redline | 9dfc2b987cfac7d4b2dc842bef5d9680724a0d8a65bef2ef175ad2e5672e429b

Analysis

max time kernel
152s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2022 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a53d50df7fd45816d60dae9008440e5a.exe
Size

12.0MB
MD5

a53d50df7fd45816d60dae9008440e5a
SHA1

4965f08f4c2013bf1e42c07cc1e10dc4e1d3280a
SHA256

9dfc2b987cfac7d4b2dc842bef5d9680724a0d8a65bef2ef175ad2e5672e429b
SHA512

f4bc8bb64e41e99538e499a537ce495883410891604bd7e31e66a06f69761aabb02eaa9a52cf011ed08881f34a6054254440d8b1028ac5546934af05e15a20e2

Score

10^/10

redline socelars 5 crym nam3 discovery infostealer persistence spyware stealer vmprotect

Malware Config

Extracted

Family

socelars

https://hueduy.s3.eu-west-1.amazonaws.com/nbsdg818/

Extracted

Family

redline

Botnet

Crym

15.235.171.56:30730

Attributes

auth_value
cbe4e2f707ccba3ef47d8390a845041f

Extracted

Family

redline

Botnet

nam3

103.89.90.61:34589

Attributes

auth_value
64b900120bbceaa6a9c60e9079492895

Extracted

Family

redline

Botnet

176.113.115.146:9582

Attributes

auth_value
d38b30c1ccd6c1e5088d9e5bd9e51b0f

Signatures

Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2868 3320 rundll32.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	3320	rundll32.exe

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4272-155-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
behavioral2/memory/5236-243-0x0000000000CE0000-0x0000000000D00000-memory.dmp	family_redline
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	family_redline
behavioral2/memory/5476-250-0x00000000009F0000-0x0000000000A34000-memory.dmp	family_redline

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mp3studios_10.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mp3studios_10.exe	family_socelars

Downloads MZ/PE file

Executes dropped EXE 21 IoCs

Processes:

Crack.exeCrack.exeCrym1.exeCrym.exeL123.exemp3studios_10.exeCrym.exefile.exe00000029..exe00004823..exeiuoytshdgasfcsae.c.exeSetup.exeF0geI.exekukurzka9000.exenamdoitntn.exereal.exesafert44.exeTrustedInstaller.exeUSA1.exeddo1053.exeSETUP_~1.EXE

pid	process
1508	Crack.exe
4204	Crack.exe
4920	Crym1.exe
1560	Crym.exe
1512	L123.exe
2756	mp3studios_10.exe
4272	Crym.exe
4360	file.exe
2200	00000029..exe
2868	00004823..exe
1920	iuoytshdgasfcsae.c.exe
4192	Setup.exe
5128	F0geI.exe
5176	kukurzka9000.exe
5236	namdoitntn.exe
5340	real.exe
5476	safert44.exe
5696	TrustedInstaller.exe
5788	USA1.exe
6888	ddo1053.exe
4480	SETUP_~1.EXE

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/6888-293-0x0000000140000000-0x000000014069A000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Setup.exea53d50df7fd45816d60dae9008440e5a.exeCrack.exeCrym1.exeL123.exefile.exe00000029..exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	a53d50df7fd45816d60dae9008440e5a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Crack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Crym1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	L123.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	00000029..exe

Drops startup file 2 IoCs

Processes:

00004823..exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dwf9hEq7FeMtNFji.exe	00004823..exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dwf9hEq7FeMtNFji.exe	00004823..exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2336 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2336	rundll32.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

TrustedInstaller.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	TrustedInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	TrustedInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

126 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

iuoytshdgasfcsae.c.exe

pid process

1920 iuoytshdgasfcsae.c.exe
1920 iuoytshdgasfcsae.c.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Crym.exe

description pid process target process

PID 1560 set thread context of 4272 1560 Crym.exe Crym.exe

flow	ioc
126	ip-api.com

pid	process
1920	iuoytshdgasfcsae.c.exe
1920	iuoytshdgasfcsae.c.exe

description	pid	process	target process
PID 1560 set thread context of 4272	1560	Crym.exe	Crym.exe

Drops file in Program Files directory 19 IoCs

Processes:

Setup.exesetup.exemp3studios_10.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Company\NewProduct\captain09876.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220823142710.pma	setup.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html	mp3studios_10.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png	mp3studios_10.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js	mp3studios_10.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	mp3studios_10.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\291abc4e-51a0-49c2-9e5d-dfb003e26995.tmp	setup.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	mp3studios_10.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js	mp3studios_10.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json	mp3studios_10.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\USA1.exe	Setup.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js	mp3studios_10.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js	mp3studios_10.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\safert44.exe	Setup.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js	mp3studios_10.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\F0geI.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\Company\NewProduct\real.exe	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 9 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1956	1512	WerFault.exe	L123.exe
1288	2336	WerFault.exe	rundll32.exe
4512	1920	WerFault.exe	iuoytshdgasfcsae.c.exe
1328	3500	WerFault.exe	PING.EXE
5140	528	WerFault.exe	timeout.exe
5308	5128	WerFault.exe	F0geI.exe
5872	5340	WerFault.exe	real.exe
6172	5788	WerFault.exe	USA1.exe
7356	4480	WerFault.exe	SETUP_~1.EXE

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeWerFault.exeWerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

528 timeout.exe

pid	process
528	timeout.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exemsedge.exeWerFault.exeWerFault.exechrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3856 taskkill.exe
Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3500 PING.EXE
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 27 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
3856	taskkill.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

pid	process
3500	PING.EXE

description	flow	ioc
HTTP User-Agent header	27	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exe00004823..exea53d50df7fd45816d60dae9008440e5a.exeCrym.exe00000029..exeWerFault.exeSetup.exe

pid	process
760	chrome.exe
760	chrome.exe
3592	chrome.exe
3592	chrome.exe
4012	chrome.exe
4012	chrome.exe
2404	chrome.exe
2404	chrome.exe
2868	00004823..exe
2868	00004823..exe
4300	a53d50df7fd45816d60dae9008440e5a.exe
4300	a53d50df7fd45816d60dae9008440e5a.exe
4272	Crym.exe
4272	Crym.exe
2200	00000029..exe
2200	00000029..exe
2868	00004823..exe
2868	00004823..exe
2868	00004823..exe
2868	00004823..exe
2868	00004823..exe
2868	00004823..exe
1328	WerFault.exe
1328	WerFault.exe
2868	00004823..exe
2868	00004823..exe
4192	Setup.exe
4192	Setup.exe
2868	00004823..exe
2868	00004823..exe
2868	00004823..exe
2868	00004823..exe
2868	00004823..exe
2868	00004823..exe
2868	00004823..exe
2868	00004823..exe
2868	00004823..exe
2868	00004823..exe
2868	00004823..exe
2868	00004823..exe
2868	00004823..exe
2868	00004823..exe
2868	00004823..exe
2868	00004823..exe
2868	00004823..exe
2868	00004823..exe
2868	00004823..exe
2868	00004823..exe
2868	00004823..exe
2868	00004823..exe
2868	00004823..exe
2868	00004823..exe
2868	00004823..exe
2868	00004823..exe
2868	00004823..exe
2868	00004823..exe
2868	00004823..exe
2868	00004823..exe
2868	00004823..exe
2868	00004823..exe
2868	00004823..exe
2868	00004823..exe
2868	00004823..exe
2868	00004823..exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

Processes:

chrome.exemsedge.exe

pid	process
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe
1784	msedge.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

Processes:

L123.exemp3studios_10.exeCrym.exetaskkill.exe00000029..exeCrym.exeSETUP_~1.EXEsafert44.exenamdoitntn.exe

description	pid	process
Token: SeDebugPrivilege	1512	L123.exe
Token: SeCreateTokenPrivilege	2756	mp3studios_10.exe
Token: SeAssignPrimaryTokenPrivilege	2756	mp3studios_10.exe
Token: SeLockMemoryPrivilege	2756	mp3studios_10.exe
Token: SeIncreaseQuotaPrivilege	2756	mp3studios_10.exe
Token: SeMachineAccountPrivilege	2756	mp3studios_10.exe
Token: SeTcbPrivilege	2756	mp3studios_10.exe
Token: SeSecurityPrivilege	2756	mp3studios_10.exe
Token: SeTakeOwnershipPrivilege	2756	mp3studios_10.exe
Token: SeLoadDriverPrivilege	2756	mp3studios_10.exe
Token: SeSystemProfilePrivilege	2756	mp3studios_10.exe
Token: SeSystemtimePrivilege	2756	mp3studios_10.exe
Token: SeProfSingleProcessPrivilege	2756	mp3studios_10.exe
Token: SeIncBasePriorityPrivilege	2756	mp3studios_10.exe
Token: SeCreatePagefilePrivilege	2756	mp3studios_10.exe
Token: SeCreatePermanentPrivilege	2756	mp3studios_10.exe
Token: SeBackupPrivilege	2756	mp3studios_10.exe
Token: SeRestorePrivilege	2756	mp3studios_10.exe
Token: SeShutdownPrivilege	2756	mp3studios_10.exe
Token: SeDebugPrivilege	2756	mp3studios_10.exe
Token: SeAuditPrivilege	2756	mp3studios_10.exe
Token: SeSystemEnvironmentPrivilege	2756	mp3studios_10.exe
Token: SeChangeNotifyPrivilege	2756	mp3studios_10.exe
Token: SeRemoteShutdownPrivilege	2756	mp3studios_10.exe
Token: SeUndockPrivilege	2756	mp3studios_10.exe
Token: SeSyncAgentPrivilege	2756	mp3studios_10.exe
Token: SeEnableDelegationPrivilege	2756	mp3studios_10.exe
Token: SeManageVolumePrivilege	2756	mp3studios_10.exe
Token: SeImpersonatePrivilege	2756	mp3studios_10.exe
Token: SeCreateGlobalPrivilege	2756	mp3studios_10.exe
Token: 31	2756	mp3studios_10.exe
Token: 32	2756	mp3studios_10.exe
Token: 33	2756	mp3studios_10.exe
Token: 34	2756	mp3studios_10.exe
Token: 35	2756	mp3studios_10.exe
Token: SeDebugPrivilege	1560	Crym.exe
Token: SeDebugPrivilege	3856	taskkill.exe
Token: SeDebugPrivilege	2200	00000029..exe
Token: SeDebugPrivilege	4272	Crym.exe
Token: SeDebugPrivilege	4480	SETUP_~1.EXE
Token: SeDebugPrivilege	5476	safert44.exe
Token: SeDebugPrivilege	5236	namdoitntn.exe

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

chrome.exemsedge.exe

pid	process
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
1784	msedge.exe
1784	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe
3592	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

Setup.exeF0geI.exekukurzka9000.exeTrustedInstaller.exe

pid process

4192 Setup.exe
5128 F0geI.exe
5176 kukurzka9000.exe
5696 TrustedInstaller.exe

pid	process
4192	Setup.exe
5128	F0geI.exe
5176	kukurzka9000.exe
5696	TrustedInstaller.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a53d50df7fd45816d60dae9008440e5a.exeCrack.exeCrym1.exeCrym.exemp3studios_10.execmd.exechrome.exe

description	pid	process	target process
PID 4300 wrote to memory of 1508	4300	a53d50df7fd45816d60dae9008440e5a.exe	Crack.exe
PID 4300 wrote to memory of 1508	4300	a53d50df7fd45816d60dae9008440e5a.exe	Crack.exe
PID 4300 wrote to memory of 1508	4300	a53d50df7fd45816d60dae9008440e5a.exe	Crack.exe
PID 1508 wrote to memory of 4204	1508	Crack.exe	Crack.exe
PID 1508 wrote to memory of 4204	1508	Crack.exe	Crack.exe
PID 1508 wrote to memory of 4204	1508	Crack.exe	Crack.exe
PID 4300 wrote to memory of 4920	4300	a53d50df7fd45816d60dae9008440e5a.exe	Crym1.exe
PID 4300 wrote to memory of 4920	4300	a53d50df7fd45816d60dae9008440e5a.exe	Crym1.exe
PID 4300 wrote to memory of 4920	4300	a53d50df7fd45816d60dae9008440e5a.exe	Crym1.exe
PID 4920 wrote to memory of 1560	4920	Crym1.exe	Crym.exe
PID 4920 wrote to memory of 1560	4920	Crym1.exe	Crym.exe
PID 4920 wrote to memory of 1560	4920	Crym1.exe	Crym.exe
PID 4920 wrote to memory of 1512	4920	Crym1.exe	L123.exe
PID 4920 wrote to memory of 1512	4920	Crym1.exe	L123.exe
PID 4300 wrote to memory of 2756	4300	a53d50df7fd45816d60dae9008440e5a.exe	mp3studios_10.exe
PID 4300 wrote to memory of 2756	4300	a53d50df7fd45816d60dae9008440e5a.exe	mp3studios_10.exe
PID 4300 wrote to memory of 2756	4300	a53d50df7fd45816d60dae9008440e5a.exe	mp3studios_10.exe
PID 1560 wrote to memory of 4272	1560	Crym.exe	Crym.exe
PID 1560 wrote to memory of 4272	1560	Crym.exe	Crym.exe
PID 1560 wrote to memory of 4272	1560	Crym.exe	Crym.exe
PID 1560 wrote to memory of 4272	1560	Crym.exe	Crym.exe
PID 1560 wrote to memory of 4272	1560	Crym.exe	Crym.exe
PID 1560 wrote to memory of 4272	1560	Crym.exe	Crym.exe
PID 1560 wrote to memory of 4272	1560	Crym.exe	Crym.exe
PID 1560 wrote to memory of 4272	1560	Crym.exe	Crym.exe
PID 2756 wrote to memory of 3756	2756	mp3studios_10.exe	cmd.exe
PID 2756 wrote to memory of 3756	2756	mp3studios_10.exe	cmd.exe
PID 2756 wrote to memory of 3756	2756	mp3studios_10.exe	cmd.exe
PID 3756 wrote to memory of 3856	3756	cmd.exe	taskkill.exe
PID 3756 wrote to memory of 3856	3756	cmd.exe	taskkill.exe
PID 3756 wrote to memory of 3856	3756	cmd.exe	taskkill.exe
PID 2756 wrote to memory of 3592	2756	mp3studios_10.exe	chrome.exe
PID 2756 wrote to memory of 3592	2756	mp3studios_10.exe	chrome.exe
PID 3592 wrote to memory of 4160	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 4160	3592	chrome.exe	chrome.exe
PID 4300 wrote to memory of 4360	4300	a53d50df7fd45816d60dae9008440e5a.exe	file.exe
PID 4300 wrote to memory of 4360	4300	a53d50df7fd45816d60dae9008440e5a.exe	file.exe
PID 4300 wrote to memory of 4360	4300	a53d50df7fd45816d60dae9008440e5a.exe	file.exe
PID 3592 wrote to memory of 1776	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 1776	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 1776	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 1776	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 1776	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 1776	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 1776	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 1776	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 1776	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 1776	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 1776	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 1776	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 1776	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 1776	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 1776	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 1776	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 1776	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 1776	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 1776	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 1776	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 1776	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 1776	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 1776	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 1776	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 1776	3592	chrome.exe	chrome.exe
PID 3592 wrote to memory of 1776	3592	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\a53d50df7fd45816d60dae9008440e5a.exe
"C:\Users\Admin\AppData\Local\Temp\a53d50df7fd45816d60dae9008440e5a.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4300

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1508

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe" -h
3⤵
- Executes dropped EXE
PID:4204

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crym1.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crym1.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4920

C:\Users\Admin\AppData\Local\Temp\Crym.exe
"C:\Users\Admin\AppData\Local\Temp\Crym.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1560

C:\Users\Admin\AppData\Local\Temp\Crym.exe
"C:\Users\Admin\AppData\Local\Temp\Crym.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4272

C:\Users\Admin\AppData\Local\Temp\L123.exe
"C:\Users\Admin\AppData\Local\Temp\L123.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1512 -s 2196
4⤵
- Program crash
PID:1956

C:\Users\Admin\AppData\Local\Temp\RarSFX0\mp3studios_10.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\mp3studios_10.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3756

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff885734f50,0x7ff885734f60,0x7ff885734f70
4⤵
PID:4160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1628,8106808961211515739,17204789417773424123,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1664 /prefetch:2
4⤵
PID:1776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1628,8106808961211515739,17204789417773424123,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2016 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1628,8106808961211515739,17204789417773424123,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2324 /prefetch:8
4⤵
PID:4900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,8106808961211515739,17204789417773424123,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2968 /prefetch:1
4⤵
PID:1092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,8106808961211515739,17204789417773424123,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
4⤵
PID:4444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,8106808961211515739,17204789417773424123,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
4⤵
PID:3784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,8106808961211515739,17204789417773424123,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
4⤵
PID:1936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,8106808961211515739,17204789417773424123,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4864 /prefetch:8
4⤵
PID:3000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,8106808961211515739,17204789417773424123,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4852 /prefetch:8
4⤵
PID:2596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,8106808961211515739,17204789417773424123,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5136 /prefetch:8
4⤵
PID:1756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,8106808961211515739,17204789417773424123,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4888 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,8106808961211515739,17204789417773424123,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5184 /prefetch:8
4⤵
PID:2288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,8106808961211515739,17204789417773424123,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5164 /prefetch:8
4⤵
PID:3500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,8106808961211515739,17204789417773424123,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5016 /prefetch:8
4⤵
PID:3968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,8106808961211515739,17204789417773424123,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5260 /prefetch:8
4⤵
PID:3524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1628,8106808961211515739,17204789417773424123,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
4⤵
PID:4204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,8106808961211515739,17204789417773424123,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5032 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,8106808961211515739,17204789417773424123,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 /prefetch:8
4⤵
PID:6508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,8106808961211515739,17204789417773424123,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2788 /prefetch:8
4⤵
PID:6644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1628,8106808961211515739,17204789417773424123,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5716 /prefetch:8
4⤵
PID:5332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1628,8106808961211515739,17204789417773424123,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1176 /prefetch:8
4⤵
PID:6780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,8106808961211515739,17204789417773424123,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2548 /prefetch:8
4⤵
PID:6088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1628,8106808961211515739,17204789417773424123,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
4⤵
PID:7784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1628,8106808961211515739,17204789417773424123,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2080 /prefetch:2
4⤵
PID:7696

C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
PID:4360

C:\Users\Admin\AppData\Roaming\00000029..exe
"C:\Users\Admin\AppData\Roaming\00000029..exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout 2 && del "C:\Users\Admin\AppData\Roaming\00000029..exe"
4⤵
PID:3896

C:\Windows\SysWOW64\timeout.exe
timeout 2
5⤵
- Delays execution with timeout.exe
PID:528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 528 -s 304
6⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:5140

C:\Users\Admin\AppData\Roaming\00004823..exe
"C:\Users\Admin\AppData\Roaming\00004823..exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
PID:2868

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe" >> NUL
3⤵
PID:2276

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
4⤵
- Runs ping.exe
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 368
5⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
PID:1328

C:\Users\Admin\AppData\Local\Temp\RarSFX0\iuoytshdgasfcsae.c.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\iuoytshdgasfcsae.c.exe"
2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1920 -s 280
3⤵
- Program crash
PID:4512

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RyjC4
3⤵
PID:4564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x114,0x118,0x11c,0xf0,0x120,0x7ff8817b46f8,0x7ff8817b4708,0x7ff8817b4718
4⤵
PID:2756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,18226773055383890235,13861068492752386731,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
4⤵
PID:5668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,18226773055383890235,13861068492752386731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
4⤵
PID:6180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1A4aK4
3⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:1784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x114,0x118,0x11c,0xf0,0x120,0x7ff8817b46f8,0x7ff8817b4708,0x7ff8817b4718
4⤵
PID:2352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,1763636427761849502,8069599000688060284,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
4⤵
PID:1160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,1763636427761849502,8069599000688060284,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
4⤵
PID:5228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,1763636427761849502,8069599000688060284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
4⤵
PID:6148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1763636427761849502,8069599000688060284,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
4⤵
PID:6592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1763636427761849502,8069599000688060284,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3872 /prefetch:1
4⤵
PID:7116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1763636427761849502,8069599000688060284,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
4⤵
PID:6812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1763636427761849502,8069599000688060284,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1
4⤵
PID:4760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1763636427761849502,8069599000688060284,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4348 /prefetch:1
4⤵
PID:6820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1763636427761849502,8069599000688060284,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4548 /prefetch:1
4⤵
PID:5544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1763636427761849502,8069599000688060284,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
4⤵
PID:6908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2160,1763636427761849502,8069599000688060284,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5788 /prefetch:8
4⤵
PID:7376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2160,1763636427761849502,8069599000688060284,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6548 /prefetch:8
4⤵
PID:7748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1763636427761849502,8069599000688060284,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
4⤵
PID:7940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,1763636427761849502,8069599000688060284,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:1
4⤵
PID:7956

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,1763636427761849502,8069599000688060284,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:8
4⤵
PID:8180

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
4⤵
- Drops file in Program Files directory
PID:8188

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x238,0x23c,0x240,0x1d4,0x244,0x7ff6d3ad5460,0x7ff6d3ad5470,0x7ff6d3ad5480
5⤵
PID:6196

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,1763636427761849502,8069599000688060284,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:8
4⤵
PID:7452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2160,1763636427761849502,8069599000688060284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6200 /prefetch:8
4⤵
PID:1308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2160,1763636427761849502,8069599000688060284,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2420 /prefetch:8
4⤵
PID:2604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RLtX4
3⤵
PID:2236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x114,0x118,0x11c,0xf4,0x120,0x7ff8817b46f8,0x7ff8817b4708,0x7ff8817b4718
4⤵
PID:4408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,18236585523078556258,806953306560124285,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
4⤵
PID:5416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,18236585523078556258,806953306560124285,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
4⤵
PID:5832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1RCgX4
3⤵
PID:2472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x114,0x118,0x11c,0xf0,0x120,0x7ff8817b46f8,0x7ff8817b4708,0x7ff8817b4718
4⤵
PID:3844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1468,4225267185498442110,10268612026231052272,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
4⤵
PID:5768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1468,4225267185498442110,10268612026231052272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
4⤵
PID:6192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1nXvZ4
3⤵
PID:4068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x114,0x118,0x11c,0xf0,0x120,0x7ff8817b46f8,0x7ff8817b4708,0x7ff8817b4718
4⤵
PID:424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,12855043196260776297,15048616550464631424,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
4⤵
PID:5132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,12855043196260776297,15048616550464631424,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
4⤵
PID:6204

C:\Program Files (x86)\Company\NewProduct\F0geI.exe
"C:\Program Files (x86)\Company\NewProduct\F0geI.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5128 -s 284
4⤵
- Program crash
PID:5308

C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
"C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5176

C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
"C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5236

C:\Program Files (x86)\Company\NewProduct\real.exe
"C:\Program Files (x86)\Company\NewProduct\real.exe"
3⤵
- Executes dropped EXE
PID:5340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 228
4⤵
- Program crash
PID:5872

C:\Program Files (x86)\Company\NewProduct\safert44.exe
"C:\Program Files (x86)\Company\NewProduct\safert44.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5476

C:\Program Files (x86)\Company\NewProduct\captain09876.exe
"C:\Program Files (x86)\Company\NewProduct\captain09876.exe"
3⤵
PID:5696

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 636
5⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:7356

C:\Program Files (x86)\Company\NewProduct\USA1.exe
"C:\Program Files (x86)\Company\NewProduct\USA1.exe"
3⤵
- Executes dropped EXE
PID:5788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5788 -s 228
4⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:6172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1Iw9B
2⤵
PID:6468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8817b46f8,0x7ff8817b4708,0x7ff8817b4718
3⤵
PID:6848

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ddo1053.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\ddo1053.exe"
2⤵
- Executes dropped EXE
PID:6888

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 1512 -ip 1512
1⤵
PID:3476

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
1⤵
- Process spawned unexpected child process
PID:2868

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global
2⤵
- Loads dropped DLL
PID:2336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 600
3⤵
- Program crash
PID:1288

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2336 -ip 2336
1⤵
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1920 -ip 1920
1⤵
PID:2452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3500 -ip 3500
1⤵
PID:4340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 528 -ip 528
1⤵
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5128 -ip 5128
1⤵
PID:5204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5340 -ip 5340
1⤵
PID:5828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5788 -ip 5788
1⤵
PID:5544

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4480 -ip 4480
1⤵
PID:7244

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:5696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
339KB

MD5
501e0f6fa90340e3d7ff26f276cd582e

SHA1
1bce4a6153f71719e786f8f612fbfcd23d3e130a

SHA256
f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

SHA512
dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

Download Submit
C:\Program Files (x86)\Company\NewProduct\F0geI.exe
Filesize
339KB

MD5
501e0f6fa90340e3d7ff26f276cd582e

SHA1
1bce4a6153f71719e786f8f612fbfcd23d3e130a

SHA256
f07d918c6571f11abf9ab7268ac6e2ecbcd931c3d9d878895c777d15052aae2b

SHA512
dee3aabfca7912f15b628253222cfe8d8e13cd64f0438e8d705b68b0a14b4c9523b7a207583be7b424e444d6b05f237484a0c38bf2e075d347ef937d409a3a69

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
764KB

MD5
8044b9ea12d49d849f8b516ac3d8173b

SHA1
68a078e750dad5befd1212a62c903379c1e3525c

SHA256
22850fcde13fdc68136d790dee2f85d48069a029a618ceddfd4c6f90b9845d81

SHA512
44df6449741275a07f7a3eeb718a1cff7ab6004a5b7501f28fe4269f8601b6ad2a3e6a7beeff0b41e3f2bdf24b6906d49e04b150ae75a33f9537665e4f39eb28

Download Submit
C:\Program Files (x86)\Company\NewProduct\kukurzka9000.exe
Filesize
764KB

MD5
8044b9ea12d49d849f8b516ac3d8173b

SHA1
68a078e750dad5befd1212a62c903379c1e3525c

SHA256
22850fcde13fdc68136d790dee2f85d48069a029a618ceddfd4c6f90b9845d81

SHA512
44df6449741275a07f7a3eeb718a1cff7ab6004a5b7501f28fe4269f8601b6ad2a3e6a7beeff0b41e3f2bdf24b6906d49e04b150ae75a33f9537665e4f39eb28

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
107KB

MD5
bbd8ea73b7626e0ca5b91d355df39b7f

SHA1
66e298653beb7f652eb44922010910ced6242879

SHA256
1aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e

SHA512
625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f

Download Submit
C:\Program Files (x86)\Company\NewProduct\namdoitntn.exe
Filesize
107KB

MD5
bbd8ea73b7626e0ca5b91d355df39b7f

SHA1
66e298653beb7f652eb44922010910ced6242879

SHA256
1aa3fdc24e789b01a39944b85c99e4ac08864d2eae7530164cea2821acbf184e

SHA512
625cc9c108b4660030be1282493700e5f0ccfb973f466f61254ed1e1a96f5f042cdeaa94607825a2f694647468e2f525a6451542fe3aac785ebac1ccfe39864f

Download Submit
C:\Program Files (x86)\Company\NewProduct\real.exe
Filesize
275KB

MD5
a2414bb5522d3844b6c9a84537d7ce43

SHA1
56c91fc4fe09ce07320c03f186f3d5d293a6089d

SHA256
31f4715777f3be6a4a7b34baf25ebfc7af32dd9a2aae826fc73dca6c44fda173

SHA512
408ebb002b3bdb77dc243ced28d852801e68e5ff0dbfa450d3e91b89311fe6a3e8473e749619c285c1a5427d8a117350a3798435ed38b56d1a230f0ae270ec60

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html
Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png
Filesize
6KB

MD5
c8d8c174df68910527edabe6b5278f06

SHA1
8ac53b3605fea693b59027b9b471202d150f266f

SHA256
9434dd7008059a60d6d5ced8c8a63ab5cae407e7152da98ca4dda408510f08f5

SHA512
d439e5124399d1901934319535b7156c0ca8d76b5aa4ddf1dd0b598d43582f6d23c16f96be74d3cd5fe764396da55ca51811d08695f356f12f7a8a71bcc7e45c

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js
Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js
Filesize
19KB

MD5
b2914e2d6e7a1c583638f9a1b1a8b11d

SHA1
3404d7fcdaba19d33efd7b5a15845256fd647302

SHA256
e5f8edd735b9f9e35efc3bebd2d7a92cb6193ae43d00ae68088b3b96d9887fef

SHA512
c9f3c87c9050b14e6992f2e5968c8f5d29a1c670a2e5932662b3e6636c948987373215ed5c7f2211efe73ab799174762278222c928874852bc6e12ddc7f823fa

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js
Filesize
3KB

MD5
f79618c53614380c5fdc545699afe890

SHA1
7804a4621cd9405b6def471f3ebedb07fb17e90a

SHA256
f3f30c5c271f80b0a3a329b11d8e72eb404d0c0dc9c66fa162ca97ccaa1e963c

SHA512
c4e0c4df6ac92351591859a7c4358b3dcd342e00051bf561e68e3fcc2c94fdd8d14bd0a042d88dca33f6c7e952938786378d804f56e84b4eab99e2a5fee96a4c

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js
Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js
Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js
Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json
Filesize
1KB

MD5
6da6b303170ccfdca9d9e75abbfb59f3

SHA1
1a8070080f50a303f73eba253ba49c1e6d400df6

SHA256
66f5620e3bfe4692b14f62baad60e3269327327565ff8b2438e98ce8ed021333

SHA512
872957b63e8a0d10791877e5d204022c08c8e8101807d7ebe6fd537d812ad09e14d8555ccf53dc00525a22c02773aa45b8fa643c05247fb0ce6012382855a89a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
Filesize
332B

MD5
fa3c054ba0569b0fdeed858b3b399228

SHA1
a17e1075eccc7ea06b1f072f4f3c128d4dd180f9

SHA256
1a0bffa93ed2ecbbb8fcbbb2ec100a3045ccffb5711311f1393b47a21d9570ee

SHA512
3e0c556053cb2a0a6c8e168f7e597a136e1e531d1bacee0c16c4f67c963e029c787b4fcf9f09625f5ffe11bc1e305333565574a6c64c7131b0f4fd0fab533d80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
eb12b384d6265240ddbf17207687c61c

SHA1
22b1587468fb41647d620cc4b0a14cc051a1ecc6

SHA256
c86a931924fbfc684cd0d1d34a29bb0a636f8019a7bf349b2f70ab493db89540

SHA512
a714b887b9931b04eefc2d7c6dd3b34d98c26d5bfd0818f07c68c518cd2a8684f138fa128bc83773b48051f86252bc971b74bbd8be188a5f9cfc9ea39ac799ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Crym.exe.log
Filesize
617B

MD5
806dff23883c0aa6dcb04133b1380075

SHA1
ab9c711b18ac9edbd41966b3495f837746dbc146

SHA256
b58a668ac53e656011a581a7c1ce3d763b8120487f3017a5881298a588a34e17

SHA512
42ff1897d652e4bf0467e402a9386501810db93d1e18824bb61ec231d50ae9dabed04043cd60996cd508fd3e495825bb02acb5d7619e20773f9bdc5c453017b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
727230d7b0f8df1633bc043529f5c15d

SHA1
5b24d959d4c5dcf8125125dbee37225d6160af18

SHA256
54961bcb62812886877fcd3ad3896891099cc4bddc51ea6f07a606cf5124d998

SHA512
35735f0dadf7ee69bcccd5e9120d6a55db39138eff58acbe4ea8116fb007c54a024028dccd5f25856ffcf33e1f3bdccfd8d0e2527130a16351debb04c27b8df9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
727230d7b0f8df1633bc043529f5c15d

SHA1
5b24d959d4c5dcf8125125dbee37225d6160af18

SHA256
54961bcb62812886877fcd3ad3896891099cc4bddc51ea6f07a606cf5124d998

SHA512
35735f0dadf7ee69bcccd5e9120d6a55db39138eff58acbe4ea8116fb007c54a024028dccd5f25856ffcf33e1f3bdccfd8d0e2527130a16351debb04c27b8df9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
727230d7b0f8df1633bc043529f5c15d

SHA1
5b24d959d4c5dcf8125125dbee37225d6160af18

SHA256
54961bcb62812886877fcd3ad3896891099cc4bddc51ea6f07a606cf5124d998

SHA512
35735f0dadf7ee69bcccd5e9120d6a55db39138eff58acbe4ea8116fb007c54a024028dccd5f25856ffcf33e1f3bdccfd8d0e2527130a16351debb04c27b8df9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Crym.exe
Filesize
531KB

MD5
56bd2ddcee32d72e62a9ad0d7363e3c1

SHA1
0ddfcbda9a60ede8c352503d3521099a1dd7f7fb

SHA256
e9357f1183c29fb059e820418c518e103a9dd9ebc3280deadcf6641cd7b242b2

SHA512
99d7d384b9306b9dc84ec59f818ba18625c1e9fefb497823a8f102dc58ef80e11ea0bb9660c0ad294bdc0706390822faf3df7df6b1d84d2ac209d316aeedebbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Crym.exe
Filesize
531KB

MD5
56bd2ddcee32d72e62a9ad0d7363e3c1

SHA1
0ddfcbda9a60ede8c352503d3521099a1dd7f7fb

SHA256
e9357f1183c29fb059e820418c518e103a9dd9ebc3280deadcf6641cd7b242b2

SHA512
99d7d384b9306b9dc84ec59f818ba18625c1e9fefb497823a8f102dc58ef80e11ea0bb9660c0ad294bdc0706390822faf3df7df6b1d84d2ac209d316aeedebbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Crym.exe
Filesize
531KB

MD5
56bd2ddcee32d72e62a9ad0d7363e3c1

SHA1
0ddfcbda9a60ede8c352503d3521099a1dd7f7fb

SHA256
e9357f1183c29fb059e820418c518e103a9dd9ebc3280deadcf6641cd7b242b2

SHA512
99d7d384b9306b9dc84ec59f818ba18625c1e9fefb497823a8f102dc58ef80e11ea0bb9660c0ad294bdc0706390822faf3df7df6b1d84d2ac209d316aeedebbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\L123.exe
Filesize
8KB

MD5
a23196109926b0d52f100e36ba5e8095

SHA1
f066fc4d823c902f3f6efa7b32143ef2295cc4f5

SHA256
c6a661321a5bb59da4c32da86141452edbe3e675c64dc83d0ccb17fe9d3f1576

SHA512
66eac84d176b354f9e58694be2cce126b4c77870f011f7f53201d6ad2f73bfa3eb668de987ee94321e56d52bc9b780bf7827ed3caa69d8d6b95a561964feb405

Download Submit
C:\Users\Admin\AppData\Local\Temp\L123.exe
Filesize
8KB

MD5
a23196109926b0d52f100e36ba5e8095

SHA1
f066fc4d823c902f3f6efa7b32143ef2295cc4f5

SHA256
c6a661321a5bb59da4c32da86141452edbe3e675c64dc83d0ccb17fe9d3f1576

SHA512
66eac84d176b354f9e58694be2cce126b4c77870f011f7f53201d6ad2f73bfa3eb668de987ee94321e56d52bc9b780bf7827ed3caa69d8d6b95a561964feb405

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
Filesize
80KB

MD5
9ca7e6e2164955f0fa10cdfc2700247c

SHA1
3ab0e5e5dbdb3b7d4becab9a3a1790fb569dd83f

SHA256
30e72775e2178b56873f6fd2796c4b8eb461c8324de14881ef93a98054f26fc1

SHA512
91b83dd365d7cef145237b8f30625da79fba50396835d943aa83ec9009f39838aaa1c222029ea241bfd97611c9da0941cf10ed05a82c45a62aac475e108d93db

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
Filesize
80KB

MD5
9ca7e6e2164955f0fa10cdfc2700247c

SHA1
3ab0e5e5dbdb3b7d4becab9a3a1790fb569dd83f

SHA256
30e72775e2178b56873f6fd2796c4b8eb461c8324de14881ef93a98054f26fc1

SHA512
91b83dd365d7cef145237b8f30625da79fba50396835d943aa83ec9009f39838aaa1c222029ea241bfd97611c9da0941cf10ed05a82c45a62aac475e108d93db

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
Filesize
80KB

MD5
9ca7e6e2164955f0fa10cdfc2700247c

SHA1
3ab0e5e5dbdb3b7d4becab9a3a1790fb569dd83f

SHA256
30e72775e2178b56873f6fd2796c4b8eb461c8324de14881ef93a98054f26fc1

SHA512
91b83dd365d7cef145237b8f30625da79fba50396835d943aa83ec9009f39838aaa1c222029ea241bfd97611c9da0941cf10ed05a82c45a62aac475e108d93db

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crym1.exe
Filesize
544KB

MD5
406d960fd1f1f53d91c16aac8e845f61

SHA1
3fea63d90873ff0f39bc474cc815d47efa222ef1

SHA256
52eaac7be380a87037437f6a4365e8756629203cf8aa0067565639ff05438c2f

SHA512
1f6a975ac72fa8a6e0f6e126e266213d2bc70a08462b17aa3afe58187ca268b8ff16c9d83687dc314b23234b151b6616190305b81faeb287130eb2b782fa057d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crym1.exe
Filesize
544KB

MD5
406d960fd1f1f53d91c16aac8e845f61

SHA1
3fea63d90873ff0f39bc474cc815d47efa222ef1

SHA256
52eaac7be380a87037437f6a4365e8756629203cf8aa0067565639ff05438c2f

SHA512
1f6a975ac72fa8a6e0f6e126e266213d2bc70a08462b17aa3afe58187ca268b8ff16c9d83687dc314b23234b151b6616190305b81faeb287130eb2b782fa057d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
Filesize
1.1MB

MD5
db2082d65265145d992f05920fcaf442

SHA1
84edb3496b2bb8db9fab5dbfaa388724aa3b2214

SHA256
54601d45a229469f2909404bc448ce2fcb6d90319d7b62adcbb36d48560b3500

SHA512
55b05af2666a47d7728e90c0bacdeef50d1401ef423d63ecf20c0400a6a82f86004f1af166857684a097e0c960a9ba1d18ef86144ed8d2bdf98b477bfcc08ebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
Filesize
1.1MB

MD5
db2082d65265145d992f05920fcaf442

SHA1
84edb3496b2bb8db9fab5dbfaa388724aa3b2214

SHA256
54601d45a229469f2909404bc448ce2fcb6d90319d7b62adcbb36d48560b3500

SHA512
55b05af2666a47d7728e90c0bacdeef50d1401ef423d63ecf20c0400a6a82f86004f1af166857684a097e0c960a9ba1d18ef86144ed8d2bdf98b477bfcc08ebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
Filesize
78KB

MD5
d39d554fe5e06ab25bf0540ace9e902b

SHA1
33ad114d37baa33444a01b2b10c3278b3e2f44bf

SHA256
163b127ca6dd39ad16f01e2afeef52e574f315f0b842b57424d36571c5cee139

SHA512
30ef9c1a3fa7a6e6b1af2c46a0a1009c8bb64816baa901ef020ee60dd67c671ad8f74a08115927eaced8d3a48053e0a2b63f31e681b80ac1eace113f6097fc00

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
Filesize
78KB

MD5
d39d554fe5e06ab25bf0540ace9e902b

SHA1
33ad114d37baa33444a01b2b10c3278b3e2f44bf

SHA256
163b127ca6dd39ad16f01e2afeef52e574f315f0b842b57424d36571c5cee139

SHA512
30ef9c1a3fa7a6e6b1af2c46a0a1009c8bb64816baa901ef020ee60dd67c671ad8f74a08115927eaced8d3a48053e0a2b63f31e681b80ac1eace113f6097fc00

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\iuoytshdgasfcsae.c.exe
Filesize
6.1MB

MD5
437f49c8548e6a69b1025ee2fe912d89

SHA1
06e2e90afb0de7e08a711f163124778c4771a11f

SHA256
66c26543a4954813811e8d205b9ef51e4024b7dcad720852af1be7cecef32afd

SHA512
1037d77de97ec9a386c2027802a3d16ec53242fb6dc84716dd2113c2593059be17a376aee47113bcc56516691027aa57ca7ffe9407bce3be6eacc2d448284fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\iuoytshdgasfcsae.c.exe
Filesize
6.1MB

MD5
437f49c8548e6a69b1025ee2fe912d89

SHA1
06e2e90afb0de7e08a711f163124778c4771a11f

SHA256
66c26543a4954813811e8d205b9ef51e4024b7dcad720852af1be7cecef32afd

SHA512
1037d77de97ec9a386c2027802a3d16ec53242fb6dc84716dd2113c2593059be17a376aee47113bcc56516691027aa57ca7ffe9407bce3be6eacc2d448284fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mp3studios_10.exe
Filesize
1.4MB

MD5
ff68dcfa8c2d722c801268e194e8cdad

SHA1
6a7947b3f4c58bee857907d390e62ccfdc920849

SHA256
3fcf2d80d3bb8fc7ca1cbec968db354fca4cee06a846cbab45136de454cbd56d

SHA512
ee8251233385190d76e7a70bd0ac81db7ca768d2de1927959cd4be6974291c5babf46450e5d071827e2c1e15c1bc1c3108abae6ad1dc442a9de5d5f6bce4c88d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\mp3studios_10.exe
Filesize
1.4MB

MD5
ff68dcfa8c2d722c801268e194e8cdad

SHA1
6a7947b3f4c58bee857907d390e62ccfdc920849

SHA256
3fcf2d80d3bb8fc7ca1cbec968db354fca4cee06a846cbab45136de454cbd56d

SHA512
ee8251233385190d76e7a70bd0ac81db7ca768d2de1927959cd4be6974291c5babf46450e5d071827e2c1e15c1bc1c3108abae6ad1dc442a9de5d5f6bce4c88d

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat
Filesize
557KB

MD5
b71d82f4b80cab4f6ce8c2ebd0ccaefd

SHA1
f0623edc124711f92e98251f84c5042b947720ba

SHA256
65eaad576ecc5ac2e85c9db0fbedef12119bfb4a97f8055eeecc4c85b13c064f

SHA512
1cd264c03fc1c237629cba5ce0724cf450023c07c9627a77e0db93ad50f35fa32bd6290dbeee1bd2d20048302aefb476bc320f1b10dee70194dfb5e81d61e5f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
60KB

MD5
6593d63ef0aeaeaaa73b768cde6268d1

SHA1
1c30e4d776d4031e0a40a83590a15369157b73ba

SHA256
0ccbfa243400e47b4025c9ade105bdc311058538303e4606d7efaa819fe23c10

SHA512
18cce6ed9e4311c7b3263ca10670e044e6d3c8765bbddddc6e852a08fecb78b600c15956a0b1c8f595157bd34861e8e55a972909b8ec0e34f061701404b82125

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
60KB

MD5
6593d63ef0aeaeaaa73b768cde6268d1

SHA1
1c30e4d776d4031e0a40a83590a15369157b73ba

SHA256
0ccbfa243400e47b4025c9ade105bdc311058538303e4606d7efaa819fe23c10

SHA512
18cce6ed9e4311c7b3263ca10670e044e6d3c8765bbddddc6e852a08fecb78b600c15956a0b1c8f595157bd34861e8e55a972909b8ec0e34f061701404b82125

Download Submit
C:\Users\Admin\AppData\Roaming\00000029..exe
Filesize
220KB

MD5
67f800932bc7007d1e0bede273816638

SHA1
84094012f9300f080bd2a750cec6b3b449946544

SHA256
76904d50532b13fa6a28a20d8acb7a399f74cf2edfebff3cb9281d4ee3bae877

SHA512
0d3894f847378984f2d20c11540b21df6fbef3524ce370b8631ba7b92f453b6dfa31ca6212474f1085a196e7076f1e7efbc564b8d1af8d18a24a42ac2043cd35

Download Submit
C:\Users\Admin\AppData\Roaming\00000029..exe
Filesize
220KB

MD5
67f800932bc7007d1e0bede273816638

SHA1
84094012f9300f080bd2a750cec6b3b449946544

SHA256
76904d50532b13fa6a28a20d8acb7a399f74cf2edfebff3cb9281d4ee3bae877

SHA512
0d3894f847378984f2d20c11540b21df6fbef3524ce370b8631ba7b92f453b6dfa31ca6212474f1085a196e7076f1e7efbc564b8d1af8d18a24a42ac2043cd35

Download Submit
C:\Users\Admin\AppData\Roaming\00004823..exe
Filesize
15KB

MD5
2a3f53f8d4465003a52ba1ba54b70f6b

SHA1
18ce95e0b90b7dbd8cef78737ea9a58ab9147248

SHA256
c22980115f6078267c7ad73857fc3150c9c9ce514bb05d3367ec65d4ae5ac806

SHA512
764638d085fffb5597189b0bc05b2bf2447c10eb2557ed93d170086adac4994adf6170358eff20bcd7876298b8892ae24bc8f3f6ba4bf04deb4d089f0994bf64

Download Submit
C:\Users\Admin\AppData\Roaming\00004823..exe
Filesize
15KB

MD5
2a3f53f8d4465003a52ba1ba54b70f6b

SHA1
18ce95e0b90b7dbd8cef78737ea9a58ab9147248

SHA256
c22980115f6078267c7ad73857fc3150c9c9ce514bb05d3367ec65d4ae5ac806

SHA512
764638d085fffb5597189b0bc05b2bf2447c10eb2557ed93d170086adac4994adf6170358eff20bcd7876298b8892ae24bc8f3f6ba4bf04deb4d089f0994bf64

Download Submit
\??\UNC\localhost\c$\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_3592_WMVFBRHKPKCLWWDX
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/424-232-0x0000000000000000-mapping.dmp

Download
memory/528-253-0x0000000000B70000-0x0000000000B77000-memory.dmp

Filesize
28KB

Download
memory/528-229-0x0000000000000000-mapping.dmp

Download
memory/528-254-0x0000000000C10000-0x0000000000C17000-memory.dmp

Filesize
28KB

Download
memory/528-246-0x0000000000740000-0x0000000000747000-memory.dmp

Filesize
28KB

Download
memory/1160-265-0x0000000000000000-mapping.dmp

Download
memory/1328-207-0x0000000000D50000-0x0000000000D57000-memory.dmp

Filesize
28KB

Download
memory/1508-132-0x0000000000000000-mapping.dmp

Download
memory/1512-151-0x00007FF8833D0000-0x00007FF883E91000-memory.dmp

Filesize
10.8MB

Download
memory/1512-161-0x00007FF8833D0000-0x00007FF883E91000-memory.dmp

Filesize
10.8MB

Download
memory/1512-142-0x0000000000000000-mapping.dmp

Download
memory/1512-146-0x00000000004C0000-0x00000000004C8000-memory.dmp

Filesize
32KB

Download
memory/1560-152-0x00000000098B0000-0x0000000009E54000-memory.dmp

Filesize
5.6MB

Download
memory/1560-153-0x0000000004FB0000-0x000000000504C000-memory.dmp

Filesize
624KB

Download
memory/1560-150-0x00000000002F0000-0x000000000037E000-memory.dmp

Filesize
568KB

Download
memory/1560-140-0x0000000000000000-mapping.dmp

Download
memory/1784-219-0x0000000000000000-mapping.dmp

Download
memory/1920-196-0x0000000000000000-mapping.dmp

Download
memory/1920-205-0x0000000002BC0000-0x0000000002BC7000-memory.dmp

Filesize
28KB

Download
memory/1920-206-0x0000000000400000-0x0000000000D6A000-memory.dmp

Filesize
9.4MB

Download
memory/1920-204-0x0000000000FC0000-0x0000000000FC7000-memory.dmp

Filesize
28KB

Download
memory/2200-187-0x0000000000000000-mapping.dmp

Download
memory/2200-192-0x0000000005470000-0x00000000054C0000-memory.dmp

Filesize
320KB

Download
memory/2200-201-0x0000000002F30000-0x0000000002F37000-memory.dmp

Filesize
28KB

Download
memory/2236-221-0x0000000000000000-mapping.dmp

Download
memory/2276-203-0x0000000001310000-0x0000000001317000-memory.dmp

Filesize
28KB

Download
memory/2276-195-0x0000000000000000-mapping.dmp

Download
memory/2336-171-0x0000000000000000-mapping.dmp

Download
memory/2352-222-0x0000000000000000-mapping.dmp

Download
memory/2472-226-0x0000000000000000-mapping.dmp

Download
memory/2756-147-0x0000000000000000-mapping.dmp

Download
memory/2756-224-0x0000000000000000-mapping.dmp

Download
memory/2868-190-0x0000000000000000-mapping.dmp

Download
memory/2868-202-0x0000000000EB0000-0x0000000000EB7000-memory.dmp

Filesize
28KB

Download
memory/3500-208-0x0000000000950000-0x0000000000957000-memory.dmp

Filesize
28KB

Download
memory/3500-209-0x0000000000AF0000-0x0000000000AF7000-memory.dmp

Filesize
28KB

Download
memory/3500-199-0x0000000000000000-mapping.dmp

Download
memory/3756-163-0x0000000000000000-mapping.dmp

Download
memory/3844-227-0x0000000000000000-mapping.dmp

Download
memory/3856-164-0x0000000000000000-mapping.dmp

Download
memory/3896-220-0x0000000000000000-mapping.dmp

Download
memory/3896-230-0x00000000008F0000-0x00000000008F7000-memory.dmp

Filesize
28KB

Download
memory/4068-231-0x0000000000000000-mapping.dmp

Download
memory/4192-215-0x0000000000440000-0x0000000000447000-memory.dmp

Filesize
28KB

Download
memory/4192-210-0x0000000000000000-mapping.dmp

Download
memory/4204-135-0x0000000000000000-mapping.dmp

Download
memory/4272-216-0x0000000007DF0000-0x0000000007FB2000-memory.dmp

Filesize
1.8MB

Download
memory/4272-162-0x00000000057C0000-0x00000000057FC000-memory.dmp

Filesize
240KB

Download
memory/4272-218-0x00000000084F0000-0x0000000008A1C000-memory.dmp

Filesize
5.2MB

Download
memory/4272-183-0x0000000006620000-0x00000000066B2000-memory.dmp

Filesize
584KB

Download
memory/4272-186-0x0000000006970000-0x000000000698E000-memory.dmp

Filesize
120KB

Download
memory/4272-155-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4272-154-0x0000000000000000-mapping.dmp

Download
memory/4272-158-0x0000000005CC0000-0x00000000062D8000-memory.dmp

Filesize
6.1MB

Download
memory/4272-185-0x00000000068B0000-0x0000000006926000-memory.dmp

Filesize
472KB

Download
memory/4272-200-0x00000000070D0000-0x00000000070D7000-memory.dmp

Filesize
28KB

Download
memory/4272-184-0x00000000066C0000-0x0000000006726000-memory.dmp

Filesize
408KB

Download
memory/4272-160-0x0000000005890000-0x000000000599A000-memory.dmp

Filesize
1.0MB

Download
memory/4272-159-0x0000000005760000-0x0000000005772000-memory.dmp

Filesize
72KB

Download
memory/4300-194-0x0000000002F80000-0x0000000002F87000-memory.dmp

Filesize
28KB

Download
memory/4360-165-0x0000000000000000-mapping.dmp

Download
memory/4408-223-0x0000000000000000-mapping.dmp

Download
memory/4480-313-0x00000000010B0000-0x00000000010B7000-memory.dmp

Filesize
28KB

Download
memory/4480-305-0x0000000000000000-mapping.dmp

Download
memory/4480-316-0x00000000010B0000-0x00000000010B7000-memory.dmp

Filesize
28KB

Download
memory/4480-314-0x0000000000D60000-0x0000000000D67000-memory.dmp

Filesize
28KB

Download
memory/4480-308-0x0000000000950000-0x00000000009A0000-memory.dmp

Filesize
320KB

Download
memory/4564-217-0x0000000000000000-mapping.dmp

Download
memory/4760-295-0x0000000000000000-mapping.dmp

Download
memory/4920-137-0x0000000000000000-mapping.dmp

Download
memory/5128-247-0x00000000004E0000-0x00000000004E7000-memory.dmp

Filesize
28KB

Download
memory/5128-234-0x0000000000000000-mapping.dmp

Download
memory/5128-251-0x0000000000500000-0x0000000000507000-memory.dmp

Filesize
28KB

Download
memory/5132-269-0x0000000000000000-mapping.dmp

Download
memory/5140-249-0x0000000001090000-0x0000000001097000-memory.dmp

Filesize
28KB

Download
memory/5176-318-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/5176-237-0x0000000000000000-mapping.dmp

Download
memory/5176-276-0x00000000005C0000-0x00000000005C7000-memory.dmp

Filesize
28KB

Download
memory/5176-317-0x0000000002240000-0x0000000002252000-memory.dmp

Filesize
72KB

Download
memory/5228-259-0x0000000000000000-mapping.dmp

Download
memory/5236-240-0x0000000000000000-mapping.dmp

Download
memory/5236-327-0x0000000005A80000-0x0000000006098000-memory.dmp

Filesize
6.1MB

Download
memory/5236-243-0x0000000000CE0000-0x0000000000D00000-memory.dmp

Filesize
128KB

Download
memory/5236-278-0x0000000005A80000-0x0000000006098000-memory.dmp

Filesize
6.1MB

Download
memory/5340-258-0x0000000000ED0000-0x0000000000ED7000-memory.dmp

Filesize
28KB

Download
memory/5340-244-0x0000000000000000-mapping.dmp

Download
memory/5340-264-0x0000000000990000-0x0000000000997000-memory.dmp

Filesize
28KB

Download
memory/5340-289-0x0000000000EE0000-0x0000000000EE7000-memory.dmp

Filesize
28KB

Download
memory/5416-262-0x0000000000000000-mapping.dmp

Download
memory/5476-250-0x00000000009F0000-0x0000000000A34000-memory.dmp

Filesize
272KB

Download
memory/5476-248-0x0000000000000000-mapping.dmp

Download
memory/5476-270-0x00000000052A0000-0x00000000052A7000-memory.dmp

Filesize
28KB

Download
memory/5544-302-0x0000000000000000-mapping.dmp

Download
memory/5668-266-0x0000000000000000-mapping.dmp

Download
memory/5696-252-0x0000000000000000-mapping.dmp

Download
memory/5768-267-0x0000000000000000-mapping.dmp

Download
memory/5788-310-0x00000000015A0000-0x00000000015A7000-memory.dmp

Filesize
28KB

Download
memory/5788-303-0x00000000013D0000-0x00000000013D7000-memory.dmp

Filesize
28KB

Download
memory/5788-290-0x0000000000EF0000-0x0000000000EF7000-memory.dmp

Filesize
28KB

Download
memory/5788-280-0x0000000000690000-0x0000000000697000-memory.dmp

Filesize
28KB

Download
memory/5788-292-0x0000000000C00000-0x0000000000C07000-memory.dmp

Filesize
28KB

Download
memory/5788-255-0x0000000000000000-mapping.dmp

Download
memory/5788-309-0x00000000015F0000-0x00000000015F7000-memory.dmp

Filesize
28KB

Download
memory/5788-304-0x0000000001550000-0x0000000001557000-memory.dmp

Filesize
28KB

Download
memory/5832-268-0x0000000000000000-mapping.dmp

Download
memory/5872-284-0x0000000000EF0000-0x0000000000EF7000-memory.dmp

Filesize
28KB

Download
memory/6148-275-0x0000000000000000-mapping.dmp

Download
memory/6172-291-0x00000000007E0000-0x00000000007E7000-memory.dmp

Filesize
28KB

Download
memory/6180-272-0x0000000000000000-mapping.dmp

Download
memory/6192-273-0x0000000000000000-mapping.dmp

Download
memory/6196-326-0x0000000000000000-mapping.dmp

Download
memory/6204-274-0x0000000000000000-mapping.dmp

Download
memory/6468-277-0x0000000000000000-mapping.dmp

Download
memory/6592-281-0x0000000000000000-mapping.dmp

Download
memory/6812-285-0x0000000000000000-mapping.dmp

Download
memory/6820-298-0x0000000000000000-mapping.dmp

Download
memory/6848-283-0x0000000000000000-mapping.dmp

Download
memory/6888-286-0x0000000000000000-mapping.dmp

Download
memory/6888-293-0x0000000140000000-0x000000014069A000-memory.dmp

Filesize
6.6MB

Download
memory/6908-307-0x0000000000000000-mapping.dmp

Download
memory/7116-288-0x0000000000000000-mapping.dmp

Download
memory/7356-315-0x00000000014B0000-0x00000000014B7000-memory.dmp

Filesize
28KB

Download
memory/7376-312-0x0000000000000000-mapping.dmp

Download
memory/7748-320-0x0000000000000000-mapping.dmp

Download
memory/7940-322-0x0000000000000000-mapping.dmp

Download
memory/7956-324-0x0000000000000000-mapping.dmp

Download
memory/8188-325-0x0000000000000000-mapping.dmp

Download