glupteba | 0a3fd127a47f8bf1d338741ed6233b72c4b948b2d39207006c3b9be26effb19b

Analysis

max time kernel
160s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
22-02-2022 21:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a3fd127a47f8bf1d338741ed6233b72c4b948b2d39207006c3b9be26effb19b.exe
Size

8.1MB
MD5

7d034f3d89aafef3ad084fb5a28894bc
SHA1

ed6862ce52e15d175856664a089264b09a83d5b5
SHA256

0a3fd127a47f8bf1d338741ed6233b72c4b948b2d39207006c3b9be26effb19b
SHA512

07fb39e0c9e150c15ecbda2bcc01a520e20a68e234e0c114e30e0c8da5ed6ec63b5a793a7fcdb94d212f9a52c6c32b10e47674d2aebb8e3128714f4a83441c82

Score

10^/10

glupteba metasploit smokeloader socelars backdoor discovery dropper evasion loader persistence spyware stealer suricata trojan upx

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Signatures

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1624-191-0x00000000052D0000-0x0000000005BF6000-memory.dmp	family_glupteba
behavioral2/memory/1624-192-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral2/memory/2984-197-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba
behavioral2/memory/2840-212-0x0000000000400000-0x0000000000D41000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4952 4304 rUNdlL32.eXe
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	4304	rUNdlL32.eXe

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process target process

PID 1740 created 2504 1740 WerFault.exe rundll32.exe
PID 6044 created 1592 6044 WerFault.exe File.exe
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

svchost.exe

description pid process target process

PID 3916 created 1624 3916 svchost.exe Info.exe
PID 3916 created 2840 3916 svchost.exe csrss.exe
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata
Downloads MZ/PE file

description	pid	process	target process
PID 1740 created 2504	1740	WerFault.exe	rundll32.exe
PID 6044 created 1592	6044	WerFault.exe	File.exe

description	pid	process	target process
PID 3916 created 1624	3916	svchost.exe	Info.exe
PID 3916 created 2840	3916	svchost.exe	csrss.exe

Executes dropped EXE 17 IoCs

Processes:

Updbdate.exeInfo.exeFolder.exemd9_1sjm.exeInstall.exeFolder.exeFile.exepub2.exejamesold.exeFiles.exeKRSetp.exejfiag3g_gg.exejfiag3g_gg.exeInfo.execsrss.exeNqXQ59fxedQNSevjeseMwP6F.exeinjector.exe

pid	process
4392	Updbdate.exe
1624	Info.exe
984	Folder.exe
1112	md9_1sjm.exe
2440	Install.exe
1924	Folder.exe
1592	File.exe
3480	pub2.exe
4704	jamesold.exe
4984	Files.exe
444	KRSetp.exe
4160	jfiag3g_gg.exe
4700	jfiag3g_gg.exe
2984	Info.exe
2840	csrss.exe
5168	NqXQ59fxedQNSevjeseMwP6F.exe
5224	injector.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0a3fd127a47f8bf1d338741ed6233b72c4b948b2d39207006c3b9be26effb19b.exeFolder.exeFile.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	0a3fd127a47f8bf1d338741ed6233b72c4b948b2d39207006c3b9be26effb19b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Folder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	File.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2504 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2504	rundll32.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Files.exeInfo.exemsedge.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ColdShadow = "\"C:\\Windows\\rss\\csrss.exe\""	Info.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

md9_1sjm.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA md9_1sjm.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

36 ip-api.com
169 ipinfo.io
170 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe

flow	ioc
36	ip-api.com
169	ipinfo.io
170	ipinfo.io

autoit_exe 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jamesold.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\jamesold.exe	autoit_exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\7aaf7767-7c9b-4306-9004-4b7f0caeaa0e.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220222213656.pma	setup.exe

Drops file in Windows directory 3 IoCs

Processes:

WerFault.exeInfo.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe
File opened for modification	C:\Windows\rss	Info.exe
File created	C:\Windows\rss\csrss.exe	Info.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1168	2504	WerFault.exe	rundll32.exe
4832	1624	WerFault.exe	Info.exe
5104	2984	WerFault.exe	Info.exe
6064	1592	WerFault.exe	File.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2460 schtasks.exe

pid	process
2460	schtasks.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1320 taskkill.exe

pid	process
1320	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Info.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time"	Info.exe

Modifies registry class 4 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exemsedge.exemsedge.exejfiag3g_gg.exe

pid	process
3480	pub2.exe
3480	pub2.exe
1508	msedge.exe
1508	msedge.exe
860	msedge.exe
860	msedge.exe
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
4700	jfiag3g_gg.exe
4700	jfiag3g_gg.exe
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060
2060

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

3480 pub2.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

860 msedge.exe
860 msedge.exe
860 msedge.exe
860 msedge.exe

pid	process
860	msedge.exe
860	msedge.exe
860	msedge.exe
860	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Install.exeKRSetp.exeWerFault.exetaskkill.exemd9_1sjm.exeInfo.exesvchost.exeUpdbdate.exeInfo.execsrss.exe

description	pid	process
Token: SeCreateTokenPrivilege	2440	Install.exe
Token: SeAssignPrimaryTokenPrivilege	2440	Install.exe
Token: SeLockMemoryPrivilege	2440	Install.exe
Token: SeIncreaseQuotaPrivilege	2440	Install.exe
Token: SeMachineAccountPrivilege	2440	Install.exe
Token: SeTcbPrivilege	2440	Install.exe
Token: SeSecurityPrivilege	2440	Install.exe
Token: SeTakeOwnershipPrivilege	2440	Install.exe
Token: SeLoadDriverPrivilege	2440	Install.exe
Token: SeSystemProfilePrivilege	2440	Install.exe
Token: SeSystemtimePrivilege	2440	Install.exe
Token: SeProfSingleProcessPrivilege	2440	Install.exe
Token: SeIncBasePriorityPrivilege	2440	Install.exe
Token: SeCreatePagefilePrivilege	2440	Install.exe
Token: SeCreatePermanentPrivilege	2440	Install.exe
Token: SeBackupPrivilege	2440	Install.exe
Token: SeRestorePrivilege	2440	Install.exe
Token: SeShutdownPrivilege	2440	Install.exe
Token: SeDebugPrivilege	2440	Install.exe
Token: SeAuditPrivilege	2440	Install.exe
Token: SeSystemEnvironmentPrivilege	2440	Install.exe
Token: SeChangeNotifyPrivilege	2440	Install.exe
Token: SeRemoteShutdownPrivilege	2440	Install.exe
Token: SeUndockPrivilege	2440	Install.exe
Token: SeSyncAgentPrivilege	2440	Install.exe
Token: SeEnableDelegationPrivilege	2440	Install.exe
Token: SeManageVolumePrivilege	2440	Install.exe
Token: SeImpersonatePrivilege	2440	Install.exe
Token: SeCreateGlobalPrivilege	2440	Install.exe
Token: 31	2440	Install.exe
Token: 32	2440	Install.exe
Token: 33	2440	Install.exe
Token: 34	2440	Install.exe
Token: 35	2440	Install.exe
Token: SeDebugPrivilege	444	KRSetp.exe
Token: SeRestorePrivilege	1168	WerFault.exe
Token: SeBackupPrivilege	1168	WerFault.exe
Token: SeBackupPrivilege	1168	WerFault.exe
Token: SeDebugPrivilege	1320	taskkill.exe
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeManageVolumePrivilege	1112	md9_1sjm.exe
Token: SeDebugPrivilege	1624	Info.exe
Token: SeImpersonatePrivilege	1624	Info.exe
Token: SeTcbPrivilege	3916	svchost.exe
Token: SeTcbPrivilege	3916	svchost.exe
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeDebugPrivilege	4392	Updbdate.exe
Token: SeSystemEnvironmentPrivilege	2984	Info.exe
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeShutdownPrivilege	2060
Token: SeCreatePagefilePrivilege	2060
Token: SeManageVolumePrivilege	1112	md9_1sjm.exe
Token: SeBackupPrivilege	3916	svchost.exe
Token: SeRestorePrivilege	3916	svchost.exe
Token: SeSystemEnvironmentPrivilege	2840	csrss.exe
Token: SeBackupPrivilege	3916	svchost.exe
Token: SeRestorePrivilege	3916	svchost.exe

Suspicious use of FindShellTrayWindow 13 IoCs

Processes:

jamesold.exemsedge.exe

pid	process
4704	jamesold.exe
4704	jamesold.exe
4704	jamesold.exe
4704	jamesold.exe
4704	jamesold.exe
4704	jamesold.exe
860	msedge.exe
2060
860	msedge.exe
2060
2060
2060
2060

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

jamesold.exe

pid process

4704 jamesold.exe
4704 jamesold.exe
4704 jamesold.exe
4704 jamesold.exe
4704 jamesold.exe
4704 jamesold.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

File.exe

pid process

1592 File.exe

pid	process
1592	File.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0a3fd127a47f8bf1d338741ed6233b72c4b948b2d39207006c3b9be26effb19b.exemsedge.exeFolder.exerUNdlL32.eXeFiles.exeInstall.exe

description	pid	process	target process
PID 2752 wrote to memory of 4392	2752	0a3fd127a47f8bf1d338741ed6233b72c4b948b2d39207006c3b9be26effb19b.exe	Updbdate.exe
PID 2752 wrote to memory of 4392	2752	0a3fd127a47f8bf1d338741ed6233b72c4b948b2d39207006c3b9be26effb19b.exe	Updbdate.exe
PID 2752 wrote to memory of 4392	2752	0a3fd127a47f8bf1d338741ed6233b72c4b948b2d39207006c3b9be26effb19b.exe	Updbdate.exe
PID 2752 wrote to memory of 1624	2752	0a3fd127a47f8bf1d338741ed6233b72c4b948b2d39207006c3b9be26effb19b.exe	Info.exe
PID 2752 wrote to memory of 1624	2752	0a3fd127a47f8bf1d338741ed6233b72c4b948b2d39207006c3b9be26effb19b.exe	Info.exe
PID 2752 wrote to memory of 1624	2752	0a3fd127a47f8bf1d338741ed6233b72c4b948b2d39207006c3b9be26effb19b.exe	Info.exe
PID 2752 wrote to memory of 860	2752	0a3fd127a47f8bf1d338741ed6233b72c4b948b2d39207006c3b9be26effb19b.exe	msedge.exe
PID 2752 wrote to memory of 860	2752	0a3fd127a47f8bf1d338741ed6233b72c4b948b2d39207006c3b9be26effb19b.exe	msedge.exe
PID 2752 wrote to memory of 984	2752	0a3fd127a47f8bf1d338741ed6233b72c4b948b2d39207006c3b9be26effb19b.exe	Folder.exe
PID 2752 wrote to memory of 984	2752	0a3fd127a47f8bf1d338741ed6233b72c4b948b2d39207006c3b9be26effb19b.exe	Folder.exe
PID 2752 wrote to memory of 984	2752	0a3fd127a47f8bf1d338741ed6233b72c4b948b2d39207006c3b9be26effb19b.exe	Folder.exe
PID 860 wrote to memory of 4368	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 4368	860	msedge.exe	msedge.exe
PID 2752 wrote to memory of 1112	2752	0a3fd127a47f8bf1d338741ed6233b72c4b948b2d39207006c3b9be26effb19b.exe	md9_1sjm.exe
PID 2752 wrote to memory of 1112	2752	0a3fd127a47f8bf1d338741ed6233b72c4b948b2d39207006c3b9be26effb19b.exe	md9_1sjm.exe
PID 2752 wrote to memory of 1112	2752	0a3fd127a47f8bf1d338741ed6233b72c4b948b2d39207006c3b9be26effb19b.exe	md9_1sjm.exe
PID 2752 wrote to memory of 2440	2752	0a3fd127a47f8bf1d338741ed6233b72c4b948b2d39207006c3b9be26effb19b.exe	Install.exe
PID 2752 wrote to memory of 2440	2752	0a3fd127a47f8bf1d338741ed6233b72c4b948b2d39207006c3b9be26effb19b.exe	Install.exe
PID 2752 wrote to memory of 2440	2752	0a3fd127a47f8bf1d338741ed6233b72c4b948b2d39207006c3b9be26effb19b.exe	Install.exe
PID 2752 wrote to memory of 1592	2752	0a3fd127a47f8bf1d338741ed6233b72c4b948b2d39207006c3b9be26effb19b.exe	File.exe
PID 2752 wrote to memory of 1592	2752	0a3fd127a47f8bf1d338741ed6233b72c4b948b2d39207006c3b9be26effb19b.exe	File.exe
PID 2752 wrote to memory of 1592	2752	0a3fd127a47f8bf1d338741ed6233b72c4b948b2d39207006c3b9be26effb19b.exe	File.exe
PID 984 wrote to memory of 1924	984	Folder.exe	Folder.exe
PID 984 wrote to memory of 1924	984	Folder.exe	Folder.exe
PID 984 wrote to memory of 1924	984	Folder.exe	Folder.exe
PID 2752 wrote to memory of 3480	2752	0a3fd127a47f8bf1d338741ed6233b72c4b948b2d39207006c3b9be26effb19b.exe	pub2.exe
PID 2752 wrote to memory of 3480	2752	0a3fd127a47f8bf1d338741ed6233b72c4b948b2d39207006c3b9be26effb19b.exe	pub2.exe
PID 2752 wrote to memory of 3480	2752	0a3fd127a47f8bf1d338741ed6233b72c4b948b2d39207006c3b9be26effb19b.exe	pub2.exe
PID 2752 wrote to memory of 4704	2752	0a3fd127a47f8bf1d338741ed6233b72c4b948b2d39207006c3b9be26effb19b.exe	jamesold.exe
PID 2752 wrote to memory of 4704	2752	0a3fd127a47f8bf1d338741ed6233b72c4b948b2d39207006c3b9be26effb19b.exe	jamesold.exe
PID 2752 wrote to memory of 4704	2752	0a3fd127a47f8bf1d338741ed6233b72c4b948b2d39207006c3b9be26effb19b.exe	jamesold.exe
PID 2752 wrote to memory of 4984	2752	0a3fd127a47f8bf1d338741ed6233b72c4b948b2d39207006c3b9be26effb19b.exe	Files.exe
PID 2752 wrote to memory of 4984	2752	0a3fd127a47f8bf1d338741ed6233b72c4b948b2d39207006c3b9be26effb19b.exe	Files.exe
PID 2752 wrote to memory of 4984	2752	0a3fd127a47f8bf1d338741ed6233b72c4b948b2d39207006c3b9be26effb19b.exe	Files.exe
PID 4952 wrote to memory of 2504	4952	rUNdlL32.eXe	rundll32.exe
PID 4952 wrote to memory of 2504	4952	rUNdlL32.eXe	rundll32.exe
PID 4952 wrote to memory of 2504	4952	rUNdlL32.eXe	rundll32.exe
PID 2752 wrote to memory of 444	2752	0a3fd127a47f8bf1d338741ed6233b72c4b948b2d39207006c3b9be26effb19b.exe	KRSetp.exe
PID 2752 wrote to memory of 444	2752	0a3fd127a47f8bf1d338741ed6233b72c4b948b2d39207006c3b9be26effb19b.exe	KRSetp.exe
PID 4984 wrote to memory of 4160	4984	Files.exe	jfiag3g_gg.exe
PID 4984 wrote to memory of 4160	4984	Files.exe	jfiag3g_gg.exe
PID 4984 wrote to memory of 4160	4984	Files.exe	jfiag3g_gg.exe
PID 2440 wrote to memory of 1632	2440	Install.exe	cmd.exe
PID 2440 wrote to memory of 1632	2440	Install.exe	cmd.exe
PID 2440 wrote to memory of 1632	2440	Install.exe	cmd.exe
PID 860 wrote to memory of 1980	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1980	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1980	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1980	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1980	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1980	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1980	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1980	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1980	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1980	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1980	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1980	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1980	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1980	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1980	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1980	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1980	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1980	860	msedge.exe	msedge.exe
PID 860 wrote to memory of 1980	860	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\0a3fd127a47f8bf1d338741ed6233b72c4b948b2d39207006c3b9be26effb19b.exe
"C:\Users\Admin\AppData\Local\Temp\0a3fd127a47f8bf1d338741ed6233b72c4b948b2d39207006c3b9be26effb19b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2752

C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
"C:\Users\Admin\AppData\Local\Temp\Updbdate.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4392

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2984

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:1860

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
PID:3392

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /94-94
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2840

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:2460

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:5224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 800
4⤵
- Program crash
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 960
3⤵
- Program crash
PID:4832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1wNij7
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffb2c0e46f8,0x7ffb2c0e4708,0x7ffb2c0e4718
3⤵
PID:4368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,8307886025626833364,4944322338707858544,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
3⤵
PID:1980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,8307886025626833364,4944322338707858544,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
3⤵
PID:1536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,8307886025626833364,4944322338707858544,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,8307886025626833364,4944322338707858544,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
3⤵
PID:2976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,8307886025626833364,4944322338707858544,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:1
3⤵
PID:1220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2208,8307886025626833364,4944322338707858544,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5276 /prefetch:8
3⤵
PID:4840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,8307886025626833364,4944322338707858544,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
3⤵
PID:1432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,8307886025626833364,4944322338707858544,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
3⤵
PID:1252

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,8307886025626833364,4944322338707858544,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6520 /prefetch:8
3⤵
PID:5992

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:5960

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff748935460,0x7ff748935470,0x7ff748935480
4⤵
PID:6080

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,8307886025626833364,4944322338707858544,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6520 /prefetch:8
3⤵
PID:4748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2208,8307886025626833364,4944322338707858544,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6696 /prefetch:8
3⤵
PID:5908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,8307886025626833364,4944322338707858544,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6556 /prefetch:2
3⤵
PID:4988

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:984

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
3⤵
- Executes dropped EXE
PID:1924

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
PID:1632

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:1592

C:\Users\Admin\Pictures\Adobe Films\NqXQ59fxedQNSevjeseMwP6F.exe
"C:\Users\Admin\Pictures\Adobe Films\NqXQ59fxedQNSevjeseMwP6F.exe"
3⤵
- Executes dropped EXE
PID:5168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1592 -s 1968
3⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6064

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3480

C:\Users\Admin\AppData\Local\Temp\jamesold.exe
"C:\Users\Admin\AppData\Local\Temp\jamesold.exe"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4704

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4984

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:4160

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4700

C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:444

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4952

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
PID:2504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 604
3⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 2504 -ip 2504
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1740

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1624 -ip 1624
1⤵
PID:920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2984 -ip 2984
1⤵
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1592 -ip 1592
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:6044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:5984

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
32a430bc15b50683c59ec20ab5c14464

SHA1
d67645e8bc1194d966ff4e21cc4c3270c8f7c03d

SHA256
55c61149c78aac8c7f8e0c2353ad196bebb40c14ebe15bb545691ade77630b09

SHA512
e09efe3d3568f5c284083a7288b278cb5fd0a8fb4f6c9bffa9963fd1765012ba617d425c1fa2f74e3f32a576bcfd3108591842c93db46bcaca507c775c70d7b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
cbafd60beffb18c666ff85f1517a76f9

SHA1
9e015cba7168b610969bfc299a4ffe4763f4fd5f

SHA256
d31f2d2d991acee74d9be732c8180f37cea12aceaba324804fbcf2d0d2891a3d

SHA512
ba61ac5f49827b0fba2c72f4b19540b91f8bceb8b441a713b7de00317059955ad592c88af8f9c94093077503ab3b4c4c522b0e577599ca5020ad1b0f254066ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
cbafd60beffb18c666ff85f1517a76f9

SHA1
9e015cba7168b610969bfc299a4ffe4763f4fd5f

SHA256
d31f2d2d991acee74d9be732c8180f37cea12aceaba324804fbcf2d0d2891a3d

SHA512
ba61ac5f49827b0fba2c72f4b19540b91f8bceb8b441a713b7de00317059955ad592c88af8f9c94093077503ab3b4c4c522b0e577599ca5020ad1b0f254066ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
79ebad47271a88a3bbcd3c9ec28b2cfd

SHA1
c36eb00bb3453fefb4b5bfa0708731841754993a

SHA256
74b952db76e55532023a5d6d4df00b401adfc8225bc3a790ad1ffe83aee270bc

SHA512
8f23cfe718cc1b6ce1a77833fa49da1dae983e573016bab950fad2f232ecdff6c2f23de9c91982965b35c7513643aac007ceafa5d45cae539eac145721004435

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
79ebad47271a88a3bbcd3c9ec28b2cfd

SHA1
c36eb00bb3453fefb4b5bfa0708731841754993a

SHA256
74b952db76e55532023a5d6d4df00b401adfc8225bc3a790ad1ffe83aee270bc

SHA512
8f23cfe718cc1b6ce1a77833fa49da1dae983e573016bab950fad2f232ecdff6c2f23de9c91982965b35c7513643aac007ceafa5d45cae539eac145721004435

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
79ebad47271a88a3bbcd3c9ec28b2cfd

SHA1
c36eb00bb3453fefb4b5bfa0708731841754993a

SHA256
74b952db76e55532023a5d6d4df00b401adfc8225bc3a790ad1ffe83aee270bc

SHA512
8f23cfe718cc1b6ce1a77833fa49da1dae983e573016bab950fad2f232ecdff6c2f23de9c91982965b35c7513643aac007ceafa5d45cae539eac145721004435

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
90096f351094db9413d7b93d344fde3e

SHA1
b47a2fb351dee04527949ebfb9b2283ec5557933

SHA256
6e518ec9828c733f090a206d478916a6b339fe6cd7731fdd3c2c77977111a094

SHA512
e0e0b29fcd208f1d043597f7b23bc329fa677bbff20bff5b506c86cf23629747d1093851b05f3d87c4f7309124d078257ede3212cca7fac638836c5bd106aee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
90096f351094db9413d7b93d344fde3e

SHA1
b47a2fb351dee04527949ebfb9b2283ec5557933

SHA256
6e518ec9828c733f090a206d478916a6b339fe6cd7731fdd3c2c77977111a094

SHA512
e0e0b29fcd208f1d043597f7b23bc329fa677bbff20bff5b506c86cf23629747d1093851b05f3d87c4f7309124d078257ede3212cca7fac638836c5bd106aee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
6added42c4e94c96a981158186207339

SHA1
4ea844314b64051e662b9b72884d449afedcfe95

SHA256
11aca9a45080878b29e95029fb474c17d35726e57bb81f4438601f2713a6d863

SHA512
6ea3904730824346c3557a127b8f6840c62891ef12ca7463d24d8854e93302f0556be8f594cd1e7b54dfc1b20b7242d90dbe05e1e93ae41b0faea5c1af70aa00

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
6added42c4e94c96a981158186207339

SHA1
4ea844314b64051e662b9b72884d449afedcfe95

SHA256
11aca9a45080878b29e95029fb474c17d35726e57bb81f4438601f2713a6d863

SHA512
6ea3904730824346c3557a127b8f6840c62891ef12ca7463d24d8854e93302f0556be8f594cd1e7b54dfc1b20b7242d90dbe05e1e93ae41b0faea5c1af70aa00

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
8b937890d3a56d65ce63c7a4731268ee

SHA1
1f6fd32335cdf644aeb066aea50c07b136bd0289

SHA256
ded54e32e001681241748608651b0035ac9a19baa36036d17ffaf9c5e1aa9714

SHA512
8e5aa2af51cddafdadfd8336772dcb23963bea7d9faf9e1fc54f842ffb203c6faee13f5f0689fd8b491c56ba9cceda85352282f4c87e00cd75e9fc2573807aa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
8b937890d3a56d65ce63c7a4731268ee

SHA1
1f6fd32335cdf644aeb066aea50c07b136bd0289

SHA256
ded54e32e001681241748608651b0035ac9a19baa36036d17ffaf9c5e1aa9714

SHA512
8e5aa2af51cddafdadfd8336772dcb23963bea7d9faf9e1fc54f842ffb203c6faee13f5f0689fd8b491c56ba9cceda85352282f4c87e00cd75e9fc2573807aa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
5fd2eba6df44d23c9e662763009d7f84

SHA1
43530574f8ac455ae263c70cc99550bc60bfa4f1

SHA256
2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f

SHA512
321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
67914af4b4abf7b101da6a579e3477e5

SHA1
55691ee46fc9fde74d026ebcadbe74897609fa74

SHA256
33b913651d8bc02e6eafdc642b515f454c5c37f6b9954d51d27102bf31f4c7a0

SHA512
185df8b589caa4cec5a1100dcfe806d618634c61a830915880bbef06a5017ad6b9d2f221e658bb9c3bcb893d068dffa614f75e2e4a5e24de0663ea6afdaf93e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\jamesold.exe
MD5
af85533456a042c6ed3216f22a8a4c7c

SHA1
4e61ea1ce8ab3c8f36f9e4ee1ae61b04fe11de78

SHA256
5149fc574b84e6842f5f11edd50ad7d4336bd6dd7ef3c4f3d7151256f0632a3a

SHA512
a22bec47f3c03732cdeaf126a2a51b2683f0ba1b86a1c6caa648a829218a64354adf8975f5b236957d99da1c9a03a78d2f0899377c90cf6d0cbdb27ce995cdb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jamesold.exe
MD5
af85533456a042c6ed3216f22a8a4c7c

SHA1
4e61ea1ce8ab3c8f36f9e4ee1ae61b04fe11de78

SHA256
5149fc574b84e6842f5f11edd50ad7d4336bd6dd7ef3c4f3d7151256f0632a3a

SHA512
a22bec47f3c03732cdeaf126a2a51b2683f0ba1b86a1c6caa648a829218a64354adf8975f5b236957d99da1c9a03a78d2f0899377c90cf6d0cbdb27ce995cdb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
ecd7365422db60cf4f55f3c6f4ed49bf

SHA1
e4b914e366e854fc076b0faa955d4f52ae6f840d

SHA256
77041a33e4f52b86a78b12d80a21e48ba25e4d4c430090f33ba69a08f12a83a7

SHA512
a6a3b539765c31957564ee166dd8f2539ff4cfb73e76eda3cae1120f15abea410cc735bd8b0e759d69971ed788e58191b8d1c6f18081236aa7a431c8f88b0a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
ecd7365422db60cf4f55f3c6f4ed49bf

SHA1
e4b914e366e854fc076b0faa955d4f52ae6f840d

SHA256
77041a33e4f52b86a78b12d80a21e48ba25e4d4c430090f33ba69a08f12a83a7

SHA512
a6a3b539765c31957564ee166dd8f2539ff4cfb73e76eda3cae1120f15abea410cc735bd8b0e759d69971ed788e58191b8d1c6f18081236aa7a431c8f88b0a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
3efd864bd37b9955722897500d65da9f

SHA1
76f9d06b99a955575796b35a4fd6939ac8726295

SHA256
2e51b63eb2451a0be63b850eb129ac7a0bc4da63316c15ddeed50c819e6a51ad

SHA512
8c4d012297eb265a14de6e81c5f4ad665b5053dd0415f55d4d26acec0a2f34f2f07b11db88d1ae3fb5896dcf8c76819c1774dd160d9b1e74ff2f73164f9e3fe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
3efd864bd37b9955722897500d65da9f

SHA1
76f9d06b99a955575796b35a4fd6939ac8726295

SHA256
2e51b63eb2451a0be63b850eb129ac7a0bc4da63316c15ddeed50c819e6a51ad

SHA512
8c4d012297eb265a14de6e81c5f4ad665b5053dd0415f55d4d26acec0a2f34f2f07b11db88d1ae3fb5896dcf8c76819c1774dd160d9b1e74ff2f73164f9e3fe0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk
MD5
c6eb1164fc53e19cdf0a295f60a93215

SHA1
95e0808e75337786175bf2bd691e48000e73d97b

SHA256
2f538d99ca82d785809f37265f2253544392083939d8acd0e107c936ca0d8680

SHA512
1d323d6cc906f3e5bdf3b4a60e6b5cc95c4fe622594227774bc9bf302f48093b319051e81aa541e1e874aba6014905236502cc41a903d239f74bb39471b8b060

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk
MD5
670cd440d2796b9f0575d6a8b7285285

SHA1
c220b9b8b44d0dd67161d98c5111e2c34fbaa78f

SHA256
e0385931027a8eac4605fe76f1f55c7d338ba57ab2734e32280fa8885ff154bc

SHA512
9f6c1d0e00f89da1b90f0283bfd6c9adc31771c41576d244ca51f8528e15f79d30ae120e09bb846fde348fb11535510e1c70d22dc28ebda987c8aab70d91aa58

Download Submit
C:\Users\Admin\Pictures\Adobe Films\NqXQ59fxedQNSevjeseMwP6F.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\NqXQ59fxedQNSevjeseMwP6F.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Windows\rss\csrss.exe
MD5
79ebad47271a88a3bbcd3c9ec28b2cfd

SHA1
c36eb00bb3453fefb4b5bfa0708731841754993a

SHA256
74b952db76e55532023a5d6d4df00b401adfc8225bc3a790ad1ffe83aee270bc

SHA512
8f23cfe718cc1b6ce1a77833fa49da1dae983e573016bab950fad2f232ecdff6c2f23de9c91982965b35c7513643aac007ceafa5d45cae539eac145721004435

Download Submit
C:\Windows\rss\csrss.exe
MD5
79ebad47271a88a3bbcd3c9ec28b2cfd

SHA1
c36eb00bb3453fefb4b5bfa0708731841754993a

SHA256
74b952db76e55532023a5d6d4df00b401adfc8225bc3a790ad1ffe83aee270bc

SHA512
8f23cfe718cc1b6ce1a77833fa49da1dae983e573016bab950fad2f232ecdff6c2f23de9c91982965b35c7513643aac007ceafa5d45cae539eac145721004435

Download Submit
\??\pipe\LOCAL\crashpad_860_WZPHNQLLTVWXEBQO
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/444-154-0x0000000000950000-0x0000000000974000-memory.dmp

Filesize
144KB

Download
memory/1112-206-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/1112-204-0x0000000004570000-0x0000000004578000-memory.dmp

Filesize
32KB

Download
memory/1112-203-0x0000000004570000-0x0000000004578000-memory.dmp

Filesize
32KB

Download
memory/1112-198-0x0000000004690000-0x0000000004698000-memory.dmp

Filesize
32KB

Download
memory/1536-164-0x00007FFB48E40000-0x00007FFB48E41000-memory.dmp

Filesize
4KB

Download
memory/1592-205-0x0000000003E50000-0x000000000400D000-memory.dmp

Filesize
1.7MB

Download
memory/1624-192-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/1624-191-0x00000000052D0000-0x0000000005BF6000-memory.dmp

Filesize
9.1MB

Download
memory/1624-190-0x0000000004E89000-0x00000000052C5000-memory.dmp

Filesize
4.2MB

Download
memory/2060-217-0x00000000081B0000-0x00000000081C6000-memory.dmp

Filesize
88KB

Download
memory/2840-208-0x0000000005200000-0x000000000563C000-memory.dmp

Filesize
4.2MB

Download
memory/2840-212-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2984-196-0x0000000004ECE000-0x000000000530A000-memory.dmp

Filesize
4.2MB

Download
memory/2984-197-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/3480-175-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/3480-146-0x0000000000CB3000-0x0000000000CC3000-memory.dmp

Filesize
64KB

Download
memory/3480-173-0x0000000000CB3000-0x0000000000CC3000-memory.dmp

Filesize
64KB

Download
memory/3480-174-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/4392-159-0x00000000073F0000-0x0000000007994000-memory.dmp

Filesize
5.6MB

Download
memory/4392-193-0x00000000080E0000-0x00000000081EA000-memory.dmp

Filesize
1.0MB

Download
memory/4392-207-0x0000000002D8F000-0x0000000002DB1000-memory.dmp

Filesize
136KB

Download
memory/4392-160-0x00000000079A0000-0x0000000007FB8000-memory.dmp

Filesize
6.1MB

Download
memory/4392-209-0x00000000048E0000-0x000000000490F000-memory.dmp

Filesize
188KB

Download
memory/4392-210-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4392-211-0x0000000071D2E000-0x0000000071D2F000-memory.dmp

Filesize
4KB

Download
memory/4392-162-0x00000000072F0000-0x0000000007302000-memory.dmp

Filesize
72KB

Download
memory/4392-213-0x00000000073E0000-0x00000000073E1000-memory.dmp

Filesize
4KB

Download
memory/4392-134-0x0000000002D8F000-0x0000000002DB1000-memory.dmp

Filesize
136KB

Download
memory/4392-215-0x00000000073E2000-0x00000000073E3000-memory.dmp

Filesize
4KB

Download
memory/4392-216-0x00000000073E3000-0x00000000073E4000-memory.dmp

Filesize
4KB

Download
memory/4392-167-0x0000000007310000-0x000000000734C000-memory.dmp

Filesize
240KB

Download
memory/4392-218-0x00000000073E4000-0x00000000073E6000-memory.dmp

Filesize
8KB

Download