redline | f288eee569784b91fac86e89f084f64a6c362a5c2465b8897eee2c368214ab7b

Analysis

max time kernel
157s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
13-03-2022 10:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f288eee569784b91fac86e89f084f64a6c362a5c2465b8897eee2c368214ab7b.exe
Size

3.6MB
MD5

194f6a0db8c9a7f9f3383fd3286e7d85
SHA1

9f72802d8af3b6f095548ebb9691f031753b4d84
SHA256

f288eee569784b91fac86e89f084f64a6c362a5c2465b8897eee2c368214ab7b
SHA512

65ce8c86041b148e2a93e22139ab1af64617ede613debeda6e08ba06c16ada6c789a01eeb14876127f3442c2008860f6f08dff6f42db9b2f45f2cc46b16e35f2

Score

10^/10

redline smokeloader socelars source1 backdoor evasion infostealer persistence spyware stealer trojan upx vmprotect

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.wygexde.xyz/

Extracted

Family

smokeloader

Version

2020

http://khaleelahmed.com/upload/

http://twvickiassociation.com/upload/

http://www20833.com/upload/

http://cocinasintonterias.com/upload/

http://masaofukunaga.com/upload/

http://gnckids.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

source1

199.195.251.96:43073

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3884-171-0x0000000000400000-0x000000000041C000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\agdsk.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\agdsk.exe	family_socelars

Executes dropped EXE 10 IoCs

Processes:

jg2_2qua.exeFiles.exeFile.exeKRSetp.exewf-game.exeagdsk.exepzyh.exepub2.exejfiag3g_gg.exejfiag3g_gg.exe

pid	process
4608	jg2_2qua.exe
556	Files.exe
1100	File.exe
1516	KRSetp.exe
1768	wf-game.exe
3832	agdsk.exe
3700	pzyh.exe
4760	pub2.exe
4740	jfiag3g_gg.exe
3604	jfiag3g_gg.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jg2_2qua.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\jg2_2qua.exe	vmprotect
behavioral2/memory/4608-138-0x0000000000400000-0x000000000065D000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f288eee569784b91fac86e89f084f64a6c362a5c2465b8897eee2c368214ab7b.exeFiles.exewf-game.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	f288eee569784b91fac86e89f084f64a6c362a5c2465b8897eee2c368214ab7b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	Files.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	wf-game.exe

Loads dropped DLL 2 IoCs

Processes:

rUNdlL32.eXepub2.exe

pid process

228 rUNdlL32.eXe
4760 pub2.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
228	rUNdlL32.eXe
4760	pub2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exepzyh.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.e"	pzyh.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

jg2_2qua.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA jg2_2qua.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

13 ip-api.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of SetThreadContext 1 IoCs

Processes:

File.exe

description pid process target process

PID 1100 set thread context of 3884 1100 File.exe AddInProcess32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg2_2qua.exe

flow	ioc
13	ip-api.com

description	pid	process	target process
PID 1100 set thread context of 3884	1100	File.exe	AddInProcess32.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\a9561c41-2115-43e1-9bd2-302fbcc67051.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220313110123.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2444 228 WerFault.exe rUNdlL32.eXe

pid	pid_target	process	target process
2444	228	WerFault.exe	rUNdlL32.eXe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

232 taskkill.exe

pid	process
232	taskkill.exe

Modifies registry class 5 IoCs

Processes:

wf-game.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	wf-game.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exe

pid	process
4760	pub2.exe
4760	pub2.exe
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676
2676

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

4760 pub2.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

msedge.exe

pid process

1424 msedge.exe
1424 msedge.exe
1424 msedge.exe
1424 msedge.exe
1424 msedge.exe

pid	process
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe
1424	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

agdsk.exeKRSetp.exetaskkill.exeFile.exeAddInProcess32.exejg2_2qua.exe

description	pid	process
Token: SeCreateTokenPrivilege	3832	agdsk.exe
Token: SeAssignPrimaryTokenPrivilege	3832	agdsk.exe
Token: SeLockMemoryPrivilege	3832	agdsk.exe
Token: SeIncreaseQuotaPrivilege	3832	agdsk.exe
Token: SeMachineAccountPrivilege	3832	agdsk.exe
Token: SeTcbPrivilege	3832	agdsk.exe
Token: SeSecurityPrivilege	3832	agdsk.exe
Token: SeTakeOwnershipPrivilege	3832	agdsk.exe
Token: SeLoadDriverPrivilege	3832	agdsk.exe
Token: SeSystemProfilePrivilege	3832	agdsk.exe
Token: SeSystemtimePrivilege	3832	agdsk.exe
Token: SeProfSingleProcessPrivilege	3832	agdsk.exe
Token: SeIncBasePriorityPrivilege	3832	agdsk.exe
Token: SeCreatePagefilePrivilege	3832	agdsk.exe
Token: SeCreatePermanentPrivilege	3832	agdsk.exe
Token: SeBackupPrivilege	3832	agdsk.exe
Token: SeRestorePrivilege	3832	agdsk.exe
Token: SeShutdownPrivilege	3832	agdsk.exe
Token: SeDebugPrivilege	3832	agdsk.exe
Token: SeAuditPrivilege	3832	agdsk.exe
Token: SeSystemEnvironmentPrivilege	3832	agdsk.exe
Token: SeChangeNotifyPrivilege	3832	agdsk.exe
Token: SeRemoteShutdownPrivilege	3832	agdsk.exe
Token: SeUndockPrivilege	3832	agdsk.exe
Token: SeSyncAgentPrivilege	3832	agdsk.exe
Token: SeEnableDelegationPrivilege	3832	agdsk.exe
Token: SeManageVolumePrivilege	3832	agdsk.exe
Token: SeImpersonatePrivilege	3832	agdsk.exe
Token: SeCreateGlobalPrivilege	3832	agdsk.exe
Token: 31	3832	agdsk.exe
Token: 32	3832	agdsk.exe
Token: 33	3832	agdsk.exe
Token: 34	3832	agdsk.exe
Token: 35	3832	agdsk.exe
Token: SeDebugPrivilege	1516	KRSetp.exe
Token: SeDebugPrivilege	232	taskkill.exe
Token: SeDebugPrivilege	1100	File.exe
Token: SeShutdownPrivilege	2676
Token: SeCreatePagefilePrivilege	2676
Token: SeShutdownPrivilege	2676
Token: SeCreatePagefilePrivilege	2676
Token: SeShutdownPrivilege	2676
Token: SeCreatePagefilePrivilege	2676
Token: SeShutdownPrivilege	2676
Token: SeCreatePagefilePrivilege	2676
Token: SeShutdownPrivilege	2676
Token: SeCreatePagefilePrivilege	2676
Token: SeShutdownPrivilege	2676
Token: SeCreatePagefilePrivilege	2676
Token: SeShutdownPrivilege	2676
Token: SeCreatePagefilePrivilege	2676
Token: SeShutdownPrivilege	2676
Token: SeCreatePagefilePrivilege	2676
Token: SeDebugPrivilege	3884	AddInProcess32.exe
Token: SeManageVolumePrivilege	4608	jg2_2qua.exe
Token: SeShutdownPrivilege	2676
Token: SeCreatePagefilePrivilege	2676
Token: SeShutdownPrivilege	2676
Token: SeCreatePagefilePrivilege	2676
Token: SeShutdownPrivilege	2676
Token: SeCreatePagefilePrivilege	2676
Token: SeShutdownPrivilege	2676
Token: SeCreatePagefilePrivilege	2676
Token: SeShutdownPrivilege	2676

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

msedge.exe

pid process

2676
2676
1424 msedge.exe
2676
1424 msedge.exe
2676
2676
2676
2676

pid	process
2676
2676
1424	msedge.exe
2676
1424	msedge.exe
2676
2676
2676
2676

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f288eee569784b91fac86e89f084f64a6c362a5c2465b8897eee2c368214ab7b.exeFiles.exemsedge.exeagdsk.execmd.exewf-game.exeFile.exemsedge.exe

description	pid	process	target process
PID 3948 wrote to memory of 4608	3948	f288eee569784b91fac86e89f084f64a6c362a5c2465b8897eee2c368214ab7b.exe	jg2_2qua.exe
PID 3948 wrote to memory of 4608	3948	f288eee569784b91fac86e89f084f64a6c362a5c2465b8897eee2c368214ab7b.exe	jg2_2qua.exe
PID 3948 wrote to memory of 4608	3948	f288eee569784b91fac86e89f084f64a6c362a5c2465b8897eee2c368214ab7b.exe	jg2_2qua.exe
PID 3948 wrote to memory of 556	3948	f288eee569784b91fac86e89f084f64a6c362a5c2465b8897eee2c368214ab7b.exe	Files.exe
PID 3948 wrote to memory of 556	3948	f288eee569784b91fac86e89f084f64a6c362a5c2465b8897eee2c368214ab7b.exe	Files.exe
PID 3948 wrote to memory of 556	3948	f288eee569784b91fac86e89f084f64a6c362a5c2465b8897eee2c368214ab7b.exe	Files.exe
PID 556 wrote to memory of 1100	556	Files.exe	File.exe
PID 556 wrote to memory of 1100	556	Files.exe	File.exe
PID 556 wrote to memory of 1100	556	Files.exe	File.exe
PID 3948 wrote to memory of 1424	3948	f288eee569784b91fac86e89f084f64a6c362a5c2465b8897eee2c368214ab7b.exe	msedge.exe
PID 3948 wrote to memory of 1424	3948	f288eee569784b91fac86e89f084f64a6c362a5c2465b8897eee2c368214ab7b.exe	msedge.exe
PID 3948 wrote to memory of 1516	3948	f288eee569784b91fac86e89f084f64a6c362a5c2465b8897eee2c368214ab7b.exe	KRSetp.exe
PID 3948 wrote to memory of 1516	3948	f288eee569784b91fac86e89f084f64a6c362a5c2465b8897eee2c368214ab7b.exe	KRSetp.exe
PID 3948 wrote to memory of 1768	3948	f288eee569784b91fac86e89f084f64a6c362a5c2465b8897eee2c368214ab7b.exe	wf-game.exe
PID 3948 wrote to memory of 1768	3948	f288eee569784b91fac86e89f084f64a6c362a5c2465b8897eee2c368214ab7b.exe	wf-game.exe
PID 3948 wrote to memory of 1768	3948	f288eee569784b91fac86e89f084f64a6c362a5c2465b8897eee2c368214ab7b.exe	wf-game.exe
PID 3948 wrote to memory of 3832	3948	f288eee569784b91fac86e89f084f64a6c362a5c2465b8897eee2c368214ab7b.exe	agdsk.exe
PID 3948 wrote to memory of 3832	3948	f288eee569784b91fac86e89f084f64a6c362a5c2465b8897eee2c368214ab7b.exe	agdsk.exe
PID 3948 wrote to memory of 3832	3948	f288eee569784b91fac86e89f084f64a6c362a5c2465b8897eee2c368214ab7b.exe	agdsk.exe
PID 3948 wrote to memory of 3700	3948	f288eee569784b91fac86e89f084f64a6c362a5c2465b8897eee2c368214ab7b.exe	pzyh.exe
PID 3948 wrote to memory of 3700	3948	f288eee569784b91fac86e89f084f64a6c362a5c2465b8897eee2c368214ab7b.exe	pzyh.exe
PID 3948 wrote to memory of 3700	3948	f288eee569784b91fac86e89f084f64a6c362a5c2465b8897eee2c368214ab7b.exe	pzyh.exe
PID 3948 wrote to memory of 4760	3948	f288eee569784b91fac86e89f084f64a6c362a5c2465b8897eee2c368214ab7b.exe	pub2.exe
PID 3948 wrote to memory of 4760	3948	f288eee569784b91fac86e89f084f64a6c362a5c2465b8897eee2c368214ab7b.exe	pub2.exe
PID 3948 wrote to memory of 4760	3948	f288eee569784b91fac86e89f084f64a6c362a5c2465b8897eee2c368214ab7b.exe	pub2.exe
PID 1424 wrote to memory of 4240	1424	msedge.exe	msedge.exe
PID 1424 wrote to memory of 4240	1424	msedge.exe	msedge.exe
PID 3832 wrote to memory of 2872	3832	agdsk.exe	cmd.exe
PID 3832 wrote to memory of 2872	3832	agdsk.exe	cmd.exe
PID 3832 wrote to memory of 2872	3832	agdsk.exe	cmd.exe
PID 2872 wrote to memory of 232	2872	cmd.exe	taskkill.exe
PID 2872 wrote to memory of 232	2872	cmd.exe	taskkill.exe
PID 2872 wrote to memory of 232	2872	cmd.exe	taskkill.exe
PID 1768 wrote to memory of 228	1768	wf-game.exe	rUNdlL32.eXe
PID 1768 wrote to memory of 228	1768	wf-game.exe	rUNdlL32.eXe
PID 1768 wrote to memory of 228	1768	wf-game.exe	rUNdlL32.eXe
PID 1100 wrote to memory of 3884	1100	File.exe	AddInProcess32.exe
PID 1100 wrote to memory of 3884	1100	File.exe	AddInProcess32.exe
PID 1100 wrote to memory of 3884	1100	File.exe	AddInProcess32.exe
PID 1100 wrote to memory of 3884	1100	File.exe	AddInProcess32.exe
PID 1100 wrote to memory of 3884	1100	File.exe	AddInProcess32.exe
PID 1100 wrote to memory of 3884	1100	File.exe	AddInProcess32.exe
PID 1100 wrote to memory of 3884	1100	File.exe	AddInProcess32.exe
PID 1100 wrote to memory of 3884	1100	File.exe	AddInProcess32.exe
PID 556 wrote to memory of 1112	556	Files.exe	msedge.exe
PID 556 wrote to memory of 1112	556	Files.exe	msedge.exe
PID 1112 wrote to memory of 1104	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 1104	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3560	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3560	1112	msedge.exe	msedge.exe
PID 1424 wrote to memory of 4432	1424	msedge.exe	msedge.exe
PID 1424 wrote to memory of 4432	1424	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3560	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3560	1112	msedge.exe	msedge.exe
PID 1424 wrote to memory of 4432	1424	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3560	1112	msedge.exe	msedge.exe
PID 1424 wrote to memory of 4432	1424	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3560	1112	msedge.exe	msedge.exe
PID 1424 wrote to memory of 4432	1424	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3560	1112	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3560	1112	msedge.exe	msedge.exe
PID 1424 wrote to memory of 4432	1424	msedge.exe	msedge.exe
PID 1112 wrote to memory of 3560	1112	msedge.exe	msedge.exe
PID 1424 wrote to memory of 4432	1424	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\f288eee569784b91fac86e89f084f64a6c362a5c2465b8897eee2c368214ab7b.exe
"C:\Users\Admin\AppData\Local\Temp\f288eee569784b91fac86e89f084f64a6c362a5c2465b8897eee2c368214ab7b.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3948

C:\Users\Admin\AppData\Local\Temp\jg2_2qua.exe
"C:\Users\Admin\AppData\Local\Temp\jg2_2qua.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:556

C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1jF6h7
3⤵
- Suspicious use of WriteProcessMemory
PID:1112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffde0f446f8,0x7ffde0f44708,0x7ffde0f44718
4⤵
PID:1104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,8269896833306511659,3809318764598198367,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
4⤵
PID:3560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,8269896833306511659,3809318764598198367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
4⤵
PID:3280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1wNij7
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffde0f446f8,0x7ffde0f44708,0x7ffde0f44718
3⤵
PID:4240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,3667522418322648473,7087770025927243890,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
3⤵
PID:4432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,3667522418322648473,7087770025927243890,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2472 /prefetch:3
3⤵
PID:3768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,3667522418322648473,7087770025927243890,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3184 /prefetch:8
3⤵
PID:1120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,3667522418322648473,7087770025927243890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3868 /prefetch:1
3⤵
PID:4536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,3667522418322648473,7087770025927243890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
3⤵
PID:2660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,3667522418322648473,7087770025927243890,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4348 /prefetch:1
3⤵
PID:4172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2152,3667522418322648473,7087770025927243890,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5300 /prefetch:8
3⤵
PID:1180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,3667522418322648473,7087770025927243890,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
3⤵
PID:4948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,3667522418322648473,7087770025927243890,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4556 /prefetch:1
3⤵
PID:1116

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,3667522418322648473,7087770025927243890,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6588 /prefetch:8
3⤵
PID:4544

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:5112

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff69dd75460,0x7ff69dd75470,0x7ff69dd75480
4⤵
PID:1048

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,3667522418322648473,7087770025927243890,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6588 /prefetch:8
3⤵
PID:3128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2152,3667522418322648473,7087770025927243890,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1344 /prefetch:8
3⤵
PID:1236

C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Users\Admin\AppData\Local\Temp\wf-game.exe
"C:\Users\Admin\AppData\Local\Temp\wf-game.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\rUNdlL32.eXe
"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install
3⤵
- Loads dropped DLL
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 608
4⤵
- Program crash
PID:2444

C:\Users\Admin\AppData\Local\Temp\agdsk.exe
"C:\Users\Admin\AppData\Local\Temp\agdsk.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3832

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:232

C:\Users\Admin\AppData\Local\Temp\pzyh.exe
"C:\Users\Admin\AppData\Local\Temp\pzyh.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3700

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:4740

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:3604

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 228 -ip 228
1⤵
PID:4008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:2300

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:1376

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
35a74ac5fa8d011f82513080d2c224de

SHA1
0f9387b6deb7405d14927604c78126d467ea558a

SHA256
6d8089b4967d675027432a84f64e938daedc0b0243e94dddfca3d4e6f573d728

SHA512
dc3beab9a9c207c3a7aa09be43ad123ebd1f464155bb6479423ab3732430b989f5d4edf7022a3ca35ef22385d278e51e523d83a92d6ff4b2ed7aaac91659d098

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
48688eaeffde1c7101b1bdc72a72b9a3

SHA1
c086a6b8524aedae9bfd2863067a75088b7a1972

SHA256
6383d0e79eb153ccf1004b3b65da09989d1d5fe62ae1935a3c42ca5102a7d9af

SHA512
f778710d5fc3a7a9657b1fd7c69d7e1e325376217eb86578c85155547804f2c9efb60cf786f0ccf0dc7a6ce169fbbe913c8b662f155213139f1e2701ddc800c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
48688eaeffde1c7101b1bdc72a72b9a3

SHA1
c086a6b8524aedae9bfd2863067a75088b7a1972

SHA256
6383d0e79eb153ccf1004b3b65da09989d1d5fe62ae1935a3c42ca5102a7d9af

SHA512
f778710d5fc3a7a9657b1fd7c69d7e1e325376217eb86578c85155547804f2c9efb60cf786f0ccf0dc7a6ce169fbbe913c8b662f155213139f1e2701ddc800c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
8f2b526f8b06d1befe13ac9df5f196d0

SHA1
5312747fc37ddad74957388f3aab556cffb08c3e

SHA256
9dbb8343e2da49863a8abfe10867dccfd9956ef8af848ab3aca54d9cd17a5845

SHA512
2ed4a83537a583825d77b43f8d6428c02e598e8b54cc1c66f0280acbcdbe76729718274b518cd68906c266cc1565b82fb7445aee62a063c0f2a273ca0cb5a01f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
8f2b526f8b06d1befe13ac9df5f196d0

SHA1
5312747fc37ddad74957388f3aab556cffb08c3e

SHA256
9dbb8343e2da49863a8abfe10867dccfd9956ef8af848ab3aca54d9cd17a5845

SHA512
2ed4a83537a583825d77b43f8d6428c02e598e8b54cc1c66f0280acbcdbe76729718274b518cd68906c266cc1565b82fb7445aee62a063c0f2a273ca0cb5a01f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
MD5
752e3fad21e5862696f8779e1cc4eb5f

SHA1
6d74e6ee1c87e018873bde881e6d0def0bb4ce15

SHA256
e4c75f164c84b9d14d65dcb71604d1d1ecf02779eb7643448cdce06885884bf1

SHA512
9f12b7336b70b95b00771a196c41a7b2a9ced47f544fb597a2432c2765d975fccbd251524253c648c5e8a15177680d2100b37490cd22232d0e9eb729bab2ec0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings
MD5
f222079e71469c4d129b335b7c91355e

SHA1
0056c3003874efef229a5875742559c8c59887dc

SHA256
e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00

SHA512
e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1
MD5
6698422bea0359f6d385a4d059c47301

SHA1
b1107d1f8cc1ef600531ed87cea1c41b7be474f6

SHA256
2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

SHA512
d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris
MD5
130cbf4e6a0709f3adaa8c22f3ba50b0

SHA1
1056473e0da5ce901a5c8b21928aa9f7b72317df

SHA256
1007b1dd0c2f44c636b6399aac3bea089c31fea11817655dc1cddb90e6e766d1

SHA512
92e310f2af59e422e79785009c20da1f4b136ea775f2118bbcb54325acc709f92eea6443681c31f0e0fe485fac30f5482d9e206cda541757181877e16ec597ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_637827592599384676
MD5
8ead605b2f1e488158c171ee4953e429

SHA1
5a65db7f97ac0a36a08ac21576135daa9d636fde

SHA256
9d8b3aceedcc1ac0c05ec1f1ce206b8005d15c5e32a596a9dfef9655dcd31716

SHA512
03041a6101a90d603bee4530d43e1070eb08e59ee619270917ec7a00e3d1c291a36684f81524f493f3bced908257aba50bea5f53820be7aabbedee948f8ea699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic
MD5
ce545b52b20b2f56ffb26d2ca2ed4491

SHA1
ebe904c20bb43891db4560f458e66663826aa885

SHA256
e9d5684e543b573010f8b55b11bf571caf0a225cdea03f520091525978023899

SHA512
1ea06c8e3f03efdd67779969b4cdf7d8e08f8327298668a7cffd67d1753f33cf19e6995a3d83fe45185c55b950f41e48ac71b422b91e8d0180b5bdd07cfacfe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_637811103879324684
MD5
a7aab197b91381bcdec092e1910a3d62

SHA1
35794f2d2df163223391a2b21e1610f14f46a78f

SHA256
6337fe4e6e7464e319dfcdadf472987592013cf80d44916f5151950b4a4ca14b

SHA512
cffd7350d1e69ada5f64cafe42a9d77e3192927e129f2903088b66b6efc9626b5d525aedca08d473ad8fa415af1d816594b243609237dc23716d70a2ca0eb774

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC4F.tmp
MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
bc174d64e8e8f6aa4100dea8b2617966

SHA1
db904d01b83203a46622200a4637714bbc1cadc3

SHA256
47281a31c161d6e79555a206a6ea3be6c25065a50c859d776e0f2a55c16ff111

SHA512
43b6b771c506a1af5b1341408e2b5a1138e613af50b1d9fc5d24484838cca01621530dfa03f79b6095400ef6a4633b705dc41941d58068793918fee6ad423597

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
bc174d64e8e8f6aa4100dea8b2617966

SHA1
db904d01b83203a46622200a4637714bbc1cadc3

SHA256
47281a31c161d6e79555a206a6ea3be6c25065a50c859d776e0f2a55c16ff111

SHA512
43b6b771c506a1af5b1341408e2b5a1138e613af50b1d9fc5d24484838cca01621530dfa03f79b6095400ef6a4633b705dc41941d58068793918fee6ad423597

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
d91a5523a19368a08baaa2d3cad806e4

SHA1
bbd679ffe5a227ce28859e331995176d7bee54e2

SHA256
22dc4acfd7546d9a15dfeaa359ccac8fc33ed85b4247fcb1d08b2ecd37f01dde

SHA512
396e362ec2fd60e293e544a3f7daf56adef1678c40071ce4818b7c04f641dc4814a2e1731befa6339c893b6d3cc7f345cccd553042bc657fd71dee3f1f75b421

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
d91a5523a19368a08baaa2d3cad806e4

SHA1
bbd679ffe5a227ce28859e331995176d7bee54e2

SHA256
22dc4acfd7546d9a15dfeaa359ccac8fc33ed85b4247fcb1d08b2ecd37f01dde

SHA512
396e362ec2fd60e293e544a3f7daf56adef1678c40071ce4818b7c04f641dc4814a2e1731befa6339c893b6d3cc7f345cccd553042bc657fd71dee3f1f75b421

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
MD5
b13e035f8c5c8c30c40033165017508e

SHA1
075cc57e58640fdde4cb8ac199d3b5978129ac14

SHA256
2a48eaec94fd1d0b2ae2b0d420d2ae8810d5ddd2b43018745725a2fa2c4d5e7b

SHA512
4bb837346d85ef16d442b89a77404c22c6654904fb0c839abb8477c99cc628b8bc17d7fa01271b05a53c3407fd596b764f50561543b3ef6bfc0e941488624d85

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
MD5
b13e035f8c5c8c30c40033165017508e

SHA1
075cc57e58640fdde4cb8ac199d3b5978129ac14

SHA256
2a48eaec94fd1d0b2ae2b0d420d2ae8810d5ddd2b43018745725a2fa2c4d5e7b

SHA512
4bb837346d85ef16d442b89a77404c22c6654904fb0c839abb8477c99cc628b8bc17d7fa01271b05a53c3407fd596b764f50561543b3ef6bfc0e941488624d85

Download Submit
C:\Users\Admin\AppData\Local\Temp\agdsk.exe
MD5
8591defbfe32d84ec1e9dbd3460ef379

SHA1
6ebd38ceff10e370917494bbd6bb8add6ca8c2ed

SHA256
dd4bce739edb709cdb1d8a7dc3d800564600495145ad531a4860c0cdef3774ae

SHA512
bd40f1a8a09e844fb6a542afc180bdd8867b6774a90f45993873c8e6138853a7fd731497988c341efb399d87136196d291a9e138f285c4f5ac050f54065910c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\agdsk.exe
MD5
8591defbfe32d84ec1e9dbd3460ef379

SHA1
6ebd38ceff10e370917494bbd6bb8add6ca8c2ed

SHA256
dd4bce739edb709cdb1d8a7dc3d800564600495145ad531a4860c0cdef3774ae

SHA512
bd40f1a8a09e844fb6a542afc180bdd8867b6774a90f45993873c8e6138853a7fd731497988c341efb399d87136196d291a9e138f285c4f5ac050f54065910c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\edge_BITS_1424_1703056144\c502e396-3183-40d0-bc8b-e6f0d4fa22da
MD5
6c337c4eaac9b4685fbd6ee53785e190

SHA1
af6c2a5c97a4da837e1546083593b5002fd3a4fb

SHA256
ca3a4f89d6a3eb5632a2e6b0a6b0f375c0a45a8dcde57b16ca0a56b932794f50

SHA512
caf0ad840d12c44be60de1abfb72373e4eef263a397cb3cc3d7ed3e0bbb2da4a72674d137a02c10f71b352270a48fe287fd5a8972d26234fb0da10acd16b1e64

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
4ecd2d63eaea66529cab4a947381b7a2

SHA1
c313d8b58a3d19dbe86480b6874203c532b6f92a

SHA256
522e3c504264a3695403f8e723673a6d1a5b530849718f908b28ee68b815004d

SHA512
a1e8de913bce1595c250e88b92b7a34f93385faf068d21fa1cd0eb357ec51ba02a2271dfa45df27f59e6f55976050bef122d41119f47aa9cfef0ec94f313fa32

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.dat
MD5
8276da14d3a16a1bc8722d2254c30527

SHA1
738d3e4c3ec39476e4796f9af6396bdd98758a69

SHA256
b4fcb4be68989512505fbbeb7fbb1fb3299c61ca37ff0774e8ec35b43fef4bf5

SHA512
ddc9f1ed101d44b501db69e35e63a835ca1f3267b3a6faac085bd99d142e7e143f4728bd91f71bd13a9f42598f7f10c546bcdb51b1f9256ce88dc710b3306646

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.dll
MD5
5e6df381ce1c9102799350b7033e41df

SHA1
f8a4012c9547d9bb2faecfba75fc69407aaec288

SHA256
01808f7bce25db18bce99e432555fcfff148a1d931128edebc816975145cabd7

SHA512
a27ca6d1643fbbbb13e46f35d06fe8a5414a8ddaedd9e417cbb1636ad96228ccadee928d5204123f2221a20fe7c416587d78967b47ffcbcf3c6ac4b7a1ca887d

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.dll
MD5
5e6df381ce1c9102799350b7033e41df

SHA1
f8a4012c9547d9bb2faecfba75fc69407aaec288

SHA256
01808f7bce25db18bce99e432555fcfff148a1d931128edebc816975145cabd7

SHA512
a27ca6d1643fbbbb13e46f35d06fe8a5414a8ddaedd9e417cbb1636ad96228ccadee928d5204123f2221a20fe7c416587d78967b47ffcbcf3c6ac4b7a1ca887d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jg2_2qua.exe
MD5
b72ca731ce917c0cf7893702be1e30af

SHA1
d77a405a51e88c75b3bee2ab29662101ffb3e0a3

SHA256
783d47c446d1e482c19fbc6ded572ea16d5784dc775073662827c31f32d9a0ef

SHA512
a2f5ab9c3b846a115fec99aa0eb3ee9cfb8bd4daec5d95a69f29441db81f7137d78bddbd2dbd7cf4690581d43147d43300196f24add334fd6db5d53213d33158

Download Submit
C:\Users\Admin\AppData\Local\Temp\jg2_2qua.exe
MD5
b72ca731ce917c0cf7893702be1e30af

SHA1
d77a405a51e88c75b3bee2ab29662101ffb3e0a3

SHA256
783d47c446d1e482c19fbc6ded572ea16d5784dc775073662827c31f32d9a0ef

SHA512
a2f5ab9c3b846a115fec99aa0eb3ee9cfb8bd4daec5d95a69f29441db81f7137d78bddbd2dbd7cf4690581d43147d43300196f24add334fd6db5d53213d33158

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
0ba5fefab21f2506342341ad6c6c5cbe

SHA1
c931e9032100d8d866790c7812adb724c3b53440

SHA256
1b57079dc9aa45b0f71b35d6cc33976caa6ceaba93e0b12bde551e288f07279e

SHA512
85f4fd50fbfbced7ef2fa35560b0a5c3c27dab0709275b52fa9ebda7908b0b5ec18c5849752392c5d802275b40af155188417ac6dc6d4b42b73bfd21a3c4d755

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
0ba5fefab21f2506342341ad6c6c5cbe

SHA1
c931e9032100d8d866790c7812adb724c3b53440

SHA256
1b57079dc9aa45b0f71b35d6cc33976caa6ceaba93e0b12bde551e288f07279e

SHA512
85f4fd50fbfbced7ef2fa35560b0a5c3c27dab0709275b52fa9ebda7908b0b5ec18c5849752392c5d802275b40af155188417ac6dc6d4b42b73bfd21a3c4d755

Download Submit
C:\Users\Admin\AppData\Local\Temp\pzyh.exe
MD5
8cbde3982249e20a6f564eb414f06fe4

SHA1
6d040b6c0f9d10b07f0b63797aa7bfabf0703925

SHA256
4a8a37d0010b2a946e9b202ea07d8b93a29a3ea9a56852678307076e10999c83

SHA512
d84863489b5fb2d17ee1df47de735a88d510bb8f5e378126243e34edb017d3ed82807c7dbd5cf6a977601f0e440be12e680679f1ce472619fd0ebbe9579c3e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pzyh.exe
MD5
8cbde3982249e20a6f564eb414f06fe4

SHA1
6d040b6c0f9d10b07f0b63797aa7bfabf0703925

SHA256
4a8a37d0010b2a946e9b202ea07d8b93a29a3ea9a56852678307076e10999c83

SHA512
d84863489b5fb2d17ee1df47de735a88d510bb8f5e378126243e34edb017d3ed82807c7dbd5cf6a977601f0e440be12e680679f1ce472619fd0ebbe9579c3e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wf-game.exe
MD5
eb5cb5e68e0882e6497d722821ead86d

SHA1
b3d2c65965841af5155f6786b9f472283d500dd4

SHA256
2363a501aac0259bae0b7047ff7e0059f0406b85f260c7292326ead0eace4959

SHA512
5dc113cbe9ebbace3c94ada71adc711d014d5fe3207ba17923ebb2751792434dab46b4e507d04d99800cb60056420ce39522a33e3b5a2c3234c7bed4f30addba

Download Submit
C:\Users\Admin\AppData\Local\Temp\wf-game.exe
MD5
eb5cb5e68e0882e6497d722821ead86d

SHA1
b3d2c65965841af5155f6786b9f472283d500dd4

SHA256
2363a501aac0259bae0b7047ff7e0059f0406b85f260c7292326ead0eace4959

SHA512
5dc113cbe9ebbace3c94ada71adc711d014d5fe3207ba17923ebb2751792434dab46b4e507d04d99800cb60056420ce39522a33e3b5a2c3234c7bed4f30addba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk
MD5
1f47d7eb0460bcabd91b532b9a9a4a64

SHA1
a7b05121a7ddfc01b9a2a50f56923b65eb3a7e12

SHA256
3329e162e5b7552adcc18a7aeddb3b3f7e0924cd939b8caf5d0e197a726356f1

SHA512
5d09d063b58e07246ca473d9cbbd3bde30ad923d91c2b4f4c6038778d9cea43a59369b2bd58605147bd9f5654f54a57673c2332b3fbe03b7fc391acc226bf82d

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk
MD5
3792feb129639ecaf6ef268a3cf3d261

SHA1
c6ca8d07b7872b76c9007cf850d46a5edbf13af5

SHA256
9f8ee0dd667bbf42aba1306d2f6b6bb03f9655529ecfd48d8d743a2f1bd21b5f

SHA512
d6d1137de58d74503896d6f020f139d19c9e4f39a7148648ba175ea30ba0117ead68a1aa4d1adc3cdadf8817087d1749b5ee36519f3e7f52595b28a2d203fbd7

Download Submit
\??\pipe\LOCAL\crashpad_1112_PRVRWQTZAWHQCFGT
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_1424_ARAYNFASQNAFMFSK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1100-168-0x0000000005540000-0x000000000554A000-memory.dmp

Filesize
40KB

Download
memory/1100-167-0x0000000005520000-0x0000000005AC4000-memory.dmp

Filesize
5.6MB

Download
memory/1100-155-0x0000000071350000-0x0000000071B00000-memory.dmp

Filesize
7.7MB

Download
memory/1100-156-0x0000000000B00000-0x0000000000B82000-memory.dmp

Filesize
520KB

Download
memory/1100-157-0x0000000005AD0000-0x0000000006074000-memory.dmp

Filesize
5.6MB

Download
memory/1100-170-0x00000000066C0000-0x0000000006BEC000-memory.dmp

Filesize
5.2MB

Download
memory/1100-159-0x00000000055C0000-0x0000000005652000-memory.dmp

Filesize
584KB

Download
memory/1516-154-0x00007FFDDE720000-0x00007FFDDF1E1000-memory.dmp

Filesize
10.8MB

Download
memory/1516-145-0x00000000007C0000-0x00000000007EC000-memory.dmp

Filesize
176KB

Download
memory/1516-158-0x000000001CA70000-0x000000001CA72000-memory.dmp

Filesize
8KB

Download
memory/2676-207-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/2676-184-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/2676-194-0x00000000026C0000-0x00000000026D0000-memory.dmp

Filesize
64KB

Download
memory/2676-196-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/2676-193-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/2676-198-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/2676-200-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/2676-201-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/2676-202-0x00000000026C0000-0x00000000026D0000-memory.dmp

Filesize
64KB

Download
memory/2676-205-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/2676-203-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/2676-206-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/2676-169-0x0000000002070000-0x0000000002086000-memory.dmp

Filesize
88KB

Download
memory/2676-209-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/2676-210-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/2676-208-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/2676-177-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/2676-191-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/2676-192-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/2676-178-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/2676-190-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/2676-188-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/2676-179-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/2676-180-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/2676-181-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/2676-185-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/2676-186-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/2676-189-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/2676-183-0x0000000002690000-0x00000000026A0000-memory.dmp

Filesize
64KB

Download
memory/2676-182-0x00000000026A0000-0x00000000026B0000-memory.dmp

Filesize
64KB

Download
memory/3884-175-0x0000000005370000-0x0000000005382000-memory.dmp

Filesize
72KB

Download
memory/3884-211-0x0000000005680000-0x000000000578A000-memory.dmp

Filesize
1.0MB

Download
memory/3884-187-0x00000000052B0000-0x00000000058C8000-memory.dmp

Filesize
6.1MB

Download
memory/3884-171-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3884-173-0x0000000071350000-0x0000000071B00000-memory.dmp

Filesize
7.7MB

Download
memory/3884-174-0x00000000058D0000-0x0000000005EE8000-memory.dmp

Filesize
6.1MB

Download
memory/3884-176-0x00000000053D0000-0x000000000540C000-memory.dmp

Filesize
240KB

Download
memory/4432-216-0x00007FFDFD970000-0x00007FFDFD971000-memory.dmp

Filesize
4KB

Download
memory/4608-244-0x00000000048A0000-0x00000000048A8000-memory.dmp

Filesize
32KB

Download
memory/4608-238-0x00000000042F0000-0x00000000042F8000-memory.dmp

Filesize
32KB

Download
memory/4608-235-0x00000000042D0000-0x00000000042D8000-memory.dmp

Filesize
32KB

Download
memory/4608-241-0x0000000004390000-0x0000000004398000-memory.dmp

Filesize
32KB

Download
memory/4608-221-0x0000000003680000-0x0000000003690000-memory.dmp

Filesize
64KB

Download
memory/4608-253-0x00000000042F0000-0x00000000042F8000-memory.dmp

Filesize
32KB

Download
memory/4608-245-0x00000000042F0000-0x00000000042F8000-memory.dmp

Filesize
32KB

Download
memory/4608-227-0x0000000003820000-0x0000000003830000-memory.dmp

Filesize
64KB

Download
memory/4608-138-0x0000000000400000-0x000000000065D000-memory.dmp

Filesize
2.4MB

Download
memory/4608-243-0x00000000044F0000-0x00000000044F8000-memory.dmp

Filesize
32KB

Download
memory/4608-242-0x00000000044D0000-0x00000000044D8000-memory.dmp

Filesize
32KB

Download
memory/4760-163-0x0000000000769000-0x0000000000772000-memory.dmp

Filesize
36KB

Download
memory/4760-153-0x0000000000769000-0x0000000000772000-memory.dmp

Filesize
36KB

Download
memory/4760-165-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4760-164-0x00000000005A0000-0x00000000005A9000-memory.dmp

Filesize
36KB

Download