azorult | 693883c68fc9fd236ff5e63c81c01a0ba5ffa60360c4db1c125c5094bbce68fa

Analysis

max time kernel
128s
max time network
150s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
11-07-2024 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

keygen.bat
Size

146B
MD5

98ee725f76d72ee9e9899a3fab9ba23b
SHA1

45c34541a5b0aa0bb99043f6c39f49605ec4ebd8
SHA256

ce6afc9a209c23efea91c9ce412abd19b882c1b3ac93fd26ed746eb05aebf2ff
SHA512

369176b70962b18910fcbb876945873fcfb9bb251e845e3e601d38b38f3998c1808f45796be01eb5a6ccc585b2533bcf2c4d1d3e2fc63fd4fabba31e3b8c5b06

Score

10^/10

azorult fabookie ffdroider pony bootkit collection discovery infostealer persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Extracted

Family

ffdroider

http://101.36.107.74

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult

Detect Fabookie payload 1 IoCs

resource	yara_rule
behavioral11/files/0x0006000000017205-948.dat	family_fabookie

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider
Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Detected Nirsoft tools 2 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral11/memory/1548-1033-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral11/memory/1548-1036-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft

Executes dropped EXE 15 IoCs

pid	Process
2952	key.exe
2832	002.exe
1520	key.exe
560	Setup.exe
2420	setup.exe
1772	aliens.exe
1032	jg2_2qua.exe
2528	85F91A36E275562F.exe
2584	85F91A36E275562F.exe
2432	ThunderFW.exe
492	file1.exe
1772	BTRSetp.exe
2708	askinstall21.exe
2176	hjjgaa.exe
1548	jfiag3g_gg.exe

Loads dropped DLL 41 IoCs

pid	Process
2020	keygen-pr.exe
2020	keygen-pr.exe
2020	keygen-pr.exe
2020	keygen-pr.exe
2628	keygen-step-4.exe
2628	keygen-step-4.exe
2628	keygen-step-4.exe
2628	keygen-step-4.exe
2952	key.exe
2628	keygen-step-4.exe
2628	keygen-step-4.exe
2628	keygen-step-4.exe
2628	keygen-step-4.exe
560	Setup.exe
560	Setup.exe
560	Setup.exe
560	Setup.exe
2420	setup.exe
2628	keygen-step-4.exe
2628	keygen-step-4.exe
2628	keygen-step-4.exe
2628	keygen-step-4.exe
1956	MsiExec.exe
1772	aliens.exe
1772	aliens.exe
2528	85F91A36E275562F.exe
2628	keygen-step-4.exe
2628	keygen-step-4.exe
2628	keygen-step-4.exe
2628	keygen-step-4.exe
2628	keygen-step-4.exe
2628	keygen-step-4.exe
2628	keygen-step-4.exe
2628	keygen-step-4.exe
2628	keygen-step-4.exe
2628	keygen-step-4.exe
2628	keygen-step-4.exe
2628	keygen-step-4.exe
2628	keygen-step-4.exe
2176	hjjgaa.exe
2176	hjjgaa.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral11/files/0x000800000001d212-1030.dat	upx
behavioral11/memory/1548-1033-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral11/memory/1548-1036-0x0000000000400000-0x000000000045B000-memory.dmp	upx

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	key.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	key.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	hjjgaa.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\gnhbhmjpkklddamcnddhnjdalncoofkm\1.0.0.0_0\manifest.json	85F91A36E275562F.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnfhfpkmpnmlmlgfeabpegnfpdnmokco\5.18.6_0\manifest.json	askinstall21.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
36	iplogger.org
37	iplogger.org
43	iplogger.org
50	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
58	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	aliens.exe
File opened for modification	\??\PhysicalDrive0	85F91A36E275562F.exe
File opened for modification	\??\PhysicalDrive0	85F91A36E275562F.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1772	aliens.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2952 set thread context of 1520	2952	key.exe	41
PID 2528 set thread context of 1532	2528	85F91A36E275562F.exe	62
PID 2528 set thread context of 2308	2528	85F91A36E275562F.exe	68
PID 2528 set thread context of 2416	2528	85F91A36E275562F.exe	69

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\ujvqkl7ofji6	setup.exe
File created	C:\Program Files (x86)\ujvqkl7ofji6\__tmp_rar_sfx_access_check_259468756	setup.exe
File created	C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	setup.exe
File opened for modification	C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2832	taskkill.exe
2584	taskkill.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	aliens.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	file1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0f0000000100000020000000f58d226a1455ea81e8c8df37b8c942f342ebbc60a29701fc2895ec13140104610300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	file1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 140000000100000014000000f8d0dc54367cf794020f8b92783a5d8a91251f9f0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd0f0000000100000020000000f58d226a1455ea81e8c8df37b8c942f342ebbc60a29701fc2895ec13140104612000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	file1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 19000000010000001000000018e847daffeaedafa0faaea36340ea790f0000000100000020000000f58d226a1455ea81e8c8df37b8c942f342ebbc60a29701fc2895ec13140104610300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd140000000100000014000000f8d0dc54367cf794020f8b92783a5d8a91251f9f2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	file1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	aliens.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
2320	PING.EXE
1400	PING.EXE
2152	PING.EXE
2000	PING.EXE

Suspicious behavior: CmdExeWriteProcessMemorySpam 5 IoCs

pid	Process
1844	intro.exe
2020	keygen-pr.exe
828	keygen-step-1.exe
2404	keygen-step-3.exe
2628	keygen-step-4.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2952	key.exe
2952	key.exe
2076	chrome.exe
2076	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2712	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2712	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2712	msiexec.exe
Token: SeRestorePrivilege	2516	msiexec.exe
Token: SeTakeOwnershipPrivilege	2516	msiexec.exe
Token: SeSecurityPrivilege	2516	msiexec.exe
Token: SeCreateTokenPrivilege	2712	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2712	msiexec.exe
Token: SeLockMemoryPrivilege	2712	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2712	msiexec.exe
Token: SeMachineAccountPrivilege	2712	msiexec.exe
Token: SeTcbPrivilege	2712	msiexec.exe
Token: SeSecurityPrivilege	2712	msiexec.exe
Token: SeTakeOwnershipPrivilege	2712	msiexec.exe
Token: SeLoadDriverPrivilege	2712	msiexec.exe
Token: SeSystemProfilePrivilege	2712	msiexec.exe
Token: SeSystemtimePrivilege	2712	msiexec.exe
Token: SeProfSingleProcessPrivilege	2712	msiexec.exe
Token: SeIncBasePriorityPrivilege	2712	msiexec.exe
Token: SeCreatePagefilePrivilege	2712	msiexec.exe
Token: SeCreatePermanentPrivilege	2712	msiexec.exe
Token: SeBackupPrivilege	2712	msiexec.exe
Token: SeRestorePrivilege	2712	msiexec.exe
Token: SeShutdownPrivilege	2712	msiexec.exe
Token: SeDebugPrivilege	2712	msiexec.exe
Token: SeAuditPrivilege	2712	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2712	msiexec.exe
Token: SeChangeNotifyPrivilege	2712	msiexec.exe
Token: SeRemoteShutdownPrivilege	2712	msiexec.exe
Token: SeUndockPrivilege	2712	msiexec.exe
Token: SeSyncAgentPrivilege	2712	msiexec.exe
Token: SeEnableDelegationPrivilege	2712	msiexec.exe
Token: SeManageVolumePrivilege	2712	msiexec.exe
Token: SeImpersonatePrivilege	2712	msiexec.exe
Token: SeCreateGlobalPrivilege	2712	msiexec.exe
Token: SeCreateTokenPrivilege	2712	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2712	msiexec.exe
Token: SeLockMemoryPrivilege	2712	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2712	msiexec.exe
Token: SeMachineAccountPrivilege	2712	msiexec.exe
Token: SeTcbPrivilege	2712	msiexec.exe
Token: SeSecurityPrivilege	2712	msiexec.exe
Token: SeTakeOwnershipPrivilege	2712	msiexec.exe
Token: SeLoadDriverPrivilege	2712	msiexec.exe
Token: SeSystemProfilePrivilege	2712	msiexec.exe
Token: SeSystemtimePrivilege	2712	msiexec.exe
Token: SeProfSingleProcessPrivilege	2712	msiexec.exe
Token: SeIncBasePriorityPrivilege	2712	msiexec.exe
Token: SeCreatePagefilePrivilege	2712	msiexec.exe
Token: SeCreatePermanentPrivilege	2712	msiexec.exe
Token: SeBackupPrivilege	2712	msiexec.exe
Token: SeRestorePrivilege	2712	msiexec.exe
Token: SeShutdownPrivilege	2712	msiexec.exe
Token: SeDebugPrivilege	2712	msiexec.exe
Token: SeAuditPrivilege	2712	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2712	msiexec.exe
Token: SeChangeNotifyPrivilege	2712	msiexec.exe
Token: SeRemoteShutdownPrivilege	2712	msiexec.exe
Token: SeUndockPrivilege	2712	msiexec.exe
Token: SeSyncAgentPrivilege	2712	msiexec.exe
Token: SeEnableDelegationPrivilege	2712	msiexec.exe
Token: SeManageVolumePrivilege	2712	msiexec.exe
Token: SeImpersonatePrivilege	2712	msiexec.exe
Token: SeCreateGlobalPrivilege	2712	msiexec.exe
Token: SeCreateTokenPrivilege	2712	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2712	msiexec.exe
2076	chrome.exe
2076	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2832	002.exe
2832	002.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1844	1708	cmd.exe	31
PID 1708 wrote to memory of 1844	1708	cmd.exe	31
PID 1708 wrote to memory of 1844	1708	cmd.exe	31
PID 1708 wrote to memory of 1844	1708	cmd.exe	31
PID 1708 wrote to memory of 2020	1708	cmd.exe	32
PID 1708 wrote to memory of 2020	1708	cmd.exe	32
PID 1708 wrote to memory of 2020	1708	cmd.exe	32
PID 1708 wrote to memory of 2020	1708	cmd.exe	32
PID 1708 wrote to memory of 2020	1708	cmd.exe	32
PID 1708 wrote to memory of 2020	1708	cmd.exe	32
PID 1708 wrote to memory of 2020	1708	cmd.exe	32
PID 1708 wrote to memory of 828	1708	cmd.exe	33
PID 1708 wrote to memory of 828	1708	cmd.exe	33
PID 1708 wrote to memory of 828	1708	cmd.exe	33
PID 1708 wrote to memory of 828	1708	cmd.exe	33
PID 1708 wrote to memory of 2404	1708	cmd.exe	34
PID 1708 wrote to memory of 2404	1708	cmd.exe	34
PID 1708 wrote to memory of 2404	1708	cmd.exe	34
PID 1708 wrote to memory of 2404	1708	cmd.exe	34
PID 2404 wrote to memory of 1956	2404	keygen-step-3.exe	35
PID 2404 wrote to memory of 1956	2404	keygen-step-3.exe	35
PID 2404 wrote to memory of 1956	2404	keygen-step-3.exe	35
PID 2404 wrote to memory of 1956	2404	keygen-step-3.exe	35
PID 1956 wrote to memory of 2320	1956	cmd.exe	37
PID 1956 wrote to memory of 2320	1956	cmd.exe	37
PID 1956 wrote to memory of 2320	1956	cmd.exe	37
PID 1956 wrote to memory of 2320	1956	cmd.exe	37
PID 1708 wrote to memory of 2628	1708	cmd.exe	38
PID 1708 wrote to memory of 2628	1708	cmd.exe	38
PID 1708 wrote to memory of 2628	1708	cmd.exe	38
PID 1708 wrote to memory of 2628	1708	cmd.exe	38
PID 2020 wrote to memory of 2952	2020	keygen-pr.exe	39
PID 2020 wrote to memory of 2952	2020	keygen-pr.exe	39
PID 2020 wrote to memory of 2952	2020	keygen-pr.exe	39
PID 2020 wrote to memory of 2952	2020	keygen-pr.exe	39
PID 2020 wrote to memory of 2952	2020	keygen-pr.exe	39
PID 2020 wrote to memory of 2952	2020	keygen-pr.exe	39
PID 2020 wrote to memory of 2952	2020	keygen-pr.exe	39
PID 2628 wrote to memory of 2832	2628	keygen-step-4.exe	40
PID 2628 wrote to memory of 2832	2628	keygen-step-4.exe	40
PID 2628 wrote to memory of 2832	2628	keygen-step-4.exe	40
PID 2628 wrote to memory of 2832	2628	keygen-step-4.exe	40
PID 2952 wrote to memory of 1520	2952	key.exe	41
PID 2952 wrote to memory of 1520	2952	key.exe	41
PID 2952 wrote to memory of 1520	2952	key.exe	41
PID 2952 wrote to memory of 1520	2952	key.exe	41
PID 2952 wrote to memory of 1520	2952	key.exe	41
PID 2952 wrote to memory of 1520	2952	key.exe	41
PID 2952 wrote to memory of 1520	2952	key.exe	41
PID 2952 wrote to memory of 1520	2952	key.exe	41
PID 2952 wrote to memory of 1520	2952	key.exe	41
PID 2952 wrote to memory of 1520	2952	key.exe	41
PID 2952 wrote to memory of 1520	2952	key.exe	41
PID 2952 wrote to memory of 1520	2952	key.exe	41
PID 2952 wrote to memory of 1520	2952	key.exe	41
PID 2952 wrote to memory of 1520	2952	key.exe	41
PID 2952 wrote to memory of 1520	2952	key.exe	41
PID 2952 wrote to memory of 1520	2952	key.exe	41
PID 2952 wrote to memory of 1520	2952	key.exe	41
PID 2628 wrote to memory of 560	2628	keygen-step-4.exe	46
PID 2628 wrote to memory of 560	2628	keygen-step-4.exe	46
PID 2628 wrote to memory of 560	2628	keygen-step-4.exe	46
PID 2628 wrote to memory of 560	2628	keygen-step-4.exe	46
PID 2628 wrote to memory of 560	2628	keygen-step-4.exe	46

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	key.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\keygen.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\intro.exe
  intro.exe 1O5ZF
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:1844
- C:\Users\Admin\AppData\Local\Temp\keygen-pr.exe
  keygen-pr.exe -p83fsase3Ge
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - outlook_win_path
    PID:2952
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe
      C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe -txt -scanlocal -file:potato.dat
      4⤵
      Executes dropped EXE
      PID:1520
- C:\Users\Admin\AppData\Local\Temp\keygen-step-1.exe
  keygen-step-1.exe
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:828
- C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe
  keygen-step-3.exe
  2⤵
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\keygen-step-3.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 3000
      4⤵
      Runs ping.exe
      PID:2320
- C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
  keygen-step-4.exe
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\002.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\002.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2832
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:560
  - - C:\Users\Admin\AppData\Local\Temp\sib21A6.tmp\0\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\sib21A6.tmp\0\setup.exe" -s
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      PID:2420
    - - C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe
        
        "C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies system certificate store
        
        PID:1772
      - C:\Windows\SysWOW64\msiexec.exe
        
        msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
        6⤵
        Enumerates connected drives
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:2712
      - C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe
        
        C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe 0011 installp1
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        
        PID:2528
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        7⤵
        
        PID:1532
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        7⤵
        
        PID:2308
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        7⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
        
        C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
        7⤵
        Executes dropped EXE
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe"
        7⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        8⤵
        Runs ping.exe
        
        PID:2000
      - C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe
        
        C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe 200 installp1
        6⤵
        Executes dropped EXE
        Drops Chrome extension
        Writes to the Master Boot Record (MBR)
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        7⤵
        
        PID:332
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        8⤵
        Kills process with taskkill
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe"
        7⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        8⤵
        Runs ping.exe
        
        PID:2152
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe"
        6⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        7⤵
        Runs ping.exe
        
        PID:1400
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\jg2_2qua.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\jg2_2qua.exe"
    3⤵
    - Executes dropped EXE
    PID:1032
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\file1.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\file1.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    PID:492
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe"
    3⤵
    - Executes dropped EXE
    PID:1772
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall21.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall21.exe"
    3⤵
    - Executes dropped EXE
    - Drops Chrome extension
    PID:2708
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c taskkill /f /im chrome.exe
      4⤵
      PID:3032
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        5⤵
        Kills process with taskkill
        
        PID:2584
  - - C:\Windows\SysWOW64\xcopy.exe
      xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\" /s /e /y
      4⤵
      Enumerates system info in registry
      PID:2420
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      PID:2076
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x7fef6a59758,0x7fef6a59768,0x7fef6a59778
        5⤵
        
        PID:1160
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1128 --field-trial-handle=1376,i,238179009406412262,9268961289410445675,131072 /prefetch:2
        5⤵
        
        PID:1328
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99" --mojo-platform-channel-handle=1504 --field-trial-handle=1376,i,238179009406412262,9268961289410445675,131072 /prefetch:8
        5⤵
        
        PID:2320
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99" --mojo-platform-channel-handle=1628 --field-trial-handle=1376,i,238179009406412262,9268961289410445675,131072 /prefetch:8
        5⤵
        
        PID:2916
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99" --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2172 --field-trial-handle=1376,i,238179009406412262,9268961289410445675,131072 /prefetch:1
        5⤵
        
        PID:2832
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99" --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2180 --field-trial-handle=1376,i,238179009406412262,9268961289410445675,131072 /prefetch:1
        5⤵
        
        PID:1620
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99" --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2188 --field-trial-handle=1376,i,238179009406412262,9268961289410445675,131072 /prefetch:1
        5⤵
        
        PID:300
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99" --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2196 --field-trial-handle=1376,i,238179009406412262,9268961289410445675,131072 /prefetch:1
        5⤵
        
        PID:2264
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1368 --field-trial-handle=1376,i,238179009406412262,9268961289410445675,131072 /prefetch:2
        5⤵
        
        PID:1496
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99" --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3452 --field-trial-handle=1376,i,238179009406412262,9268961289410445675,131072 /prefetch:1
        5⤵
        
        PID:1912
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\hjjgaa.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\hjjgaa.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    PID:2176
  - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      4⤵
      Executes dropped EXE
      PID:1548

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:2516
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 91C7424ED434570C521BFCD0B1171527 C
  2⤵
  - Loads dropped DLL
  PID:1956

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
e8c2d161d79d91970aa22127875050c6

SHA1
c7503f1bdab60e32234dd8d1e0c22c2812fb5e54

SHA256
77e5088caadeff4eb9ec824259527d0fe266b4763e41ba66e11a569dae918d6a

SHA512
7b045894d705ba6186bc7a9cb3b1fca3496d8d347606879fffac850f989e3d702fc028b2fd84a6fbe6bf204660f38c244cc2b75141ed4bf40dda9c89c9117b00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
eabd1f4b742334fa53cf629447d14ede

SHA1
442742577a6f854934490f7d609bc243ad30b57b

SHA256
2a43114a0e441edc2698f797a76ad204ec580dab349a9eb63d1bdcc7db3e3eaa

SHA512
77eccdb18bf3b4b2ea1f687679e12e5370060c730e9bc8e847ec9384a26090cc5e95c3f3024184530a58957195aebdb836fb0f9ab96eb6b6e34b3b124c030b09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data.bak

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCA42.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3B5B.tmp

Filesize
6KB

MD5
84878b1a26f8544bda4e069320ad8e7d

SHA1
51c6ee244f5f2fa35b563bffb91e37da848a759c

SHA256
809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444

SHA512
4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\JOzWR.dat

Filesize
1.5MB

MD5
12476321a502e943933e60cfb4429970

SHA1
c71d293b84d03153a1bd13c560fca0f8857a95a7

SHA256
14a0fbd7eab461e49ee161ac3bd9ad8055086dbe56848dbaba9ec2034b3dea29

SHA512
f222de8febc705146394fd389e6cece95b077a0629e18eab91c49b139bf5b686435e28a6ada4a0dbb951fd24ec3db692e7a5584d57ffd0e851739e595f2bbfdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\key.exe

Filesize
58KB

MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\potato.dat

Filesize
726B

MD5
0f90439556d51de52381dd94eb25d275

SHA1
57bdae06b5ab853b6260f922a2bc6c7c59d7d566

SHA256
3de735c19abbe9d49535e46580afe988d41064fb00cf75a579d86e3a7380a213

SHA512
d13b7213f35e2c06f5eea9cd1f2dd1610150a528cbb92b9c19dc2de9f5b992d3c77ec5b75bb5a7ca78c9b0884c6eba986f84f1dedbf6239d465dd4f4a341191a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\hjjgaa.exe

Filesize
978KB

MD5
5af45b49951e4e3b1c6d1a0b9cbed2db

SHA1
cae3f32b485f8406d8c4fb9aeeceb923b94b9452

SHA256
86407608f44bb780d40b92e45b200edb584395ca6536e172149c75fa8c60fc5e

SHA512
f4dfcd7a5da8458fc5727df712fee1e14be0b9c9fc0b14dd31c8bc10ab85e469d975c2d4982d031901abb1baba10db3976b58e4d66be1094dc79fff04d4ac74b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE80F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdiview.msi

Filesize
231KB

MD5
7cc103f6fd70c6f3a2d2b9fca0438182

SHA1
699bd8924a27516b405ea9a686604b53b4e23372

SHA256
dbd9f2128f0b92b21ef99a1d7a0f93f14ebe475dba436d8b1562677821b918a1

SHA512
92ec9590e32a0cf810fc5d15ca9d855c86e5b8cb17cf45dd68bcb972bd78692436535adf9f510259d604e0a8ba2e25c6d2616df242261eb7b09a0ca5c6c2c128

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
184KB

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse2119.tmp\Sibuia.dll

Filesize
527KB

MD5
eb948284236e2d61eae0741280265983

SHA1
d5180db7f54de24c27489b221095871a52dc9156

SHA256
dbe5a7daf5bcff97f7c48f9b5476db3072cc85fbffd660adaff2e0455132d026

SHA512
6d8087022ee62acd823cfa871b8b3e3251e44f316769dc04e2ad169e9df6a836dba95c3b268716f2397d6c6a3624a9e50dbe0bc847f3c4f3ef8e09bff30f2d75

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Crashpad\settings.dat

Filesize
40B

MD5
f956de956cddcda63d6d9df45c0c463a

SHA1
0e4903dc7cd96445215d305e980cff550c725983

SHA256
2d78531b24f16c12409ad3a8528ce5ab18b4898cc11bf6a159edc02f11f86088

SHA512
0e4c73d55986be7d548101a336fe8596335cd43bd7121c13c272eecd7c7078a37674a5bed7ac0d72a0061a6f3d53b5ca02c2d5d06276f7b4dcf7866d9614b196

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Cache\Cache_Data\f_000002

Filesize
20KB

MD5
9733b28706daf43380c4360d4c3192ea

SHA1
3cb2732e2aff81ff0c3b09a76fd07e94283a0717

SHA256
b8d08e5cb54c78a349ca477205288dab5ffdf9e745dae04fd6f7af5df12d0765

SHA512
7e4182cbd689577ec22e9a9d1b9e0002b7e039a6a0dadcdc0a232505ab18fca1648b9c15278aea9a2041fce9bd114e242192c192fb7647bf2b4daebb5f859820

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Cache\Cache_Data\f_00000b

Filesize
17KB

MD5
df1c35a189211c1f2d13cf92e872ce8e

SHA1
364dc84e3bef71fe2b953b1a48755614740e3743

SHA256
991179fe6698622b9e16eaa0e835ee2ca4098e526598f2d4f33706508dd283ad

SHA512
aa5c9a44eea1db929b047f650526cc6d8bd162330e9df5cf63b9ead9e4f76255c20031a86ff9bce5b888224377b6cef9a0d6bc2f2b42fceabd1d44cf86f4a77b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Cache\Cache_Data\f_00000f

Filesize
16KB

MD5
9978db669e49523b7adb3af80d561b1b

SHA1
7eb15d01e2afd057188741fad9ea1719bccc01ea

SHA256
4e57f4cf302186300f95c74144cbca9eb756c0a8313ebf32f8aba5c279dd059c

SHA512
04b216bd907c70ee2b96e513f7de56481388b577e6ccd67145a48178a605581fab715096cfb75d1bb336e6ad0060701d2a3680e9f38fe31e1573d5965f1e380a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Code Cache\wasm\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\DawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Extensions\gnhbhmjpkklddamcnddhnjdalncoofkm\1.0.0.0_0\background.js

Filesize
886B

MD5
fedaca056d174270824193d664e50a3f

SHA1
58d0c6e4ec18ab761805aabb8d94f3c4cbe639f5

SHA256
8f538ed9e633d5c9ea3e8fb1354f58b3a5233f1506c9d3d01873c78e3eb88b8d

SHA512
2f1968ede11b9510b43b842705e5ddac4f85a9e2aa6aee542bec80600228ff5a5723246f77c526154eb9a00a87a5c7ddd634447a8f7a97d6da33b94509731dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Extensions\gnhbhmjpkklddamcnddhnjdalncoofkm\1.0.0.0_0\d8yI+Hf7rX.js

Filesize
152B

MD5
30cbbf4df66b87924c75750240618648

SHA1
64af3dd53d6ded500863387e407f876c89a29b9a

SHA256
d35fbd13c27f0a01dc944584d05776ba7e6ad3b3d2cbde1f7c349e94502127f5

SHA512
8117b8537a0b5f4bb3ed711d9f062e7a901a90fd3d2cf9dffcc15d03ed4e001991ba2c79bca072fa7fd7ce100f38370105d3ce76eb87f2877c0bf18b4d8cfbab

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Extensions\gnhbhmjpkklddamcnddhnjdalncoofkm\1.0.0.0_0\icon.png

Filesize
1KB

MD5
5d207f5a21e55e47fccd8ef947a023ae

SHA1
3a80a7cf3a8c8f9bdce89a04239a7e296a94160f

SHA256
4e8ce139d89a497adb4c6f7d2ffc96b583da1882578ab09d121a459c5ad8335f

SHA512
38436956d5414a2cf66085f290ef15681dbf449b453431f937a09bfe21577252565d0c9fa0aceaad158b099383e55b94c721e23132809df728643504effcbe2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Extensions\gnhbhmjpkklddamcnddhnjdalncoofkm\1.0.0.0_0\icon48.png

Filesize
2KB

MD5
e35b805293ccd4f74377e9959c35427d

SHA1
9755c6f8bab51bd40bd6a51d73be2570605635d1

SHA256
2bf1d9879b36be03b2f140fad1932bc6aaaaac834082c2cd9e98be6773918ca0

SHA512
6c7d37378aa1e521e73980c431ce5815dedb28d5b7003009b91392303d3bec1ee6f2aae719b766da4209b607cd702fae283e1682d3785eff85e07d5ee81319c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Extensions\gnhbhmjpkklddamcnddhnjdalncoofkm\1.0.0.0_0\jquery-1.8.3.min.js

Filesize
91KB

MD5
e1288116312e4728f98923c79b034b67

SHA1
8b6babff47b8a9793f37036fd1b1a3ad41d38423

SHA256
ba6eda7945ab8d7e57b34cc5a3dd292fa2e4c60a5ced79236ecf1a9e0f0c2d32

SHA512
bf28a9a446e50639a9592d7651f89511fc4e583e213f20a0dff3a44e1a7d73ceefdb6597db121c7742bde92410a27d83d92e2e86466858a19803e72a168e5656

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Extensions\gnhbhmjpkklddamcnddhnjdalncoofkm\1.0.0.0_0\manifest.json

Filesize
1KB

MD5
daeb07575f18e899586ec16b49bc64bb

SHA1
f2eb63bee6c46fdf4619d04118c70fac2a9f86c9

SHA256
6882a880abe63c38cab3abf2d787400c0c198a6bbaeff1176a4b0dd2917f3512

SHA512
de9b6ca3781e45b52f4786cf5800fd31756a2ae1d711388a9b5cf277a565d2295e63db9a5229a2dae5961a9bffd69e5dab57d1681b9f6e024a7a0959bc148890

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Extensions\gnhbhmjpkklddamcnddhnjdalncoofkm\1.0.0.0_0\popup.html

Filesize
280B

MD5
e93b02d6cffcca037f3ea55dc70ee969

SHA1
db09ed8eb9dbc82119fa1f76b3e36f2722ed2153

SHA256
b057584f5e81b48291e696c061f94b1e88ca52522490816d4bf900817ff822bd

SHA512
f85b5b38ade3efa605e1da27e8680045548e3343804073f9fe0c83e4becfb2eb4a237c8e1c84d43da386cbdddcc45f915bce950ed41d53a8dfdf85af2dfac879

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Extensions\gnhbhmjpkklddamcnddhnjdalncoofkm\1.0.0.0_0\popup.js

Filesize
642B

MD5
2ac02ee5f808bc4deb832fb8e7f6f352

SHA1
05375ef86ff516d91fb9746c0cbc46d2318beb86

SHA256
ddc877c153b3a9cd5ec72fef6314739d58ae885e5eff09aadbb86b41c3d814e6

SHA512
6b86f979e43a35d24baaf5762fc0d183584b62779e4b500eb0c5f73fae36b054a66c5b0620ea34c6ac3c562624bec3db3698520af570bb4ed026d907e03182e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\GCM Store\Encryption\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\GCM Store\Encryption\MANIFEST-000002

Filesize
50B

MD5
22bf0e81636b1b45051b138f48b3d148

SHA1
56755d203579ab356e5620ce7e85519ad69d614a

SHA256
e292f241daafc3df90f3e2d339c61c6e2787a0d0739aac764e1ea9bb8544ee97

SHA512
a4cf1f5c74e0df85dda8750be9070e24e19b8be15c6f22f0c234ef8423ef9ca3db22ba9ef777d64c33e8fd49fada6fcca26c1a14ba18e8472370533a1c65d8d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Network\2aef9c40-b70b-477d-9e4e-f93d67945562.tmp

Filesize
987B

MD5
7b09d8f6cc88fb3c29bccebeb5492312

SHA1
a87e2112148798603bcba8dac64bc8d590093908

SHA256
504ad972dcf37bca66b3cf48451de2a4ded00c0eb54af35508862ce21ed13dbb

SHA512
32b263aa6e2a7752ee5160ec446e0f09cc534444523715f8d1a302157c68e070f0d12c4cea745176027e7ed1d4b4712439b9b900922935b2cf99365ca748cf38

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Network\TransportSecurity

Filesize
683B

MD5
5b533426c37cf7c41872d97f5479b8e8

SHA1
131e4740046f311a20ded8a02c31f6d55befb892

SHA256
753cc8c6a9114e4a2cb13dd92cd822cb4f5caafa1f379cdd9670f2e05786c369

SHA512
ee4f66b5fd6c0b7cc0a67d6b83e26269ad3b6b7e2b1363988e15c4757eba1ad2ad10e5697bebacb5c5860fb060325db81b9f906a26ea12b740da6951ea10ccfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Safe Browsing Network\Safe Browsing Cookies

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\shared_proto_db\MANIFEST-000004

Filesize
50B

MD5
494e626a5079642efed0f0c7f38bd4ef

SHA1
0cbead74a33ad551eae3b25c213d3b080535589b

SHA256
9ce8bd68fe0b86c0bf2067d549e7b93bc1c24f12bdfd227aba521e9d7e704436

SHA512
659bc9699799757dec5b257d78949d378caf03001890f7ae24d28055cff7175d85f8ea14393048aab1c0ba460082f568e5f4bfacdb8921f006f98989293fe78d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x07tfuqf.Admin\storage\default\moz-extension+++c9cdd9b2-a8a6-4f4c-8167-86f19e1820e6^userContextId=4294967295\idb\3647222921wleabcEoxlt-eengsairo.sqlite

Filesize
48KB

MD5
2eab03c24e521ee22c08a3e3bab16d7f

SHA1
d8ea20c5d4e7866c66ef36201e27fce4e10ad12b

SHA256
5c1fffc1e126ebbc19e4ef0cff60d5a0278cc57868737157746827acf7248ba2

SHA512
916cefe311d2b01d58062a022f5172880bd99c817b421f354a75a5c09e013676da7e2c16f333f1be121d62cb848b9739b0f2c4d2f45c56789574b93a97c7685b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\002.exe

Filesize
1.2MB

MD5
6503c9c4f19a4b33b701cc5b97b349bc

SHA1
fedb760f67f6000bf311c76dff55c35beeda8b81

SHA256
b79d5e0c3939bb3dd877dd327af8d16a9406d8eca0b888938a0ad39b56311c1a

SHA512
641629267461ae617bb639be4a1c4498fe0aea101b447a9cf1fc78140a6194992de3e60a2eb936001226dc088248ed37254d39914f5d0dced1351c9039823bf6

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\BTRSetp.exe

Filesize
172KB

MD5
65e85c03a7547fb7b79575f6e7d08ae6

SHA1
ed4733496e21e797b1ec02478deeda490bca6af5

SHA256
edd73f76650b83dcda8d2fa247c23ed297a6609a25a5d76a59a8774214be7a67

SHA512
0527aabe9197b4f7f9964e2ef95fc9d42f61270666fdb88020cba1b95be72658e534a0bfd0cbcfb234dd0803134fd0589dd0350415bc042f280bc1fc9a347ecf

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\Setup.exe

Filesize
4.0MB

MD5
2dcf88dbdd296bd9c00a91820af57109

SHA1
07f957d33e873528110edc4b68939578bb164d2f

SHA256
0a47ff3002351e2925d038e389c814f2a5f69ce4bf03b0f886ee2ee75ea89a65

SHA512
5407918f9540658d3645f4c030072bcbf2060563972dd0ad4b7b433ef10083d79701538721de0f5ce774682318e4b4b11f1f1834811a635d7b3468c0246322ab

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\askinstall21.exe

Filesize
524KB

MD5
3b7666ddcd8668a6e0f228bc15c2d528

SHA1
1ec26d6afc64c30291a12638f9fa1cacbc530834

SHA256
ff7c1be25f9d0b351c2f1f11b9700d6c467519f6e374df66a78db855eac39dd9

SHA512
21730df8c6450f304926c0f81b2c1352563127fa353c4a05b32ea03c3950d65daaa83b684c27f31334bf7c00b99ca49cae508fcc2ef93ad1bf70b57310898995

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\file1.exe

Filesize
192KB

MD5
f542ee32e7168671e2952b89be66bca3

SHA1
c3e785978ea1747182d3c153cbb39089e522a4a1

SHA256
8ee3a19d5e1a6c198e6ad759c697910d681365a638ace0bc9e9c622afe16bc73

SHA512
2c8c5fd5b0267f750809d2bab24ebe070d11649cf2c827661c78c6627c8d7fc3b1375fda43079dd7dab21a02f5d75b9423f044203f58aeace78c4f89d23c64ab

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\jg2_2qua.exe

Filesize
561KB

MD5
676757904c8383fd9acbeed15aa8dcc4

SHA1
63f219ec9ef458a258b1845f42d46d2b12f30e8a

SHA256
b44acc4498924f5fa6a479e263626e3a36fee380c6d7463269bc5054dc64c4a9

SHA512
a4d4c945d334153fb91f2736a1ef20f6c4b5c710ec7e2064cdef503d926bb5da16f6ed32c56d2fc94ebb0f75be5e25e0c4cf13e8f9a8f2fd2f110b547aec0845

Download Submit
\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe

Filesize
71KB

MD5
f0372ff8a6148498b19e04203dbb9e69

SHA1
27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

SHA256
298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

SHA512
65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

Download Submit
\Users\Admin\AppData\Local\Temp\sib21A6.tmp\0\setup.exe

Filesize
3.8MB

MD5
d64e3cc11afc6331715bdfec5f26c2a0

SHA1
ba606f3c9115c584a902c909ac82f411463b551a

SHA256
4c02d9bcae00635df67ea4d3d64c67f258f0256c9f1553997815f8702bc34c63

SHA512
da002e155d6baf03648576a4574ea4635bd35ade04ea0175f3f406895085cd1da9a19eb0e19e0445d40c7d6e2a42d613f0d65684775022ad426db840034448cb

Download Submit
\Users\Admin\AppData\Local\Temp\sib21A6.tmp\SibClr.dll

Filesize
51KB

MD5
928e680dea22c19febe9fc8e05d96472

SHA1
0a4a749ddfd220e2b646b878881575ff9352cf73

SHA256
8b6b56f670d59ff93a1c7e601468127fc21f02dde567b5c21a5d53594cdaef94

SHA512
5fbc72c3fa98dc2b5ad2ed556d2c6dc9279d4be3eb90ffd7fa2ada39cb976eba7cb34033e5786d1cb6137c64c869027002be2f2cad408acefd5c22006a1fef34

Download Submit
memory/492-338-0x00000000000F0000-0x00000000000FD000-memory.dmp

Filesize
52KB

Download
memory/560-123-0x000000000EE10000-0x000000000EE22000-memory.dmp

Filesize
72KB

Download
memory/560-124-0x0000000011330000-0x00000000113EA000-memory.dmp

Filesize
744KB

Download
memory/828-132-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1032-171-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1032-294-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1032-326-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1032-279-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1520-62-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/1520-66-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/1520-72-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1520-73-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/1520-70-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/1520-68-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/1520-64-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/1520-60-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/1520-58-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/1520-56-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/1520-54-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/1520-84-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/1520-82-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/1520-87-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/1520-86-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/1520-85-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/1520-112-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/1520-114-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/1520-113-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/1548-1033-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1548-1036-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1772-173-0x0000000010000000-0x000000001033D000-memory.dmp

Filesize
3.2MB

Download
memory/1772-371-0x0000000000270000-0x0000000000276000-memory.dmp

Filesize
24KB

Download
memory/1772-372-0x00000000004D0000-0x00000000004F4000-memory.dmp

Filesize
144KB

Download
memory/1772-140-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1772-370-0x0000000001040000-0x0000000001074000-memory.dmp

Filesize
208KB

Download
memory/1772-373-0x00000000003C0000-0x00000000003C6000-memory.dmp

Filesize
24KB

Download
memory/1772-188-0x00000000038A0000-0x000000000396B000-memory.dmp

Filesize
812KB

Download
memory/2176-1111-0x0000000000300000-0x000000000035B000-memory.dmp

Filesize
364KB

Download
memory/2176-1031-0x0000000000300000-0x000000000035B000-memory.dmp

Filesize
364KB

Download
memory/2176-1032-0x0000000000300000-0x000000000035B000-memory.dmp

Filesize
364KB

Download
memory/2176-1110-0x0000000000300000-0x000000000035B000-memory.dmp

Filesize
364KB

Download
memory/2528-210-0x0000000003B70000-0x0000000004021000-memory.dmp

Filesize
4.7MB

Download
memory/2528-194-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2584-206-0x0000000003EA0000-0x0000000004351000-memory.dmp

Filesize
4.7MB

Download
memory/2628-169-0x00000000039B0000-0x0000000003AE6000-memory.dmp

Filesize
1.2MB

Download
memory/2628-284-0x00000000039B0000-0x0000000003AE6000-memory.dmp

Filesize
1.2MB

Download
memory/2628-287-0x00000000039B0000-0x0000000003AE6000-memory.dmp

Filesize
1.2MB

Download
memory/2628-285-0x00000000039B0000-0x0000000003AE6000-memory.dmp

Filesize
1.2MB

Download
memory/2628-386-0x0000000003440000-0x00000000034CA000-memory.dmp

Filesize
552KB

Download
memory/2628-385-0x0000000003440000-0x00000000034CA000-memory.dmp

Filesize
552KB

Download
memory/2628-286-0x00000000039B0000-0x0000000003AE6000-memory.dmp

Filesize
1.2MB

Download
memory/2628-377-0x0000000003440000-0x00000000034CA000-memory.dmp

Filesize
552KB

Download
memory/2628-168-0x00000000039B0000-0x0000000003AE6000-memory.dmp

Filesize
1.2MB

Download
memory/2628-167-0x00000000039B0000-0x0000000003AE6000-memory.dmp

Filesize
1.2MB

Download
memory/2628-166-0x00000000039B0000-0x0000000003AE6000-memory.dmp

Filesize
1.2MB

Download
memory/2708-388-0x0000000000920000-0x00000000009AA000-memory.dmp

Filesize
552KB

Download
memory/2708-945-0x0000000000920000-0x00000000009AA000-memory.dmp

Filesize
552KB

Download
memory/2832-76-0x0000000010000000-0x00000000100E4000-memory.dmp

Filesize
912KB

Download