fabookie | ea5e0d5f12deeb25573cc7fcade7327945d5e4778c1569e189dc483e96583cbc

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2024 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fijewh.zip
Size

36.0MB
MD5

7e6d7c0df23672babd30f9543916ca52
SHA1

0571efe4079a95cb118d79f8c87cdb8694193973
SHA256

ea5e0d5f12deeb25573cc7fcade7327945d5e4778c1569e189dc483e96583cbc
SHA512

010799374e9bb476c248ecd326ef67e076959b92da685c538b7f4bd4b94570a3e3cf43d64cd52b2a127dc15e2f11b41e1ea2d8c32fd9019f7272538311baf8c2
SSDEEP

393216:dGRv1cKZdpkm4SNOFXT+93GRv1cKZdpkm4SNOFXT+9ZEcnTXHfV18f49bWUccq:G/dkUsTD/dkUsTwECL/nXbW2q

Score

10^/10

fabookie mimikatz pony socelars collection credential_access discovery persistence rat spyware stealer upx vmprotect

Malware Config

Extracted

Family

socelars

http://www.nicekkk.pw/

http://www.nextinfo.pw/

http://www.allinfo.pw/

Signatures

Detect Fabookie payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4512-186-0x00000000007E0000-0x0000000000E50000-memory.dmp	family_fabookie
behavioral1/memory/3864-344-0x0000000000F70000-0x00000000015E0000-memory.dmp	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Fabookie family
fabookie
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz
Pony family
pony
Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars

Socelars payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1516-175-0x0000000000400000-0x000000000052B000-memory.dmp	family_socelars
behavioral1/memory/396-336-0x0000000000400000-0x000000000052B000-memory.dmp	family_socelars
behavioral1/memory/396-351-0x0000000000400000-0x000000000052B000-memory.dmp	family_socelars

Detected Nirsoft tools 5 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

Processes:

resource	yara_rule
behavioral1/memory/4512-186-0x00000000007E0000-0x0000000000E50000-memory.dmp	Nirsoft
behavioral1/memory/3540-197-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe	Nirsoft
behavioral1/memory/3864-344-0x0000000000F70000-0x00000000015E0000-memory.dmp	Nirsoft
behavioral1/memory/4012-357-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft

mimikatz is an open source tool to dump credentials on Windows 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe	mimikatz
behavioral1/memory/3736-100-0x0000000000400000-0x0000000000531000-memory.dmp	mimikatz
behavioral1/memory/3692-285-0x0000000000400000-0x0000000000531000-memory.dmp	mimikatz

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

whhw.exeSetup.tmpSetup.tmpLonelyscreen.1.2.9.keygen.by.Paradox.exekeygen-step-4.exekeygen-pr.exekeygen-step-4.exewhhw.exeLonelyscreen.1.2.9.keygen.by.Paradox.exekeygen-pr.exeLonelyscreen.1.2.9.keygen.by.Paradox.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	whhw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Setup.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Setup.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Lonelyscreen.1.2.9.keygen.by.Paradox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	keygen-step-4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	keygen-pr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	keygen-step-4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	whhw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Lonelyscreen.1.2.9.keygen.by.Paradox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	keygen-pr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Lonelyscreen.1.2.9.keygen.by.Paradox.exe

Executes dropped EXE 30 IoCs

Processes:

Lonelyscreen.1.2.9.keygen.by.Paradox.exekeygen-pr.exekeygen-step-3.exekeygen-step-4.exekey.exewhhw.exekey.exesetup.upx.exeid6.exeLonelyscreen.1.2.9.keygen.by.Paradox.exeSetup.exeSetup.tmpsearzar.exehjjgaa.exejfiag_gg.exekeygen-pr.exekeygen-step-3.exekeygen-step-4.exekey.exejfiag_gg.exewhhw.exesetup.upx.exeid6.exeSetup.exeSetup.tmpsearzar.exehjjgaa.exejfiag_gg.exejfiag_gg.exeLonelyscreen.1.2.9.keygen.by.Paradox.exe

pid	process
2116	Lonelyscreen.1.2.9.keygen.by.Paradox.exe
2972	keygen-pr.exe
4576	keygen-step-3.exe
2844	keygen-step-4.exe
4040	key.exe
4876	whhw.exe
2420	key.exe
3736	setup.upx.exe
3392	id6.exe
452	Lonelyscreen.1.2.9.keygen.by.Paradox.exe
3968	Setup.exe
440	Setup.tmp
1516	searzar.exe
4512	hjjgaa.exe
3540	jfiag_gg.exe
884	keygen-pr.exe
3160	keygen-step-3.exe
2420	keygen-step-4.exe
1572	key.exe
4780	jfiag_gg.exe
3384	whhw.exe
3692	setup.upx.exe
4348	id6.exe
4448	Setup.exe
2180	Setup.tmp
396	searzar.exe
3864	hjjgaa.exe
4012	jfiag_gg.exe
4940	jfiag_gg.exe
6248	Lonelyscreen.1.2.9.keygen.by.Paradox.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe	vmprotect
behavioral1/memory/4512-186-0x00000000007E0000-0x0000000000E50000-memory.dmp	vmprotect
behavioral1/memory/3864-344-0x0000000000F70000-0x00000000015E0000-memory.dmp	vmprotect

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

key.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	key.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

key.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	key.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

hjjgaa.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kissq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kissq.exe"	hjjgaa.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

47 iplogger.org
81 iplogger.org
82 iplogger.org
43 iplogger.org
44 iplogger.org
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

51 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

key.exe

description pid process target process

PID 4040 set thread context of 2420 4040 key.exe key.exe

flow	ioc
47	iplogger.org
81	iplogger.org
82	iplogger.org
43	iplogger.org
44	iplogger.org

flow	ioc
51	ip-api.com

description	pid	process	target process
PID 4040 set thread context of 2420	4040	key.exe	key.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX3\setup.upx.exe	upx
behavioral1/memory/3736-99-0x0000000000400000-0x0000000000531000-memory.dmp	upx
behavioral1/memory/3736-100-0x0000000000400000-0x0000000000531000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\RarSFX2\searzar\searzar.exe	upx
behavioral1/memory/1516-165-0x0000000000400000-0x000000000052B000-memory.dmp	upx
behavioral1/memory/1516-175-0x0000000000400000-0x000000000052B000-memory.dmp	upx
behavioral1/memory/3540-193-0x0000000000400000-0x000000000045B000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe	upx
behavioral1/memory/3540-197-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/3692-285-0x0000000000400000-0x0000000000531000-memory.dmp	upx
behavioral1/memory/396-336-0x0000000000400000-0x000000000052B000-memory.dmp	upx
behavioral1/memory/396-351-0x0000000000400000-0x000000000052B000-memory.dmp	upx
behavioral1/memory/4012-354-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/memory/4012-357-0x0000000000400000-0x000000000045B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 41 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

id6.exeLonelyScreen.exekeygen-step-4.exesearzar.execmd.exekeygen-step-4.exekeygen-pr.exePING.EXESetup.tmpkeygen-step-3.execmd.exeSetup.exehjjgaa.exejfiag_gg.exeLonelyscreen.1.2.9.keygen.by.Paradox.exeLonelyscreen.1.2.9.keygen.by.Paradox.exehjjgaa.exekey.exeSetup.tmpPING.EXEcmd.exesearzar.exeLonelyscreen.1.2.9.keygen.by.Paradox.exePING.EXEcmd.exewhhw.execmd.exeSetup.exejfiag_gg.execmd.exekeygen-step-3.exekey.exeid6.exesetup.upx.exewhhw.exejfiag_gg.exekey.exesetup.upx.exePING.EXEjfiag_gg.exekeygen-pr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	id6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LonelyScreen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen-step-4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	searzar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen-step-4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen-pr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen-step-3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hjjgaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jfiag_gg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lonelyscreen.1.2.9.keygen.by.Paradox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lonelyscreen.1.2.9.keygen.by.Paradox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hjjgaa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	key.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	searzar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lonelyscreen.1.2.9.keygen.by.Paradox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whhw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jfiag_gg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen-step-3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	key.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	id6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.upx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whhw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jfiag_gg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	key.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.upx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jfiag_gg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	keygen-pr.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 10 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

cmd.exePING.EXEPING.EXEcmd.execmd.exePING.EXEcmd.exePING.EXEcmd.exePING.EXE

pid process

3184 cmd.exe
2336 PING.EXE
1648 PING.EXE
3864 cmd.exe
6404 cmd.exe
6988 PING.EXE
1440 cmd.exe
2760 PING.EXE
1044 cmd.exe
1608 PING.EXE

pid	process
3184	cmd.exe
2336	PING.EXE
1648	PING.EXE
3864	cmd.exe
6404	cmd.exe
6988	PING.EXE
1440	cmd.exe
2760	PING.EXE
1044	cmd.exe
1608	PING.EXE

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX9\Install.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\RarSFX9\Install.exe	nsis_installer_2

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings firefox.exe
Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

1648 PING.EXE
1608 PING.EXE
6988 PING.EXE
2336 PING.EXE
2760 PING.EXE
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

key.exeSetup.tmpjfiag_gg.exeSetup.tmpjfiag_gg.exe

pid process

4040 key.exe
4040 key.exe
440 Setup.tmp
440 Setup.tmp
4780 jfiag_gg.exe
4780 jfiag_gg.exe
2180 Setup.tmp
2180 Setup.tmp
4940 jfiag_gg.exe
4940 jfiag_gg.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

4452 7zFM.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	firefox.exe

pid	process
1648	PING.EXE
1608	PING.EXE
6988	PING.EXE
2336	PING.EXE
2760	PING.EXE

pid	process
4040	key.exe
4040	key.exe
440	Setup.tmp
440	Setup.tmp
4780	jfiag_gg.exe
4780	jfiag_gg.exe
2180	Setup.tmp
2180	Setup.tmp
4940	jfiag_gg.exe
4940	jfiag_gg.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

Processes:

7zFM.exe7zG.exe7zG.exekey.exefirefox.exe

description	pid	process
Token: SeRestorePrivilege	4452	7zFM.exe
Token: 35	4452	7zFM.exe
Token: SeSecurityPrivilege	4452	7zFM.exe
Token: SeRestorePrivilege	3956	7zG.exe
Token: 35	3956	7zG.exe
Token: SeSecurityPrivilege	3956	7zG.exe
Token: SeSecurityPrivilege	3956	7zG.exe
Token: SeRestorePrivilege	3384	7zG.exe
Token: 35	3384	7zG.exe
Token: SeSecurityPrivilege	3384	7zG.exe
Token: SeSecurityPrivilege	3384	7zG.exe
Token: SeImpersonatePrivilege	4040	key.exe
Token: SeTcbPrivilege	4040	key.exe
Token: SeChangeNotifyPrivilege	4040	key.exe
Token: SeCreateTokenPrivilege	4040	key.exe
Token: SeBackupPrivilege	4040	key.exe
Token: SeRestorePrivilege	4040	key.exe
Token: SeIncreaseQuotaPrivilege	4040	key.exe
Token: SeAssignPrimaryTokenPrivilege	4040	key.exe
Token: SeImpersonatePrivilege	4040	key.exe
Token: SeTcbPrivilege	4040	key.exe
Token: SeChangeNotifyPrivilege	4040	key.exe
Token: SeCreateTokenPrivilege	4040	key.exe
Token: SeBackupPrivilege	4040	key.exe
Token: SeRestorePrivilege	4040	key.exe
Token: SeIncreaseQuotaPrivilege	4040	key.exe
Token: SeAssignPrimaryTokenPrivilege	4040	key.exe
Token: SeImpersonatePrivilege	4040	key.exe
Token: SeTcbPrivilege	4040	key.exe
Token: SeChangeNotifyPrivilege	4040	key.exe
Token: SeCreateTokenPrivilege	4040	key.exe
Token: SeBackupPrivilege	4040	key.exe
Token: SeRestorePrivilege	4040	key.exe
Token: SeIncreaseQuotaPrivilege	4040	key.exe
Token: SeAssignPrimaryTokenPrivilege	4040	key.exe
Token: SeImpersonatePrivilege	4040	key.exe
Token: SeTcbPrivilege	4040	key.exe
Token: SeChangeNotifyPrivilege	4040	key.exe
Token: SeCreateTokenPrivilege	4040	key.exe
Token: SeBackupPrivilege	4040	key.exe
Token: SeRestorePrivilege	4040	key.exe
Token: SeIncreaseQuotaPrivilege	4040	key.exe
Token: SeAssignPrimaryTokenPrivilege	4040	key.exe
Token: SeImpersonatePrivilege	4040	key.exe
Token: SeTcbPrivilege	4040	key.exe
Token: SeChangeNotifyPrivilege	4040	key.exe
Token: SeCreateTokenPrivilege	4040	key.exe
Token: SeBackupPrivilege	4040	key.exe
Token: SeRestorePrivilege	4040	key.exe
Token: SeIncreaseQuotaPrivilege	4040	key.exe
Token: SeAssignPrimaryTokenPrivilege	4040	key.exe
Token: SeImpersonatePrivilege	4040	key.exe
Token: SeTcbPrivilege	4040	key.exe
Token: SeChangeNotifyPrivilege	4040	key.exe
Token: SeCreateTokenPrivilege	4040	key.exe
Token: SeBackupPrivilege	4040	key.exe
Token: SeRestorePrivilege	4040	key.exe
Token: SeIncreaseQuotaPrivilege	4040	key.exe
Token: SeAssignPrimaryTokenPrivilege	4040	key.exe
Token: SeDebugPrivilege	1772	firefox.exe
Token: SeDebugPrivilege	1772	firefox.exe

Suspicious use of FindShellTrayWindow 14 IoCs

Processes:

7zFM.exe7zG.exe7zG.exeLonelyScreen.exeSetup.tmpSetup.tmpfirefox.exe

pid	process
4452	7zFM.exe
4452	7zFM.exe
4452	7zFM.exe
3956	7zG.exe
3384	7zG.exe
1544	LonelyScreen.exe
1544	LonelyScreen.exe
1544	LonelyScreen.exe
1544	LonelyScreen.exe
440	Setup.tmp
2180	Setup.tmp
1772	firefox.exe
1772	firefox.exe
1772	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

LonelyScreen.exe

pid process

1544 LonelyScreen.exe
1544 LonelyScreen.exe
1544 LonelyScreen.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

LonelyScreen.exeid6.exeid6.exefirefox.exe

pid process

1544 LonelyScreen.exe
1544 LonelyScreen.exe
3392 id6.exe
3392 id6.exe
4348 id6.exe
4348 id6.exe
1772 firefox.exe

pid	process
1544	LonelyScreen.exe
1544	LonelyScreen.exe
1544	LonelyScreen.exe

pid	process
1544	LonelyScreen.exe
1544	LonelyScreen.exe
3392	id6.exe
3392	id6.exe
4348	id6.exe
4348	id6.exe
1772	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Lonelyscreen.1.2.9.keygen.by.Paradox.execmd.exekeygen-step-3.execmd.exekeygen-pr.exekeygen-step-4.exekey.exewhhw.exesetup.upx.execmd.exeSetup.exeSetup.tmphjjgaa.exe

description	pid	process	target process
PID 2116 wrote to memory of 2144	2116	Lonelyscreen.1.2.9.keygen.by.Paradox.exe	cmd.exe
PID 2116 wrote to memory of 2144	2116	Lonelyscreen.1.2.9.keygen.by.Paradox.exe	cmd.exe
PID 2116 wrote to memory of 2144	2116	Lonelyscreen.1.2.9.keygen.by.Paradox.exe	cmd.exe
PID 2144 wrote to memory of 2972	2144	cmd.exe	keygen-pr.exe
PID 2144 wrote to memory of 2972	2144	cmd.exe	keygen-pr.exe
PID 2144 wrote to memory of 2972	2144	cmd.exe	keygen-pr.exe
PID 2144 wrote to memory of 4576	2144	cmd.exe	keygen-step-3.exe
PID 2144 wrote to memory of 4576	2144	cmd.exe	keygen-step-3.exe
PID 2144 wrote to memory of 4576	2144	cmd.exe	keygen-step-3.exe
PID 4576 wrote to memory of 3184	4576	keygen-step-3.exe	cmd.exe
PID 4576 wrote to memory of 3184	4576	keygen-step-3.exe	cmd.exe
PID 4576 wrote to memory of 3184	4576	keygen-step-3.exe	cmd.exe
PID 2144 wrote to memory of 2844	2144	cmd.exe	keygen-step-4.exe
PID 2144 wrote to memory of 2844	2144	cmd.exe	keygen-step-4.exe
PID 2144 wrote to memory of 2844	2144	cmd.exe	keygen-step-4.exe
PID 3184 wrote to memory of 2336	3184	cmd.exe	PING.EXE
PID 3184 wrote to memory of 2336	3184	cmd.exe	PING.EXE
PID 3184 wrote to memory of 2336	3184	cmd.exe	PING.EXE
PID 2972 wrote to memory of 4040	2972	keygen-pr.exe	key.exe
PID 2972 wrote to memory of 4040	2972	keygen-pr.exe	key.exe
PID 2972 wrote to memory of 4040	2972	keygen-pr.exe	key.exe
PID 2844 wrote to memory of 4876	2844	keygen-step-4.exe	whhw.exe
PID 2844 wrote to memory of 4876	2844	keygen-step-4.exe	whhw.exe
PID 2844 wrote to memory of 4876	2844	keygen-step-4.exe	whhw.exe
PID 4040 wrote to memory of 2420	4040	key.exe	key.exe
PID 4040 wrote to memory of 2420	4040	key.exe	key.exe
PID 4040 wrote to memory of 2420	4040	key.exe	key.exe
PID 4040 wrote to memory of 2420	4040	key.exe	key.exe
PID 4040 wrote to memory of 2420	4040	key.exe	key.exe
PID 4040 wrote to memory of 2420	4040	key.exe	key.exe
PID 4040 wrote to memory of 2420	4040	key.exe	key.exe
PID 4040 wrote to memory of 2420	4040	key.exe	key.exe
PID 4040 wrote to memory of 2420	4040	key.exe	key.exe
PID 4040 wrote to memory of 2420	4040	key.exe	key.exe
PID 4040 wrote to memory of 2420	4040	key.exe	key.exe
PID 4040 wrote to memory of 2420	4040	key.exe	key.exe
PID 4040 wrote to memory of 2420	4040	key.exe	key.exe
PID 4040 wrote to memory of 2420	4040	key.exe	key.exe
PID 4040 wrote to memory of 2420	4040	key.exe	key.exe
PID 4876 wrote to memory of 3736	4876	whhw.exe	setup.upx.exe
PID 4876 wrote to memory of 3736	4876	whhw.exe	setup.upx.exe
PID 4876 wrote to memory of 3736	4876	whhw.exe	setup.upx.exe
PID 3736 wrote to memory of 1440	3736	setup.upx.exe	cmd.exe
PID 3736 wrote to memory of 1440	3736	setup.upx.exe	cmd.exe
PID 3736 wrote to memory of 1440	3736	setup.upx.exe	cmd.exe
PID 1440 wrote to memory of 2760	1440	cmd.exe	PING.EXE
PID 1440 wrote to memory of 2760	1440	cmd.exe	PING.EXE
PID 1440 wrote to memory of 2760	1440	cmd.exe	PING.EXE
PID 2844 wrote to memory of 3392	2844	keygen-step-4.exe	id6.exe
PID 2844 wrote to memory of 3392	2844	keygen-step-4.exe	id6.exe
PID 2844 wrote to memory of 3392	2844	keygen-step-4.exe	id6.exe
PID 2844 wrote to memory of 3968	2844	keygen-step-4.exe	Setup.exe
PID 2844 wrote to memory of 3968	2844	keygen-step-4.exe	Setup.exe
PID 2844 wrote to memory of 3968	2844	keygen-step-4.exe	Setup.exe
PID 3968 wrote to memory of 440	3968	Setup.exe	Setup.tmp
PID 3968 wrote to memory of 440	3968	Setup.exe	Setup.tmp
PID 3968 wrote to memory of 440	3968	Setup.exe	Setup.tmp
PID 440 wrote to memory of 1516	440	Setup.tmp	searzar.exe
PID 440 wrote to memory of 1516	440	Setup.tmp	searzar.exe
PID 440 wrote to memory of 1516	440	Setup.tmp	searzar.exe
PID 2844 wrote to memory of 4512	2844	keygen-step-4.exe	hjjgaa.exe
PID 2844 wrote to memory of 4512	2844	keygen-step-4.exe	hjjgaa.exe
PID 2844 wrote to memory of 4512	2844	keygen-step-4.exe	hjjgaa.exe
PID 4512 wrote to memory of 3540	4512	hjjgaa.exe	jfiag_gg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_win_path 1 IoCs

Processes:

key.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	key.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\fijewh.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4452

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2864

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\fijewh\412433\" -spe -an -ai#7zMap15012:84:7zEvent25387
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3956

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\fijewh\LonelyScreen\" -spe -an -ai#7zMap27052:96:7zEvent5481
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3384

C:\Users\Admin\Desktop\fijewh\LonelyScreen\LonelyScreen.exe
"C:\Users\Admin\Desktop\fijewh\LonelyScreen\LonelyScreen.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1544

C:\Users\Admin\Desktop\fijewh\412433\Lonelyscreen.1.2.9.keygen.by.Paradox.exe
"C:\Users\Admin\Desktop\fijewh\412433\Lonelyscreen.1.2.9.keygen.by.Paradox.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook accounts
      Accesses Microsoft Outlook profiles
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      outlook_win_path
      PID:4040
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2420
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4576
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe"
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:3184
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2336
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\whhw.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\whhw.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4876
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX3\setup.upx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX3\setup.upx.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3736
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX3\setup.upx.exe"
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2760
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\id6.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\id6.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3392
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3968
    - - C:\Users\Admin\AppData\Local\Temp\is-7S25V.tmp\Setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-7S25V.tmp\Setup.tmp" /SL5="$20324,1223153,733696,C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:440
      - C:\Users\Admin\AppData\Local\Temp\RarSFX2\searzar\searzar.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX2\searzar\searzar.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1516
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4512
    - - C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3540
    - - C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4780

C:\Users\Admin\Desktop\fijewh\412433\Lonelyscreen.1.2.9.keygen.by.Paradox.exe
"C:\Users\Admin\Desktop\fijewh\412433\Lonelyscreen.1.2.9.keygen.by.Paradox.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3788
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:884
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX4\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX4\key.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1572
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX4\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX4\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        
        PID:756
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3160
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-3.exe"
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      PID:1044
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1648
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2420
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX5\whhw.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX5\whhw.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3384
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX6\setup.upx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX6\setup.upx.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3692
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX6\setup.upx.exe"
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3864
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1608
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX5\id6.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX5\id6.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4348
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX5\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX5\Setup.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4448
    - - C:\Users\Admin\AppData\Local\Temp\is-3PEJ9.tmp\Setup.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-3PEJ9.tmp\Setup.tmp" /SL5="$50350,1223153,733696,C:\Users\Admin\AppData\Local\Temp\RarSFX5\Setup.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:2180
      - C:\Users\Admin\AppData\Local\Temp\RarSFX2\searzar\searzar.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX2\searzar\searzar.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:396
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX5\hjjgaa.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX5\hjjgaa.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3864
    - - C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4012
    - - C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:3160

C:\Program Files\Mozilla Firefox\private_browsing.exe
"C:\Program Files\Mozilla Firefox\private_browsing.exe"
1⤵
PID:3632
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -private-window
  2⤵
  PID:1324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -private-window
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:1772
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1936 -parentBuildID 20240401114208 -prefsHandle 1964 -prefMapHandle 1956 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8abe7d5-13c3-4bac-9f56-227d06b88662} 1772 "\\.\pipe\gecko-crash-server-pipe.1772" gpu
      4⤵
      PID:392
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2460 -parentBuildID 20240401114208 -prefsHandle 2452 -prefMapHandle 2448 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e6ece4a4-7077-4fbc-869f-cfeae8d24ef2} 1772 "\\.\pipe\gecko-crash-server-pipe.1772" socket
      4⤵
      Checks processor information in registry
      PID:4148
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3060 -childID 1 -isForBrowser -prefsHandle 3052 -prefMapHandle 3048 -prefsLen 24665 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12a4bd5e-acb3-4d69-a37a-763465a18bce} 1772 "\\.\pipe\gecko-crash-server-pipe.1772" tab
      4⤵
      PID:5288
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4032 -childID 2 -isForBrowser -prefsHandle 4148 -prefMapHandle 4144 -prefsLen 29014 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {31597b1b-210c-4118-a5f2-ab00e2c6dbf5} 1772 "\\.\pipe\gecko-crash-server-pipe.1772" tab
      4⤵
      PID:5532
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4940 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4724 -prefMapHandle 4776 -prefsLen 29070 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3647019-e360-4e3f-a7d6-ad999848fa49} 1772 "\\.\pipe\gecko-crash-server-pipe.1772" utility
      4⤵
      Checks processor information in registry
      PID:3156
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5348 -childID 3 -isForBrowser -prefsHandle 5360 -prefMapHandle 5356 -prefsLen 27023 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dce6d464-e880-4c3a-97cd-9ff74be9ce8f} 1772 "\\.\pipe\gecko-crash-server-pipe.1772" tab
      4⤵
      PID:6720
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5328 -childID 4 -isForBrowser -prefsHandle 5484 -prefMapHandle 5488 -prefsLen 27023 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d92de53a-3634-429a-98a0-dbb93ad89497} 1772 "\\.\pipe\gecko-crash-server-pipe.1772" tab
      4⤵
      PID:6752
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5316 -childID 5 -isForBrowser -prefsHandle 5672 -prefMapHandle 5680 -prefsLen 27023 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ab7cccd-9b09-41be-84bd-466c015f80d3} 1772 "\\.\pipe\gecko-crash-server-pipe.1772" tab
      4⤵
      PID:6764
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1304 -childID 6 -isForBrowser -prefsHandle 6132 -prefMapHandle 2364 -prefsLen 27104 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9bc8a26-bc91-4611-a12a-0997b6d262b9} 1772 "\\.\pipe\gecko-crash-server-pipe.1772" tab
      4⤵
      PID:5760

C:\Users\Admin\Desktop\fijewh\412433\Lonelyscreen.1.2.9.keygen.by.Paradox.exe
"C:\Users\Admin\Desktop\fijewh\412433\Lonelyscreen.1.2.9.keygen.by.Paradox.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6248
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX7\keygen.bat" "
  2⤵
  PID:6324
- - C:\Users\Admin\AppData\Local\Temp\RarSFX7\keygen-pr.exe
    keygen-pr.exe -p83fsase3Ge
    3⤵
    PID:3368
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX8\key.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX8\key.exe"
      4⤵
      PID:7064
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX8\key.exe
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX8\key.exe -txt -scanlocal -file:potato.dat
        5⤵
        
        PID:1336
- - C:\Users\Admin\AppData\Local\Temp\RarSFX7\keygen-step-3.exe
    keygen-step-3.exe
    3⤵
    PID:880
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX7\keygen-step-3.exe"
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:6404
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:6988
- - C:\Users\Admin\AppData\Local\Temp\RarSFX7\keygen-step-4.exe
    keygen-step-4.exe
    3⤵
    PID:6396
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX9\whhw.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX9\whhw.exe"
      4⤵
      PID:4420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data1

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
0fdc1f287a6756d42c95bedd953a5b16

SHA1
5cac2a0fc55aa2352625bcdc8aca14a935505b9d

SHA256
459e3ba8dc3f9bc029cf4c6d7dc97c15c5b60c0f92d3d9620ed03a8fc217e179

SHA512
6c186112ff79f1bad1c46ee7e67bb93d435d4420096ae8c450315b78f1aaa59e7923dfa48e61a2ebf29114bc97cac70680676d255b2072c736fb93f961ea0435

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl.tmp

Filesize
13KB

MD5
f99b4984bd93547ff4ab09d35b9ed6d5

SHA1
73bf4d313cb094bb6ead04460da9547106794007

SHA256
402571262fd1f6dca336f822ceb0ec2a368a25dfe2f4bfa13b45c983e88b6069

SHA512
cd0ed84a24d3faae94290aca1b5ef65eef4cfba8a983da9f88ee3268fc611484a72bd44ca0947c0ca8de174619debae4604e15e4b2c364e636424ba1d37e1759

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe

Filesize
1.7MB

MD5
65b49b106ec0f6cf61e7dc04c0a7eb74

SHA1
a1f4784377c53151167965e0ff225f5085ebd43b

SHA256
862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd

SHA512
e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-3.exe

Filesize
1.1MB

MD5
20f5a9440a46acd791f3e14a51168709

SHA1
6228ed232ea25299e4ec54654bed013d8022c6ee

SHA256
838b3a60041cef51e5e5ef385c9753d3526fcb0429c322374bb14d08512683a3

SHA512
f847f68789c9d02b14fadb6f0f6d402d2aaf6f866a56a1837d100c17eb1006f47b0f2a2f9e68e106fd420d0279e542679816182b2c9181be87b83ae4e20bc812

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe

Filesize
10.6MB

MD5
5152124e9780ce8fdaffdb2ecf01f147

SHA1
fd5c673082d3c82f84cdc9ef9aa3ebf167588170

SHA256
70d612145ca07e3f272a8c4ca5f5bdc1c2e52fe5833c537d9d1d437e746c7c65

SHA512
087790afa61f8d384185b5febeaca93a836d6ec9159282a328f47810a2c2cf6fde2c8bf27817748501cc37e3beacf618fb330b4d7e5f2d3d447b021e84da51bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat

Filesize
97B

MD5
362a98ff358cee4c06aedf4c8e6f8770

SHA1
376b001129e2e64ecee89e27a343195f50c196a3

SHA256
c02a8b5cd85868da0523b58370bc5b6f8c24fa5ac8e59d874f8ba1c21f4ef158

SHA512
d60822a56650f91b3e108b9053558ca3367ce008b3972707e68986c874a856137efce7578def798248cea0852b664f429581e66c3ef67bb0e338e91501c76ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\JOzWR.dat

Filesize
1.5MB

MD5
12476321a502e943933e60cfb4429970

SHA1
c71d293b84d03153a1bd13c560fca0f8857a95a7

SHA256
14a0fbd7eab461e49ee161ac3bd9ad8055086dbe56848dbaba9ec2034b3dea29

SHA512
f222de8febc705146394fd389e6cece95b077a0629e18eab91c49b139bf5b686435e28a6ada4a0dbb951fd24ec3db692e7a5584d57ffd0e851739e595f2bbfdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe

Filesize
58KB

MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\potato.dat

Filesize
503B

MD5
0bdd93df3b5ee96569a2f22f9d617b8e

SHA1
7f8704c83cf599bb2e739698766f05089f70a5e2

SHA256
c1d3be98c494f08e6de80f6e38ab94368cd33b199700ee5bd62e9d6d15063d1b

SHA512
483714eff806aec59033e326b887a9f1cd7256cf49e88ca873a014fe95d564b0b29d18bab47f788be09d6bfe520f14e09c8c682d3275825c4145f833c72a7a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\user32.dll

Filesize
1.6MB

MD5
634fbe95ea4ef2e799b3d117dd9ec52e

SHA1
09533551abefbc922b87d1c2553329abd328c387

SHA256
1ba4bc4f000dd9263307357ffa42d83eb01f59bf28aec16ef2eb74e24683412e

SHA512
7d3857623c2d6806ed56e436fba2aa72ee57978ed8261894c3d7bb97a9f747d87866ca1dfaa2bc21ea22de1544fe7daf223565b7f16d894d02219ea9a690b7cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\Setup.exe

Filesize
1.8MB

MD5
e818a2384a90a03d8314cc4cf1cad1e0

SHA1
a28e0df0e8853596db4508925e9b93f4b8e2e902

SHA256
0585a29ddcdb6a4f0d23d4d09304768877ef1ae500c9664af9c21a6aff9d330c

SHA512
e96d9fe81aff387b7ce844552fba43f20d3833cf75078855d6fa3d15b58a5486b7cec71d7499d82165425dd3ac25a624aa918251cff6044b4df3cfe096a02569

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\hjjgaa.exe

Filesize
3.9MB

MD5
7016ff8fcb9d9451139d7a7541512597

SHA1
bf20fea9aa80a94531c4c3af8549b3e32bcada77

SHA256
97d21bc11812933a88c45cec4bef20e346952fc4a4144c93b19a205d20420a57

SHA512
b1ceab00b09c6feb716658e19b3021a8fe2d79ff06888b94376652907931aa67a451bb775ed0fc53fbd661f8b3ecaf98b8304604c1341df4ef21e9feac035e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\id6.exe

Filesize
2.1MB

MD5
d9ec2bce43693cd8c042abda75cc2f82

SHA1
fb270d5ccecdd9f18b01438b371e1caf72548fb4

SHA256
61271188de7b7dc646c38eb9aff1e5582b7d8981f19af2c8684ca12902bc3454

SHA512
d5bb890b4e344e090023bc100778fe557b8972a3640b3c2a5528523c44de26b5524523dbad3ba1bf05b1a3154f5c5d6f98411f2866e66368794427d0ca2127c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\searzar\searzar.exe

Filesize
498KB

MD5
5af346c85e6a347401ebd8798035df35

SHA1
036e6513eccaee195ba637e85683744a8dce09c0

SHA256
e7129b9545ead3dc009bcf40b5368eac467705889478cfac339cfa129631b87d

SHA512
117338b32f8610facf930748b4d916bb9cc90dba1c72f2059e52219726d19f8dc6314c46505e80e492104ac7b4e5222419036c8ceb9477da12fc9ce32fbdda77

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\searzar\unins000.dat

Filesize
5KB

MD5
ee8ec729ed8d9c47837b12eefe91e699

SHA1
eb5aca5d1ab3924850714f920ff799348b38a09a

SHA256
921bb19943f8eb02ef6ef5836fb42509b94c2e08f957457e4623bfdce1566745

SHA512
187107c6e8481b8af967da57cfb8d7388989b60211527ab4847430edb01765749e4ae3c57329d41d9583d7cc35c81567234599a48051a1bc3eb7b1669656e6f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\searzar\unins000.exe

Filesize
2.4MB

MD5
37942174e71daee7d2c01d854fb0f099

SHA1
828efb5608816121a21291e384c8cf95967214af

SHA256
8c841a5c438dc26b0249081c0ecc1e2d0a6f25392084b26a0362e0a88b52a37f

SHA512
c0f724ff4c827943b6ef30a66929875c7e7fd9a16d3004da892c8172c3e983754bdc04807019ba5bce430e2ca785d01114ec4f00c014edc4d8f66acf6bf42174

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\whhw.exe

Filesize
1.3MB

MD5
2fb5455dab77dd4d793aafa3df21b013

SHA1
453ef895e9edc4b22cddd9d4881afa19295ad2c0

SHA256
160785406249aae0e5f2bd62dd5daf64a15ce9bbb36c57a6f8f5c1ddb6390d9b

SHA512
2e5d7eb6a881b8e7d8309dd2cbe8c57c06c2acc2e2a50004717a9354b372a694d511bd197730d8528b4d4fc446134fa95fc0ae496feab33c854e14e9c8574c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX3\setup.upx.exe

Filesize
528KB

MD5
7d72db8aaceccd5cab82e0f618ce9d81

SHA1
c690d1e3a90499ce1b63ee9388dfaec786751e1e

SHA256
a8374f4efacd0d4ace4f78a781baf7a1e0913edaceb8feddcb82d07b68a1bcab

SHA512
88ff9256d7bfe8d724e42f59be08e51e70244d546ac8ef6466864d2466e52aac5d84acb0ea552168701e5e1d1eceee0696a0e3a40de2d83ab720e0e69de0d6d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX9\BTRSetp.exe

Filesize
610KB

MD5
6331d170c7c2c06ea9ecf289987a8db2

SHA1
e938ff9b901d2a51a076688f0a8af8b241433600

SHA256
b452a777118ad0153b13c0aa7d141c34f9f7c212d082998c071f69ce10f09234

SHA512
7ace643fa9e0320c8aeabe57c725868a0ed654130a89e1b799f03de6f19ad0a273c5bafb27ff3afc1dbc438fb37cc304abb188a25a7259e508e70753cf160944

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX9\DreamTrips.bat

Filesize
44B

MD5
7b24665f2db82f311bff238f05eb639a

SHA1
4001fddab3079c1f50207c6b19e782cfefa059c5

SHA256
81c2e1e08984f45a9fcd8a5e54087b5b2160ed553b584bac7ef589c0867e4478

SHA512
5cb0ae0a5a5e995adf21975b25b121103e56d6ad2f5bef5759d93e389f00ac62c4a963bdd80aa9e703e285dfe8acc9ca036e03b9b3d445ed516021397467d2a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX9\Full Version.exe

Filesize
377KB

MD5
5eb7d1110a6268092d008d93701a08b5

SHA1
6c1d846d8d01ee31f18c3bca5ad0245aa6a056ec

SHA256
b858e24eac464afd49d6bf782557f946b03e5e97431a1987b09b0203b5636c97

SHA512
8029b8f196d4030589c8e2ae8de5ff13892ae0619da35f600b028e8ca0c7bb76b9d5c0f623ce97c674d9e6ca5b9e01f6ab6f9b1313d87654797e247eca2fd669

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX9\Install.exe

Filesize
1.8MB

MD5
09bea173fb3f7244bfddaa3b110761a8

SHA1
5a4a6b0d01643616121cf258c671b22b65c91e1f

SHA256
674a3e21beb7da6768d1484ffdbddf88a2f7cbebe9355c1e7646e6831795c894

SHA512
09cf74fbee32eb13751000868eafb32a0008d469536db9a97ff924191842684de55910b513896d9960e159a06dcd9009631fdac7349ce36735d126c0c6561fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX9\lunch.bat

Filesize
44B

MD5
e56df68ac513d0d1bd4e36b6fd24f710

SHA1
bccae5ce3fae788789115d9963d7dc70598c76db

SHA256
fb2696efa485021c577b6d6966e03e35dc7dd0f3f86825e17328eafd95a3c777

SHA512
f84e4fed8ee4df08a61c23b5911e13335ca07912ca1011acaafb7bc3756d60a7ff745945663b2f1bc2f267997bfe6ebe5777ca505509f3121e25053e5098b9f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt

Filesize
31B

MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjgha23_fa.txt

Filesize
1KB

MD5
c7be3c661dc1ae8c3c5cee7c5463b8b7

SHA1
6bc151f7473448fc7ae464443be9e6ca0343bbd3

SHA256
ffbc54f9854804b7a5b12dda41be1af202b4ee0f39be12ec57e2ab0860d3e1bb

SHA512
096861535dcfe6dd7420b2139f5b79d46baac47e7aab86d0bdcf3dd9403d34b7da4d98d62aae5e03a8c4ea6536d1581750d944078eb2d30643ae392741f4cd7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7S25V.tmp\Setup.tmp

Filesize
2.4MB

MD5
2f7b6979529e98725c226681b9431206

SHA1
12a2e01e39f79997b1fd71f33da78c672b37b590

SHA256
22241dd602bb54f1d16db7723c5033d1bd88b2b8218b7e36eaeef746ad0c9823

SHA512
34d380be583b27f39b8aeb93f9944370cbe9857699976535fff230e43883d4c497216ddf3d5501d9daf436aefb8f57b8d88a7e6933e2f243defb45aa476851b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe

Filesize
184KB

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag_gg.exe

Filesize
103KB

MD5
4d4c98eca32b14aeb074db34cd0881e4

SHA1
92f213d609bba05d41d6941652a88c44936663a4

SHA256
4182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f

SHA512
959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\AlternateServices.bin

Filesize
6KB

MD5
9a20e75b4583cbf9c1018d79ffefc7ef

SHA1
ebb4336dff312e65fd15074088d532ad50b6bd54

SHA256
4c0743e51f9236c9ccee5e83b709096f51e06a17cb3bc8eb69d88878641abbf5

SHA512
5681ae1020b9aa0cf48472eb842ba7a0e573029e1651d821cc7248a1567f8a825bb44aebfe637a1eec5ec0cfe6d2c4fcde08e72afbb987ddc86e9e00112de78b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\AlternateServices.bin

Filesize
6KB

MD5
8b2c4a7dd08f12aed19ec10998b40d32

SHA1
aaa7214a19d638ed18a9ad03189a7f3aa58730e9

SHA256
bb2358fc0baa751568d162bed12ca7f34f2b9abe33821396546bc7dbc509b53c

SHA512
634df8da027274ad7ee955d5285a4dd17dbf413db5e5b21555722c7b1998f8c0f0ab16210d87bafb9a242487f4fa6d96026e3da0faf46ca3efd9f985e18a915b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
e7c07b62c73089e7921181a87b7f1755

SHA1
cb989207fa7c2727123b377d57c953836c28c8f2

SHA256
58c8c7ff07cb54c6f6c568cba1048367a00502ff40f9a06070a0e7976dbf3a97

SHA512
63870100ed91d8c2d028af450b25774a986000f34c81b8a335688b9516d19936c83948e8fd2f1dae41f8111bc747a899c2f41b01abb4a1ee03f0d19127769fe4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
1b24142087d59fd4049932d3ba089c63

SHA1
c91440d73716d347f7086ab0de05eb1c0cf22e42

SHA256
68e24ba310b9cd999210900204e12c770b56aabb9ca36efb948a37cbe4b2c457

SHA512
5b557ba6dd8d6b1cec00bfc47b557484af855c2962fba7a41b9db2f64e0eb6d2807d4112024892fe473fb5547d955d818e8d3b1303e3e6f25635c2fc13b0e4d0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\6e592166-d6da-41c5-affe-6bb8ce6609a9

Filesize
982B

MD5
c7a895997138b293aca452110a961dd4

SHA1
99156ca9682a2c29d26d77a069c3ea324dc7014c

SHA256
5a322d97f1edc59f433c4e24148cba2756ff5161e1a5add050853ee7c8ea0b18

SHA512
0cbd7351c509839de35f5041252e0e2c3e5f1023e577f02cc1170768a6cb52c9130f75d16520b967a28526e173ce508026e79217c8442986ea9ce143968ab9d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\a34d9b6b-e9fb-407c-83b2-66f988fd7eea

Filesize
27KB

MD5
a867e6365033fb80ccd0967b657205fd

SHA1
4a298f4a67b9a06f75cb8b9df54514f34b674b10

SHA256
92cceade0c6935e4148c8e639e450773f29d03e05bcc206ef73cb40875ed34bf

SHA512
3201afe111b0d4e3dd78339b0016f52318f9ce4d2f2c258ba53f0d28d34cee28696db380fb26e4bdc34ee1244e3950aa15dba9539ba5a55d58412d632ce6af87

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\b35bafc4-52f7-4df2-a06c-dac644858735

Filesize
4KB

MD5
dce7201e71cf6fbe3700fcb5dbc3a672

SHA1
03b4a2ede47af8f33793926abf1430c40291252e

SHA256
544357b3f1e2967cd8e5a95e315993cbee324506389e70c1f61552292de82b41

SHA512
ccaf6ea126a782a1e5b49e8876644ac3b1bb285eeaa2dcc7b951b6e10756d209ff8aefad33564badd6210918965ba544f31793aa160c627dd4451e558f43a6ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\c4ddfc07-c826-47c8-adef-6734159ca801

Filesize
671B

MD5
a4ee991a6bb43261a26273d69674f44d

SHA1
ed4e1e9b664e988d0b0d584ef129a3d0d90a9c97

SHA256
f5d77df364c9d1975b42df24e3d0c713de84aa1e127c0501d98354df14290ea0

SHA512
78b8d534c744e573c92f96955f7f3c07811b6ed149527a6789a8859d626ae571431f7c1645b0d1b3f41a5e81dbb5f980b291d911c5eef7de181049ba0faf0316

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs-1.js

Filesize
10KB

MD5
e14cdc1591f60563ff1396c644c3d963

SHA1
a1d89c88e035b8541d4bc80ee9c5f607dacc9ee4

SHA256
988f4f655a4cc2d5ef6f61ce369074dd2139c2f86a03b50c68b2d7f1c50b3c00

SHA512
f17a243fb5eb8bcc6b30e80c531422035347216f61cd199108d66493a129ea515c70e37e394a44ab54284535ab67e8616c0ffe46afa0a9c5ec408342a011699a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs.js

Filesize
10KB

MD5
51ce66ae2497d368b8ae047989680616

SHA1
f55c3629ad9ec0d2a4ed9568708b8ddfbd176a6b

SHA256
23e5940a4cfafe399c4a9525a00dc50ff39958e69273cf5d9edad7b690344ed9

SHA512
adbf6dd2a0acdb41b62757d794478373cbe2f28c74cde99bbc08c934dbfe32e1f501c7caa41f96da356bc4ea28efd9e07207026055f192005f721de3fdc1a400

Download Submit
C:\Users\Admin\Desktop\fijewh\412433.zip

Filesize
26.5MB

MD5
a803f82431678efa91e202dfc4e59dfa

SHA1
aac1594ee4bc7d91b640c2d5b66c64e7b7671cc3

SHA256
6b2816073c1bd747fe54b0e1876ef261a93af763bc4e8754d389d265afda1b04

SHA512
4f2965a6f7edbd23d4aa317b66fc4aa2bf46e5a0905cd48fa63920c7e859f46aba0bc3759fcde66c523e4b615a367e789857349d6d8a029e5ffe746cbaa01053

Download Submit
C:\Users\Admin\Desktop\fijewh\412433\Lonelyscreen.1.2.9.keygen.by.Paradox.exe

Filesize
13.4MB

MD5
48c356e14b98fb905a36164e28277ae5

SHA1
d7630bd683af02de03aebc8314862c512acd5656

SHA256
b2f43148c08f4fe2a0902873813fd7bbb9b513920089939c220826097480396c

SHA512
278ae5723544691844aae917938c7ab835f5da9c01c59472497112ca9f5d326a2586fa0bc79fbd0d907aab972b3f855c0087656c5e10504adc760b756ada221b

Download Submit
C:\Users\Admin\Desktop\fijewh\412433\Lonelyscreen.1.2.9.keygen.by.Paradox.zip

Filesize
13.2MB

MD5
5aaa5c6788ccdc89c2d393ae139a1479

SHA1
d176526637cabd9af128ae485363731c73016b97

SHA256
47e2d401491fa349aff65afd36809607588a13555a4353b32fc37ba812ce553f

SHA512
88fd03792c8e3c3c89f5ad82a99ed5a90175969b7c90bb82c57887d49c2781b2b0aa7954e3e252fbfa46440de17d44f88cdaeffec79c311bf7525067da7d8651

Download Submit
C:\Users\Admin\Desktop\fijewh\LonelyScreen.zip

Filesize
9.5MB

MD5
34cbb7645c079ba403250edea20ad34e

SHA1
feebf5bd2332cd26ae6bc3770725987da19befba

SHA256
4fc6b36e62dd4619193a22c3aa43dd905895d5bd2c8aa8ebf5098958dbef988e

SHA512
80d64d20a119d1bbf83c8a417216e6171eb8c786cb7f0d03ab5da41ae76f57486c1ac5fed01a0751ae19be8dfd661e25c3ac4da9873c840ed06c4e1f4ae30367

Download Submit
memory/396-336-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/396-351-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/440-177-0x0000000000400000-0x000000000067C000-memory.dmp

Filesize
2.5MB

Download
memory/1516-165-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/1516-175-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/2180-337-0x0000000000400000-0x000000000067C000-memory.dmp

Filesize
2.5MB

Download
memory/2420-118-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/2420-95-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/2420-83-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/2420-93-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/2420-102-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/2420-101-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/2420-103-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/2420-116-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/2420-117-0x0000000000400000-0x0000000000983000-memory.dmp

Filesize
5.5MB

Download
memory/3392-126-0x0000000010000000-0x00000000100E3000-memory.dmp

Filesize
908KB

Download
memory/3540-193-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3540-197-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3692-285-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/3736-99-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/3736-100-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/3864-344-0x0000000000F70000-0x00000000015E0000-memory.dmp

Filesize
6.4MB

Download
memory/3968-178-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/3968-143-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/4012-357-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4012-354-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4348-300-0x0000000010000000-0x00000000100E3000-memory.dmp

Filesize
908KB

Download
memory/4448-314-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/4448-338-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/4512-186-0x00000000007E0000-0x0000000000E50000-memory.dmp

Filesize
6.4MB

Download