Analysis
- max time kernel: 153s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 10-03-2022 04:40

Static task: static1
Behavioral task: behavioral1
- Sample: 65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exe
- Resource: win7-20220310-en
Behavioral task: behavioral2
- Sample: 65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exe
- Resource: win10v2004-en-20220113
The signatures, process tree and dropped files below are from behavioral2 (the Windows 10 run: it is the resource named in the header and the memory-dump IoC path is prefixed behavioral2/).
General
- Target: 65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exe
- Size: 3.3MB
- MD5: e0540d7ccaa8ec50bc5bc3dda4b9f116
- SHA1: 695e7607f8e330bb27a2700c77c16377deedbd29
- SHA256: 65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895
- SHA512: f6afad052b2e3bab54a648e82ef5c4863e2cd5963099e79f0061d342fd11027a1985fce0d7f7c3fc54639186caaa144eff5fc647236a411317d97a8a164c2ca2
Malware Config
Three families were extracted from one run; the sample is a dropper bundling several payloads (the Socelars YARA hit is on agdsk.exe, the RedLine hit is in the memory of AddInProcess32.exe PID 1276, and the report does not attribute the SmokeLoader config to a specific dropped file).
Extracted: socelars
- http://www.fddnice.pw/
- http://www.sokoinfo.pw/
- http://www.zzhlike.pw/
- http://www.wygexde.xyz/
Extracted: smokeloader (2020)
- http://al-commandoz.com/upload/
- http://antalya-belek.com/upload/
- http://luxurysv.com/upload/
- http://massagespijkenisse.com/upload/
- http://rexgorellhondaevent.com/upload/
Extracted: redline (v10)
- 199.195.251.96:43073
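The config block above is the raw output of the sandbox's extractors. The following is an added example (not part of the report, and not the sandbox's own code) that parses that block into hunt-ready records: it separates the family line, the free-form tag line ("2020", "v10", kept verbatim because the report does not say whether they are versions or botnet labels) and the indicators, then defangs each one and splits out the bare IP:port C2 that produces no DNS lookup to alert on. CONFIG_TEXT is copied from the report; the record layout and helper names are this example's assumptions.

```python
"""Normalize the extracted malware configs into hunt-ready indicators.

Added example, not part of the sandbox report. CONFIG_TEXT is copied from the
report's "Malware Config" section; the parser, the record layout and the
defanging style are this example's own choices.
"""
import re
from urllib.parse import urlsplit

CONFIG_TEXT = """\
Extracted
socelars
http://www.fddnice.pw/
http://www.sokoinfo.pw/
http://www.zzhlike.pw/
http://www.wygexde.xyz/
Extracted
smokeloader
2020
http://al-commandoz.com/upload/
http://antalya-belek.com/upload/
http://luxurysv.com/upload/
http://massagespijkenisse.com/upload/
http://rexgorellhondaevent.com/upload/
Extracted
redline
v10
199.195.251.96:43073
"""

SOCKET_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def parse_config(text):
    """Split the text into "Extracted" blocks and return one record per C2.

    A block is: the family name, zero or more free-form tag lines (kept verbatim),
    then the indicators. A line that parses as a URL or as ip:port is an
    indicator; anything else is a tag.
    """
    records = []
    blocks = [b.strip().splitlines() for b in text.split("Extracted") if b.strip()]
    for lines in blocks:
        family, tags = lines[0].strip(), []
        for line in lines[1:]:
            line = line.strip()
            m = SOCKET_RE.match(line)
            if m:
                records.append({"family": family, "tags": tuple(tags), "kind": "socket",
                                "host": m.group(1), "port": int(m.group(2)), "path": None})
            elif "://" in line:
                u = urlsplit(line)
                records.append({"family": family, "tags": tuple(tags), "kind": "url",
                                "host": u.hostname,
                                "port": u.port or (443 if u.scheme == "https" else 80),
                                "path": u.path or "/"})
            else:
                tags.append(line)
    return records


def defang(rec):
    """Render an indicator so it cannot be clicked or auto-linked (hxxp, [.])."""
    host = rec["host"].replace(".", "[.]")
    if rec["kind"] == "socket":
        return f"{host}:{rec['port']}"
    return f"hxxp://{host}{rec['path']}"


def hosts_by_family(records):
    out = {}
    for r in records:
        out.setdefault(r["family"], set()).add(r["host"])
    return out


def raw_ip_c2s(records):
    """C2s given as bare IP:port: no DNS query to catch, so they need netflow or egress rules."""
    return [r for r in records if r["kind"] == "socket"]


if __name__ == "__main__":
    for r in parse_config(CONFIG_TEXT):
        print(f"{r['family']:<12}{','.join(r['tags']):<6}{defang(r)}")
```

The smokeloader entries all share the /upload/ path on otherwise unrelated domains, which is the gate pattern to match on in proxy logs; the redline entry is a raw socket, so it only shows up in connection-level telemetry.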
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
Processes:
resource | yara_rule
behavioral2/memory/1276-185-0x0000000000400000-0x000000000041C000-memory.dmp | family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars Payload 2 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\agdsk.exe | family_socelars
C:\Users\Admin\AppData\Local\Temp\agdsk.exe | family_socelars
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
This rule matches the cookie an AnubisNetworks sinkhole sets in its HTTP response, so at least one C2 host contacted during the run already resolves to a sinkhole rather than to attacker infrastructure; the report does not record which host.
-
Executes dropped EXE 11 IoCs
Processes:
pid | process
2676 | agdsk.exe
3784 | jg2_2qua.exe
4856 | KRSetp.exe
2960 | wf-game.exe
4720 | Files.exe
1560 | pub2.exe
4904 | pzyh.exe
3704 | File.exe
1436 | jfiag3g_gg.exe
1748 | jfiag3g_gg.exe
3332 | wjiruds
UPX packed file 4 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe | upx
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | Files.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | wf-game.exe
Loads dropped DLL 3 IoCs
Processes:
pid | process
3688 | rundll32.exe
1560 | pub2.exe
3332 | wjiruds
Reads user/profile data of web browsers 2 TTPs
Infostealers target stored browser data: saved credentials, cookies, autofill entries and session tokens. In this run the cookie theft is visible in the process tree: jfiag3g_gg.exe is launched with /scookiestxt and an output file under %TEMP%, and agdsk.exe first runs taskkill /f /im chrome.exe, which releases Chrome's locks on its profile databases.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.e" | pzyh.exe
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
Only the first row is persistence: pzyh.exe writes a Run value pointing into the user's Temp directory. The msedge.exe row is the browser instance launched by the dropper creating (not populating) its own Run key, and is not an indicator on its own.
Checks whether UAC is enabled 1 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | jg2_2qua.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
8 | ip-api.com
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target pid | target process
PID 3704 set thread context of 1276 | 3704 | File.exe | 1276 | AddInProcess32.exe
PID 1276 is the AddInProcess32.exe instance whose memory dump matched family_redline (RedLine Payload above), and AddInProcess32.exe is a Microsoft-signed .NET Framework binary. File.exe is therefore the RedLine injector and AddInProcess32.exe the host it runs in, consistent with RunPE-style process hollowing (the RedLine image is at 0x400000 in the hollowed process).
Drops file in Program Files directory 5 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220129011019.pma | setup.exe
File created | C:\Program Files\hprof.dll | wf-game.exe
File created | C:\Program Files\install.dat | wf-game.exe
File created | C:\Program Files\install.dll | wf-game.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\dccbd312-d634-4f0a-902e-da5f62116434.tmp | setup.exe
The two setup.exe rows are Edge's own installer touching its metrics files after the dropper launched the browser. The three wf-game.exe rows are the dropped component writing directly into C:\Program Files; install.dll is then loaded by rundll32.exe with the export "install" (see the process tree), which crashes and produces the WerFault entry below.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic text for this signature says "likely ransomware behaviour", but nothing else in this report supports that: the identified payloads are stealers and a loader, and no file encryption or ransom-note activity was recorded. Treat it as a drive enumeration, which also fits the SCSI registry checks below.
-
Program crash 1 IoCs
Processes:
process | pid | pid_target | target process
WerFault.exe | 2420 | 3688 | rundll32.exe
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | wjiruds
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | wjiruds
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | wjiruds
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | pub2.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | pub2.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | pub2.exe
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
All three rows come from the Edge instance the dropper launched to open the iplogger link (see the process tree), not from a dropped binary, so they carry little weight on their own.
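The registry signatures above (geofence lookup, Run-key write, EnableLUA check, SCSI enumeration, BIOS strings) are each reported in isolation. The following is an added example, not part of the report and not the sandbox's own detection logic, that runs a small rule set over events in the same shape as the IoC rows and scores them per process, so that a dropped binary hitting several anti-analysis checks, or writing a Run value into %TEMP%, separates from the browser noise. EVENTS is constructed from rows in this report; the rule names, weights and the "only a value write under Run counts as persistence" decision are this example's assumptions.

```python
"""Score sandbox registry events for the behaviours flagged in this report.

Added example, not part of the report. EVENTS is constructed from the report's
own IoC rows; the rule set, weights and scoring are this example's own.
"""
import re
from collections import defaultdict

# (operation, registry path, process, value data or None), constructed from the report.
EVENTS = [
    ("Key value queried", r"\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation", "Files.exe", None),
    ("Key value queried", r"\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation", "wf-game.exe", None),
    ("Set value (str)", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng", "pzyh.exe", r"C:\Users\Admin\AppData\Local\Temp\haleng.e"),
    ("Key created", r"\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run", "msedge.exe", None),
    ("Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "jg2_2qua.exe", None),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI", "wjiruds", None),
    ("Key enumerated", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI", "wjiruds", None),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer", "msedge.exe", None),
]

# Paths a non-admin user can write to; a Run value pointing here is the classic dropper persistence.
USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.IGNORECASE)

# rule name -> (operations it applies to, path regex, weight, whether value data must be user-writable)
RULES = {
    "geofence_nation_lookup": ({"Key value queried"}, r"\\Control Panel\\International\\Geo\\Nation$", 2, False),
    "uac_status_check": ({"Key value queried"}, r"\\Policies\\System\\EnableLUA$", 2, False),
    "scsi_enum_sandbox_check": ({"Key enumerated", "Key queried"}, r"\\SYSTEM\\ControlSet\d+\\Enum\\SCSI$", 3, False),
    "bios_strings_read": ({"Key value queried"}, r"\\HARDWARE\\DESCRIPTION\\System\\BIOS\\", 1, False),
    # Only a value write under Run is persistence; creating the key alone is not.
    "run_key_persistence_from_user_dir": ({"Set value (str)"}, r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", 5, True),
}
COMPILED = {n: (ops, re.compile(p, re.IGNORECASE), w, uw) for n, (ops, p, w, uw) in RULES.items()}


def match_rules(event):
    """Names of the rules one event satisfies, in RULES order."""
    op, path, _proc, data = event
    hits = []
    for name, (ops, rx, _w, needs_uw) in COMPILED.items():
        if op in ops and rx.search(path) and (not needs_uw or (data and USER_WRITABLE.search(data))):
            hits.append(name)
    return hits


def score_processes(events):
    """Sum rule weights per process, counting each rule once per process.

    Returns (scores, reasons): {process: score} and {process: [rule names]}.
    """
    scores, reasons = defaultdict(int), defaultdict(set)
    for ev in events:
        proc = ev[2]
        for name in match_rules(ev):
            if name not in reasons[proc]:
                scores[proc] += COMPILED[name][2]
                reasons[proc].add(name)
    return dict(scores), {p: sorted(r) for p, r in reasons.items()}


if __name__ == "__main__":
    scores, reasons = score_processes(EVENTS)
    for proc, s in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{s:>2}  {proc:<14} {', '.join(reasons[proc])}")
```

Weights are illustrative; the point is the shape of the logic: operation filter plus path pattern, with the persistence rule additionally requiring the written data to point into a user-writable directory, so Edge creating its own empty Run key scores nothing while pzyh.exe's haleng value scores highest.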
Kills process with taskkill 1 IoCs
Processes:
pid | process
1548 | taskkill.exe
Issued as taskkill /f /im chrome.exe by the cmd.exe child of agdsk.exe (the Socelars payload), so the stealer can read Chrome's profile databases without the running browser holding them open.
Modifies registry class 4 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | (not recorded)
Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | (not recorded)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | (not recorded)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid | process | entries
308 | msedge.exe | 2
2500 | msedge.exe | 2
1560 | pub2.exe | 2
1748 | jfiag3g_gg.exe | 2
2600 | (no image name recorded) | 56
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
pid | process
1560 | pub2.exe
3332 | wjiruds
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
Processes:
pid | process | entries
2500 | msedge.exe | 5
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
pid | process | privileges adjusted
2676 | agdsk.exe | SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35 (34 entries)
4856 | KRSetp.exe | SeDebugPrivilege
1548 | taskkill.exe | SeDebugPrivilege
3704 | File.exe | SeDebugPrivilege
3784 | jg2_2qua.exe | SeManageVolumePrivilege (2 entries)
1276 | AddInProcess32.exe | SeDebugPrivilege
4756 | svchost.exe | SeTcbPrivilege (5 entries)
2600 | (no image name recorded) | SeShutdownPrivilege and SeCreatePagefilePrivilege, alternating (19 entries)
agdsk.exe walks every well-known privilege LUID from 2 (SeCreateToken) to 35 in order; the unnamed entries 31 to 35 are SeTrustedCredManAccessPrivilege, SeRelabelPrivilege, SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege, which the sandbox did not resolve to names. Enabling the full set in one pass, rather than the one privilege a task needs, is itself a useful detection signal. SeDebugPrivilege on File.exe and on AddInProcess32.exe matches the injection recorded under SetThreadContext.
Suspicious use of FindShellTrayWindow 7 IoCs
Processes:
pid | process | entries
2500 | msedge.exe | 3
2600 | (no image name recorded) | 4
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
pid | process | entries
2960 | wf-game.exe | 2
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target pid | target process | entries
PID 1872 wrote to memory of 2676 | 1872 | 65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exe | 2676 | agdsk.exe | 3
PID 1872 wrote to memory of 3784 | 1872 | 65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exe | 3784 | jg2_2qua.exe | 3
PID 1872 wrote to memory of 4856 | 1872 | 65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exe | 4856 | KRSetp.exe | 2
PID 1872 wrote to memory of 2500 | 1872 | 65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exe | 2500 | msedge.exe | 2
PID 1872 wrote to memory of 2960 | 1872 | 65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exe | 2960 | wf-game.exe | 3
PID 2500 wrote to memory of 2952 | 2500 | msedge.exe | 2952 | msedge.exe | 2
PID 1872 wrote to memory of 4720 | 1872 | 65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exe | 4720 | Files.exe | 3
PID 1872 wrote to memory of 1560 | 1872 | 65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exe | 1560 | pub2.exe | 3
PID 1872 wrote to memory of 4904 | 1872 | 65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exe | 4904 | pzyh.exe | 3
PID 4720 wrote to memory of 3704 | 4720 | Files.exe | 3704 | File.exe | 3
PID 2960 wrote to memory of 3688 | 2960 | wf-game.exe | 3688 | rundll32.exe | 3
PID 4904 wrote to memory of 1436 | 4904 | pzyh.exe | 1436 | jfiag3g_gg.exe | 3
PID 2500 wrote to memory of 100 | 2500 | msedge.exe | 100 | msedge.exe | 31
The table is capped at 64 entries, which is why the write from File.exe (3704) into AddInProcess32.exe (1276) that precedes the SetThreadContext call is not listed.
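The WriteProcessMemory and SetThreadContext tables above are the raw material for the process tree that follows, but the flattened form hides the structure. The following is an added example (not part of the report, not the sandbox's code) that parses rows in exactly the run-together form the page shows, rebuilds the spawn graph with per-edge call counts, and flags the one target whose thread context was set by a process with a different image, which is the hollowing case. REPORT_ROWS is rebuilt from the report's own rows; the parser, the graph layout and the hollowing heuristic are this example's assumptions.

```python
"""Rebuild the spawn/injection graph from a flattened sandbox signature table.

Added example, not part of the report. REPORT_ROWS reproduces the rows of the
report's "Suspicious use of WriteProcessMemory" and "Suspicious use of
SetThreadContext" tables, run together as the flattened page reads; the
parser, the graph layout and the hollowing heuristic are this example's own.
"""
import re
from collections import Counter, defaultdict

SAMPLE = "65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exe"


def _wpm(src, dst, src_img, dst_img, n):
    # One row per WriteProcessMemory call, exactly as the sandbox records it.
    return f"PID {src} wrote to memory of {dst} {src} {src_img} {dst_img} " * n


REPORT_ROWS = (
    _wpm(1872, 2676, SAMPLE, "agdsk.exe", 3) + _wpm(1872, 3784, SAMPLE, "jg2_2qua.exe", 3)
    + _wpm(1872, 4856, SAMPLE, "KRSetp.exe", 2) + _wpm(1872, 2500, SAMPLE, "msedge.exe", 2)
    + _wpm(1872, 2960, SAMPLE, "wf-game.exe", 3) + _wpm(2500, 2952, "msedge.exe", "msedge.exe", 2)
    + _wpm(1872, 4720, SAMPLE, "Files.exe", 3) + _wpm(1872, 1560, SAMPLE, "pub2.exe", 3)
    + _wpm(1872, 4904, SAMPLE, "pzyh.exe", 3) + _wpm(4720, 3704, "Files.exe", "File.exe", 3)
    + _wpm(2960, 3688, "wf-game.exe", "rundll32.exe", 3) + _wpm(4904, 1436, "pzyh.exe", "jfiag3g_gg.exe", 3)
    + _wpm(2500, 100, "msedge.exe", "msedge.exe", 31)
    + "PID 3704 set thread context of 1276 3704 File.exe AddInProcess32.exe"
)

ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) (?P<dst>\d+) "
    r"(?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)"
)


def parse_rows(text):
    """Yield (op, src_pid, dst_pid, src_image, dst_image) for every row, repeats included."""
    for m in ROW_RE.finditer(text):
        yield (m["op"], int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"])


def build_graph(rows):
    """pid -> {image, parent, children, wpm_calls, context_set_by}.

    A parent writing into a child it just created is how CreateProcess hands
    over the environment block, so those edges are taken as spawn edges.
    SetThreadContext on another process is not normal; it is recorded
    separately because write-then-set-context on a fresh child is the
    RunPE / process-hollowing sequence. The 64-row cap on the report's table
    means the write into 1276 is absent, so the context edge alone places it.
    """
    g = defaultdict(lambda: {"image": None, "parent": None, "children": set(),
                             "wpm_calls": Counter(), "context_set_by": None})
    for op, src, dst, src_img, dst_img in rows:
        g[src]["image"] = g[src]["image"] or src_img
        g[dst]["image"] = g[dst]["image"] or dst_img
        g[src]["children"].add(dst)
        g[dst]["parent"] = src
        if op == "wrote to memory of":
            g[src]["wpm_calls"][dst] += 1
        else:
            g[dst]["context_set_by"] = src
    return g


def hollowing_candidates(g):
    """Targets whose thread context was set by a process running a different image.

    A browser broker driving its own same-image children is excluded by the
    image comparison; a dropper driving a system binary is not.
    """
    return sorted(pid for pid, n in g.items()
                  if n["context_set_by"] is not None
                  and n["image"] != g[n["context_set_by"]]["image"])


def render_tree(g, pid, depth=0):
    """Indented text tree rooted at pid, with call counts on each spawn edge."""
    node = g[pid]
    tag = f" <- thread context set by {node['context_set_by']}" if node["context_set_by"] else ""
    lines = [f"{'  ' * depth}{node['image']} ({pid}){tag}"]
    for child in sorted(node["children"], key=lambda c: (g[c]["image"], c)):
        sub = render_tree(g, child, depth + 1)
        calls = node["wpm_calls"][child]
        if calls:
            sub[0] += f"  [{calls} WriteProcessMemory calls]"
        lines.extend(sub)
    return lines


if __name__ == "__main__":
    graph = build_graph(parse_rows(REPORT_ROWS))
    print("\n".join(render_tree(graph, 1872)))
    print("hollowing candidates:", hollowing_candidates(graph))
```

The three-calls-per-child pattern from the dropper is ordinary process creation; the single edge that matters is File.exe (3704) into AddInProcess32.exe (1276), which the heuristic isolates because the images differ and because it is the only SetThreadContext in the report.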
Processes
-
(depth 1) C:\Users\Admin\AppData\Local\Temp\65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exe"
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
(depth 2) C:\Users\Admin\AppData\Local\Temp\agdsk.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\agdsk.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
(depth 3) C:\Windows\SysWOW64\cmd.exe
  Command line: cmd.exe /c taskkill /f /im chrome.exe
-
(depth 4) C:\Windows\SysWOW64\taskkill.exe
  Command line: taskkill /f /im chrome.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
(depth 2) C:\Users\Admin\AppData\Local\Temp\jg2_2qua.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\jg2_2qua.exe"
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
-
(depth 2) C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
(depth 2) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1wNij7
  The dropper opens an iplogger.org link in the victim's browser: iplogger is a public link-tracking service, so each infection registers a hit with the victim's IP on the operator's counter. Everything under this node is Edge's own process tree (crashpad, GPU, renderer, utility and installer processes) started by that one launch.
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
(depth 3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x40,0x104,0x7ffc840646f8,0x7ffc84064708,0x7ffc84064718
-
(depth 3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,10384733685519274797,12872205311401849406,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
-
(depth 3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,10384733685519274797,12872205311401849406,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
-
(depth 3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,10384733685519274797,12872205311401849406,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
-
(depth 3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10384733685519274797,12872205311401849406,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
-
(depth 3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10384733685519274797,12872205311401849406,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
-
(depth 3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,10384733685519274797,12872205311401849406,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5520 /prefetch:8
-
(depth 3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10384733685519274797,12872205311401849406,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
-
(depth 3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10384733685519274797,12872205311401849406,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
-
(depth 3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10384733685519274797,12872205311401849406,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
-
(depth 3) C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,10384733685519274797,12872205311401849406,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6348 /prefetch:8
-
(depth 3) C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
- Drops file in Program Files directory
-
(depth 4) C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff75c055460,0x7ff75c055470,0x7ff75c055480
-
(depth 3) C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,10384733685519274797,12872205311401849406,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6348 /prefetch:8
-
(depth 3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,10384733685519274797,12872205311401849406,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1932 /prefetch:8
-
(depth 3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,10384733685519274797,12872205311401849406,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4624 /prefetch:8
-
(depth 3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,10384733685519274797,12872205311401849406,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1844 /prefetch:8
-
(depth 3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,10384733685519274797,12872205311401849406,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4900 /prefetch:2
-
(depth 3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,10384733685519274797,12872205311401849406,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 /prefetch:8
-
(depth 2) C:\Users\Admin\AppData\Local\Temp\wf-game.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\wf-game.exe"
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
(depth 3) C:\Windows\SysWOW64\rundll32.exe
  Command line: "C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install
- Loads dropped DLL
-
(depth 4) C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 604
- Program crash
-
(depth 2) C:\Users\Admin\AppData\Local\Temp\Files.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Files.exe"
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
(depth 3) C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe"
  RarSFX0 is the temporary directory a WinRAR self-extracting archive unpacks into, so Files.exe is an SFX wrapper around this File.exe, the RedLine injector.
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
-
(depth 4) C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
-
(depth 4) C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
- Suspicious use of AdjustPrivilegeToken
-
(depth 3) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1jF6h7
-
(depth 4) C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc840646f8,0x7ffc84064708,0x7ffc84064718
-
(depth 2) C:\Users\Admin\AppData\Local\Temp\pub2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\pub2.exe"
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
(depth 2) C:\Users\Admin\AppData\Local\Temp\pzyh.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\pzyh.exe"
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
(depth 3) C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
- Executes dropped EXE
-
(depth 3) C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
(depth 1) C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3688 -ip 3688
-
(depth 1) C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
-
(depth 1) C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
- Suspicious use of AdjustPrivilegeToken
-
(depth 1) C:\Users\Admin\AppData\Roaming\wjiruds
  Command line: C:\Users\Admin\AppData\Roaming\wjiruds
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files\install.datMD5
ce4edc37812280e3dba2ffdc16812e59
SHA1bf120044b67b2615e50c5fb6861aec3bac0be169
SHA2569eb0157b943b5fd9352f4da058af6c2b499b5a4c1296b3d10bc256d36f2b8232
SHA5129eb3a7dc91ebd55409a3a35d2a04f2b00b8c54dba05aafab171e6bda4b9b6f45740347c29d0dce0b7255b6ff99c30acd348775ba5802aec553e82ed85d681cfc
-
C:\Program Files\install.dllMD5
fe60ddbeab6e50c4f490ddf56b52057c
SHA16a71fdf73761a1192fd9c6961f66754a63d6db17
SHA2569fcfa73600ff1b588015ffa20779cec6714e48ee6ae15db8766f7ffd5ee3031d
SHA5120113b47ba1a33a2f597a26c9b66435483373cde4edb183e0e92abef8ed003743f426ba5ffe25a5807c030cc14d8a95d73aa6af95a85f44a86dd40264ecb96536
-
C:\Program Files\install.dllMD5
fe60ddbeab6e50c4f490ddf56b52057c
SHA16a71fdf73761a1192fd9c6961f66754a63d6db17
SHA2569fcfa73600ff1b588015ffa20779cec6714e48ee6ae15db8766f7ffd5ee3031d
SHA5120113b47ba1a33a2f597a26c9b66435483373cde4edb183e0e92abef8ed003743f426ba5ffe25a5807c030cc14d8a95d73aa6af95a85f44a86dd40264ecb96536
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datMD5
3b3ae2b28ae533bf89071e80738c60b3
SHA1339000c34cbaeced8672524882a69c2e7d87a95d
SHA256d8723fc8a20413de9be784f0903c3a1e663b482b6a192238aebc3c3fd096813a
SHA5125eee26d2d12e9169816d9a14e00972f93e1c6272e6c3a427667a92ffe7bfb403bbbb2269aedba57969473b98bc807f2e5c7f52635d8ce54d03c62aa2bec7a6a6
-
C:\Users\Admin\AppData\Local\Temp\CC4F.tmpMD5
4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1e16506f662dc92023bf82def1d621497c8ab5890
SHA256767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA5129da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219
-
C:\Users\Admin\AppData\Local\Temp\CC4F.tmpMD5
4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1e16506f662dc92023bf82def1d621497c8ab5890
SHA256767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA5129da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219
-
C:\Users\Admin\AppData\Local\Temp\CC4F.tmpMD5
4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1e16506f662dc92023bf82def1d621497c8ab5890
SHA256767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA5129da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219
-
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5 ac13fe6fa9e0e88af75769e2e8674f62
SHA1 6aa959f4370f60aec8974d5db2aafe535740a07c
SHA256 11116827e29d4db9fa5e5ae0459c3f418894c327abb5390403f115ee3271085c
SHA512 fe63f4b270cdc915dfaea2b28c7f0dacfca451a9b92fe0bd08b5b12b0c47f2b2a0809d1488cf14d2e18077fc6bec5c9694baacb1b3128b42838cea67005c7135
-
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5 a199eeae641123b90111db3339e15970
SHA1 ae27d9b58ecfb0146121f4a8e53ff66b6e9c200e
SHA256 20723de3b8f48e17551a48423d4cc5cb0ace3c6517260cf05107c617652296ea
SHA512 50ad556d0bbcea510b26c58436488d44697feaa70f6a36c41d1fe5d07a6c0236899911c89e9af79c52919cd8ef751a471ab21af77c516d97da1b2f44120555ee
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
MD5 67c611b3daf797c73cea3e380af677e6
SHA1 4fc710a0047b19c5d4c1e5d34d9820e3209994b6
SHA256 61cc88a82d2ca02a46b69d2c7777ed8926c905caec8d0002ace7e91d83c3bd19
SHA512 39ccf07d9787b58c803149c89aa8668ded3c501e07afe397b0439a4219d039d5a4b53d3ce4c91c05f9a880b6fc90f75a5fb0aa2229eb1d0d32b68bd3ca5879c6
-
C:\Users\Admin\AppData\Local\Temp\agdsk.exe
MD5 53f9570b38f020cfca3f1ff6c274ad3d
SHA1 96910fbf8a83816c804e2e0daf70d6fcdcc11657
SHA256 32ac26c29131d682d7d02accf5235858e249f792b76e5a34b153f05a3c97e391
SHA512 5e86af31fe8f9f09fc510fdb593adc4d4b7bf6fb02c8deec9c157acbd4c248e7a62d2f90eedfd396e9c8b2dd2429486561a7742e38eb64fe3e2b9874d3b0edb3
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5 23cccb28b7513fecb99a7f5af26f8c56
SHA1 b1bc8b55c033116252e8304c05b0b0bb5eae711a
SHA256 19e395e1160ff1f1dc2b985bd30e858c8ab1739e94996cefef3c8f31a5298b3e
SHA512 33965685e6bbcec8f3edfae9131e3f49b29288cb62d9c87b492d8d3c42b850622b3fb4b46ace89b276b320a70f406c60cde3e71459b8f334c5deee1344145038
-
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5 b7161c0845a64ff6d7345b67ff97f3b0
SHA1 d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256 fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA512 98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5 a6279ec92ff948760ce53bba817d6a77
SHA1 5345505e12f9e4c6d569a226d50e71b5a572dce2
SHA256 8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512 213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5 7fee8223d6e4f82d6cd115a28f0b6d58
SHA1 1b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256 a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA512 3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4
-
C:\Users\Admin\AppData\Local\Temp\jg2_2qua.exe
MD5 cab26fc1758257aac89b39dcceeb37b0
SHA1 d030ca491156038a4da2c3858e08f0299cf79860
SHA256 2493a872d48776117481536841a532b347705c289af4f5aaf87b86e51718a8ec
SHA512 c88a0b96f5037af4e15daefc7450baa9fa68ecc387995233cdcde5b6057f3804c862aaa1347014058dcdbc96f2d90f54b1bfd903cf6a7b77750abefa80c76511
-
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5 24928d3f2feba02122945825c8ec7696
SHA1 c9aa0afcbe98a7e7160f6253a3254f87667a6ef8
SHA256 b1e3975d018e0e08f5f36712be5715206d71b0929d62063e38505018c65e85e4
SHA512 757b3ee16070457cc55d66f5409f55e9bcf06f09d3255a660176ecaa9740a3829d6ce598daa0855ff7a35837d7ffd6f1e1c75941d1f297fc2c930b58ecf9c87c
-
C:\Users\Admin\AppData\Local\Temp\pzyh.exe
MD5 8cbde3982249e20a6f564eb414f06fe4
SHA1 6d040b6c0f9d10b07f0b63797aa7bfabf0703925
SHA256 4a8a37d0010b2a946e9b202ea07d8b93a29a3ea9a56852678307076e10999c83
SHA512 d84863489b5fb2d17ee1df47de735a88d510bb8f5e378126243e34edb017d3ed82807c7dbd5cf6a977601f0e440be12e680679f1ce472619fd0ebbe9579c3e1b
-
C:\Users\Admin\AppData\Local\Temp\wf-game.exe
MD5 c1b25b8c04a1b1d5671967483d5d31e3
SHA1 8db403d3971f294bfa7956b01d817fffd66d725b
SHA256 f48aeb3f828205c83292eb87d3726d39549a329b820908e0251fac875c26fe44
SHA512 c26374017700dcf103132c4e8591c931146b063544414fbc8a05426f30e27a9b255cf4b3bf9918c1212d819562dd5bf6ace0113d66be42f31c7409e47475bf2d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk
MD5 e00b7c372a28412a16509516ef57ddb0
SHA1 84b1a84932a75ca14bf1a66580f8a49032526228
SHA256 89015d68f0eae20faa7c7dc74b23e976b6a55e2f0131c83ae93277c3fa9b6544
SHA512 b988cbf3942649c97710dca26adb07271eabfbb39a02329aba59d0d2d05f8450136cb7ff945ee4b34cfe12748e9281f7792c476512c7b7147f82521e3c279bef
-
C:\Users\Admin\AppData\Roaming\wjiruds
MD5 24928d3f2feba02122945825c8ec7696
SHA1 c9aa0afcbe98a7e7160f6253a3254f87667a6ef8
SHA256 b1e3975d018e0e08f5f36712be5715206d71b0929d62063e38505018c65e85e4
SHA512 757b3ee16070457cc55d66f5409f55e9bcf06f09d3255a660176ecaa9740a3829d6ce598daa0855ff7a35837d7ffd6f1e1c75941d1f297fc2c930b58ecf9c87c
-
C:\Users\Admin\Desktop\Microsoft Edge.lnk
MD5 d1874d5d3b8163e51d601e30faf9ac77
SHA1 9b6204a85225990545fe53c4e12fe327dba93233
SHA256 a6f054e89ea186d107a04a170e389b79cebcf9e1e3edbeb552b736d2898a1fa5
SHA512 3241998f655e008332fe13d0b3c2af0ee20c18c2cf91dd3470aa7daee05078c42d1cadde24e87ae5a4da057164f52e57bd29651c3fbc4320bafc5f7a53109ca5
-
\??\c:\users\admin\appdata\local\microsoft\edge\user data\default\edge profile.ico
MD5 e5e3377341056643b0494b6842c0b544
SHA1 d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256 e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA512 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
\??\pipe\LOCAL\crashpad_2500_CXAIJVXSBZIXSOYN
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/100-161-0x00007FFCA2B90000-0x00007FFCA2B91000-memory.dmp
Filesize 4KB
-
memory/1276-187-0x0000000005540000-0x0000000005552000-memory.dmp
Filesize 72KB
-
memory/1276-191-0x0000000071100000-0x00000000718B0000-memory.dmp
Filesize 7.7MB
-
memory/1276-185-0x0000000000400000-0x000000000041C000-memory.dmp
Filesize 112KB
-
memory/1276-186-0x0000000005B20000-0x0000000006138000-memory.dmp
Filesize 6.1MB
-
memory/1276-193-0x0000000005850000-0x000000000595A000-memory.dmp
Filesize 1.0MB
-
memory/1276-188-0x00000000055A0000-0x00000000055DC000-memory.dmp
Filesize 240KB
-
memory/1276-192-0x0000000005500000-0x0000000005B18000-memory.dmp
Filesize 6.1MB
-
memory/1560-175-0x00000000004E0000-0x00000000004E9000-memory.dmp
Filesize 36KB
-
memory/1560-173-0x0000000000529000-0x0000000000532000-memory.dmp
Filesize 36KB
-
memory/1560-158-0x0000000000529000-0x0000000000532000-memory.dmp
Filesize 36KB
-
memory/1560-176-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize 672KB
-
memory/2600-179-0x0000000002270000-0x0000000002285000-memory.dmp
Filesize 84KB
-
memory/2600-307-0x0000000000840000-0x0000000000855000-memory.dmp
Filesize 84KB
-
memory/3332-303-0x0000000000530000-0x0000000000630000-memory.dmp
Filesize 1024KB
-
memory/3332-304-0x0000000000400000-0x00000000004A8000-memory.dmp
Filesize 672KB
-
memory/3704-156-0x00000000056B0000-0x0000000005742000-memory.dmp
Filesize 584KB
-
memory/3704-159-0x00000000055F0000-0x00000000055FA000-memory.dmp
Filesize 40KB
-
memory/3704-184-0x0000000006840000-0x0000000006D6C000-memory.dmp
Filesize 5.2MB
-
memory/3704-152-0x0000000000D10000-0x0000000000D88000-memory.dmp
Filesize 480KB
-
memory/3704-155-0x0000000005C60000-0x0000000006204000-memory.dmp
Filesize 5.6MB
-
memory/3704-157-0x0000000071100000-0x00000000718B0000-memory.dmp
Filesize 7.7MB
-
memory/3784-211-0x00000000043C0000-0x00000000043C8000-memory.dmp
Filesize 32KB
-
memory/3784-213-0x0000000004070000-0x0000000004078000-memory.dmp
Filesize 32KB
-
memory/3784-212-0x0000000004070000-0x0000000004078000-memory.dmp
Filesize 32KB
-
memory/3784-200-0x0000000003760000-0x0000000003770000-memory.dmp
Filesize 64KB
-
memory/3784-194-0x0000000003400000-0x0000000003410000-memory.dmp
Filesize 64KB
-
memory/3784-245-0x0000000004190000-0x0000000004198000-memory.dmp
Filesize 32KB
-
memory/3784-207-0x0000000004050000-0x0000000004058000-memory.dmp
Filesize 32KB
-
memory/3784-210-0x00000000043A0000-0x00000000043A8000-memory.dmp
Filesize 32KB
-
memory/3784-209-0x0000000004110000-0x0000000004118000-memory.dmp
Filesize 32KB
-
memory/3784-208-0x0000000004070000-0x0000000004078000-memory.dmp
Filesize 32KB
-
memory/4856-145-0x00007FFC830B0000-0x00007FFC83B71000-memory.dmp
Filesize 10.8MB
-
memory/4856-136-0x0000000000210000-0x0000000000240000-memory.dmp
Filesize 192KB
-
memory/4856-146-0x0000000002360000-0x0000000002362000-memory.dmp
Filesize 8KB