fabookie | 0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442

Analysis

max time kernel
65s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
Size

3.4MB
MD5

99ca4fb276c60eb9c9a57c168d36d9fd
SHA1

2f1451025754967e328337bd21498fc991bdeed7
SHA256

0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442
SHA512

1469cd4714ef8afa9293f77e61207f0ec0a65e947f1182fce6f7557529fe517de20fe7ff2ab049b74c56de2d82eb9edae5fece7a87a67e0ccfa86f86ef757aca
SSDEEP

98304:qaKslt88xE2TXCzBA8intj5IVySsKmj+OO8u3:93t8+UFAvjCiMV

Score

10^/10

fabookie ffdroider raccoon discovery evasion persistence spyware stealer trojan upx

Malware Config

Extracted

Family

ffdroider

http://101.36.107.74

Signatures

Detect Fabookie payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016d46-405.dat	family_fabookie

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider
Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Fabookie family
fabookie
Ffdroider family
ffdroider
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 2 IoCs

resource	yara_rule
behavioral1/memory/2676-93-0x0000000000400000-0x0000000004801000-memory.dmp	family_raccoon_v1
behavioral1/memory/2972-135-0x0000000000400000-0x0000000004801000-memory.dmp	family_raccoon_v1

Raccoon family
raccoon

Detected Nirsoft tools 2 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/2316-510-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/2760-964-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft

Executes dropped EXE 15 IoCs

pid	Process
2192	KRSetp.exe
2892	jg7_7wjg.exe
2992	proz.exe
2676	Pas.exe
2008	KRSetp.exe
1312	proz.exe
2832	jg7_7wjg.exe
2972	Pas.exe
2680	askinstall4.exe
2092	piyyy.exe
1896	customer2.exe
2932	setup.exe
1372	main.exe
2316	jfiag3g_gg.exe
2760	jfiag3g_gg.exe

Loads dropped DLL 56 IoCs

pid	Process
2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2992	proz.exe
2992	proz.exe
2992	proz.exe
2992	proz.exe
2992	proz.exe
2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
1312	proz.exe
1312	proz.exe
1312	proz.exe
1312	proz.exe
1312	proz.exe
2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
1896	customer2.exe
1372	main.exe
2092	piyyy.exe
2092	piyyy.exe
812	WerFault.exe
812	WerFault.exe
812	WerFault.exe
812	WerFault.exe
2092	piyyy.exe
2092	piyyy.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	piyyy.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	proz.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
47	iplogger.org
48	iplogger.org
49	iplogger.org
9	iplogger.org
10	iplogger.org
21	iplogger.org
22	iplogger.org
23	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
45	ip-api.com

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000018f53-73.dat	upx
behavioral1/files/0x000b000000016d9a-508.dat	upx
behavioral1/memory/2316-510-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/files/0x00090000000146e7-911.dat	upx
behavioral1/memory/2760-964-0x0000000000400000-0x0000000000422000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
812	2680	WerFault.exe	44

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	proz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jfiag3g_gg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	piyyy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	askinstall4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jg7_7wjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	customer2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jfiag3g_gg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	proz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jg7_7wjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2036	cmd.exe
776	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2904	TASKKILL.exe
2864	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B537CC61-BE40-11EF-9A35-EAF933E40231} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ca4cf74e5f927047ae3ee11dfd8db7ab0000000002000000000010660000000100002000000008b772af23a255b6777c596ee8f550b0b68b60fa4cd8fff3316547adf0863952000000000e8000000002000020000000cb57bab8cf18234dfe835db8fd17d63ef34f73c08a9989f12bd25bda775f54dd20000000c33d6935a406e51bb50d229ba39f1533e48543a7d4f0cd1050df7b618650e98a400000004bb87e1fa8e19f667a402e2dbc5a02c149a3ede04f1192aa391e84a116bc8576d8b62ad94bb197b2c6036de0f0b894d027432054b2d13972025bb3ec508d0444	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 806035814d52db01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ca4cf74e5f927047ae3ee11dfd8db7ab0000000002000000000010660000000100002000000088e11ae32abd6d199cf2e7f7fe83a3c834d6adbce4a11c7e355978b3fa18800e000000000e800000000200002000000040922d883844edc95f870055d1e122854e6f76ede40871e57d7d5587bc551c8390000000b0f6f420b425a280d0ead2233e28ba363a6e6c6f4bac445946777061b6830e84285e9bb01590735de68ca42dbc3cdd3bd9bc9fc439ef6569c43f39da877aab3198f5f932b57ddb99482eefcc9336552290b7972991662ea0acf74c60dfd1a7d88036acb3c38fba831224ea997e05a70e348d5486ff85863ee64842cdfb573153c9e3b02e379e5a8fb937dca2d745447e400000002203824d1194826c9261fa65026cd9e966f93128491988214e219ec2ae65d4ca56108ae0f189d88dfa72c7144b24556bebf3099673d08b7781a674b3d2a908f4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe

NTFS ADS 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\RarSFX1\Pro.url:favicon	IEXPLORE.EXE
File created	C:\Users\Admin\AppData\Local\Temp\wwwD145.tmp\:favicon:$DATA	IEXPLORE.EXE
File created	C:\Users\Admin\AppData\Local\Temp\Shaksd.url:favicon	IEXPLORE.EXE
File created	C:\Users\Admin\AppData\Local\Temp\www12D.tmp\:favicon:$DATA	IEXPLORE.EXE

Runs .reg file with regedit 2 IoCs

pid	Process
2800	regedit.exe
1732	regedit.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
776	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2192	chrome.exe
2192	chrome.exe
2760	jfiag3g_gg.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2192	KRSetp.exe
Token: SeDebugPrivilege	2008	KRSetp.exe
Token: SeDebugPrivilege	2864	taskkill.exe
Token: SeDebugPrivilege	2904	TASKKILL.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe
Token: SeShutdownPrivilege	2192	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2444	iexplore.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe
2192	chrome.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2444	iexplore.exe
2444	iexplore.exe
1128	IEXPLORE.EXE
1128	IEXPLORE.EXE
1128	IEXPLORE.EXE
1128	IEXPLORE.EXE
2272	IEXPLORE.EXE
2272	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2192	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	30
PID 2096 wrote to memory of 2192	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	30
PID 2096 wrote to memory of 2192	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	30
PID 2096 wrote to memory of 2192	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	30
PID 2096 wrote to memory of 2892	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	31
PID 2096 wrote to memory of 2892	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	31
PID 2096 wrote to memory of 2892	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	31
PID 2096 wrote to memory of 2892	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	31
PID 2096 wrote to memory of 2992	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	32
PID 2096 wrote to memory of 2992	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	32
PID 2096 wrote to memory of 2992	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	32
PID 2096 wrote to memory of 2992	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	32
PID 2992 wrote to memory of 2676	2992	proz.exe	33
PID 2992 wrote to memory of 2676	2992	proz.exe	33
PID 2992 wrote to memory of 2676	2992	proz.exe	33
PID 2992 wrote to memory of 2676	2992	proz.exe	33
PID 2192 wrote to memory of 2504	2192	KRSetp.exe	34
PID 2192 wrote to memory of 2504	2192	KRSetp.exe	34
PID 2192 wrote to memory of 2504	2192	KRSetp.exe	34
PID 2096 wrote to memory of 2008	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	35
PID 2096 wrote to memory of 2008	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	35
PID 2096 wrote to memory of 2008	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	35
PID 2096 wrote to memory of 2008	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	35
PID 2096 wrote to memory of 2832	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	36
PID 2096 wrote to memory of 2832	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	36
PID 2096 wrote to memory of 2832	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	36
PID 2096 wrote to memory of 2832	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	36
PID 2096 wrote to memory of 1312	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	37
PID 2096 wrote to memory of 1312	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	37
PID 2096 wrote to memory of 1312	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	37
PID 2096 wrote to memory of 1312	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	37
PID 1312 wrote to memory of 2972	1312	proz.exe	38
PID 1312 wrote to memory of 2972	1312	proz.exe	38
PID 1312 wrote to memory of 2972	1312	proz.exe	38
PID 1312 wrote to memory of 2972	1312	proz.exe	38
PID 2444 wrote to memory of 1128	2444	iexplore.exe	40
PID 2444 wrote to memory of 1128	2444	iexplore.exe	40
PID 2444 wrote to memory of 1128	2444	iexplore.exe	40
PID 2444 wrote to memory of 1128	2444	iexplore.exe	40
PID 2008 wrote to memory of 1972	2008	KRSetp.exe	42
PID 2008 wrote to memory of 1972	2008	KRSetp.exe	42
PID 2008 wrote to memory of 1972	2008	KRSetp.exe	42
PID 2096 wrote to memory of 2680	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	44
PID 2096 wrote to memory of 2680	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	44
PID 2096 wrote to memory of 2680	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	44
PID 2096 wrote to memory of 2680	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	44
PID 2096 wrote to memory of 2680	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	44
PID 2096 wrote to memory of 2680	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	44
PID 2096 wrote to memory of 2680	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	44
PID 2096 wrote to memory of 2092	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	45
PID 2096 wrote to memory of 2092	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	45
PID 2096 wrote to memory of 2092	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	45
PID 2096 wrote to memory of 2092	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	45
PID 2096 wrote to memory of 1896	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	46
PID 2096 wrote to memory of 1896	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	46
PID 2096 wrote to memory of 1896	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	46
PID 2096 wrote to memory of 1896	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	46
PID 2096 wrote to memory of 2932	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	47
PID 2096 wrote to memory of 2932	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	47
PID 2096 wrote to memory of 2932	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	47
PID 2096 wrote to memory of 2932	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	47
PID 2096 wrote to memory of 2932	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	47
PID 2096 wrote to memory of 2932	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	47
PID 2096 wrote to memory of 2932	2096	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	47

C:\Users\Admin\AppData\Local\Temp\0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
"C:\Users\Admin\AppData\Local\Temp\0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
  "C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2192 -s 1616
    3⤵
    PID:2504
- C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe
  "C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2892
- C:\Users\Admin\AppData\Local\Temp\proz.exe
  "C:\Users\Admin\AppData\Local\Temp\proz.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Pas.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Pas.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2676
- C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
  "C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2008 -s 1612
    3⤵
    PID:1972
- C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe
  "C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2832
- C:\Users\Admin\AppData\Local\Temp\proz.exe
  "C:\Users\Admin\AppData\Local\Temp\proz.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Pas.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Pas.exe"
    3⤵
    - Executes dropped EXE
    PID:2972
- C:\Users\Admin\AppData\Local\Temp\askinstall4.exe
  "C:\Users\Admin\AppData\Local\Temp\askinstall4.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2732
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2864
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 1344
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:812
- C:\Users\Admin\AppData\Local\Temp\piyyy.exe
  "C:\Users\Admin\AppData\Local\Temp\piyyy.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2092
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2316
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2760
- C:\Users\Admin\AppData\Local\Temp\customer2.exe
  "C:\Users\Admin\AppData\Local\Temp\customer2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1896
- - C:\Users\Admin\AppData\Local\Temp\RarSFX2\main.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX2\main.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1372
  - - C:\Windows\system32\TASKKILL.exe
      TASKKILL /F /IM chrome.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2904
  - - C:\Windows\regedit.exe
      regedit /s chrome.reg
      4⤵
      Runs .reg file with regedit
      PID:2800
  - - C:\Windows\system32\cmd.exe
      cmd /c chrome64.bat
      4⤵
      PID:2792
    - - C:\Windows\system32\mshta.exe
        
        mshta vbscript:createobject("wscript.shell").run("chrome64.bat h",0)(window.close)
        5⤵
        Modifies Internet Explorer settings
        
        PID:880
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX2\chrome64.bat" h"
        6⤵
        
        PID:1980
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:/Program Files/Google/Chrome/Application/chrome.exe"
        7⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2192
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef62e9758,0x7fef62e9768,0x7fef62e9778
        8⤵
        
        PID:1080
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1184 --field-trial-handle=1324,i,9352290145754046087,3442585870871027123,131072 /prefetch:2
        8⤵
        
        PID:356
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1560 --field-trial-handle=1324,i,9352290145754046087,3442585870871027123,131072 /prefetch:8
        8⤵
        
        PID:3040
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1616 --field-trial-handle=1324,i,9352290145754046087,3442585870871027123,131072 /prefetch:8
        8⤵
        
        PID:1980
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2256 --field-trial-handle=1324,i,9352290145754046087,3442585870871027123,131072 /prefetch:1
        8⤵
        
        PID:584
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2280 --field-trial-handle=1324,i,9352290145754046087,3442585870871027123,131072 /prefetch:1
        8⤵
        
        PID:1312
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 --field-trial-handle=1324,i,9352290145754046087,3442585870871027123,131072 /prefetch:8
        8⤵
        
        PID:2740
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2860 --field-trial-handle=1324,i,9352290145754046087,3442585870871027123,131072 /prefetch:8
        8⤵
        
        PID:1716
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3424 --field-trial-handle=1324,i,9352290145754046087,3442585870871027123,131072 /prefetch:8
        8⤵
        
        PID:2956
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3420 --field-trial-handle=1324,i,9352290145754046087,3442585870871027123,131072 /prefetch:8
        8⤵
        
        PID:1592
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1424 --field-trial-handle=1324,i,9352290145754046087,3442585870871027123,131072 /prefetch:2
        8⤵
        
        PID:2808
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3540 --field-trial-handle=1324,i,9352290145754046087,3442585870871027123,131072 /prefetch:1
        8⤵
        
        PID:1532
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1476 --field-trial-handle=1324,i,9352290145754046087,3442585870871027123,131072 /prefetch:8
        8⤵
        
        PID:2620
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3676 --field-trial-handle=1324,i,9352290145754046087,3442585870871027123,131072 /prefetch:8
        8⤵
        
        PID:2492
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3764 --field-trial-handle=1324,i,9352290145754046087,3442585870871027123,131072 /prefetch:8
        8⤵
        
        PID:872
  - - C:\Windows\regedit.exe
      regedit /s chrome-set.reg
      4⤵
      Runs .reg file with regedit
      PID:1732
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2932
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2036
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 3000
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:776

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2444 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
  PID:1128
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2444 CREDAT:668686 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
  PID:2272

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
e6799ef18b0611110a6d2040c8473666

SHA1
474670e56fe2259da7e000e2016347d577b79c11

SHA256
58a86966831298ccb4ef6f619d78597e40458ad80724450a5c04e6ae37ee4b67

SHA512
a83ebc0e379be27ae53586d67c6337c362775cec15aaa757dd158fb9e4fc461c753aa7557ca679d15903f85d2ed4d46e55f62413e5dc5c982dba19f4a2ee8ae9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bee6c46dcf0c01b51b005604f437a3de

SHA1
691783735582553b7ccbf6afecce8cbc9e74ecc9

SHA256
4422f1ed1b243e227bfd7f2251781679915ccee65b45b60324b10421d0742ecf

SHA512
5092f498bc723c03e1dc6558f51d63a5cafa98e1dcfd1a6ee9697eb5fe79573e2e616b735a4a3149acb18e653e15cd05ee7bc61854ea1ff60ffa997d8693a837

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1477d6f6160bf127636383d82995346

SHA1
bcdd33ee44b563cbc722ccc20d8d933849313fa0

SHA256
66bab57e8c66af8dcc57ac8e3fefd7bdc0f7b846468a34c18641d08953ee85f1

SHA512
ee388bc548b0b5cf9403d1cb438e0cbd883423d510e740d778ada87dc820353903c1905ddce5e5eab168858f65beeff0b29edeccbf71ae4b6deba9dd818272a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1127d4682460afbcf3c315bb99090864

SHA1
3339720b8f2901199148ea47312bf4d6d3ea341c

SHA256
777597e786a96ebf050f0f8496ee3f0e621d8a0df13f9fd9abcfe270c50d67b8

SHA512
41b7df978a22645e9339ef557e0b4e0f1a8dbf63f1853c65d30ffc21f5cb5083c3d8cbce183faf6a75c4bc59afe9ddbca36f7754ce98bdbfb83b4029291e41a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ebcf96490c4b6e4af89fe9d3eafcfd81

SHA1
d654eb8ae325f1d81162b83da7d076d5cd77503c

SHA256
84a387fad72dceb20858a2d430abee83d77b4e1ee0cc86afd05651293dfc7557

SHA512
3c31912cce3e16320292ed425e3222f18370cd270d446c5028dc93b970802b9e4721d845b14037cda31134001b06c8a9108ef1ac372fc9a2e910f77f28d27c98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58e6bcb3e9cbe4b89c812c61397f6754

SHA1
4127fd941b812b6d9cd7eeb8568ef6124c0e87eb

SHA256
3d6087aa0e04a78ab5a9adda0d695b6452b60769b6fb2927dde489d68c516bba

SHA512
3ae048baf53f97887ba7d97d285c2d9fffc963f2682559ee7e047b15101e9516aa4b24ab18778d5b11bbc8a1ae6b0da1356a4b440a1013bd3e4ac6999dec06da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a4d2609c04d084eed4803d39353656ea

SHA1
45ad32f59a2a81a5d7d717597cc997fc740e78e2

SHA256
eb8d3b1e83487edf303f571da7e25049b5979034a5fd589976a4519e440e8dee

SHA512
ccc0f93b3e42718f4d107ae8ab3f0286844080d4d5cb968e4b8348cdfdbb1aaf60f122586eadd26c495af36cf1148e48c52d4649ac6615b16cba8f7693aca5a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c9645fe48245c4e53ad83ccee3175f6

SHA1
98819cdf2663d22c2056ff5ab1bee568e69be5a3

SHA256
7eb9cb2e4db2a4889c51543164a759a4eaf17b5052349857f06493151aa8f420

SHA512
c1f1fb99a4f8474166a11dff59b78b691b2792cd047833caf8dbf1bb419e1a20fa3d2b503df7154dd94cfb44e35edd9175da33da416f94460c4472ff93c5a9a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0fdc339b633385f638a628554904019

SHA1
68c59889412c006c9e8d27263c23c60ec4e530fe

SHA256
234c3566b79db1b5543ddff13a2b52cc52bc66164c3b356a58931195b2480afc

SHA512
c4813ea1f7d1ac7d3542a362b09404426a1ccda82e1306043dccdd840a6acdd03cd0012998a8c1b22ec42a028909c8405c0c8e66b37eb0de0fa6c5a309357c82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
728c5c9872ed10143202519b48d92476

SHA1
05bf665cf9d207090c52466cec3a46be7598b17a

SHA256
7358fe1103479d0dbe682b8f4c71d01c4b86a7d9f43f0cf37aeda2f5962def10

SHA512
b9c8195ea6c0faaf16d2fbfa229da045ba565775c602407120cf9f9cd80db5313cafed54a0c94abbcef8e7c544f8a0bfdb3fc90b6af3cf715a53fecf346a0daa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc8520c7560579256354d4688f105b34

SHA1
5986bb26deeaea9c5fda978054f2d38b77e226f8

SHA256
04f8fe558dc7a798701cf8224f5a4aa1832314993c02900204654447dfb22d5f

SHA512
0fbad550db87cab185c6960d4b733b758e13c6930e9cf1e7368b83b0e904d0548df5ea2da5e8b3e4f3aaff6e2f4de88a2a73bbe72cfa4929eafb65f133583152

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea8841b32fecde407ab3d7a58de681d2

SHA1
96746fa3a4ccc38d31a6a6e8925802abd5081a4b

SHA256
f2a8d8c3ac81be90b807994f6aaf5a87565f8454e33a5311d0405b4faa7ee8d2

SHA512
71d56ef883aef45d48a8e3ef64cd033690074ab094db7b6f759b36e9a4fae4b13b521aaaf355b077099189134ab8c7ed0e0c405640be1818ae3b7aa4f891c70f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e3f7c5c3ea2474b345b1afea9f31fcc

SHA1
dcc6937caf7f9e0ea3879ea9c8b702b80e3ae652

SHA256
0256546706db723cac73a1d89100a60401df910a830974ca337eac38abacb208

SHA512
4ad9e6c2b6401f9dd3f2e3b8cf102fe15f6f39fce6233e5a1c84a62370f689a9407a6ffcb815a585186c8b85926b713f530694709abc8aa221ac8379329e82ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6126a8acfb882643d3e1f6bc3060ab7a

SHA1
55d00bd325ea97e828b0a5ee9e833ed6eb718bed

SHA256
421f4a1e5f45345447028ffdbe20f6486f15d32b5cb38dca406360d430cff18c

SHA512
d6c43df2aec01502385e5a52ec15f10f216bd1c3b55bf409e51bc12de9f4e48a9b589a4112c44e39aa8a62dcc8a111ba43d00404af4cff48ae72dd114f1168c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a442ff76683efaba27116d678f55471

SHA1
cc58f60f2df27f484b8b6f4d98c86788202438c3

SHA256
d149e67f83fbfee1661b89f29cef52b61e1a799e6d584abdcf75901cf79571d0

SHA512
7704dfe4c22eb7d628439eb784005c22ea1522e1a50790e8a5b77031eecc67945d64ff576e4c412c3bc197caeee438eed46b541c2bf2b5ddb913b5ea6b824f20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35059bcfa4e08efac893057d6b3a6a2a

SHA1
991d278f7c2e7306d5a078f5bbb234fe508d3aff

SHA256
a2e6e36ad71b31b40d083e09adbf365140023019b1c2a0dfab92609aa7e05707

SHA512
e5efe423e6f9008bd6550f2327d0b79356e9b292006c116ac9cca27807f398c3b245dc6509aef5e28b200116752f544c68b6cd4ef49835b1397e75a3c026a971

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
866c6b530d9625b9395600c03a947b15

SHA1
f0567c4d93246f0d5e1bd5e2e2b5269295ba3c8e

SHA256
0241576c4664581665730a47987ce81193697b9677399e85af2e5aae98f80b0b

SHA512
5d4c54e880a3bd8ea3dca2d86b8761bf9388048e611316f7a2f792a8544e88d0897a0e0883bb753b778cd8ea11f0132523b790db4031172b2d9634d48e43a6cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a8e1a14827dec02426bd07b5860d7cf9

SHA1
479a2c2e4372d381f917b4f7f19550cdbdf3f03b

SHA256
ea00aeb74d24707a49eb53cb20f24b4a3f579c471a900cbb31a0060eb186497a

SHA512
07386cf0f978c251bf475eca57209247c46a6c6103e9685b30b1e5f66f1b124aae13a53880d3f2579978c5bf333ef925740a56e1017f5b5bcb667bb9e1b4936d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
719d2f8ca036467942b48caea16e12ea

SHA1
402ae5f65064b2ac017b0e53ccc36c480e0fec6d

SHA256
7f7d14c53ae054e9ac2d9acadc58acd334dd36ae94fc3f8418c71fd7c1a9738e

SHA512
fc58e965610abf763489f53f6a5d8587364644d20fcbcd72eced0af1ee55e9b77eca32f167b70dbefdfc7ff6843c2e399b4c2ee7c0e60dba2b98f6be91137579

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7795da1366442c66b37b01e0b4a95919

SHA1
d0c7d736a32f6847fdf476ece9456c6e5f8f2dcd

SHA256
29647bd5fbcade2c6d739f9fcac409754ebfb60944d7265511322a30d4958835

SHA512
5f4d5f27ea6a9b6cae6ad319e7313c8a979a8bb08032f4f2915a85cb1da56db18fd36634a741f6c28d74e489df5885a847d660a4cea0a232b0b7843a1d438d97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
37bfa4c5568a4899d81479990ce4eb76

SHA1
3604a38279f176dd9d52a8e579fb666916209148

SHA256
cb6e523f78b252a0cc8db1c1c92508663bcac2a1e7fe38f78488c599d5e29ae9

SHA512
0c2dad5601e33d96ddc6c608694c92c208feccff71bc66044f4e10bfeaa553066c6507e811b45f120700d453069d86b4797c1f85dfa344d491c7864329e288cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\508317df-e91f-41a3-97f5-bbfe444db724.tmp

Filesize
348KB

MD5
38bdd55d1909f45f1802829410ec056a

SHA1
30a2eea6b52e2ee45dc6351ba2edba3119b9384d

SHA256
a8034e74ce95a9c5f72b4d3a4daa948f85819debcf363ff115a106f8be3d7430

SHA512
2112dc37705ef7fd64e4c183df3c79cae5d4f73fb425916eb6d555ce256c57b10db4cd570e64b335be939ea445ede0c58d5532422535653e8e46c24f98b3ddf0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
52bbbf39c3edf0b1cf773752a5024133

SHA1
5a3882f49f3b6a197f70f527d2276ea6017880b8

SHA256
b58bdc02febf3c7ce8d3c4c0b744752641761be8a71008db0fa0d7032bb96118

SHA512
277de252e49b9fa08096ea0a555d5665f447e747f86b1a532e41abd021e03e75779753a54d4986ec0d8641e3e308fadcf19c4585e47b0777959cd4a8ad2fce36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\cf534eb6-bbec-4f6b-a2ac-045b9cdccd57.tmp

Filesize
5KB

MD5
100032a75d4351d1784f9d70c6b458da

SHA1
05b292f8516a78a639986b2f3331da5795e6b4c3

SHA256
60f338d3b323daa0f82882b618c74f11c5f80436208ae8afb7f46e8661b55897

SHA512
2626a53fc98239d0a84315d27711c67fef11fff0f38961475a833990e8b22aa4d1bcaae8a0cdcf1f62d6b0720e5fab8fa0282a9f5cfd65c814d29abda26b7b1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
335KB

MD5
96ec8dc831c54ab769ea3e25082e7946

SHA1
633c2f7c79242ff2846d207443036d656afda3e4

SHA256
8cdb5f8b27cd8196f93756c416066afc47841a8cb5c65f0914f02615bb7af632

SHA512
f71e60bf586864f4d27ce79593f541e9b6c2e9b1539b98877ebb11be2c57b3e9d4de996255f5a5faa1afa20615f29204545e4914250394a0f2be3917d8cb5f03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
373KB

MD5
004f9853d7d276e2fc2cc26ffbf335ae

SHA1
0fb92f562a39a294ec8a64cea0e16a3e629c5bde

SHA256
d5b8fb4381d7109304747088e6d4f6b909d07ae10b56fd54a32ba54d0e5d75d0

SHA512
70b8f702e6ecfc49e664b0dec57ba3c405eeda48e441917a362cb5f86c75f02e4ce85f8150fb463ef0699f06f6ec3750e1281b38cb28ddeb04e4594fb1ff02f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\9fajjbh\imagestore.dat

Filesize
2KB

MD5
24ffcdd5ccd54093e24b81502c2a62d1

SHA1
fe5ec13dd5d705871e3e319b8e887916761055f2

SHA256
15253ab4e3da3f0ccd6a1b4c68558d82618cbc069a79681e588f95baa8aaa789

SHA512
627e322c13f40e523aae84a61fb5aea6ae9c12a1e80a5fc7eb4fb938662ccdc1bd7f28c71e1a0aedd8b96da28e8b173305acb03d4f6e50cdc25d4b3499f96487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CXRG2YQS\1aLqy7[1].png

Filesize
116B

MD5
ec6aae2bb7d8781226ea61adca8f0586

SHA1
d82b3bad240f263c1b887c7c0cc4c2ff0e86dfe3

SHA256
b02fffaba9e664ff7840c82b102d6851ec0bb148cec462cef40999545309e599

SHA512
aa62a8cd02a03e4f462f76ae6ff2e43849052ce77cca3a2ccf593f6669425830d0910afac3cf2c46dd385454a6fb3b4bd604ae13b9586087d6f22de644f9dfc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CXRG2YQS\favicon[1].png

Filesize
2KB

MD5
18c023bc439b446f91bf942270882422

SHA1
768d59e3085976dba252232a65a4af562675f782

SHA256
e0e71acef1efbfab69a1a60cd8fadded948d0e47a0a27c59a0be7033f6a84482

SHA512
a95ad7b48596bc0af23d05d1e58681e5d65e707247f96c5bc088880f4525312a1834a89615a0e33aea6b066793088a193ec29b5c96ea216f531c443487ae0735

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE572.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe

Filesize
207KB

MD5
ce82da74721b73ebca106db3d6c03101

SHA1
07dd2f58f2bfaec2aded4e380f57804c2ffe60bf

SHA256
2e21d96491d3f3f352d472e11064718fa6b8bf855ba11d167a8c6df42ced6181

SHA512
9752aadf0d83fa1df14ce4418b8b7a9b2e7c7530afd19fc6a8d5d4e908b89a5f51f945a7f0b4bcfba87e44fd130540e079ee9244c9658c94db187c748683ddde

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Pro.url

Filesize
117B

MD5
d26381a6de8cbec244d5620206e5a5e9

SHA1
0b4d7728c515c31684ae6d32c306362118cafb45

SHA256
2b1db8cfb820f61d2f6ca69447108e297e16a35e46453bef5346d38b7f7ba9b4

SHA512
e2ffd5cdc1041a755d8d06831b1094530da0bb88b795b5d5e9f3778ebf00d74d7ff654f6e3cad075223367ada709591fa7143fd845134e95d491d68b955086ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\main.exe

Filesize
555KB

MD5
668aa42d3487079b49d90a6ce3ffe3b4

SHA1
c3ff2843a977e1c858d3f6a9d8cb353b8b95bfed

SHA256
d35ff5e353ad96f804ae25db081a8fb93d91f52f46d709a6a0827754c39e84a9

SHA512
08532b911b962c7a11c8b9bebc5f5b4105b28efe5f78731ef4775dccce595e01eb5c9e587b656bff0ddc7e27b81ae020991b52a2459fb426b90b792356eeaa07

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shaksd.url

Filesize
117B

MD5
2bd52feacf54206f58421c6591f8e6c5

SHA1
71a9b6be64c0ad8748098a5f5c7b1fcc759cc04e

SHA256
97dbe7ef7731ad0ef263b36120736bf3bf3de72cbc38186ded115e8190ba6edb

SHA512
e3d354a3fc333fc34b8da424cf5a4df51d17d07d5242035a7cf484aaf00a5254985f430e32f0ce5d9178b7baaa973172d46067a61c2e3a421600ebf6310b1576

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE571.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\askinstall4.exe

Filesize
521KB

MD5
53801ac3d522650a7c9a2f3e03b5c0a1

SHA1
b533a5eed14ecdc19159961df60e8aae58aee74b

SHA256
e28ff4f4b3871ebf761118f6ee0a8c1f600c90e54931f2e25030976906ed6568

SHA512
1e19561dae72756e7859298581ad859d844e879db8fd6e6f91a719a06b5dbf4f8cb690ab8adef3619f6ed9925bca39ae94609d071fdf043f7b85e1d5e6764c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
61KB

MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
184KB

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\proz.exe

Filesize
669KB

MD5
87930a2af638eab739a4925e5efb66be

SHA1
faa3701185a42c844020947407aec0c642fb96db

SHA256
5ea59c6498dd18d506f324a8b61f1a7c9008380f37ea6af60c308c05dfa0c371

SHA512
764928f88b53a5ccae09a1dee134fadcea6105c036dd6a53b97b57e7ef0577782ea569bcf8dfc6371fbb6ec9f1569c28fa3602de3ca669134febb0f039341ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2192_1001899842\plugins-chrome.crx

Filesize
216KB

MD5
a09ae6f990f1f74ed06f630452453543

SHA1
3aa2c034b8b9f87f2b32820d92238723d88988a6

SHA256
fd0c617436b18ee14356fb7e73eb51fcb9bd886280d3c1b34f73b5f5e6d7b317

SHA512
241f266a0a60c3989e92454f537eb53d0a1e436744c2fb16a2dbdbe8985aba48b58ff12ec48e08c993f58ca9d0e5f8b6246108d7af20274c2f28cbc22bbc9cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ubisoftant.exe

Filesize
95KB

MD5
b67329b80bfd63ade39502ed2bb40461

SHA1
938241aa090691a8ad760daeaedceb1fdad25060

SHA256
30836e6af2e56811bcf49cf312182a570a0be7a2c7bbcf09f444ec88d13758fe

SHA512
3af16cc8642dddf768890f6aedc699afdacf3ff0bbfb94cf2d8013cf36f9ef6c766bfd9bac890e3c903d7f1ae15facb6e4d611f509a736bcb93898b2ce4f3395

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF21B9DFB4E9BF8CA5.TMP

Filesize
16KB

MD5
5e960afe91c76e69f0085547b7fe013e

SHA1
cc3ec1f7b2daab52ecf5d484ca432ba48be6cff5

SHA256
a5924e55257c9ea45fea92359563ac9d1ad655fffebe14af02944a567bae4167

SHA512
060886a9e1b1f0d9a2829852466f8bc5f8000cdd3dafc4524a5b86bc2b7acde048d12f4db70105c888bf6242585bcf09cdb7d5f6b350ad3210667d02625ee888

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Pas.exe

Filesize
534KB

MD5
db2e9f9b8807458226ca4cb9a52ff5c4

SHA1
94b8b1e0b9c617d370ad5d1445d410692529d23b

SHA256
a0f2ff7cb28c9f9c4e4d7583d2fbbcf89b5a2320f2dc8e82749a0f59e6ba197b

SHA512
68406f390ccb28893dcd7e36ec290f59ae9f86f2cd1e36e1596815ac664cda83ff3a8b833c963492bcadcd3620c844c28e87fb398444970e82418de02147ecf7

Download Submit
\Users\Admin\AppData\Local\Temp\customer2.exe

Filesize
990KB

MD5
fd14b427bca16dad79e1a1d483c0374e

SHA1
c9a0e931481a295ca18f6cb54956bfce35512f8e

SHA256
48e1b3ced99ff07cbd81beb4f341408696cf41f06bf412bdbbecd110a98fd3e9

SHA512
4c7362169e1ff87ee3ec2acc22658495b3717536f35f6bb689aa9ef1d92e35cb734d59e1507a75f48ceb3d4a6a1f12b787044dd4d6d4373cfbe4b239d4ead6e6

Download Submit
\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe

Filesize
545KB

MD5
2a6699d3b8c242efc377879d41b7d8fe

SHA1
8c158d6f7ebd3a4db2f287efb4fe85914ad0ddf4

SHA256
ed9774db908e75850dbf85f665f1fc6a7ccf3c8a1ff8e22375860581fe9b8f75

SHA512
038f0311b8150b33bd6a5851c3ff06b8b6723b519ea83c1f5c46bffc61ab7f459b5d15717a461f5489d0f63a1644336778cdc7ba22e0e3dc51ef019e87ab39eb

Download Submit
\Users\Admin\AppData\Local\Temp\piyyy.exe

Filesize
972KB

MD5
49939240c51965f0527297a3127b6c32

SHA1
78ab6d6f31a1b552a1a493b9f41690b6c47a28c3

SHA256
a7a20ca4cdcfd0e7b281e379889638207acd4b35e902caac95b894f02706129c

SHA512
abbd7a728a4dfc6b0ac04a9354172ef67e190f7b313e5cf7719e1240b4e2de12118ced45a1e7cd3494e4aad5420a28f01758b779269de8864b0f063e790b78ac

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
702KB

MD5
931a67fffb696d947a1cf5de4e02193a

SHA1
04d185b5641c394bf16ee0712c503622c81021bd

SHA256
36fcc164264719077c074a60132a51627f4f2fdd5ff775a549685349945c0bf9

SHA512
51c608c8b7ca11ba05b051aca54e9fbccad321f34a1ddb22619e687a5a86c9f7020299383ef90792da87941086943489a0bc2d1af10287ce69cd99f56a168f02

Download Submit
memory/1312-137-0x0000000003430000-0x0000000003432000-memory.dmp

Filesize
8KB

Download
memory/2008-105-0x0000000000E10000-0x0000000000E4A000-memory.dmp

Filesize
232KB

Download
memory/2096-47-0x0000000003D20000-0x0000000003E9D000-memory.dmp

Filesize
1.5MB

Download
memory/2096-49-0x0000000003D20000-0x0000000003E9D000-memory.dmp

Filesize
1.5MB

Download
memory/2096-469-0x0000000003740000-0x0000000003742000-memory.dmp

Filesize
8KB

Download
memory/2192-71-0x0000000000250000-0x000000000028A000-memory.dmp

Filesize
232KB

Download
memory/2192-89-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/2192-90-0x0000000000320000-0x0000000000348000-memory.dmp

Filesize
160KB

Download
memory/2192-91-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2316-510-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2676-93-0x0000000000400000-0x0000000004801000-memory.dmp

Filesize
68.0MB

Download
memory/2760-964-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2832-206-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2832-986-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2832-1091-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2892-92-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2892-672-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2892-51-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2892-1041-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2972-135-0x0000000000400000-0x0000000004801000-memory.dmp

Filesize
68.0MB

Download
memory/2992-94-0x0000000003CB0000-0x00000000080B1000-memory.dmp

Filesize
68.0MB

Download
memory/2992-88-0x0000000003CB0000-0x00000000080B1000-memory.dmp

Filesize
68.0MB

Download