Malware Analysis Report

2024-10-23 19:20

Sample ID 230630-bfzykagf2z
Target https://anonfiles.com/zcs165y1zc/Silly_Boost_rar
Tags stealerium collection spyware stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

Threat Level: Known bad

The file https://anonfiles.com/zcs165y1zc/Silly_Boost_rar was found to be: Known bad.

Malicious Activity Summary

stealerium collection spyware stealer

Stealerium

Reads user/profile data of web browsers

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

outlook_office_path

Modifies registry class

Modifies Internet Explorer Phishing Filter

Uses Task Scheduler COM API

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Uses Volume Shadow Copy service COM API

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

outlook_win_path

Uses Volume Shadow Copy WMI provider

Checks SCSI registry key(s)

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-06-30 01:05

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-06-30 01:05
Reported 2023-06-30 01:08
Platform win10v2004-20230621-en
Max time kernel 150s
Max time network 142s

Command Line

"C:\Program Files\Internet Explorer\iexplore.exe" https://anonfiles.com/zcs165y1zc/Silly_Boost_rar

Signatures

Stealerium

stealer stealerium

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A
N/A N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A

Modifies Internet Explorer Phishing Filter

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Internet Explorer\PhishingFilter C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 24ad397b44a4d901 C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{8C0CCCCA-190D-43C0-B063-800CF95A6C6F}" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "477704764" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{47394882-16E2-11EE-9FB7-CE83860A346F} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Internet Explorer\DOMStorage\anonfiles.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "467094860" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbcc4d706d9277469144fa0d79f40dea000000000200000000001066000000010000200000003a07990287b9bedf6d2fe6d36cbae8615bd874013cde459019458242b495a968000000000e80000000020000200000000275f78bdf5586f6f06231918b269a14827ed2dffe70b682ff3ab8f5cfcacce4200000006235ba0d35ae52f1623a65569b9d6ceb747463aa5f522ca6f87f621b873b152f40000000d86ed52bb8aa3e5940b61ab30beb1225fe9c842f00f0648fcb0c261c9d40aa8136ed07f2ef0d18c31c0bbab7b3edb06a56877df7a33f04a38ec6bff67de24b29 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\anonfiles.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60bf101eefaad901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Internet Explorer\RepId C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31042287" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40171f1eefaad901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31042287" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\anonfiles.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "467094860" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31042287" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbcc4d706d9277469144fa0d79f40dea00000000020000000000106600000001000020000000460d38667641dd5940c6432422450c4d16120cc8cc84aa00201db3804663980a000000000e8000000002000020000000192339719fc7b96ae19e9a5dd78128f576bb27e322fa2a7e6bf407b3f276443d200000004c527bceec0c33a4eb1dc37f697bd1686ccafef42f7c979eff729fdde884b1a240000000303a6985e1320e116d5f0ddd365ac229cc9a613230c2219d129f5033be47c3c78f1e0895aac9611f116210afd18800f5d52e03cb4c9b290d04636ce5061c74e8 C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "2" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 8c00310000000000d556903c110050524f4752417e310000740009000400efbe874fdb49d556903c2e0000003f0000000000010000000000000000004a00000000005d273d00500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Applications C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\.rar\ = "rar_auto_file" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\rar_auto_file\shell\open C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\rar_auto_file\shell C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\rar_auto_file C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5000310000000000d55653361000372d5a6970003c0009000400efbed5565336d55653362e00000085e7010000000800000000000000000000000000000093d98d0037002d005a0069007000000014000000 C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Applications\7z.exe\shell\open\command C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\rar_auto_file\shell\open\command C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4025927695-1301755775-2607443251-1000\{D9B97E50-676A-4264-ABE5-DBF6B7420ECE} C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Applications\7z.exe\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7z.exe\" \"%1\"" C:\Windows\system32\OpenWith.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Windows\system32\OpenWith.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\rar_auto_file\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7z.exe\" \"%1\"" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Windows\system32\OpenWith.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000_Classes\.rar C:\Windows\system32\OpenWith.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A
N/A N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A
N/A N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A
N/A N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A
N/A N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A
N/A N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A
N/A N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A
N/A N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A
N/A N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A
N/A N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A
N/A N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A
N/A N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A
N/A N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A
N/A N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A
N/A N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A
N/A N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A
N/A N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A
N/A N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A
N/A N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A
N/A N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A
N/A N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A
N/A N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A
N/A N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A
N/A N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A
N/A N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A
N/A N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A
N/A N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A
N/A N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7z.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7z.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4488 wrote to memory of 2472 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4488 wrote to memory of 2472 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4488 wrote to memory of 2472 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1168 wrote to memory of 5064 N/A C:\Windows\system32\OpenWith.exe C:\Program Files\7-Zip\7z.exe
PID 1168 wrote to memory of 5064 N/A C:\Windows\system32\OpenWith.exe C:\Program Files\7-Zip\7z.exe
PID 1408 wrote to memory of 3636 N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe C:\Windows\SysWOW64\cmd.exe
PID 1408 wrote to memory of 3636 N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe C:\Windows\SysWOW64\cmd.exe
PID 1408 wrote to memory of 3636 N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe C:\Windows\SysWOW64\cmd.exe
PID 3636 wrote to memory of 4688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3636 wrote to memory of 4688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3636 wrote to memory of 4688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3636 wrote to memory of 1860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3636 wrote to memory of 1860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3636 wrote to memory of 1860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3636 wrote to memory of 2360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3636 wrote to memory of 2360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3636 wrote to memory of 2360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1408 wrote to memory of 4408 N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe C:\Windows\SysWOW64\cmd.exe
PID 1408 wrote to memory of 4408 N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe C:\Windows\SysWOW64\cmd.exe
PID 1408 wrote to memory of 4408 N/A C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe C:\Windows\SysWOW64\cmd.exe
PID 4408 wrote to memory of 1444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4408 wrote to memory of 1444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4408 wrote to memory of 1444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4408 wrote to memory of 716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4408 wrote to memory of 716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4408 wrote to memory of 716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4025927695-1301755775-2607443251-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe N/A

Processes

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://anonfiles.com/zcs165y1zc/Silly_Boost_rar

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4488 CREDAT:17410 /prefetch:2

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\7-Zip\7z.exe

"C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Downloads\Silly Boost.rar"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap29819:84:7zEvent16555

C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe

"C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe

"C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

Network

Country Destination Domain Proto
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 anonfiles.com udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
SE 45.154.253.150:443 anonfiles.com tcp
SE 45.154.253.150:443 anonfiles.com tcp
US 8.8.8.8:53 150.253.154.45.in-addr.arpa udp
US 8.8.8.8:53 142.33.222.23.in-addr.arpa udp
SE 45.154.253.150:443 anonfiles.com tcp
SE 45.154.253.150:443 anonfiles.com tcp
SE 45.154.253.150:443 anonfiles.com tcp
SE 45.154.253.150:443 anonfiles.com tcp
US 8.8.8.8:53 djv99sxoqpv11.cloudfront.net udp
US 151.101.2.217:443 vjs.zencdn.net tcp
US 151.101.2.217:443 vjs.zencdn.net tcp
NL 13.227.211.132:443 djv99sxoqpv11.cloudfront.net tcp
NL 13.227.211.132:443 djv99sxoqpv11.cloudfront.net tcp
US 8.8.8.8:53 19.101.122.92.in-addr.arpa udp
US 8.8.8.8:53 132.211.227.13.in-addr.arpa udp
US 8.8.8.8:53 217.2.101.151.in-addr.arpa udp
US 8.8.8.8:53 226.20.18.104.in-addr.arpa udp
US 8.8.8.8:53 221.61.156.108.in-addr.arpa udp
US 8.8.8.8:53 11.102.239.18.in-addr.arpa udp
US 8.8.8.8:53 41.102.239.18.in-addr.arpa udp
US 8.8.8.8:53 assets.msn.com udp
NL 2.19.195.233:443 assets.msn.com tcp
US 8.8.8.8:53 233.195.19.2.in-addr.arpa udp
US 8.8.8.8:53 233.112.50.184.in-addr.arpa udp
US 8.8.8.8:53 cdn-141.anonfiles.com udp
SE 195.96.151.34:443 cdn-141.anonfiles.com tcp
SE 195.96.151.34:443 cdn-141.anonfiles.com tcp
US 8.8.8.8:53 34.151.96.195.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 200.81.21.72.in-addr.arpa udp
GB 51.104.15.253:443 tcp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 discord.com udp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 assets.msn.com udp
NL 2.19.195.216:443 assets.msn.com tcp
US 8.8.8.8:53 232.136.159.162.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 216.195.19.2.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.18.115.97:80 icanhazip.com tcp
US 8.8.8.8:53 evcs-ocsp.ws.symantec.com udp
US 8.8.8.8:53 74.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 149.50.195.152.in-addr.arpa udp
US 152.195.50.149:80 evcs-ocsp.ws.symantec.com tcp
US 104.18.115.97:80 icanhazip.com tcp
US 8.8.8.8:53 apiv2.gofile.io udp
FR 51.178.66.33:443 apiv2.gofile.io tcp
US 8.8.8.8:53 33.66.178.51.in-addr.arpa udp
US 8.8.8.8:53 store4.gofile.io udp
FR 31.14.70.245:443 store4.gofile.io tcp
US 8.8.8.8:53 245.70.14.31.in-addr.arpa udp
US 104.18.115.97:80 icanhazip.com tcp
US 162.159.136.232:443 discord.com tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\U74AOVB4\favicon-32x32-anonfiles[1].png

MD5 ee0e6dd4ef643128a1b7bd4ab32b8a79
SHA1 8136c70aac1e50f8356c83f91fb77ea4b6596cbc
SHA256 51f305558b4ed6fcf3a31b4f9e404fc2ea426cb5e785ac46ce827de0c5cabb4c
SHA512 f57a1882e4d57f6cdb67fc5b8ed61d0dba28f000af87644bfd402275958163b66f7748b83e4d78dff72bb8edd9077c3fe67f5e831a6b79bce72ca4bd1d086b34

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\5qy8zhw\imagestore.dat

MD5 8e024fbe3e899c1cb6faed1ecce72048
SHA1 b4d45e6d7c0b5f66368807b8570ee1011b98d457
SHA256 bf7d9c132769a7d432494484f75e26f9dc66db79b0815eebbbf4dded8c5d24ef
SHA512 ab74c9591019d608175fd18ee5f51985f1949ae7b4be4302ae7f275b56c21f7a071f4a16d25b43a60ed90e13077cc6fdd2075e8330b7e97ac188174492ecbdd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\U74AOVB4\Silly Boost[1].rar

MD5 43dfeeaabbd337e88aa8db402e695017
SHA1 c7f70d5da0a576964f4ffed550ebbb04e77eaff4
SHA256 0f426d80c8be8e7df72af481f982e34e1fe86681a39afdd68572e7bca91dbac1
SHA512 0fccbbc682341bde0108a3b9a18453a9b9fad553cb5ef101063956090634bd5ada2d45205c124b48aac074a6096d5d0bf510faaf7f2b73ffbfb0d6725924ce64

C:\Users\Admin\Downloads\Silly Boost.rar.93q7u3k.partial

MD5 43dfeeaabbd337e88aa8db402e695017
SHA1 c7f70d5da0a576964f4ffed550ebbb04e77eaff4
SHA256 0f426d80c8be8e7df72af481f982e34e1fe86681a39afdd68572e7bca91dbac1
SHA512 0fccbbc682341bde0108a3b9a18453a9b9fad553cb5ef101063956090634bd5ada2d45205c124b48aac074a6096d5d0bf510faaf7f2b73ffbfb0d6725924ce64

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

MD5 ca91957dba9acf19445a2f7c977ffc60
SHA1 196aed0b910df1718341c0441a468cabcd0ed2c9
SHA256 f62e73804a1dba00c375f0e135c32e9fa07576b86d2c053e1944be2ec427e9e3
SHA512 a29c82d0bab21b9ab82aced416f735503383345049f90ef02ca4198c21060f2da31dc3e163305e7c3e050d55b2d7f9645f0ad7a63fa76531e3b389e2293b83ed

C:\Users\Admin\AppData\Local\Temp\~DF8BE4D3ED6C75FCB1.TMP

MD5 b533db809402e6ce5f30b8e29adb9940
SHA1 f91ca55ed8ef8a73ba9153f1a119a4e57ff53dea
SHA256 994e234fe5f2c9ce65870913f9c1c9b5e355082f8face5c89fd6e4878c9d7c30
SHA512 2ea4b55700d2cfe6cfb084450ab02cedc1dccd08ff5cd702f6c5e67d34d33dde0792787a6e1ee4dfe9a3b4ed71b486931d35d63fe435a00137ae06dd0fee7c86

C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe

MD5 6168cae808b3f34d187c03d9a4c975cc
SHA1 cc119a9d255a2a2be791314420345e778c8655ac
SHA256 80b39b93254011afc3b601c26e848114850ea31d722a45c03daff7b4f3f606da
SHA512 d6df9688e8509318fb91c0462056f4bac0dcbdfee8e9feec6aa367e8804d76fc56c0bdfdbfbe1386a2886cbdd6c2aa7566cdef20e3efffe8c0459cdcb9486454

C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe

MD5 6168cae808b3f34d187c03d9a4c975cc
SHA1 cc119a9d255a2a2be791314420345e778c8655ac
SHA256 80b39b93254011afc3b601c26e848114850ea31d722a45c03daff7b4f3f606da
SHA512 d6df9688e8509318fb91c0462056f4bac0dcbdfee8e9feec6aa367e8804d76fc56c0bdfdbfbe1386a2886cbdd6c2aa7566cdef20e3efffe8c0459cdcb9486454

memory/1408-241-0x0000000000870000-0x0000000000A04000-memory.dmp

memory/1408-242-0x0000000005250000-0x00000000052B6000-memory.dmp

memory/1408-243-0x00000000051D0000-0x00000000051E0000-memory.dmp

memory/1408-247-0x00000000051D0000-0x00000000051E0000-memory.dmp

C:\Users\Admin\Downloads\Silly Boost\tokens.txt

MD5 a848dcb207336284a7879589f3f4a0d1
SHA1 1f7cd8b2f2476038f54ab53e77a959b665f20fd0
SHA256 bca00833e24ba2891b11f6d3da58768ab2b924efb662c1c79973d840e3790542
SHA512 2dd3c4edaf591667dda25e31fca7185cfcec79ad93fd70b19a34498607e141cd7d93d72d087ec356d9125d2e38f56d23dda78cda21af983b2d1eff6eaf2d72a8

C:\Users\Admin\AppData\Local\0e717741ca6a4fff1d8f6ab24cf77af8\Admin@FGVGNMBE_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\0e717741ca6a4fff1d8f6ab24cf77af8\Admin@FGVGNMBE_en-US\System\Debug.txt

MD5 f25e650d41f7fe53a9fff6f21315300f
SHA1 828db3e0247918b1c753a00c49d1cec695095e1a
SHA256 b1df56112360ca386b9ea1149d3712de20aba277fa2e5a097ad505c7261f50ec
SHA512 fdced45f03220f8e3d902c27854600edf92bf9c03273dc2cd4b8d8cbda6bedb4de3dcea7c6b06844c08579a398ee7dac3c1be4fe4707b478fb8f2e2bc93826bc

memory/1408-305-0x00000000074A0000-0x0000000007532000-memory.dmp

memory/1408-308-0x0000000007AF0000-0x0000000008094000-memory.dmp

C:\Users\Admin\Downloads\Silly Boost\Silly Boost.exe

MD5 6168cae808b3f34d187c03d9a4c975cc
SHA1 cc119a9d255a2a2be791314420345e778c8655ac
SHA256 80b39b93254011afc3b601c26e848114850ea31d722a45c03daff7b4f3f606da
SHA512 d6df9688e8509318fb91c0462056f4bac0dcbdfee8e9feec6aa367e8804d76fc56c0bdfdbfbe1386a2886cbdd6c2aa7566cdef20e3efffe8c0459cdcb9486454

memory/3788-348-0x0000000002870000-0x0000000002880000-memory.dmp

C:\Users\Admin\AppData\Local\0e717741ca6a4fff1d8f6ab24cf77af8\Admin@FGVGNMBE_en-US\System\Apps.txt

MD5 d32c9e7cfe54f13b21f01375c28de50e
SHA1 679e6b1b6667c7b064ca6ed4048ba6bbdf2316f9
SHA256 5c88c2a113cc3e0b7e1f96f35121b2e5d3cd67f7317d57a23fbd7b0d649b2f6a
SHA512 119e2a4114bec6b397aece914a31e3d0fa4fc625804958dad763328dc1f9a27ecb7635047c8a1648bcc10a2367df1d160b23e67240a02e265f7e8e84d0e13ddb

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

MD5 e1b08586b0b02f40fb0fa772535bb5ba
SHA1 45f7cd31a7a0ac477813f3880e0171400c4ecc54
SHA256 522300e43298a67570a5564bda21135ddb91bda2b45686424997bb9b99ccd37e
SHA512 cb132ba980d46b8a7640df7da7303d914dc11ddc535bcbefdcfbbf16aeb7ffbc60d576d3aae2eef28c8a2201b7d4d4248a8336b80636942074fd7f0170a362e8

memory/5076-404-0x000002C88A320000-0x000002C88A321000-memory.dmp

memory/5076-407-0x000002C88A320000-0x000002C88A321000-memory.dmp

memory/5076-405-0x000002C88A320000-0x000002C88A321000-memory.dmp

memory/5076-412-0x000002C88A320000-0x000002C88A321000-memory.dmp

memory/5076-413-0x000002C88A320000-0x000002C88A321000-memory.dmp

memory/5076-414-0x000002C88A320000-0x000002C88A321000-memory.dmp

memory/5076-417-0x000002C88A320000-0x000002C88A321000-memory.dmp

memory/5076-419-0x000002C88A320000-0x000002C88A321000-memory.dmp

memory/5076-420-0x000002C88A320000-0x000002C88A321000-memory.dmp

memory/5076-416-0x000002C88A320000-0x000002C88A321000-memory.dmp

C:\Users\Admin\AppData\Local\0e717741ca6a4fff1d8f6ab24cf77af8\Admin@FGVGNMBE_en-US\System\Process.txt

MD5 30446715fef7b73ea9bedb2eda4acdb4
SHA1 1ad6e5d32a2bb2f62292f167fb4f3cea1f15843a
SHA256 1c73e3eae46247502e19957daa7253c647f24d4fb709643540e0e119ae6c762c
SHA512 46ca6da44b140a1a502e4689208d88a7a5da7ad15afb3a1391225265628c05f018eaaaa9537135214145c86811d34545d1aaf0aef61c91584899fb52e495ded5

memory/1408-436-0x00000000051D0000-0x00000000051E0000-memory.dmp

C:\Users\Admin\AppData\Local\0e717741ca6a4fff1d8f6ab24cf77af8\Admin@FGVGNMBE_en-US\Directories\OneDrive.txt

MD5 966247eb3ee749e21597d73c4176bd52
SHA1 1e9e63c2872cef8f015d4b888eb9f81b00a35c79
SHA256 8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e
SHA512 bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

C:\Users\Admin\AppData\Local\0e717741ca6a4fff1d8f6ab24cf77af8\Admin@FGVGNMBE_en-US\System\ProductKey.txt

MD5 71eb5479298c7afc6d126fa04d2a9bde
SHA1 a9b3d5505cf9f84bb6c2be2acece53cb40075113
SHA256 f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3
SHA512 7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

C:\Users\Admin\AppData\Local\0e717741ca6a4fff1d8f6ab24cf77af8\Admin@FGVGNMBE_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\Silly Boost\tokens.txt

MD5 a848dcb207336284a7879589f3f4a0d1
SHA1 1f7cd8b2f2476038f54ab53e77a959b665f20fd0
SHA256 bca00833e24ba2891b11f6d3da58768ab2b924efb662c1c79973d840e3790542
SHA512 2dd3c4edaf591667dda25e31fca7185cfcec79ad93fd70b19a34498607e141cd7d93d72d087ec356d9125d2e38f56d23dda78cda21af983b2d1eff6eaf2d72a8

C:\Users\Admin\AppData\Local\0e717741ca6a4fff1d8f6ab24cf77af8\Admin@FGVGNMBE_en-US\Directories\Videos.txt

MD5 1fddbf1169b6c75898b86e7e24bc7c1f
SHA1 d2091060cb5191ff70eb99c0088c182e80c20f8c
SHA256 a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733
SHA512 20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

C:\Users\Admin\AppData\Local\0e717741ca6a4fff1d8f6ab24cf77af8\Admin@FGVGNMBE_en-US\Directories\Startup.txt

MD5 68c93da4981d591704cea7b71cebfb97
SHA1 fd0f8d97463cd33892cc828b4ad04e03fc014fa6
SHA256 889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483
SHA512 63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

memory/1408-516-0x0000000006E00000-0x0000000006E22000-memory.dmp

C:\Users\Admin\AppData\Local\0e717741ca6a4fff1d8f6ab24cf77af8\msgid.dat

MD5 766c1c3c519de0b8513ba2666cc12f4e
SHA1 21b93bf41e404dab11e9f0acc6fc242652a1d5c8
SHA256 cb7a424e8ef7174bed586d93a8eaecf47d8fd8595240f1d76977b1fbd511a594
SHA512 4b65423559cb8e901f0fb235078bdb66817fd0d9e2e4dd2ddb3b6b8f8613abdd844cd342dc4019e538f84e79f09fbd1e5fde912857bfc9f6cfb7fcec749b2b53

memory/1408-528-0x0000000006F80000-0x0000000006F8A000-memory.dmp

memory/1408-529-0x00000000051D0000-0x00000000051E0000-memory.dmp