eb33a7d79ace944dd0ac103ae6ead3ff30dec571066b03180000000100000010000000fd960962ac6938e0d4b0769aa1a64e26200000000100000079040000308204753082035da003020102020900a70e4a4c3482b77f300d06092a864886f70d01010b05003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3039303930323030303030305a170d3334303632383137333931365a308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d50c3ac42af94ee2f5be19975f8e8853b11f3fcbcf9f20136d293ac80f7d3cf76b763863d93660a89b5e5c0080b22f597ff687f9254386e7691b529a90e171e3d82d0d4e6ff6c849d9b6f31a56ae2bb67414ebcffb26e31aba1d962e6a3b5894894756ff25a093705383da847414c3679e04683adf8e405a1d4a4ecf43913be756d60070cb52ee7b7dae3ae7bc31f945f6c260cf1359022b80cc3447dfb9de90656d02cf2c91a6a6e7de8518497c664ea33a6da9b5ee342eba0d03b833df47ebb16b8d25d99bce81d1454632967087de020e494385b66c73bb64ea6141acc9d454df872fc722b226cc9f5954689ffcbe2a2fc4551c75406017850255398b7f050203010001a381f03081ed300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604149c5f00dfaa01d7302b3888a2b86d4a9cf2119183301f0603551d23041830168014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7304f06082b0601050507010104433041301c06082b060105050730018610687474703a2f2f6f2e7373322e75732f302106082b060105050730028615687474703a2f2f782e7373322e75732f782e63657230260603551d1f041f301d301ba019a0178615687474703a2f2f732e7373322e75732f722e63726c30110603551d20040a300830060604551d2000300d06092a864886f70d01010b05000382010100231de38a57ca7de917794cf11e55fdcc536e3e470fdfc655f2b20436ed801f53c45d34286bbec755fc67eacb3f7f90b233cd1b58108202f8f82ff51360d405cef18108c1dda775974f18b96ddef7939108ba7e402cedc1eabb769e3306771d0d087f53dd1b64ab8227f169d54d5eaef4a1c375a758442df23c7098acba69b695777f0f315e2cfca0873a4769f0795ff41454a4955e1178126027ce9fc277ff2353775dbaffea59e7dbcfaf9296ef249a35107a9c91c60e7d99f63f19dff57254e115a907597b83bf522e468cb20064761c48d3d879e86e56ccae2c0390d7193899e4ca09195bff0796b0a87f3449df56a9f7b05fed33ed8c47b730035df4038c	Adblock.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	Adblock.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	Adblock.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
2088	Adblock.exe
2088	Adblock.exe
2088	Adblock.exe
2088	Adblock.exe
2088	Adblock.exe
2088	Adblock.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe
656	DnsService.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2088	Adblock.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1072	taskkill.exe
Token: SeDebugPrivilege	1420	taskkill.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2752	AdblockInstaller.tmp
2088	Adblock.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2336	Software_Tool.exe
2336	Software_Tool.exe
2088	Adblock.exe
2088	Adblock.exe
2088	Adblock.exe
2088	Adblock.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2336	3064	0017a2f18f49ca0a4cc0a1f6a524faa5658ae033eda508906b626329c232fba5.bin.exe	30
PID 3064 wrote to memory of 2336	3064	0017a2f18f49ca0a4cc0a1f6a524faa5658ae033eda508906b626329c232fba5.bin.exe	30
PID 3064 wrote to memory of 2336	3064	0017a2f18f49ca0a4cc0a1f6a524faa5658ae033eda508906b626329c232fba5.bin.exe	30
PID 3064 wrote to memory of 2336	3064	0017a2f18f49ca0a4cc0a1f6a524faa5658ae033eda508906b626329c232fba5.bin.exe	30
PID 3064 wrote to memory of 3020	3064	0017a2f18f49ca0a4cc0a1f6a524faa5658ae033eda508906b626329c232fba5.bin.exe	31
PID 3064 wrote to memory of 3020	3064	0017a2f18f49ca0a4cc0a1f6a524faa5658ae033eda508906b626329c232fba5.bin.exe	31
PID 3064 wrote to memory of 3020	3064	0017a2f18f49ca0a4cc0a1f6a524faa5658ae033eda508906b626329c232fba5.bin.exe	31
PID 3064 wrote to memory of 3020	3064	0017a2f18f49ca0a4cc0a1f6a524faa5658ae033eda508906b626329c232fba5.bin.exe	31
PID 2336 wrote to memory of 2816	2336	Software_Tool.exe	33
PID 2336 wrote to memory of 2816	2336	Software_Tool.exe	33
PID 2336 wrote to memory of 2816	2336	Software_Tool.exe	33
PID 2336 wrote to memory of 2816	2336	Software_Tool.exe	33
PID 2336 wrote to memory of 2816	2336	Software_Tool.exe	33
PID 2336 wrote to memory of 2816	2336	Software_Tool.exe	33
PID 2336 wrote to memory of 2816	2336	Software_Tool.exe	33
PID 3064 wrote to memory of 2588	3064	0017a2f18f49ca0a4cc0a1f6a524faa5658ae033eda508906b626329c232fba5.bin.exe	32
PID 3064 wrote to memory of 2588	3064	0017a2f18f49ca0a4cc0a1f6a524faa5658ae033eda508906b626329c232fba5.bin.exe	32
PID 3064 wrote to memory of 2588	3064	0017a2f18f49ca0a4cc0a1f6a524faa5658ae033eda508906b626329c232fba5.bin.exe	32
PID 3064 wrote to memory of 2588	3064	0017a2f18f49ca0a4cc0a1f6a524faa5658ae033eda508906b626329c232fba5.bin.exe	32
PID 2816 wrote to memory of 2752	2816	AdblockInstaller.exe	35
PID 2816 wrote to memory of 2752	2816	AdblockInstaller.exe	35
PID 2816 wrote to memory of 2752	2816	AdblockInstaller.exe	35
PID 2816 wrote to memory of 2752	2816	AdblockInstaller.exe	35
PID 2816 wrote to memory of 2752	2816	AdblockInstaller.exe	35
PID 2816 wrote to memory of 2752	2816	AdblockInstaller.exe	35
PID 2816 wrote to memory of 2752	2816	AdblockInstaller.exe	35
PID 2588 wrote to memory of 2740	2588	Folder.exe	36
PID 2588 wrote to memory of 2740	2588	Folder.exe	36
PID 2588 wrote to memory of 2740	2588	Folder.exe	36
PID 2588 wrote to memory of 2740	2588	Folder.exe	36
PID 2752 wrote to memory of 2344	2752	AdblockInstaller.tmp	38
PID 2752 wrote to memory of 2344	2752	AdblockInstaller.tmp	38
PID 2752 wrote to memory of 2344	2752	AdblockInstaller.tmp	38
PID 2752 wrote to memory of 2344	2752	AdblockInstaller.tmp	38
PID 3020 wrote to memory of 668	3020	Resource.exe	39
PID 3020 wrote to memory of 668	3020	Resource.exe	39
PID 3020 wrote to memory of 668	3020	Resource.exe	39
PID 2752 wrote to memory of 1072	2752	AdblockInstaller.tmp	41
PID 2752 wrote to memory of 1072	2752	AdblockInstaller.tmp	41
PID 2752 wrote to memory of 1072	2752	AdblockInstaller.tmp	41
PID 2752 wrote to memory of 1072	2752	AdblockInstaller.tmp	41
PID 2752 wrote to memory of 2088	2752	AdblockInstaller.tmp	44
PID 2752 wrote to memory of 2088	2752	AdblockInstaller.tmp	44
PID 2752 wrote to memory of 2088	2752	AdblockInstaller.tmp	44
PID 2752 wrote to memory of 2088	2752	AdblockInstaller.tmp	44
PID 2752 wrote to memory of 284	2752	AdblockInstaller.tmp	45
PID 2752 wrote to memory of 284	2752	AdblockInstaller.tmp	45
PID 2752 wrote to memory of 284	2752	AdblockInstaller.tmp	45
PID 2752 wrote to memory of 284	2752	AdblockInstaller.tmp	45
PID 284 wrote to memory of 2512	284	cmd.exe	47
PID 284 wrote to memory of 2512	284	cmd.exe	47
PID 284 wrote to memory of 2512	284	cmd.exe	47
PID 2752 wrote to memory of 2320	2752	AdblockInstaller.tmp	48
PID 2752 wrote to memory of 2320	2752	AdblockInstaller.tmp	48
PID 2752 wrote to memory of 2320	2752	AdblockInstaller.tmp	48
PID 2752 wrote to memory of 2320	2752	AdblockInstaller.tmp	48
PID 2088 wrote to memory of 828	2088	Adblock.exe	49
PID 2088 wrote to memory of 828	2088	Adblock.exe	49
PID 2088 wrote to memory of 828	2088	Adblock.exe	49
PID 2320 wrote to memory of 1876	2320	cmd.exe	51
PID 2320 wrote to memory of 1876	2320	cmd.exe	51
PID 2320 wrote to memory of 1876	2320	cmd.exe	51
PID 2752 wrote to memory of 1420	2752	AdblockInstaller.tmp	52
PID 2752 wrote to memory of 1420	2752	AdblockInstaller.tmp	52

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0017a2f18f49ca0a4cc0a1f6a524faa5658ae033eda508906b626329c232fba5.bin.exe
"C:\Users\Admin\AppData\Local\Temp\0017a2f18f49ca0a4cc0a1f6a524faa5658ae033eda508906b626329c232fba5.bin.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Users\Admin\AppData\Local\Temp\Software_Tool.exe
  "C:\Users\Admin\AppData\Local\Temp\Software_Tool.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Users\Admin\AppData\Local\Temp\sibBBA3.tmp\0\AdblockInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\sibBBA3.tmp\0\AdblockInstaller.exe" /pid=741
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Users\Admin\AppData\Local\Temp\is-LVKB2.tmp\AdblockInstaller.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-LVKB2.tmp\AdblockInstaller.tmp" /SL5="$501F2,15557677,792064,C:\Users\Admin\AppData\Local\Temp\sibBBA3.tmp\0\AdblockInstaller.exe" /pid=741
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\SysWOW64\ctfmon.exe
        
        ctfmon.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2344
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im Adblock.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
    - - C:\Users\Admin\Programs\Adblock\Adblock.exe
        
        "C:\Users\Admin\Programs\Adblock\Adblock.exe" --installerSessionId=d58f30ce1733702351 --downloadDate=2022-12-17T04:04:11 --distId=marketator --pid=741
        5⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Modifies Internet Explorer settings
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2088
      - C:\Users\Admin\Programs\Adblock\crashpad_handler.exe
        
        C:\Users\Admin\Programs\Adblock\crashpad_handler.exe --no-rate-limit "--database=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps" "--metrics-dir=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps" --url=https://o428832.ingest.sentry.io:443/api/5420194/minidump/?sentry_client=sentry.native/0.4.12&sentry_key=06798e99d7ee416faaf4e01cd2f1faaf "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\de273e67-3eb0-42a0-4724-f69f86a29584.run\__sentry-event" "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\de273e67-3eb0-42a0-4724-f69f86a29584.run\__sentry-breadcrumb1" "--attachment=C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\de273e67-3eb0-42a0-4724-f69f86a29584.run\__sentry-breadcrumb2" --initial-client-data=0x1b8,0x1bc,0x1c0,0x18c,0x1c4,0x1401dbdd0,0x1401dbdf0,0x1401dbe08
        6⤵
        Executes dropped EXE
        
        PID:828
      - C:\Windows\system32\netsh.exe
        
        C:\Windows\system32\netsh.exe firewall add allowedprogram "C:\Users\Admin\Programs\Adblock\DnsService.exe" AdBlockFast ENABLE
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2948
      - C:\Users\Admin\Programs\Adblock\DnsService.exe
        
        C:\Users\Admin\Programs\Adblock\DnsService.exe -install
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3004
      - C:\Users\Admin\Programs\Adblock\DnsService.exe
        
        C:\Users\Admin\Programs\Adblock\DnsService.exe -start
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1408
      - C:\Users\Admin\AppData\Local\Temp\Update-490c9f16-0566-4867-a1dd-c9cecbab7458\AdblockInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Update-490c9f16-0566-4867-a1dd-c9cecbab7458\AdblockInstaller.exe" /SP- /VERYSILENT /NOICONS /SUPPRESSMSGBOXES /UPDATE
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\is-3DKTV.tmp\AdblockInstaller.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-3DKTV.tmp\AdblockInstaller.tmp" /SL5="$70224,13644040,792064,C:\Users\Admin\AppData\Local\Temp\Update-490c9f16-0566-4867-a1dd-c9cecbab7458\AdblockInstaller.exe" /SP- /VERYSILENT /NOICONS /SUPPRESSMSGBOXES /UPDATE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1312
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c "reg copy HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /s /f"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:284
      - C:\Windows\system32\reg.exe
        
        reg copy HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /s /f
        6⤵
        
        PID:2512
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c "reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /f"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2320
      - C:\Windows\system32\reg.exe
        
        reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{bf5b0da9-8494-48d2-811b-39ea7a64d8e0}_is1 /f
        6⤵
        Modifies registry key
        
        PID:1876
    - - C:\Windows\SysWOW64\taskkill.exe
        
        "C:\Windows\System32\taskkill.exe" /f /im MassiveEngine.exe
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1420
- C:\Users\Admin\AppData\Local\Temp\Resource.exe
  "C:\Users\Admin\AppData\Local\Temp\Resource.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 3020 -s 56
    3⤵
    - Loads dropped DLL
    PID:668
- C:\Users\Admin\AppData\Local\Temp\Folder.exe
  "C:\Users\Admin\AppData\Local\Temp\Folder.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Users\Admin\AppData\Local\Temp\Folder.exe
    "C:\Users\Admin\AppData\Local\Temp\Folder.exe" -h
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2740

C:\Users\Admin\Programs\Adblock\DnsService.exe
C:\Users\Admin\Programs\Adblock\DnsService.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DABA17F5E36CBE65640DD2FE24F104E7

Filesize
1KB

MD5
c6150925cfea5941ddc7ff2a0a506692

SHA1
9e99a48a9960b14926bb7f3b02e22da2b0ab7280

SHA256
28689b30e4c306aab53b027b29e36ad6dd1dcf4b953994482ca84bdc1ecac996

SHA512
b3bd41385d72148e03f453e76a45fcd2111a22eff3c7f1e78e41f6744735444e058144ed68af88654ee62b0f117949f35739daad6ad765b8cde1cff92ed2d00c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
180630b050322a70c5bdd3876b171bbb

SHA1
14ec2beb859e214dce92aaf4ef238b9e60e709b4

SHA256
ba07b5ca7b543b02227a32e720b76d43be47efe2cabb46c15f56e29552908511

SHA512
bf565f881a5cb1d8c6798ec3efb072208fc55423cbb89d5befebf746cf688fceaba41c292a642734f5c6bee91b72cb6d4e7cd1cdc16bf202ca19834dec8380a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a718f9ae22ccba5a106c48a6db4658f

SHA1
1daf36736d813ea4826b9c9b7bce4ea209dea20a

SHA256
2da0da188c4d07413afefd0b3b13e795f9148d4b0a1957898c366942e5726938

SHA512
97182048d84a7d1beb4a3d77d724913805d91758f44d2152537257d7e1ba7af9fed3575fb2abaccda9dcc61e76bd633531c4bc73dca149b85fea609304bd5a76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d4e78aa75a590b725b5bcbd5ce947a79

SHA1
a5b4d80d9dd2ed3088582330b6a7263f14824a87

SHA256
930531d08eb1574caec03a08745631bc9b56f27093037a2978f0ff454d28e0aa

SHA512
732b5f9842e0c07feef393a3c481f8c7f37270b5c845dd0214c38c3e8562635b922968bf29dcc4ca7e80b0af393087a3ef50dc72d2c592aeea886418bbc361e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98b7be3ced7330a6dac9bc15ab255081

SHA1
8ef5941119d8508d4b20ebdab5d06a4f2d0c6e01

SHA256
ad95d8b6845dac9a46cd54b0c3a5105fbc0c9a34aa5a5e7c07d01d4b7ead16e8

SHA512
45a865189e994f4882deca69380b3f43898f8679d6af5e36d813b8c592b1dfe6238cb217160efeb674b90c1ae627eb3373a299b74011292c4a45f809a7a2c6cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17efdc396b0afaa245adc55b8abfb035

SHA1
0b2e9cef3a6c909c6920cfad17b88c87a3cb574e

SHA256
9a2dbdaa6010c1a670a1223513122e1b1316fb0fcfddb3e38a2bd57d152fa659

SHA512
4971ac59daa45f7ff78f79de32669713d1249bba1b3663cef795287a53e61b2ba179aaa47bb2a11b992bd4be2c3ed68b05f743f0e22d577edf75366cda17bf20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69072e3a25c0ff386faefcfe106c62fe

SHA1
a79daf619bab05b94aad5b96d9a215a7ab231b2a

SHA256
f84b5d6dedfa71058295c24eb03170de3890b55503a259fc1aed26745fed362c

SHA512
c7ef2198e7475534f56e25cd389664a1ceaee337c88c626656191f140c0581623b60cec7643e16efa33c1e8c600dd1d9824af5f34b38b4af5f0c2c93a10bea46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DABA17F5E36CBE65640DD2FE24F104E7

Filesize
276B

MD5
7de13c189a7326b37f0ce6c7d8dd2067

SHA1
5a20cbf214e35b13fb2caf936c94a112e400f3fd

SHA256
472179770c7d2f4bd937ea98137cf749962912598eb2b4dec9b4c6f039994f32

SHA512
74b642cdd05a762466ae3bd7d6f9947cbb6ceef59c5c03321e2d6d8318f17b4a21ffb3079854ca76f5ea1cac19a628767affa4c4d62f4cf0feabc877315bd690

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabED60.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Resource.exe

Filesize
3.5MB

MD5
10a8375392ad7ff460dbc07a627f9259

SHA1
96a5c4480a44840e4a7562afd31171f069fbc3e3

SHA256
96e2e8605a3db028029fa462712808db69520573b7a940990f5afa1a65910e46

SHA512
089f12390b182e83c775adb973275a0dff0c69c9ea6074c25638e7069ae28911fc060491fa34d6202dfa8400e718aa81dce65530f34e110aff17fbc86c07247a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEE0F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update-490c9f16-0566-4867-a1dd-c9cecbab7458\AdblockInstaller.exe

Filesize
13.8MB

MD5
ef6450ab524057924408dbe29991e99e

SHA1
f3b2ccec86f8a3543d5a35729b9d0138f4cc803f

SHA256
b00ec7b6171f98639b060f25e6a0df8b5fa3507af64484ea23a03234a74a87df

SHA512
e227b4c79b99a4d145a7e2cdf738157a873b09192d9563df8c248cecf832cf81a5c369ddd25091c99cb1745ad730623b05b1ed3e08db852589550a33a1db84da

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LVKB2.tmp\AdblockInstaller.tmp

Filesize
3.0MB

MD5
1228c03ba840482eac14e25b727f65b5

SHA1
eaa92be989ff71dc2b7cf090b2a8183a3c44e655

SHA256
a048ccbd5797616ed03ea8c13ddea2ec868e0ea22ecc6f475bf7e3ba42aa77b7

SHA512
77e874dc88b428c43a72ed8ab9e00e98872e9b47c4ad18f35019aa26c89de909448d5ec83a289ed87d8ddbea6e9515c5932973cf54ea3f535d7f2e11bc2318bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyBAE7.tmp\Sibuia.dll

Filesize
527KB

MD5
eb948284236e2d61eae0741280265983

SHA1
d5180db7f54de24c27489b221095871a52dc9156

SHA256
dbe5a7daf5bcff97f7c48f9b5476db3072cc85fbffd660adaff2e0455132d026

SHA512
6d8087022ee62acd823cfa871b8b3e3251e44f316769dc04e2ad169e9df6a836dba95c3b268716f2397d6c6a3624a9e50dbe0bc847f3c4f3ef8e09bff30f2d75

Download Submit
C:\Users\Admin\AppData\Local\Temp\sibBBA3.tmp\0\AdblockInstaller.exe

Filesize
15.7MB

MD5
8d7db88f1fb9c7308f7368ae65e3f0ef

SHA1
5166ff1bb9b4b5d5f0ab460496cf7cc491f81f62

SHA256
5f81f8ee08a7460a3abd3aed1da137f2824bbdf804951477546a96300bd1e31f

SHA512
a620347b470c43f1d5d253a4899cbf89b1f9f631da35e5740d5134155e66a2c1756660ac9be21a6d9b5f830fa02461b3781db5c9cfe9d56b23e1454b198a7316

Download Submit
C:\Users\Admin\AppData\Roaming\Adblock Fast\Massive\usage\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Roaming\Adblock Fast\Massive\usage\CURRENT~RFf76e0fc.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\Adblock Fast\crashdumps\settings.dat

Filesize
40B

MD5
9fa715bdca0350e3503d4a22b8565fd2

SHA1
02726a159bbaa0f63d515b15edfde56574c96cdf

SHA256
607c78d8ea95e8f65f6931c320ccd5bc173e0dcdcbbc9c74cf8217b51896846b

SHA512
d7325ffb255d5a89c820c84bcbd627304cec34aa0428cad6ab613d0e19f2b081c682f848898309e31975bebb5ab96e587b9aaf6b9841d14c02ebe6f33ef693c4

Download Submit
C:\Users\Admin\Programs\Adblock\MiningGpu.dll

Filesize
878KB

MD5
79cae1118a31818af31b388ee4808a1b

SHA1
9054393f36900ca638a6f58c31f6ed8b5e08ffb4

SHA256
8d8770fd885e0bb8a28fc96f31209f05d6b4db9b4036666bd5500d13b2faeb84

SHA512
0e320cba17c28bedc5bcd603c462bea62d658ca1aa6d8c954d1b68ae8597b8631ed20aa8754139702ae41d970458f681d4417c3caaa6e4e52a7dde4aeb6538dc

Download Submit
C:\Users\Admin\Programs\Adblock\SysGpuInfoEx.dll

Filesize
95KB

MD5
dc6723d0c1c83f6fa274d65d65a47962

SHA1
4f5147e4808ea4e7be6f6648f91089ed98ff3120

SHA256
2e27187fcd3e1216d20efab042151f4edbdc10d8cc3c2adf330c0b64ebb8cea0

SHA512
25464806174c060c4faaa23458f59d5f47d953232713238a7077f387fac97dd15dd8dcb34632131176341ae8e046d0320ed8ef87782322d623ed1f388a5e142d

Download Submit
C:\Users\Admin\Programs\Adblock\WinSparkle.dll

Filesize
2.3MB

MD5
e167dfd4bb292d7837f3c15bc8f6f7a1

SHA1
d56a8b15f1da113afda580f5b4271354bb8fa574

SHA256
1f64e24bb019f60755215e3ad1efd30926e1febe497f029a69b83cedcb0dac49

SHA512
cbd5da6ad4cd5682163b9035af56a0ca95773cd2902d7cbcef37a8c950d3a4b7df6b79864305e449dda47e48f1d4514c48da18fb2a99334269deeaf935947f35

Download Submit
C:\Users\Admin\Programs\Adblock\crashpad_handler.exe

Filesize
913KB

MD5
cd2e0167f2e1092816f04bc174c13364

SHA1
8015c003fdf94d5991902437d2e98ae2d7cbccf3

SHA256
bfb062608229199430bd5f729fde00147451c074775ee5bf0e2917f7b239df96

SHA512
2f64d56f2dd6ff3f4c334540338af223a9a05e50b58e988de112712fe429698393b0acc50ce61831e418b8d63e8029d47473777dc346135303b80ad753ccc4ab

Download Submit
C:\Users\Admin\Programs\Adblock\dns.conf

Filesize
73B

MD5
d9229b2bf6ea93565ebbeb81459025c1

SHA1
5b8af056d1a853b73ac94903edd1d6f167af8d22

SHA256
f975168980dc06d1f64400c045f73e13e4e68ab8f350aa23304924461cce1cb6

SHA512
ab8650d51b0606738001e70acb28f18a7b3a89445ba64f1264908e6d9cc6a94fa93d7b35377e817a5db98e8050c8c9942782ddccceb0c9795f3e05b5e9d4304c

Download Submit
C:\Users\Admin\Programs\Adblock\dnsService.txt

Filesize
584B

MD5
6f87824deb4d7296fff57d4c3b880b86

SHA1
b52dbb3cc246b3b5aa33735af135aa9a4c48acfd

SHA256
28fba9aecdd91a655f7576900d37d38b59f0443ee8cab12b5a3d2d4cd2bdf89d

SHA512
570c9af9033652054f7e34eb455cd7806232d3824b49cfe67401a8c214f159880f8e141bdc83ecfdbdce399b20dee58d638893728dd416b93ce3aed32b58b406

Download Submit
C:\Users\Admin\Programs\Adblock\domains\initial\adservers.conf

Filesize
1.0MB

MD5
c7183c7e129894d2634e14d86c2c9d94

SHA1
40a97a2d57daccd4ae455958be3f0c44aef12521

SHA256
1c288bd7a4bf7bf322f3c2949f65af3302019e93e7f92f211955a15c666a4a8b

SHA512
56a1add9de07eb49de8440f00772b211e382dc244a5cd9d5d4c7ae73cf56abdb2e76f3cdb1d81cc8d2cd0e21616844f20c9e24c9f3b21a46307c983a455b5e8b

Download Submit
C:\Users\Admin\Programs\Adblock\domains\initial\facebook.conf

Filesize
127KB

MD5
ba1435f50eb74c8a1ad64a75eb9d478b

SHA1
70ef49a54615637db396ddde8fb011bd62af1e4c

SHA256
5a718bc1916d74a426905484022551fa3ec4da678b0b1126f1d5cf674b42054d

SHA512
d73240e16152de66c5bd20a270528ac93d66d14e7458e753254767c37c7b292197e0fd1e3c4b4b44d91bf720c038d2df294b1ae1a5884dda45d4955b248fe9e5

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
572B

MD5
69a022e2dcca5afd5c63be2081774c0a

SHA1
c12ca961e842c924f8778fc88309e850f6c3aaf3

SHA256
6bf55d937727732d363dc7f9be78d439cb6de74a28234bbdcb38f3cbbc9c8eaa

SHA512
53dbc455724c36cb6c72d09ab2c9fd6dfed0540ba702fe7caf8d86a863c0c50ed84a7151e425b4e1adc7a3bb55d11441db8c0e90ed86d3cc2f350c37f8ddcab9

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
906B

MD5
b0a08330aeef4af175f4ff289bdd5c5f

SHA1
8bf74e9b82279c87c016aa1c5e359ff249e51976

SHA256
59c7006364a37d17c3683cab6ff285096d10e8489e3bb8e3fa2260a5356034f0

SHA512
576a26b2f05840dbcfbe5b4554b66c86fc43550ddea39123398a5cdef44c8b5e97b5520fa19814a155297dc99e864f22a84a67e9f8d93e972972c1d5cd126306

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
975B

MD5
a3f5b3b30f3971a9e20688ebfb4b2e1d

SHA1
d68a62b21e3682c629515ab7c83b8974c3715abf

SHA256
7c25a07c5dd47545c81442dc6a5f129ecf8bb90a9010a1ae8159fcf766951d2c

SHA512
fd06d0384ac399ddab4f4e22f20b4f8725c567ad2e000b1ddea4f8ca296c959be196af017f6f0bb68b5168a20b0458c214bf1d00901efef45ddb0444c56ba189

Download Submit
\Users\Admin\AppData\Local\Temp\Folder.exe

Filesize
135KB

MD5
0f2871fbf16bf9f5adc60785d8a71bd5

SHA1
3a5763edc969e9213d5cefaff6a6eb1e48132a91

SHA256
e4990a5113f348f96ac4b3d443bce8fec9f6a2c3ac70f749c86dd5b5052ab115

SHA512
82b0bc0b01eb9eef999a103ef447a25161a33445d90cd90c60e05b15f9668ff5c75335dc47e2829e4544bd7ee04a33955c83f378675531cf84110320226fad88

Download Submit
\Users\Admin\AppData\Local\Temp\Software_Tool.exe

Filesize
15.7MB

MD5
9af27765527617e9d75b5ee6b418c8d6

SHA1
0e5f46cf55abe0746e8ddf5d7980ad0a5475e8e7

SHA256
e92ee1bc7c053bfb6b65bfce216a97d3ba5fd4f09bf9fd4f530101a60bb19030

SHA512
033ae6fea1be872fbc028aa9519f558f425076b906330f6dfa2d63e9dba04bfb7efdb583cff87c16a5e4ec2c29736540b8552ec754422ee05ee97788b095bd13

Download Submit
\Users\Admin\AppData\Local\Temp\is-02H4D.tmp\PEInjector.dll

Filesize
186KB

MD5
a4cf124b21795dfd382c12422fd901ca

SHA1
7e2832f3b8b8e06ae594558d81416e96a81d3898

SHA256
9e371a745ea2c92c4ba996772557f4a66545ed5186d02bb2e73e20dc79906ec7

SHA512
3ee82d438e4a01d543791a6a17d78e148a68796e5f57d7354da36da0755369091089466e57ee9b786e7e0305a4321c281e03aeb24f6eb4dd07e7408eb3763cdd

Download Submit
\Users\Admin\AppData\Local\Temp\sibBBA3.tmp\SibClr.dll

Filesize
51KB

MD5
928e680dea22c19febe9fc8e05d96472

SHA1
0a4a749ddfd220e2b646b878881575ff9352cf73

SHA256
8b6b56f670d59ff93a1c7e601468127fc21f02dde567b5c21a5d53594cdaef94

SHA512
5fbc72c3fa98dc2b5ad2ed556d2c6dc9279d4be3eb90ffd7fa2ada39cb976eba7cb34033e5786d1cb6137c64c869027002be2f2cad408acefd5c22006a1fef34

Download Submit
\Users\Admin\Programs\Adblock\Adblock.exe

Filesize
5.4MB

MD5
c7119e2a05db13f4888321d28e215c07

SHA1
2040cf5a97a671e18aee7bbd78a9dce70235f8ab

SHA256
b10d464d5b329829a6ec5c5bca79d9e5e5614448bc8763cc51230a3b778b644b

SHA512
60cc31c7d054620ad2002f00d16e58728eb941ae9a8ad492d21207e916ce3e1cc4e16e9c130a084939d35ea6f2fbf9e2d5ad89f5dc31407c1e43c70a0974478a

Download Submit
\Users\Admin\Programs\Adblock\DnsService.exe

Filesize
3.0MB

MD5
97a08c6366f4589739209fdb43b4b3ec

SHA1
56b57f33d510de026207a8b37ea93db8447a11b8

SHA256
5d15b23e628be6147ea04df302b5a06ceb8420b3bfc41872e2f90b0511bc11b1

SHA512
d83e83d3c252622b13004c60bed56653c284462240553d12dfd22989fa2fdc34a06dc8b388f1fe2aded478542299356aaefc2e4691e8db396bcf7a9e65af94b1

Download Submit
\Users\Admin\Programs\Adblock\MassiveService.dll

Filesize
3.5MB

MD5
6bcbb964e1fe28513b22273f136a4b37

SHA1
fde4927b46bac2340f65fe2811c2307c798e2398

SHA256
10c027bdd8008ad62c7e3ab5abd92d2573bb9474a9ea8ffeb218b43a2efaab09

SHA512
6e587fda68bc9e9683f2bece39a5ff9357cccd12ea1e3669f8d7c675479b476f482de0e2fea20e7a0f4fec72abde7ec1b0beffa1eed79461abd006427d182fed

Download Submit
\Users\Admin\Programs\Adblock\SPCDNS.dll

Filesize
40KB

MD5
61e336dd16128398b546c70439c2bd3f

SHA1
4bb959d12c1184d64d439b3c21ffe8c4ad5ca5ae

SHA256
4f5160af8f4aa67f76613924280fb16da450c97eb657c871d9e42ec8a613acf1

SHA512
3506df990fdff07090d2f88a3aa56b8ea621dc412294b165dee532f7bbf40c4b00268f55a188e599df0d0d8151a644205104689716ebc78f40c83dab6a61a9e3

Download Submit
memory/1312-554-0x0000000000400000-0x000000000070A000-memory.dmp

Filesize
3.0MB

Download
memory/2248-542-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2248-556-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2336-42-0x000000000ECA0000-0x000000000ED5A000-memory.dmp

Filesize
744KB

Download
memory/2336-41-0x000000000EBE0000-0x000000000EBF2000-memory.dmp

Filesize
72KB

Download
memory/2752-314-0x0000000000400000-0x0000000000709000-memory.dmp

Filesize
3.0MB

Download
memory/2816-313-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2816-49-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/3020-69-0x0000000140000000-0x0000000140619000-memory.dmp

Filesize
6.1MB

Download