smokeloader | c61aefcd8b9a4f8623a65aba9ac1af61a9676f52e3c3dffa382afbec1f10d861

Analysis

max time kernel
178s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
14-03-2022 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c61aefcd8b9a4f8623a65aba9ac1af61a9676f52e3c3dffa382afbec1f10d861.exe
Size

3.5MB
MD5

988e4ebcc1111c323a4b14e3ec730deb
SHA1

70f8495f3714046b35408685e3bb78c74bf1a598
SHA256

c61aefcd8b9a4f8623a65aba9ac1af61a9676f52e3c3dffa382afbec1f10d861
SHA512

60799f483ddf182899b656c285429a5afd98440ca14285b9b7a83230c16cce915f095ccae304d29826d8a0e7387cf969be8d76cb66d787ecf37204f79b55f168

Score

10^/10

smokeloader socelars vidar 890 backdoor evasion persistence spyware stealer trojan upx

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.wygexde.xyz/

Extracted

Family

vidar

Version

38.6

Botnet

890

https://HAL9THapi.faceit.comsslamlssa

Attributes

profile_id
890

Extracted

Family

smokeloader

Version

2020

http://khaleelahmed.com/upload/

http://twvickiassociation.com/upload/

http://www20833.com/upload/

http://cocinasintonterias.com/upload/

http://masaofukunaga.com/upload/

http://gnckids.com/upload/

rc4.i32

Signatures

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\agdsk.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\agdsk.exe	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/2640-216-0x00000000006F0000-0x0000000000787000-memory.dmp	family_vidar
behavioral2/memory/2640-217-0x0000000000400000-0x000000000049A000-memory.dmp	family_vidar

Executes dropped EXE 10 IoCs

Processes:

agdsk.exejg2_2qua.exeKRSetp.exewf-game.exeFiles.exepzyh.exepub2.exeFile.exejfiag3g_gg.exejfiag3g_gg.exe

pid	process
3796	agdsk.exe
1952	jg2_2qua.exe
1476	KRSetp.exe
4304	wf-game.exe
4188	Files.exe
1492	pzyh.exe
1328	pub2.exe
2640	File.exe
3052	jfiag3g_gg.exe
2616	jfiag3g_gg.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c61aefcd8b9a4f8623a65aba9ac1af61a9676f52e3c3dffa382afbec1f10d861.exeFiles.exewf-game.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	c61aefcd8b9a4f8623a65aba9ac1af61a9676f52e3c3dffa382afbec1f10d861.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	Files.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	wf-game.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exepub2.exe

pid process

3552 rundll32.exe
1328 pub2.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3552	rundll32.exe
1328	pub2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exepzyh.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.e"	pzyh.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

jg2_2qua.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA jg2_2qua.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

35 ip-api.com

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg2_2qua.exe

flow	ioc
35	ip-api.com

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\672940b4-acbf-4b07-ae4a-d2420e6753f8.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220314144435.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

2668 3552 WerFault.exe rundll32.exe
1520 2640 WerFault.exe File.exe
4564 3552 WerFault.exe rundll32.exe

pid	pid_target	process	target process
2668	3552	WerFault.exe	rundll32.exe
1520	2640	WerFault.exe	File.exe
4564	3552	WerFault.exe	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4680 taskkill.exe

pid	process
4680	taskkill.exe

Modifies registry class 4 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exe

pid	process
1328	pub2.exe
1328	pub2.exe
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752
2752

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

pub2.exe

pid process

1328 pub2.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

msedge.exe

pid process

3076 msedge.exe
3076 msedge.exe
3076 msedge.exe
3076 msedge.exe
3076 msedge.exe

pid	process
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

agdsk.exeKRSetp.exetaskkill.exejg2_2qua.exe

description	pid	process
Token: SeCreateTokenPrivilege	3796	agdsk.exe
Token: SeAssignPrimaryTokenPrivilege	3796	agdsk.exe
Token: SeLockMemoryPrivilege	3796	agdsk.exe
Token: SeIncreaseQuotaPrivilege	3796	agdsk.exe
Token: SeMachineAccountPrivilege	3796	agdsk.exe
Token: SeTcbPrivilege	3796	agdsk.exe
Token: SeSecurityPrivilege	3796	agdsk.exe
Token: SeTakeOwnershipPrivilege	3796	agdsk.exe
Token: SeLoadDriverPrivilege	3796	agdsk.exe
Token: SeSystemProfilePrivilege	3796	agdsk.exe
Token: SeSystemtimePrivilege	3796	agdsk.exe
Token: SeProfSingleProcessPrivilege	3796	agdsk.exe
Token: SeIncBasePriorityPrivilege	3796	agdsk.exe
Token: SeCreatePagefilePrivilege	3796	agdsk.exe
Token: SeCreatePermanentPrivilege	3796	agdsk.exe
Token: SeBackupPrivilege	3796	agdsk.exe
Token: SeRestorePrivilege	3796	agdsk.exe
Token: SeShutdownPrivilege	3796	agdsk.exe
Token: SeDebugPrivilege	3796	agdsk.exe
Token: SeAuditPrivilege	3796	agdsk.exe
Token: SeSystemEnvironmentPrivilege	3796	agdsk.exe
Token: SeChangeNotifyPrivilege	3796	agdsk.exe
Token: SeRemoteShutdownPrivilege	3796	agdsk.exe
Token: SeUndockPrivilege	3796	agdsk.exe
Token: SeSyncAgentPrivilege	3796	agdsk.exe
Token: SeEnableDelegationPrivilege	3796	agdsk.exe
Token: SeManageVolumePrivilege	3796	agdsk.exe
Token: SeImpersonatePrivilege	3796	agdsk.exe
Token: SeCreateGlobalPrivilege	3796	agdsk.exe
Token: 31	3796	agdsk.exe
Token: 32	3796	agdsk.exe
Token: 33	3796	agdsk.exe
Token: 34	3796	agdsk.exe
Token: 35	3796	agdsk.exe
Token: SeDebugPrivilege	1476	KRSetp.exe
Token: SeShutdownPrivilege	2752
Token: SeCreatePagefilePrivilege	2752
Token: SeDebugPrivilege	4680	taskkill.exe
Token: SeManageVolumePrivilege	1952	jg2_2qua.exe
Token: SeShutdownPrivilege	2752
Token: SeCreatePagefilePrivilege	2752
Token: SeShutdownPrivilege	2752
Token: SeCreatePagefilePrivilege	2752
Token: SeShutdownPrivilege	2752
Token: SeCreatePagefilePrivilege	2752
Token: SeShutdownPrivilege	2752
Token: SeCreatePagefilePrivilege	2752
Token: SeShutdownPrivilege	2752
Token: SeCreatePagefilePrivilege	2752
Token: SeShutdownPrivilege	2752
Token: SeCreatePagefilePrivilege	2752
Token: SeShutdownPrivilege	2752
Token: SeCreatePagefilePrivilege	2752
Token: SeShutdownPrivilege	2752
Token: SeCreatePagefilePrivilege	2752
Token: SeShutdownPrivilege	2752
Token: SeCreatePagefilePrivilege	2752
Token: SeManageVolumePrivilege	1952	jg2_2qua.exe
Token: SeShutdownPrivilege	2752
Token: SeCreatePagefilePrivilege	2752
Token: SeShutdownPrivilege	2752
Token: SeCreatePagefilePrivilege	2752
Token: SeShutdownPrivilege	2752
Token: SeCreatePagefilePrivilege	2752

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

msedge.exe

pid process

2752
2752
3076 msedge.exe
2752
3076 msedge.exe
2752
2752
2752
2752
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

wf-game.exe

pid process

4304 wf-game.exe
4304 wf-game.exe

pid	process
2752
2752
3076	msedge.exe
2752
3076	msedge.exe
2752
2752
2752
2752

pid	process
4304	wf-game.exe
4304	wf-game.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c61aefcd8b9a4f8623a65aba9ac1af61a9676f52e3c3dffa382afbec1f10d861.exeFiles.exewf-game.exepzyh.exemsedge.exerundll32.exeagdsk.execmd.exe

description	pid	process	target process
PID 5096 wrote to memory of 3796	5096	c61aefcd8b9a4f8623a65aba9ac1af61a9676f52e3c3dffa382afbec1f10d861.exe	agdsk.exe
PID 5096 wrote to memory of 3796	5096	c61aefcd8b9a4f8623a65aba9ac1af61a9676f52e3c3dffa382afbec1f10d861.exe	agdsk.exe
PID 5096 wrote to memory of 3796	5096	c61aefcd8b9a4f8623a65aba9ac1af61a9676f52e3c3dffa382afbec1f10d861.exe	agdsk.exe
PID 5096 wrote to memory of 1952	5096	c61aefcd8b9a4f8623a65aba9ac1af61a9676f52e3c3dffa382afbec1f10d861.exe	jg2_2qua.exe
PID 5096 wrote to memory of 1952	5096	c61aefcd8b9a4f8623a65aba9ac1af61a9676f52e3c3dffa382afbec1f10d861.exe	jg2_2qua.exe
PID 5096 wrote to memory of 1952	5096	c61aefcd8b9a4f8623a65aba9ac1af61a9676f52e3c3dffa382afbec1f10d861.exe	jg2_2qua.exe
PID 5096 wrote to memory of 1476	5096	c61aefcd8b9a4f8623a65aba9ac1af61a9676f52e3c3dffa382afbec1f10d861.exe	KRSetp.exe
PID 5096 wrote to memory of 1476	5096	c61aefcd8b9a4f8623a65aba9ac1af61a9676f52e3c3dffa382afbec1f10d861.exe	KRSetp.exe
PID 5096 wrote to memory of 3076	5096	c61aefcd8b9a4f8623a65aba9ac1af61a9676f52e3c3dffa382afbec1f10d861.exe	msedge.exe
PID 5096 wrote to memory of 3076	5096	c61aefcd8b9a4f8623a65aba9ac1af61a9676f52e3c3dffa382afbec1f10d861.exe	msedge.exe
PID 5096 wrote to memory of 4304	5096	c61aefcd8b9a4f8623a65aba9ac1af61a9676f52e3c3dffa382afbec1f10d861.exe	wf-game.exe
PID 5096 wrote to memory of 4304	5096	c61aefcd8b9a4f8623a65aba9ac1af61a9676f52e3c3dffa382afbec1f10d861.exe	wf-game.exe
PID 5096 wrote to memory of 4304	5096	c61aefcd8b9a4f8623a65aba9ac1af61a9676f52e3c3dffa382afbec1f10d861.exe	wf-game.exe
PID 5096 wrote to memory of 4188	5096	c61aefcd8b9a4f8623a65aba9ac1af61a9676f52e3c3dffa382afbec1f10d861.exe	Files.exe
PID 5096 wrote to memory of 4188	5096	c61aefcd8b9a4f8623a65aba9ac1af61a9676f52e3c3dffa382afbec1f10d861.exe	Files.exe
PID 5096 wrote to memory of 4188	5096	c61aefcd8b9a4f8623a65aba9ac1af61a9676f52e3c3dffa382afbec1f10d861.exe	Files.exe
PID 5096 wrote to memory of 1492	5096	c61aefcd8b9a4f8623a65aba9ac1af61a9676f52e3c3dffa382afbec1f10d861.exe	pzyh.exe
PID 5096 wrote to memory of 1492	5096	c61aefcd8b9a4f8623a65aba9ac1af61a9676f52e3c3dffa382afbec1f10d861.exe	pzyh.exe
PID 5096 wrote to memory of 1492	5096	c61aefcd8b9a4f8623a65aba9ac1af61a9676f52e3c3dffa382afbec1f10d861.exe	pzyh.exe
PID 5096 wrote to memory of 1328	5096	c61aefcd8b9a4f8623a65aba9ac1af61a9676f52e3c3dffa382afbec1f10d861.exe	pub2.exe
PID 5096 wrote to memory of 1328	5096	c61aefcd8b9a4f8623a65aba9ac1af61a9676f52e3c3dffa382afbec1f10d861.exe	pub2.exe
PID 5096 wrote to memory of 1328	5096	c61aefcd8b9a4f8623a65aba9ac1af61a9676f52e3c3dffa382afbec1f10d861.exe	pub2.exe
PID 4188 wrote to memory of 2640	4188	Files.exe	File.exe
PID 4188 wrote to memory of 2640	4188	Files.exe	File.exe
PID 4188 wrote to memory of 2640	4188	Files.exe	File.exe
PID 4304 wrote to memory of 3552	4304	wf-game.exe	rundll32.exe
PID 4304 wrote to memory of 3552	4304	wf-game.exe	rundll32.exe
PID 4304 wrote to memory of 3552	4304	wf-game.exe	rundll32.exe
PID 1492 wrote to memory of 3052	1492	pzyh.exe	jfiag3g_gg.exe
PID 1492 wrote to memory of 3052	1492	pzyh.exe	jfiag3g_gg.exe
PID 1492 wrote to memory of 3052	1492	pzyh.exe	jfiag3g_gg.exe
PID 3076 wrote to memory of 1280	3076	msedge.exe	msedge.exe
PID 3076 wrote to memory of 1280	3076	msedge.exe	msedge.exe
PID 1492 wrote to memory of 2616	1492	pzyh.exe	jfiag3g_gg.exe
PID 1492 wrote to memory of 2616	1492	pzyh.exe	jfiag3g_gg.exe
PID 1492 wrote to memory of 2616	1492	pzyh.exe	jfiag3g_gg.exe
PID 3552 wrote to memory of 2668	3552	rundll32.exe	WerFault.exe
PID 3552 wrote to memory of 2668	3552	rundll32.exe	WerFault.exe
PID 3552 wrote to memory of 2668	3552	rundll32.exe	WerFault.exe
PID 3796 wrote to memory of 3968	3796	agdsk.exe	cmd.exe
PID 3796 wrote to memory of 3968	3796	agdsk.exe	cmd.exe
PID 3796 wrote to memory of 3968	3796	agdsk.exe	cmd.exe
PID 3968 wrote to memory of 4680	3968	cmd.exe	taskkill.exe
PID 3968 wrote to memory of 4680	3968	cmd.exe	taskkill.exe
PID 3968 wrote to memory of 4680	3968	cmd.exe	taskkill.exe
PID 3076 wrote to memory of 1364	3076	msedge.exe	msedge.exe
PID 3076 wrote to memory of 1364	3076	msedge.exe	msedge.exe
PID 3076 wrote to memory of 1364	3076	msedge.exe	msedge.exe
PID 3076 wrote to memory of 1364	3076	msedge.exe	msedge.exe
PID 3076 wrote to memory of 1364	3076	msedge.exe	msedge.exe
PID 3076 wrote to memory of 1364	3076	msedge.exe	msedge.exe
PID 3076 wrote to memory of 1364	3076	msedge.exe	msedge.exe
PID 3076 wrote to memory of 1364	3076	msedge.exe	msedge.exe
PID 3076 wrote to memory of 1364	3076	msedge.exe	msedge.exe
PID 3076 wrote to memory of 1364	3076	msedge.exe	msedge.exe
PID 3076 wrote to memory of 1364	3076	msedge.exe	msedge.exe
PID 3076 wrote to memory of 1364	3076	msedge.exe	msedge.exe
PID 3076 wrote to memory of 1364	3076	msedge.exe	msedge.exe
PID 3076 wrote to memory of 1364	3076	msedge.exe	msedge.exe
PID 3076 wrote to memory of 1364	3076	msedge.exe	msedge.exe
PID 3076 wrote to memory of 1364	3076	msedge.exe	msedge.exe
PID 3076 wrote to memory of 1364	3076	msedge.exe	msedge.exe
PID 3076 wrote to memory of 1364	3076	msedge.exe	msedge.exe
PID 3076 wrote to memory of 1364	3076	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\c61aefcd8b9a4f8623a65aba9ac1af61a9676f52e3c3dffa382afbec1f10d861.exe
"C:\Users\Admin\AppData\Local\Temp\c61aefcd8b9a4f8623a65aba9ac1af61a9676f52e3c3dffa382afbec1f10d861.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5096

C:\Users\Admin\AppData\Local\Temp\agdsk.exe
"C:\Users\Admin\AppData\Local\Temp\agdsk.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3796

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3968

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Users\Admin\AppData\Local\Temp\jg2_2qua.exe
"C:\Users\Admin\AppData\Local\Temp\jg2_2qua.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
"C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1wNij7
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0xfc,0x100,0x40,0x104,0x7ffeb7fc46f8,0x7ffeb7fc4708,0x7ffeb7fc4718
3⤵
PID:1280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,4271370708344472892,13810049479505968166,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
3⤵
PID:1364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,4271370708344472892,13810049479505968166,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
3⤵
PID:4648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,4271370708344472892,13810049479505968166,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3148 /prefetch:8
3⤵
PID:2344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4271370708344472892,13810049479505968166,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3772 /prefetch:1
3⤵
PID:4928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4271370708344472892,13810049479505968166,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3780 /prefetch:1
3⤵
PID:2464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4271370708344472892,13810049479505968166,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4392 /prefetch:1
3⤵
PID:4752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2084,4271370708344472892,13810049479505968166,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4544 /prefetch:8
3⤵
PID:4328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4271370708344472892,13810049479505968166,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
3⤵
PID:1352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4271370708344472892,13810049479505968166,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
3⤵
PID:4176

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,4271370708344472892,13810049479505968166,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6716 /prefetch:8
3⤵
PID:2216

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
3⤵
- Drops file in Program Files directory
PID:3140

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff6bf395460,0x7ff6bf395470,0x7ff6bf395480
4⤵
PID:2940

C:\Users\Admin\AppData\Local\Temp\wf-game.exe
"C:\Users\Admin\AppData\Local\Temp\wf-game.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4304

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 600
4⤵
- Program crash
PID:2668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 600
4⤵
- Program crash
PID:4564

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4188

C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe"
3⤵
- Executes dropped EXE
PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 996
4⤵
- Program crash
PID:1520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1jF6h7
3⤵
PID:1016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffeb7fc46f8,0x7ffeb7fc4708,0x7ffeb7fc4718
4⤵
PID:1144

C:\Users\Admin\AppData\Local\Temp\pzyh.exe
"C:\Users\Admin\AppData\Local\Temp\pzyh.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1492

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:3052

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:2616

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3552 -ip 3552
1⤵
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2640 -ip 2640
1⤵
PID:2164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:1776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:3984

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
afc3071e7435267d87abfaf343327ca5

SHA1
d6eea44dac29b6520ece81710c018e5ded56a336

SHA256
8973a97b0fffdbf415aa211ff8512f9066dac9e30dbff60858c04c0451a2779f

SHA512
af6dd724f99386148aa1a558688ab7f1b95a98e97978b378dfd83b3bf6b65452037e426996e3d3479b161e2424a7ee2254b311f955a49553f590acc8ed5dc9e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
8f2b526f8b06d1befe13ac9df5f196d0

SHA1
5312747fc37ddad74957388f3aab556cffb08c3e

SHA256
9dbb8343e2da49863a8abfe10867dccfd9956ef8af848ab3aca54d9cd17a5845

SHA512
2ed4a83537a583825d77b43f8d6428c02e598e8b54cc1c66f0280acbcdbe76729718274b518cd68906c266cc1565b82fb7445aee62a063c0f2a273ca0cb5a01f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
8f5ef916a365f7914ccdf2bb21c88798

SHA1
ae1727f61e3b2ffa7204070227abcd31bf02a892

SHA256
e20f18f2f2156034646bef695a2732428e23ed57b888790135ad706088781bc4

SHA512
111e172896797eefbf193175fdd0381e038f19539de4cc5352f38c280f5707363a5c31b5a12a9db4ad506c0441d33f7c56d31991d48497a9264707996daa2193

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC4F.tmp
MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
f62578201889751ffca5a5500c1045a0

SHA1
69c8e36689558eab6ce99ce747024f0281f4945c

SHA256
9bc30f9c353be276069d3331dfe59c4441efd0384ff5be648364696d7374b152

SHA512
bdc4fd64264aa428f0633f687febce50de2c017fdd8573b2348ba1197f04325669ae6a4063f1ebc482878a128941b03c1cccf13cc69e2f9321a5c4b837769e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
f62578201889751ffca5a5500c1045a0

SHA1
69c8e36689558eab6ce99ce747024f0281f4945c

SHA256
9bc30f9c353be276069d3331dfe59c4441efd0384ff5be648364696d7374b152

SHA512
bdc4fd64264aa428f0633f687febce50de2c017fdd8573b2348ba1197f04325669ae6a4063f1ebc482878a128941b03c1cccf13cc69e2f9321a5c4b837769e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
05631ee9c2dfd02f83f2ad7941db9ddd

SHA1
bd78ea5c93d1e9db59d6725b5e3a667b7bee3a57

SHA256
caeb1209883d492f6f77c05dd2bb3a76b54aa4522509bb90bceceae17999718f

SHA512
6fecc0b9614e2dff69945d6bb32bdbcab0d2446b9e1a6c9643372116835bbe3204d575476e1a4605734dcc45407a26e1fa64c60e15d8a251a925279a47dbb74e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
MD5
05631ee9c2dfd02f83f2ad7941db9ddd

SHA1
bd78ea5c93d1e9db59d6725b5e3a667b7bee3a57

SHA256
caeb1209883d492f6f77c05dd2bb3a76b54aa4522509bb90bceceae17999718f

SHA512
6fecc0b9614e2dff69945d6bb32bdbcab0d2446b9e1a6c9643372116835bbe3204d575476e1a4605734dcc45407a26e1fa64c60e15d8a251a925279a47dbb74e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
MD5
dd17e8448cb787fe91c08277a5ea2b67

SHA1
30377eb32abcf7b54e99d5a6f1560d3096b533b2

SHA256
c658beeb1e9d021b989c0769817c228b8299b63ac82699634e36fedec546a003

SHA512
afdd8fb3347c7e58dc0c186e357dee4f856dbd85612aa7a2e7f47f217457710e2b6d5ee91baa6d940eabfd4bde7d131c171400c7591c35b27c79b8112d798663

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
MD5
dd17e8448cb787fe91c08277a5ea2b67

SHA1
30377eb32abcf7b54e99d5a6f1560d3096b533b2

SHA256
c658beeb1e9d021b989c0769817c228b8299b63ac82699634e36fedec546a003

SHA512
afdd8fb3347c7e58dc0c186e357dee4f856dbd85612aa7a2e7f47f217457710e2b6d5ee91baa6d940eabfd4bde7d131c171400c7591c35b27c79b8112d798663

Download Submit
C:\Users\Admin\AppData\Local\Temp\agdsk.exe
MD5
d1d8c494cb32a73606583ba984cd0856

SHA1
e7370e27576c4255d2efcf460b1a0cdb8f369f50

SHA256
06bac4443259fccdc17ea72e88b71f7528732f1fe58e13231c68e301f65d9e23

SHA512
8c2747fee33a822875d23a4b9f74c43bc8dc989198f370827b9768b1480839cc8658d65cf1a1483a68f100f3fa6a48921d87080478c6de8f6b94826118ef49b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\agdsk.exe
MD5
d1d8c494cb32a73606583ba984cd0856

SHA1
e7370e27576c4255d2efcf460b1a0cdb8f369f50

SHA256
06bac4443259fccdc17ea72e88b71f7528732f1fe58e13231c68e301f65d9e23

SHA512
8c2747fee33a822875d23a4b9f74c43bc8dc989198f370827b9768b1480839cc8658d65cf1a1483a68f100f3fa6a48921d87080478c6de8f6b94826118ef49b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
673fc6f98424e512ffdeed5f5f923cf6

SHA1
3e344c0fee64ecff983d3746aaf3258c47f49a72

SHA256
f57f1f1b5ac595ea6636c7d5a3ab7ab81faf136058190d44ec2a6cb009893aa2

SHA512
6f38798ed17814b4c4099d428d40d5ab9958cd4ac3ef4b191e07bf5ee67435b7428e068cb058de2942145a8a084c8394308886104480ffa53949ca48b238de07

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.dat
MD5
83df536f22197802c67688aec85a63a8

SHA1
e804152d946fd5dcb51bacbf192744b7bf85d71f

SHA256
e3c5591919b3baa85a4b38eb02b605d4c0e51634b5c9385863a9672e87a711a4

SHA512
1a862072d473e7820ecf04d0404955b79df4187a9278eccd214f9fd635b15c466a77846e306b05a7e2143c7ea272289867dc8c77b5a4fd3f6752398934328dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.dll
MD5
b29f18a79fee5bd89a7ddf3b4be8aa23

SHA1
0396814e95dd6410e16f8dd0131ec492718b88da

SHA256
9d4eac47f833f3f02f2f1c295c91928f55e2e5ac1189743ffff680f4f745950e

SHA512
f47861ceb9f73ea9ff74d6c65b363005b6931086ae36a25599bf644649f84ff1769c78cb7fd48a51352baf28ef7d3f1dd36414bb15365ed04605c488d11d08cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.dll
MD5
b29f18a79fee5bd89a7ddf3b4be8aa23

SHA1
0396814e95dd6410e16f8dd0131ec492718b88da

SHA256
9d4eac47f833f3f02f2f1c295c91928f55e2e5ac1189743ffff680f4f745950e

SHA512
f47861ceb9f73ea9ff74d6c65b363005b6931086ae36a25599bf644649f84ff1769c78cb7fd48a51352baf28ef7d3f1dd36414bb15365ed04605c488d11d08cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jg2_2qua.exe
MD5
89fb392ec3853d2a2d24327f8b0bc1bf

SHA1
a3ed6ebabee8e336ad3d7bc13cf74d65987745bc

SHA256
3557708821a5acf4b8390a8ea4c6f0b3abd0996e716f07fac2a5fd357628a98b

SHA512
574b2dd4efdb749cecb89bf90fcd61154813d23a5bb2e2c30d194c8d4f26bf24b634a39cb66dd7dc3068746d46d65662f3d5ab0788a4c37815fe35939fe05b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jg2_2qua.exe
MD5
89fb392ec3853d2a2d24327f8b0bc1bf

SHA1
a3ed6ebabee8e336ad3d7bc13cf74d65987745bc

SHA256
3557708821a5acf4b8390a8ea4c6f0b3abd0996e716f07fac2a5fd357628a98b

SHA512
574b2dd4efdb749cecb89bf90fcd61154813d23a5bb2e2c30d194c8d4f26bf24b634a39cb66dd7dc3068746d46d65662f3d5ab0788a4c37815fe35939fe05b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
1fbe1d383ef599132d4a8e890933423d

SHA1
21eeeecb1ae66b4461b48dc0ea4096837ae8f2da

SHA256
5231b6a6e7ee9f696d0fa114d52fc9451dac46e0c1e6199bb16ea0f96f73de9e

SHA512
e62a7f37af1af8904fb0ed3da5b9ae2e658851c0a231f7ed6c6b9e91f6f3aea1357f0b7dd6bd5e8451e6d3cae7e252705afa452763157a9624a39272d622e2ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
1fbe1d383ef599132d4a8e890933423d

SHA1
21eeeecb1ae66b4461b48dc0ea4096837ae8f2da

SHA256
5231b6a6e7ee9f696d0fa114d52fc9451dac46e0c1e6199bb16ea0f96f73de9e

SHA512
e62a7f37af1af8904fb0ed3da5b9ae2e658851c0a231f7ed6c6b9e91f6f3aea1357f0b7dd6bd5e8451e6d3cae7e252705afa452763157a9624a39272d622e2ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\pzyh.exe
MD5
8cbde3982249e20a6f564eb414f06fe4

SHA1
6d040b6c0f9d10b07f0b63797aa7bfabf0703925

SHA256
4a8a37d0010b2a946e9b202ea07d8b93a29a3ea9a56852678307076e10999c83

SHA512
d84863489b5fb2d17ee1df47de735a88d510bb8f5e378126243e34edb017d3ed82807c7dbd5cf6a977601f0e440be12e680679f1ce472619fd0ebbe9579c3e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pzyh.exe
MD5
8cbde3982249e20a6f564eb414f06fe4

SHA1
6d040b6c0f9d10b07f0b63797aa7bfabf0703925

SHA256
4a8a37d0010b2a946e9b202ea07d8b93a29a3ea9a56852678307076e10999c83

SHA512
d84863489b5fb2d17ee1df47de735a88d510bb8f5e378126243e34edb017d3ed82807c7dbd5cf6a977601f0e440be12e680679f1ce472619fd0ebbe9579c3e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wf-game.exe
MD5
c257b4bc919bb8879e93d8bda00d33a8

SHA1
3ddec6c642927192dd18f2d537aaa1543353309f

SHA256
ba049c72c711c97dcd741fdbbba21544c74808ac37fb64fb2a1e45e4dcc0f48a

SHA512
7a1b09fa5abd064d28bd6c13c850ceac707a9e2f670829957520d81917a110fc25e4f95d213a1b26e2f87afbdbc638785adeeaa3112bf31d9a9e59749b7bac86

Download Submit
C:\Users\Admin\AppData\Local\Temp\wf-game.exe
MD5
c257b4bc919bb8879e93d8bda00d33a8

SHA1
3ddec6c642927192dd18f2d537aaa1543353309f

SHA256
ba049c72c711c97dcd741fdbbba21544c74808ac37fb64fb2a1e45e4dcc0f48a

SHA512
7a1b09fa5abd064d28bd6c13c850ceac707a9e2f670829957520d81917a110fc25e4f95d213a1b26e2f87afbdbc638785adeeaa3112bf31d9a9e59749b7bac86

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk
MD5
e67c6b3cd97b89b000ad6c18ce05251c

SHA1
5044ab7d3c7516d759677f1cd6e3900bf7fa2e02

SHA256
1cf55f51cbdea183750ac52945e15de934ae7f2260dec0b7bac9e5e34f0098de

SHA512
c40559c11a59bf5636db7e00632866b2d9a2c50b3c5ce1b70cf115742c86988af82836f238a8c85f724cd885efcc93e8b4fc22230c5a504bf5629cddad949ab8

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk
MD5
32333703aca65c00ae2712f9b717861c

SHA1
ab64c4fbd1213e6885dd6d9bc31ce79a4ac11621

SHA256
87f2f60665bd2fae081204d7ea8dd88ac92d6a29982b8a5d5413919ee5049dbf

SHA512
a3f1e326ce46b8134c9742e2f878d8b34dc44baee25d627a237b3f3fd3968b3a086ddf010408344fb66eb91b7d65e7304a1c5dd86c41bef409d7568854835e13

Download Submit
\??\pipe\LOCAL\crashpad_3076_ACUJWBYAWVSQYKNF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1328-162-0x0000000000590000-0x0000000000599000-memory.dmp

Filesize
36KB

Download
memory/1328-151-0x000000000061D000-0x0000000000626000-memory.dmp

Filesize
36KB

Download
memory/1328-161-0x000000000061D000-0x0000000000626000-memory.dmp

Filesize
36KB

Download
memory/1328-163-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1364-185-0x00007FFED59E0000-0x00007FFED59E1000-memory.dmp

Filesize
4KB

Download
memory/1476-159-0x00007FFEB5EF0000-0x00007FFEB69B1000-memory.dmp

Filesize
10.8MB

Download
memory/1476-140-0x00000000001F0000-0x000000000022E000-memory.dmp

Filesize
248KB

Download
memory/1952-180-0x00000000041A0000-0x00000000041A8000-memory.dmp

Filesize
32KB

Download
memory/1952-183-0x00000000044F0000-0x00000000044F8000-memory.dmp

Filesize
32KB

Download
memory/1952-190-0x00000000041A0000-0x00000000041A8000-memory.dmp

Filesize
32KB

Download
memory/1952-173-0x00000000036D0000-0x00000000036E0000-memory.dmp

Filesize
64KB

Download
memory/1952-182-0x00000000044D0000-0x00000000044D8000-memory.dmp

Filesize
32KB

Download
memory/1952-255-0x0000000000400000-0x0000000000510000-memory.dmp

Filesize
1.1MB

Download
memory/1952-189-0x00000000041A0000-0x00000000041A8000-memory.dmp

Filesize
32KB

Download
memory/1952-181-0x0000000004240000-0x0000000004248000-memory.dmp

Filesize
32KB

Download
memory/1952-167-0x0000000003530000-0x0000000003540000-memory.dmp

Filesize
64KB

Download
memory/1952-179-0x0000000004180000-0x0000000004188000-memory.dmp

Filesize
32KB

Download
memory/2640-216-0x00000000006F0000-0x0000000000787000-memory.dmp

Filesize
604KB

Download
memory/2640-152-0x00000000007B9000-0x000000000081B000-memory.dmp

Filesize
392KB

Download
memory/2640-217-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2640-215-0x00000000007B9000-0x000000000081B000-memory.dmp

Filesize
392KB

Download
memory/2752-256-0x0000000003000000-0x0000000003016000-memory.dmp

Filesize
88KB

Download