Analysis
max time kernel: 150s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20230621-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-06-2023 01:05
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://anonfiles.com/zcs165y1zc/Silly_Boost_rar
Resource: win10v2004-20230621-en
General
Target: https://anonfiles.com/zcs165y1zc/Silly_Boost_rar
Malware Config
Extracted
Family: stealerium
Webhook: https://discord.com/api/webhooks/1122480734226096179/1Aw4ALLBbu0auTmgRUo4dv8X6p1Zh7uLpU1Rdderh9NiImTJc0TwRM1SLzpjcALcAja6
Signatures
Stealerium
An open source info stealer written in C#, first seen in May 2022.
Executes dropped EXE (2 IoCs)
Processes: Silly Boost.exe
pid   process
1408  Silly Boost.exe
3788  Silly Boost.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
Processes: Silly Boost.exe
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Silly Boost.exe
Key opened  \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Silly Boost.exe
Key opened  \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Silly Boost.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
112   icanhazip.com
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: taskmgr.exe
description  ioc  process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  taskmgr.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  taskmgr.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: Silly Boost.exe
description  ioc  process
Key opened  \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0  Silly Boost.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  Silly Boost.exe
Modifies Internet Explorer Phishing Filter (1 TTPs, 2 IoCs)
Processes: iexplore.exe
description  ioc  process
Key created  \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Internet Explorer\PhishingFilter  iexplore.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 24ad397b44a4d901  iexplore.exe
Modifies Internet Explorer settings
Processes: iexplore.exe, IEXPLORE.EXE
Modifies registry class (64 IoCs)
Processes: OpenWith.exe, IEXPLORE.EXE, iexplore.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: Silly Boost.exe, taskmgr.exe
pid   process
1408  Silly Boost.exe
5076  taskmgr.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: OpenWith.exe
pid   process
1168  OpenWith.exe
Suspicious use of AdjustPrivilegeToken (12 IoCs)
Processes: 7z.exe, 7zG.exe, Silly Boost.exe, msiexec.exe, taskmgr.exe
description  pid  process
Token: SeRestorePrivilege  5064  7z.exe
Token: 35  5064  7z.exe
Token: SeRestorePrivilege  1464  7zG.exe
Token: 35  1464  7zG.exe
Token: SeSecurityPrivilege  1464  7zG.exe
Token: SeSecurityPrivilege  1464  7zG.exe
Token: SeDebugPrivilege  1408  Silly Boost.exe
Token: SeSecurityPrivilege  2896  msiexec.exe
Token: SeDebugPrivilege  3788  Silly Boost.exe
Token: SeDebugPrivilege  5076  taskmgr.exe
Token: SeSystemProfilePrivilege  5076  taskmgr.exe
Token: SeCreateGlobalPrivilege  5076  taskmgr.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes: iexplore.exe, 7zG.exe, taskmgr.exe
pid   process
4488  iexplore.exe
1464  7zG.exe
5076  taskmgr.exe
Suspicious use of SendNotifyMessage (64 IoCs)
Processes: taskmgr.exe
pid   process
5076  taskmgr.exe
Suspicious use of SetWindowsHookEx (31 IoCs)
Processes: iexplore.exe, IEXPLORE.EXE, OpenWith.exe, Silly Boost.exe
pid   process
4488  iexplore.exe
2472  IEXPLORE.EXE
1168  OpenWith.exe
1408  Silly Boost.exe
Suspicious use of WriteProcessMemory (26 IoCs)
Processes: iexplore.exe, OpenWith.exe, Silly Boost.exe, cmd.exe
description  pid  process  target process
PID 4488 wrote to memory of 2472  4488  iexplore.exe  IEXPLORE.EXE
PID 1168 wrote to memory of 5064  1168  OpenWith.exe  7z.exe
PID 1408 wrote to memory of 3636  1408  Silly Boost.exe  cmd.exe
PID 3636 wrote to memory of 4688  3636  cmd.exe  chcp.com
PID 3636 wrote to memory of 1860  3636  cmd.exe  netsh.exe
PID 3636 wrote to memory of 2360  3636  cmd.exe  findstr.exe
PID 1408 wrote to memory of 4408  1408  Silly Boost.exe  cmd.exe
PID 4408 wrote to memory of 1444  4408  cmd.exe  chcp.com
PID 4408 wrote to memory of 716  4408  cmd.exe  netsh.exe
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
outlook_office_path (1 IoCs)
Processes: Silly Boost.exe
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Silly Boost.exe
outlook_win_path (1 IoCs)
Processes: Silly Boost.exe
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Silly Boost.exe
Processes (indented by parent/child depth)
-
C:\Program Files\Internet Explorer\iexplore.exe
Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://anonfiles.com/zcs165y1zc/Silly_Boost_rar
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4488
  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4488 CREDAT:17410 /prefetch:2
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID: 2472
-
C:\Windows\system32\OpenWith.exe
Command line: C:\Windows\system32\OpenWith.exe -Embedding
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1168
  C:\Program Files\7-Zip\7z.exe
  Command line: "C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Downloads\Silly Boost.rar"
  - Suspicious use of AdjustPrivilegeToken
  PID: 5064
-
C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID: 3752
-
C:\Program Files\7-Zip\7zG.exe
Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap29819:84:7zEvent16555
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID: 1464
-
C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe
Command line: "C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe"
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID: 1408
  C:\Windows\SysWOW64\cmd.exe
  Command line: "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  - Suspicious use of WriteProcessMemory
  PID: 3636
    C:\Windows\SysWOW64\chcp.com
    Command line: chcp 65001
    PID: 4688
    C:\Windows\SysWOW64\netsh.exe
    Command line: netsh wlan show profile
    PID: 1860
    C:\Windows\SysWOW64\findstr.exe
    Command line: findstr All
    PID: 2360
  C:\Windows\SysWOW64\cmd.exe
  Command line: "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
  - Suspicious use of WriteProcessMemory
  PID: 4408
    C:\Windows\SysWOW64\chcp.com
    Command line: chcp 65001
    PID: 1444
    C:\Windows\SysWOW64\netsh.exe
    Command line: netsh wlan show networks mode=bssid
    PID: 716
-
C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Suspicious use of AdjustPrivilegeToken
PID: 2896
-
C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe
Command line: "C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID: 3788
-
C:\Windows\system32\taskmgr.exe
Command line: "C:\Windows\system32\taskmgr.exe" /4
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID: 5076
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Local\0e717741ca6a4fff1d8f6ab24cf77af8\Admin@FGVGNMBE_en-US\Browsers\Firefox\Bookmarks.txt
Filesize 105B
MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7
-
C:\Users\Admin\AppData\Local\0e717741ca6a4fff1d8f6ab24cf77af8\Admin@FGVGNMBE_en-US\Directories\OneDrive.txt
Filesize 25B
MD5 966247eb3ee749e21597d73c4176bd52
SHA1 1e9e63c2872cef8f015d4b888eb9f81b00a35c79
SHA256 8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e
SHA512 bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa
-
C:\Users\Admin\AppData\Local\0e717741ca6a4fff1d8f6ab24cf77af8\Admin@FGVGNMBE_en-US\Directories\Startup.txt
Filesize 24B
MD5 68c93da4981d591704cea7b71cebfb97
SHA1 fd0f8d97463cd33892cc828b4ad04e03fc014fa6
SHA256 889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483
SHA512 63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402
-
C:\Users\Admin\AppData\Local\0e717741ca6a4fff1d8f6ab24cf77af8\Admin@FGVGNMBE_en-US\Directories\Videos.txt
Filesize 23B
MD5 1fddbf1169b6c75898b86e7e24bc7c1f
SHA1 d2091060cb5191ff70eb99c0088c182e80c20f8c
SHA256 a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
SHA512 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d
-
C:\Users\Admin\AppData\Local\0e717741ca6a4fff1d8f6ab24cf77af8\Admin@FGVGNMBE_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\Silly Boost\tokens.txt
Filesize 3KB
MD5 a848dcb207336284a7879589f3f4a0d1
SHA1 1f7cd8b2f2476038f54ab53e77a959b665f20fd0
SHA256 bca00833e24ba2891b11f6d3da58768ab2b924efb662c1c79973d840e3790542
SHA512 2dd3c4edaf591667dda25e31fca7185cfcec79ad93fd70b19a34498607e141cd7d93d72d087ec356d9125d2e38f56d23dda78cda21af983b2d1eff6eaf2d72a8
-
C:\Users\Admin\AppData\Local\0e717741ca6a4fff1d8f6ab24cf77af8\Admin@FGVGNMBE_en-US\System\Process.txt
Filesize 4KB
MD5 30446715fef7b73ea9bedb2eda4acdb4
SHA1 1ad6e5d32a2bb2f62292f167fb4f3cea1f15843a
SHA256 1c73e3eae46247502e19957daa7253c647f24d4fb709643540e0e119ae6c762c
SHA512 46ca6da44b140a1a502e4689208d88a7a5da7ad15afb3a1391225265628c05f018eaaaa9537135214145c86811d34545d1aaf0aef61c91584899fb52e495ded5
-
C:\Users\Admin\AppData\Local\0e717741ca6a4fff1d8f6ab24cf77af8\Admin@FGVGNMBE_en-US\System\ProductKey.txt
Filesize 29B
MD5 71eb5479298c7afc6d126fa04d2a9bde
SHA1 a9b3d5505cf9f84bb6c2be2acece53cb40075113
SHA256 f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3
SHA512 7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd