azorult | ea21176ce1adc715a5938555f127b9bb397aa05f62f389ac0bd02f1f8b449370

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2022 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Adobe_Photoshop_CC_Serial_keygen_by_KeyGenLion.exe
Size

15.5MB
MD5

10d3d31d5947d450f0032afd9a959aaf
SHA1

2f69473e05a64fdc1057280e4b456a79cecbd834
SHA256

ca088abf9c8391811b62b0f22f09ea485130012320b1e1da65bcb8ab7034713e
SHA512

b01cad01355e73cd904ed80c94b308d844ee6990ef21528d397e1ab9088b3124ed6e1d5ca2964b907ea1ca2f31af028faa8c4ce43bc5b71260c91eb137338894
SSDEEP

393216:0YdrXTk08ALp6r764yddhjR1aIeGQkraLyv:XdrDkR764ypjja4raLe

Score

10^/10

azorult nymaim raccoon redline socelars 2bf587c1de64cf778a678dab58c61d3c ust infostealer persistence spyware stealer trojan vmprotect

Malware Config

Extracted

Family

azorult

http://kvaka.li/1210776429.php

Extracted

Family

redline

Botnet

Ust

15.235.171.56:30730

Attributes

auth_value
8d3bb431e9d30f7506bd612688374540

Extracted

Family

socelars

https://dfgrthres.s3.eu-west-3.amazonaws.com/fdgds919/

Extracted

Family

raccoon

Botnet

2bf587c1de64cf778a678dab58c61d3c

http://89.185.85.53/

rc4.plain

Extracted

Family

nymaim

208.67.104.97

85.31.46.167

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3888 4368 rundll32.exe
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	4368	rundll32.exe

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral4/memory/1492-200-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX2\mp3studios_91.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\RarSFX2\mp3studios_91.exe	family_socelars

Executes dropped EXE 14 IoCs

Processes:

keygen-pr.exekeygen-step-1.exekeygen-step-5.exekeygen-step-6.exekeygen-step-4.exekey.exeLicense Keys.exeLicense Keys.exeKiffAppE2.exe5YcwGBDBkGCR.exemp3studios_91.exenaterrtasddfghad.c.exekokos.exepb1119.exe

pid	process
4324	keygen-pr.exe
2540	keygen-step-1.exe
4120	keygen-step-5.exe
4248	keygen-step-6.exe
1516	keygen-step-4.exe
2568	key.exe
4512	License Keys.exe
2000	License Keys.exe
3524	KiffAppE2.exe
3880	5YcwGBDBkGCR.exe
4956	mp3studios_91.exe
4512	naterrtasddfghad.c.exe
4460	kokos.exe
2580	pb1119.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX2\pb1119.exe	vmprotect
behavioral4/memory/2580-258-0x0000000140000000-0x000000014060C000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

keygen-step-5.exekeygen-pr.exekeygen-step-4.exeLicense Keys.exekokos.exeAdobe_Photoshop_CC_Serial_keygen_by_KeyGenLion.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	keygen-step-5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	keygen-pr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	keygen-step-4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	License Keys.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	kokos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Adobe_Photoshop_CC_Serial_keygen_by_KeyGenLion.exe

Loads dropped DLL 5 IoCs

Processes:

rundll32.exerundll32.exerundll32.exe

pid process

4760 rundll32.exe
4760 rundll32.exe
3924 rundll32.exe
3884 rundll32.exe
3884 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

27 api.ipify.org
28 api.ipify.org
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

naterrtasddfghad.c.exe

pid process

4512 naterrtasddfghad.c.exe
4512 naterrtasddfghad.c.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

5YcwGBDBkGCR.exe

description pid process target process

PID 3880 set thread context of 1492 3880 5YcwGBDBkGCR.exe InstallUtil.exe

pid	process
4760	rundll32.exe
4760	rundll32.exe
3924	rundll32.exe
3884	rundll32.exe
3884	rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

flow	ioc
27	api.ipify.org
28	api.ipify.org

pid	process
4512	naterrtasddfghad.c.exe
4512	naterrtasddfghad.c.exe

description	pid	process	target process
PID 3880 set thread context of 1492	3880	5YcwGBDBkGCR.exe	InstallUtil.exe

Drops file in Program Files directory 12 IoCs

Processes:

mp3studios_91.exesetup.exe

description	ioc	process
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js	mp3studios_91.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js	mp3studios_91.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	mp3studios_91.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\12371b00-019e-4e65-8f21-a30f43aba2e0.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220930220731.pma	setup.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html	mp3studios_91.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js	mp3studios_91.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js	mp3studios_91.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js	mp3studios_91.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json	mp3studios_91.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png	mp3studios_91.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	mp3studios_91.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 12 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
536	3924	WerFault.exe	rundll32.exe
1312	4460	WerFault.exe	kokos.exe
1828	4460	WerFault.exe	kokos.exe
4188	4460	WerFault.exe	kokos.exe
5008	4460	WerFault.exe	kokos.exe
32	4460	WerFault.exe	kokos.exe
740	4460	WerFault.exe	kokos.exe
4976	4460	WerFault.exe	kokos.exe
3884	4460	WerFault.exe	kokos.exe
4920	4460	WerFault.exe	kokos.exe
3192	4460	WerFault.exe	kokos.exe
5012	2580	WerFault.exe	pb1119.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

4040 taskkill.exe
2720 taskkill.exe

pid	process
4040	taskkill.exe
2720	taskkill.exe

Modifies registry class 2 IoCs

Processes:

keygen-step-5.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	keygen-step-5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 26 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	26	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

keygen-step-6.exe5YcwGBDBkGCR.exechrome.exechrome.exenaterrtasddfghad.c.exeInstallUtil.exechrome.exechrome.exemsedge.exemsedge.exechrome.exechrome.exeidentity_helper.exechrome.exe

pid	process
4248	keygen-step-6.exe
4248	keygen-step-6.exe
3880	5YcwGBDBkGCR.exe
3880	5YcwGBDBkGCR.exe
3880	5YcwGBDBkGCR.exe
3880	5YcwGBDBkGCR.exe
3880	5YcwGBDBkGCR.exe
3880	5YcwGBDBkGCR.exe
3880	5YcwGBDBkGCR.exe
3880	5YcwGBDBkGCR.exe
3880	5YcwGBDBkGCR.exe
3880	5YcwGBDBkGCR.exe
780	chrome.exe
780	chrome.exe
4192	chrome.exe
4192	chrome.exe
4512	naterrtasddfghad.c.exe
4512	naterrtasddfghad.c.exe
1492	InstallUtil.exe
1492	InstallUtil.exe
3416	chrome.exe
3416	chrome.exe
1492	InstallUtil.exe
1652	chrome.exe
1652	chrome.exe
864	msedge.exe
864	msedge.exe
1316	msedge.exe
1316	msedge.exe
4544	chrome.exe
4544	chrome.exe
5420	chrome.exe
5420	chrome.exe
5508	identity_helper.exe
5508	identity_helper.exe
5720	chrome.exe
5720	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

chrome.exemsedge.exe

pid process

4192 chrome.exe
4192 chrome.exe
4192 chrome.exe
4192 chrome.exe
4192 chrome.exe
1316 msedge.exe
1316 msedge.exe
1316 msedge.exe
1316 msedge.exe

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

KiffAppE2.exemp3studios_91.exetaskkill.exeInstallUtil.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	3524	KiffAppE2.exe
Token: SeCreateTokenPrivilege	4956	mp3studios_91.exe
Token: SeAssignPrimaryTokenPrivilege	4956	mp3studios_91.exe
Token: SeLockMemoryPrivilege	4956	mp3studios_91.exe
Token: SeIncreaseQuotaPrivilege	4956	mp3studios_91.exe
Token: SeMachineAccountPrivilege	4956	mp3studios_91.exe
Token: SeTcbPrivilege	4956	mp3studios_91.exe
Token: SeSecurityPrivilege	4956	mp3studios_91.exe
Token: SeTakeOwnershipPrivilege	4956	mp3studios_91.exe
Token: SeLoadDriverPrivilege	4956	mp3studios_91.exe
Token: SeSystemProfilePrivilege	4956	mp3studios_91.exe
Token: SeSystemtimePrivilege	4956	mp3studios_91.exe
Token: SeProfSingleProcessPrivilege	4956	mp3studios_91.exe
Token: SeIncBasePriorityPrivilege	4956	mp3studios_91.exe
Token: SeCreatePagefilePrivilege	4956	mp3studios_91.exe
Token: SeCreatePermanentPrivilege	4956	mp3studios_91.exe
Token: SeBackupPrivilege	4956	mp3studios_91.exe
Token: SeRestorePrivilege	4956	mp3studios_91.exe
Token: SeShutdownPrivilege	4956	mp3studios_91.exe
Token: SeDebugPrivilege	4956	mp3studios_91.exe
Token: SeAuditPrivilege	4956	mp3studios_91.exe
Token: SeSystemEnvironmentPrivilege	4956	mp3studios_91.exe
Token: SeChangeNotifyPrivilege	4956	mp3studios_91.exe
Token: SeRemoteShutdownPrivilege	4956	mp3studios_91.exe
Token: SeUndockPrivilege	4956	mp3studios_91.exe
Token: SeSyncAgentPrivilege	4956	mp3studios_91.exe
Token: SeEnableDelegationPrivilege	4956	mp3studios_91.exe
Token: SeManageVolumePrivilege	4956	mp3studios_91.exe
Token: SeImpersonatePrivilege	4956	mp3studios_91.exe
Token: SeCreateGlobalPrivilege	4956	mp3studios_91.exe
Token: 31	4956	mp3studios_91.exe
Token: 32	4956	mp3studios_91.exe
Token: 33	4956	mp3studios_91.exe
Token: 34	4956	mp3studios_91.exe
Token: 35	4956	mp3studios_91.exe
Token: SeDebugPrivilege	4040	taskkill.exe
Token: SeDebugPrivilege	1492	InstallUtil.exe
Token: SeDebugPrivilege	2720	taskkill.exe

Suspicious use of FindShellTrayWindow 29 IoCs

Processes:

chrome.exemsedge.exe

pid	process
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
1316	msedge.exe
1316	msedge.exe
1316	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe
4192	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Adobe_Photoshop_CC_Serial_keygen_by_KeyGenLion.execmd.exekeygen-step-5.exekeygen-pr.execontrol.exekeygen-step-4.exekey.exeLicense Keys.exerundll32.exerundll32.exeRunDll32.exe5YcwGBDBkGCR.exemp3studios_91.execmd.exe

description	pid	process	target process
PID 4440 wrote to memory of 4424	4440	Adobe_Photoshop_CC_Serial_keygen_by_KeyGenLion.exe	cmd.exe
PID 4440 wrote to memory of 4424	4440	Adobe_Photoshop_CC_Serial_keygen_by_KeyGenLion.exe	cmd.exe
PID 4440 wrote to memory of 4424	4440	Adobe_Photoshop_CC_Serial_keygen_by_KeyGenLion.exe	cmd.exe
PID 4424 wrote to memory of 4324	4424	cmd.exe	keygen-pr.exe
PID 4424 wrote to memory of 4324	4424	cmd.exe	keygen-pr.exe
PID 4424 wrote to memory of 4324	4424	cmd.exe	keygen-pr.exe
PID 4424 wrote to memory of 2540	4424	cmd.exe	keygen-step-1.exe
PID 4424 wrote to memory of 2540	4424	cmd.exe	keygen-step-1.exe
PID 4424 wrote to memory of 2540	4424	cmd.exe	keygen-step-1.exe
PID 4424 wrote to memory of 4120	4424	cmd.exe	keygen-step-5.exe
PID 4424 wrote to memory of 4120	4424	cmd.exe	keygen-step-5.exe
PID 4424 wrote to memory of 4120	4424	cmd.exe	keygen-step-5.exe
PID 4424 wrote to memory of 4248	4424	cmd.exe	keygen-step-6.exe
PID 4424 wrote to memory of 4248	4424	cmd.exe	keygen-step-6.exe
PID 4424 wrote to memory of 4248	4424	cmd.exe	keygen-step-6.exe
PID 4424 wrote to memory of 1516	4424	cmd.exe	keygen-step-4.exe
PID 4424 wrote to memory of 1516	4424	cmd.exe	keygen-step-4.exe
PID 4424 wrote to memory of 1516	4424	cmd.exe	keygen-step-4.exe
PID 4120 wrote to memory of 1260	4120	keygen-step-5.exe	control.exe
PID 4120 wrote to memory of 1260	4120	keygen-step-5.exe	control.exe
PID 4120 wrote to memory of 1260	4120	keygen-step-5.exe	control.exe
PID 4324 wrote to memory of 2568	4324	keygen-pr.exe	key.exe
PID 4324 wrote to memory of 2568	4324	keygen-pr.exe	key.exe
PID 4324 wrote to memory of 2568	4324	keygen-pr.exe	key.exe
PID 1260 wrote to memory of 4760	1260	control.exe	rundll32.exe
PID 1260 wrote to memory of 4760	1260	control.exe	rundll32.exe
PID 1260 wrote to memory of 4760	1260	control.exe	rundll32.exe
PID 1516 wrote to memory of 4512	1516	keygen-step-4.exe	License Keys.exe
PID 1516 wrote to memory of 4512	1516	keygen-step-4.exe	License Keys.exe
PID 1516 wrote to memory of 4512	1516	keygen-step-4.exe	License Keys.exe
PID 2568 wrote to memory of 892	2568	key.exe	key.exe
PID 2568 wrote to memory of 892	2568	key.exe	key.exe
PID 2568 wrote to memory of 892	2568	key.exe	key.exe
PID 4512 wrote to memory of 2000	4512	License Keys.exe	License Keys.exe
PID 4512 wrote to memory of 2000	4512	License Keys.exe	License Keys.exe
PID 4512 wrote to memory of 2000	4512	License Keys.exe	License Keys.exe
PID 1516 wrote to memory of 3524	1516	keygen-step-4.exe	KiffAppE2.exe
PID 1516 wrote to memory of 3524	1516	keygen-step-4.exe	KiffAppE2.exe
PID 3888 wrote to memory of 3924	3888	rundll32.exe	rundll32.exe
PID 3888 wrote to memory of 3924	3888	rundll32.exe	rundll32.exe
PID 3888 wrote to memory of 3924	3888	rundll32.exe	rundll32.exe
PID 4760 wrote to memory of 3280	4760	rundll32.exe	RunDll32.exe
PID 4760 wrote to memory of 3280	4760	rundll32.exe	RunDll32.exe
PID 3280 wrote to memory of 3884	3280	RunDll32.exe	rundll32.exe
PID 3280 wrote to memory of 3884	3280	RunDll32.exe	rundll32.exe
PID 3280 wrote to memory of 3884	3280	RunDll32.exe	rundll32.exe
PID 1516 wrote to memory of 3880	1516	keygen-step-4.exe	5YcwGBDBkGCR.exe
PID 1516 wrote to memory of 3880	1516	keygen-step-4.exe	5YcwGBDBkGCR.exe
PID 1516 wrote to memory of 3880	1516	keygen-step-4.exe	5YcwGBDBkGCR.exe
PID 3880 wrote to memory of 1492	3880	5YcwGBDBkGCR.exe	InstallUtil.exe
PID 3880 wrote to memory of 1492	3880	5YcwGBDBkGCR.exe	InstallUtil.exe
PID 3880 wrote to memory of 1492	3880	5YcwGBDBkGCR.exe	InstallUtil.exe
PID 3880 wrote to memory of 1492	3880	5YcwGBDBkGCR.exe	InstallUtil.exe
PID 3880 wrote to memory of 1492	3880	5YcwGBDBkGCR.exe	InstallUtil.exe
PID 1516 wrote to memory of 4956	1516	keygen-step-4.exe	mp3studios_91.exe
PID 1516 wrote to memory of 4956	1516	keygen-step-4.exe	mp3studios_91.exe
PID 1516 wrote to memory of 4956	1516	keygen-step-4.exe	mp3studios_91.exe
PID 4956 wrote to memory of 2364	4956	mp3studios_91.exe	cmd.exe
PID 4956 wrote to memory of 2364	4956	mp3studios_91.exe	cmd.exe
PID 4956 wrote to memory of 2364	4956	mp3studios_91.exe	cmd.exe
PID 2364 wrote to memory of 4040	2364	cmd.exe	taskkill.exe
PID 2364 wrote to memory of 4040	2364	cmd.exe	taskkill.exe
PID 2364 wrote to memory of 4040	2364	cmd.exe	taskkill.exe
PID 4956 wrote to memory of 4192	4956	mp3studios_91.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\Adobe_Photoshop_CC_Serial_keygen_by_KeyGenLion.exe
"C:\Users\Admin\AppData\Local\Temp\Adobe_Photoshop_CC_Serial_keygen_by_KeyGenLion.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4424

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
keygen-pr.exe -p83fsase3Ge
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4324

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2568

C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe -txt -scanlocal -file:potato.dat
5⤵
PID:892

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
keygen-step-1.exe
3⤵
- Executes dropped EXE
PID:2540

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exe
keygen-step-5.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4120

C:\Windows\SysWOW64\control.exe
"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\R5K7Sai.CpL",
4⤵
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\R5K7Sai.CpL",
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4760

C:\Windows\system32\RunDll32.exe
C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\R5K7Sai.CpL",
6⤵
- Suspicious use of WriteProcessMemory
PID:3280

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\R5K7Sai.CpL",
7⤵
- Loads dropped DLL
PID:3884

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-6.exe
keygen-step-6.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4248

C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
keygen-step-4.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\AppData\Local\Temp\RarSFX2\License Keys.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\License Keys.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4512

C:\Users\Admin\AppData\Local\Temp\RarSFX2\License Keys.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\License Keys.exe" -h
5⤵
- Executes dropped EXE
PID:2000

C:\Users\Admin\AppData\Local\Temp\RarSFX2\KiffAppE2.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\KiffAppE2.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Users\Admin\AppData\Local\Temp\RarSFX2\5YcwGBDBkGCR.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\5YcwGBDBkGCR.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Users\Admin\AppData\Local\Temp\RarSFX2\mp3studios_91.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\mp3studios_91.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4956

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
5⤵
- Suspicious use of WriteProcessMemory
PID:2364

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
5⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d0a24f50,0x7ff8d0a24f60,0x7ff8d0a24f70
6⤵
PID:3196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1600,8235373247095020217,16605277670968244978,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1640 /prefetch:2
6⤵
PID:2412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1600,8235373247095020217,16605277670968244978,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1984 /prefetch:8
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1600,8235373247095020217,16605277670968244978,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2396 /prefetch:8
6⤵
PID:4248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,8235373247095020217,16605277670968244978,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2884 /prefetch:1
6⤵
PID:2600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,8235373247095020217,16605277670968244978,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3016 /prefetch:1
6⤵
PID:3748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,8235373247095020217,16605277670968244978,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
6⤵
PID:4532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,8235373247095020217,16605277670968244978,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1
6⤵
PID:3524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,8235373247095020217,16605277670968244978,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4672 /prefetch:8
6⤵
PID:4252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,8235373247095020217,16605277670968244978,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4784 /prefetch:8
6⤵
PID:5012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,8235373247095020217,16605277670968244978,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4928 /prefetch:8
6⤵
PID:4600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1600,8235373247095020217,16605277670968244978,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 /prefetch:8
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:3416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,8235373247095020217,16605277670968244978,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5896 /prefetch:8
6⤵
PID:2584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1600,8235373247095020217,16605277670968244978,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 /prefetch:8
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:1652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,8235373247095020217,16605277670968244978,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4840 /prefetch:8
6⤵
PID:3304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,8235373247095020217,16605277670968244978,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5960 /prefetch:8
6⤵
PID:4588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,8235373247095020217,16605277670968244978,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6016 /prefetch:8
6⤵
PID:3980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1600,8235373247095020217,16605277670968244978,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
6⤵
PID:3104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1600,8235373247095020217,16605277670968244978,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1552 /prefetch:8
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:4544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1600,8235373247095020217,16605277670968244978,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 /prefetch:8
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:5420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1600,8235373247095020217,16605277670968244978,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 /prefetch:8
6⤵
- Suspicious behavior: EnumeratesProcesses
PID:5720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1600,8235373247095020217,16605277670968244978,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1552 /prefetch:8
6⤵
PID:5780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1600,8235373247095020217,16605277670968244978,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5284 /prefetch:8
6⤵
PID:5816

C:\Users\Admin\AppData\Local\Temp\RarSFX2\naterrtasddfghad.c.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\naterrtasddfghad.c.exe"
4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4512

C:\Users\Admin\AppData\Local\Temp\RarSFX2\kokos.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\kokos.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
PID:4460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 456
5⤵
- Program crash
PID:1312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 772
5⤵
- Program crash
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 772
5⤵
- Program crash
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 772
5⤵
- Program crash
PID:5008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 796
5⤵
- Program crash
PID:32

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 928
5⤵
- Program crash
PID:740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 1020
5⤵
- Program crash
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 1048
5⤵
- Program crash
PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 1392
5⤵
- Program crash
PID:4920

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "kokos.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\RarSFX2\kokos.exe" & exit
5⤵
PID:3096

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "kokos.exe" /f
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 1356
5⤵
- Program crash
PID:3192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1Iw9B
4⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:1316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d1a446f8,0x7ff8d1a44708,0x7ff8d1a44718
5⤵
PID:3888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,7238915520832919534,437431088953486919,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
5⤵
PID:1268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,7238915520832919534,437431088953486919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,7238915520832919534,437431088953486919,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
5⤵
PID:3740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7238915520832919534,437431088953486919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1
5⤵
PID:2680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7238915520832919534,437431088953486919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
5⤵
PID:3880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2160,7238915520832919534,437431088953486919,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2108 /prefetch:8
5⤵
PID:4512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7238915520832919534,437431088953486919,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
5⤵
PID:840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,7238915520832919534,437431088953486919,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
5⤵
PID:1800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2160,7238915520832919534,437431088953486919,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4044 /prefetch:8
5⤵
PID:3984

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,7238915520832919534,437431088953486919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5912 /prefetch:8
5⤵
PID:5236

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
5⤵
- Drops file in Program Files directory
PID:5244

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff6be145460,0x7ff6be145470,0x7ff6be145480
6⤵
PID:5300

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,7238915520832919534,437431088953486919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5912 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5508

C:\Users\Admin\AppData\Local\Temp\RarSFX2\pb1119.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\pb1119.exe"
4⤵
- Executes dropped EXE
PID:2580

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2580 -s 428
5⤵
- Program crash
PID:5012

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3888

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
- Loads dropped DLL
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3924 -s 604
3⤵
- Program crash
PID:536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3924 -ip 3924
1⤵
PID:2468

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4460 -ip 4460
1⤵
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4460 -ip 4460
1⤵
PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4460 -ip 4460
1⤵
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4460 -ip 4460
1⤵
PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4460 -ip 4460
1⤵
PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4460 -ip 4460
1⤵
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4460 -ip 4460
1⤵
PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4460 -ip 4460
1⤵
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4460 -ip 4460
1⤵
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4460 -ip 4460
1⤵
PID:1652

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 2580 -ip 2580
1⤵
PID:980

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html
Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png
Filesize
6KB

MD5
c8d8c174df68910527edabe6b5278f06

SHA1
8ac53b3605fea693b59027b9b471202d150f266f

SHA256
9434dd7008059a60d6d5ced8c8a63ab5cae407e7152da98ca4dda408510f08f5

SHA512
d439e5124399d1901934319535b7156c0ca8d76b5aa4ddf1dd0b598d43582f6d23c16f96be74d3cd5fe764396da55ca51811d08695f356f12f7a8a71bcc7e45c

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js
Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js
Filesize
20KB

MD5
19de647c9fea8c0ce0b5b435e7eaff98

SHA1
3b78a44530c49f3992633e9eb3afd2552ffd5643

SHA256
bb94882f24d1a36498b7ea0de5f20fd579a4a548195c25ea6bb646591c6eadcd

SHA512
c8c7ca02da24fde96c7a08dbacfda6bbc9b2a33462e293dcf8e0cd55475880e88f25e15e77314f1df0d3dfb75b45fb087562cca6ed90e58f5a81dc1ea8f371d3

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js
Filesize
3KB

MD5
f79618c53614380c5fdc545699afe890

SHA1
7804a4621cd9405b6def471f3ebedb07fb17e90a

SHA256
f3f30c5c271f80b0a3a329b11d8e72eb404d0c0dc9c66fa162ca97ccaa1e963c

SHA512
c4e0c4df6ac92351591859a7c4358b3dcd342e00051bf561e68e3fcc2c94fdd8d14bd0a042d88dca33f6c7e952938786378d804f56e84b4eab99e2a5fee96a4c

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js
Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js
Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js
Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json
Filesize
1KB

MD5
6da6b303170ccfdca9d9e75abbfb59f3

SHA1
1a8070080f50a303f73eba253ba49c1e6d400df6

SHA256
66f5620e3bfe4692b14f62baad60e3269327327565ff8b2438e98ce8ed021333

SHA512
872957b63e8a0d10791877e5d204022c08c8e8101807d7ebe6fd537d812ad09e14d8555ccf53dc00525a22c02773aa45b8fa643c05247fb0ce6012382855a89a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
203b21ab06d8949648129dc8ae33ba7e

SHA1
77ad2e943bc97db7ca856105793085396e452fbb

SHA256
2c0db9babd7028292d3b7e86240662c751b3b99c17f329261c352601f7c91647

SHA512
23a134a40812d270c3b8e6ed8f43e97ce38591d2e360d2a40fdfd6353b05c36c18184a4ea60896963a7d4d1d3656380cadcd74c5f5e2bacdbe243728865e70b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
87c6f7a12400e4d26086b4edcde0cf38

SHA1
55b84af207dbf774694363edd28d64e2012c1018

SHA256
e91547635729afce24b069a3c00a1868f62d01e3127e6b45adeef9fb0e7d5283

SHA512
dfc26d6a0ca2ad2d6c035a8dcef4949039196a94702f519b6fd46315b34bf836d1f1db11d68aa6298cee814ad7c8fb6e606592cbec8731a6eb8e480ee5b25418

Download Submit
C:\Users\Admin\AppData\Local\Temp\R5K7Sai.CpL
Filesize
2.0MB

MD5
fd196307421e7279368cbf2ca3018ddb

SHA1
632607a2797f9c13e990c6f2b060dd49db686380

SHA256
96fd4438ba93e5134675a5263394e2fdfbd9bafcce2574127004f4c2d169b6cc

SHA512
2f00a865436639425c967e2459a0d238be1ded9890218ab73fa37a7a8d7465614140f046db5789b93137cbd8438d80889ba3404cd2b217dc13a2c7cec0b5d826

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
Filesize
1.7MB

MD5
65b49b106ec0f6cf61e7dc04c0a7eb74

SHA1
a1f4784377c53151167965e0ff225f5085ebd43b

SHA256
862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd

SHA512
e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-pr.exe
Filesize
1.7MB

MD5
65b49b106ec0f6cf61e7dc04c0a7eb74

SHA1
a1f4784377c53151167965e0ff225f5085ebd43b

SHA256
862a8cf0e5561c848145a1a1f464acf77f92a3b15cc43722a7208701f60a2fcd

SHA512
e9030cd609f42fb616e5bac3a5203ae46bbae9ec95682432a367f8805cdaa3e30c18a732ceddb0545ac653d543348a6728866149d2822752c80948066bfdf3da

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
Filesize
112KB

MD5
c615d0bfa727f494fee9ecb3f0acf563

SHA1
6c3509ae64abc299a7afa13552c4fe430071f087

SHA256
95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

SHA512
d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-1.exe
Filesize
112KB

MD5
c615d0bfa727f494fee9ecb3f0acf563

SHA1
6c3509ae64abc299a7afa13552c4fe430071f087

SHA256
95d91febc45d03c1ee477c127bcbd332cd6fbce1e91105004af723594e6f0199

SHA512
d97256eb93d8e546f5fb5c61bebe61e7dfab316eb7685be83782bd36b28df3f80880e7b823197a4b6bae1af7b9460c4c81357dd44ed199ab93ccaee5acc10e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
Filesize
12.1MB

MD5
254be7af6cd5fdde89b5ca7c243cf5f4

SHA1
6e4172ca994228171b89bffc3fa1301c8a9277bc

SHA256
d3ce87a5fbaf82688812157d3ef73a565f9349d073e6b87a6134cb0a63561219

SHA512
e3f6b6250b6ef50837545a0a4f833810260e1f06c6be8ff36d756271a8b1f32f97beeaa31fad131c1a53ea331aa1d843cc5c8dd884b309573a9b174c06ada575

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-4.exe
Filesize
12.1MB

MD5
254be7af6cd5fdde89b5ca7c243cf5f4

SHA1
6e4172ca994228171b89bffc3fa1301c8a9277bc

SHA256
d3ce87a5fbaf82688812157d3ef73a565f9349d073e6b87a6134cb0a63561219

SHA512
e3f6b6250b6ef50837545a0a4f833810260e1f06c6be8ff36d756271a8b1f32f97beeaa31fad131c1a53ea331aa1d843cc5c8dd884b309573a9b174c06ada575

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exe
Filesize
1.7MB

MD5
c8512150bead2df55285742e51031329

SHA1
a9b651363228a905c533214257acb71a11f4b685

SHA256
dec1e2022b8e01810d8af37b0f6319886e4b8cba234be136596c4189fd5d48aa

SHA512
d0ca19d344e2b80ae6923af4e570eba8b8890143922f186503501b84b9b66b8e4d4162ded536e0e6992fd784d9f390844d41b757ec0f1e470952de6edef909cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-5.exe
Filesize
1.7MB

MD5
c8512150bead2df55285742e51031329

SHA1
a9b651363228a905c533214257acb71a11f4b685

SHA256
dec1e2022b8e01810d8af37b0f6319886e4b8cba234be136596c4189fd5d48aa

SHA512
d0ca19d344e2b80ae6923af4e570eba8b8890143922f186503501b84b9b66b8e4d4162ded536e0e6992fd784d9f390844d41b757ec0f1e470952de6edef909cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-6.exe
Filesize
80KB

MD5
0ccff32c225f062f028e7a0bc2707799

SHA1
aa410d93fa92488877c419110a54b3170bc04923

SHA256
b96f30418380b7ef39e66146a4eb3a68d114c0823e0511c9097be46c1effe62d

SHA512
6e91b74367e17f769b8671122fcfb8035f3b6c55c3328e4c791f8d67881cf71699ce85c427dfc25b7929d5fc76409f74c02eb554d286d54bf09e51ff8dc0ccdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen-step-6.exe
Filesize
80KB

MD5
0ccff32c225f062f028e7a0bc2707799

SHA1
aa410d93fa92488877c419110a54b3170bc04923

SHA256
b96f30418380b7ef39e66146a4eb3a68d114c0823e0511c9097be46c1effe62d

SHA512
6e91b74367e17f769b8671122fcfb8035f3b6c55c3328e4c791f8d67881cf71699ce85c427dfc25b7929d5fc76409f74c02eb554d286d54bf09e51ff8dc0ccdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\keygen.bat
Filesize
149B

MD5
601bb2b0a5d8b03895d13b6461fab11d

SHA1
29e815e3252c5be49f9b57b1ec9c479b523000ce

SHA256
f9be5d8f88ddf4e50a05b23fce2d6af154e427b636fdd90ca0822654acdc851c

SHA512
95acdd98dc84ea03951b5827233d30b750226846d1883548911f31e182bc6def3ec397732a6b0730db24312aefe8f8892689c3666b3db3d8f20b127e76430e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\JOzWR.dat
Filesize
1.5MB

MD5
12476321a502e943933e60cfb4429970

SHA1
c71d293b84d03153a1bd13c560fca0f8857a95a7

SHA256
14a0fbd7eab461e49ee161ac3bd9ad8055086dbe56848dbaba9ec2034b3dea29

SHA512
f222de8febc705146394fd389e6cece95b077a0629e18eab91c49b139bf5b686435e28a6ada4a0dbb951fd24ec3db692e7a5584d57ffd0e851739e595f2bbfdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
Filesize
58KB

MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\key.exe
Filesize
58KB

MD5
51ef03c9257f2dd9b93bfdd74e96c017

SHA1
3baa7bee4b4b7d3ace13409d69dc7bcd0399ac34

SHA256
82a022b29bda763ef9f2ce01c82c82e199182d1d0243cca9811eccc1d993cecf

SHA512
2c97e5d08c9be89ca45153511e0976abfabf41e25d4187dcb7586ba125b6d8d763b99e79043ac1504203c26c7ab47a9246d9a0235b469f6c611703d4e2ae00e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\5YcwGBDBkGCR.exe
Filesize
1.8MB

MD5
646bc99e1e55e5d7bde0d90eb36191f7

SHA1
d00a71e32d4b1439fcdc8bf02a94583534c07060

SHA256
d7d79896c76e10332eace10ef628139c2dacdf7ec7ca79315db6b12e03925719

SHA512
31fb9adbfb28ff4986bcfe37e05ce78c505f2f6badc0e007040c7c4310404cd6061da1c4f84d4c4a1c64309b98f8a7c3fcf842e451b2bbc33f7ec0d0659afbd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\5YcwGBDBkGCR.exe
Filesize
1.8MB

MD5
646bc99e1e55e5d7bde0d90eb36191f7

SHA1
d00a71e32d4b1439fcdc8bf02a94583534c07060

SHA256
d7d79896c76e10332eace10ef628139c2dacdf7ec7ca79315db6b12e03925719

SHA512
31fb9adbfb28ff4986bcfe37e05ce78c505f2f6badc0e007040c7c4310404cd6061da1c4f84d4c4a1c64309b98f8a7c3fcf842e451b2bbc33f7ec0d0659afbd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\KiffAppE2.exe
Filesize
157KB

MD5
db5cc5204a082888533280e4cb9099b0

SHA1
834a14383eaec6e8ab377d9e537a20b29b662509

SHA256
cbe3879a9979495761b4ecfecf2bdb76614d659a018feca61026616baf4a067d

SHA512
54885107838db3ed11314c2a425d7b302398d16932e079e9e62cbb267e86eaf66e9a83054e9aadcbae32603d5cd60b5d60951856c9b9d26581088658679e9625

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\KiffAppE2.exe
Filesize
157KB

MD5
db5cc5204a082888533280e4cb9099b0

SHA1
834a14383eaec6e8ab377d9e537a20b29b662509

SHA256
cbe3879a9979495761b4ecfecf2bdb76614d659a018feca61026616baf4a067d

SHA512
54885107838db3ed11314c2a425d7b302398d16932e079e9e62cbb267e86eaf66e9a83054e9aadcbae32603d5cd60b5d60951856c9b9d26581088658679e9625

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\License Keys.exe
Filesize
76KB

MD5
75a6c1a6ef5439c5c7ef7c2961eb1e4c

SHA1
0af04b9178ea8521c09f887dfb2f2f0ac862f7ca

SHA256
8e3101d29cbcc87cae115fe4a157a3817493badb6e0457068d08c70cba5f9b08

SHA512
a085476279219fa3e970dba66d7376561d730b357518cd2c5282df236552f267e49737764bc85919d17b9f9becde49d79d36ed1b5be4d50b4c77d7b86d11837a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\License Keys.exe
Filesize
76KB

MD5
75a6c1a6ef5439c5c7ef7c2961eb1e4c

SHA1
0af04b9178ea8521c09f887dfb2f2f0ac862f7ca

SHA256
8e3101d29cbcc87cae115fe4a157a3817493badb6e0457068d08c70cba5f9b08

SHA512
a085476279219fa3e970dba66d7376561d730b357518cd2c5282df236552f267e49737764bc85919d17b9f9becde49d79d36ed1b5be4d50b4c77d7b86d11837a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\License Keys.exe
Filesize
76KB

MD5
75a6c1a6ef5439c5c7ef7c2961eb1e4c

SHA1
0af04b9178ea8521c09f887dfb2f2f0ac862f7ca

SHA256
8e3101d29cbcc87cae115fe4a157a3817493badb6e0457068d08c70cba5f9b08

SHA512
a085476279219fa3e970dba66d7376561d730b357518cd2c5282df236552f267e49737764bc85919d17b9f9becde49d79d36ed1b5be4d50b4c77d7b86d11837a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\kokos.exe
Filesize
362KB

MD5
c2a3898cf1d9bddccef58d88e6014eb3

SHA1
47445439977356c716c683fde8c1062fb7859905

SHA256
f819f03b0e5e1b244046065fdd995d2c95e3313ca8f47dbb46c1fb31c7538aad

SHA512
c0cbda8ea0999887235a121afa974a1d3ba2379f22374a4410f9a2537bd51750a7459dfc269d31c619c38d65de9b59c4cac306dc45bcf42a671b3ff270a4162b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\kokos.exe
Filesize
362KB

MD5
c2a3898cf1d9bddccef58d88e6014eb3

SHA1
47445439977356c716c683fde8c1062fb7859905

SHA256
f819f03b0e5e1b244046065fdd995d2c95e3313ca8f47dbb46c1fb31c7538aad

SHA512
c0cbda8ea0999887235a121afa974a1d3ba2379f22374a4410f9a2537bd51750a7459dfc269d31c619c38d65de9b59c4cac306dc45bcf42a671b3ff270a4162b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\mp3studios_91.exe
Filesize
1.4MB

MD5
7ee98db0e73b9d51ef1ba62cdfcb2d9a

SHA1
3a75ee39fb8d16cfbb13cc806fa61895ae22c833

SHA256
c17f6b497787f2602e89285241134ce0e90d149e627f39847438389e1e864d8e

SHA512
715fe31b6f69a095a80987c1f77fb7656cb1d43048c9ad99771476aed8ee72c9f6f618453c82e2880c8fee914a63777633aff2e47905a256cd940891590edd76

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\mp3studios_91.exe
Filesize
1.4MB

MD5
7ee98db0e73b9d51ef1ba62cdfcb2d9a

SHA1
3a75ee39fb8d16cfbb13cc806fa61895ae22c833

SHA256
c17f6b497787f2602e89285241134ce0e90d149e627f39847438389e1e864d8e

SHA512
715fe31b6f69a095a80987c1f77fb7656cb1d43048c9ad99771476aed8ee72c9f6f618453c82e2880c8fee914a63777633aff2e47905a256cd940891590edd76

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\naterrtasddfghad.c.exe
Filesize
6.3MB

MD5
f8196c4cac08e11ed7fc7ca823507ca8

SHA1
c9086d09de5bb1871e510d08dcb26973587698c0

SHA256
689029fee0a997e28afd5d2598069065a1a0eb23019c11afbbb1db3fa2267a19

SHA512
5c16a1b16a7f378bb1baf009ab8b3262f4e0d11e00d317f38d1c7d74d1485775693d71ed8dceeedce367c9873a816b066ff0c13f5c7cdec20fc2bc5309220c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\naterrtasddfghad.c.exe
Filesize
6.3MB

MD5
f8196c4cac08e11ed7fc7ca823507ca8

SHA1
c9086d09de5bb1871e510d08dcb26973587698c0

SHA256
689029fee0a997e28afd5d2598069065a1a0eb23019c11afbbb1db3fa2267a19

SHA512
5c16a1b16a7f378bb1baf009ab8b3262f4e0d11e00d317f38d1c7d74d1485775693d71ed8dceeedce367c9873a816b066ff0c13f5c7cdec20fc2bc5309220c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX2\pb1119.exe
Filesize
3.5MB

MD5
f74a7706a54a00279e68ffef489c6ebc

SHA1
8879497d1731c0f8be4fae50826f18ba574afccc

SHA256
786416354066f4f84e2c4c5b13601536237b9db7c2c3c41b671842ad317b4030

SHA512
a366b0590571a4925bc53a06377d73041a7c25d32846ef70048e51ec568182ed18355b5a265a38e1761b18fb7aa16fcb021ab6794617639ea6ab86972b59dcf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat
Filesize
557KB

MD5
48abebba7675785b5973b17b0765b88d

SHA1
780fe8bbdfa6de3bc6215bea213153e4a9b9874b

SHA256
18dfc5eb22ec12374b59d1fee26a8e67a89403e828891f2c6eff295160b12a6b

SHA512
b5b4e7ab4ea7a30039c566643b3a616f06cf055ac621aab081d4a6ef70b88ac64851e4c17b6206665e913227a4c09003c7fd8529dfdd8939fd501ae11d340a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
e2082e7d7eeb4a3d599472a33cbaca24

SHA1
add8cf241e8fa6ec1e18317a7f3972e900dd9ab7

SHA256
9e02e104e1ab52a1c33d650c34d05a641c53e8edd5471c7ee4f68f29c79d62c1

SHA512
ae880716e0a2db43797a55294e101ad92323a0f08443c0337c4abe4d049375821b04b08744889c992b2a01396e89702585e9a3688e6c795e208e3dd594a99e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
e2082e7d7eeb4a3d599472a33cbaca24

SHA1
add8cf241e8fa6ec1e18317a7f3972e900dd9ab7

SHA256
9e02e104e1ab52a1c33d650c34d05a641c53e8edd5471c7ee4f68f29c79d62c1

SHA512
ae880716e0a2db43797a55294e101ad92323a0f08443c0337c4abe4d049375821b04b08744889c992b2a01396e89702585e9a3688e6c795e208e3dd594a99e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\r5K7Sai.cpl
Filesize
2.0MB

MD5
fd196307421e7279368cbf2ca3018ddb

SHA1
632607a2797f9c13e990c6f2b060dd49db686380

SHA256
96fd4438ba93e5134675a5263394e2fdfbd9bafcce2574127004f4c2d169b6cc

SHA512
2f00a865436639425c967e2459a0d238be1ded9890218ab73fa37a7a8d7465614140f046db5789b93137cbd8438d80889ba3404cd2b217dc13a2c7cec0b5d826

Download Submit
C:\Users\Admin\AppData\Local\Temp\r5K7Sai.cpl
Filesize
2.0MB

MD5
fd196307421e7279368cbf2ca3018ddb

SHA1
632607a2797f9c13e990c6f2b060dd49db686380

SHA256
96fd4438ba93e5134675a5263394e2fdfbd9bafcce2574127004f4c2d169b6cc

SHA512
2f00a865436639425c967e2459a0d238be1ded9890218ab73fa37a7a8d7465614140f046db5789b93137cbd8438d80889ba3404cd2b217dc13a2c7cec0b5d826

Download Submit
C:\Users\Admin\AppData\Local\Temp\r5K7Sai.cpl
Filesize
2.0MB

MD5
fd196307421e7279368cbf2ca3018ddb

SHA1
632607a2797f9c13e990c6f2b060dd49db686380

SHA256
96fd4438ba93e5134675a5263394e2fdfbd9bafcce2574127004f4c2d169b6cc

SHA512
2f00a865436639425c967e2459a0d238be1ded9890218ab73fa37a7a8d7465614140f046db5789b93137cbd8438d80889ba3404cd2b217dc13a2c7cec0b5d826

Download Submit
C:\Users\Admin\AppData\Local\Temp\r5K7Sai.cpl
Filesize
2.0MB

MD5
fd196307421e7279368cbf2ca3018ddb

SHA1
632607a2797f9c13e990c6f2b060dd49db686380

SHA256
96fd4438ba93e5134675a5263394e2fdfbd9bafcce2574127004f4c2d169b6cc

SHA512
2f00a865436639425c967e2459a0d238be1ded9890218ab73fa37a7a8d7465614140f046db5789b93137cbd8438d80889ba3404cd2b217dc13a2c7cec0b5d826

Download Submit
\??\pipe\crashpad_4192_PUENMJETQAXGBITT
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/840-274-0x0000000000000000-mapping.dmp

Download
memory/864-264-0x0000000000000000-mapping.dmp

Download
memory/892-162-0x0000000000000000-mapping.dmp

Download
memory/1260-149-0x0000000000000000-mapping.dmp

Download
memory/1268-263-0x0000000000000000-mapping.dmp

Download
memory/1316-254-0x0000000000000000-mapping.dmp

Download
memory/1492-212-0x0000000005180000-0x00000000051BC000-memory.dmp

Filesize
240KB

Download
memory/1492-219-0x0000000006240000-0x00000000067E4000-memory.dmp

Filesize
5.6MB

Download
memory/1492-240-0x0000000006B40000-0x0000000006BB6000-memory.dmp

Filesize
472KB

Download
memory/1492-239-0x0000000007A70000-0x0000000007F9C000-memory.dmp

Filesize
5.2MB

Download
memory/1492-238-0x0000000007370000-0x0000000007532000-memory.dmp

Filesize
1.8MB

Download
memory/1492-218-0x00000000054D0000-0x0000000005562000-memory.dmp

Filesize
584KB

Download
memory/1492-207-0x00000000051F0000-0x00000000052FA000-memory.dmp

Filesize
1.0MB

Download
memory/1492-241-0x0000000006BC0000-0x0000000006C10000-memory.dmp

Filesize
320KB

Download
memory/1492-197-0x0000000000000000-mapping.dmp

Download
memory/1492-198-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1492-200-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1492-206-0x0000000005670000-0x0000000005C88000-memory.dmp

Filesize
6.1MB

Download
memory/1492-209-0x0000000005120000-0x0000000005132000-memory.dmp

Filesize
72KB

Download
memory/1492-220-0x0000000005570000-0x00000000055D6000-memory.dmp

Filesize
408KB

Download
memory/1516-146-0x0000000000000000-mapping.dmp

Download
memory/1800-276-0x0000000000000000-mapping.dmp

Download
memory/2000-163-0x0000000000000000-mapping.dmp

Download
memory/2364-216-0x0000000000000000-mapping.dmp

Download
memory/2540-137-0x0000000000000000-mapping.dmp

Download
memory/2568-164-0x0000000002D40000-0x0000000002EDC000-memory.dmp

Filesize
1.6MB

Download
memory/2568-150-0x0000000000000000-mapping.dmp

Download
memory/2580-258-0x0000000140000000-0x000000014060C000-memory.dmp

Filesize
6.0MB

Download
memory/2580-255-0x0000000000000000-mapping.dmp

Download
memory/2680-268-0x0000000000000000-mapping.dmp

Download
memory/2720-251-0x0000000000000000-mapping.dmp

Download
memory/3096-250-0x0000000000000000-mapping.dmp

Download
memory/3280-181-0x0000000000000000-mapping.dmp

Download
memory/3524-169-0x0000000000840000-0x000000000086E000-memory.dmp

Filesize
184KB

Download
memory/3524-170-0x00007FF8CFE50000-0x00007FF8D0911000-memory.dmp

Filesize
10.8MB

Download
memory/3524-166-0x0000000000000000-mapping.dmp

Download
memory/3524-186-0x00007FF8CFE50000-0x00007FF8D0911000-memory.dmp

Filesize
10.8MB

Download
memory/3740-266-0x0000000000000000-mapping.dmp

Download
memory/3880-201-0x00000000029CE000-0x0000000002B23000-memory.dmp

Filesize
1.3MB

Download
memory/3880-196-0x000000000CBB0000-0x000000000CD10000-memory.dmp

Filesize
1.4MB

Download
memory/3880-187-0x0000000000000000-mapping.dmp

Download
memory/3880-270-0x0000000000000000-mapping.dmp

Download
memory/3880-192-0x000000000CBB0000-0x000000000CD10000-memory.dmp

Filesize
1.4MB

Download
memory/3880-193-0x00000000029CE000-0x0000000002B23000-memory.dmp

Filesize
1.3MB

Download
memory/3880-190-0x00000000022FF000-0x00000000029BA000-memory.dmp

Filesize
6.7MB

Download
memory/3884-194-0x0000000002CF0000-0x0000000002DF9000-memory.dmp

Filesize
1.0MB

Download
memory/3884-195-0x0000000002F10000-0x0000000003015000-memory.dmp

Filesize
1.0MB

Download
memory/3884-185-0x00000000028E0000-0x0000000002AD8000-memory.dmp

Filesize
2.0MB

Download
memory/3884-182-0x0000000000000000-mapping.dmp

Download
memory/3884-205-0x0000000003020000-0x00000000030DF000-memory.dmp

Filesize
764KB

Download
memory/3884-208-0x00000000030E0000-0x000000000318A000-memory.dmp

Filesize
680KB

Download
memory/3884-213-0x0000000002F10000-0x0000000003015000-memory.dmp

Filesize
1.0MB

Download
memory/3888-257-0x0000000000000000-mapping.dmp

Download
memory/3924-172-0x0000000000000000-mapping.dmp

Download
memory/3984-278-0x0000000000000000-mapping.dmp

Download
memory/4040-217-0x0000000000000000-mapping.dmp

Download
memory/4120-140-0x0000000000000000-mapping.dmp

Download
memory/4248-142-0x0000000000000000-mapping.dmp

Download
memory/4324-134-0x0000000000000000-mapping.dmp

Download
memory/4424-132-0x0000000000000000-mapping.dmp

Download
memory/4460-247-0x0000000000704000-0x000000000072B000-memory.dmp

Filesize
156KB

Download
memory/4460-248-0x00000000005B0000-0x00000000005F1000-memory.dmp

Filesize
260KB

Download
memory/4460-249-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4460-244-0x0000000000000000-mapping.dmp

Download
memory/4460-253-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4460-252-0x0000000000704000-0x000000000072B000-memory.dmp

Filesize
156KB

Download
memory/4512-237-0x0000000000400000-0x0000000000DE2000-memory.dmp

Filesize
9.9MB

Download
memory/4512-242-0x0000000000400000-0x0000000000DE2000-memory.dmp

Filesize
9.9MB

Download
memory/4512-235-0x0000000000400000-0x0000000000DE2000-memory.dmp

Filesize
9.9MB

Download
memory/4512-221-0x0000000000000000-mapping.dmp

Download
memory/4512-272-0x0000000000000000-mapping.dmp

Download
memory/4512-243-0x0000000000400000-0x0000000000DE2000-memory.dmp

Filesize
9.9MB

Download
memory/4512-155-0x0000000000000000-mapping.dmp

Download
memory/4760-159-0x0000000002680000-0x0000000002878000-memory.dmp

Filesize
2.0MB

Download
memory/4760-154-0x0000000000000000-mapping.dmp

Download
memory/4760-177-0x0000000002E50000-0x0000000002F0F000-memory.dmp

Filesize
764KB

Download
memory/4760-191-0x0000000002D40000-0x0000000002E45000-memory.dmp

Filesize
1.0MB

Download
memory/4760-178-0x0000000002F10000-0x0000000002FBA000-memory.dmp

Filesize
680KB

Download
memory/4760-175-0x0000000002B20000-0x0000000002C29000-memory.dmp

Filesize
1.0MB

Download
memory/4760-176-0x0000000002D40000-0x0000000002E45000-memory.dmp

Filesize
1.0MB

Download
memory/4956-202-0x0000000000000000-mapping.dmp

Download
memory/5244-279-0x0000000000000000-mapping.dmp

Download
memory/5300-280-0x0000000000000000-mapping.dmp

Download
memory/5508-281-0x0000000000000000-mapping.dmp

Download