redline | 65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895

Analysis

max time kernel
153s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
10-03-2022 04:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exe
Size

3.3MB
MD5

e0540d7ccaa8ec50bc5bc3dda4b9f116
SHA1

695e7607f8e330bb27a2700c77c16377deedbd29
SHA256

65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895
SHA512

f6afad052b2e3bab54a648e82ef5c4863e2cd5963099e79f0061d342fd11027a1985fce0d7f7c3fc54639186caaa144eff5fc647236a411317d97a8a164c2ca2

Score

10^/10

redline smokeloader socelars v10 backdoor evasion infostealer persistence spyware stealer suricata trojan upx

Malware Config

Extracted

Family

socelars

http://www.fddnice.pw/

http://www.sokoinfo.pw/

http://www.zzhlike.pw/

http://www.wygexde.xyz/

Extracted

Family

smokeloader

Version

2020

http://al-commandoz.com/upload/

http://antalya-belek.com/upload/

http://luxurysv.com/upload/

http://massagespijkenisse.com/upload/

http://rexgorellhondaevent.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

v10

199.195.251.96:43073

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1276-185-0x0000000000400000-0x000000000041C000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\agdsk.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\agdsk.exe	family_socelars

suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
suricata

Executes dropped EXE 11 IoCs

Processes:

agdsk.exejg2_2qua.exeKRSetp.exewf-game.exeFiles.exepub2.exepzyh.exeFile.exejfiag3g_gg.exejfiag3g_gg.exewjiruds

pid	process
2676	agdsk.exe
3784	jg2_2qua.exe
4856	KRSetp.exe
2960	wf-game.exe
4720	Files.exe
1560	pub2.exe
4904	pzyh.exe
3704	File.exe
1436	jfiag3g_gg.exe
1748	jfiag3g_gg.exe
3332	wjiruds

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exeFiles.exewf-game.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Files.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	wf-game.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exepub2.exewjiruds

pid process

3688 rundll32.exe
1560 pub2.exe
3332 wjiruds
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3688	rundll32.exe
1560	pub2.exe
3332	wjiruds

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

pzyh.exemsedge.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.e"	pzyh.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

jg2_2qua.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA jg2_2qua.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

8 ip-api.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

File.exe

description pid process target process

PID 3704 set thread context of 1276 3704 File.exe AddInProcess32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg2_2qua.exe

flow	ioc
8	ip-api.com

description	pid	process	target process
PID 3704 set thread context of 1276	3704	File.exe	AddInProcess32.exe

Drops file in Program Files directory 5 IoCs

Processes:

setup.exewf-game.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220129011019.pma	setup.exe
File created	C:\Program Files\hprof.dll	wf-game.exe
File created	C:\Program Files\install.dat	wf-game.exe
File created	C:\Program Files\install.dll	wf-game.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\dccbd312-d634-4f0a-902e-da5f62116434.tmp	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2420 3688 WerFault.exe rundll32.exe

pid	pid_target	process	target process
2420	3688	WerFault.exe	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

wjirudspub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wjiruds
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wjiruds
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	wjiruds
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1548 taskkill.exe

pid	process
1548	taskkill.exe

Modifies registry class 4 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exepub2.exejfiag3g_gg.exe

pid	process
308	msedge.exe
308	msedge.exe
2500	msedge.exe
2500	msedge.exe
1560	pub2.exe
1560	pub2.exe
1748	jfiag3g_gg.exe
1748	jfiag3g_gg.exe
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600
2600

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

pub2.exewjiruds

pid process

1560 pub2.exe
3332 wjiruds
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

msedge.exe

pid process

2500 msedge.exe
2500 msedge.exe
2500 msedge.exe
2500 msedge.exe
2500 msedge.exe

pid	process
1560	pub2.exe
3332	wjiruds

pid	process
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

agdsk.exeKRSetp.exetaskkill.exeFile.exejg2_2qua.exeAddInProcess32.exesvchost.exe

description	pid	process
Token: SeCreateTokenPrivilege	2676	agdsk.exe
Token: SeAssignPrimaryTokenPrivilege	2676	agdsk.exe
Token: SeLockMemoryPrivilege	2676	agdsk.exe
Token: SeIncreaseQuotaPrivilege	2676	agdsk.exe
Token: SeMachineAccountPrivilege	2676	agdsk.exe
Token: SeTcbPrivilege	2676	agdsk.exe
Token: SeSecurityPrivilege	2676	agdsk.exe
Token: SeTakeOwnershipPrivilege	2676	agdsk.exe
Token: SeLoadDriverPrivilege	2676	agdsk.exe
Token: SeSystemProfilePrivilege	2676	agdsk.exe
Token: SeSystemtimePrivilege	2676	agdsk.exe
Token: SeProfSingleProcessPrivilege	2676	agdsk.exe
Token: SeIncBasePriorityPrivilege	2676	agdsk.exe
Token: SeCreatePagefilePrivilege	2676	agdsk.exe
Token: SeCreatePermanentPrivilege	2676	agdsk.exe
Token: SeBackupPrivilege	2676	agdsk.exe
Token: SeRestorePrivilege	2676	agdsk.exe
Token: SeShutdownPrivilege	2676	agdsk.exe
Token: SeDebugPrivilege	2676	agdsk.exe
Token: SeAuditPrivilege	2676	agdsk.exe
Token: SeSystemEnvironmentPrivilege	2676	agdsk.exe
Token: SeChangeNotifyPrivilege	2676	agdsk.exe
Token: SeRemoteShutdownPrivilege	2676	agdsk.exe
Token: SeUndockPrivilege	2676	agdsk.exe
Token: SeSyncAgentPrivilege	2676	agdsk.exe
Token: SeEnableDelegationPrivilege	2676	agdsk.exe
Token: SeManageVolumePrivilege	2676	agdsk.exe
Token: SeImpersonatePrivilege	2676	agdsk.exe
Token: SeCreateGlobalPrivilege	2676	agdsk.exe
Token: 31	2676	agdsk.exe
Token: 32	2676	agdsk.exe
Token: 33	2676	agdsk.exe
Token: 34	2676	agdsk.exe
Token: 35	2676	agdsk.exe
Token: SeDebugPrivilege	4856	KRSetp.exe
Token: SeDebugPrivilege	1548	taskkill.exe
Token: SeShutdownPrivilege	2600
Token: SeCreatePagefilePrivilege	2600
Token: SeDebugPrivilege	3704	File.exe
Token: SeShutdownPrivilege	2600
Token: SeCreatePagefilePrivilege	2600
Token: SeShutdownPrivilege	2600
Token: SeCreatePagefilePrivilege	2600
Token: SeShutdownPrivilege	2600
Token: SeCreatePagefilePrivilege	2600
Token: SeShutdownPrivilege	2600
Token: SeCreatePagefilePrivilege	2600
Token: SeManageVolumePrivilege	3784	jg2_2qua.exe
Token: SeManageVolumePrivilege	3784	jg2_2qua.exe
Token: SeDebugPrivilege	1276	AddInProcess32.exe
Token: SeShutdownPrivilege	2600
Token: SeCreatePagefilePrivilege	2600
Token: SeTcbPrivilege	4756	svchost.exe
Token: SeTcbPrivilege	4756	svchost.exe
Token: SeTcbPrivilege	4756	svchost.exe
Token: SeTcbPrivilege	4756	svchost.exe
Token: SeTcbPrivilege	4756	svchost.exe
Token: SeShutdownPrivilege	2600
Token: SeCreatePagefilePrivilege	2600
Token: SeShutdownPrivilege	2600
Token: SeCreatePagefilePrivilege	2600
Token: SeShutdownPrivilege	2600
Token: SeCreatePagefilePrivilege	2600
Token: SeShutdownPrivilege	2600

Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

msedge.exe

pid process

2500 msedge.exe
2500 msedge.exe
2500 msedge.exe
2600
2600
2600
2600
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

wf-game.exe

pid process

2960 wf-game.exe
2960 wf-game.exe

pid	process
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2600
2600
2600
2600

pid	process
2960	wf-game.exe
2960	wf-game.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exemsedge.exeFiles.exewf-game.exepzyh.exe

description	pid	process	target process
PID 1872 wrote to memory of 2676	1872	65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exe	agdsk.exe
PID 1872 wrote to memory of 2676	1872	65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exe	agdsk.exe
PID 1872 wrote to memory of 2676	1872	65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exe	agdsk.exe
PID 1872 wrote to memory of 3784	1872	65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exe	jg2_2qua.exe
PID 1872 wrote to memory of 3784	1872	65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exe	jg2_2qua.exe
PID 1872 wrote to memory of 3784	1872	65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exe	jg2_2qua.exe
PID 1872 wrote to memory of 4856	1872	65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exe	KRSetp.exe
PID 1872 wrote to memory of 4856	1872	65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exe	KRSetp.exe
PID 1872 wrote to memory of 2500	1872	65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exe	msedge.exe
PID 1872 wrote to memory of 2500	1872	65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exe	msedge.exe
PID 1872 wrote to memory of 2960	1872	65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exe	wf-game.exe
PID 1872 wrote to memory of 2960	1872	65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exe	wf-game.exe
PID 1872 wrote to memory of 2960	1872	65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exe	wf-game.exe
PID 2500 wrote to memory of 2952	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 2952	2500	msedge.exe	msedge.exe
PID 1872 wrote to memory of 4720	1872	65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exe	Files.exe
PID 1872 wrote to memory of 4720	1872	65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exe	Files.exe
PID 1872 wrote to memory of 4720	1872	65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exe	Files.exe
PID 1872 wrote to memory of 1560	1872	65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exe	pub2.exe
PID 1872 wrote to memory of 1560	1872	65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exe	pub2.exe
PID 1872 wrote to memory of 1560	1872	65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exe	pub2.exe
PID 1872 wrote to memory of 4904	1872	65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exe	pzyh.exe
PID 1872 wrote to memory of 4904	1872	65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exe	pzyh.exe
PID 1872 wrote to memory of 4904	1872	65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exe	pzyh.exe
PID 4720 wrote to memory of 3704	4720	Files.exe	File.exe
PID 4720 wrote to memory of 3704	4720	Files.exe	File.exe
PID 4720 wrote to memory of 3704	4720	Files.exe	File.exe
PID 2960 wrote to memory of 3688	2960	wf-game.exe	rundll32.exe
PID 2960 wrote to memory of 3688	2960	wf-game.exe	rundll32.exe
PID 2960 wrote to memory of 3688	2960	wf-game.exe	rundll32.exe
PID 4904 wrote to memory of 1436	4904	pzyh.exe	jfiag3g_gg.exe
PID 4904 wrote to memory of 1436	4904	pzyh.exe	jfiag3g_gg.exe
PID 4904 wrote to memory of 1436	4904	pzyh.exe	jfiag3g_gg.exe
PID 2500 wrote to memory of 100	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 100	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 100	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 100	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 100	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 100	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 100	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 100	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 100	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 100	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 100	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 100	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 100	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 100	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 100	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 100	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 100	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 100	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 100	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 100	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 100	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 100	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 100	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 100	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 100	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 100	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 100	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 100	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 100	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 100	2500	msedge.exe	msedge.exe
PID 2500 wrote to memory of 100	2500	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exe
"C:\Users\Admin\AppData\Local\Temp\65a18ab8105d99073a22fa64a5adf61852829046019e47e9cc5a20c37271d895.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1872

C:\Users\Admin\AppData\Local\Temp\agdsk.exe
"C:\Users\Admin\AppData\Local\Temp\agdsk.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
PID:3268

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Users\Admin\AppData\Local\Temp\jg2_2qua.exe
"C:\Users\Admin\AppData\Local\Temp\jg2_2qua.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:3784

C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1wNij7
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x40,0x104,0x7ffc840646f8,0x7ffc84064708,0x7ffc84064718
3⤵
PID:2952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,10384733685519274797,12872205311401849406,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
3⤵
PID:100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,10384733685519274797,12872205311401849406,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,10384733685519274797,12872205311401849406,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
3⤵
PID:1856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10384733685519274797,12872205311401849406,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
3⤵
PID:2880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10384733685519274797,12872205311401849406,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
3⤵
PID:4292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,10384733685519274797,12872205311401849406,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5520 /prefetch:8
3⤵
PID:4744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10384733685519274797,12872205311401849406,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
3⤵
PID:3112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10384733685519274797,12872205311401849406,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
3⤵
PID:1920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,10384733685519274797,12872205311401849406,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
3⤵
PID:3028

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,10384733685519274797,12872205311401849406,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6348 /prefetch:8
3⤵
PID:3448

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:1784

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff75c055460,0x7ff75c055470,0x7ff75c055480
4⤵
PID:2136

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,10384733685519274797,12872205311401849406,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6348 /prefetch:8
3⤵
PID:4120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,10384733685519274797,12872205311401849406,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1932 /prefetch:8
3⤵
PID:4600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,10384733685519274797,12872205311401849406,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4624 /prefetch:8
3⤵
PID:5060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,10384733685519274797,12872205311401849406,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1844 /prefetch:8
3⤵
PID:4408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,10384733685519274797,12872205311401849406,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4900 /prefetch:2
3⤵
PID:2124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2108,10384733685519274797,12872205311401849406,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 /prefetch:8
3⤵
PID:3656

C:\Users\Admin\AppData\Local\Temp\wf-game.exe
"C:\Users\Admin\AppData\Local\Temp\wf-game.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Program Files\install.dll",install
3⤵
- Loads dropped DLL
PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3688 -s 604
4⤵
- Program crash
PID:2420

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4720

C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3704

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
4⤵
PID:4620

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1jF6h7
3⤵
PID:1080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc840646f8,0x7ffc84064708,0x7ffc84064718
4⤵
PID:3188

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1560

C:\Users\Admin\AppData\Local\Temp\pzyh.exe
"C:\Users\Admin\AppData\Local\Temp\pzyh.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4904

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:1436

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3688 -ip 3688
1⤵
PID:4804

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4756

C:\Users\Admin\AppData\Roaming\wjiruds
C:\Users\Admin\AppData\Roaming\wjiruds
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3332

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\install.dat
MD5
ce4edc37812280e3dba2ffdc16812e59

SHA1
bf120044b67b2615e50c5fb6861aec3bac0be169

SHA256
9eb0157b943b5fd9352f4da058af6c2b499b5a4c1296b3d10bc256d36f2b8232

SHA512
9eb3a7dc91ebd55409a3a35d2a04f2b00b8c54dba05aafab171e6bda4b9b6f45740347c29d0dce0b7255b6ff99c30acd348775ba5802aec553e82ed85d681cfc

Download Submit
C:\Program Files\install.dll
MD5
fe60ddbeab6e50c4f490ddf56b52057c

SHA1
6a71fdf73761a1192fd9c6961f66754a63d6db17

SHA256
9fcfa73600ff1b588015ffa20779cec6714e48ee6ae15db8766f7ffd5ee3031d

SHA512
0113b47ba1a33a2f597a26c9b66435483373cde4edb183e0e92abef8ed003743f426ba5ffe25a5807c030cc14d8a95d73aa6af95a85f44a86dd40264ecb96536

Download Submit
C:\Program Files\install.dll
MD5
fe60ddbeab6e50c4f490ddf56b52057c

SHA1
6a71fdf73761a1192fd9c6961f66754a63d6db17

SHA256
9fcfa73600ff1b588015ffa20779cec6714e48ee6ae15db8766f7ffd5ee3031d

SHA512
0113b47ba1a33a2f597a26c9b66435483373cde4edb183e0e92abef8ed003743f426ba5ffe25a5807c030cc14d8a95d73aa6af95a85f44a86dd40264ecb96536

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
3b3ae2b28ae533bf89071e80738c60b3

SHA1
339000c34cbaeced8672524882a69c2e7d87a95d

SHA256
d8723fc8a20413de9be784f0903c3a1e663b482b6a192238aebc3c3fd096813a

SHA512
5eee26d2d12e9169816d9a14e00972f93e1c6272e6c3a427667a92ffe7bfb403bbbb2269aedba57969473b98bc807f2e5c7f52635d8ce54d03c62aa2bec7a6a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC4F.tmp
MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC4F.tmp
MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC4F.tmp
MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
ac13fe6fa9e0e88af75769e2e8674f62

SHA1
6aa959f4370f60aec8974d5db2aafe535740a07c

SHA256
11116827e29d4db9fa5e5ae0459c3f418894c327abb5390403f115ee3271085c

SHA512
fe63f4b270cdc915dfaea2b28c7f0dacfca451a9b92fe0bd08b5b12b0c47f2b2a0809d1488cf14d2e18077fc6bec5c9694baacb1b3128b42838cea67005c7135

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
ac13fe6fa9e0e88af75769e2e8674f62

SHA1
6aa959f4370f60aec8974d5db2aafe535740a07c

SHA256
11116827e29d4db9fa5e5ae0459c3f418894c327abb5390403f115ee3271085c

SHA512
fe63f4b270cdc915dfaea2b28c7f0dacfca451a9b92fe0bd08b5b12b0c47f2b2a0809d1488cf14d2e18077fc6bec5c9694baacb1b3128b42838cea67005c7135

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
a199eeae641123b90111db3339e15970

SHA1
ae27d9b58ecfb0146121f4a8e53ff66b6e9c200e

SHA256
20723de3b8f48e17551a48423d4cc5cb0ace3c6517260cf05107c617652296ea

SHA512
50ad556d0bbcea510b26c58436488d44697feaa70f6a36c41d1fe5d07a6c0236899911c89e9af79c52919cd8ef751a471ab21af77c516d97da1b2f44120555ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
a199eeae641123b90111db3339e15970

SHA1
ae27d9b58ecfb0146121f4a8e53ff66b6e9c200e

SHA256
20723de3b8f48e17551a48423d4cc5cb0ace3c6517260cf05107c617652296ea

SHA512
50ad556d0bbcea510b26c58436488d44697feaa70f6a36c41d1fe5d07a6c0236899911c89e9af79c52919cd8ef751a471ab21af77c516d97da1b2f44120555ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
MD5
67c611b3daf797c73cea3e380af677e6

SHA1
4fc710a0047b19c5d4c1e5d34d9820e3209994b6

SHA256
61cc88a82d2ca02a46b69d2c7777ed8926c905caec8d0002ace7e91d83c3bd19

SHA512
39ccf07d9787b58c803149c89aa8668ded3c501e07afe397b0439a4219d039d5a4b53d3ce4c91c05f9a880b6fc90f75a5fb0aa2229eb1d0d32b68bd3ca5879c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
MD5
67c611b3daf797c73cea3e380af677e6

SHA1
4fc710a0047b19c5d4c1e5d34d9820e3209994b6

SHA256
61cc88a82d2ca02a46b69d2c7777ed8926c905caec8d0002ace7e91d83c3bd19

SHA512
39ccf07d9787b58c803149c89aa8668ded3c501e07afe397b0439a4219d039d5a4b53d3ce4c91c05f9a880b6fc90f75a5fb0aa2229eb1d0d32b68bd3ca5879c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\agdsk.exe
MD5
53f9570b38f020cfca3f1ff6c274ad3d

SHA1
96910fbf8a83816c804e2e0daf70d6fcdcc11657

SHA256
32ac26c29131d682d7d02accf5235858e249f792b76e5a34b153f05a3c97e391

SHA512
5e86af31fe8f9f09fc510fdb593adc4d4b7bf6fb02c8deec9c157acbd4c248e7a62d2f90eedfd396e9c8b2dd2429486561a7742e38eb64fe3e2b9874d3b0edb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\agdsk.exe
MD5
53f9570b38f020cfca3f1ff6c274ad3d

SHA1
96910fbf8a83816c804e2e0daf70d6fcdcc11657

SHA256
32ac26c29131d682d7d02accf5235858e249f792b76e5a34b153f05a3c97e391

SHA512
5e86af31fe8f9f09fc510fdb593adc4d4b7bf6fb02c8deec9c157acbd4c248e7a62d2f90eedfd396e9c8b2dd2429486561a7742e38eb64fe3e2b9874d3b0edb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
23cccb28b7513fecb99a7f5af26f8c56

SHA1
b1bc8b55c033116252e8304c05b0b0bb5eae711a

SHA256
19e395e1160ff1f1dc2b985bd30e858c8ab1739e94996cefef3c8f31a5298b3e

SHA512
33965685e6bbcec8f3edfae9131e3f49b29288cb62d9c87b492d8d3c42b850622b3fb4b46ace89b276b320a70f406c60cde3e71459b8f334c5deee1344145038

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jg2_2qua.exe
MD5
cab26fc1758257aac89b39dcceeb37b0

SHA1
d030ca491156038a4da2c3858e08f0299cf79860

SHA256
2493a872d48776117481536841a532b347705c289af4f5aaf87b86e51718a8ec

SHA512
c88a0b96f5037af4e15daefc7450baa9fa68ecc387995233cdcde5b6057f3804c862aaa1347014058dcdbc96f2d90f54b1bfd903cf6a7b77750abefa80c76511

Download Submit
C:\Users\Admin\AppData\Local\Temp\jg2_2qua.exe
MD5
cab26fc1758257aac89b39dcceeb37b0

SHA1
d030ca491156038a4da2c3858e08f0299cf79860

SHA256
2493a872d48776117481536841a532b347705c289af4f5aaf87b86e51718a8ec

SHA512
c88a0b96f5037af4e15daefc7450baa9fa68ecc387995233cdcde5b6057f3804c862aaa1347014058dcdbc96f2d90f54b1bfd903cf6a7b77750abefa80c76511

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
24928d3f2feba02122945825c8ec7696

SHA1
c9aa0afcbe98a7e7160f6253a3254f87667a6ef8

SHA256
b1e3975d018e0e08f5f36712be5715206d71b0929d62063e38505018c65e85e4

SHA512
757b3ee16070457cc55d66f5409f55e9bcf06f09d3255a660176ecaa9740a3829d6ce598daa0855ff7a35837d7ffd6f1e1c75941d1f297fc2c930b58ecf9c87c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
24928d3f2feba02122945825c8ec7696

SHA1
c9aa0afcbe98a7e7160f6253a3254f87667a6ef8

SHA256
b1e3975d018e0e08f5f36712be5715206d71b0929d62063e38505018c65e85e4

SHA512
757b3ee16070457cc55d66f5409f55e9bcf06f09d3255a660176ecaa9740a3829d6ce598daa0855ff7a35837d7ffd6f1e1c75941d1f297fc2c930b58ecf9c87c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pzyh.exe
MD5
8cbde3982249e20a6f564eb414f06fe4

SHA1
6d040b6c0f9d10b07f0b63797aa7bfabf0703925

SHA256
4a8a37d0010b2a946e9b202ea07d8b93a29a3ea9a56852678307076e10999c83

SHA512
d84863489b5fb2d17ee1df47de735a88d510bb8f5e378126243e34edb017d3ed82807c7dbd5cf6a977601f0e440be12e680679f1ce472619fd0ebbe9579c3e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pzyh.exe
MD5
8cbde3982249e20a6f564eb414f06fe4

SHA1
6d040b6c0f9d10b07f0b63797aa7bfabf0703925

SHA256
4a8a37d0010b2a946e9b202ea07d8b93a29a3ea9a56852678307076e10999c83

SHA512
d84863489b5fb2d17ee1df47de735a88d510bb8f5e378126243e34edb017d3ed82807c7dbd5cf6a977601f0e440be12e680679f1ce472619fd0ebbe9579c3e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wf-game.exe
MD5
c1b25b8c04a1b1d5671967483d5d31e3

SHA1
8db403d3971f294bfa7956b01d817fffd66d725b

SHA256
f48aeb3f828205c83292eb87d3726d39549a329b820908e0251fac875c26fe44

SHA512
c26374017700dcf103132c4e8591c931146b063544414fbc8a05426f30e27a9b255cf4b3bf9918c1212d819562dd5bf6ace0113d66be42f31c7409e47475bf2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wf-game.exe
MD5
c1b25b8c04a1b1d5671967483d5d31e3

SHA1
8db403d3971f294bfa7956b01d817fffd66d725b

SHA256
f48aeb3f828205c83292eb87d3726d39549a329b820908e0251fac875c26fe44

SHA512
c26374017700dcf103132c4e8591c931146b063544414fbc8a05426f30e27a9b255cf4b3bf9918c1212d819562dd5bf6ace0113d66be42f31c7409e47475bf2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk
MD5
e00b7c372a28412a16509516ef57ddb0

SHA1
84b1a84932a75ca14bf1a66580f8a49032526228

SHA256
89015d68f0eae20faa7c7dc74b23e976b6a55e2f0131c83ae93277c3fa9b6544

SHA512
b988cbf3942649c97710dca26adb07271eabfbb39a02329aba59d0d2d05f8450136cb7ff945ee4b34cfe12748e9281f7792c476512c7b7147f82521e3c279bef

Download Submit
C:\Users\Admin\AppData\Roaming\wjiruds
MD5
24928d3f2feba02122945825c8ec7696

SHA1
c9aa0afcbe98a7e7160f6253a3254f87667a6ef8

SHA256
b1e3975d018e0e08f5f36712be5715206d71b0929d62063e38505018c65e85e4

SHA512
757b3ee16070457cc55d66f5409f55e9bcf06f09d3255a660176ecaa9740a3829d6ce598daa0855ff7a35837d7ffd6f1e1c75941d1f297fc2c930b58ecf9c87c

Download Submit
C:\Users\Admin\AppData\Roaming\wjiruds
MD5
24928d3f2feba02122945825c8ec7696

SHA1
c9aa0afcbe98a7e7160f6253a3254f87667a6ef8

SHA256
b1e3975d018e0e08f5f36712be5715206d71b0929d62063e38505018c65e85e4

SHA512
757b3ee16070457cc55d66f5409f55e9bcf06f09d3255a660176ecaa9740a3829d6ce598daa0855ff7a35837d7ffd6f1e1c75941d1f297fc2c930b58ecf9c87c

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk
MD5
d1874d5d3b8163e51d601e30faf9ac77

SHA1
9b6204a85225990545fe53c4e12fe327dba93233

SHA256
a6f054e89ea186d107a04a170e389b79cebcf9e1e3edbeb552b736d2898a1fa5

SHA512
3241998f655e008332fe13d0b3c2af0ee20c18c2cf91dd3470aa7daee05078c42d1cadde24e87ae5a4da057164f52e57bd29651c3fbc4320bafc5f7a53109ca5

Download Submit
\??\c:\users\admin\appdata\local\microsoft\edge\user data\default\edge profile.ico
MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
\??\pipe\LOCAL\crashpad_2500_CXAIJVXSBZIXSOYN
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/100-161-0x00007FFCA2B90000-0x00007FFCA2B91000-memory.dmp

Filesize
4KB

Download
memory/1276-187-0x0000000005540000-0x0000000005552000-memory.dmp

Filesize
72KB

Download
memory/1276-191-0x0000000071100000-0x00000000718B0000-memory.dmp

Filesize
7.7MB

Download
memory/1276-185-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1276-186-0x0000000005B20000-0x0000000006138000-memory.dmp

Filesize
6.1MB

Download
memory/1276-193-0x0000000005850000-0x000000000595A000-memory.dmp

Filesize
1.0MB

Download
memory/1276-188-0x00000000055A0000-0x00000000055DC000-memory.dmp

Filesize
240KB

Download
memory/1276-192-0x0000000005500000-0x0000000005B18000-memory.dmp

Filesize
6.1MB

Download
memory/1560-175-0x00000000004E0000-0x00000000004E9000-memory.dmp

Filesize
36KB

Download
memory/1560-173-0x0000000000529000-0x0000000000532000-memory.dmp

Filesize
36KB

Download
memory/1560-158-0x0000000000529000-0x0000000000532000-memory.dmp

Filesize
36KB

Download
memory/1560-176-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2600-179-0x0000000002270000-0x0000000002285000-memory.dmp

Filesize
84KB

Download
memory/2600-307-0x0000000000840000-0x0000000000855000-memory.dmp

Filesize
84KB

Download
memory/3332-303-0x0000000000530000-0x0000000000630000-memory.dmp

Filesize
1024KB

Download
memory/3332-304-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/3704-156-0x00000000056B0000-0x0000000005742000-memory.dmp

Filesize
584KB

Download
memory/3704-159-0x00000000055F0000-0x00000000055FA000-memory.dmp

Filesize
40KB

Download
memory/3704-184-0x0000000006840000-0x0000000006D6C000-memory.dmp

Filesize
5.2MB

Download
memory/3704-152-0x0000000000D10000-0x0000000000D88000-memory.dmp

Filesize
480KB

Download
memory/3704-155-0x0000000005C60000-0x0000000006204000-memory.dmp

Filesize
5.6MB

Download
memory/3704-157-0x0000000071100000-0x00000000718B0000-memory.dmp

Filesize
7.7MB

Download
memory/3784-211-0x00000000043C0000-0x00000000043C8000-memory.dmp

Filesize
32KB

Download
memory/3784-213-0x0000000004070000-0x0000000004078000-memory.dmp

Filesize
32KB

Download
memory/3784-212-0x0000000004070000-0x0000000004078000-memory.dmp

Filesize
32KB

Download
memory/3784-200-0x0000000003760000-0x0000000003770000-memory.dmp

Filesize
64KB

Download
memory/3784-194-0x0000000003400000-0x0000000003410000-memory.dmp

Filesize
64KB

Download
memory/3784-245-0x0000000004190000-0x0000000004198000-memory.dmp

Filesize
32KB

Download
memory/3784-207-0x0000000004050000-0x0000000004058000-memory.dmp

Filesize
32KB

Download
memory/3784-210-0x00000000043A0000-0x00000000043A8000-memory.dmp

Filesize
32KB

Download
memory/3784-209-0x0000000004110000-0x0000000004118000-memory.dmp

Filesize
32KB

Download
memory/3784-208-0x0000000004070000-0x0000000004078000-memory.dmp

Filesize
32KB

Download
memory/4856-145-0x00007FFC830B0000-0x00007FFC83B71000-memory.dmp

Filesize
10.8MB

Download
memory/4856-136-0x0000000000210000-0x0000000000240000-memory.dmp

Filesize
192KB

Download
memory/4856-146-0x0000000002360000-0x0000000002362000-memory.dmp

Filesize
8KB

Download