ffdroider | 2fcbef2bf5b78f4e5205397a80b7f393762d78331166930b682dde2da4a16858

Analysis

max time kernel
152s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
22-10-2022 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

521KB
MD5

5fe1f92b221d98a8504139a2792265f8
SHA1

5faf25f3ee80a45b85f4d1fb971ab9cfd1ff174d
SHA256

2fcbef2bf5b78f4e5205397a80b7f393762d78331166930b682dde2da4a16858
SHA512

b40a7cb1cfd119883e3ae5126b50a73641f184daa49eddc620728a1a2c8e4b5c2e6154bad5a0b6faf053c8049144208ffe4e209611df94e995489b9257ff362d
SSDEEP

12288:kQi3ceLI4OjuBxPnk6tnq6m6URA3Phmyawo+sdsikeEDmBlyZC3:kQiF7nphh/8+sdkvmOQ3

Score

10^/10

ffdroider nymaim smokeloader socelars backdoor evasion persistence spyware stealer trojan vmprotect

Malware Config

Extracted

Family

socelars

https://hdbywe.s3.us-west-2.amazonaws.com/sadew1013/

Extracted

Family

nymaim

45.139.105.171

85.31.46.167

Signatures

Detects Smokeloader packer 4 IoCs

resource	yara_rule
behavioral2/memory/5884-213-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral2/memory/4880-214-0x00000000001F0000-0x00000000001F9000-memory.dmp	family_smokeloader
behavioral2/memory/5884-217-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader
behavioral2/memory/5884-227-0x0000000000400000-0x0000000000409000-memory.dmp	family_smokeloader

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider
NyMaim
NyMaim is a malware with various capabilities written in C++ and first seen in 2013.
trojan nymaim

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5312	4544	rundll32.exe	73

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000200000001e78d-174.dat	family_socelars
behavioral2/files/0x000200000001e78d-173.dat	family_socelars

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	PowerOff.exe

Executes dropped EXE 12 IoCs

pid	Process
4964	file.tmp
4804	PowerOff.exe
4664	Copuxusuqo.exe
228	Copuxusuqo.exe
5748	GcleanerEU.exe
5844	gcleaner.exe
6028	random.exe
6136	mp3studios_10.exe
5112	pb1117.exe
3600	random.exe
4880	toolspab3.exe
5884	toolspab3.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x000200000001e790-179.dat	vmprotect
behavioral2/files/0x000200000001e790-178.dat	vmprotect
behavioral2/memory/5112-183-0x0000000140000000-0x0000000140617000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	random.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	gcleaner.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	GcleanerEU.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	PowerOff.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	Copuxusuqo.exe

Loads dropped DLL 2 IoCs

pid	Process
4964	file.tmp
5376	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Common Files\\Copuxusuqo.exe\""	PowerOff.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4880 set thread context of 5884	4880	toolspab3.exe	146

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js	mp3studios_10.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js	mp3studios_10.exe
File opened for modification	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	mp3studios_10.exe
File created	C:\Program Files\Common Files\UWJZBHEITY\poweroff.exe	PowerOff.exe
File created	C:\Program Files (x86)\Common Files\Copuxusuqo.exe	PowerOff.exe
File created	C:\Program Files (x86)\Common Files\Copuxusuqo.exe.config	PowerOff.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png	mp3studios_10.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js	mp3studios_10.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html	mp3studios_10.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js	mp3studios_10.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\f4510e06-b322-41ff-abd3-34016893cd3b.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221022201242.pma	setup.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js	mp3studios_10.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js	mp3studios_10.exe
File created	C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json	mp3studios_10.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 19 IoCs

pid	pid_target	Process	procid_target
2616	5844	WerFault.exe	100
3200	5748	WerFault.exe	96
3808	5844	WerFault.exe	100
4196	5748	WerFault.exe	96
5332	5844	WerFault.exe	100
5528	5748	WerFault.exe	96
5628	5376	WerFault.exe	139
2100	5748	WerFault.exe	96
4576	5844	WerFault.exe	100
4464	5748	WerFault.exe	96
4064	5844	WerFault.exe	100
4224	5748	WerFault.exe	96
4556	5844	WerFault.exe	100
5536	5748	WerFault.exe	96
4716	5844	WerFault.exe	100
5976	5748	WerFault.exe	96
5996	5844	WerFault.exe	100
1064	5844	WerFault.exe	100
5220	5748	WerFault.exe	96

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspab3.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
3988	taskkill.exe
4060	taskkill.exe
4388	taskkill.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	87	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe
4664	Copuxusuqo.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
5884	toolspab3.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
5760	msedge.exe
5760	msedge.exe
5760	msedge.exe
5760	msedge.exe
5760	msedge.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4804	PowerOff.exe
Token: SeDebugPrivilege	228	Copuxusuqo.exe
Token: SeDebugPrivilege	4664	Copuxusuqo.exe
Token: SeCreateTokenPrivilege	6136	mp3studios_10.exe
Token: SeAssignPrimaryTokenPrivilege	6136	mp3studios_10.exe
Token: SeLockMemoryPrivilege	6136	mp3studios_10.exe
Token: SeIncreaseQuotaPrivilege	6136	mp3studios_10.exe
Token: SeMachineAccountPrivilege	6136	mp3studios_10.exe
Token: SeTcbPrivilege	6136	mp3studios_10.exe
Token: SeSecurityPrivilege	6136	mp3studios_10.exe
Token: SeTakeOwnershipPrivilege	6136	mp3studios_10.exe
Token: SeLoadDriverPrivilege	6136	mp3studios_10.exe
Token: SeSystemProfilePrivilege	6136	mp3studios_10.exe
Token: SeSystemtimePrivilege	6136	mp3studios_10.exe
Token: SeProfSingleProcessPrivilege	6136	mp3studios_10.exe
Token: SeIncBasePriorityPrivilege	6136	mp3studios_10.exe
Token: SeCreatePagefilePrivilege	6136	mp3studios_10.exe
Token: SeCreatePermanentPrivilege	6136	mp3studios_10.exe
Token: SeBackupPrivilege	6136	mp3studios_10.exe
Token: SeRestorePrivilege	6136	mp3studios_10.exe
Token: SeShutdownPrivilege	6136	mp3studios_10.exe
Token: SeDebugPrivilege	6136	mp3studios_10.exe
Token: SeAuditPrivilege	6136	mp3studios_10.exe
Token: SeSystemEnvironmentPrivilege	6136	mp3studios_10.exe
Token: SeChangeNotifyPrivilege	6136	mp3studios_10.exe
Token: SeRemoteShutdownPrivilege	6136	mp3studios_10.exe
Token: SeUndockPrivilege	6136	mp3studios_10.exe
Token: SeSyncAgentPrivilege	6136	mp3studios_10.exe
Token: SeEnableDelegationPrivilege	6136	mp3studios_10.exe
Token: SeManageVolumePrivilege	6136	mp3studios_10.exe
Token: SeImpersonatePrivilege	6136	mp3studios_10.exe
Token: SeCreateGlobalPrivilege	6136	mp3studios_10.exe
Token: 31	6136	mp3studios_10.exe
Token: 32	6136	mp3studios_10.exe
Token: 33	6136	mp3studios_10.exe
Token: 34	6136	mp3studios_10.exe
Token: 35	6136	mp3studios_10.exe
Token: SeDebugPrivilege	4060	taskkill.exe
Token: SeShutdownPrivilege	2228	Process not Found
Token: SeCreatePagefilePrivilege	2228	Process not Found
Token: SeShutdownPrivilege	2228	Process not Found
Token: SeCreatePagefilePrivilege	2228	Process not Found
Token: SeShutdownPrivilege	2228	Process not Found
Token: SeCreatePagefilePrivilege	2228	Process not Found
Token: SeShutdownPrivilege	2228	Process not Found
Token: SeCreatePagefilePrivilege	2228	Process not Found
Token: SeShutdownPrivilege	2228	Process not Found
Token: SeCreatePagefilePrivilege	2228	Process not Found
Token: SeShutdownPrivilege	2228	Process not Found
Token: SeCreatePagefilePrivilege	2228	Process not Found
Token: SeShutdownPrivilege	2228	Process not Found
Token: SeCreatePagefilePrivilege	2228	Process not Found
Token: SeShutdownPrivilege	2228	Process not Found
Token: SeCreatePagefilePrivilege	2228	Process not Found
Token: SeDebugPrivilege	4388	taskkill.exe
Token: SeDebugPrivilege	3988	taskkill.exe
Token: SeShutdownPrivilege	2228	Process not Found
Token: SeCreatePagefilePrivilege	2228	Process not Found
Token: SeShutdownPrivilege	2228	Process not Found
Token: SeCreatePagefilePrivilege	2228	Process not Found
Token: SeShutdownPrivilege	2228	Process not Found
Token: SeCreatePagefilePrivilege	2228	Process not Found
Token: SeShutdownPrivilege	2228	Process not Found
Token: SeCreatePagefilePrivilege	2228	Process not Found

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
5760	msedge.exe
5760	msedge.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
2228	Process not Found
2228	Process not Found
2228	Process not Found
2228	Process not Found
2228	Process not Found

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe
5652	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2228	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3184 wrote to memory of 4964	3184	file.exe	82
PID 3184 wrote to memory of 4964	3184	file.exe	82
PID 3184 wrote to memory of 4964	3184	file.exe	82
PID 4964 wrote to memory of 4804	4964	file.tmp	83
PID 4964 wrote to memory of 4804	4964	file.tmp	83
PID 4804 wrote to memory of 4664	4804	PowerOff.exe	86
PID 4804 wrote to memory of 4664	4804	PowerOff.exe	86
PID 4804 wrote to memory of 228	4804	PowerOff.exe	87
PID 4804 wrote to memory of 228	4804	PowerOff.exe	87
PID 4664 wrote to memory of 2428	4664	Copuxusuqo.exe	94
PID 4664 wrote to memory of 2428	4664	Copuxusuqo.exe	94
PID 2428 wrote to memory of 5748	2428	cmd.exe	96
PID 2428 wrote to memory of 5748	2428	cmd.exe	96
PID 2428 wrote to memory of 5748	2428	cmd.exe	96
PID 4664 wrote to memory of 5784	4664	Copuxusuqo.exe	98
PID 4664 wrote to memory of 5784	4664	Copuxusuqo.exe	98
PID 228 wrote to memory of 5760	228	Copuxusuqo.exe	97
PID 228 wrote to memory of 5760	228	Copuxusuqo.exe	97
PID 5784 wrote to memory of 5844	5784	cmd.exe	100
PID 5784 wrote to memory of 5844	5784	cmd.exe	100
PID 5784 wrote to memory of 5844	5784	cmd.exe	100
PID 4664 wrote to memory of 5876	4664	Copuxusuqo.exe	101
PID 4664 wrote to memory of 5876	4664	Copuxusuqo.exe	101
PID 5760 wrote to memory of 5924	5760	msedge.exe	103
PID 5760 wrote to memory of 5924	5760	msedge.exe	103
PID 4664 wrote to memory of 5980	4664	Copuxusuqo.exe	104
PID 4664 wrote to memory of 5980	4664	Copuxusuqo.exe	104
PID 5876 wrote to memory of 6028	5876	cmd.exe	106
PID 5876 wrote to memory of 6028	5876	cmd.exe	106
PID 5876 wrote to memory of 6028	5876	cmd.exe	106
PID 4664 wrote to memory of 6060	4664	Copuxusuqo.exe	107
PID 4664 wrote to memory of 6060	4664	Copuxusuqo.exe	107
PID 5980 wrote to memory of 6136	5980	cmd.exe	109
PID 5980 wrote to memory of 6136	5980	cmd.exe	109
PID 5980 wrote to memory of 6136	5980	cmd.exe	109
PID 6060 wrote to memory of 5112	6060	cmd.exe	114
PID 6060 wrote to memory of 5112	6060	cmd.exe	114
PID 4664 wrote to memory of 388	4664	Copuxusuqo.exe	115
PID 4664 wrote to memory of 388	4664	Copuxusuqo.exe	115
PID 6028 wrote to memory of 3600	6028	random.exe	117
PID 6028 wrote to memory of 3600	6028	random.exe	117
PID 6028 wrote to memory of 3600	6028	random.exe	117
PID 388 wrote to memory of 4880	388	cmd.exe	121
PID 388 wrote to memory of 4880	388	cmd.exe	121
PID 388 wrote to memory of 4880	388	cmd.exe	121
PID 6136 wrote to memory of 4716	6136	mp3studios_10.exe	122
PID 6136 wrote to memory of 4716	6136	mp3studios_10.exe	122
PID 6136 wrote to memory of 4716	6136	mp3studios_10.exe	122
PID 5760 wrote to memory of 3932	5760	msedge.exe	124
PID 5760 wrote to memory of 3932	5760	msedge.exe	124
PID 5760 wrote to memory of 3932	5760	msedge.exe	124
PID 5760 wrote to memory of 3932	5760	msedge.exe	124
PID 5760 wrote to memory of 3932	5760	msedge.exe	124
PID 5760 wrote to memory of 3932	5760	msedge.exe	124
PID 5760 wrote to memory of 3932	5760	msedge.exe	124
PID 5760 wrote to memory of 3932	5760	msedge.exe	124
PID 5760 wrote to memory of 3932	5760	msedge.exe	124
PID 5760 wrote to memory of 3932	5760	msedge.exe	124
PID 5760 wrote to memory of 3932	5760	msedge.exe	124
PID 5760 wrote to memory of 3932	5760	msedge.exe	124
PID 5760 wrote to memory of 3932	5760	msedge.exe	124
PID 5760 wrote to memory of 3932	5760	msedge.exe	124
PID 5760 wrote to memory of 3932	5760	msedge.exe	124
PID 5760 wrote to memory of 3932	5760	msedge.exe	124

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3184
- C:\Users\Admin\AppData\Local\Temp\is-1NFAQ.tmp\file.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-1NFAQ.tmp\file.tmp" /SL5="$B0070,254182,170496,C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Users\Admin\AppData\Local\Temp\is-L2RG2.tmp\PowerOff.exe
    "C:\Users\Admin\AppData\Local\Temp\is-L2RG2.tmp\PowerOff.exe" /S /UID=95
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4804
  - - C:\Users\Admin\AppData\Local\Temp\98-ac243-77e-f5ca1-d01c491b9d9ed\Copuxusuqo.exe
      "C:\Users\Admin\AppData\Local\Temp\98-ac243-77e-f5ca1-d01c491b9d9ed\Copuxusuqo.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4664
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lqb4dnxy.jyq\GcleanerEU.exe /eufive & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2428
      - C:\Users\Admin\AppData\Local\Temp\lqb4dnxy.jyq\GcleanerEU.exe
        
        C:\Users\Admin\AppData\Local\Temp\lqb4dnxy.jyq\GcleanerEU.exe /eufive
        6⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:5748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5748 -s 452
        7⤵
        Program crash
        
        PID:3200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5748 -s 764
        7⤵
        Program crash
        
        PID:4196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5748 -s 804
        7⤵
        Program crash
        
        PID:5528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5748 -s 824
        7⤵
        Program crash
        
        PID:2100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5748 -s 884
        7⤵
        Program crash
        
        PID:4464
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5748 -s 868
        7⤵
        Program crash
        
        PID:4224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5748 -s 792
        7⤵
        Program crash
        
        PID:5536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5748 -s 1308
        7⤵
        Program crash
        
        PID:5976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "GcleanerEU.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\lqb4dnxy.jyq\GcleanerEU.exe" & exit
        7⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "GcleanerEU.exe" /f
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5748 -s 508
        7⤵
        Program crash
        
        PID:5220
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\z0mvohg4.off\gcleaner.exe /mixfive & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5784
      - C:\Users\Admin\AppData\Local\Temp\z0mvohg4.off\gcleaner.exe
        
        C:\Users\Admin\AppData\Local\Temp\z0mvohg4.off\gcleaner.exe /mixfive
        6⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:5844
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5844 -s 452
        7⤵
        Program crash
        
        PID:2616
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5844 -s 628
        7⤵
        Program crash
        
        PID:3808
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5844 -s 772
        7⤵
        Program crash
        
        PID:5332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5844 -s 812
        7⤵
        Program crash
        
        PID:4576
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5844 -s 628
        7⤵
        Program crash
        
        PID:4064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5844 -s 984
        7⤵
        Program crash
        
        PID:4556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5844 -s 1016
        7⤵
        Program crash
        
        PID:4716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5844 -s 1360
        7⤵
        Program crash
        
        PID:5996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\z0mvohg4.off\gcleaner.exe" & exit
        7⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "gcleaner.exe" /f
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5844 -s 1348
        7⤵
        Program crash
        
        PID:1064
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\efokgqb3.mjr\random.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5876
      - C:\Users\Admin\AppData\Local\Temp\efokgqb3.mjr\random.exe
        
        C:\Users\Admin\AppData\Local\Temp\efokgqb3.mjr\random.exe
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:6028
        
        C:\Users\Admin\AppData\Local\Temp\efokgqb3.mjr\random.exe
        
        "C:\Users\Admin\AppData\Local\Temp\efokgqb3.mjr\random.exe" -q
        7⤵
        Executes dropped EXE
        
        PID:3600
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\odrqs3bf.tw4\mp3studios_10.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5980
      - C:\Users\Admin\AppData\Local\Temp\odrqs3bf.tw4\mp3studios_10.exe
        
        C:\Users\Admin\AppData\Local\Temp\odrqs3bf.tw4\mp3studios_10.exe
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:6136
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        7⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4060
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        7⤵
        Enumerates system info in registry
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5652
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd0cf04f50,0x7ffd0cf04f60,0x7ffd0cf04f70
        8⤵
        
        PID:3124
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1632,13976553507116203603,7940144654202040797,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1700 /prefetch:2
        8⤵
        
        PID:2912
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1632,13976553507116203603,7940144654202040797,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1996 /prefetch:8
        8⤵
        
        PID:4344
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1632,13976553507116203603,7940144654202040797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2412 /prefetch:8
        8⤵
        
        PID:5400
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,13976553507116203603,7940144654202040797,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2984 /prefetch:1
        8⤵
        
        PID:5428
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,13976553507116203603,7940144654202040797,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3108 /prefetch:1
        8⤵
        
        PID:5472
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,13976553507116203603,7940144654202040797,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
        8⤵
        
        PID:4784
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,13976553507116203603,7940144654202040797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3756 /prefetch:8
        8⤵
        
        PID:5216
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,13976553507116203603,7940144654202040797,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4492 /prefetch:1
        8⤵
        
        PID:2100
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,13976553507116203603,7940144654202040797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4716 /prefetch:8
        8⤵
        
        PID:4388
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,13976553507116203603,7940144654202040797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4824 /prefetch:8
        8⤵
        
        PID:3988
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,13976553507116203603,7940144654202040797,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4684 /prefetch:8
        8⤵
        
        PID:1092
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,13976553507116203603,7940144654202040797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5588 /prefetch:8
        8⤵
        
        PID:3488
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,13976553507116203603,7940144654202040797,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 /prefetch:8
        8⤵
        
        PID:1244
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,13976553507116203603,7940144654202040797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5616 /prefetch:8
        8⤵
        
        PID:4740
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1632,13976553507116203603,7940144654202040797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4784 /prefetch:8
        8⤵
        
        PID:5624
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1632,13976553507116203603,7940144654202040797,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5116 /prefetch:8
        8⤵
        
        PID:4240
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1632,13976553507116203603,7940144654202040797,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3468 /prefetch:8
        8⤵
        
        PID:4816
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1632,13976553507116203603,7940144654202040797,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
        8⤵
        
        PID:4552
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2gok0nhb.sid\pb1117.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:6060
      - C:\Users\Admin\AppData\Local\Temp\2gok0nhb.sid\pb1117.exe
        
        C:\Users\Admin\AppData\Local\Temp\2gok0nhb.sid\pb1117.exe
        6⤵
        Executes dropped EXE
        
        PID:5112
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\1jb4taoz.jif\toolspab3.exe & exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:388
      - C:\Users\Admin\AppData\Local\Temp\1jb4taoz.jif\toolspab3.exe
        
        C:\Users\Admin\AppData\Local\Temp\1jb4taoz.jif\toolspab3.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\1jb4taoz.jif\toolspab3.exe
        
        C:\Users\Admin\AppData\Local\Temp\1jb4taoz.jif\toolspab3.exe
        7⤵
        Executes dropped EXE
        Checks SCSI registry key(s)
        Suspicious behavior: MapViewOfSection
        
        PID:5884
  - - C:\Users\Admin\AppData\Local\Temp\06-b9d73-9d6-1a1bc-fe197aecd19a9\Copuxusuqo.exe
      "C:\Users\Admin\AppData\Local\Temp\06-b9d73-9d6-1a1bc-fe197aecd19a9\Copuxusuqo.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:228
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
        5⤵
        Adds Run key to start application
        Enumerates system info in registry
        Modifies registry class
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:5760
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffd0df046f8,0x7ffd0df04708,0x7ffd0df04718
        6⤵
        
        PID:5924
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,1980735469675288035,14486185721931483006,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
        6⤵
        
        PID:3932
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,1980735469675288035,14486185721931483006,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
        6⤵
        
        PID:3388
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,1980735469675288035,14486185721931483006,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
        6⤵
        
        PID:5004
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1980735469675288035,14486185721931483006,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
        6⤵
        
        PID:5256
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1980735469675288035,14486185721931483006,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
        6⤵
        
        PID:5288
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2172,1980735469675288035,14486185721931483006,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5452 /prefetch:8
        6⤵
        
        PID:5672
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1980735469675288035,14486185721931483006,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
        6⤵
        
        PID:1140
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1980735469675288035,14486185721931483006,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
        6⤵
        
        PID:5100
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2172,1980735469675288035,14486185721931483006,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5780 /prefetch:8
        6⤵
        
        PID:3160
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1980735469675288035,14486185721931483006,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
        6⤵
        
        PID:1804
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,1980735469675288035,14486185721931483006,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6460 /prefetch:8
        6⤵
        
        PID:2312
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
        6⤵
        Drops file in Program Files directory
        
        PID:5124
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff72bc15460,0x7ff72bc15470,0x7ff72bc15480
        7⤵
        
        PID:5844
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,1980735469675288035,14486185721931483006,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6460 /prefetch:8
        6⤵
        
        PID:5612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5748 -ip 5748
1⤵
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5844 -ip 5844
1⤵
PID:2640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5844 -ip 5844
1⤵
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5748 -ip 5748
1⤵
PID:4292

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5844 -ip 5844
1⤵
PID:5224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5748 -ip 5748
1⤵
PID:5320

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Loads dropped DLL
PID:5376
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 604
  2⤵
  - Program crash
  PID:5628

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:5312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5376 -ip 5376
1⤵
PID:5596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5748 -ip 5748
1⤵
PID:6040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5844 -ip 5844
1⤵
PID:6092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5748 -ip 5748
1⤵
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5844 -ip 5844
1⤵
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5748 -ip 5748
1⤵
PID:4292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5844 -ip 5844
1⤵
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5748 -ip 5748
1⤵
PID:5324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5844 -ip 5844
1⤵
PID:5588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5748 -ip 5748
1⤵
PID:5244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5844 -ip 5844
1⤵
PID:5352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5844 -ip 5844
1⤵
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5748 -ip 5748
1⤵
PID:2992

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html

Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png

Filesize
6KB

MD5
c8d8c174df68910527edabe6b5278f06

SHA1
8ac53b3605fea693b59027b9b471202d150f266f

SHA256
9434dd7008059a60d6d5ced8c8a63ab5cae407e7152da98ca4dda408510f08f5

SHA512
d439e5124399d1901934319535b7156c0ca8d76b5aa4ddf1dd0b598d43582f6d23c16f96be74d3cd5fe764396da55ca51811d08695f356f12f7a8a71bcc7e45c

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js

Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js

Filesize
20KB

MD5
0036afd7be6fe35f72a3bad6dadd5ee3

SHA1
9f783c5450afed157db609e50fcbc572e9701972

SHA256
8d85cb8ba1a69d37b1ce550c6106d2b5105894878618e2a333f25ece55a07439

SHA512
5af8dbf9ceffa9fda6b996a97a8cba923847f35b43d2ce17fc9dd2ed634a02064887904a1f825e703f92c6deef6ea9106bef68881e34c447451acbfca27d7032

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js

Filesize
3KB

MD5
f79618c53614380c5fdc545699afe890

SHA1
7804a4621cd9405b6def471f3ebedb07fb17e90a

SHA256
f3f30c5c271f80b0a3a329b11d8e72eb404d0c0dc9c66fa162ca97ccaa1e963c

SHA512
c4e0c4df6ac92351591859a7c4358b3dcd342e00051bf561e68e3fcc2c94fdd8d14bd0a042d88dca33f6c7e952938786378d804f56e84b4eab99e2a5fee96a4c

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js

Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js

Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js

Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json

Filesize
1KB

MD5
6da6b303170ccfdca9d9e75abbfb59f3

SHA1
1a8070080f50a303f73eba253ba49c1e6d400df6

SHA256
66f5620e3bfe4692b14f62baad60e3269327327565ff8b2438e98ce8ed021333

SHA512
872957b63e8a0d10791877e5d204022c08c8e8101807d7ebe6fd537d812ad09e14d8555ccf53dc00525a22c02773aa45b8fa643c05247fb0ce6012382855a89a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
5647c979bf4c50b7efe792ca14e4aeba

SHA1
1542c3800eac76e60540ce83078846f09695467b

SHA256
fac01e930c4303c6103ab32a895718994710353d74d7e641b8b9f3f4496318aa

SHA512
e2bbf3f57a6c913ef3ece00d48f68b91191ded580ef0daf220756521bf4cd5e67362b276b77cc3e9a1612ac057d918c6c684c028b07921b2da02b371273407d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
e53b74bd9c08032a42f6d5470c931c26

SHA1
be56bcde5a9827bf42e9c06a5901d1b65261db69

SHA256
eaf58d0e77a8f4bed10e033c973864759caf0318b6516847091c11729bf1cc5a

SHA512
b9704349c1f66e7269aba0a39a2d9253bd68c4d875160f7c3824723aef1067fd205280d071756dc5c2ba30fa11962d01582e2d2407f30e3b8369a443b4eb8d56

Download Submit
C:\Users\Admin\AppData\Local\Temp\06-b9d73-9d6-1a1bc-fe197aecd19a9\Copuxusuqo.exe

Filesize
315KB

MD5
a1539d5a565503b26710d24a173eb641

SHA1
4982821c94b1c32d56d2395c4ef53a8fee852e25

SHA256
7332f18f1e9b01188e8a64feeb3cfec5013256048efa38d3c7b8173e9f466748

SHA512
d0bc439dcc68943fb3a7a3521e298035f66dd55ca34da86280a6f20d35007d2766ef1c892af5c0763e07dbd4032b4106d7928a9e3d9528cfd9aadab60e744878

Download Submit
C:\Users\Admin\AppData\Local\Temp\06-b9d73-9d6-1a1bc-fe197aecd19a9\Copuxusuqo.exe

Filesize
315KB

MD5
a1539d5a565503b26710d24a173eb641

SHA1
4982821c94b1c32d56d2395c4ef53a8fee852e25

SHA256
7332f18f1e9b01188e8a64feeb3cfec5013256048efa38d3c7b8173e9f466748

SHA512
d0bc439dcc68943fb3a7a3521e298035f66dd55ca34da86280a6f20d35007d2766ef1c892af5c0763e07dbd4032b4106d7928a9e3d9528cfd9aadab60e744878

Download Submit
C:\Users\Admin\AppData\Local\Temp\06-b9d73-9d6-1a1bc-fe197aecd19a9\Copuxusuqo.exe.config

Filesize
1KB

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\1jb4taoz.jif\toolspab3.exe

Filesize
224KB

MD5
94aff6f696a630cdbee6ac586081ec41

SHA1
3c94db854ea9e5ae323989e95761d0ccaf763dc1

SHA256
d2d14961ece146ef21842ecf21664e2eed5f5f3eda19b18882a6e145d836636a

SHA512
5ad51374e4c79d17140558c46dde3b1116e60765d3d8158d7f8a735f6672229532251b3757e1e4e38f9e96e838c94fa8027111a15c061d4cb9a904c7140c1f36

Download Submit
C:\Users\Admin\AppData\Local\Temp\1jb4taoz.jif\toolspab3.exe

Filesize
224KB

MD5
94aff6f696a630cdbee6ac586081ec41

SHA1
3c94db854ea9e5ae323989e95761d0ccaf763dc1

SHA256
d2d14961ece146ef21842ecf21664e2eed5f5f3eda19b18882a6e145d836636a

SHA512
5ad51374e4c79d17140558c46dde3b1116e60765d3d8158d7f8a735f6672229532251b3757e1e4e38f9e96e838c94fa8027111a15c061d4cb9a904c7140c1f36

Download Submit
C:\Users\Admin\AppData\Local\Temp\1jb4taoz.jif\toolspab3.exe

Filesize
224KB

MD5
94aff6f696a630cdbee6ac586081ec41

SHA1
3c94db854ea9e5ae323989e95761d0ccaf763dc1

SHA256
d2d14961ece146ef21842ecf21664e2eed5f5f3eda19b18882a6e145d836636a

SHA512
5ad51374e4c79d17140558c46dde3b1116e60765d3d8158d7f8a735f6672229532251b3757e1e4e38f9e96e838c94fa8027111a15c061d4cb9a904c7140c1f36

Download Submit
C:\Users\Admin\AppData\Local\Temp\2gok0nhb.sid\pb1117.exe

Filesize
3.5MB

MD5
dc2712485f755f16c7b433cc159b6643

SHA1
f412179298a43ae14eff6e42188e852930a3effd

SHA256
ad87cd82ba357bb206397eed1726c69bd344803c72782fc277e64f7fd95ab04f

SHA512
4d7893b4689b27930b1a6006c4014988879d1c59cb3389d5a2ec399a69fd2d2ae7c51480672199e5ea626ac0bf38bed41a58d2e619698ea958715e0360282f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2gok0nhb.sid\pb1117.exe

Filesize
3.5MB

MD5
dc2712485f755f16c7b433cc159b6643

SHA1
f412179298a43ae14eff6e42188e852930a3effd

SHA256
ad87cd82ba357bb206397eed1726c69bd344803c72782fc277e64f7fd95ab04f

SHA512
4d7893b4689b27930b1a6006c4014988879d1c59cb3389d5a2ec399a69fd2d2ae7c51480672199e5ea626ac0bf38bed41a58d2e619698ea958715e0360282f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\98-ac243-77e-f5ca1-d01c491b9d9ed\Copuxusuqo.exe

Filesize
420KB

MD5
cb90d473ea62e95a2767bbe3d91c4c64

SHA1
61af0628fe380db4c09a8b34ff97a030b313800a

SHA256
512627bd32c8c842ea80f63d03fe491a1e8b9494b0083fb62c0d3ced93951223

SHA512
e56a94fa9adb28bbfe6862419d177154a98bba4f7105df9c49eb20f19cf51e8844771d925cdbb55df75740e18b5bd204e7ba0f89d4208ca0233fffbc5372bedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\98-ac243-77e-f5ca1-d01c491b9d9ed\Copuxusuqo.exe

Filesize
420KB

MD5
cb90d473ea62e95a2767bbe3d91c4c64

SHA1
61af0628fe380db4c09a8b34ff97a030b313800a

SHA256
512627bd32c8c842ea80f63d03fe491a1e8b9494b0083fb62c0d3ced93951223

SHA512
e56a94fa9adb28bbfe6862419d177154a98bba4f7105df9c49eb20f19cf51e8844771d925cdbb55df75740e18b5bd204e7ba0f89d4208ca0233fffbc5372bedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\98-ac243-77e-f5ca1-d01c491b9d9ed\Copuxusuqo.exe.config

Filesize
1KB

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\98-ac243-77e-f5ca1-d01c491b9d9ed\Kenessey.txt

Filesize
9B

MD5
97384261b8bbf966df16e5ad509922db

SHA1
2fc42d37fee2c81d767e09fb298b70c748940f86

SHA256
9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c

SHA512
b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat

Filesize
557KB

MD5
76c3dbb1e9fea62090cdf53dadcbe28e

SHA1
d44b32d04adc810c6df258be85dc6b62bd48a307

SHA256
556fd54e5595d222cfa2bd353afa66d8d4d1fbb3003afed604672fceae991860

SHA512
de4ea57497cf26237430880742f59e8d2a0ac7e7a0b09ed7be590f36fbd08c9ced0ffe46eb69ec2215a9cff55720f24fffcae752cd282250b4da6b75a30b3a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
e2082e7d7eeb4a3d599472a33cbaca24

SHA1
add8cf241e8fa6ec1e18317a7f3972e900dd9ab7

SHA256
9e02e104e1ab52a1c33d650c34d05a641c53e8edd5471c7ee4f68f29c79d62c1

SHA512
ae880716e0a2db43797a55294e101ad92323a0f08443c0337c4abe4d049375821b04b08744889c992b2a01396e89702585e9a3688e6c795e208e3dd594a99e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll

Filesize
52KB

MD5
e2082e7d7eeb4a3d599472a33cbaca24

SHA1
add8cf241e8fa6ec1e18317a7f3972e900dd9ab7

SHA256
9e02e104e1ab52a1c33d650c34d05a641c53e8edd5471c7ee4f68f29c79d62c1

SHA512
ae880716e0a2db43797a55294e101ad92323a0f08443c0337c4abe4d049375821b04b08744889c992b2a01396e89702585e9a3688e6c795e208e3dd594a99e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\efokgqb3.mjr\random.exe

Filesize
87KB

MD5
ac3635badcc667c6f1a708bc2143c658

SHA1
71025552e16053b0f25e512befa8bba390ee5d01

SHA256
7ae7a78651ac33f816e91b7b23dcd45a4b6c9024fe302fc711280ecdcc6eb2ca

SHA512
99e8036b82943d61f9e5fc8eefbd6fabb3fef3bf9be70e3b4e1d8469cc403f4b8200bd6b644225d566071843b136c2c294c5775bd811fc3e894e369005778ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\efokgqb3.mjr\random.exe

Filesize
87KB

MD5
ac3635badcc667c6f1a708bc2143c658

SHA1
71025552e16053b0f25e512befa8bba390ee5d01

SHA256
7ae7a78651ac33f816e91b7b23dcd45a4b6c9024fe302fc711280ecdcc6eb2ca

SHA512
99e8036b82943d61f9e5fc8eefbd6fabb3fef3bf9be70e3b4e1d8469cc403f4b8200bd6b644225d566071843b136c2c294c5775bd811fc3e894e369005778ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\efokgqb3.mjr\random.exe

Filesize
87KB

MD5
ac3635badcc667c6f1a708bc2143c658

SHA1
71025552e16053b0f25e512befa8bba390ee5d01

SHA256
7ae7a78651ac33f816e91b7b23dcd45a4b6c9024fe302fc711280ecdcc6eb2ca

SHA512
99e8036b82943d61f9e5fc8eefbd6fabb3fef3bf9be70e3b4e1d8469cc403f4b8200bd6b644225d566071843b136c2c294c5775bd811fc3e894e369005778ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1NFAQ.tmp\file.tmp

Filesize
805KB

MD5
bf8662a2311eb606e0549451323fa2ba

SHA1
79fbb3b94c91becb56d531806daab15cba55f31c

SHA256
4748736cfa0ff8f469c483cd864166c943d30ff9c3ba0f8cdf0b6b9378a89456

SHA512
e191a8a50e97800d3fb3cb449d01f1d06dda36d85845355f68d3038e30c3a2a7aa8d87e29f0f638ae85d2badd68eccc26a279f17fb91a38de2fa14a015ed3cc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-L2RG2.tmp\PowerOff.exe

Filesize
375KB

MD5
52fc737d89c67101f7b8dc6361d5212f

SHA1
ad328b80bb00bb23ec33baabc27aaa18060acbb0

SHA256
f25346bf7c2b71015b0f735824b733a4c043f1b3086d2a232412d069a65b777a

SHA512
a4e3441bb7901f3b555e6d28faeebe089331b240331d67878cd429b4a40451e53ab2232ee9d0b7acb7cfa4a013da0df6328f84caa6e9e34ab96669a161530c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-L2RG2.tmp\PowerOff.exe

Filesize
375KB

MD5
52fc737d89c67101f7b8dc6361d5212f

SHA1
ad328b80bb00bb23ec33baabc27aaa18060acbb0

SHA256
f25346bf7c2b71015b0f735824b733a4c043f1b3086d2a232412d069a65b777a

SHA512
a4e3441bb7901f3b555e6d28faeebe089331b240331d67878cd429b4a40451e53ab2232ee9d0b7acb7cfa4a013da0df6328f84caa6e9e34ab96669a161530c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-L2RG2.tmp\idp.dll

Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\lqb4dnxy.jyq\GcleanerEU.exe

Filesize
293KB

MD5
5f13924f972897bebc2a1e1e008aed68

SHA1
4928520719c8b4e218c145107dea0055ba7d0202

SHA256
07c8d83a5302f1c11086aa329e36914c08a711d2b8dffa631a83e93394c16e06

SHA512
0d38387d0631e3ed868c3cbe92d0d8acbf29b584561c94faef272a1a523abfbd94c027b4580f9587f41339850015fe0fdec66d898bd04e8d0bdb67fe76bfc179

Download Submit
C:\Users\Admin\AppData\Local\Temp\lqb4dnxy.jyq\GcleanerEU.exe

Filesize
293KB

MD5
5f13924f972897bebc2a1e1e008aed68

SHA1
4928520719c8b4e218c145107dea0055ba7d0202

SHA256
07c8d83a5302f1c11086aa329e36914c08a711d2b8dffa631a83e93394c16e06

SHA512
0d38387d0631e3ed868c3cbe92d0d8acbf29b584561c94faef272a1a523abfbd94c027b4580f9587f41339850015fe0fdec66d898bd04e8d0bdb67fe76bfc179

Download Submit
C:\Users\Admin\AppData\Local\Temp\odrqs3bf.tw4\mp3studios_10.exe

Filesize
1.4MB

MD5
7aa3cfb35ebe539d798ea895e917812c

SHA1
f40cb946771f40ab496718f38180e0a0a27d0fad

SHA256
424c38942afed1d3cbf630eaab78049b293e45583c94704e55695bea6c4c2ebb

SHA512
6b5c141b9e3faa77154ad6ea74dff1a6962083eae5a18bf6fc3eb13314fb2d1def469375046aa0f65a9fcb6ab85b748d44928d1c3eea48539eb119d309287ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\odrqs3bf.tw4\mp3studios_10.exe

Filesize
1.4MB

MD5
7aa3cfb35ebe539d798ea895e917812c

SHA1
f40cb946771f40ab496718f38180e0a0a27d0fad

SHA256
424c38942afed1d3cbf630eaab78049b293e45583c94704e55695bea6c4c2ebb

SHA512
6b5c141b9e3faa77154ad6ea74dff1a6962083eae5a18bf6fc3eb13314fb2d1def469375046aa0f65a9fcb6ab85b748d44928d1c3eea48539eb119d309287ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\z0mvohg4.off\gcleaner.exe

Filesize
293KB

MD5
5f13924f972897bebc2a1e1e008aed68

SHA1
4928520719c8b4e218c145107dea0055ba7d0202

SHA256
07c8d83a5302f1c11086aa329e36914c08a711d2b8dffa631a83e93394c16e06

SHA512
0d38387d0631e3ed868c3cbe92d0d8acbf29b584561c94faef272a1a523abfbd94c027b4580f9587f41339850015fe0fdec66d898bd04e8d0bdb67fe76bfc179

Download Submit
C:\Users\Admin\AppData\Local\Temp\z0mvohg4.off\gcleaner.exe

Filesize
293KB

MD5
5f13924f972897bebc2a1e1e008aed68

SHA1
4928520719c8b4e218c145107dea0055ba7d0202

SHA256
07c8d83a5302f1c11086aa329e36914c08a711d2b8dffa631a83e93394c16e06

SHA512
0d38387d0631e3ed868c3cbe92d0d8acbf29b584561c94faef272a1a523abfbd94c027b4580f9587f41339850015fe0fdec66d898bd04e8d0bdb67fe76bfc179

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk

Filesize
2KB

MD5
c11195412e5db1d6035fc1b0edacb632

SHA1
5fc5c6811e42cf38f0688711a38886ec4e19a6a4

SHA256
f01189eff15c4147070e2145dea2103a71b44a1cab8c497578343682eb973e03

SHA512
acc5c394d5933cf54d176ddb7fc2b145a6558400efa9f3b47e8a4c21e599ecf2dbc9f53b2726e03d0c03c0de62d0a93039ecc3917ced522e0bc83404cb8d82b5

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
59e14d1d3b7aa7322bba07bf3ccfc1f2

SHA1
fe8b56b0ada82fc6314ab089c655d3fe6de912d4

SHA256
2ae693161cf1b523c74d1b0971819ef0943f7199b5144de2cde36bd63b924ece

SHA512
6a0c4c940b38089da658a5b9691c2b6fb49ec9eb4c61c4b139239fceecff1e2d92a02ca1a85c7db69771ce6b0e9187b105fabe1720e21dd2800b349fb4f23304

Download Submit
\??\c:\users\admin\appdata\local\microsoft\edge\user data\default\edge profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
memory/228-153-0x00007FFD0EF60000-0x00007FFD0F996000-memory.dmp

Filesize
10.2MB

Download
memory/3184-134-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3184-132-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3184-152-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4664-154-0x00007FFD0EF60000-0x00007FFD0F996000-memory.dmp

Filesize
10.2MB

Download
memory/4804-142-0x00007FFD10110000-0x00007FFD10BD1000-memory.dmp

Filesize
10.8MB

Download
memory/4804-141-0x0000000000D60000-0x0000000000DC6000-memory.dmp

Filesize
408KB

Download
memory/4804-151-0x00007FFD10110000-0x00007FFD10BD1000-memory.dmp

Filesize
10.8MB

Download
memory/4880-212-0x0000000002F82000-0x0000000002F97000-memory.dmp

Filesize
84KB

Download
memory/4880-214-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/5112-183-0x0000000140000000-0x0000000140617000-memory.dmp

Filesize
6.1MB

Download
memory/5748-181-0x0000000000400000-0x0000000002C37000-memory.dmp

Filesize
40.2MB

Download
memory/5748-176-0x0000000002F70000-0x0000000002FB0000-memory.dmp

Filesize
256KB

Download
memory/5748-223-0x0000000000400000-0x0000000002C37000-memory.dmp

Filesize
40.2MB

Download
memory/5748-234-0x0000000000400000-0x0000000002C37000-memory.dmp

Filesize
40.2MB

Download
memory/5748-175-0x0000000002CB3000-0x0000000002CDA000-memory.dmp

Filesize
156KB

Download
memory/5844-235-0x0000000000400000-0x0000000002C37000-memory.dmp

Filesize
40.2MB

Download
memory/5844-189-0x0000000000400000-0x0000000002C37000-memory.dmp

Filesize
40.2MB

Download
memory/5844-226-0x0000000000400000-0x0000000002C37000-memory.dmp

Filesize
40.2MB

Download
memory/5844-182-0x0000000002F13000-0x0000000002F3A000-memory.dmp

Filesize
156KB

Download
memory/5884-227-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5884-217-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/5884-213-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download