ffdroider | e47bfa7b58706edeeaf73664039c10cb1ff7a517d833c0b28751b835bdc68cf7

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2023 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Trojan-PSW.Win32.Racealer.lly-e47bfa7b58706ed.exe
Size

3.3MB
MD5

2a1400529544b41c0c7e56a7b91c43f6
SHA1

d89c0480f212fa0eab35dc1c049c409e572c2f09
SHA256

e47bfa7b58706edeeaf73664039c10cb1ff7a517d833c0b28751b835bdc68cf7
SHA512

f216d3cf5cec99c7734e0461bca2ef952ae1b097fc16d5639ff60671c4fdf381c3b6a803aee48ae0d8b2956e337d24bd8a39b87e7260dc357710c60f9063f76b
SSDEEP

98304:UboDpahPxyFximnbWtg5f4e+QFz6TBQ+/nqVF:USxHnbF5rZFz6TBQEqT

Score

10^/10

ffdroider privateloader smokeloader socelars backdoor evasion loader persistence spyware stealer trojan vmprotect

Malware Config

Extracted

Family

ffdroider

http://101.36.107.74

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.wygexde.xyz/

Signatures

Detects Smokeloader packer 1 IoCs

resource	yara_rule
behavioral2/memory/3696-172-0x0000000000AB0000-0x0000000000AB9000-memory.dmp	family_smokeloader

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Info.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Info.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Info.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Info.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	Info.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Info.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Info.exe

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4600	4592	rUNdlL32.eXe	29

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023177-161.dat	family_socelars
behavioral2/files/0x0006000000023177-160.dat	family_socelars

Executes dropped EXE 9 IoCs

pid	Process
1932	Files.exe
3836	Folder.exe
2476	KRSetp.exe
4508	File.exe
3692	Info.exe
4108	jg3_3uag.exe
3696	pub2.exe
4736	Folder.exe
724	Install.exe

VMProtect packed file 5 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x0006000000023175-150.dat	vmprotect
behavioral2/memory/4108-152-0x0000000000400000-0x0000000000644000-memory.dmp	vmprotect
behavioral2/files/0x0006000000023175-149.dat	vmprotect
behavioral2/memory/4108-162-0x0000000000400000-0x0000000000644000-memory.dmp	vmprotect
behavioral2/memory/4108-377-0x0000000000400000-0x0000000000644000-memory.dmp	vmprotect

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	Trojan-PSW.Win32.Racealer.lly-e47bfa7b58706ed.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	Files.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	Folder.exe

Loads dropped DLL 2 IoCs

pid	Process
3432	rundll32.exe
3696	pub2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	jg3_3uag.exe

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\colgdlijdieibnaccfdcdbpdffofkfeb\6.37.18_0\manifest.json	Install.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ipinfo.io
7	ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000700000002317e-142.dat	autoit_exe
behavioral2/files/0x000700000002317e-144.dat	autoit_exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\23766671-ef9a-46ab-b56f-111fb7e74169.tmp	Process not Found
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230104131122.pma	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4984	3432	WerFault.exe	97

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
408	taskkill.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3696	pub2.exe
3696	pub2.exe
4840	msedge.exe
4840	msedge.exe
4568	msedge.exe
4568	msedge.exe
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3696	pub2.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
5356	chrome.exe
5356	chrome.exe
5356	chrome.exe
5356	chrome.exe
5356	chrome.exe
5356	chrome.exe
5356	chrome.exe
5356	chrome.exe
5356	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2476	KRSetp.exe
Token: SeCreateTokenPrivilege	724	Install.exe
Token: SeAssignPrimaryTokenPrivilege	724	Install.exe
Token: SeLockMemoryPrivilege	724	Install.exe
Token: SeIncreaseQuotaPrivilege	724	Install.exe
Token: SeMachineAccountPrivilege	724	Install.exe
Token: SeTcbPrivilege	724	Install.exe
Token: SeSecurityPrivilege	724	Install.exe
Token: SeTakeOwnershipPrivilege	724	Install.exe
Token: SeLoadDriverPrivilege	724	Install.exe
Token: SeSystemProfilePrivilege	724	Install.exe
Token: SeSystemtimePrivilege	724	Install.exe
Token: SeProfSingleProcessPrivilege	724	Install.exe
Token: SeIncBasePriorityPrivilege	724	Install.exe
Token: SeCreatePagefilePrivilege	724	Install.exe
Token: SeCreatePermanentPrivilege	724	Install.exe
Token: SeBackupPrivilege	724	Install.exe
Token: SeRestorePrivilege	724	Install.exe
Token: SeShutdownPrivilege	724	Install.exe
Token: SeDebugPrivilege	724	Install.exe
Token: SeAuditPrivilege	724	Install.exe
Token: SeSystemEnvironmentPrivilege	724	Install.exe
Token: SeChangeNotifyPrivilege	724	Install.exe
Token: SeRemoteShutdownPrivilege	724	Install.exe
Token: SeUndockPrivilege	724	Install.exe
Token: SeSyncAgentPrivilege	724	Install.exe
Token: SeEnableDelegationPrivilege	724	Install.exe
Token: SeManageVolumePrivilege	724	Install.exe
Token: SeImpersonatePrivilege	724	Install.exe
Token: SeCreateGlobalPrivilege	724	Install.exe
Token: 31	724	Install.exe
Token: 32	724	Install.exe
Token: 33	724	Install.exe
Token: 34	724	Install.exe
Token: 35	724	Install.exe
Token: SeDebugPrivilege	408	taskkill.exe
Token: SeShutdownPrivilege	1028	Process not Found
Token: SeCreatePagefilePrivilege	1028	Process not Found
Token: SeShutdownPrivilege	1028	Process not Found
Token: SeCreatePagefilePrivilege	1028	Process not Found
Token: SeShutdownPrivilege	1028	Process not Found
Token: SeCreatePagefilePrivilege	1028	Process not Found
Token: SeShutdownPrivilege	1028	Process not Found
Token: SeCreatePagefilePrivilege	1028	Process not Found
Token: SeShutdownPrivilege	1028	Process not Found
Token: SeCreatePagefilePrivilege	1028	Process not Found
Token: SeShutdownPrivilege	1028	Process not Found
Token: SeCreatePagefilePrivilege	1028	Process not Found
Token: SeShutdownPrivilege	1028	Process not Found
Token: SeCreatePagefilePrivilege	1028	Process not Found
Token: SeShutdownPrivilege	1028	Process not Found
Token: SeCreatePagefilePrivilege	1028	Process not Found
Token: SeShutdownPrivilege	1028	Process not Found
Token: SeCreatePagefilePrivilege	1028	Process not Found
Token: SeShutdownPrivilege	1028	Process not Found
Token: SeCreatePagefilePrivilege	1028	Process not Found
Token: SeShutdownPrivilege	1028	Process not Found
Token: SeCreatePagefilePrivilege	1028	Process not Found
Token: SeShutdownPrivilege	1028	Process not Found
Token: SeCreatePagefilePrivilege	1028	Process not Found
Token: SeShutdownPrivilege	1028	Process not Found
Token: SeCreatePagefilePrivilege	1028	Process not Found
Token: SeManageVolumePrivilege	4108	jg3_3uag.exe
Token: SeManageVolumePrivilege	4108	jg3_3uag.exe

Suspicious use of FindShellTrayWindow 17 IoCs

pid	Process
4508	File.exe
4508	File.exe
4508	File.exe
4508	File.exe
4508	File.exe
4508	File.exe
4508	File.exe
4508	File.exe
4568	msedge.exe
4568	msedge.exe
4568	msedge.exe
1028	Process not Found
1028	Process not Found
1028	Process not Found
1028	Process not Found
5356	chrome.exe
5356	chrome.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
4508	File.exe
4508	File.exe
4508	File.exe
4508	File.exe
4508	File.exe
4508	File.exe
4508	File.exe
4508	File.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3692	Info.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3576 wrote to memory of 1932	3576	Trojan-PSW.Win32.Racealer.lly-e47bfa7b58706ed.exe	82
PID 3576 wrote to memory of 1932	3576	Trojan-PSW.Win32.Racealer.lly-e47bfa7b58706ed.exe	82
PID 3576 wrote to memory of 1932	3576	Trojan-PSW.Win32.Racealer.lly-e47bfa7b58706ed.exe	82
PID 3576 wrote to memory of 3836	3576	Trojan-PSW.Win32.Racealer.lly-e47bfa7b58706ed.exe	84
PID 3576 wrote to memory of 3836	3576	Trojan-PSW.Win32.Racealer.lly-e47bfa7b58706ed.exe	84
PID 3576 wrote to memory of 3836	3576	Trojan-PSW.Win32.Racealer.lly-e47bfa7b58706ed.exe	84
PID 3576 wrote to memory of 2476	3576	Trojan-PSW.Win32.Racealer.lly-e47bfa7b58706ed.exe	86
PID 3576 wrote to memory of 2476	3576	Trojan-PSW.Win32.Racealer.lly-e47bfa7b58706ed.exe	86
PID 1932 wrote to memory of 4508	1932	Files.exe	87
PID 1932 wrote to memory of 4508	1932	Files.exe	87
PID 1932 wrote to memory of 4508	1932	Files.exe	87
PID 3576 wrote to memory of 3692	3576	Trojan-PSW.Win32.Racealer.lly-e47bfa7b58706ed.exe	88
PID 3576 wrote to memory of 3692	3576	Trojan-PSW.Win32.Racealer.lly-e47bfa7b58706ed.exe	88
PID 3576 wrote to memory of 3692	3576	Trojan-PSW.Win32.Racealer.lly-e47bfa7b58706ed.exe	88
PID 3576 wrote to memory of 4108	3576	Trojan-PSW.Win32.Racealer.lly-e47bfa7b58706ed.exe	89
PID 3576 wrote to memory of 4108	3576	Trojan-PSW.Win32.Racealer.lly-e47bfa7b58706ed.exe	89
PID 3576 wrote to memory of 4108	3576	Trojan-PSW.Win32.Racealer.lly-e47bfa7b58706ed.exe	89
PID 3576 wrote to memory of 3696	3576	Trojan-PSW.Win32.Racealer.lly-e47bfa7b58706ed.exe	90
PID 3576 wrote to memory of 3696	3576	Trojan-PSW.Win32.Racealer.lly-e47bfa7b58706ed.exe	90
PID 3576 wrote to memory of 3696	3576	Trojan-PSW.Win32.Racealer.lly-e47bfa7b58706ed.exe	90
PID 3836 wrote to memory of 4736	3836	Folder.exe	91
PID 3836 wrote to memory of 4736	3836	Folder.exe	91
PID 3836 wrote to memory of 4736	3836	Folder.exe	91
PID 3576 wrote to memory of 724	3576	Trojan-PSW.Win32.Racealer.lly-e47bfa7b58706ed.exe	92
PID 3576 wrote to memory of 724	3576	Trojan-PSW.Win32.Racealer.lly-e47bfa7b58706ed.exe	92
PID 3576 wrote to memory of 724	3576	Trojan-PSW.Win32.Racealer.lly-e47bfa7b58706ed.exe	92
PID 3576 wrote to memory of 4568	3576	Trojan-PSW.Win32.Racealer.lly-e47bfa7b58706ed.exe	94
PID 3576 wrote to memory of 4568	3576	Trojan-PSW.Win32.Racealer.lly-e47bfa7b58706ed.exe	94
PID 4568 wrote to memory of 4224	4568	msedge.exe	95
PID 4568 wrote to memory of 4224	4568	msedge.exe	95
PID 4600 wrote to memory of 3432	4600	rUNdlL32.eXe	97
PID 4600 wrote to memory of 3432	4600	rUNdlL32.eXe	97
PID 4600 wrote to memory of 3432	4600	rUNdlL32.eXe	97
PID 724 wrote to memory of 3276	724	Install.exe	100
PID 724 wrote to memory of 3276	724	Install.exe	100
PID 724 wrote to memory of 3276	724	Install.exe	100
PID 3276 wrote to memory of 408	3276	cmd.exe	103
PID 3276 wrote to memory of 408	3276	cmd.exe	103
PID 3276 wrote to memory of 408	3276	cmd.exe	103
PID 4568 wrote to memory of 4816	4568	msedge.exe	107
PID 4568 wrote to memory of 4816	4568	msedge.exe	107
PID 4568 wrote to memory of 4816	4568	msedge.exe	107
PID 4568 wrote to memory of 4816	4568	msedge.exe	107
PID 4568 wrote to memory of 4816	4568	msedge.exe	107
PID 4568 wrote to memory of 4816	4568	msedge.exe	107
PID 4568 wrote to memory of 4816	4568	msedge.exe	107
PID 4568 wrote to memory of 4816	4568	msedge.exe	107
PID 4568 wrote to memory of 4816	4568	msedge.exe	107
PID 4568 wrote to memory of 4816	4568	msedge.exe	107
PID 4568 wrote to memory of 4816	4568	msedge.exe	107
PID 4568 wrote to memory of 4816	4568	msedge.exe	107
PID 4568 wrote to memory of 4816	4568	msedge.exe	107
PID 4568 wrote to memory of 4816	4568	msedge.exe	107
PID 4568 wrote to memory of 4816	4568	msedge.exe	107
PID 4568 wrote to memory of 4816	4568	msedge.exe	107
PID 4568 wrote to memory of 4816	4568	msedge.exe	107
PID 4568 wrote to memory of 4816	4568	msedge.exe	107
PID 4568 wrote to memory of 4816	4568	msedge.exe	107
PID 4568 wrote to memory of 4816	4568	msedge.exe	107
PID 4568 wrote to memory of 4816	4568	msedge.exe	107
PID 4568 wrote to memory of 4816	4568	msedge.exe	107
PID 4568 wrote to memory of 4816	4568	msedge.exe	107
PID 4568 wrote to memory of 4816	4568	msedge.exe	107
PID 4568 wrote to memory of 4816	4568	msedge.exe	107

C:\Users\Admin\AppData\Local\Temp\Trojan-PSW.Win32.Racealer.lly-e47bfa7b58706ed.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan-PSW.Win32.Racealer.lly-e47bfa7b58706ed.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Users\Admin\AppData\Local\Temp\Files.exe
  "C:\Users\Admin\AppData\Local\Temp\Files.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1Rxji7
    3⤵
    PID:4996
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb689e46f8,0x7ffb689e4708,0x7ffb689e4718
      4⤵
      PID:3952
- C:\Users\Admin\AppData\Local\Temp\Folder.exe
  "C:\Users\Admin\AppData\Local\Temp\Folder.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3836
- - C:\Users\Admin\AppData\Local\Temp\Folder.exe
    "C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
    3⤵
    - Executes dropped EXE
    PID:4736
- C:\Users\Admin\AppData\Local\Temp\KRSetp.exe
  "C:\Users\Admin\AppData\Local\Temp\KRSetp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2476
- C:\Users\Admin\AppData\Local\Temp\Info.exe
  "C:\Users\Admin\AppData\Local\Temp\Info.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3692
- C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe
  "C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  PID:4108
- C:\Users\Admin\AppData\Local\Temp\pub2.exe
  "C:\Users\Admin\AppData\Local\Temp\pub2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3696
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:724
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c taskkill /f /im chrome.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3276
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im chrome.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:408
- - C:\Windows\SysWOW64\xcopy.exe
    xcopy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data" "C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\" /s /e /y
    3⤵
    - Enumerates system info in registry
    PID:3744
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --window-position=-50000,-50000 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" https://www.facebook.com/ https://www.facebook.com/pages/ https://secure.facebook.com/ads/manager/account_settings/account_billing/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:5356
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99 --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffb69374f50,0x7ffb69374f60,0x7ffb69374f70
      4⤵
      PID:5384
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1596,4149576532026227223,16546469932273092072,131072 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1612 /prefetch:2
      4⤵
      PID:5572
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1596,4149576532026227223,16546469932273092072,131072 --lang=en-US --service-sandbox-type=network --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1996 /prefetch:8
      4⤵
      PID:5584
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1596,4149576532026227223,16546469932273092072,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2280 /prefetch:8
      4⤵
      PID:5696
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,4149576532026227223,16546469932273092072,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3040 /prefetch:1
      4⤵
      PID:5884
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,4149576532026227223,16546469932273092072,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3032 /prefetch:1
      4⤵
      PID:5876
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,4149576532026227223,16546469932273092072,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
      4⤵
      PID:5956
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,4149576532026227223,16546469932273092072,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
      4⤵
      PID:5964
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,4149576532026227223,16546469932273092072,131072 --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:1
      4⤵
      PID:5976
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,4149576532026227223,16546469932273092072,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=4864 /prefetch:8
      4⤵
      PID:5244
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,4149576532026227223,16546469932273092072,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
      4⤵
      PID:5256
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,4149576532026227223,16546469932273092072,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
      4⤵
      PID:4200
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,4149576532026227223,16546469932273092072,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
      4⤵
      PID:2488
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,4149576532026227223,16546469932273092072,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=3052 /prefetch:8
      4⤵
      PID:4256
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,4149576532026227223,16546469932273092072,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=3288 /prefetch:8
      4⤵
      PID:6056
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1596,4149576532026227223,16546469932273092072,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=3560 /prefetch:8
      4⤵
      PID:3160
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,4149576532026227223,16546469932273092072,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=3504 /prefetch:8
      4⤵
      PID:5960
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1596,4149576532026227223,16546469932273092072,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
      4⤵
      PID:3424
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,4149576532026227223,16546469932273092072,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2836 /prefetch:8
      4⤵
      PID:5272
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,4149576532026227223,16546469932273092072,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=1564 /prefetch:8
      4⤵
      PID:5268
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1596,4149576532026227223,16546469932273092072,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=5928 /prefetch:8
      4⤵
      PID:3940
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1596,4149576532026227223,16546469932273092072,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --mojo-platform-channel-handle=2752 /prefetch:8
      4⤵
      PID:5556
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1596,4149576532026227223,16546469932273092072,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99" --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2620 /prefetch:2
      4⤵
      PID:3632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1rPS67
  2⤵
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb689e46f8,0x7ffb689e4708,0x7ffb689e4718
    3⤵
    PID:4224
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,11905884330664527197,6867041187801511355,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
    3⤵
    PID:4816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,11905884330664527197,6867041187801511355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4840
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,11905884330664527197,6867041187801511355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
    3⤵
    PID:1284
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,11905884330664527197,6867041187801511355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2036 /prefetch:1
    3⤵
    PID:4524
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,11905884330664527197,6867041187801511355,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3076 /prefetch:1
    3⤵
    PID:1752
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,11905884330664527197,6867041187801511355,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4408 /prefetch:1
    3⤵
    PID:4736
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2112,11905884330664527197,6867041187801511355,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4336 /prefetch:8
    3⤵
    PID:1652
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2112,11905884330664527197,6867041187801511355,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5472 /prefetch:8
    3⤵
    PID:3896
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,11905884330664527197,6867041187801511355,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4360 /prefetch:1
    3⤵
    PID:2584
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,11905884330664527197,6867041187801511355,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
    3⤵
    PID:2496
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,11905884330664527197,6867041187801511355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
    3⤵
    PID:3804
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    PID:1748
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff622c35460,0x7ff622c35470,0x7ff622c35480
      4⤵
      PID:4172
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,11905884330664527197,6867041187801511355,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
    3⤵
    PID:3164
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2112,11905884330664527197,6867041187801511355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5388 /prefetch:8
    3⤵
    PID:5244
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2112,11905884330664527197,6867041187801511355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6380 /prefetch:8
    3⤵
    PID:1948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2112,11905884330664527197,6867041187801511355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2596 /prefetch:8
    3⤵
    PID:6060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,11905884330664527197,6867041187801511355,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2884 /prefetch:2
    3⤵
    PID:3728
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2112,11905884330664527197,6867041187801511355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6952 /prefetch:8
    3⤵
    PID:3148
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2112,11905884330664527197,6867041187801511355,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
    3⤵
    PID:5212

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Windows\SysWOW64\rundll32.exe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  2⤵
  - Loads dropped DLL
  PID:3432
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 600
    3⤵
    - Program crash
    PID:4984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3432 -ip 3432
1⤵
PID:4324

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3744

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
6cbd705caec67f52c6f480a2a76e712a

SHA1
4afd804fe0cef4570e3b77ab367083f38aff3a06

SHA256
881b01cae2b7120bebcb71dbfef41e2fc4d8f5adca469eb8c91617d9d16fe50c

SHA512
a254e96b5e87b34d2d7378f9c258dc79459b65719ad92f41560abe5fac8d0429dfc39494285015b20621050b57fcca704ecff36b8371afb5cba6dbb58223722d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\colgdlijdieibnaccfdcdbpdffofkfeb\6.37.18_0\background.html

Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\colgdlijdieibnaccfdcdbpdffofkfeb\6.37.18_0\icon.png

Filesize
6KB

MD5
c8d8c174df68910527edabe6b5278f06

SHA1
8ac53b3605fea693b59027b9b471202d150f266f

SHA256
9434dd7008059a60d6d5ced8c8a63ab5cae407e7152da98ca4dda408510f08f5

SHA512
d439e5124399d1901934319535b7156c0ca8d76b5aa4ddf1dd0b598d43582f6d23c16f96be74d3cd5fe764396da55ca51811d08695f356f12f7a8a71bcc7e45c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\colgdlijdieibnaccfdcdbpdffofkfeb\6.37.18_0\js\aes.js

Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\colgdlijdieibnaccfdcdbpdffofkfeb\6.37.18_0\js\background.js

Filesize
15KB

MD5
141423f2b762c7fd0eef0748779070e3

SHA1
c4e54b31c04adfeade0be82a6719f176123fdbc8

SHA256
00aae9b0df6c093b157371297c8733c0a5e55fb4d4b15320f9745db8e0add9ba

SHA512
4f89b246d5bc5cf3adb970a4f1836fc72c59b5aff91b2bd07b88122730cd8be79bf6eabe2dbfad1dfb3923183af8e8def2b747a5e7e2815705dad348a84c4883

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\colgdlijdieibnaccfdcdbpdffofkfeb\6.37.18_0\js\content.js

Filesize
26KB

MD5
029c53effaed86331055c63d264c3316

SHA1
859bb39d27b462a73fc9131f694b69c8c118b3cf

SHA256
3c1453cb6fe4c7ae8945d96db6c19e3eb58702df65ee0244f8f2444b20e93068

SHA512
68d115d79428c906ca377091f30c207de92ee9450e22e94a35fd7753547cb582ae36434595f1c0e444bb19d5c6dcc214fe58a9987f690486800c8ad91c9642d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\colgdlijdieibnaccfdcdbpdffofkfeb\6.37.18_0\js\jquery-3.3.1.min.js

Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\colgdlijdieibnaccfdcdbpdffofkfeb\6.37.18_0\js\mode-ecb.js

Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\colgdlijdieibnaccfdcdbpdffofkfeb\6.37.18_0\js\pad-nopadding.js

Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\colgdlijdieibnaccfdcdbpdffofkfeb\6.37.18_0\manifest.json

Filesize
1KB

MD5
6c60a1967cbc43f39c65d563fd100719

SHA1
a90467bcbc38e0b31ff6da9468c51432df034197

SHA256
6afb68b31d74314a31e752c8e0b8bc36946ef783fdc68a0b072e2632a2b752b5

SHA512
91c23ea68ffaa5b5786b3120e78607042fa5fbd00369f36b4719a5bf8eaf480a94b87115df4cc66db5abf419cb57495093f2023b1b9f6d30a85214fc3d347aa3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
30KB

MD5
c5cdeb0f52fafe261a3aba8172962c51

SHA1
9e7ef35920d02f057bfe7a77ee6a23d8808926c4

SHA256
716b2458714283eb42ed97ec93a7a8275b925236557e1503825c1dfa49ce6301

SHA512
05ba3d19646aca2ea86d4abcba3a16cc673f87fa3b47b13feda77f137d4a7fabef4440c974889cf0f89ccd719f3124f108c16551579b7b309b2d939ad0da64a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6102471af38b45f30decc8db2f59a8e2

SHA1
35428c52f58b3a35d5028929b6298d6b95d6bdec

SHA256
57e3a5210c5872fc5d56b4111a4d07e512ef54a79128391084c167c101a9d7c4

SHA512
1040720fe63680c7a17ced8026e3a2e31e0e73066bd0c3d74e5cd4a19c0e6f23dc30e0a41f62d92c0b9cc9840895ece4b3d36a200816e400feec49e54599b3fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6102471af38b45f30decc8db2f59a8e2

SHA1
35428c52f58b3a35d5028929b6298d6b95d6bdec

SHA256
57e3a5210c5872fc5d56b4111a4d07e512ef54a79128391084c167c101a9d7c4

SHA512
1040720fe63680c7a17ced8026e3a2e31e0e73066bd0c3d74e5cd4a19c0e6f23dc30e0a41f62d92c0b9cc9840895ece4b3d36a200816e400feec49e54599b3fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\CC4F.tmp

Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe

Filesize
685KB

MD5
9db8533616a943ad1dace74d963cd44a

SHA1
46d5a1d89b7ae17ea58bf1ad712b0e630b7bb4c3

SHA256
f9bf8fabc02c83ac085c69395b4d9d0c7ed208444603f024e9bafe0232d56d4d

SHA512
d6a3ce9a5b21aee7832db51a04dc50096d0275d8c7efe33a2d79162b54ecc10b580b4387f8a6db31f557b8e22ba4af188850347c375d49fba5a8cfa361cd0b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe

Filesize
685KB

MD5
9db8533616a943ad1dace74d963cd44a

SHA1
46d5a1d89b7ae17ea58bf1ad712b0e630b7bb4c3

SHA256
f9bf8fabc02c83ac085c69395b4d9d0c7ed208444603f024e9bafe0232d56d4d

SHA512
d6a3ce9a5b21aee7832db51a04dc50096d0275d8c7efe33a2d79162b54ecc10b580b4387f8a6db31f557b8e22ba4af188850347c375d49fba5a8cfa361cd0b02

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe

Filesize
712KB

MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe

Filesize
712KB

MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe

Filesize
712KB

MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe

Filesize
804KB

MD5
92acb4017f38a7ee6c5d2f6ef0d32af2

SHA1
1b932faf564f18ccc63e5dabff5c705ac30a61b8

SHA256
2459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1

SHA512
d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe

Filesize
804KB

MD5
92acb4017f38a7ee6c5d2f6ef0d32af2

SHA1
1b932faf564f18ccc63e5dabff5c705ac30a61b8

SHA256
2459694049abfe227ddcf5b4d813fe3ae8e1e9066de5228acf20c958d425c2e1

SHA512
d385b2857d934628e1df3ef493b3a33e2a042c5974d9c153c126a86a28fc61bcc02db0a0791c225378994737a16cd35b74f217600d4b837cda779200c9faeb73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
1.4MB

MD5
59169e3ce0cecff73d7cd659d3701759

SHA1
89d1047e7d137fe43f202e84098f37a29ed9abf2

SHA256
68e0b06616fa053d7e9918fab0536d2d0f8256c60f1911a4776645dd644bdfe8

SHA512
31bc616c6b583c02d20aad0f6bd78fae4537760f16e2745a3b6be9cfcda25a382fa5f9c52072111dc1f2504fea809086b07635c348d32205f452126f23aba42f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
1.4MB

MD5
59169e3ce0cecff73d7cd659d3701759

SHA1
89d1047e7d137fe43f202e84098f37a29ed9abf2

SHA256
68e0b06616fa053d7e9918fab0536d2d0f8256c60f1911a4776645dd644bdfe8

SHA512
31bc616c6b583c02d20aad0f6bd78fae4537760f16e2745a3b6be9cfcda25a382fa5f9c52072111dc1f2504fea809086b07635c348d32205f452126f23aba42f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe

Filesize
166KB

MD5
8e1219c0d7cd346394d1ec9c137b9b4d

SHA1
a3e80a774c425158b3c2137b27fb26dfe7d97c40

SHA256
a04ac90fe7655c6337c447a9d2d8435fabcab139ad944eb8361b3d28d64f2586

SHA512
f9559ffb770d95ecca977982c9ce5a2f3e4df5a19c5b13f58d9cdccc235d4cbb8fc9e1c3f0164c2729fa6097502257888595a1c0a8628e3b2fc3793bda8b35c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRSetp.exe

Filesize
166KB

MD5
8e1219c0d7cd346394d1ec9c137b9b4d

SHA1
a3e80a774c425158b3c2137b27fb26dfe7d97c40

SHA256
a04ac90fe7655c6337c447a9d2d8435fabcab139ad944eb8361b3d28d64f2586

SHA512
f9559ffb770d95ecca977982c9ce5a2f3e4df5a19c5b13f58d9cdccc235d4cbb8fc9e1c3f0164c2729fa6097502257888595a1c0a8628e3b2fc3793bda8b35c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe

Filesize
846KB

MD5
09e9036e720556b90849d55a19e5c7dd

SHA1
862b2f14e945e4bf24f19ad3f1eb8f7e290a8d89

SHA256
5ec2d9b70fc901925c7bb7aed5af4e760732b5f56df34b9dafba5655c68b4ce5

SHA512
ba6abbbc1157b3b699369acf91e2e42e1afbe0e82073f654831eeb38938c1b772eb095dd31c0e9c81bd717b8d6027e0bfa8771b172ad4ea9a8ad48e752c56cda

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe

Filesize
846KB

MD5
09e9036e720556b90849d55a19e5c7dd

SHA1
862b2f14e945e4bf24f19ad3f1eb8f7e290a8d89

SHA256
5ec2d9b70fc901925c7bb7aed5af4e760732b5f56df34b9dafba5655c68b4ce5

SHA512
ba6abbbc1157b3b699369acf91e2e42e1afbe0e82073f654831eeb38938c1b772eb095dd31c0e9c81bd717b8d6027e0bfa8771b172ad4ea9a8ad48e752c56cda

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat

Filesize
552KB

MD5
5fd2eba6df44d23c9e662763009d7f84

SHA1
43530574f8ac455ae263c70cc99550bc60bfa4f1

SHA256
2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f

SHA512
321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll

Filesize
73KB

MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll

Filesize
73KB

MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\CrashpadMetrics-active.pma

Filesize
1024KB

MD5
03c4f648043a88675a920425d824e1b3

SHA1
b98ce64ab5f7a187d19deb8f24ca4ab5d9720a6d

SHA256
f91dbb7c64b4582f529c968c480d2dce1c8727390482f31e4355a27bb3d9b450

SHA512
2473f21cf8747ec981db18fb42726c767bbcca8dd89fd05ffd2d844206a6e86da672967462ac714e6fb43cc84ac35fffcec7ddc43a9357c1f8ed9d14105e9192

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Crashpad\settings.dat

Filesize
40B

MD5
13ee140d3fbdbfa1b149bedee8c79537

SHA1
da770b1f8b8024e6afe6ebdb0ec70eefd89756cf

SHA256
fa234ff7d82cbbd4fd290bb9d56438f5ab4771ac7ce47f293f0e3f442188d76c

SHA512
c368340fbe46f9caf4fa707c184c92d619ffdbda47967c0c62cfb6384dcf245611d814509e113f86c94fa8f8a59f5029f97263574a450dcdf1c568a656f2f975

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\History

Filesize
116KB

MD5
4e2922249bf476fb3067795f2fa5e794

SHA1
d2db6b2759d9e650ae031eb62247d457ccaa57d2

SHA256
c2c17166e7468877d1e80822f8a5f35a7700ac0b68f3b369a1f4154ae4f811e1

SHA512
8e5e12daf11f9f6e73fb30f563c8f2a64bbc7bb9deffe4969e23081ec1c4073cdf6c74e8dbcc65a271142083ad8312ec7d59505c90e718a5228d369f4240e1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Preferences

Filesize
7KB

MD5
e6db72a31682d29c37e2e6c99de5695d

SHA1
de1999eadb3a124baa34e6a4e185c791db740ffb

SHA256
09735d675fb831e0a8c583059c36dd0b8a87e8ec3e43b25ef4474e9973e63db9

SHA512
fb27890c316fe071980723ed34a35e8bd2b5f33faee7ca8123942534f05324c6dad384eb6ce4153575520349acc8143663690396419be2cd6b01f7dd9015be99

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Secure Preferences

Filesize
30KB

MD5
c5cdeb0f52fafe261a3aba8172962c51

SHA1
9e7ef35920d02f057bfe7a77ee6a23d8808926c4

SHA256
716b2458714283eb42ed97ec93a7a8275b925236557e1503825c1dfa49ce6301

SHA512
05ba3d19646aca2ea86d4abcba3a16cc673f87fa3b47b13feda77f137d4a7fabef4440c974889cf0f89ccd719f3124f108c16551579b7b309b2d939ad0da64a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Default\Visited Links

Filesize
128KB

MD5
e3430c8343d982117e7e661b543fac7f

SHA1
0fa92ff66d37a89d55a10c6deab6242bacf50471

SHA256
93e664ab821bc3474e51a67567224b464d792b1e8190ad3c5b7ea67ed3081a2f

SHA512
9d60eb240948e2cd2488740d86f4880c06583be5c02240c2d5b07b28a6a9e71f8a93f4117d87e98e243b86f90bfb5a99bd5998158ab6fc4a7cf5f81f963af9be

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Last Version

Filesize
13B

MD5
b63048c4e7e52c52053d25da30d9c5ab

SHA1
679a44d402f5ec24605719e06459f5a707989187

SHA256
389caa40ea458e84bc624a9af1e0dec60fa652b2db2b81c09b1dfe22822cc3d1

SHA512
e86c58c5a25e24f21ad79ed526a90c120a09c115f4820663bd2ebbc59e7bb1c4c418267eb77645522aa20b2c1b53fba8e31690db7bae9b21e4eff3db06316359

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\Local State

Filesize
103KB

MD5
63eb838801d0343e274d6ff20a4e1dd9

SHA1
44fab5107b9863c7f50e9c6cd6ce5a0844fd5025

SHA256
a966f44e088e076a086ecafb202f6b28761e01ca288306e843447d5f8e42e27f

SHA512
ebec2235b6794eb77d67a4b332946fc2d31ca707b7e46acef96334da6abc43a06137f88dca6b2bbf06333a8ce8e63c9932380da3a992bf48072bd84d5dfaef77

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\ShaderCache\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\ShaderCache\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\ShaderCache\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cghjgasaaz99\ShaderCache\GPUCache\index

Filesize
256KB

MD5
b757af9323d9d080b72fd17ebaeac05c

SHA1
b0b3af521adee120a15a9718f1bb56d47c4bd318

SHA256
fff2c317d35348da373da197b32efb591d75509b9660f6a3313a5809c31906d5

SHA512
678f67b5bb4bdd376327cb7e5b9dc0637d873e27c52f1e25b4b6e254e03e1807a9c862047019156bd73950c96efabecb32fe50ea1615d69d880161cf47c33bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe

Filesize
789KB

MD5
b41472d8b0e9c50205e96d39e427de9e

SHA1
c16a3a63fd20c22fc8da89ab2896d76ca0e724db

SHA256
fd0e9e093b695b66b71910bf84e1196b1123700185521e8b3f27ac98aa1dd507

SHA512
8161e820896be2d6b63291cc4ef74879d2b5cdf87c3a202664eecfd851f279efbe4b624461470672589d082809f00864c029a0a78f2c053ca83c6d1c5e0d3d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\jg3_3uag.exe

Filesize
789KB

MD5
b41472d8b0e9c50205e96d39e427de9e

SHA1
c16a3a63fd20c22fc8da89ab2896d76ca0e724db

SHA256
fd0e9e093b695b66b71910bf84e1196b1123700185521e8b3f27ac98aa1dd507

SHA512
8161e820896be2d6b63291cc4ef74879d2b5cdf87c3a202664eecfd851f279efbe4b624461470672589d082809f00864c029a0a78f2c053ca83c6d1c5e0d3d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe

Filesize
192KB

MD5
90a1299fae4ca2833b79466756fa7a6d

SHA1
58b4928afeb04a436c504f4a6604dce3ad427c4a

SHA256
2e865873f6f273659f83aadc530c05e38119a5dec5830ff947335920d1110384

SHA512
9fabf9e0afa9b087929a0f6c2f7c582e7589ce3a0af32fc30f78318b9c925dd04e3bfb0fd97f1113f2c5f1dd56e567d7e16c73cfd9822b671ade0f7e72726609

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe

Filesize
192KB

MD5
90a1299fae4ca2833b79466756fa7a6d

SHA1
58b4928afeb04a436c504f4a6604dce3ad427c4a

SHA256
2e865873f6f273659f83aadc530c05e38119a5dec5830ff947335920d1110384

SHA512
9fabf9e0afa9b087929a0f6c2f7c582e7589ce3a0af32fc30f78318b9c925dd04e3bfb0fd97f1113f2c5f1dd56e567d7e16c73cfd9822b671ade0f7e72726609

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk

Filesize
2KB

MD5
ace837c50d1633beea5e7cec8926e6cb

SHA1
6274ffe32eea998afc66a155c8a2e5477569c885

SHA256
57864ce9ed1d127639ea079521ad51040f1c0a0e7933c3eb310534897ffed435

SHA512
1639f97d39ba2a09854ad22d96f6d05e16871e0e8689a1e61411339d496a445b4b5b80b66d489b28b6d140ebbf9127677462fe6947e67df2ac2b6cded0cb5271

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
2aae91f326cf502a0a3bb247d1970cf2

SHA1
b5f534ea27b56dd0d721c39d337951e83f63b369

SHA256
a2caf5fcf5fd1dfb749a80a878db0fcbfb1cbce903b1174be3f87ea44ce6410c

SHA512
80ae4320589fd61d6b128e07801d139efded9d6b98fdf2b5d23392ae50902d083ce4540542c8da951ba006b7daac6a50e0e87a6769a58a2179760ed3a7eb3036

Download Submit
\??\c:\users\admin\appdata\local\microsoft\edge\user data\default\edge profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
memory/2476-143-0x0000000000840000-0x0000000000872000-memory.dmp

Filesize
200KB

Download
memory/2476-151-0x00007FFB6C330000-0x00007FFB6CDF1000-memory.dmp

Filesize
10.8MB

Download
memory/2476-169-0x00007FFB6C330000-0x00007FFB6CDF1000-memory.dmp

Filesize
10.8MB

Download
memory/3696-171-0x0000000000BFD000-0x0000000000C06000-memory.dmp

Filesize
36KB

Download
memory/3696-172-0x0000000000AB0000-0x0000000000AB9000-memory.dmp

Filesize
36KB

Download
memory/3696-173-0x0000000000400000-0x00000000009AB000-memory.dmp

Filesize
5.7MB

Download
memory/3696-196-0x0000000000400000-0x00000000009AB000-memory.dmp

Filesize
5.7MB

Download
memory/4108-240-0x00000000036D0000-0x00000000036E0000-memory.dmp

Filesize
64KB

Download
memory/4108-289-0x0000000004080000-0x0000000004088000-memory.dmp

Filesize
32KB

Download
memory/4108-152-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/4108-377-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/4108-340-0x0000000003E80000-0x0000000003E88000-memory.dmp

Filesize
32KB

Download
memory/4108-339-0x0000000003E80000-0x0000000003E88000-memory.dmp

Filesize
32KB

Download
memory/4108-290-0x0000000004080000-0x0000000004088000-memory.dmp

Filesize
32KB

Download
memory/4108-288-0x00000000042A0000-0x00000000042A8000-memory.dmp

Filesize
32KB

Download
memory/4108-162-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/4108-234-0x0000000003530000-0x0000000003540000-memory.dmp

Filesize
64KB

Download
memory/4108-287-0x0000000004120000-0x0000000004128000-memory.dmp

Filesize
32KB

Download
memory/4108-246-0x0000000004180000-0x0000000004188000-memory.dmp

Filesize
32KB

Download
memory/4108-247-0x00000000041A0000-0x00000000041A8000-memory.dmp

Filesize
32KB

Download
memory/4108-248-0x0000000004240000-0x0000000004248000-memory.dmp

Filesize
32KB

Download
memory/4108-249-0x00000000044C0000-0x00000000044C8000-memory.dmp

Filesize
32KB

Download
memory/4108-250-0x00000000044E0000-0x00000000044E8000-memory.dmp

Filesize
32KB

Download
memory/4108-251-0x0000000004890000-0x0000000004898000-memory.dmp

Filesize
32KB

Download
memory/4108-252-0x0000000004790000-0x0000000004798000-memory.dmp

Filesize
32KB

Download
memory/4108-253-0x0000000004500000-0x0000000004508000-memory.dmp

Filesize
32KB

Download
memory/4108-254-0x00000000041A0000-0x00000000041A8000-memory.dmp

Filesize
32KB

Download
memory/4108-255-0x0000000004500000-0x0000000004508000-memory.dmp

Filesize
32KB

Download
memory/4108-256-0x0000000004630000-0x0000000004638000-memory.dmp

Filesize
32KB

Download
memory/4108-257-0x00000000041A0000-0x00000000041A8000-memory.dmp

Filesize
32KB

Download
memory/4108-258-0x0000000004630000-0x0000000004638000-memory.dmp

Filesize
32KB

Download
memory/4108-259-0x0000000004500000-0x0000000004508000-memory.dmp

Filesize
32KB

Download
memory/4108-284-0x0000000004060000-0x0000000004068000-memory.dmp

Filesize
32KB

Download
memory/4108-285-0x0000000004080000-0x0000000004088000-memory.dmp

Filesize
32KB

Download
memory/4108-286-0x0000000004120000-0x0000000004128000-memory.dmp

Filesize
32KB

Download