fabookie | 3bd0eb640c37fb31423b560aeb5bf4f9f6117cb60c2a9e4509b7a0db80e0a092

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
27-06-2024 20:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1770a7731a4ea1030149e7f05cff1705_JaffaCakes118.exe
Size

7.6MB
MD5

1770a7731a4ea1030149e7f05cff1705
SHA1

02868a443c1864bb0afbe0832545736bd538028f
SHA256

3bd0eb640c37fb31423b560aeb5bf4f9f6117cb60c2a9e4509b7a0db80e0a092
SHA512

eec736c11084a6a066c2767ebbd1d4f06b6cfb4524450ca19bd8f9c743725545c7559f45e03aa5287732be9d35dbd72e80dfbd4bcdb810abd70bfc5b2ac00fe7
SSDEEP

196608:K90XryNC3HMcOrcX4MPIJe9A1eGL+pieBJPE11ExWR:1iUDX4MQwA1PCpiey11Z

Score

10^/10

fabookie ffdroider bootkit evasion persistence spyware stealer trojan upx

Malware Config

Extracted

Family

ffdroider

http://101.36.107.74

Signatures

Detect Fabookie payload 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000233fa-1527.dat	family_fabookie

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider
Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie

Nirsoft 5 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023423-186.dat	Nirsoft
behavioral2/memory/1396-1533-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/1396-1535-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral2/memory/1532-1542-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft
behavioral2/memory/1532-1548-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	1770a7731a4ea1030149e7f05cff1705_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	setup.exe

Executes dropped EXE 17 IoCs

pid	Process
1544	002.exe
1536	Setup.exe
436	setup.exe
1728	aliens.exe
1104	jg2_2qua.exe
4852	85F91A36E275562F.exe
4156	85F91A36E275562F.exe
3048	1719520709265.exe
2208	1719520710593.exe
424	1719520711687.exe
5096	file1.exe
1156	BTRSetp.exe
4224	askinstall21.exe
1604	ThunderFW.exe
4268	hjjgaa.exe
1396	jfiag3g_gg.exe
1532	jfiag3g_gg.exe

Loads dropped DLL 4 IoCs

pid	Process
1536	Setup.exe
1536	Setup.exe
1536	Setup.exe
4252	MsiExec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1396-1533-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/1396-1535-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/1532-1542-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral2/memory/1532-1548-0x0000000000400000-0x0000000000422000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	hjjgaa.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	aliens.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	85F91A36E275562F.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	85F91A36E275562F.exe

Drops Chrome extension 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnfhfpkmpnmlmlgfeabpegnfpdnmokco\5.18.6_0\manifest.json	askinstall21.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\plhpgmgeaipheoodfbldhddibhbojelo\1.0.0.0_0\manifest.json	85F91A36E275562F.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	aliens.exe
File opened for modification	\??\PhysicalDrive0	85F91A36E275562F.exe
File opened for modification	\??\PhysicalDrive0	85F91A36E275562F.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1728	aliens.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4852 set thread context of 4760	4852	85F91A36E275562F.exe	99
PID 4852 set thread context of 3020	4852	85F91A36E275562F.exe	108
PID 4852 set thread context of 2992	4852	85F91A36E275562F.exe	110

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\ujvqkl7ofji6	setup.exe
File created	C:\Program Files (x86)\ujvqkl7ofji6\__tmp_rar_sfx_access_check_240614609	setup.exe
File created	C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	setup.exe
File opened for modification	C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1964	1104	WerFault.exe	85
2872	5096	WerFault.exe	117
452	5096	WerFault.exe	117
4304	1156	WerFault.exe	122

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	85F91A36E275562F.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	85F91A36E275562F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	85F91A36E275562F.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	85F91A36E275562F.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	85F91A36E275562F.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	85F91A36E275562F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	85F91A36E275562F.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	85F91A36E275562F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	85F91A36E275562F.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	85F91A36E275562F.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	85F91A36E275562F.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	85F91A36E275562F.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2996	taskkill.exe
3464	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	aliens.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	aliens.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
3624	PING.EXE
4316	PING.EXE
3456	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3048	1719520709265.exe
3048	1719520709265.exe
2208	1719520710593.exe
2208	1719520710593.exe
424	1719520711687.exe
424	1719520711687.exe
4212	chrome.exe
4212	chrome.exe
1532	jfiag3g_gg.exe
1532	jfiag3g_gg.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe
4212	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	724	msiexec.exe
Token: SeIncreaseQuotaPrivilege	724	msiexec.exe
Token: SeSecurityPrivilege	5068	msiexec.exe
Token: SeCreateTokenPrivilege	724	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	724	msiexec.exe
Token: SeLockMemoryPrivilege	724	msiexec.exe
Token: SeIncreaseQuotaPrivilege	724	msiexec.exe
Token: SeMachineAccountPrivilege	724	msiexec.exe
Token: SeTcbPrivilege	724	msiexec.exe
Token: SeSecurityPrivilege	724	msiexec.exe
Token: SeTakeOwnershipPrivilege	724	msiexec.exe
Token: SeLoadDriverPrivilege	724	msiexec.exe
Token: SeSystemProfilePrivilege	724	msiexec.exe
Token: SeSystemtimePrivilege	724	msiexec.exe
Token: SeProfSingleProcessPrivilege	724	msiexec.exe
Token: SeIncBasePriorityPrivilege	724	msiexec.exe
Token: SeCreatePagefilePrivilege	724	msiexec.exe
Token: SeCreatePermanentPrivilege	724	msiexec.exe
Token: SeBackupPrivilege	724	msiexec.exe
Token: SeRestorePrivilege	724	msiexec.exe
Token: SeShutdownPrivilege	724	msiexec.exe
Token: SeDebugPrivilege	724	msiexec.exe
Token: SeAuditPrivilege	724	msiexec.exe
Token: SeSystemEnvironmentPrivilege	724	msiexec.exe
Token: SeChangeNotifyPrivilege	724	msiexec.exe
Token: SeRemoteShutdownPrivilege	724	msiexec.exe
Token: SeUndockPrivilege	724	msiexec.exe
Token: SeSyncAgentPrivilege	724	msiexec.exe
Token: SeEnableDelegationPrivilege	724	msiexec.exe
Token: SeManageVolumePrivilege	724	msiexec.exe
Token: SeImpersonatePrivilege	724	msiexec.exe
Token: SeCreateGlobalPrivilege	724	msiexec.exe
Token: SeCreateTokenPrivilege	724	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	724	msiexec.exe
Token: SeLockMemoryPrivilege	724	msiexec.exe
Token: SeIncreaseQuotaPrivilege	724	msiexec.exe
Token: SeMachineAccountPrivilege	724	msiexec.exe
Token: SeTcbPrivilege	724	msiexec.exe
Token: SeSecurityPrivilege	724	msiexec.exe
Token: SeTakeOwnershipPrivilege	724	msiexec.exe
Token: SeLoadDriverPrivilege	724	msiexec.exe
Token: SeSystemProfilePrivilege	724	msiexec.exe
Token: SeSystemtimePrivilege	724	msiexec.exe
Token: SeProfSingleProcessPrivilege	724	msiexec.exe
Token: SeIncBasePriorityPrivilege	724	msiexec.exe
Token: SeCreatePagefilePrivilege	724	msiexec.exe
Token: SeCreatePermanentPrivilege	724	msiexec.exe
Token: SeBackupPrivilege	724	msiexec.exe
Token: SeRestorePrivilege	724	msiexec.exe
Token: SeShutdownPrivilege	724	msiexec.exe
Token: SeDebugPrivilege	724	msiexec.exe
Token: SeAuditPrivilege	724	msiexec.exe
Token: SeSystemEnvironmentPrivilege	724	msiexec.exe
Token: SeChangeNotifyPrivilege	724	msiexec.exe
Token: SeRemoteShutdownPrivilege	724	msiexec.exe
Token: SeUndockPrivilege	724	msiexec.exe
Token: SeSyncAgentPrivilege	724	msiexec.exe
Token: SeEnableDelegationPrivilege	724	msiexec.exe
Token: SeManageVolumePrivilege	724	msiexec.exe
Token: SeImpersonatePrivilege	724	msiexec.exe
Token: SeCreateGlobalPrivilege	724	msiexec.exe
Token: SeCreateTokenPrivilege	724	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	724	msiexec.exe
Token: SeLockMemoryPrivilege	724	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
724	msiexec.exe
4212	chrome.exe
4212	chrome.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1544	002.exe
1544	002.exe
1536	Setup.exe
436	setup.exe
1728	aliens.exe
4852	85F91A36E275562F.exe
4156	85F91A36E275562F.exe
3048	1719520709265.exe
2208	1719520710593.exe
424	1719520711687.exe
1604	ThunderFW.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 672 wrote to memory of 1544	672	1770a7731a4ea1030149e7f05cff1705_JaffaCakes118.exe	80
PID 672 wrote to memory of 1544	672	1770a7731a4ea1030149e7f05cff1705_JaffaCakes118.exe	80
PID 672 wrote to memory of 1544	672	1770a7731a4ea1030149e7f05cff1705_JaffaCakes118.exe	80
PID 672 wrote to memory of 1536	672	1770a7731a4ea1030149e7f05cff1705_JaffaCakes118.exe	82
PID 672 wrote to memory of 1536	672	1770a7731a4ea1030149e7f05cff1705_JaffaCakes118.exe	82
PID 672 wrote to memory of 1536	672	1770a7731a4ea1030149e7f05cff1705_JaffaCakes118.exe	82
PID 1536 wrote to memory of 436	1536	Setup.exe	83
PID 1536 wrote to memory of 436	1536	Setup.exe	83
PID 1536 wrote to memory of 436	1536	Setup.exe	83
PID 436 wrote to memory of 1728	436	setup.exe	84
PID 436 wrote to memory of 1728	436	setup.exe	84
PID 436 wrote to memory of 1728	436	setup.exe	84
PID 672 wrote to memory of 1104	672	1770a7731a4ea1030149e7f05cff1705_JaffaCakes118.exe	85
PID 672 wrote to memory of 1104	672	1770a7731a4ea1030149e7f05cff1705_JaffaCakes118.exe	85
PID 672 wrote to memory of 1104	672	1770a7731a4ea1030149e7f05cff1705_JaffaCakes118.exe	85
PID 1728 wrote to memory of 724	1728	aliens.exe	86
PID 1728 wrote to memory of 724	1728	aliens.exe	86
PID 1728 wrote to memory of 724	1728	aliens.exe	86
PID 5068 wrote to memory of 4252	5068	msiexec.exe	88
PID 5068 wrote to memory of 4252	5068	msiexec.exe	88
PID 5068 wrote to memory of 4252	5068	msiexec.exe	88
PID 1728 wrote to memory of 4852	1728	aliens.exe	91
PID 1728 wrote to memory of 4852	1728	aliens.exe	91
PID 1728 wrote to memory of 4852	1728	aliens.exe	91
PID 1728 wrote to memory of 4156	1728	aliens.exe	95
PID 1728 wrote to memory of 4156	1728	aliens.exe	95
PID 1728 wrote to memory of 4156	1728	aliens.exe	95
PID 1728 wrote to memory of 2164	1728	aliens.exe	96
PID 1728 wrote to memory of 2164	1728	aliens.exe	96
PID 1728 wrote to memory of 2164	1728	aliens.exe	96
PID 2164 wrote to memory of 3624	2164	cmd.exe	98
PID 2164 wrote to memory of 3624	2164	cmd.exe	98
PID 2164 wrote to memory of 3624	2164	cmd.exe	98
PID 4852 wrote to memory of 4760	4852	85F91A36E275562F.exe	99
PID 4852 wrote to memory of 4760	4852	85F91A36E275562F.exe	99
PID 4852 wrote to memory of 4760	4852	85F91A36E275562F.exe	99
PID 4852 wrote to memory of 4760	4852	85F91A36E275562F.exe	99
PID 4852 wrote to memory of 4760	4852	85F91A36E275562F.exe	99
PID 4852 wrote to memory of 4760	4852	85F91A36E275562F.exe	99
PID 4156 wrote to memory of 2692	4156	85F91A36E275562F.exe	100
PID 4156 wrote to memory of 2692	4156	85F91A36E275562F.exe	100
PID 4156 wrote to memory of 2692	4156	85F91A36E275562F.exe	100
PID 2692 wrote to memory of 2996	2692	cmd.exe	102
PID 2692 wrote to memory of 2996	2692	cmd.exe	102
PID 2692 wrote to memory of 2996	2692	cmd.exe	102
PID 4852 wrote to memory of 3048	4852	85F91A36E275562F.exe	104
PID 4852 wrote to memory of 3048	4852	85F91A36E275562F.exe	104
PID 4852 wrote to memory of 3048	4852	85F91A36E275562F.exe	104
PID 4156 wrote to memory of 1268	4156	85F91A36E275562F.exe	105
PID 4156 wrote to memory of 1268	4156	85F91A36E275562F.exe	105
PID 4156 wrote to memory of 1268	4156	85F91A36E275562F.exe	105
PID 1268 wrote to memory of 4316	1268	cmd.exe	107
PID 1268 wrote to memory of 4316	1268	cmd.exe	107
PID 1268 wrote to memory of 4316	1268	cmd.exe	107
PID 4852 wrote to memory of 3020	4852	85F91A36E275562F.exe	108
PID 4852 wrote to memory of 3020	4852	85F91A36E275562F.exe	108
PID 4852 wrote to memory of 3020	4852	85F91A36E275562F.exe	108
PID 4852 wrote to memory of 3020	4852	85F91A36E275562F.exe	108
PID 4852 wrote to memory of 3020	4852	85F91A36E275562F.exe	108
PID 4852 wrote to memory of 3020	4852	85F91A36E275562F.exe	108
PID 4852 wrote to memory of 2208	4852	85F91A36E275562F.exe	109
PID 4852 wrote to memory of 2208	4852	85F91A36E275562F.exe	109
PID 4852 wrote to memory of 2208	4852	85F91A36E275562F.exe	109
PID 4852 wrote to memory of 2992	4852	85F91A36E275562F.exe	110

C:\Users\Admin\AppData\Local\Temp\1770a7731a4ea1030149e7f05cff1705_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1770a7731a4ea1030149e7f05cff1705_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:672
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\002.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\002.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1544
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Users\Admin\AppData\Local\Temp\sib7AFE.tmp\0\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\sib7AFE.tmp\0\setup.exe" -s
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:436
  - - C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe
      "C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe"
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      Writes to the Master Boot Record (MBR)
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Modifies system certificate store
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1728
    - - C:\Windows\SysWOW64\msiexec.exe
        
        msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
        5⤵
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:724
    - - C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe
        
        C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe 0011 installp1
        5⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4852
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        6⤵
        
        PID:4760
      - C:\Users\Admin\AppData\Roaming\1719520709265.exe
        
        "C:\Users\Admin\AppData\Roaming\1719520709265.exe" /sjson "C:\Users\Admin\AppData\Roaming\1719520709265.txt"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3048
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        6⤵
        
        PID:3020
      - C:\Users\Admin\AppData\Roaming\1719520710593.exe
        
        "C:\Users\Admin\AppData\Roaming\1719520710593.exe" /sjson "C:\Users\Admin\AppData\Roaming\1719520710593.txt"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2208
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        6⤵
        
        PID:2992
      - C:\Users\Admin\AppData\Roaming\1719520711687.exe
        
        "C:\Users\Admin\AppData\Roaming\1719520711687.exe" /sjson "C:\Users\Admin\AppData\Roaming\1719520711687.txt"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:424
      - C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
        
        C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1604
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe"
        6⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        7⤵
        Runs ping.exe
        
        PID:3456
    - - C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe
        
        C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe 200 installp1
        5⤵
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops Chrome extension
        Writes to the Master Boot Record (MBR)
        Checks SCSI registry key(s)
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4156
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:2996
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        7⤵
        Runs ping.exe
        
        PID:4316
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2164
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        6⤵
        Runs ping.exe
        
        PID:3624
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg2_2qua.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg2_2qua.exe"
  2⤵
  - Executes dropped EXE
  PID:1104
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 1112
    3⤵
    - Program crash
    PID:1964
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\file1.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file1.exe"
  2⤵
  - Executes dropped EXE
  PID:5096
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 1476
    3⤵
    - Program crash
    PID:2872
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 1492
    3⤵
    - Program crash
    PID:452
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe"
  2⤵
  - Executes dropped EXE
  PID:1156
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 1600
    3⤵
    - Program crash
    PID:4304
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\askinstall21.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\askinstall21.exe"
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  PID:4224
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c taskkill /f /im chrome.exe
    3⤵
    PID:4760
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      Kills process with taskkill
      PID:3464
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\" /s /e /y
    3⤵
    - Enumerates system info in registry
    PID:4072
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:4212
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffc9b0aab58,0x7ffc9b0aab68,0x7ffc9b0aab78
      4⤵
      PID:1544
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 --field-trial-handle=1976,i,13449900455262644387,16652508917789802424,131072 /prefetch:2
      4⤵
      PID:5096
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99" --mojo-platform-channel-handle=2168 --field-trial-handle=1976,i,13449900455262644387,16652508917789802424,131072 /prefetch:8
      4⤵
      PID:5060
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --user-data-dir="C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99" --mojo-platform-channel-handle=2276 --field-trial-handle=1976,i,13449900455262644387,16652508917789802424,131072 /prefetch:8
      4⤵
      PID:1132
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99" --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2844 --field-trial-handle=1976,i,13449900455262644387,16652508917789802424,131072 /prefetch:1
      4⤵
      PID:1608
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2864 --field-trial-handle=1976,i,13449900455262644387,16652508917789802424,131072 /prefetch:1
      4⤵
      PID:3184
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3504 --field-trial-handle=1976,i,13449900455262644387,16652508917789802424,131072 /prefetch:1
      4⤵
      PID:3904
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3636 --field-trial-handle=1976,i,13449900455262644387,16652508917789802424,131072 /prefetch:1
      4⤵
      PID:4592
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5188 --field-trial-handle=1976,i,13449900455262644387,16652508917789802424,131072 /prefetch:1
      4⤵
      PID:4396
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3368 --field-trial-handle=1976,i,13449900455262644387,16652508917789802424,131072 /prefetch:1
      4⤵
      PID:4152
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4236 --field-trial-handle=1976,i,13449900455262644387,16652508917789802424,131072 /prefetch:1
      4⤵
      PID:3976
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99" --mojo-platform-channel-handle=5784 --field-trial-handle=1976,i,13449900455262644387,16652508917789802424,131072 /prefetch:8
      4⤵
      PID:3900
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99" --mojo-platform-channel-handle=3184 --field-trial-handle=1976,i,13449900455262644387,16652508917789802424,131072 /prefetch:8
      4⤵
      PID:3316
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2816 --field-trial-handle=1976,i,13449900455262644387,16652508917789802424,131072 /prefetch:1
      4⤵
      PID:4452
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\hjjgaa.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\hjjgaa.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4268
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    - Executes dropped EXE
    PID:1396
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1532

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A603BBCCEC3855B3B6C186EADE99BF07 C
  2⤵
  - Loads dropped DLL
  PID:4252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1104 -ip 1104
1⤵
PID:2208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5096 -ip 5096
1⤵
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5096 -ip 5096
1⤵
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1156 -ip 1156
1⤵
PID:3388

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Cookies1719520710578

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnfhfpkmpnmlmlgfeabpegnfpdnmokco\5.18.6_0\background.html

Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnfhfpkmpnmlmlgfeabpegnfpdnmokco\5.18.6_0\icon.png

Filesize
6KB

MD5
c8d8c174df68910527edabe6b5278f06

SHA1
8ac53b3605fea693b59027b9b471202d150f266f

SHA256
9434dd7008059a60d6d5ced8c8a63ab5cae407e7152da98ca4dda408510f08f5

SHA512
d439e5124399d1901934319535b7156c0ca8d76b5aa4ddf1dd0b598d43582f6d23c16f96be74d3cd5fe764396da55ca51811d08695f356f12f7a8a71bcc7e45c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnfhfpkmpnmlmlgfeabpegnfpdnmokco\5.18.6_0\js\aes.js

Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnfhfpkmpnmlmlgfeabpegnfpdnmokco\5.18.6_0\js\background.js

Filesize
16KB

MD5
ad375cda893e732adf0c88f08a5fe160

SHA1
ac58d259da9500c17c1b45692fccbe3d9937fdec

SHA256
4a610b9f4827b05ca7e836af0690cea0eee1b7954827d67fee81989a53b97609

SHA512
ef1513f6570354895689f657f319c619af501b7d977ea83bc73eaa10cc2bc0f474ec4e7ca540c429b4012ba8ebd80e3aafa020ff21ae2e12fa51bfd58babe144

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnfhfpkmpnmlmlgfeabpegnfpdnmokco\5.18.6_0\js\content.js

Filesize
11KB

MD5
38c5d8d1659b28763016edd40fc1d7de

SHA1
e45694b03f48ffdc7914720ef7c0616d3bde6b37

SHA256
f17509b07447b7184df5e9f424d86e358c866a39f20c2a2adf4c0cfeaccf6317

SHA512
b5011dc0632941ecb9fcdb03adbb228b85d58daa224eccd8fca4afcc372f479236bee1d7ff358fd510023ef7afbede09975dd67c975339a7d22d96b4b835ce53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnfhfpkmpnmlmlgfeabpegnfpdnmokco\5.18.6_0\js\jquery-3.3.1.min.js

Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnfhfpkmpnmlmlgfeabpegnfpdnmokco\5.18.6_0\js\mode-ecb.js

Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnfhfpkmpnmlmlgfeabpegnfpdnmokco\5.18.6_0\js\pad-nopadding.js

Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnfhfpkmpnmlmlgfeabpegnfpdnmokco\5.18.6_0\js\srchfeedyoungie.js

Filesize
18KB

MD5
66e4d45a86c1bce273924325d2384f05

SHA1
0db9748fbfb98b6ad3d879efd50c9b138aced36f

SHA256
f8a907a423bc06b8ccc90e38f514a0e7e8fe95b2c407005bb1fda0dff2f8ee7c

SHA512
923c21f62b8e571b8b7b31e3a9aeea42a4a78e29e2714c3c5d97cff9755e3a97191520d7ff85edc4ff1d4f5e0a1e7e4ee2ca309264582db06f9364a53949eb46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnfhfpkmpnmlmlgfeabpegnfpdnmokco\5.18.6_0\manifest.json

Filesize
1KB

MD5
2fbed92dc5b4a4785a0ce6ff66ffefd0

SHA1
a4897ce09783ac30414a9a2b5476252c31f504a3

SHA256
a27d3b6c3856c73f46f50ccbc5f2d6f5388ed6071e2437074534ae226ba91ef3

SHA512
1881325f57c1c850d6b917e9e2f1d2532fa86721128d19b73b36e6161e7fe29738da6c23821b20aed334052488705b3dfc13902deab21094e8f878bd31a1cf0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\plhpgmgeaipheoodfbldhddibhbojelo\1.0.0.0_0\jquery-1.8.3.min.js

Filesize
91KB

MD5
e1288116312e4728f98923c79b034b67

SHA1
8b6babff47b8a9793f37036fd1b1a3ad41d38423

SHA256
ba6eda7945ab8d7e57b34cc5a3dd292fa2e4c60a5ced79236ecf1a9e0f0c2d32

SHA512
bf28a9a446e50639a9592d7651f89511fc4e583e213f20a0dff3a44e1a7d73ceefdb6597db121c7742bde92410a27d83d92e2e86466858a19803e72a168e5656

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\plhpgmgeaipheoodfbldhddibhbojelo\1.0.0.0_0\manifest.json

Filesize
1KB

MD5
daeb07575f18e899586ec16b49bc64bb

SHA1
f2eb63bee6c46fdf4619d04118c70fac2a9f86c9

SHA256
6882a880abe63c38cab3abf2d787400c0c198a6bbaeff1176a4b0dd2917f3512

SHA512
de9b6ca3781e45b52f4786cf5800fd31756a2ae1d711388a9b5cf277a565d2295e63db9a5229a2dae5961a9bffd69e5dab57d1681b9f6e024a7a0959bc148890

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\plhpgmgeaipheoodfbldhddibhbojelo\1.0.0.0_0\popup.html

Filesize
280B

MD5
e93b02d6cffcca037f3ea55dc70ee969

SHA1
db09ed8eb9dbc82119fa1f76b3e36f2722ed2153

SHA256
b057584f5e81b48291e696c061f94b1e88ca52522490816d4bf900817ff822bd

SHA512
f85b5b38ade3efa605e1da27e8680045548e3343804073f9fe0c83e4becfb2eb4a237c8e1c84d43da386cbdddcc45f915bce950ed41d53a8dfdf85af2dfac879

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ac41b7e86fdca59d9d1e15193fd84284

SHA1
e30bbb6d2baec72ecb61e95d9130077a0dfde2af

SHA256
02f7591b8fbcdc501acb91bab84c47ec0211bcc8783ab83913292f4f6e3d7ecd

SHA512
56412ec8fc36a29452ce5ca1d6a2785be69e6535a024e6c69d44a3b38588989bab87251b72cdac25baf6441a7668946a89d292fa0ee306d1fea0b10027888d62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
20KB

MD5
189889c07d0c4a7ab504696261c9a21c

SHA1
a88c4a1cf2385308ba1109170a3a033d7515990d

SHA256
1efbf2234192b16e517f2455b13a4f1064be79ab0f4bffde3f39e4c41f46f3a5

SHA512
56697b66fa3c9bc9ad8f128291c8d62179df4ec62b253c7eaa06a4c9b28b48b50b5afedfb6a85b2b0817b8ed30e7ccf2b817a3ffe8970c24fd213b498cacda8d

Download Submit
C:\Users\Admin\AppData\Local\Login Data1719520710578

Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Login Data1719520710578

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI98B6.tmp

Filesize
6KB

MD5
84878b1a26f8544bda4e069320ad8e7d

SHA1
51c6ee244f5f2fa35b563bffb91e37da848a759c

SHA256
809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444

SHA512
4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\002.exe

Filesize
1.2MB

MD5
6503c9c4f19a4b33b701cc5b97b349bc

SHA1
fedb760f67f6000bf311c76dff55c35beeda8b81

SHA256
b79d5e0c3939bb3dd877dd327af8d16a9406d8eca0b888938a0ad39b56311c1a

SHA512
641629267461ae617bb639be4a1c4498fe0aea101b447a9cf1fc78140a6194992de3e60a2eb936001226dc088248ed37254d39914f5d0dced1351c9039823bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe

Filesize
172KB

MD5
65e85c03a7547fb7b79575f6e7d08ae6

SHA1
ed4733496e21e797b1ec02478deeda490bca6af5

SHA256
edd73f76650b83dcda8d2fa247c23ed297a6609a25a5d76a59a8774214be7a67

SHA512
0527aabe9197b4f7f9964e2ef95fc9d42f61270666fdb88020cba1b95be72658e534a0bfd0cbcfb234dd0803134fd0589dd0350415bc042f280bc1fc9a347ecf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

Filesize
4.0MB

MD5
2dcf88dbdd296bd9c00a91820af57109

SHA1
07f957d33e873528110edc4b68939578bb164d2f

SHA256
0a47ff3002351e2925d038e389c814f2a5f69ce4bf03b0f886ee2ee75ea89a65

SHA512
5407918f9540658d3645f4c030072bcbf2060563972dd0ad4b7b433ef10083d79701538721de0f5ce774682318e4b4b11f1f1834811a635d7b3468c0246322ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\askinstall21.exe

Filesize
524KB

MD5
3b7666ddcd8668a6e0f228bc15c2d528

SHA1
1ec26d6afc64c30291a12638f9fa1cacbc530834

SHA256
ff7c1be25f9d0b351c2f1f11b9700d6c467519f6e374df66a78db855eac39dd9

SHA512
21730df8c6450f304926c0f81b2c1352563127fa353c4a05b32ea03c3950d65daaa83b684c27f31334bf7c00b99ca49cae508fcc2ef93ad1bf70b57310898995

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

Filesize
16KB

MD5
812bec2f16987593fa8eb28c13b5f2d3

SHA1
1a5df7a077fa80bf7c2f16bc4560a3496437fdcb

SHA256
a654a65a023292d4daf434473ef875cf0d8eb26301ca99aa03654960cfa8d5fd

SHA512
467720b0c0f0fa78aa85b8d891ab650e7c0ad59dc0188baecb457e2b6a622aa5913321afab325c22dbdc505dcb02fa0fd2c327a59738e879f2222df4f075749b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

Filesize
16KB

MD5
e2e311bd03f17aafbf26f8525e0ffc7e

SHA1
32fdf580dda424477170625b2ff46993c1542094

SHA256
6e9e8d4e26b24e0b9e33d6787c756d6603d39c7d1b7392c7e803964ea1bc974d

SHA512
133fe32595b804e1bdfba90a63cf05053bf25611e005081c42d37d21d3d9e686047b9f18c68e3560691de72a6ec85dc5652dd548fad40b09dc7f58174daf94bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d.jfm

Filesize
16KB

MD5
0d116adadefbbc94c1ccda8846392bec

SHA1
abfdc51f7b9083bb939face690d4bb8926060d28

SHA256
4fc80042fa92296cfd8e86390c303a5ea3fe61230f4bc6e362ed2039817ca108

SHA512
cb03d96aea761899fc829d8b91d173f0b9499d99a7caae64cb77c4b39a5b93305ec7bca68d92f17252a0dc5023a53bc36601679b34b0734ba5b0153e028b4f0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\file1.exe

Filesize
192KB

MD5
f542ee32e7168671e2952b89be66bca3

SHA1
c3e785978ea1747182d3c153cbb39089e522a4a1

SHA256
8ee3a19d5e1a6c198e6ad759c697910d681365a638ace0bc9e9c622afe16bc73

SHA512
2c8c5fd5b0267f750809d2bab24ebe070d11649cf2c827661c78c6627c8d7fc3b1375fda43079dd7dab21a02f5d75b9423f044203f58aeace78c4f89d23c64ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\hjjgaa.exe

Filesize
978KB

MD5
5af45b49951e4e3b1c6d1a0b9cbed2db

SHA1
cae3f32b485f8406d8c4fb9aeeceb923b94b9452

SHA256
86407608f44bb780d40b92e45b200edb584395ca6536e172149c75fa8c60fc5e

SHA512
f4dfcd7a5da8458fc5727df712fee1e14be0b9c9fc0b14dd31c8bc10ab85e469d975c2d4982d031901abb1baba10db3976b58e4d66be1094dc79fff04d4ac74b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg2_2qua.exe

Filesize
561KB

MD5
676757904c8383fd9acbeed15aa8dcc4

SHA1
63f219ec9ef458a258b1845f42d46d2b12f30e8a

SHA256
b44acc4498924f5fa6a479e263626e3a36fee380c6d7463269bc5054dc64c4a9

SHA512
a4d4c945d334153fb91f2736a1ef20f6c4b5c710ec7e2064cdef503d926bb5da16f6ed32c56d2fc94ebb0f75be5e25e0c4cf13e8f9a8f2fd2f110b547aec0845

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecvE148.tmp

Filesize
14.0MB

MD5
641dfa61ce4c3356a75d677e1fadd2e3

SHA1
d8d49d7fed83d680c87e8b732293deb046e93808

SHA256
36eaedbd7e0fffdcf31b845717894f99f7ba75b1d876237b3fb0f15d61f22a60

SHA512
b65466ac970bd996b96b75310b675783ee689dff2e5ca6bb34b6ae691941e9c99967c0fdd31ce9d7d077c7bf9b24d8b629591d72d5557d803e5c3829a09c6292

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdiview.msi

Filesize
231KB

MD5
7cc103f6fd70c6f3a2d2b9fca0438182

SHA1
699bd8924a27516b405ea9a686604b53b4e23372

SHA256
dbd9f2128f0b92b21ef99a1d7a0f93f14ebe475dba436d8b1562677821b918a1

SHA512
92ec9590e32a0cf810fc5d15ca9d855c86e5b8cb17cf45dd68bcb972bd78692436535adf9f510259d604e0a8ba2e25c6d2616df242261eb7b09a0ca5c6c2c128

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf7A80.tmp\Sibuia.dll

Filesize
527KB

MD5
eb948284236e2d61eae0741280265983

SHA1
d5180db7f54de24c27489b221095871a52dc9156

SHA256
dbe5a7daf5bcff97f7c48f9b5476db3072cc85fbffd660adaff2e0455132d026

SHA512
6d8087022ee62acd823cfa871b8b3e3251e44f316769dc04e2ad169e9df6a836dba95c3b268716f2397d6c6a3624a9e50dbe0bc847f3c4f3ef8e09bff30f2d75

Download Submit
C:\Users\Admin\AppData\Local\Temp\sib7AFE.tmp\0\setup.exe

Filesize
3.8MB

MD5
d64e3cc11afc6331715bdfec5f26c2a0

SHA1
ba606f3c9115c584a902c909ac82f411463b551a

SHA256
4c02d9bcae00635df67ea4d3d64c67f258f0256c9f1553997815f8702bc34c63

SHA512
da002e155d6baf03648576a4574ea4635bd35ade04ea0175f3f406895085cd1da9a19eb0e19e0445d40c7d6e2a42d613f0d65684775022ad426db840034448cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\sib7AFE.tmp\SibCa.dll

Filesize
4KB

MD5
04f3c7753a4fcabce7970bfa3b5c76ff

SHA1
34fc37d42f86dac1fd1171a806471cdfeae9817b

SHA256
a735e33a420c2ad93279253bc57137947b5d07803ff438499aaaf6fd0692f4cd

SHA512
f774fc3f3ebf029dc6f122669060351cc58ae27c5224abe2a6c8ab1308c4b796657d2f286760eb73a2ae7563eeef335daa70ed5e4b2560d34ca9873017658afe

Download Submit
C:\Users\Admin\AppData\Local\Temp\sib7AFE.tmp\SibClr.dll

Filesize
51KB

MD5
928e680dea22c19febe9fc8e05d96472

SHA1
0a4a749ddfd220e2b646b878881575ff9352cf73

SHA256
8b6b56f670d59ff93a1c7e601468127fc21f02dde567b5c21a5d53594cdaef94

SHA512
5fbc72c3fa98dc2b5ad2ed556d2c6dc9279d4be3eb90ffd7fa2ada39cb976eba7cb34033e5786d1cb6137c64c869027002be2f2cad408acefd5c22006a1fef34

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\CrashpadMetrics-active.pma

Filesize
1024KB

MD5
d998db6bb78f1336ff0e927205cd5dcd

SHA1
4d4a205d698b61b661514654b3917375f8ab644a

SHA256
32bce0ec12f35821550b935f0f9d841c1dcb83e9316c804190d0aa26881e9d9f

SHA512
c8e05fd8ab522baeab3742ceec64eea154ebb72f9408c82babec3d01ecad67886626c13a126b9290074d4149eef1be56853e9aea72c455147fe3f7039bbfe21f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Crashpad\settings.dat

Filesize
40B

MD5
757f9692a70d6d6f226ba652bbcffe53

SHA1
771e76fc92d2bf676b3c8e3459ab1a2a1257ff5b

SHA256
d0c09cff1833071e93cda9a4b8141a154dba5964db2c6d773ea98625860d13ad

SHA512
79580dd7eb264967e0f97d0676ba2fcf0c99943681cad40e657e8e246df1b956f6daeb4585c5913ca3a93fdfd768933730a9a97a9018efa33c829ab1dea7a150

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Code Cache\wasm\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\DawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Extension Scripts\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Extension Scripts\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.76.2_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\en_GB\messages.json

Filesize
593B

MD5
91f5bc87fd478a007ec68c4e8adf11ac

SHA1
d07dd49e4ef3b36dad7d038b7e999ae850c5bef6

SHA256
92f1246c21dd5fd7266ebfd65798c61e403d01a816cc3cf780db5c8aa2e3d9c9

SHA512
fdc2a29b04e67ddbbd8fb6e8d2443e46badcb2b2fb3a850bbd6198cdccc32ee0bd8a9769d929feefe84d1015145e6664ab5fea114df5a864cf963bf98a65ffd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Extensions\plhpgmgeaipheoodfbldhddibhbojelo\1.0.0.0_0\background.js

Filesize
886B

MD5
fedaca056d174270824193d664e50a3f

SHA1
58d0c6e4ec18ab761805aabb8d94f3c4cbe639f5

SHA256
8f538ed9e633d5c9ea3e8fb1354f58b3a5233f1506c9d3d01873c78e3eb88b8d

SHA512
2f1968ede11b9510b43b842705e5ddac4f85a9e2aa6aee542bec80600228ff5a5723246f77c526154eb9a00a87a5c7ddd634447a8f7a97d6da33b94509731dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Extensions\plhpgmgeaipheoodfbldhddibhbojelo\1.0.0.0_0\d8yI+Hf7rX.js

Filesize
152B

MD5
30cbbf4df66b87924c75750240618648

SHA1
64af3dd53d6ded500863387e407f876c89a29b9a

SHA256
d35fbd13c27f0a01dc944584d05776ba7e6ad3b3d2cbde1f7c349e94502127f5

SHA512
8117b8537a0b5f4bb3ed711d9f062e7a901a90fd3d2cf9dffcc15d03ed4e001991ba2c79bca072fa7fd7ce100f38370105d3ce76eb87f2877c0bf18b4d8cfbab

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Extensions\plhpgmgeaipheoodfbldhddibhbojelo\1.0.0.0_0\icon.png

Filesize
1KB

MD5
5d207f5a21e55e47fccd8ef947a023ae

SHA1
3a80a7cf3a8c8f9bdce89a04239a7e296a94160f

SHA256
4e8ce139d89a497adb4c6f7d2ffc96b583da1882578ab09d121a459c5ad8335f

SHA512
38436956d5414a2cf66085f290ef15681dbf449b453431f937a09bfe21577252565d0c9fa0aceaad158b099383e55b94c721e23132809df728643504effcbe2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Extensions\plhpgmgeaipheoodfbldhddibhbojelo\1.0.0.0_0\icon48.png

Filesize
2KB

MD5
e35b805293ccd4f74377e9959c35427d

SHA1
9755c6f8bab51bd40bd6a51d73be2570605635d1

SHA256
2bf1d9879b36be03b2f140fad1932bc6aaaaac834082c2cd9e98be6773918ca0

SHA512
6c7d37378aa1e521e73980c431ce5815dedb28d5b7003009b91392303d3bec1ee6f2aae719b766da4209b607cd702fae283e1682d3785eff85e07d5ee81319c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Extensions\plhpgmgeaipheoodfbldhddibhbojelo\1.0.0.0_0\popup.js

Filesize
642B

MD5
2ac02ee5f808bc4deb832fb8e7f6f352

SHA1
05375ef86ff516d91fb9746c0cbc46d2318beb86

SHA256
ddc877c153b3a9cd5ec72fef6314739d58ae885e5eff09aadbb86b41c3d814e6

SHA512
6b86f979e43a35d24baaf5762fc0d183584b62779e4b500eb0c5f73fae36b054a66c5b0620ea34c6ac3c562624bec3db3698520af570bb4ed026d907e03182e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Safe Browsing Network\Safe Browsing Cookies

Filesize
20KB

MD5
42c395b8db48b6ce3d34c301d1eba9d5

SHA1
b7cfa3de344814bec105391663c0df4a74310996

SHA256
5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d

SHA512
7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Secure Preferences

Filesize
20KB

MD5
3d1c18afcfdaaa5c79a8724d61f00336

SHA1
537d2fbf641df0b6c33c62c8a3addb8650ea198c

SHA256
8babc4ae554f0125243305a3a44e4afa34565906bc4fd219bda5dddaddd2fb13

SHA512
c193637b98d3675cc08e47c4bc273d80b886849b0eed2b7bc8c93a3d9b3d5ebeabbc128dee508a42315cb961ecf390bbc0cdbe301c987580a2ce073578f2d14c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
07590c4d78735aeb2e30bfc6d466aac0

SHA1
98e4d8597cfd5a7cbb9f5af0e72910b66922478a

SHA256
513082c5ae970b3749a8a1abe6c66b286461d9b06cae35486870b3dbebd503f6

SHA512
f958fa6da35cccc7b59cbbdf8fabf319d2f17948aff7295e1c4ca630641fe5b23ea71cf6ceaf5d3d20a0a895e0306e2542651ab28a692248724beaa35c47d167

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\GPUCache\index

Filesize
256KB

MD5
33172e3ffc9bffffd38e7683621084cc

SHA1
ce440c367923d32db352eb553f71ec44463d59ab

SHA256
cd7bd58958f12d9b8aec9ba297f5e8b3642faacb4f8c435392318715eead594f

SHA512
d643c56188dfc0f6c20db4c2d3ada7940768dee95c6fb5c11c4f98969edd1fc9e551a6f6829590e8f5993c4566f52c06383d848ddc34da4506c7d8e0eab1c95f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\cb38606d-ecdf-45a3-b0fe-957bd4f4515e.tmp

Filesize
6KB

MD5
923cde3581e8b142919be09c56b10ea4

SHA1
dcef3179d92f2a80878cdf18bee40e18e3b625fe

SHA256
8a598930f85d5802cb6dee85c5ef229db383425ee4755eba28f69e51b609b8df

SHA512
8224cbe687ca1b59f56e5c909026428c567823beb50065da47c9f41981165875bfd95599a1595b48136933a43fe93b80b71cd021d920e4e9c9f6126a79eb526f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Local State

Filesize
257KB

MD5
8415d4131c29df91a8b20fab7b8f88ed

SHA1
0a5fcbd43beb4d3c918ec21eb07f25a9c1770cb9

SHA256
77347e270580fafdcb4f94bd610837c17a39a631644ac583e575f4f556456c8a

SHA512
44e1dcb2524cee2505bcd654403ff73cca05ee1e15180d3250d94b938b8dbb83566fb5dc95f59d79e1bcac0fde55dc532af43e34fc232472177634cd8e60cd66

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Local State

Filesize
257KB

MD5
70e2ebc69e957923b37c5a1388fbc41e

SHA1
71bea3ec660fedf27348c9b698f0afd509bbcb07

SHA256
06d5ea01bff0825d780106759c3160e194c2611609460ee36a4507cf904ec96d

SHA512
21f4d7840968c7b29fe626ed530a7889ee3321b7bab9601a54a56d652c88c64f2f0a92cb917398135f58043ba1e56a2afe351237d7d207d4d4feab20a59cddaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Local State

Filesize
257KB

MD5
c8f546c95d9130b1c2a6df8962f38934

SHA1
160278e8eb859bf51044080646b3709b556162f3

SHA256
a6d336474c681b47bb3d43037c0cf6f8efcdcf3e30474609de5ed439f4feb969

SHA512
bb0d79389d2ece46e9a6db0c3d97c245f0dddd011550f350b3ded74632f94e3562b3a3bf31650ad62f2b8f15dc2af2935675a2e6f1cd6cc3e487be19be1d9959

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\ShaderCache\index

Filesize
256KB

MD5
1d7cb9d490acd4439e48bad63c18dd85

SHA1
1e24470de46466a90cdd72dd13b62938de23b3b0

SHA256
622b97e47ee2598cba33a763dfeacc2f913bbbd0ff44b881905daa802d45bbb0

SHA512
796b6bbead39fcafd482cb46e501d0dc3e09fc05c0c695f0ab38c1c515b2ca91581e22de633894f3f6c4dc5d0d9ac78422a9fe99e3a837ced1f918e17ea6232f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Variations

Filesize
85B

MD5
bc6142469cd7dadf107be9ad87ea4753

SHA1
72a9aa05003fab742b0e4dc4c5d9eda6b9f7565c

SHA256
b26da4f8c7e283aa74386da0229d66af14a37986b8ca828e054fc932f68dd557

SHA512
47d1a67a16f5dc6d50556c5296e65918f0a2fcad0e8cee5795b100fe8cd89eaf5e1fd67691e8a57af3677883a5d8f104723b1901d11845b286474c8ac56f6182

Download Submit
C:\Users\Admin\AppData\Roaming\1719520709265.exe

Filesize
101KB

MD5
ef6f72358cb02551caebe720fbc55f95

SHA1
b5ee276e8d479c270eceb497606bd44ee09ff4b8

SHA256
6562bdcbf775e04d8238c2b52a4e8df5afa1e35d1d33d1e4508cfe040676c1e5

SHA512
ea3f0cf40ed3aa3e43b7a19ed6412027f76f9d2d738e040e6459415aa1e5ef13c29ca830a66430c33e492558f7c5f0cc86e1df9474322f231f8506e49c3a1a90

Download Submit
C:\Users\Admin\AppData\Roaming\1719520709265.txt

Filesize
10KB

MD5
2b94581c966d0b31e79f7eda07966211

SHA1
d8d4097ee63da80bc87124031b964e8074a88d3e

SHA256
ab9e1a65a968ed971cd39253800529a8b543eba07e3ad8d7333f4d6309836561

SHA512
667f228d3cc843e57675237f9d66b5ce54e3964d46f2abcda82b05927332b21c18612a2c67baf8ec74a8fd1df4d108af38dec7666e938137b9952879e6366477

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qt34trpx.Admin\storage\default\moz-extension+++c9cdd9b2-a8a6-4f4c-8167-86f19e1820e6^userContextId=4294967295\idb\3647222921wleabcEoxlt-eengsairo.sqlite

Filesize
48KB

MD5
2eab03c24e521ee22c08a3e3bab16d7f

SHA1
d8ea20c5d4e7866c66ef36201e27fce4e10ad12b

SHA256
5c1fffc1e126ebbc19e4ef0cff60d5a0278cc57868737157746827acf7248ba2

SHA512
916cefe311d2b01d58062a022f5172880bd99c817b421f354a75a5c09e013676da7e2c16f333f1be121d62cb848b9739b0f2c4d2f45c56789574b93a97c7685b

Download Submit
memory/1104-283-0x00000000042D0000-0x00000000042D8000-memory.dmp

Filesize
32KB

Download
memory/1104-277-0x00000000040D0000-0x00000000040D8000-memory.dmp

Filesize
32KB

Download
memory/1104-354-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1104-279-0x0000000004170000-0x0000000004178000-memory.dmp

Filesize
32KB

Download
memory/1104-276-0x00000000040B0000-0x00000000040B8000-memory.dmp

Filesize
32KB

Download
memory/1104-282-0x00000000042B0000-0x00000000042B8000-memory.dmp

Filesize
32KB

Download
memory/1104-330-0x0000000004510000-0x0000000004518000-memory.dmp

Filesize
32KB

Download
memory/1104-332-0x00000000043E0000-0x00000000043E8000-memory.dmp

Filesize
32KB

Download
memory/1104-263-0x0000000003490000-0x00000000034A0000-memory.dmp

Filesize
64KB

Download
memory/1104-269-0x00000000037B0000-0x00000000037C0000-memory.dmp

Filesize
64KB

Download
memory/1104-115-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1104-284-0x0000000004670000-0x0000000004678000-memory.dmp

Filesize
32KB

Download
memory/1104-285-0x00000000046B0000-0x00000000046B8000-memory.dmp

Filesize
32KB

Download
memory/1104-102-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1104-286-0x00000000043E0000-0x00000000043E8000-memory.dmp

Filesize
32KB

Download
memory/1104-299-0x00000000040D0000-0x00000000040D8000-memory.dmp

Filesize
32KB

Download
memory/1104-307-0x00000000043E0000-0x00000000043E8000-memory.dmp

Filesize
32KB

Download
memory/1104-309-0x0000000004510000-0x0000000004518000-memory.dmp

Filesize
32KB

Download
memory/1104-322-0x00000000040D0000-0x00000000040D8000-memory.dmp

Filesize
32KB

Download
memory/1156-380-0x0000000004730000-0x0000000004736000-memory.dmp

Filesize
24KB

Download
memory/1156-379-0x00000000046A0000-0x00000000046C4000-memory.dmp

Filesize
144KB

Download
memory/1156-378-0x0000000004CD0000-0x0000000004CD6000-memory.dmp

Filesize
24KB

Download
memory/1156-377-0x00000000003F0000-0x0000000000424000-memory.dmp

Filesize
208KB

Download
memory/1396-1533-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1396-1535-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1532-1548-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1532-1542-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1536-61-0x0000000010D20000-0x0000000010DDA000-memory.dmp

Filesize
744KB

Download
memory/1536-60-0x0000000010D00000-0x0000000010D12000-memory.dmp

Filesize
72KB

Download
memory/1544-32-0x0000000010000000-0x00000000100E4000-memory.dmp

Filesize
912KB

Download
memory/1728-79-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1728-104-0x0000000010000000-0x000000001033D000-memory.dmp

Filesize
3.2MB

Download
memory/4156-122-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/4156-135-0x0000000004570000-0x0000000004A21000-memory.dmp

Filesize
4.7MB

Download
memory/4224-1524-0x00000000005F0000-0x000000000067A000-memory.dmp

Filesize
552KB

Download
memory/4224-387-0x00000000005F0000-0x000000000067A000-memory.dmp

Filesize
552KB

Download
memory/4852-121-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/4852-131-0x0000000003980000-0x0000000003E31000-memory.dmp

Filesize
4.7MB

Download