fabookie | 0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442

Analysis

max time kernel
74s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
Size

3.4MB
MD5

99ca4fb276c60eb9c9a57c168d36d9fd
SHA1

2f1451025754967e328337bd21498fc991bdeed7
SHA256

0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442
SHA512

1469cd4714ef8afa9293f77e61207f0ec0a65e947f1182fce6f7557529fe517de20fe7ff2ab049b74c56de2d82eb9edae5fece7a87a67e0ccfa86f86ef757aca
SSDEEP

98304:qaKslt88xE2TXCzBA8intj5IVySsKmj+OO8u3:93t8+UFAvjCiMV

Score

10^/10

fabookie ffdroider raccoon discovery evasion persistence spyware stealer trojan upx

Malware Config

Extracted

Family

ffdroider

http://101.36.107.74

Signatures

Detect Fabookie payload 1 IoCs

resource	yara_rule
behavioral1/files/0x001600000001866d-206.dat	family_fabookie

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider
Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Fabookie family
fabookie
Ffdroider family
ffdroider
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 2 IoCs

resource	yara_rule
behavioral1/memory/2584-94-0x0000000000400000-0x0000000004801000-memory.dmp	family_raccoon_v1
behavioral1/memory/1552-136-0x0000000000400000-0x0000000004801000-memory.dmp	family_raccoon_v1

Raccoon family
raccoon

Detected Nirsoft tools 2 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/1512-306-0x0000000000400000-0x000000000045B000-memory.dmp	Nirsoft
behavioral1/memory/1232-385-0x0000000000400000-0x0000000000422000-memory.dmp	Nirsoft

Executes dropped EXE 15 IoCs

pid	Process
2716	KRSetp.exe
2724	jg7_7wjg.exe
2712	proz.exe
2584	Pas.exe
1880	KRSetp.exe
1744	jg7_7wjg.exe
2284	proz.exe
1552	Pas.exe
2832	askinstall4.exe
2620	piyyy.exe
1852	customer2.exe
1788	setup.exe
1308	main.exe
1512	jfiag3g_gg.exe
1232	jfiag3g_gg.exe

Loads dropped DLL 56 IoCs

pid	Process
2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2712	proz.exe
2712	proz.exe
2712	proz.exe
2712	proz.exe
2712	proz.exe
2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2284	proz.exe
2284	proz.exe
2284	proz.exe
2284	proz.exe
2284	proz.exe
2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
1852	customer2.exe
1308	main.exe
2620	piyyy.exe
2620	piyyy.exe
2588	WerFault.exe
2588	WerFault.exe
2588	WerFault.exe
2588	WerFault.exe
2620	piyyy.exe
2620	piyyy.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	piyyy.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	proz.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
22	iplogger.org
23	iplogger.org
35	iplogger.org
36	iplogger.org
39	iplogger.org
9	iplogger.org
10	iplogger.org
19	iplogger.org

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
32	ip-api.com

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00060000000193df-84.dat	upx
behavioral1/files/0x000500000001a0b3-304.dat	upx
behavioral1/memory/1512-306-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral1/files/0x000600000001a0b3-380.dat	upx
behavioral1/memory/1232-385-0x0000000000400000-0x0000000000422000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2588	2832	WerFault.exe	44

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jfiag3g_gg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jfiag3g_gg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jg7_7wjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	proz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	askinstall4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jg7_7wjg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	proz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	piyyy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	customer2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1680	PING.EXE
2360	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1488	taskkill.exe
1760	TASKKILL.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbd76049274b724d87bba28884a6e4eb0000000002000000000010660000000100002000000093e11bad28848896714ca29e79e6649e0cc08902a2514866e0d8ad11ac1abf79000000000e8000000002000020000000ddcaf0f94ac1da1d0db8c73629b0377e6bb524f1bc3134f3cd8d8d3da39c10f690000000de17dea778edbc7f339cde1630e8b1ae248811d18ae17f64609e5007fa277b11da24d17b884cfdf536a1d35e35243c3b5b8c1bff1b7e9c35261b1fd40e1bc7193b6f227256b7e4b33c9466c59e36f0368813ec809d2242945564cab732ab654b447597b1912b31ad8726172bf005601fe2d492f3f79ea6acabdbc9c4100728844d4f03f1748c722ebe250a6fbaa3807540000000fb0745a8b3a627ef47fa3038256ed266d7db24ee7219fe8f4a308ac5d1480ea973b6a9c0c39174e6d3a7b18896212135746cf8ec28be5be35bc5aa620c4fa365	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0f6e14d4f52db01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{85817EB1-BE42-11EF-B788-5A85C185DB3E} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbd76049274b724d87bba28884a6e4eb000000000200000000001066000000010000200000004acf8768b6d492171bab52308ea3b4e386e345ae657c19e7ca71d52eb28f193d000000000e80000000020000200000007b33c76e111d8200e961efb613f5e42166e89ff44271400f09851fdfac00da59200000006e0b2c4917c7e1d5f8d8b2c5bc362e946ebd8106656d2f3312c07ea6ffdfec2140000000a4458e68d6ba02e9bac71639af84cf224987ea45f441104782a2d74f244eecf6d65a77b8dc375ac4e1ff8f2d23cb3da86ea50b0452f65a0c826d58d2cc4e7e73	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

NTFS ADS 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\RarSFX1\Pro.url:favicon	IEXPLORE.EXE
File created	C:\Users\Admin\AppData\Local\Temp\www3AF0.tmp\:favicon:$DATA	IEXPLORE.EXE
File created	C:\Users\Admin\AppData\Local\Temp\Shaksd.url:favicon	IEXPLORE.EXE
File created	C:\Users\Admin\AppData\Local\Temp\www4BE1.tmp\:favicon:$DATA	IEXPLORE.EXE

Runs .reg file with regedit 2 IoCs

pid	Process
2260	regedit.exe
2600	regedit.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1680	PING.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1232	jfiag3g_gg.exe
1212	chrome.exe
1212	chrome.exe

Suspicious use of AdjustPrivilegeToken 52 IoCs

description	pid	Process
Token: SeDebugPrivilege	2716	KRSetp.exe
Token: SeDebugPrivilege	1880	KRSetp.exe
Token: SeDebugPrivilege	1488	taskkill.exe
Token: SeDebugPrivilege	1760	TASKKILL.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe
Token: SeShutdownPrivilege	1212	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2028	iexplore.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe
1212	chrome.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2028	iexplore.exe
2028	iexplore.exe
1796	IEXPLORE.EXE
1796	IEXPLORE.EXE
2408	IEXPLORE.EXE
2408	IEXPLORE.EXE
2408	IEXPLORE.EXE
2408	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 2716	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	31
PID 2948 wrote to memory of 2716	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	31
PID 2948 wrote to memory of 2716	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	31
PID 2948 wrote to memory of 2716	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	31
PID 2948 wrote to memory of 2724	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	32
PID 2948 wrote to memory of 2724	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	32
PID 2948 wrote to memory of 2724	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	32
PID 2948 wrote to memory of 2724	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	32
PID 2948 wrote to memory of 2712	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	33
PID 2948 wrote to memory of 2712	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	33
PID 2948 wrote to memory of 2712	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	33
PID 2948 wrote to memory of 2712	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	33
PID 2712 wrote to memory of 2584	2712	proz.exe	34
PID 2712 wrote to memory of 2584	2712	proz.exe	34
PID 2712 wrote to memory of 2584	2712	proz.exe	34
PID 2712 wrote to memory of 2584	2712	proz.exe	34
PID 2716 wrote to memory of 856	2716	KRSetp.exe	35
PID 2716 wrote to memory of 856	2716	KRSetp.exe	35
PID 2716 wrote to memory of 856	2716	KRSetp.exe	35
PID 2948 wrote to memory of 1880	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	36
PID 2948 wrote to memory of 1880	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	36
PID 2948 wrote to memory of 1880	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	36
PID 2948 wrote to memory of 1880	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	36
PID 2948 wrote to memory of 1744	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	37
PID 2948 wrote to memory of 1744	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	37
PID 2948 wrote to memory of 1744	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	37
PID 2948 wrote to memory of 1744	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	37
PID 2948 wrote to memory of 2284	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	38
PID 2948 wrote to memory of 2284	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	38
PID 2948 wrote to memory of 2284	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	38
PID 2948 wrote to memory of 2284	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	38
PID 2284 wrote to memory of 1552	2284	proz.exe	39
PID 2284 wrote to memory of 1552	2284	proz.exe	39
PID 2284 wrote to memory of 1552	2284	proz.exe	39
PID 2284 wrote to memory of 1552	2284	proz.exe	39
PID 2028 wrote to memory of 1796	2028	iexplore.exe	41
PID 2028 wrote to memory of 1796	2028	iexplore.exe	41
PID 2028 wrote to memory of 1796	2028	iexplore.exe	41
PID 2028 wrote to memory of 1796	2028	iexplore.exe	41
PID 1880 wrote to memory of 900	1880	KRSetp.exe	42
PID 1880 wrote to memory of 900	1880	KRSetp.exe	42
PID 1880 wrote to memory of 900	1880	KRSetp.exe	42
PID 2948 wrote to memory of 2832	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	44
PID 2948 wrote to memory of 2832	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	44
PID 2948 wrote to memory of 2832	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	44
PID 2948 wrote to memory of 2832	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	44
PID 2948 wrote to memory of 2832	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	44
PID 2948 wrote to memory of 2832	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	44
PID 2948 wrote to memory of 2832	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	44
PID 2948 wrote to memory of 2620	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	45
PID 2948 wrote to memory of 2620	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	45
PID 2948 wrote to memory of 2620	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	45
PID 2948 wrote to memory of 2620	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	45
PID 2948 wrote to memory of 1852	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	46
PID 2948 wrote to memory of 1852	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	46
PID 2948 wrote to memory of 1852	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	46
PID 2948 wrote to memory of 1852	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	46
PID 2948 wrote to memory of 1788	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	47
PID 2948 wrote to memory of 1788	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	47
PID 2948 wrote to memory of 1788	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	47
PID 2948 wrote to memory of 1788	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	47
PID 2948 wrote to memory of 1788	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	47
PID 2948 wrote to memory of 1788	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	47
PID 2948 wrote to memory of 1788	2948	0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe	47

C:\Users\Admin\AppData\Local\Temp\0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe
"C:\Users\Admin\AppData\Local\Temp\0577fa4481dced3714707a1af75103f94288d146088361f6ba52baa282b2e442.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
  "C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2716 -s 1612
    3⤵
    PID:856
- C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe
  "C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2724
- C:\Users\Admin\AppData\Local\Temp\proz.exe
  "C:\Users\Admin\AppData\Local\Temp\proz.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Pas.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Pas.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2584
- C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
  "C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 1880 -s 1616
    3⤵
    PID:900
- C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe
  "C:\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1744
- C:\Users\Admin\AppData\Local\Temp\proz.exe
  "C:\Users\Admin\AppData\Local\Temp\proz.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\Pas.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\Pas.exe"
    3⤵
    - Executes dropped EXE
    PID:1552
- C:\Users\Admin\AppData\Local\Temp\askinstall4.exe
  "C:\Users\Admin\AppData\Local\Temp\askinstall4.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3060
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1488
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 1324
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2588
- C:\Users\Admin\AppData\Local\Temp\piyyy.exe
  "C:\Users\Admin\AppData\Local\Temp\piyyy.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2620
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1512
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1232
- C:\Users\Admin\AppData\Local\Temp\customer2.exe
  "C:\Users\Admin\AppData\Local\Temp\customer2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1852
- - C:\Users\Admin\AppData\Local\Temp\RarSFX2\main.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX2\main.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1308
  - - C:\Windows\system32\TASKKILL.exe
      TASKKILL /F /IM chrome.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1760
  - - C:\Windows\regedit.exe
      regedit /s chrome.reg
      4⤵
      Runs .reg file with regedit
      PID:2600
  - - C:\Windows\system32\cmd.exe
      cmd /c chrome64.bat
      4⤵
      PID:1744
    - - C:\Windows\system32\mshta.exe
        
        mshta vbscript:createobject("wscript.shell").run("chrome64.bat h",0)(window.close)
        5⤵
        Modifies Internet Explorer settings
        
        PID:1140
      - C:\Windows\system32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX2\chrome64.bat" h"
        6⤵
        
        PID:2332
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:/Program Files/Google/Chrome/Application/chrome.exe"
        7⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1212
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6ed9758,0x7fef6ed9768,0x7fef6ed9778
        8⤵
        
        PID:1688
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1280,i,26712870843844974,2413863692358363923,131072 /prefetch:2
        8⤵
        
        PID:2132
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1280,i,26712870843844974,2413863692358363923,131072 /prefetch:8
        8⤵
        
        PID:2852
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=1280,i,26712870843844974,2413863692358363923,131072 /prefetch:8
        8⤵
        
        PID:1680
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2244 --field-trial-handle=1280,i,26712870843844974,2413863692358363923,131072 /prefetch:1
        8⤵
        
        PID:2500
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2260 --field-trial-handle=1280,i,26712870843844974,2413863692358363923,131072 /prefetch:1
        8⤵
        
        PID:2956
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 --field-trial-handle=1280,i,26712870843844974,2413863692358363923,131072 /prefetch:8
        8⤵
        
        PID:2672
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2560 --field-trial-handle=1280,i,26712870843844974,2413863692358363923,131072 /prefetch:8
        8⤵
        
        PID:2860
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2956 --field-trial-handle=1280,i,26712870843844974,2413863692358363923,131072 /prefetch:8
        8⤵
        
        PID:480
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3084 --field-trial-handle=1280,i,26712870843844974,2413863692358363923,131072 /prefetch:8
        8⤵
        
        PID:2332
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1408 --field-trial-handle=1280,i,26712870843844974,2413863692358363923,131072 /prefetch:2
        8⤵
        
        PID:3016
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3512 --field-trial-handle=1280,i,26712870843844974,2413863692358363923,131072 /prefetch:1
        8⤵
        
        PID:2988
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2796 --field-trial-handle=1280,i,26712870843844974,2413863692358363923,131072 /prefetch:8
        8⤵
        
        PID:1628
  - - C:\Windows\regedit.exe
      regedit /s chrome-set.reg
      4⤵
      Runs .reg file with regedit
      PID:2260
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1788
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2360
  - - C:\Windows\SysWOW64\PING.EXE
      ping 1.1.1.1 -n 1 -w 3000
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1680

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
  PID:1796
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:603141 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
  PID:2408

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
fa566e3f24a84806011467e96dc15768

SHA1
a4348270503dfaece6783ed84efb1b6ea0bd64cf

SHA256
4f53490ce5c90d0cecea8e21bdc5547aaf302c5e01db071465bd7a30280495fa

SHA512
b647dd08ff07980ecb6eaa15afcf43d7263b8677ef187d2da6f83e70549f40e4b227122b00cde5e0c0dee403060d7ba65f3439b28e5535622a5504401543359e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
640d0447ea7f74f91ed2070c1595b12a

SHA1
ff07de50b6b23c6325b8166bfeb8dea06f56ae49

SHA256
703777cb84cf52699907334f87489b2b57cfb0f06be64016784ea7c50fbdae16

SHA512
64a913d45a96b21400dc695c5830dcd3267d1934fbcd9261dcf483c5088bbf59f4c884929aa0a65baed9aa2690496ce53913931b6cbf1b4f8dfe54b079fedfb4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ceca93a443e9daf4ef7ef753747778d2

SHA1
9dabec14d0545825a302e28aa96de2bc9241d208

SHA256
04f76aa7a31fffac2e14b6837831e7f0d466caa140dd729d98c260a8bd977f69

SHA512
694e4325a091be46328030e31a3268a2de003c8e39f6cf5c0e320bdf73e7a4f707399e156313b2b04d2729fb6861fc6a20ca3b2c57803a708bfd611b0e274995

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3eecb1c14ff000745778a2d83dced734

SHA1
c9cabbb7098d7d1d7bd0d4087ff1ba4811f4ca2d

SHA256
0716c4ca3bdb6fef96c78b4244d4dd3ba8061633fed03de14fbd7e2dacbae4cf

SHA512
dc8bef48b3ea0def6571fca79ef6d95a66d3d192ecce358d3df14b167f1c840b28ddb3c071d064d92130e8fa60e1885639569e593bd09258dbc0b5836e617314

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
99d8ba20ccc866b2ad56fecc9a9ba91f

SHA1
7a67845d8aac4a454e4b1d36ef0679cffd23589f

SHA256
af8e8fd4d5495e634b636664f213b20cae2097191bcba86b5c46fb455aaf0562

SHA512
73b73e5a12b43d877c6ef63c2e4f5c2df6338f2bfbac23eb8d9c613c8474d039a35f6534cb1bd151123bbf6fc9b3eb3e74e2f7cf930390349643db696f785506

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4bbc9615ef1c8a04b2402661f8b79c01

SHA1
27e319b7fe827666d196cb5ccca0ff5e967625d2

SHA256
b8b4931f0367311d857267953760df78c73bf6a0481bd85be3bd99c93f78ae29

SHA512
86fbf62765c674912d868acf28e3826c81278c0d84af8d312329d224aee646da8c5e7e5157ec2254579232b17945fa52bde451830b784d17b9ee89a6132237d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
add25c76a26657e0c4bc466083e5b067

SHA1
dbf638cef2770621b6438bfbbf240752f5222f48

SHA256
490269a2c2f940a851614c8e9c193b6b7d52f1b4610fda15182996b2f40042f9

SHA512
ec9d2895e4b897196af0565cae10736f4935703240ae3ae4b3eb023fc6628f7dad16fb903624e4b6f85fe7ec31894a18575dc58af75b956dbede3267a53bcd01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4007eeef83e573952d22b1b10ca36819

SHA1
61ac3c373277e340793fb1ce2ba57a2f3abe1e51

SHA256
b369f03bb1d0478b4462d6bedee4e22b69956391bec188a85f7a457bf5eb8d18

SHA512
7ca81e2339caa37d43522c89f8d3663f7acac72c6291174d6ae855c068c940ae08d4a535926d0ba6d4308328e9d6f33394660409dc934753f943526a8845b28e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d329fbdbf4d0a559ed517aae1ffc1765

SHA1
4badf9f891a5ce5b0b80ad9ff51169341b8c4bf7

SHA256
3ca276075eb87bd07419cca2b53e6f187845d17d364daf6af7ee30bf6ed16583

SHA512
7d7783126249946d709d86bcd05e02efb424fbe43bf74ae52a03a97130cfae0de4f34f7166ca30221820a6432ce59480e840cf0ae1ff9b3a0d5e5e84f8e675af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f622914e9a0d4266f76b3142958f239

SHA1
c485c06d02b5eeb2ab825dd28dbc80460e9de86a

SHA256
5057b87b166ee253be39665967b29c1d58167971505a7d619f95148efed681e9

SHA512
713584a0b9bf0ca3b45437e5110b7b276d25727d6c8659d61220f4a16da82ca70156c77af502795db7131294fe1cddd5e95fed8655a60ccbf703b611fe565430

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f5328c4b2d74aca279198274ad0275ce

SHA1
fe8566da7ec052f8e3a784a6f6a0d921b734bdcb

SHA256
e0b7e6cbe91a0e238540d9a508dc94b5bfb8d6f76b5332fe9407b90a7cfdc0e1

SHA512
bc4fabef6132dde13c835a66d03244c21b23c6dbd5a87cc2c9c24cd14e54b26df8acf9e748f2564b0ae682821e678c2a3c0c80dc7b3d3a4e63b15b83518c95cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
414b54589b462ea96f94d10f06919cd8

SHA1
ab470ebc8918cd9f18cce4f33cc8fa8836c16e31

SHA256
a7db87ef4b658c32f215dcc908dc43f46857b0e32113fe8ad58b24d0797fa255

SHA512
e857249ee57d1be883c4be1acc5fae31ccb278ffa502316b0baace8c86bca89cecfb17ee9f78c33254d68d74fb6e395d14812de2fa485dd6683103a722f5bf4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c980d63b8c0d76df915a35c6b2068948

SHA1
d688098ed515cf01e1c871a4df483a7899b64483

SHA256
864fa85b4aeea079a6be6a1f91930abd4dc12dbab72ef5b965312efc377c6a08

SHA512
4da07e931dcb51483f45ad6fe90dde7623153e5a047abb644296adaf146606fa6ccc2a7ac0cd7f812f6a06334e3222bc285216d1d5d77c362a016cbfe87795fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d10e64002e8ac6500236fd53f1b5489b

SHA1
335ee705fd6dd5ecfc9d9b83e017faca73351892

SHA256
1bcce46db3593efebcac4ea918d60e14986d9d8a5af6d13164f1beb13e736367

SHA512
c070b3350ff23f8089adae5d4053917c44876d2e5c92954f06762231edaf6bfd65d9cec98287552e11b043897d65e7b653d39c520bf7500ebf7a2dd63b1a8ecb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
29acfb8fcac59a640ba07775d7e56243

SHA1
a36b894c63249f6d8d9a8d6e727164ef0c3fad75

SHA256
adb1f36a805a1c764cecaf1bf97dd8ee07f0eafdfe4d7b6c3cfc32a27210b408

SHA512
57827279d4256e3aa540a676d6692de4bdc8b2231247d79213ce2a8ad94badef3758343e0b1753fc4e47c9443d92d95ad1ad61494854d7b460c923d3829879f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a9f3e4877f243ec794370b0942c3c6a9

SHA1
2ad29aaace0a88db9a6727cca3b2809e4fcacc9e

SHA256
97f5372d698edc8a48744100363edbc8df16dc47f3e43356b885d6239c2908fc

SHA512
0f2d9b3b4dc2fabc374259f72e331f61a98ee99f358a825ac90d1baf028b2945c151f1b3de4cce27fd64c801c0550eef57bf327754f443a542ec532d581f01b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
5c935b5783d6d265f8f05d2db90a8774

SHA1
19b29b1b730f2381a33a8cbd6a99b534c7d271ef

SHA256
fbe80c2f18c93c62650bd080d1c44ed63e5428b344184eaada75ae791ce50b75

SHA512
b6130cf0d52a0e6383f65c9d1fb541493a46c42a87ed8e016e9564a7a5d37237c53a6fd83ef07fc36826548c798c5730320bf359e3906ab8ad7378401a0ca1df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
1da31fad4bc14c61d0cfe23cf8338f92

SHA1
7656f476c5ef52869efb842ac4198d56359b39de

SHA256
ae23c64b834d1cc57beb216f74cca14777100cd1e4e6d82dcd1cd0a68559b83a

SHA512
a6db4a060ce930a9a6270db6183f993872a896039f44946cda61d00fe801028797561d5bb9335cfcec1d045881188452042a65a026fe2161447506aee8e5c6eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\guoemn1\imagestore.dat

Filesize
2KB

MD5
f7342b9f908a16673b0b92ebdb34c28a

SHA1
fafce5a6ade737b22884279cc24c814b17f1766d

SHA256
7eb2c9bc914fa91dd3c5c5342de8e65f310872bff374f4a70bc3a7da62388f0a

SHA512
6663611b577ddd32e9475eec5ad10e3d7a904373df19cb3704c0d9351fa3c82f4f798216c1b564eafcc2be573e09be472e924190e8e69eaefb73c6ec3d6d7ac8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EB0KZ1Y4\favicon[1].png

Filesize
2KB

MD5
18c023bc439b446f91bf942270882422

SHA1
768d59e3085976dba252232a65a4af562675f782

SHA256
e0e71acef1efbfab69a1a60cd8fadded948d0e47a0a27c59a0be7033f6a84482

SHA512
a95ad7b48596bc0af23d05d1e58681e5d65e707247f96c5bc088880f4525312a1834a89615a0e33aea6b066793088a193ec29b5c96ea216f531c443487ae0735

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4615.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\Pro.url

Filesize
117B

MD5
d26381a6de8cbec244d5620206e5a5e9

SHA1
0b4d7728c515c31684ae6d32c306362118cafb45

SHA256
2b1db8cfb820f61d2f6ca69447108e297e16a35e46453bef5346d38b7f7ba9b4

SHA512
e2ffd5cdc1041a755d8d06831b1094530da0bb88b795b5d5e9f3778ebf00d74d7ff654f6e3cad075223367ada709591fa7143fd845134e95d491d68b955086ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\main.exe

Filesize
555KB

MD5
668aa42d3487079b49d90a6ce3ffe3b4

SHA1
c3ff2843a977e1c858d3f6a9d8cb353b8b95bfed

SHA256
d35ff5e353ad96f804ae25db081a8fb93d91f52f46d709a6a0827754c39e84a9

SHA512
08532b911b962c7a11c8b9bebc5f5b4105b28efe5f78731ef4775dccce595e01eb5c9e587b656bff0ddc7e27b81ae020991b52a2459fb426b90b792356eeaa07

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shaksd.url

Filesize
117B

MD5
2bd52feacf54206f58421c6591f8e6c5

SHA1
71a9b6be64c0ad8748098a5f5c7b1fcc759cc04e

SHA256
97dbe7ef7731ad0ef263b36120736bf3bf3de72cbc38186ded115e8190ba6edb

SHA512
e3d354a3fc333fc34b8da424cf5a4df51d17d07d5242035a7cf484aaf00a5254985f430e32f0ce5d9178b7baaa973172d46067a61c2e3a421600ebf6310b1576

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar479C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\customer2.exe

Filesize
990KB

MD5
fd14b427bca16dad79e1a1d483c0374e

SHA1
c9a0e931481a295ca18f6cb54956bfce35512f8e

SHA256
48e1b3ced99ff07cbd81beb4f341408696cf41f06bf412bdbbecd110a98fd3e9

SHA512
4c7362169e1ff87ee3ec2acc22658495b3717536f35f6bb689aa9ef1d92e35cb734d59e1507a75f48ceb3d4a6a1f12b787044dd4d6d4373cfbe4b239d4ead6e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
184KB

MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Filesize
61KB

MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1212_348146008\plugins-chrome.crx

Filesize
216KB

MD5
a09ae6f990f1f74ed06f630452453543

SHA1
3aa2c034b8b9f87f2b32820d92238723d88988a6

SHA256
fd0c617436b18ee14356fb7e73eb51fcb9bd886280d3c1b34f73b5f5e6d7b317

SHA512
241f266a0a60c3989e92454f537eb53d0a1e436744c2fb16a2dbdbe8985aba48b58ff12ec48e08c993f58ca9d0e5f8b6246108d7af20274c2f28cbc22bbc9cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ubisoftant.exe

Filesize
95KB

MD5
b67329b80bfd63ade39502ed2bb40461

SHA1
938241aa090691a8ad760daeaedceb1fdad25060

SHA256
30836e6af2e56811bcf49cf312182a570a0be7a2c7bbcf09f444ec88d13758fe

SHA512
3af16cc8642dddf768890f6aedc699afdacf3ff0bbfb94cf2d8013cf36f9ef6c766bfd9bac890e3c903d7f1ae15facb6e4d611f509a736bcb93898b2ce4f3395

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF20FA6F1A6DA51A8A.TMP

Filesize
16KB

MD5
a255c93fde4bf7b6d3de8f78654de26e

SHA1
6020ceb6bd3bff93a58446cac6e637b7ae468bd9

SHA256
557e6f781b8c1bf11f8cd1905fe4b82b4d775af1849ab1cd648245e433d9d810

SHA512
b9f1ac9a8b35b0d5eb27d41bf17868f67d9f0e3a84275d92e7a4fa51b8aad04038792790ecba9f17782c13d2984f36ea500969e585c873abfc615288a58b6334

Download Submit
\Users\Admin\AppData\Local\Temp\KRSetp.exe

Filesize
207KB

MD5
ce82da74721b73ebca106db3d6c03101

SHA1
07dd2f58f2bfaec2aded4e380f57804c2ffe60bf

SHA256
2e21d96491d3f3f352d472e11064718fa6b8bf855ba11d167a8c6df42ced6181

SHA512
9752aadf0d83fa1df14ce4418b8b7a9b2e7c7530afd19fc6a8d5d4e908b89a5f51f945a7f0b4bcfba87e44fd130540e079ee9244c9658c94db187c748683ddde

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Pas.exe

Filesize
534KB

MD5
db2e9f9b8807458226ca4cb9a52ff5c4

SHA1
94b8b1e0b9c617d370ad5d1445d410692529d23b

SHA256
a0f2ff7cb28c9f9c4e4d7583d2fbbcf89b5a2320f2dc8e82749a0f59e6ba197b

SHA512
68406f390ccb28893dcd7e36ec290f59ae9f86f2cd1e36e1596815ac664cda83ff3a8b833c963492bcadcd3620c844c28e87fb398444970e82418de02147ecf7

Download Submit
\Users\Admin\AppData\Local\Temp\askinstall4.exe

Filesize
521KB

MD5
53801ac3d522650a7c9a2f3e03b5c0a1

SHA1
b533a5eed14ecdc19159961df60e8aae58aee74b

SHA256
e28ff4f4b3871ebf761118f6ee0a8c1f600c90e54931f2e25030976906ed6568

SHA512
1e19561dae72756e7859298581ad859d844e879db8fd6e6f91a719a06b5dbf4f8cb690ab8adef3619f6ed9925bca39ae94609d071fdf043f7b85e1d5e6764c1c

Download Submit
\Users\Admin\AppData\Local\Temp\jg7_7wjg.exe

Filesize
545KB

MD5
2a6699d3b8c242efc377879d41b7d8fe

SHA1
8c158d6f7ebd3a4db2f287efb4fe85914ad0ddf4

SHA256
ed9774db908e75850dbf85f665f1fc6a7ccf3c8a1ff8e22375860581fe9b8f75

SHA512
038f0311b8150b33bd6a5851c3ff06b8b6723b519ea83c1f5c46bffc61ab7f459b5d15717a461f5489d0f63a1644336778cdc7ba22e0e3dc51ef019e87ab39eb

Download Submit
\Users\Admin\AppData\Local\Temp\piyyy.exe

Filesize
972KB

MD5
49939240c51965f0527297a3127b6c32

SHA1
78ab6d6f31a1b552a1a493b9f41690b6c47a28c3

SHA256
a7a20ca4cdcfd0e7b281e379889638207acd4b35e902caac95b894f02706129c

SHA512
abbd7a728a4dfc6b0ac04a9354172ef67e190f7b313e5cf7719e1240b4e2de12118ced45a1e7cd3494e4aad5420a28f01758b779269de8864b0f063e790b78ac

Download Submit
\Users\Admin\AppData\Local\Temp\proz.exe

Filesize
669KB

MD5
87930a2af638eab739a4925e5efb66be

SHA1
faa3701185a42c844020947407aec0c642fb96db

SHA256
5ea59c6498dd18d506f324a8b61f1a7c9008380f37ea6af60c308c05dfa0c371

SHA512
764928f88b53a5ccae09a1dee134fadcea6105c036dd6a53b97b57e7ef0577782ea569bcf8dfc6371fbb6ec9f1569c28fa3602de3ca669134febb0f039341ea5

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
702KB

MD5
931a67fffb696d947a1cf5de4e02193a

SHA1
04d185b5641c394bf16ee0712c503622c81021bd

SHA256
36fcc164264719077c074a60132a51627f4f2fdd5ff775a549685349945c0bf9

SHA512
51c608c8b7ca11ba05b051aca54e9fbccad321f34a1ddb22619e687a5a86c9f7020299383ef90792da87941086943489a0bc2d1af10287ce69cd99f56a168f02

Download Submit
memory/1232-385-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1512-306-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1552-136-0x0000000000400000-0x0000000004801000-memory.dmp

Filesize
68.0MB

Download
memory/1744-406-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/1744-298-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/1880-110-0x00000000001D0000-0x000000000020A000-memory.dmp

Filesize
232KB

Download
memory/2284-138-0x0000000003480000-0x0000000003482000-memory.dmp

Filesize
8KB

Download
memory/2584-94-0x0000000000400000-0x0000000004801000-memory.dmp

Filesize
68.0MB

Download
memory/2712-95-0x0000000003D80000-0x0000000008181000-memory.dmp

Filesize
68.0MB

Download
memory/2712-90-0x0000000003D80000-0x0000000008181000-memory.dmp

Filesize
68.0MB

Download
memory/2716-68-0x0000000000960000-0x000000000099A000-memory.dmp

Filesize
232KB

Download
memory/2716-92-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/2716-91-0x00000000007F0000-0x0000000000818000-memory.dmp

Filesize
160KB

Download
memory/2716-89-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/2716-49-0x000007FEF6513000-0x000007FEF6514000-memory.dmp

Filesize
4KB

Download
memory/2724-93-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2724-347-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2724-960-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2724-52-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download
memory/2948-241-0x0000000003970000-0x0000000003972000-memory.dmp

Filesize
8KB

Download
memory/2948-47-0x0000000003B10000-0x0000000003C8D000-memory.dmp

Filesize
1.5MB

Download
memory/2948-48-0x0000000003B10000-0x0000000003C8D000-memory.dmp

Filesize
1.5MB

Download