fabookie | 693883c68fc9fd236ff5e63c81c01a0ba5ffa60360c4db1c125c5094bbce68fa

Analysis

max time kernel
137s
max time network
149s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
11-07-2024 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

keygen-step-4.exe
Size

7.6MB
MD5

1770a7731a4ea1030149e7f05cff1705
SHA1

02868a443c1864bb0afbe0832545736bd538028f
SHA256

3bd0eb640c37fb31423b560aeb5bf4f9f6117cb60c2a9e4509b7a0db80e0a092
SHA512

eec736c11084a6a066c2767ebbd1d4f06b6cfb4524450ca19bd8f9c743725545c7559f45e03aa5287732be9d35dbd72e80dfbd4bcdb810abd70bfc5b2ac00fe7
SSDEEP

196608:K90XryNC3HMcOrcX4MPIJe9A1eGL+pieBJPE11ExWR:1iUDX4MQwA1PCpiey11Z

Score

10^/10

fabookie ffdroider bootkit discovery persistence spyware stealer upx

Malware Config

Extracted

Family

ffdroider

http://101.36.107.74

Signatures

Detect Fabookie payload 1 IoCs

resource	yara_rule
behavioral9/files/0x000500000001879f-1160.dat	family_fabookie

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider
Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie

Detected Nirsoft tools 2 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral9/memory/1900-1204-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral9/memory/1364-1244-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft

Executes dropped EXE 13 IoCs

pid	Process
2792	002.exe
2620	Setup.exe
724	setup.exe
2284	aliens.exe
1492	jg2_2qua.exe
2264	85F91A36E275562F.exe
2924	85F91A36E275562F.exe
2660	ThunderFW.exe
2568	file1.exe
1684	BTRSetp.exe
1032	askinstall21.exe
1052	hjjgaa.exe
1900	jfiag3g_gg.exe

Loads dropped DLL 36 IoCs

pid	Process
2276	keygen-step-4.exe
2276	keygen-step-4.exe
2276	keygen-step-4.exe
2276	keygen-step-4.exe
2276	keygen-step-4.exe
2276	keygen-step-4.exe
2276	keygen-step-4.exe
2276	keygen-step-4.exe
2620	Setup.exe
2620	Setup.exe
2620	Setup.exe
2620	Setup.exe
724	setup.exe
2276	keygen-step-4.exe
2276	keygen-step-4.exe
2276	keygen-step-4.exe
2276	keygen-step-4.exe
1740	MsiExec.exe
2284	aliens.exe
2284	aliens.exe
2264	85F91A36E275562F.exe
2276	keygen-step-4.exe
2276	keygen-step-4.exe
2276	keygen-step-4.exe
2276	keygen-step-4.exe
2276	keygen-step-4.exe
2276	keygen-step-4.exe
2276	keygen-step-4.exe
2276	keygen-step-4.exe
2276	keygen-step-4.exe
2276	keygen-step-4.exe
2276	keygen-step-4.exe
2276	keygen-step-4.exe
2276	keygen-step-4.exe
1052	hjjgaa.exe
1052	hjjgaa.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral9/memory/1900-1201-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral9/files/0x000400000001dc97-1198.dat	upx
behavioral9/memory/1900-1204-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral9/files/0x000400000001dc97-1235.dat	upx
behavioral9/memory/1364-1238-0x0000000000400000-0x0000000000422000-memory.dmp	upx
behavioral9/memory/1364-1244-0x0000000000400000-0x0000000000422000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	hjjgaa.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnfhfpkmpnmlmlgfeabpegnfpdnmokco\5.18.6_0\manifest.json	askinstall21.exe
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nijbdiefebbgcbkabegbknmfejhopejj\1.0.0.0_0\manifest.json	85F91A36E275562F.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
28	iplogger.org
34	iplogger.org
41	iplogger.org
27	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
68	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	aliens.exe
File opened for modification	\??\PhysicalDrive0	85F91A36E275562F.exe
File opened for modification	\??\PhysicalDrive0	85F91A36E275562F.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2284	aliens.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2264 set thread context of 1896	2264	85F91A36E275562F.exe	43
PID 2264 set thread context of 2660	2264	85F91A36E275562F.exe	49
PID 2264 set thread context of 1996	2264	85F91A36E275562F.exe	53

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	setup.exe
File opened for modification	C:\Program Files (x86)\ujvqkl7ofji6	setup.exe
File created	C:\Program Files (x86)\ujvqkl7ofji6\__tmp_rar_sfx_access_check_259425731	setup.exe
File created	C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
3008	taskkill.exe
2072	taskkill.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 140000000100000014000000f8d0dc54367cf794020f8b92783a5d8a91251f9f0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd0f0000000100000020000000f58d226a1455ea81e8c8df37b8c942f342ebbc60a29701fc2895ec13140104612000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	file1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 19000000010000001000000018e847daffeaedafa0faaea36340ea790f0000000100000020000000f58d226a1455ea81e8c8df37b8c942f342ebbc60a29701fc2895ec13140104610300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd140000000100000014000000f8d0dc54367cf794020f8b92783a5d8a91251f9f2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	file1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	aliens.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	aliens.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD	file1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6C0CE2DD0584C47CAC18839F14055F19FA270CDD\Blob = 0f0000000100000020000000f58d226a1455ea81e8c8df37b8c942f342ebbc60a29701fc2895ec13140104610300000001000000140000006c0ce2dd0584c47cac18839f14055f19fa270cdd2000000001000000500500003082054c30820434a0030201020206016de34cff62300d06092a864886f70d01010b05003081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a301e170d3030303130313030303030305a170d3438313231353039313533375a3081aa313b303906035504030c32436861726c65732050726f78792043412028313920e58d81e69c8820323031392c204445534b544f502d424e41543131552931253023060355040b0c1c68747470733a2f2f636861726c657370726f78792e636f6d2f73736c3111300f060355040a0c08584b3732204c74643111300f06035504070c084175636b6c616e643111300f06035504080c084175636b6c616e64310b3009060355040613024e5a30820122300d06092a864886f70d01010105000382010f003082010a0282010100ae86c5043ed34d99f44fa3052ea34047a7fbbe33188b1dc2ca645ca3249e85e54b4921d4998fda6a22247c32d9087d742af3bf850803ae8c1e25faad53fb8fd823b7353d9a3ac992bf917f693826c790e53a540b120b6553508ec9585e467d310bd3ef9fb61731deb522eb78f43f824b34be36782db7a8cb162cd22247b14e4c5ae633ed66542354a59971bddc59160ecdc521b4477c93ca9e624e0af00298602300f5dc368819c3cb9f02604636888276b3a498570473b5328b0834f327c34285e333da9207e12f0edbb654c8cf11e3cc7cba17a52cd7cd42c10ae095a2e4eb9d3e3f361488243f0584af40e72d6e6e182149bfb8342384f60f12e14734258d0203010001a382017430820170300f0603551d130101ff040530030101ff3082012c06096086480186f842010d0482011d138201195468697320526f6f74206365727469666963617465207761732067656e65726174656420627920436861726c65732050726f787920666f722053534c2050726f7879696e672e20496620746869732063657274696669636174652069732070617274206f66206120636572746966696361746520636861696e2c2074686973206d65616e73207468617420796f752772652062726f7773696e67207468726f75676820436861726c65732050726f787920776974682053534c2050726f7879696e6720656e61626c656420666f72207468697320776562736974652e20506c656173652073656520687474703a2f2f636861726c657370726f78792e636f6d2f73736c20666f72206d6f726520696e666f726d6174696f6e2e300e0603551d0f0101ff040403020204301d0603551d0e04160414f8d0dc54367cf794020f8b92783a5d8a91251f9f300d06092a864886f70d01010b05000382010100662271eb9d5c744c88382de98ba37320e6312104d04273a92007a8670976d6530e6347d00bbded1319bb6754f36237596095922911e3661a70354f6ba0b797a76258be7adebb8c8dbeeed977760b80271d74b2444d92f6c1337a379b73545b251de5f8812b9625abbbfaedc15f8c6c374b9b26dd0fef035185f5899d8819e689dc6db5f0babbfd637c52b1bec80115b889faeed493d4112d744954ad3abe6607c41a4a2d657ba330ed131fa4e8c25bb28ee181dcef8da91c17bfd30a23c8eae81b152ed85ff938afc32b34ffdaffbdb72d9bb04067bfc87f579eba9637b165ea008ea7408bc8265f33c039bf60f506d245a6b53017afc8e161d70ed5b0d76576	file1.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
1076	PING.EXE
2824	PING.EXE
2908	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2620	chrome.exe
2620	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2768	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2768	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2768	msiexec.exe
Token: SeRestorePrivilege	2124	msiexec.exe
Token: SeTakeOwnershipPrivilege	2124	msiexec.exe
Token: SeSecurityPrivilege	2124	msiexec.exe
Token: SeCreateTokenPrivilege	2768	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2768	msiexec.exe
Token: SeLockMemoryPrivilege	2768	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2768	msiexec.exe
Token: SeMachineAccountPrivilege	2768	msiexec.exe
Token: SeTcbPrivilege	2768	msiexec.exe
Token: SeSecurityPrivilege	2768	msiexec.exe
Token: SeTakeOwnershipPrivilege	2768	msiexec.exe
Token: SeLoadDriverPrivilege	2768	msiexec.exe
Token: SeSystemProfilePrivilege	2768	msiexec.exe
Token: SeSystemtimePrivilege	2768	msiexec.exe
Token: SeProfSingleProcessPrivilege	2768	msiexec.exe
Token: SeIncBasePriorityPrivilege	2768	msiexec.exe
Token: SeCreatePagefilePrivilege	2768	msiexec.exe
Token: SeCreatePermanentPrivilege	2768	msiexec.exe
Token: SeBackupPrivilege	2768	msiexec.exe
Token: SeRestorePrivilege	2768	msiexec.exe
Token: SeShutdownPrivilege	2768	msiexec.exe
Token: SeDebugPrivilege	2768	msiexec.exe
Token: SeAuditPrivilege	2768	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2768	msiexec.exe
Token: SeChangeNotifyPrivilege	2768	msiexec.exe
Token: SeRemoteShutdownPrivilege	2768	msiexec.exe
Token: SeUndockPrivilege	2768	msiexec.exe
Token: SeSyncAgentPrivilege	2768	msiexec.exe
Token: SeEnableDelegationPrivilege	2768	msiexec.exe
Token: SeManageVolumePrivilege	2768	msiexec.exe
Token: SeImpersonatePrivilege	2768	msiexec.exe
Token: SeCreateGlobalPrivilege	2768	msiexec.exe
Token: SeCreateTokenPrivilege	2768	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2768	msiexec.exe
Token: SeLockMemoryPrivilege	2768	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2768	msiexec.exe
Token: SeMachineAccountPrivilege	2768	msiexec.exe
Token: SeTcbPrivilege	2768	msiexec.exe
Token: SeSecurityPrivilege	2768	msiexec.exe
Token: SeTakeOwnershipPrivilege	2768	msiexec.exe
Token: SeLoadDriverPrivilege	2768	msiexec.exe
Token: SeSystemProfilePrivilege	2768	msiexec.exe
Token: SeSystemtimePrivilege	2768	msiexec.exe
Token: SeProfSingleProcessPrivilege	2768	msiexec.exe
Token: SeIncBasePriorityPrivilege	2768	msiexec.exe
Token: SeCreatePagefilePrivilege	2768	msiexec.exe
Token: SeCreatePermanentPrivilege	2768	msiexec.exe
Token: SeBackupPrivilege	2768	msiexec.exe
Token: SeRestorePrivilege	2768	msiexec.exe
Token: SeShutdownPrivilege	2768	msiexec.exe
Token: SeDebugPrivilege	2768	msiexec.exe
Token: SeAuditPrivilege	2768	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2768	msiexec.exe
Token: SeChangeNotifyPrivilege	2768	msiexec.exe
Token: SeRemoteShutdownPrivilege	2768	msiexec.exe
Token: SeUndockPrivilege	2768	msiexec.exe
Token: SeSyncAgentPrivilege	2768	msiexec.exe
Token: SeEnableDelegationPrivilege	2768	msiexec.exe
Token: SeManageVolumePrivilege	2768	msiexec.exe
Token: SeImpersonatePrivilege	2768	msiexec.exe
Token: SeCreateGlobalPrivilege	2768	msiexec.exe
Token: SeCreateTokenPrivilege	2768	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2768	msiexec.exe
2620	chrome.exe
2620	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2792	002.exe
2792	002.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2792	2276	keygen-step-4.exe	30
PID 2276 wrote to memory of 2792	2276	keygen-step-4.exe	30
PID 2276 wrote to memory of 2792	2276	keygen-step-4.exe	30
PID 2276 wrote to memory of 2792	2276	keygen-step-4.exe	30
PID 2276 wrote to memory of 2620	2276	keygen-step-4.exe	31
PID 2276 wrote to memory of 2620	2276	keygen-step-4.exe	31
PID 2276 wrote to memory of 2620	2276	keygen-step-4.exe	31
PID 2276 wrote to memory of 2620	2276	keygen-step-4.exe	31
PID 2276 wrote to memory of 2620	2276	keygen-step-4.exe	31
PID 2276 wrote to memory of 2620	2276	keygen-step-4.exe	31
PID 2276 wrote to memory of 2620	2276	keygen-step-4.exe	31
PID 2620 wrote to memory of 724	2620	Setup.exe	32
PID 2620 wrote to memory of 724	2620	Setup.exe	32
PID 2620 wrote to memory of 724	2620	Setup.exe	32
PID 2620 wrote to memory of 724	2620	Setup.exe	32
PID 2620 wrote to memory of 724	2620	Setup.exe	32
PID 2620 wrote to memory of 724	2620	Setup.exe	32
PID 2620 wrote to memory of 724	2620	Setup.exe	32
PID 724 wrote to memory of 2284	724	setup.exe	33
PID 724 wrote to memory of 2284	724	setup.exe	33
PID 724 wrote to memory of 2284	724	setup.exe	33
PID 724 wrote to memory of 2284	724	setup.exe	33
PID 724 wrote to memory of 2284	724	setup.exe	33
PID 724 wrote to memory of 2284	724	setup.exe	33
PID 724 wrote to memory of 2284	724	setup.exe	33
PID 2276 wrote to memory of 1492	2276	keygen-step-4.exe	34
PID 2276 wrote to memory of 1492	2276	keygen-step-4.exe	34
PID 2276 wrote to memory of 1492	2276	keygen-step-4.exe	34
PID 2276 wrote to memory of 1492	2276	keygen-step-4.exe	34
PID 2284 wrote to memory of 2768	2284	aliens.exe	35
PID 2284 wrote to memory of 2768	2284	aliens.exe	35
PID 2284 wrote to memory of 2768	2284	aliens.exe	35
PID 2284 wrote to memory of 2768	2284	aliens.exe	35
PID 2284 wrote to memory of 2768	2284	aliens.exe	35
PID 2284 wrote to memory of 2768	2284	aliens.exe	35
PID 2284 wrote to memory of 2768	2284	aliens.exe	35
PID 2124 wrote to memory of 1740	2124	msiexec.exe	37
PID 2124 wrote to memory of 1740	2124	msiexec.exe	37
PID 2124 wrote to memory of 1740	2124	msiexec.exe	37
PID 2124 wrote to memory of 1740	2124	msiexec.exe	37
PID 2124 wrote to memory of 1740	2124	msiexec.exe	37
PID 2124 wrote to memory of 1740	2124	msiexec.exe	37
PID 2124 wrote to memory of 1740	2124	msiexec.exe	37
PID 2284 wrote to memory of 2264	2284	aliens.exe	38
PID 2284 wrote to memory of 2264	2284	aliens.exe	38
PID 2284 wrote to memory of 2264	2284	aliens.exe	38
PID 2284 wrote to memory of 2264	2284	aliens.exe	38
PID 2284 wrote to memory of 2264	2284	aliens.exe	38
PID 2284 wrote to memory of 2264	2284	aliens.exe	38
PID 2284 wrote to memory of 2264	2284	aliens.exe	38
PID 2284 wrote to memory of 2924	2284	aliens.exe	39
PID 2284 wrote to memory of 2924	2284	aliens.exe	39
PID 2284 wrote to memory of 2924	2284	aliens.exe	39
PID 2284 wrote to memory of 2924	2284	aliens.exe	39
PID 2284 wrote to memory of 2924	2284	aliens.exe	39
PID 2284 wrote to memory of 2924	2284	aliens.exe	39
PID 2284 wrote to memory of 2924	2284	aliens.exe	39
PID 2284 wrote to memory of 2128	2284	aliens.exe	40
PID 2284 wrote to memory of 2128	2284	aliens.exe	40
PID 2284 wrote to memory of 2128	2284	aliens.exe	40
PID 2284 wrote to memory of 2128	2284	aliens.exe	40
PID 2128 wrote to memory of 1076	2128	cmd.exe	42
PID 2128 wrote to memory of 1076	2128	cmd.exe	42
PID 2128 wrote to memory of 1076	2128	cmd.exe	42

C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe
"C:\Users\Admin\AppData\Local\Temp\keygen-step-4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\002.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\002.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2792
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Users\Admin\AppData\Local\Temp\sib83A3.tmp\0\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\sib83A3.tmp\0\setup.exe" -s
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:724
  - - C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe
      "C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Modifies system certificate store
      Suspicious use of WriteProcessMemory
      PID:2284
    - - C:\Windows\SysWOW64\msiexec.exe
        
        msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\gdiview.msi"
        5⤵
        Enumerates connected drives
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:2768
    - - C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe
        
        C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe 0011 installp1
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetThreadContext
        
        PID:2264
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        6⤵
        
        PID:1896
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        6⤵
        
        PID:2660
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        6⤵
        
        PID:1996
      - C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe
        
        C:\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe ThunderFW "C:\Users\Admin\AppData\Local\Temp\download\MiniThunderPlatform.exe"
        6⤵
        Executes dropped EXE
        
        PID:2660
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe"
        6⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        7⤵
        Runs ping.exe
        
        PID:2908
    - - C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe
        
        C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe 200 installp1
        5⤵
        Executes dropped EXE
        Drops Chrome extension
        Writes to the Master Boot Record (MBR)
        
        PID:2924
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:940
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:3008
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Users\Admin\AppData\Local\Temp\85F91A36E275562F.exe"
        6⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        7⤵
        Runs ping.exe
        
        PID:2824
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1 -n 3 & del "C:\Program Files (x86)\ujvqkl7ofji6\aliens.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2128
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 3
        6⤵
        Runs ping.exe
        
        PID:1076
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg2_2qua.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg2_2qua.exe"
  2⤵
  - Executes dropped EXE
  PID:1492
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\file1.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file1.exe"
  2⤵
  - Executes dropped EXE
  - Modifies system certificate store
  PID:2568
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe"
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\askinstall21.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\askinstall21.exe"
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  PID:1032
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c taskkill /f /im chrome.exe
    3⤵
    PID:940
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      Kills process with taskkill
      PID:2072
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\" /s /e /y
    3⤵
    - Enumerates system info in registry
    PID:2288
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:2620
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x7fef71e9758,0x7fef71e9768,0x7fef71e9778
      4⤵
      PID:1440
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1384,i,18035753870892826195,17194556736975149712,131072 /prefetch:2
      4⤵
      PID:2328
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99" --mojo-platform-channel-handle=1548 --field-trial-handle=1384,i,18035753870892826195,17194556736975149712,131072 /prefetch:8
      4⤵
      PID:380
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99" --mojo-platform-channel-handle=1628 --field-trial-handle=1384,i,18035753870892826195,17194556736975149712,131072 /prefetch:8
      4⤵
      PID:2404
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99" --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2140 --field-trial-handle=1384,i,18035753870892826195,17194556736975149712,131072 /prefetch:1
      4⤵
      PID:1992
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99" --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=1888 --field-trial-handle=1384,i,18035753870892826195,17194556736975149712,131072 /prefetch:1
      4⤵
      PID:980
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99" --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=2320 --field-trial-handle=1384,i,18035753870892826195,17194556736975149712,131072 /prefetch:1
      4⤵
      PID:2316
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99" --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2348 --field-trial-handle=1384,i,18035753870892826195,17194556736975149712,131072 /prefetch:1
      4⤵
      PID:2952
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1424 --field-trial-handle=1384,i,18035753870892826195,17194556736975149712,131072 /prefetch:2
      4⤵
      PID:2604
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99" --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3240 --field-trial-handle=1384,i,18035753870892826195,17194556736975149712,131072 /prefetch:1
      4⤵
      PID:2028
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\hjjgaa.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\hjjgaa.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  PID:1052
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    - Executes dropped EXE
    PID:1900
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    PID:1364

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 89A8B1DC15815117C7912743DBFC46B6 C
  2⤵
  - Loads dropped DLL
  PID:1740

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
1bfe0a81db078ea084ff82fe545176fe

SHA1
50b116f578bd272922fa8eae94f7b02fd3b88384

SHA256
5ba8817f13eee00e75158bad93076ab474a068c6b52686579e0f728fda68499f

SHA512
37c582f3f09f8d80529608c09041295d1644bcc9de6fb8c4669b05339b0dd870f9525abc5eed53ad06a94b51441275504bc943c336c5beb63b53460ba836ca8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
0a19a937a91bee6c0c48240454db4ce9

SHA1
a286785a86bc3882ce562aa872807f9e24c45293

SHA256
b86ca3d8354321c7e89e396d30d5db04ad4c51dfa007819e2b816715e58afd05

SHA512
613ad092b60c3789ecc046706071bd85bf264a98f39408dd0101d38b96b4ed6473f0c1a094b222a9e54c129ec20539905f128832b195040c377c338eb3f9897d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
149c970b605aaf63e1160f664db6cc25

SHA1
e4871801e156954dfde7bfa1e165665baf8ae056

SHA256
93dd7407ffd79e7f0d9248f0f48d6568fc59c0265d4a45e7c7092c9c5eb8c424

SHA512
0f1f68957d2ea3ba51af725cf5f868a8b8d217ce379afcfaaa03e9d1c9bcac964126d7047872874af8882dffe26b12fe21edcdad95296b24e5fa32cba24c9813

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
477a03e46296b77b0e404d55046b9051

SHA1
3ffe6484a4be2fd56a620e16b3ee3d7f8329f081

SHA256
cc37dbce574fa93591405378cee17be1af1320bc8425132ade0fd1ba7cb107cf

SHA512
01b52ce9932cd00d24fd1ea9d211431ee867ca7eb9cd2f1233de5a86dbdfca1747100651e1a042c82c508dabc5233422f6a4c1f7cba6bfa77e2f83db226e0485

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnfhfpkmpnmlmlgfeabpegnfpdnmokco\5.18.6_0\background.html

Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnfhfpkmpnmlmlgfeabpegnfpdnmokco\5.18.6_0\icon.png

Filesize
6KB

MD5
c8d8c174df68910527edabe6b5278f06

SHA1
8ac53b3605fea693b59027b9b471202d150f266f

SHA256
9434dd7008059a60d6d5ced8c8a63ab5cae407e7152da98ca4dda408510f08f5

SHA512
d439e5124399d1901934319535b7156c0ca8d76b5aa4ddf1dd0b598d43582f6d23c16f96be74d3cd5fe764396da55ca51811d08695f356f12f7a8a71bcc7e45c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnfhfpkmpnmlmlgfeabpegnfpdnmokco\5.18.6_0\js\aes.js

Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnfhfpkmpnmlmlgfeabpegnfpdnmokco\5.18.6_0\js\background.js

Filesize
16KB

MD5
c91c37512ade5eb915ce0d9bab796bd3

SHA1
a95b3ce5458a385a91c645b0d2b6e8411c79a638

SHA256
03ac1bde02ccefb52f65ba629e1a6005d570478ea1aa26675515f596039378d8

SHA512
b3e0dfc1eee09679fc840f2916afc7cf19781e141b734d4c0f44df29d2e56e3676bb7d67a73160b59abe98731f466f4d4bb7cc402ffbaad775a6f684a00d8ae9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\fnfhfpkmpnmlmlgfeabpegnfpdnmokco\5.18.6_0\manifest.json

Filesize
1KB

MD5
2fbed92dc5b4a4785a0ce6ff66ffefd0

SHA1
a4897ce09783ac30414a9a2b5476252c31f504a3

SHA256
a27d3b6c3856c73f46f50ccbc5f2d6f5388ed6071e2437074534ae226ba91ef3

SHA512
1881325f57c1c850d6b917e9e2f1d2532fa86721128d19b73b36e6161e7fe29738da6c23821b20aed334052488705b3dfc13902deab21094e8f878bd31a1cf0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
bd05bbf4507f160ca91548bcb0516d86

SHA1
5b6c7175ddcfdc88eb1403f2b7541a048329d36c

SHA256
34d0f376191c7e600d1cc2034fa313c1613056bbd74449c28726875155143b04

SHA512
473eec64d4f3f8c3952a2843b14f320287e5155982cc9920a89c07e69438d53a37d900239a95190ae1acfe2fcb5bfb894d1de7e729845f095d862a973ec8fac2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
dd807e32d39de97a0cdc59acd8444803

SHA1
5e93e9baf3d3de33bc32c6a4c23ce249d0a51712

SHA256
82ccbc1fc474325efb11b6c62a1a90a239816fbf14cbdb2fa95697569b4df953

SHA512
52a971382717c2af41937725060df47300e3a030641484cad6a1f2aa8e2b173819424e873f9d0ab30c85637bd2d5d148cc7685f94721c9c0a20fae39a8e47dcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
243f34667bbd3057a6b22ebb860694c2

SHA1
2d60ff3859eb03b51fc10436a33a9a41898cc688

SHA256
c7ca6c9deb01ad81f335a1dc9e79fa8ba88ac0e520a1064ab02291dbfbdb2f06

SHA512
576d7a04accf66cfb7b61f9c9cebdbdfde084da5c38976a81f09bc732278808380c80b60967476caeb6180948efaa9a8d27dfc32ea096ac5539ffdd919d73455

Download Submit
C:\Users\Admin\AppData\Local\Login Data1720713081491

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2F6A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\BTRSetp.exe

Filesize
172KB

MD5
65e85c03a7547fb7b79575f6e7d08ae6

SHA1
ed4733496e21e797b1ec02478deeda490bca6af5

SHA256
edd73f76650b83dcda8d2fa247c23ed297a6609a25a5d76a59a8774214be7a67

SHA512
0527aabe9197b4f7f9964e2ef95fc9d42f61270666fdb88020cba1b95be72658e534a0bfd0cbcfb234dd0803134fd0589dd0350415bc042f280bc1fc9a347ecf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\hjjgaa.exe

Filesize
978KB

MD5
5af45b49951e4e3b1c6d1a0b9cbed2db

SHA1
cae3f32b485f8406d8c4fb9aeeceb923b94b9452

SHA256
86407608f44bb780d40b92e45b200edb584395ca6536e172149c75fa8c60fc5e

SHA512
f4dfcd7a5da8458fc5727df712fee1e14be0b9c9fc0b14dd31c8bc10ab85e469d975c2d4982d031901abb1baba10db3976b58e4d66be1094dc79fff04d4ac74b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\jg2_2qua.exe

Filesize
561KB

MD5
676757904c8383fd9acbeed15aa8dcc4

SHA1
63f219ec9ef458a258b1845f42d46d2b12f30e8a

SHA256
b44acc4498924f5fa6a479e263626e3a36fee380c6d7463269bc5054dc64c4a9

SHA512
a4d4c945d334153fb91f2736a1ef20f6c4b5c710ec7e2064cdef503d926bb5da16f6ed32c56d2fc94ebb0f75be5e25e0c4cf13e8f9a8f2fd2f110b547aec0845

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4942.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gdiview.msi

Filesize
231KB

MD5
7cc103f6fd70c6f3a2d2b9fca0438182

SHA1
699bd8924a27516b405ea9a686604b53b4e23372

SHA256
dbd9f2128f0b92b21ef99a1d7a0f93f14ebe475dba436d8b1562677821b918a1

SHA512
92ec9590e32a0cf810fc5d15ca9d855c86e5b8cb17cf45dd68bcb972bd78692436535adf9f510259d604e0a8ba2e25c6d2616df242261eb7b09a0ca5c6c2c128

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
184KB

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
61KB

MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Crashpad\settings.dat

Filesize
40B

MD5
73a6dc263cd0733744af3edf0430e73c

SHA1
627cfa8003fb9e8b263ff4c7d5bd33e6c511af51

SHA256
c3a51d91384cbd5b6cf6797e9d82c938ed539a333f1909b3d2542d91a23f9300

SHA512
9387b59fc1767aacaf2995d78ee0cd32b74b040f75fa9036fcf268afdd99add3071e621f5c9748fcffe21c66cf648cd9d2b4c55732487bad3ef78771521342e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Cache\Cache_Data\f_000002

Filesize
20KB

MD5
9733b28706daf43380c4360d4c3192ea

SHA1
3cb2732e2aff81ff0c3b09a76fd07e94283a0717

SHA256
b8d08e5cb54c78a349ca477205288dab5ffdf9e745dae04fd6f7af5df12d0765

SHA512
7e4182cbd689577ec22e9a9d1b9e0002b7e039a6a0dadcdc0a232505ab18fca1648b9c15278aea9a2041fce9bd114e242192c192fb7647bf2b4daebb5f859820

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Cache\Cache_Data\f_000003

Filesize
129KB

MD5
a15cc318edaf06924cda318e9263419e

SHA1
e61c70bd77d9dcbe77d1a6c2a77d1a78b53867b7

SHA256
a6b46fe9ddbf350c91243280c2766e2f4b021ea2278bae3cd1cad8dab4cba838

SHA512
7bbec1a591be0b3d17b8777ee654394c502b6fc932cef02b550f84d21eb83755896804d93b1e1a0cdd434402c93997470367689d183d71b5153480ee9e0baafb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Cache\Cache_Data\f_000009

Filesize
20KB

MD5
4690934c380d75d115a4b4478ca8a3bc

SHA1
36c0a0af10113cce19044b25adc2333329e8b515

SHA256
e3e9909db760bdb8dea9eec7ff8d91fc226eba7a1f5e06b1f67c2fe24dda9c8d

SHA512
c1fbabca4a589c79c9a1fe7b4918279281eb802dd32f1b8b7f0e3ad280367c20bf4bba2c6660cd54b954c0bd8e8e99740cb28118890047f2c608d1bc3fdba644

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Cache\Cache_Data\f_00000a

Filesize
38KB

MD5
0072d23ce51b03828c973b42cd0e7112

SHA1
b1d5ce08d7b871998aa048ec901e8507d06d7e2e

SHA256
bb66f93d40eb9ba0410e0d3ccedb611c0526a6c42da2516493b1395286e556f5

SHA512
569f02302bde3232bfdd30034cfa5604806b4c2b03e788070831d05ef480834a3601d7a99ad4619e87491b0323c7674e1f83982e24e7c30eec2b137a90816139

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Cache\Cache_Data\f_00000b

Filesize
17KB

MD5
df1c35a189211c1f2d13cf92e872ce8e

SHA1
364dc84e3bef71fe2b953b1a48755614740e3743

SHA256
991179fe6698622b9e16eaa0e835ee2ca4098e526598f2d4f33706508dd283ad

SHA512
aa5c9a44eea1db929b047f650526cc6d8bd162330e9df5cf63b9ead9e4f76255c20031a86ff9bce5b888224377b6cef9a0d6bc2f2b42fceabd1d44cf86f4a77b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Cache\Cache_Data\f_00000c

Filesize
21KB

MD5
3669e98b2ae9734d101d572190d0c90d

SHA1
5e36898bebc6b11d8e985173fd8b401dc1820852

SHA256
7061caa61b21e5e5c1419ae0dc8299142ba89c8169a2bd968b6de34a564f888a

SHA512
0c5f0190b0df4939c2555ec7053a24f5dae388a0936140d68ed720a70542b40aaf65c882f43eb1878704bea3bd18934de4b1aac57a92f89bbb4c67a51b983ae3

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Cache\Cache_Data\f_00000d

Filesize
71KB

MD5
53e80ed6f1b37eaef95c059654690bb6

SHA1
dfde8964d3ca6bf930186a8dfb49c9886ea3dc88

SHA256
20792585bc10b071a7023b58644f65b7ee42347af941bc0eb27880bb5c50df3f

SHA512
64b47c9cc7be7d219f59767d8402ca25cb70debe1ac0a46aa672f768eee6450d5f1e0e85577a6173b546eda7c86c9f02ec160afec8c44f25ad942c784dc35119

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Cache\Cache_Data\f_00000e

Filesize
20KB

MD5
c1164ab65ff7e42adb16975e59216b06

SHA1
ac7204effb50d0b350b1e362778460515f113ecc

SHA256
d7928d8f5536d503eb37c541b5ce813941694b71b0eb550250c7e4cbcb1babbb

SHA512
1f84a9d9d51ac92e8fb66b54d103986e5c8a1ca03f52a7d8cdf21b77eb9f466568b33821530e80366ce95900b20816e14a767b73043a0019de4a2f1a4ffd1509

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Cache\Cache_Data\f_00000f

Filesize
34KB

MD5
b63bcace3731e74f6c45002db72b2683

SHA1
99898168473775a18170adad4d313082da090976

SHA256
ea3a8425dcf06dbc9c9be0ccd2eb6381507dd5ac45e2a685b3a9b1b5d289d085

SHA512
d62d4dddb7ec61ef82d84f93f6303001ba78d16fd727090c9d8326a86ab270f926b338c8164c2721569485663da88b850c3a6452ccb8b3650c6fa5ce1ce0f140

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Cache\Cache_Data\f_000010

Filesize
16KB

MD5
9978db669e49523b7adb3af80d561b1b

SHA1
7eb15d01e2afd057188741fad9ea1719bccc01ea

SHA256
4e57f4cf302186300f95c74144cbca9eb756c0a8313ebf32f8aba5c279dd059c

SHA512
04b216bd907c70ee2b96e513f7de56481388b577e6ccd67145a48178a605581fab715096cfb75d1bb336e6ad0060701d2a3680e9f38fe31e1573d5965f1e380a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
193ce3d92ce8d85577ce15a18d2c7181

SHA1
d50d50d51c4d5d6500db5a1c661a8c5c6486c10e

SHA256
c4e80e3a92a31c787bc333a1e1887355d0354c14360ac17468e21a50f4fb74f9

SHA512
c47c7a8b3e4a77115e6934d42d45c94cb607257750508dad2a1f18685de3676345430eb34934b3e3a47b37bbacdf1480b4be3fb62f24af7fdac14132fa2f4970

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Code Cache\wasm\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\DawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Extensions\nijbdiefebbgcbkabegbknmfejhopejj\1.0.0.0_0\background.js

Filesize
886B

MD5
fedaca056d174270824193d664e50a3f

SHA1
58d0c6e4ec18ab761805aabb8d94f3c4cbe639f5

SHA256
8f538ed9e633d5c9ea3e8fb1354f58b3a5233f1506c9d3d01873c78e3eb88b8d

SHA512
2f1968ede11b9510b43b842705e5ddac4f85a9e2aa6aee542bec80600228ff5a5723246f77c526154eb9a00a87a5c7ddd634447a8f7a97d6da33b94509731dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Extensions\nijbdiefebbgcbkabegbknmfejhopejj\1.0.0.0_0\d8yI+Hf7rX.js

Filesize
152B

MD5
30cbbf4df66b87924c75750240618648

SHA1
64af3dd53d6ded500863387e407f876c89a29b9a

SHA256
d35fbd13c27f0a01dc944584d05776ba7e6ad3b3d2cbde1f7c349e94502127f5

SHA512
8117b8537a0b5f4bb3ed711d9f062e7a901a90fd3d2cf9dffcc15d03ed4e001991ba2c79bca072fa7fd7ce100f38370105d3ce76eb87f2877c0bf18b4d8cfbab

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Extensions\nijbdiefebbgcbkabegbknmfejhopejj\1.0.0.0_0\icon.png

Filesize
1KB

MD5
5d207f5a21e55e47fccd8ef947a023ae

SHA1
3a80a7cf3a8c8f9bdce89a04239a7e296a94160f

SHA256
4e8ce139d89a497adb4c6f7d2ffc96b583da1882578ab09d121a459c5ad8335f

SHA512
38436956d5414a2cf66085f290ef15681dbf449b453431f937a09bfe21577252565d0c9fa0aceaad158b099383e55b94c721e23132809df728643504effcbe2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Extensions\nijbdiefebbgcbkabegbknmfejhopejj\1.0.0.0_0\icon48.png

Filesize
2KB

MD5
e35b805293ccd4f74377e9959c35427d

SHA1
9755c6f8bab51bd40bd6a51d73be2570605635d1

SHA256
2bf1d9879b36be03b2f140fad1932bc6aaaaac834082c2cd9e98be6773918ca0

SHA512
6c7d37378aa1e521e73980c431ce5815dedb28d5b7003009b91392303d3bec1ee6f2aae719b766da4209b607cd702fae283e1682d3785eff85e07d5ee81319c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Extensions\nijbdiefebbgcbkabegbknmfejhopejj\1.0.0.0_0\jquery-1.8.3.min.js

Filesize
91KB

MD5
e1288116312e4728f98923c79b034b67

SHA1
8b6babff47b8a9793f37036fd1b1a3ad41d38423

SHA256
ba6eda7945ab8d7e57b34cc5a3dd292fa2e4c60a5ced79236ecf1a9e0f0c2d32

SHA512
bf28a9a446e50639a9592d7651f89511fc4e583e213f20a0dff3a44e1a7d73ceefdb6597db121c7742bde92410a27d83d92e2e86466858a19803e72a168e5656

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Extensions\nijbdiefebbgcbkabegbknmfejhopejj\1.0.0.0_0\manifest.json

Filesize
1KB

MD5
daeb07575f18e899586ec16b49bc64bb

SHA1
f2eb63bee6c46fdf4619d04118c70fac2a9f86c9

SHA256
6882a880abe63c38cab3abf2d787400c0c198a6bbaeff1176a4b0dd2917f3512

SHA512
de9b6ca3781e45b52f4786cf5800fd31756a2ae1d711388a9b5cf277a565d2295e63db9a5229a2dae5961a9bffd69e5dab57d1681b9f6e024a7a0959bc148890

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Extensions\nijbdiefebbgcbkabegbknmfejhopejj\1.0.0.0_0\popup.html

Filesize
280B

MD5
e93b02d6cffcca037f3ea55dc70ee969

SHA1
db09ed8eb9dbc82119fa1f76b3e36f2722ed2153

SHA256
b057584f5e81b48291e696c061f94b1e88ca52522490816d4bf900817ff822bd

SHA512
f85b5b38ade3efa605e1da27e8680045548e3343804073f9fe0c83e4becfb2eb4a237c8e1c84d43da386cbdddcc45f915bce950ed41d53a8dfdf85af2dfac879

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Extensions\nijbdiefebbgcbkabegbknmfejhopejj\1.0.0.0_0\popup.js

Filesize
642B

MD5
2ac02ee5f808bc4deb832fb8e7f6f352

SHA1
05375ef86ff516d91fb9746c0cbc46d2318beb86

SHA256
ddc877c153b3a9cd5ec72fef6314739d58ae885e5eff09aadbb86b41c3d814e6

SHA512
6b86f979e43a35d24baaf5762fc0d183584b62779e4b500eb0c5f73fae36b054a66c5b0620ea34c6ac3c562624bec3db3698520af570bb4ed026d907e03182e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\GCM Store\Encryption\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Local Storage\leveldb\MANIFEST-000004

Filesize
50B

MD5
031d6d1e28fe41a9bdcbd8a21da92df1

SHA1
38cee81cb035a60a23d6e045e5d72116f2a58683

SHA256
b51bc53f3c43a5b800a723623c4e56a836367d6e2787c57d71184df5d24151da

SHA512
e994cd3a8ee3e3cf6304c33df5b7d6cc8207e0c08d568925afa9d46d42f6f1a5bdd7261f0fd1fcdf4df1a173ef4e159ee1de8125e54efee488a1220ce85af904

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Safe Browsing Network\Safe Browsing Cookies

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Secure Preferences

Filesize
13KB

MD5
8b7ffdf2fc5bf9103d83e6cd4e8ba482

SHA1
6545ce4073179a7f692310d48a186bf1079f3ef4

SHA256
c26a231de6e99e7c62f1b539646f7bc7307d1ce5f3b3b5bf65804170071837ff

SHA512
c0974dfa14962ecf888211e16fcd2cffb86388aa7c4fd48e592239c8366785b7f5b7119221cbe7cacac52d678f370b577abc1ce36ceaea3a63a5e041cf4d38eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnnsfgfgfghaz99\Default\shared_proto_db\MANIFEST-000004

Filesize
50B

MD5
494e626a5079642efed0f0c7f38bd4ef

SHA1
0cbead74a33ad551eae3b25c213d3b080535589b

SHA256
9ce8bd68fe0b86c0bf2067d549e7b93bc1c24f12bdfd227aba521e9d7e704436

SHA512
659bc9699799757dec5b257d78949d378caf03001890f7ae24d28055cff7175d85f8ea14393048aab1c0ba460082f568e5f4bfacdb8921f006f98989293fe78d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\puxo0sjr.Admin\storage\default\moz-extension+++c9cdd9b2-a8a6-4f4c-8167-86f19e1820e6^userContextId=4294967295\idb\3647222921wleabcEoxlt-eengsairo.sqlite

Filesize
48KB

MD5
2eab03c24e521ee22c08a3e3bab16d7f

SHA1
d8ea20c5d4e7866c66ef36201e27fce4e10ad12b

SHA256
5c1fffc1e126ebbc19e4ef0cff60d5a0278cc57868737157746827acf7248ba2

SHA512
916cefe311d2b01d58062a022f5172880bd99c817b421f354a75a5c09e013676da7e2c16f333f1be121d62cb848b9739b0f2c4d2f45c56789574b93a97c7685b

Download Submit
\Users\Admin\AppData\Local\Temp\MSI93C7.tmp

Filesize
6KB

MD5
84878b1a26f8544bda4e069320ad8e7d

SHA1
51c6ee244f5f2fa35b563bffb91e37da848a759c

SHA256
809aab5eace34dfbfb2b3d45462d42b34fcb95b415201d0d625414b56e437444

SHA512
4742b84826961f590e0a2d6cc85a60b59ca4d300c58be5d0c33eb2315cefaf5627ae5ed908233ad51e188ce53ca861cf5cf8c1aa2620dc2667f83f98e627b549

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\002.exe

Filesize
1.2MB

MD5
6503c9c4f19a4b33b701cc5b97b349bc

SHA1
fedb760f67f6000bf311c76dff55c35beeda8b81

SHA256
b79d5e0c3939bb3dd877dd327af8d16a9406d8eca0b888938a0ad39b56311c1a

SHA512
641629267461ae617bb639be4a1c4498fe0aea101b447a9cf1fc78140a6194992de3e60a2eb936001226dc088248ed37254d39914f5d0dced1351c9039823bf6

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

Filesize
4.0MB

MD5
2dcf88dbdd296bd9c00a91820af57109

SHA1
07f957d33e873528110edc4b68939578bb164d2f

SHA256
0a47ff3002351e2925d038e389c814f2a5f69ce4bf03b0f886ee2ee75ea89a65

SHA512
5407918f9540658d3645f4c030072bcbf2060563972dd0ad4b7b433ef10083d79701538721de0f5ce774682318e4b4b11f1f1834811a635d7b3468c0246322ab

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\askinstall21.exe

Filesize
524KB

MD5
3b7666ddcd8668a6e0f228bc15c2d528

SHA1
1ec26d6afc64c30291a12638f9fa1cacbc530834

SHA256
ff7c1be25f9d0b351c2f1f11b9700d6c467519f6e374df66a78db855eac39dd9

SHA512
21730df8c6450f304926c0f81b2c1352563127fa353c4a05b32ea03c3950d65daaa83b684c27f31334bf7c00b99ca49cae508fcc2ef93ad1bf70b57310898995

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\file1.exe

Filesize
192KB

MD5
f542ee32e7168671e2952b89be66bca3

SHA1
c3e785978ea1747182d3c153cbb39089e522a4a1

SHA256
8ee3a19d5e1a6c198e6ad759c697910d681365a638ace0bc9e9c622afe16bc73

SHA512
2c8c5fd5b0267f750809d2bab24ebe070d11649cf2c827661c78c6627c8d7fc3b1375fda43079dd7dab21a02f5d75b9423f044203f58aeace78c4f89d23c64ab

Download Submit
\Users\Admin\AppData\Local\Temp\download\ThunderFW.exe

Filesize
71KB

MD5
f0372ff8a6148498b19e04203dbb9e69

SHA1
27fe4b5f8cb9464ab5ddc63e69c3c180b77dbde8

SHA256
298d334b630c77b70e66cf5e9c1924c7f0d498b02c2397e92e2d9efdff2e1bdf

SHA512
65d84817cdddb808b6e0ab964a4b41e96f7ce129e3cc8c253a31642efe73a9b7070638c22c659033e1479322aceea49d1afdceff54f8ed044b1513bffd33f865

Download Submit
\Users\Admin\AppData\Local\Temp\nso82E7.tmp\Sibuia.dll

Filesize
527KB

MD5
eb948284236e2d61eae0741280265983

SHA1
d5180db7f54de24c27489b221095871a52dc9156

SHA256
dbe5a7daf5bcff97f7c48f9b5476db3072cc85fbffd660adaff2e0455132d026

SHA512
6d8087022ee62acd823cfa871b8b3e3251e44f316769dc04e2ad169e9df6a836dba95c3b268716f2397d6c6a3624a9e50dbe0bc847f3c4f3ef8e09bff30f2d75

Download Submit
\Users\Admin\AppData\Local\Temp\sib83A3.tmp\0\setup.exe

Filesize
3.8MB

MD5
d64e3cc11afc6331715bdfec5f26c2a0

SHA1
ba606f3c9115c584a902c909ac82f411463b551a

SHA256
4c02d9bcae00635df67ea4d3d64c67f258f0256c9f1553997815f8702bc34c63

SHA512
da002e155d6baf03648576a4574ea4635bd35ade04ea0175f3f406895085cd1da9a19eb0e19e0445d40c7d6e2a42d613f0d65684775022ad426db840034448cb

Download Submit
\Users\Admin\AppData\Local\Temp\sib83A3.tmp\SibClr.dll

Filesize
51KB

MD5
928e680dea22c19febe9fc8e05d96472

SHA1
0a4a749ddfd220e2b646b878881575ff9352cf73

SHA256
8b6b56f670d59ff93a1c7e601468127fc21f02dde567b5c21a5d53594cdaef94

SHA512
5fbc72c3fa98dc2b5ad2ed556d2c6dc9279d4be3eb90ffd7fa2ada39cb976eba7cb34033e5786d1cb6137c64c869027002be2f2cad408acefd5c22006a1fef34

Download Submit
memory/1032-1156-0x0000000000150000-0x00000000001DA000-memory.dmp

Filesize
552KB

Download
memory/1052-1199-0x0000000001FD0000-0x000000000202B000-memory.dmp

Filesize
364KB

Download
memory/1052-1200-0x0000000001FD0000-0x000000000202B000-memory.dmp

Filesize
364KB

Download
memory/1052-1236-0x0000000001FD0000-0x0000000001FF2000-memory.dmp

Filesize
136KB

Download
memory/1052-1237-0x0000000001FD0000-0x0000000001FF2000-memory.dmp

Filesize
136KB

Download
memory/1052-1229-0x0000000001FD0000-0x000000000202B000-memory.dmp

Filesize
364KB

Download
memory/1052-1230-0x0000000001FD0000-0x000000000202B000-memory.dmp

Filesize
364KB

Download
memory/1364-1238-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1364-1244-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1492-231-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1492-222-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1492-114-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1492-267-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/1684-315-0x0000000000300000-0x0000000000324000-memory.dmp

Filesize
144KB

Download
memory/1684-314-0x00000000002F0000-0x00000000002F6000-memory.dmp

Filesize
24KB

Download
memory/1684-313-0x00000000000C0000-0x00000000000F4000-memory.dmp

Filesize
208KB

Download
memory/1684-316-0x0000000000420000-0x0000000000426000-memory.dmp

Filesize
24KB

Download
memory/1900-1201-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1900-1204-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2264-149-0x0000000003D30000-0x00000000041E1000-memory.dmp

Filesize
4.7MB

Download
memory/2264-138-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2276-233-0x0000000003930000-0x0000000003A66000-memory.dmp

Filesize
1.2MB

Download
memory/2276-234-0x0000000003930000-0x0000000003A66000-memory.dmp

Filesize
1.2MB

Download
memory/2276-320-0x00000000033D0000-0x000000000345A000-memory.dmp

Filesize
552KB

Download
memory/2276-232-0x0000000003930000-0x0000000003A66000-memory.dmp

Filesize
1.2MB

Download
memory/2276-329-0x00000000033D0000-0x000000000345A000-memory.dmp

Filesize
552KB

Download
memory/2276-328-0x00000000033D0000-0x000000000345A000-memory.dmp

Filesize
552KB

Download
memory/2276-113-0x0000000003930000-0x0000000003A66000-memory.dmp

Filesize
1.2MB

Download
memory/2276-112-0x0000000003930000-0x0000000003A66000-memory.dmp

Filesize
1.2MB

Download
memory/2276-111-0x0000000003930000-0x0000000003A66000-memory.dmp

Filesize
1.2MB

Download
memory/2276-110-0x0000000003930000-0x0000000003A66000-memory.dmp

Filesize
1.2MB

Download
memory/2284-133-0x0000000004100000-0x00000000041CB000-memory.dmp

Filesize
812KB

Download
memory/2284-118-0x0000000010000000-0x000000001033D000-memory.dmp

Filesize
3.2MB

Download
memory/2284-139-0x0000000004100000-0x00000000041CB000-memory.dmp

Filesize
812KB

Download
memory/2284-83-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2568-279-0x0000000000100000-0x000000000010D000-memory.dmp

Filesize
52KB

Download
memory/2620-68-0x0000000011310000-0x00000000113CA000-memory.dmp

Filesize
744KB

Download
memory/2620-67-0x0000000010EB0000-0x0000000010EC2000-memory.dmp

Filesize
72KB

Download
memory/2792-34-0x0000000010000000-0x00000000100E4000-memory.dmp

Filesize
912KB

Download