gcleaner | d6c7416582172b48537000e0f604ad4836c2298130ce61ee64187d2e5659bdf7

Resubmissions

15-06-2023 09:57

230615-lzef3sfg7z 7

28-02-2023 09:08

230228-k3wzvsac8y 10

Analysis

max time kernel
151s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
28-02-2023 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

380KB
MD5

bbd74fe84f0cd1c6a490d33ccd2d5588
SHA1

7232328b8e24ec0d5ce5e29ad446a5150534b771
SHA256

d6c7416582172b48537000e0f604ad4836c2298130ce61ee64187d2e5659bdf7
SHA512

0402625cdd798cb36eaf4c3772921c5e372a21f7b7234a2811a64275ac6acc63ec1245d4270346a316a542d6f18223959f1b66ee96d053ec8259572263bd13b6
SSDEEP

6144:K/QiQXCA6m+ksmpk3U9jW1U4P9bBiQtCsZ/+/imJIGh7bc92xa+5o1WUK0h06PYA:yQi3Ap6m6URA3PhBtthtE/E9y5uVPYgV

Score

10^/10

gcleaner socelars evasion loader persistence spyware stealer vmprotect

Malware Config

Extracted

Family

socelars

https://hdbywe.s3.us-west-2.amazonaws.com/sfasue20/

Extracted

Family

gcleaner

45.12.253.56

45.12.253.72

45.12.253.98

45.12.253.75

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5596 4436 rundll32.exe
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5596	4436	rundll32.exe

Socelars payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\2qfjd5mh.cu2\handdiy_3.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\2qfjd5mh.cu2\handdiy_3.exe	family_socelars

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

BOLTin1.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts BOLTin1.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	BOLTin1.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

chenp.exegcleaner.exeBOLTin1.exeGonylaxage.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	chenp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	gcleaner.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	BOLTin1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	Gonylaxage.exe

Executes dropped EXE 9 IoCs

Processes:

file.tmpBOLTin1.exeGonylaxage.exeGonylaxage.exegcleaner.exehanddiy_3.exechenp.exechenp.exepb1117.exe

pid process

3900 file.tmp
1708 BOLTin1.exe
1928 Gonylaxage.exe
1844 Gonylaxage.exe
5444 gcleaner.exe
5584 handdiy_3.exe
1752 chenp.exe
4152 chenp.exe
3080 pb1117.exe
Loads dropped DLL 2 IoCs

Processes:

file.tmprundll32.exe

pid process

3900 file.tmp
5776 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3900	file.tmp
1708	BOLTin1.exe
1928	Gonylaxage.exe
1844	Gonylaxage.exe
5444	gcleaner.exe
5584	handdiy_3.exe
1752	chenp.exe
4152	chenp.exe
3080	pb1117.exe

pid	process
3900	file.tmp
5776	rundll32.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\4grklxsd.gtv\pb1117.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\4grklxsd.gtv\pb1117.exe	vmprotect
behavioral2/memory/3080-346-0x0000000140000000-0x0000000140619000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

BOLTin1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Internet Explorer\\Gonylaxage.exe\""	BOLTin1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 15 IoCs

Processes:

handdiy_3.exesetup.exeBOLTin1.exe

description	ioc	process
File opened for modification	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	handdiy_3.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\e143babb-29fe-46d4-8cd1-71b15cedc76f.tmp	setup.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png	handdiy_3.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js	handdiy_3.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json	handdiy_3.exe
File created	C:\Program Files (x86)\Internet Explorer\Gonylaxage.exe.config	BOLTin1.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js	handdiy_3.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js	handdiy_3.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230228100858.pma	setup.exe
File created	C:\Program Files\Java\GKAQDHFPSB\poweroff.exe	BOLTin1.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html	handdiy_3.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js	handdiy_3.exe
File created	C:\Program Files (x86)\Internet Explorer\Gonylaxage.exe	BOLTin1.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js	handdiy_3.exe
File created	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js	handdiy_3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 11 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5840	5444	WerFault.exe	gcleaner.exe
1708	5444	WerFault.exe	gcleaner.exe
5264	5444	WerFault.exe	gcleaner.exe
6040	5776	WerFault.exe	rundll32.exe
4768	5444	WerFault.exe	gcleaner.exe
228	5444	WerFault.exe	gcleaner.exe
3232	5444	WerFault.exe	gcleaner.exe
3088	5444	WerFault.exe	gcleaner.exe
4468	5444	WerFault.exe	gcleaner.exe
4108	5444	WerFault.exe	gcleaner.exe
3356	5444	WerFault.exe	gcleaner.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1152 taskkill.exe
4020 taskkill.exe

pid	process
1152	taskkill.exe
4020	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133220525329402534"	chrome.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 108 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

description	flow	ioc
HTTP User-Agent header	108	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Gonylaxage.exe

pid	process
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe
1928	Gonylaxage.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

Processes:

msedge.exechrome.exe

pid	process
5424	msedge.exe
5424	msedge.exe
5424	msedge.exe
5424	msedge.exe
5424	msedge.exe
5424	msedge.exe
5424	msedge.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

BOLTin1.exeGonylaxage.exeGonylaxage.exehanddiy_3.exetaskkill.exetaskkill.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	1708	BOLTin1.exe
Token: SeDebugPrivilege	1844	Gonylaxage.exe
Token: SeDebugPrivilege	1928	Gonylaxage.exe
Token: SeCreateTokenPrivilege	5584	handdiy_3.exe
Token: SeAssignPrimaryTokenPrivilege	5584	handdiy_3.exe
Token: SeLockMemoryPrivilege	5584	handdiy_3.exe
Token: SeIncreaseQuotaPrivilege	5584	handdiy_3.exe
Token: SeMachineAccountPrivilege	5584	handdiy_3.exe
Token: SeTcbPrivilege	5584	handdiy_3.exe
Token: SeSecurityPrivilege	5584	handdiy_3.exe
Token: SeTakeOwnershipPrivilege	5584	handdiy_3.exe
Token: SeLoadDriverPrivilege	5584	handdiy_3.exe
Token: SeSystemProfilePrivilege	5584	handdiy_3.exe
Token: SeSystemtimePrivilege	5584	handdiy_3.exe
Token: SeProfSingleProcessPrivilege	5584	handdiy_3.exe
Token: SeIncBasePriorityPrivilege	5584	handdiy_3.exe
Token: SeCreatePagefilePrivilege	5584	handdiy_3.exe
Token: SeCreatePermanentPrivilege	5584	handdiy_3.exe
Token: SeBackupPrivilege	5584	handdiy_3.exe
Token: SeRestorePrivilege	5584	handdiy_3.exe
Token: SeShutdownPrivilege	5584	handdiy_3.exe
Token: SeDebugPrivilege	5584	handdiy_3.exe
Token: SeAuditPrivilege	5584	handdiy_3.exe
Token: SeSystemEnvironmentPrivilege	5584	handdiy_3.exe
Token: SeChangeNotifyPrivilege	5584	handdiy_3.exe
Token: SeRemoteShutdownPrivilege	5584	handdiy_3.exe
Token: SeUndockPrivilege	5584	handdiy_3.exe
Token: SeSyncAgentPrivilege	5584	handdiy_3.exe
Token: SeEnableDelegationPrivilege	5584	handdiy_3.exe
Token: SeManageVolumePrivilege	5584	handdiy_3.exe
Token: SeImpersonatePrivilege	5584	handdiy_3.exe
Token: SeCreateGlobalPrivilege	5584	handdiy_3.exe
Token: 31	5584	handdiy_3.exe
Token: 32	5584	handdiy_3.exe
Token: 33	5584	handdiy_3.exe
Token: 34	5584	handdiy_3.exe
Token: 35	5584	handdiy_3.exe
Token: SeDebugPrivilege	1152	taskkill.exe
Token: SeDebugPrivilege	4020	taskkill.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeCreatePagefilePrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

msedge.exechrome.exe

pid	process
5424	msedge.exe
5424	msedge.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

chenp.exechenp.exe

pid process

1752 chenp.exe
1752 chenp.exe
4152 chenp.exe
4152 chenp.exe

pid	process
1752	chenp.exe
1752	chenp.exe
4152	chenp.exe
4152	chenp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.exefile.tmpBOLTin1.exeGonylaxage.execmd.exeGonylaxage.execmd.exemsedge.exe

description	pid	process	target process
PID 4056 wrote to memory of 3900	4056	file.exe	file.tmp
PID 4056 wrote to memory of 3900	4056	file.exe	file.tmp
PID 4056 wrote to memory of 3900	4056	file.exe	file.tmp
PID 3900 wrote to memory of 1708	3900	file.tmp	BOLTin1.exe
PID 3900 wrote to memory of 1708	3900	file.tmp	BOLTin1.exe
PID 1708 wrote to memory of 1928	1708	BOLTin1.exe	Gonylaxage.exe
PID 1708 wrote to memory of 1928	1708	BOLTin1.exe	Gonylaxage.exe
PID 1708 wrote to memory of 1844	1708	BOLTin1.exe	Gonylaxage.exe
PID 1708 wrote to memory of 1844	1708	BOLTin1.exe	Gonylaxage.exe
PID 1928 wrote to memory of 5292	1928	Gonylaxage.exe	cmd.exe
PID 1928 wrote to memory of 5292	1928	Gonylaxage.exe	cmd.exe
PID 5292 wrote to memory of 5444	5292	cmd.exe	gcleaner.exe
PID 5292 wrote to memory of 5444	5292	cmd.exe	gcleaner.exe
PID 5292 wrote to memory of 5444	5292	cmd.exe	gcleaner.exe
PID 1844 wrote to memory of 5424	1844	Gonylaxage.exe	msedge.exe
PID 1844 wrote to memory of 5424	1844	Gonylaxage.exe	msedge.exe
PID 1928 wrote to memory of 5496	1928	Gonylaxage.exe	cmd.exe
PID 1928 wrote to memory of 5496	1928	Gonylaxage.exe	cmd.exe
PID 5496 wrote to memory of 5584	5496	cmd.exe	handdiy_3.exe
PID 5496 wrote to memory of 5584	5496	cmd.exe	handdiy_3.exe
PID 5496 wrote to memory of 5584	5496	cmd.exe	handdiy_3.exe
PID 5424 wrote to memory of 5612	5424	msedge.exe	msedge.exe
PID 5424 wrote to memory of 5612	5424	msedge.exe	msedge.exe
PID 1928 wrote to memory of 5868	1928	Gonylaxage.exe	cmd.exe
PID 1928 wrote to memory of 5868	1928	Gonylaxage.exe	cmd.exe
PID 5424 wrote to memory of 6052	5424	msedge.exe	msedge.exe
PID 5424 wrote to memory of 6052	5424	msedge.exe	msedge.exe
PID 5424 wrote to memory of 6052	5424	msedge.exe	msedge.exe
PID 5424 wrote to memory of 6052	5424	msedge.exe	msedge.exe
PID 5424 wrote to memory of 6052	5424	msedge.exe	msedge.exe
PID 5424 wrote to memory of 6052	5424	msedge.exe	msedge.exe
PID 5424 wrote to memory of 6052	5424	msedge.exe	msedge.exe
PID 5424 wrote to memory of 6052	5424	msedge.exe	msedge.exe
PID 5424 wrote to memory of 6052	5424	msedge.exe	msedge.exe
PID 5424 wrote to memory of 6052	5424	msedge.exe	msedge.exe
PID 5424 wrote to memory of 6052	5424	msedge.exe	msedge.exe
PID 5424 wrote to memory of 6052	5424	msedge.exe	msedge.exe
PID 5424 wrote to memory of 6052	5424	msedge.exe	msedge.exe
PID 5424 wrote to memory of 6052	5424	msedge.exe	msedge.exe
PID 5424 wrote to memory of 6052	5424	msedge.exe	msedge.exe
PID 5424 wrote to memory of 6052	5424	msedge.exe	msedge.exe
PID 5424 wrote to memory of 6052	5424	msedge.exe	msedge.exe
PID 5424 wrote to memory of 6052	5424	msedge.exe	msedge.exe
PID 5424 wrote to memory of 6052	5424	msedge.exe	msedge.exe
PID 5424 wrote to memory of 6052	5424	msedge.exe	msedge.exe
PID 5424 wrote to memory of 6052	5424	msedge.exe	msedge.exe
PID 5424 wrote to memory of 6052	5424	msedge.exe	msedge.exe
PID 5424 wrote to memory of 6052	5424	msedge.exe	msedge.exe
PID 5424 wrote to memory of 6052	5424	msedge.exe	msedge.exe
PID 5424 wrote to memory of 6052	5424	msedge.exe	msedge.exe
PID 5424 wrote to memory of 6052	5424	msedge.exe	msedge.exe
PID 5424 wrote to memory of 6052	5424	msedge.exe	msedge.exe
PID 5424 wrote to memory of 6052	5424	msedge.exe	msedge.exe
PID 5424 wrote to memory of 6052	5424	msedge.exe	msedge.exe
PID 5424 wrote to memory of 6052	5424	msedge.exe	msedge.exe
PID 5424 wrote to memory of 6052	5424	msedge.exe	msedge.exe
PID 5424 wrote to memory of 6052	5424	msedge.exe	msedge.exe
PID 5424 wrote to memory of 6052	5424	msedge.exe	msedge.exe
PID 5424 wrote to memory of 6052	5424	msedge.exe	msedge.exe
PID 5424 wrote to memory of 6052	5424	msedge.exe	msedge.exe
PID 5424 wrote to memory of 6052	5424	msedge.exe	msedge.exe
PID 5424 wrote to memory of 6052	5424	msedge.exe	msedge.exe
PID 5424 wrote to memory of 6052	5424	msedge.exe	msedge.exe
PID 5424 wrote to memory of 6052	5424	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4056

C:\Users\Admin\AppData\Local\Temp\is-8QBM7.tmp\file.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8QBM7.tmp\file.tmp" /SL5="$90180,138982,55296,C:\Users\Admin\AppData\Local\Temp\file.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3900

C:\Users\Admin\AppData\Local\Temp\is-HOE0L.tmp\BOLTin1.exe
"C:\Users\Admin\AppData\Local\Temp\is-HOE0L.tmp\BOLTin1.exe" /S /UID=95
3⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1708

C:\Users\Admin\AppData\Local\Temp\5d-cb26e-fb5-6ada0-f3c2561eccb33\Gonylaxage.exe
"C:\Users\Admin\AppData\Local\Temp\5d-cb26e-fb5-6ada0-f3c2561eccb33\Gonylaxage.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
5⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd8,0x104,0x7ff997d046f8,0x7ff997d04708,0x7ff997d04718
6⤵
PID:5612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,15016032277569134948,1923495481644348227,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1980 /prefetch:2
6⤵
PID:6052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,15016032277569134948,1923495481644348227,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 /prefetch:3
6⤵
PID:6072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,15016032277569134948,1923495481644348227,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
6⤵
PID:6124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15016032277569134948,1923495481644348227,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1
6⤵
PID:3360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15016032277569134948,1923495481644348227,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
6⤵
PID:4568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15016032277569134948,1923495481644348227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
6⤵
PID:4404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15016032277569134948,1923495481644348227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
6⤵
PID:2156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15016032277569134948,1923495481644348227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
6⤵
PID:5864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15016032277569134948,1923495481644348227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
6⤵
PID:4188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,15016032277569134948,1923495481644348227,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
6⤵
PID:4656

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,15016032277569134948,1923495481644348227,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3928 /prefetch:8
6⤵
PID:5460

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
6⤵
- Drops file in Program Files directory
PID:6040

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff77bda5460,0x7ff77bda5470,0x7ff77bda5480
7⤵
PID:5364

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,15016032277569134948,1923495481644348227,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3928 /prefetch:8
6⤵
PID:5296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,15016032277569134948,1923495481644348227,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2716 /prefetch:2
6⤵
PID:640

C:\Users\Admin\AppData\Local\Temp\63-87c3a-973-96d8f-db8409f87f2dd\Gonylaxage.exe
"C:\Users\Admin\AppData\Local\Temp\63-87c3a-973-96d8f-db8409f87f2dd\Gonylaxage.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qwc4chcl.lno\gcleaner.exe /mixfive & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:5292

C:\Users\Admin\AppData\Local\Temp\qwc4chcl.lno\gcleaner.exe
C:\Users\Admin\AppData\Local\Temp\qwc4chcl.lno\gcleaner.exe /mixfive
6⤵
- Checks computer location settings
- Executes dropped EXE
PID:5444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5444 -s 452
7⤵
- Program crash
PID:5840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5444 -s 764
7⤵
- Program crash
PID:1708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5444 -s 772
7⤵
- Program crash
PID:5264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5444 -s 772
7⤵
- Program crash
PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5444 -s 820
7⤵
- Program crash
PID:228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5444 -s 984
7⤵
- Program crash
PID:3232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5444 -s 984
7⤵
- Program crash
PID:3088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5444 -s 1048
7⤵
- Program crash
PID:4468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5444 -s 1172
7⤵
- Program crash
PID:4108

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "gcleaner.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\qwc4chcl.lno\gcleaner.exe" & exit
7⤵
PID:5860

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "gcleaner.exe" /f
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5444 -s 1488
7⤵
- Program crash
PID:3356

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\2qfjd5mh.cu2\handdiy_3.exe & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:5496

C:\Users\Admin\AppData\Local\Temp\2qfjd5mh.cu2\handdiy_3.exe
C:\Users\Admin\AppData\Local\Temp\2qfjd5mh.cu2\handdiy_3.exe
6⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:5584

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
7⤵
PID:2700

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
8⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
7⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff994d99758,0x7ff994d99768,0x7ff994d99778
8⤵
PID:460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1800 --field-trial-handle=1824,i,3918879575603347500,1976169333575614859,131072 /prefetch:2
8⤵
PID:5864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 --field-trial-handle=1824,i,3918879575603347500,1976169333575614859,131072 /prefetch:8
8⤵
PID:3284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2176 --field-trial-handle=1824,i,3918879575603347500,1976169333575614859,131072 /prefetch:8
8⤵
PID:3836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3152 --field-trial-handle=1824,i,3918879575603347500,1976169333575614859,131072 /prefetch:1
8⤵
PID:2816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3180 --field-trial-handle=1824,i,3918879575603347500,1976169333575614859,131072 /prefetch:1
8⤵
PID:4196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3816 --field-trial-handle=1824,i,3918879575603347500,1976169333575614859,131072 /prefetch:1
8⤵
PID:5224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4620 --field-trial-handle=1824,i,3918879575603347500,1976169333575614859,131072 /prefetch:1
8⤵
PID:6064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4844 --field-trial-handle=1824,i,3918879575603347500,1976169333575614859,131072 /prefetch:8
8⤵
PID:3624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4984 --field-trial-handle=1824,i,3918879575603347500,1976169333575614859,131072 /prefetch:8
8⤵
PID:5464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 --field-trial-handle=1824,i,3918879575603347500,1976169333575614859,131072 /prefetch:8
8⤵
PID:3904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 --field-trial-handle=1824,i,3918879575603347500,1976169333575614859,131072 /prefetch:8
8⤵
PID:5108

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\m0ypogex.xyg\chenp.exe & exit
5⤵
PID:5868

C:\Users\Admin\AppData\Local\Temp\m0ypogex.xyg\chenp.exe
C:\Users\Admin\AppData\Local\Temp\m0ypogex.xyg\chenp.exe
6⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1752

C:\Users\Admin\AppData\Local\Temp\m0ypogex.xyg\chenp.exe
"C:\Users\Admin\AppData\Local\Temp\m0ypogex.xyg\chenp.exe" -h
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4152

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\4grklxsd.gtv\pb1117.exe & exit
5⤵
PID:3596

C:\Users\Admin\AppData\Local\Temp\4grklxsd.gtv\pb1117.exe
C:\Users\Admin\AppData\Local\Temp\4grklxsd.gtv\pb1117.exe
6⤵
- Executes dropped EXE
PID:3080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5444 -ip 5444
1⤵
PID:5668

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 5444 -ip 5444
1⤵
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5444 -ip 5444
1⤵
PID:5204

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
1⤵
- Process spawned unexpected child process
PID:5596

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",open
2⤵
- Loads dropped DLL
PID:5776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5776 -s 600
3⤵
- Program crash
PID:6040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5776 -ip 5776
1⤵
PID:5860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5444 -ip 5444
1⤵
PID:1172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5444 -ip 5444
1⤵
PID:112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5444 -ip 5444
1⤵
PID:2676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5444 -ip 5444
1⤵
PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5444 -ip 5444
1⤵
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 400 -p 5444 -ip 5444
1⤵
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5444 -ip 5444
1⤵
PID:6092

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5228

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Software Discovery

T1518

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\background.html
Filesize
786B

MD5
9ffe618d587a0685d80e9f8bb7d89d39

SHA1
8e9cae42c911027aafae56f9b1a16eb8dd7a739c

SHA256
a1064146f622fe68b94cd65a0e8f273b583449fbacfd6fd75fec1eaaf2ec8d6e

SHA512
a4e1f53d1e3bf0ff6893f188a510c6b3da37b99b52ddd560d4c90226cb14de6c9e311ee0a93192b1a26db2d76382eb2350dc30ab9db7cbd9ca0a80a507ea1a12

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\icon.png
Filesize
6KB

MD5
362695f3dd9c02c83039898198484188

SHA1
85dcacc66a106feca7a94a42fc43e08c806a0322

SHA256
40cfea52dbc50a8a5c250c63d825dcaad3f76e9588f474b3e035b587c912f4ca

SHA512
a04dc31a6ffc3bb5d56ba0fb03ecf93a88adc7193a384313d2955701bd99441ddf507aa0ddfc61dfc94f10a7e571b3d6a35980e61b06f98dd9eee424dc594a6f

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js
Filesize
13KB

MD5
4ff108e4584780dce15d610c142c3e62

SHA1
77e4519962e2f6a9fc93342137dbb31c33b76b04

SHA256
fc7e184beeda61bf6427938a84560f52348976bb55e807b224eb53930e97ef6a

SHA512
d6eee0fc02205a3422c16ad120cad8d871563d8fcd4bde924654eac5a37026726328f9a47240cf89ed6c9e93ba5f89c833e84e65eee7db2b4d7d1b4240deaef2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js
Filesize
20KB

MD5
c5174fa6143d8f36a645e894a8bf1d44

SHA1
51470622aa1778719cf4a687b80cbcd6ff12db29

SHA256
db0161c45710a06d63a53dd7eada640a3f06f727deb0890ccc4c5420d9f920c1

SHA512
018b06a53107be21443b79dea291490bffa2759b583c7cbb9911a462e72070b684fffa4a4c34d6a2048bbca7b169db5fab778ae3e568105024f1fcb8361d7d37

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js
Filesize
3KB

MD5
c31f14d9b1b840e4b9c851cbe843fc8f

SHA1
205e3a99dc6c0af0e2f4450ebaa49ebde8e76bb4

SHA256
03601415885fd5d8967c407f7320d53f4c9ca2ec33bbe767d73a1589c5e36c54

SHA512
2c3d7ed5384712a0013a2ebbc526e762f257e32199651192742282a9641946b6aea6235d848b1e8cb3b0f916f85d3708a14717a69cbcf081145bc634d11d75aa

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js
Filesize
84KB

MD5
a09e13ee94d51c524b7e2a728c7d4039

SHA1
0dc32db4aa9c5f03f3b38c47d883dbd4fed13aae

SHA256
160a426ff2894252cd7cebbdd6d6b7da8fcd319c65b70468f10b6690c45d02ef

SHA512
f8da8f95b6ed33542a88af19028e18ae3d9ce25350a06bfc3fbf433ed2b38fefa5e639cddfdac703fc6caa7f3313d974b92a3168276b3a016ceb28f27db0714a

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js
Filesize
604B

MD5
23231681d1c6f85fa32e725d6d63b19b

SHA1
f69315530b49ac743b0e012652a3a5efaed94f17

SHA256
03164b1ac43853fecdbf988ce900016fb174cf65b03e41c0a9a7bf3a95e8c26a

SHA512
36860113871707a08401f29ab2828545932e57a4ae99e727d8ca2a9f85518d3db3a4e5e4d46ac2b6ba09494fa9727c033d77c36c4bdc376ae048541222724bc2

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js
Filesize
268B

MD5
0f26002ee3b4b4440e5949a969ea7503

SHA1
31fc518828fe4894e8077ec5686dce7b1ed281d7

SHA256
282308ebc3702c44129438f8299839ca4d392a0a09fdf0737f08ef1e4aff937d

SHA512
4290a1aee5601fcbf1eb2beec9b4924c30cd218e94ae099b87ba72c9a4fa077e39d218fc723b8465d259028a6961cc07c0cd6896aa2f67e83f833ca023a80b11

Download Submit
C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\manifest.json
Filesize
1KB

MD5
05bfb082915ee2b59a7f32fa3cc79432

SHA1
c1acd799ae271bcdde50f30082d25af31c1208c3

SHA256
04392a223cc358bc79fcd306504e8e834d6febbff0f3496f2eb8451797d28aa1

SHA512
6feea1c8112ac33d117aef3f272b1cc42ec24731c51886ed6f8bc2257b91e4d80089e8ca7ce292cc2f39100a7f662bcc5c37e5622a786f8dc8ea46b8127152f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B

MD5
b1eca3d86aeb7ec1a07028b072b99f7d

SHA1
d7f75ad7dbb869efbb68d632dbe996f429eaef56

SHA256
39828780e85582868d49f93d14e4f1f02ee22f85e43ed502062b822a91e199d9

SHA512
b0a1c8b70aa382a63913f694657332729abd01dbcbd3d095231894a9f091504c4d0cab2f5fc7efae9b51deb0604442b148e26bf8631ecbe10324c3ab9ed6d89d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\5c5d3b47-0710-4e09-ad4d-b0626ceb46a8.tmp
Filesize
11KB

MD5
b44beee3c2c323a15b2854f5b3afa377

SHA1
bae1f47675c50f363d6cee5a3942d91e8cb56bb3

SHA256
c87d6788737a486a12e621e522286d431cc92683f596c8f6e5f9e563abd74f3c

SHA512
ebdfbabdafafd2318c27fcc1859331501a3b6ab2e707c25cf9718ca8467e396e1d87cff1e72c96d1efabc89ca2c2c4846b3eda62be051f81bf5ae9462d424cf2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
7ee01d90e0c58d3a3a256186c64e5ba4

SHA1
72c454bbf4c0f1e134e2953feb9d3ace6abaa2e9

SHA256
2241a670e16d80e4d0d745a22990b8f2003cb99713a0f5b2048b4e3170499a37

SHA512
11e575a3156321087054120ba9565bb4c0f94d0e1d7e9eae1830a908f01ff3fe667602e0a24bd30c004d4dd423689559fcb29f74d02b0ac2abb211ac2377075b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
371B

MD5
d05de6105971301e54221c2b3db9ce51

SHA1
e8ffee98f505bfe9ac530e4d26ea6c0445e5d35c

SHA256
660ba1944061d3b8b1b7557c135fe664e92694fa6e460852323b049e0a403f84

SHA512
340de0d1ac0b8815ad21e86ae1481d092136d97b3a91db3c43828201d655d62d8af3042eb88ff31c28c5eef26ba192adaa40f34af5ac660f577e45c66f93319b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
874B

MD5
48c3a3c48afcde34ffcace151ac59641

SHA1
782ffef1001ce1e935f22d98420d70edce658f4d

SHA256
8f7510caf2611d795624ac7e5b8a5b74167bca909c3036e6e0cf72d90b9343fd

SHA512
2afa937c482de933391e30c8014671fcd372a79aae8bc7c4f43a52a01296abf505938b55292db387e5cb158d11611bd40f5ea3c5c2e6fc6114ae64895c696352

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
874B

MD5
89858c9901a8f7d23f7cb6157b9dbcaf

SHA1
45d860d72a648bdb872d1254f98cd4e401fd7f69

SHA256
b992c3838eef53426596a0663878775ee2e69619a5bc38b48613a98220a91971

SHA512
5170b58f2ff14dcdebfc622b8923982387aea4463e478192f88dfacf20ce4c5f8c7a8b157e5bff4951fa1d5d07e8c65f1e71586824c4032c1504af1da8c467b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
c0460a37cbf9153469d50a64cb8e7cef

SHA1
df1634a340391495c55bedd1d98209c3cd95fede

SHA256
72a39bcd8b9ee4c8aaf6048c16b9128184dcf4034a81b869c40be93e6c02b753

SHA512
999529e3f5ab0eb8394d67e0678975bb85ca185b8d5c328a502cd44b2ff12913ce090534597f7bd104276e86524f38581d3a9d913427193f6e1c1bc05694cbce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
a4cfe79cfe2fb456b1f28a9453f87960

SHA1
40aa88bc30bd74b457a54a75829d8d3463f4e15e

SHA256
d78c3630465f4cafdbabd8648c6c03f779f8da7a08bf9bf47b68ed18b111c080

SHA512
ab684d0406a7acf2e06b8e538dad425e72a76706a2e44db09535f064cd0fde40963f486edee5c87579f332c06cd59cb72b388c64049bc23c8233537206129e43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
11KB

MD5
7374347769000209e7265c8232208b10

SHA1
5aeaf4b344aa465afd6cc6e1831d5a2a1a4f07d0

SHA256
a51358bceef037490c08acbccf5336396f3fbe8f00e3c941b25c76c4bb8439ba

SHA512
544a949ca9a5c6ac540b4e7a1cf759a2581c0240b4f27116c374fbfd66e3daec99f92a1c8b0695c337297fbdbc60f6695ce390fc9440f67bf69278c357aaf929

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\e1562692-caa5-4978-bdb8-8010abb1825f.tmp
Filesize
4KB

MD5
fc5675df32483c1e5f8b3b84dcab7c21

SHA1
a3dd1a6afbfea8ce0887fd61d33220525f4976db

SHA256
70718b425942dba4c4f33b4cd0e966ac48a4812380e90a7d41596b7619554015

SHA512
8cc5febb5eef45825a06eefc386b7084e02cf41fd2cfee0258281506d018574dbc3591f60339b265d2ced9a6589d648fed823c9910b9be9b27686f0024257612

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
141KB

MD5
1c9d9b8cfe15da7203155dc888f44a08

SHA1
058642492c4729ac4655b3b1767fe346364ec310

SHA256
6530346bc47f97c12478bc7b2d12a99f0be8abba98f6e2af5e3b33ae7f874280

SHA512
4967e807bf32a7ce8b8b77db8898846798f72d0c9a24d04b4c79789e62a0b9acc78a4f641f063bff10f2151849813d9b1e66b114d9fceefe40b1560843f7c8a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
b8c9383861d9295966a7f745d7b76a13

SHA1
d77273648971ec19128c344f78a8ffeb8a246645

SHA256
b75207c223dfc38fbb3dbf03107043a7dce74129d88053c9316350c97ac26d2e

SHA512
094e6978e09a6e762022e8ff57935a26b3171a0627639ca91a373bddd06092241d695b9f3b609ba60bc28e78a5c78cf0f072d79cd5769f1b9f6d873169f0df14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
91fa8f2ee8bf3996b6df4639f7ca34f7

SHA1
221b470deb37961c3ebbcc42a1a63e76fb3fe830

SHA256
e8e0588b16d612fa9d9989d16b729c082b4dd9bfca62564050cdb8ed03dd7068

SHA512
5415cd41f2f3bb5d9c7dadc59e347994444321cf8abe346b08e8c5a3fc6a5adae910eda43b4251ba4e317fbb7696c45dba9fd5e7fa61144c9b947206c7b999c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
72B

MD5
42379276c9788370990840466927413e

SHA1
03efcd10c3dd64f0960ece08c99dd00c2656f12c

SHA256
1cb9a9302eee4ac5c6137209ffd2ca8cdd445c13538fc31fae6ef3c23df51c28

SHA512
5b933005bcf2624640b5dad75c34dd07a58708c395c6331c8420566c89a5d6cc16f0f46712a3381a7b3704a9f1cf596cc47210d3a5d2de44a56e71884890c7a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
48B

MD5
ecf84d80c567fe6e4ecf1f12ff1bd70b

SHA1
e44a5e3ddf6c98cf60eb0fa4cb88f3380f6966a1

SHA256
f2ef4d8fef9e7189e6e01dcaed21c1a54091ac2ac1049f899cfaeed43b92e326

SHA512
96bfc373fdd93f1cda2d5ddaf97e97e66a6bd8cef7656df93bdd2052fe60eebd16f0c7b243dc2ea1293c038bd0fb4b47498fa7cff0ae1badcef25296f3efcfd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB

MD5
bb175af43b161540558cc3ab9872a9bb

SHA1
f0c9ac222b464507fa35f8b18589e0b7e397b3c8

SHA256
2f0672f6a4bbe03b61e500fdc0a8c548d7558b1f933d879da5e6a783dae68016

SHA512
9553525abb9192f712d01bd953fa3c44ac1cffbd028edfb7c384e6b3d67c58c305d25e523959c1f96a6a6e73354376448c56f9e7aa745d9fda69bfc1f1a67e6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
2643dc5cde7c2d2bd1bec61d573c0e3d

SHA1
bf47474386f191178a16464993add6ba8d0f22ce

SHA256
cd7dae87d6349b16d6c9ec686a7774107d8ce3082bd209cfd550cce86042fa91

SHA512
e695c77328c38ba095e694d63288cc4d0baf0228b9f194a880e639aac53206ef98aabb24de4a9ecf47ce6ec5556ffabe01020fe5a7e4875c1fca41e61de7fcac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
42bb9b76cb92912138ee18e29d3eed9f

SHA1
1d1a31562dd87997c64a6b7ff29ee87aee81edbd

SHA256
fa9310b0f33318a4c45ad240e9927edf7343eb6ffaf8b85e2a2904cb4482005f

SHA512
3830e528e96af5a70ab780add3c23a82456238e4dddada9770c2760b5a6cfbc76f709f5b6ec8aa8f39514a392bf0cfc35f6c5b7960e70c6b6d0104da6e8e2f95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
b538cef5df6afbf4a8a567c852f1f904

SHA1
946a32bab28a02fe6a1646a14962a147e1533a51

SHA256
0c1cf74455cbb66c07773796f61ca1a060317d3e9936ea427e34547c6db50576

SHA512
e3f4cb4ca6659ce2e7977f0acce3d5cba88028858a25d278fe79b9e0e5121e14d30f9b4eeb3a61681310b260f4794d2ef10d7e8ee60e61f2fba15de30f7f1a88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
a17f52418e3b9263f3c9cd670a0d2cae

SHA1
426ebcff30d035100fa16c463e33f77662e9338b

SHA256
477daebc20b705fcfd87eec0e4f812aea4ffa4747c8afb81fce2129be6267582

SHA512
4fb05d28c3864a4bf95cb9265112da2538ef2299381c28853b240de73160c94f6290291ad47134063512ae4959169c297a3dbe95c493af99c42eedb6c4d62a52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
60b345592703258c513cb5fc34a2f835

SHA1
39991bd7ea37e2fc394be3b253ef96ce04088a6d

SHA256
7e358b4f7553c9385e8eb2c5692d426bc257bbd4c0213e6c69294459734f6300

SHA512
0346fb4096eb285ab0fdf7e7ec38c4daf7bbb0c506f09975eb2290121d169a34c886fca342c3e06371cb697f2753a697ca4f72af7817ed340eee6063897110a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
d51748e394a48bc8696bc36208d58798

SHA1
55dd56dea34d12dd8af177278242983adf48e7e4

SHA256
177c4d747f3af62eb7ef7ddf541a8041aaa2633a7fb21b57d7a3b80ba7507255

SHA512
047756b6252f34e3286c70b54dea5000b372e590065c530f59f92ccc96661f89f8fe8770a67b405168403cbc25f2673f9bddf54be463015d53a81d4d121e94b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
efab995522f7411de041a7b68cdf8361

SHA1
c6fe584c75c29c21bed0afaef27e4aee70c89460

SHA256
9948d74e912d9777ebac14ef26a3becf8f90d73faf914088aa30b3c9f2bb6c53

SHA512
f14a71bca7f0c4a52c3040992292fbbc6cc1e1af246ac0f07fa5c300e057f8213cd955b5da6b64d2425ce34c13d5ffcb398ddf2539cf077a2011be83059fa489

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
9KB

MD5
1cd21c32bcb6645255fc9f62d285b211

SHA1
22e37950a9edde990794384da0a02e91b2257865

SHA256
7ab2037a2876b50a13ffb55a7ef663d8ce46817a029a0738db3de905b70ca506

SHA512
9992a9789f853bed98641a28ba63c7389add3f7575c581fce6cf6bd3ad9483e187f1a5277ce2bb9cbb8a6eb9e2e5a96ba066de1d2d8875e8549ded33e076388e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2qfjd5mh.cu2\handdiy_3.exe
Filesize
1.4MB

MD5
fce50d42c32ea7de3d5da455cd2ead3e

SHA1
7fcbe29cf60fb2f9ba1380a33747c3d6665316ad

SHA256
0b70ee102482780a5039700c0edfeb2d483b3f142bbf8ee23a5c364d626da672

SHA512
9df5dc04607eb51ef7944daffe0ba4cc593debcb2763577ef5fab2e6e47b68426060fc80dd3bef56db7425c860f0f1459619f8715c84492d22d83fc43f4a6e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\2qfjd5mh.cu2\handdiy_3.exe
Filesize
1.4MB

MD5
fce50d42c32ea7de3d5da455cd2ead3e

SHA1
7fcbe29cf60fb2f9ba1380a33747c3d6665316ad

SHA256
0b70ee102482780a5039700c0edfeb2d483b3f142bbf8ee23a5c364d626da672

SHA512
9df5dc04607eb51ef7944daffe0ba4cc593debcb2763577ef5fab2e6e47b68426060fc80dd3bef56db7425c860f0f1459619f8715c84492d22d83fc43f4a6e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\4grklxsd.gtv\pb1117.exe
Filesize
3.5MB

MD5
4f4b4c9d7e54d7c8618104b4b6b01c45

SHA1
6a8b99f41c4191b196314167583943d78a073fbc

SHA256
f475036583912df6509241b5ae205801e521ef08f8cf16a9af207cfbcc9470cc

SHA512
e4ef05c8f891742e003ecad009769ee4e1df8e4a107a5f6e2906a69f90d562343faf06650970a58ec51acdee85cb4d1a7a4be435461e13eea95d20cbcf5ec4a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\4grklxsd.gtv\pb1117.exe
Filesize
3.5MB

MD5
4f4b4c9d7e54d7c8618104b4b6b01c45

SHA1
6a8b99f41c4191b196314167583943d78a073fbc

SHA256
f475036583912df6509241b5ae205801e521ef08f8cf16a9af207cfbcc9470cc

SHA512
e4ef05c8f891742e003ecad009769ee4e1df8e4a107a5f6e2906a69f90d562343faf06650970a58ec51acdee85cb4d1a7a4be435461e13eea95d20cbcf5ec4a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\5d-cb26e-fb5-6ada0-f3c2561eccb33\Gonylaxage.exe
Filesize
399KB

MD5
1e8e3939ec32c19b2031d50cc9875084

SHA1
83cc7708448c52f5c184cc329fa11f4cfe9c2823

SHA256
5988245cd9d0c40bcb12155b966cb8ddd86da1107bca456341de5bd5fb560808

SHA512
0d3ad7c0865e421fad34e27a47108fdc9e359f8603c4c01f6d789d3ead6e6ac5815f979301870f8157fedaf8178ed34873fbff807807d46698249f098fc78caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\5d-cb26e-fb5-6ada0-f3c2561eccb33\Gonylaxage.exe
Filesize
399KB

MD5
1e8e3939ec32c19b2031d50cc9875084

SHA1
83cc7708448c52f5c184cc329fa11f4cfe9c2823

SHA256
5988245cd9d0c40bcb12155b966cb8ddd86da1107bca456341de5bd5fb560808

SHA512
0d3ad7c0865e421fad34e27a47108fdc9e359f8603c4c01f6d789d3ead6e6ac5815f979301870f8157fedaf8178ed34873fbff807807d46698249f098fc78caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\5d-cb26e-fb5-6ada0-f3c2561eccb33\Gonylaxage.exe
Filesize
399KB

MD5
1e8e3939ec32c19b2031d50cc9875084

SHA1
83cc7708448c52f5c184cc329fa11f4cfe9c2823

SHA256
5988245cd9d0c40bcb12155b966cb8ddd86da1107bca456341de5bd5fb560808

SHA512
0d3ad7c0865e421fad34e27a47108fdc9e359f8603c4c01f6d789d3ead6e6ac5815f979301870f8157fedaf8178ed34873fbff807807d46698249f098fc78caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\5d-cb26e-fb5-6ada0-f3c2561eccb33\Gonylaxage.exe.config
Filesize
1KB

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\63-87c3a-973-96d8f-db8409f87f2dd\Gonylaxage.exe
Filesize
463KB

MD5
fba3b4b12a0c6c9924132b149147a0a2

SHA1
a776068968a89ff9503e794e4ab0c04bbee6e5f6

SHA256
7403a6d53688cddeb84997cf90f616a3f25e79681b9c47074b5534f4e8b45890

SHA512
a1a41956ee97b4e590795a319d357f7f1b22115f5f663211af71cb14ffae879cb0fda743c7a016bb1a479d64dacee2f865e67f29d589d30d10b928a2bbb628ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\63-87c3a-973-96d8f-db8409f87f2dd\Gonylaxage.exe
Filesize
463KB

MD5
fba3b4b12a0c6c9924132b149147a0a2

SHA1
a776068968a89ff9503e794e4ab0c04bbee6e5f6

SHA256
7403a6d53688cddeb84997cf90f616a3f25e79681b9c47074b5534f4e8b45890

SHA512
a1a41956ee97b4e590795a319d357f7f1b22115f5f663211af71cb14ffae879cb0fda743c7a016bb1a479d64dacee2f865e67f29d589d30d10b928a2bbb628ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\63-87c3a-973-96d8f-db8409f87f2dd\Gonylaxage.exe
Filesize
463KB

MD5
fba3b4b12a0c6c9924132b149147a0a2

SHA1
a776068968a89ff9503e794e4ab0c04bbee6e5f6

SHA256
7403a6d53688cddeb84997cf90f616a3f25e79681b9c47074b5534f4e8b45890

SHA512
a1a41956ee97b4e590795a319d357f7f1b22115f5f663211af71cb14ffae879cb0fda743c7a016bb1a479d64dacee2f865e67f29d589d30d10b928a2bbb628ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\63-87c3a-973-96d8f-db8409f87f2dd\Gonylaxage.exe.config
Filesize
1KB

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\63-87c3a-973-96d8f-db8409f87f2dd\Kenessey.txt
Filesize
9B

MD5
97384261b8bbf966df16e5ad509922db

SHA1
2fc42d37fee2c81d767e09fb298b70c748940f86

SHA256
9c0d294c05fc1d88d698034609bb81c0c69196327594e4c69d2915c80fd9850c

SHA512
b77fe2d86fbc5bd116d6a073eb447e76a74add3fa0d0b801f97535963241be3cdce1dbcaed603b78f020d0845b2d4bfc892ceb2a7d1c8f1d98abc4812ef5af21

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dat
Filesize
557KB

MD5
76c3dbb1e9fea62090cdf53dadcbe28e

SHA1
d44b32d04adc810c6df258be85dc6b62bd48a307

SHA256
556fd54e5595d222cfa2bd353afa66d8d4d1fbb3003afed604672fceae991860

SHA512
de4ea57497cf26237430880742f59e8d2a0ac7e7a0b09ed7be590f36fbd08c9ced0ffe46eb69ec2215a9cff55720f24fffcae752cd282250b4da6b75a30b3a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\db.dll
Filesize
52KB

MD5
1b20e998d058e813dfc515867d31124f

SHA1
c9dc9c42a748af18ae1a8c882b90a2b9e3313e6f

SHA256
24a53033a2e89acf65f6a5e60d35cb223585817032635e81bf31264eb7dabd00

SHA512
79849fbdb9a9e7f7684b570d14662448b093b8aa2b23dfd95856db3a78faf75a95d95c51b8aa8506c4fbecffebcc57cd153dda38c830c05b8cd38629fae673c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8QBM7.tmp\file.tmp
Filesize
693KB

MD5
a926ae0ea031d6db49d5d679003ef95c

SHA1
03657bd9d3de4c69f8a30aab28eceaced746c68b

SHA256
1ec67071cc0dfea4a41830ef4982f42d6e42d831477d1e1dcadd6d13ab88bb8c

SHA512
5bf58812bf5bdbb6ce94949b58d2b8d3149a1d8a5457eb6c492c77fc51dbbd3ce2780133afd8276481a6c7abb683cee5a41dc262bd98164713691b37144726c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HOE0L.tmp\BOLTin1.exe
Filesize
582KB

MD5
f6c312d7bc53140df83864221e8ebee1

SHA1
da7ad1f5fa18bf00c3352cb510554b061bbfe04f

SHA256
e119a3b5fcb628740e8313a44d312296fd03771d9ed727b10b58aae29192a2db

SHA512
38c9d9b32fd1ee096f23ee62b5e64cc962f21a85d07ea32860d45d5e8249474d28239238a635cf69db30fd3f035c7c93dcce264a9e8288dbef70ffe2a493922a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HOE0L.tmp\BOLTin1.exe
Filesize
582KB

MD5
f6c312d7bc53140df83864221e8ebee1

SHA1
da7ad1f5fa18bf00c3352cb510554b061bbfe04f

SHA256
e119a3b5fcb628740e8313a44d312296fd03771d9ed727b10b58aae29192a2db

SHA512
38c9d9b32fd1ee096f23ee62b5e64cc962f21a85d07ea32860d45d5e8249474d28239238a635cf69db30fd3f035c7c93dcce264a9e8288dbef70ffe2a493922a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HOE0L.tmp\idp.dll
Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\m0ypogex.xyg\chenp.exe
Filesize
312KB

MD5
dc719929115e50ed4383bcc7f7182be3

SHA1
562e69bdf814c156872fd6ad6a3d0116b0304516

SHA256
5b0708551a5c3cf9932c8aea5e890e3f2abe7b7b5911cefebc6155d20692e365

SHA512
34b1dda47ff7a20052f582f4874dc35f4e768558baf8727419d5f91ec2f8c6e28d2a6bc0253975e6bac5d45edfa1edd09aabc5339d2caade73418b73096b9404

Download Submit
C:\Users\Admin\AppData\Local\Temp\m0ypogex.xyg\chenp.exe
Filesize
312KB

MD5
dc719929115e50ed4383bcc7f7182be3

SHA1
562e69bdf814c156872fd6ad6a3d0116b0304516

SHA256
5b0708551a5c3cf9932c8aea5e890e3f2abe7b7b5911cefebc6155d20692e365

SHA512
34b1dda47ff7a20052f582f4874dc35f4e768558baf8727419d5f91ec2f8c6e28d2a6bc0253975e6bac5d45edfa1edd09aabc5339d2caade73418b73096b9404

Download Submit
C:\Users\Admin\AppData\Local\Temp\m0ypogex.xyg\chenp.exe
Filesize
312KB

MD5
dc719929115e50ed4383bcc7f7182be3

SHA1
562e69bdf814c156872fd6ad6a3d0116b0304516

SHA256
5b0708551a5c3cf9932c8aea5e890e3f2abe7b7b5911cefebc6155d20692e365

SHA512
34b1dda47ff7a20052f582f4874dc35f4e768558baf8727419d5f91ec2f8c6e28d2a6bc0253975e6bac5d45edfa1edd09aabc5339d2caade73418b73096b9404

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwc4chcl.lno\gcleaner.exe
Filesize
281KB

MD5
a7a20cf810653bc9ef0bfce74137dc7e

SHA1
3169cdc49a119a5615bf0aaaac7b9d680755de65

SHA256
7de3c029670d2a4b0a001d3470560699e58ed1eb615a45a3aaa326b0b922fd8b

SHA512
d68bca9a6fe1586ed6c9e5e35e570008239dc92ae701a817672cca0acfa22c3494b53d27ee084e0f4c55ce28e6bfd4fe5e5b3ea7ea8f3e77a928fef97e9f94b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwc4chcl.lno\gcleaner.exe
Filesize
281KB

MD5
a7a20cf810653bc9ef0bfce74137dc7e

SHA1
3169cdc49a119a5615bf0aaaac7b9d680755de65

SHA256
7de3c029670d2a4b0a001d3470560699e58ed1eb615a45a3aaa326b0b922fd8b

SHA512
d68bca9a6fe1586ed6c9e5e35e570008239dc92ae701a817672cca0acfa22c3494b53d27ee084e0f4c55ce28e6bfd4fe5e5b3ea7ea8f3e77a928fef97e9f94b4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
3KB

MD5
11d62ea5f950ac84ccd336e33d145241

SHA1
0f8e5d9f0b6573a0b13b3ae40b02469bda8fcc8d

SHA256
9a9961c663796403a628b6714b72a601d5b0d7345cf3ed2bc4e2a64797d98519

SHA512
79a58b48e234d970893e443c67a6ad966f184449ab10d3a7a29c15844da8f9f02602c0ba1acdc5b13f8b88b5f76b441e80e41bb6599b278d94db8dd213f694a0

Download Submit
\??\pipe\LOCAL\crashpad_5424_SJDFNQNXDIPTUAHM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_2364_LVHSBENTQDEQILNN
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1708-152-0x000000001B810000-0x000000001B820000-memory.dmp

Filesize
64KB

Download
memory/1708-183-0x000000001B5E0000-0x000000001B72E000-memory.dmp

Filesize
1.3MB

Download
memory/1708-151-0x0000000000AA0000-0x0000000000B36000-memory.dmp

Filesize
600KB

Download
memory/1844-299-0x00000000014E0000-0x00000000014F0000-memory.dmp

Filesize
64KB

Download
memory/1844-198-0x000000001BFA0000-0x000000001BFFE000-memory.dmp

Filesize
376KB

Download
memory/1844-191-0x00000000009F0000-0x0000000000A5A000-memory.dmp

Filesize
424KB

Download
memory/1844-192-0x00000000014E0000-0x00000000014F0000-memory.dmp

Filesize
64KB

Download
memory/1928-194-0x000000001B7D0000-0x000000001B836000-memory.dmp

Filesize
408KB

Download
memory/1928-193-0x0000000001290000-0x00000000012A0000-memory.dmp

Filesize
64KB

Download
memory/1928-313-0x0000000001290000-0x00000000012A0000-memory.dmp

Filesize
64KB

Download
memory/1928-190-0x0000000000940000-0x00000000009BA000-memory.dmp

Filesize
488KB

Download
memory/1928-345-0x0000000001290000-0x00000000012A0000-memory.dmp

Filesize
64KB

Download
memory/1928-195-0x000000001BFA0000-0x000000001C46E000-memory.dmp

Filesize
4.8MB

Download
memory/1928-203-0x0000000021650000-0x00000000216B2000-memory.dmp

Filesize
392KB

Download
memory/1928-196-0x000000001C630000-0x000000001C6CC000-memory.dmp

Filesize
624KB

Download
memory/1928-197-0x000000001D010000-0x000000001D018000-memory.dmp

Filesize
32KB

Download
memory/1928-200-0x0000000001290000-0x00000000012A0000-memory.dmp

Filesize
64KB

Download
memory/1928-199-0x000000001FD20000-0x000000002002E000-memory.dmp

Filesize
3.1MB

Download
memory/3080-346-0x0000000140000000-0x0000000140619000-memory.dmp

Filesize
6.1MB

Download
memory/3624-496-0x00007FF9B6440000-0x00007FF9B6441000-memory.dmp

Filesize
4KB

Download
memory/3624-495-0x00007FF9B7350000-0x00007FF9B7351000-memory.dmp

Filesize
4KB

Download
memory/3900-187-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/3900-146-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/4056-133-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4056-189-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5444-219-0x0000000002290000-0x00000000022D0000-memory.dmp

Filesize
256KB

Download
memory/5444-362-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/5444-428-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/5864-445-0x00007FF9B6350000-0x00007FF9B6351000-memory.dmp

Filesize
4KB

Download
memory/6124-235-0x00007FF9B6350000-0x00007FF9B6351000-memory.dmp

Filesize
4KB

Download