9863810288b859ab409fef7d079966b55391181194465c1242bd62c95de582ed

Analysis

max time kernel
190s
max time network
198s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04-12-2022 05:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9863810288b859ab409fef7d079966b55391181194465c1242bd62c95de582ed.exe
Size

596KB
MD5

18ee5f00933f9f9d88b03b0434d51419
SHA1

65ec87ab6092870264427de586819495bb12b9dc
SHA256

9863810288b859ab409fef7d079966b55391181194465c1242bd62c95de582ed
SHA512

b01bbacdb60f52dcf28af7d3049de6d6bf7d44b5f3de167350ab32188dbccba5281451971d8fb512ec4c9ff1cb22742daa1f094b5af6e5580ae382972840c06b
SSDEEP

12288:t9T9h92AH0dOKrl7gGEvofiRz9QE+gd1m2UgMFA+l0IPIM:tV9hILcQgtJ/QEVgZr

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

setup_p45.exeWebGame.exe

pid process

1468 setup_p45.exe
1824 WebGame.exe
Drops startup file 1 IoCs

Processes:

setup_p45.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5DÓÎÏ·´óÌü.lnk setup_p45.exe

pid	process
1468	setup_p45.exe
1824	WebGame.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5DÓÎÏ·´óÌü.lnk	setup_p45.exe

Loads dropped DLL 16 IoCs

Processes:

9863810288b859ab409fef7d079966b55391181194465c1242bd62c95de582ed.exesetup_p45.exeWebGame.exeregsvr32.exe

pid	process
1140	9863810288b859ab409fef7d079966b55391181194465c1242bd62c95de582ed.exe
1468	setup_p45.exe
1468	setup_p45.exe
1468	setup_p45.exe
1468	setup_p45.exe
1468	setup_p45.exe
1468	setup_p45.exe
1468	setup_p45.exe
1468	setup_p45.exe
1468	setup_p45.exe
1468	setup_p45.exe
1468	setup_p45.exe
1824	WebGame.exe
1824	WebGame.exe
1964	regsvr32.exe
1824	WebGame.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

WebGame.exe

description ioc process

File opened for modification \??\PhysicalDrive0 WebGame.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	WebGame.exe

Drops file in Program Files directory 64 IoCs

Processes:

setup_p45.exe

description	ioc	process
File created	C:\Program Files (x86)\5DGame\skin\default\bg_popup.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\btn_login_bg03.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\btn_more01.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\top_next01.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\skin.xml.bak	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\icon_gdyx.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\skin.xml	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\top_close03.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\top_small03.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\top_small01.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\skin.xml	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\bg_hide.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\btn_zhuce_bg03.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\icon_qj.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\icon_sx.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\toolbar_nav02.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\top_restore01.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\icon_gw.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\icon_qp.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\nav_bg03.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\top_big02.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\btn_bottom_bg03.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\btn_kefu02.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\icon_kfzx.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\icon_shezhi.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\top_prev01.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\btn_bottom_bg02.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\btn_login_bg02.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\btn_zhuce_bg01.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\icon_yxdt.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\nav_bg01.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\nav_bg_yxdt01.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\bg_login.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\Thumbs.db	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\btn_back_bg01.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\icon_cz.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\top_next03.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\top_small02.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\WebGame.exe	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\btn_back_bg03.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\icon_3653.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\icon_ht.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\icon_lt.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\icon_zhaq.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\nav_bg_yxdt02.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\top_big01.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\btn_more03.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\top_close02.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\¸´¼þ skin.xml	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\btn_more02.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\nav_bg031.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\top_close01.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\bg_main.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\btn_back_bg02.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\btn_zhuce_bg02.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\toolbar_bg01.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\toolbar_nav03.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\top_restore03.png	setup_p45.exe
File opened for modification	C:\Program Files (x86)\5DGame\5DÓÎÏ·´óÌü.url	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\btn_login_bg01.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\pop_close02.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\top_next02.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\skin\default\top_restore02.png	setup_p45.exe
File created	C:\Program Files (x86)\5DGame\fancygame.ocx	setup_p45.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 6 IoCs

installer

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\setup_p45.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\setup_p45.exe	nsis_installer_2
C:\Users\Admin\AppData\Local\Temp\setup_p45.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\setup_p45.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\setup_p45.exe	nsis_installer_2
\Users\Admin\AppData\Local\Temp\setup_p45.exe	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 61 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{840386A1-739E-11ED-8AA1-4ADA2A0CA6C6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 807e5780ab07d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{84035F91-739E-11ED-8AA1-4ADA2A0CA6C6} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376901008"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da000000000200000000001066000000010000200000007e7524454497a77b25db2337ae6edd916df73bfed9dea9cf0e1e94c613e8f87d000000000e80000000020000200000002cd447d1313192909205ec482e424389fe7a873dd01f03f36a04e2d30dd2797e200000006dfbcdd97487fc299515a6acfb1567d3ea5dccacbcc149762e6e22d1eacfd48840000000badfb2e415ac424e485fabaa08e41f4fd3b4a7d64b5dd304c43017a25da58073c322926aac884d8f5f499f51833336206ac6413ce64dfa6336c9dc395b3b2053	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000256ed27e8919d04f83812f84ee5c95da000000000200000000001066000000010000200000009bf3f10ee357f155adcc18995d392a036cb2229b6c48dba7656e3f0425e96583000000000e80000000020000200000008cae0c94f53c3757d5d9cee9409bbfe297d3bd1bc9178ff89218ab76aeb81ab1900000000f747cf400d451b8e32c0df9f73c0e4f942d9724fe04cd6b7d3323facaef77d0b507edc45086ff4fd403ce3b4382c194965113422e1e6f85c0eb4e63520925c514f63246e38f18de0485c76e1edf072292b9283c95971061b94560d14affb0df988d26373d12bfbc110e1f87872ab92a77dd1b27333fa7eebec1e5f6f99f997e3bb52ffc24d8b3839a573f235d362ae940000000eb431053d7a40a1d83dcee4c901c9248590566a34da8761753bf0e07a893299340a4db9a12eede1c7db84d506dda259b91b34ae260f2f1dfcb76ef20e38c48b8	iexplore.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{32B34856-4FE5-44C6-888B-3C111AB18606}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{32B34856-4FE5-44C6-888B-3C111AB18606}\1.0\0\win32\ = "C:\\Program Files (x86)\\5DGame\\fancygame.ocx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2E8D85E-C0C5-48DF-8DBC-1359B339AE32}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FANCY3DOCX.Fancy3DOCXCtrl.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2E8D85E-C0C5-48DF-8DBC-1359B339AE32}\ProgID\ = "FANCY3DOCX.Fancy3DOCXCtrl.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2E8D85E-C0C5-48DF-8DBC-1359B339AE32}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{32B34856-4FE5-44C6-888B-3C111AB18606}\1.0\FLAGS\ = "2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D490692-7713-45BA-BCCE-F18E84A4BAE1}\ = "_DFancy3DOCX"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D490692-7713-45BA-BCCE-F18E84A4BAE1}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D490692-7713-45BA-BCCE-F18E84A4BAE1}\TypeLib\ = "{32B34856-4FE5-44C6-888B-3C111AB18606}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6CF31DA5-B148-4811-A05C-2B0378D39626}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F2F0427-C756-4B4A-A14D-27C2CCEEF130}\ = "Fancy3DOCX Property Page"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{32B34856-4FE5-44C6-888B-3C111AB18606}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{32B34856-4FE5-44C6-888B-3C111AB18606}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D490692-7713-45BA-BCCE-F18E84A4BAE1}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6CF31DA5-B148-4811-A05C-2B0378D39626}\ = "_DFancy3DOCXEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2E8D85E-C0C5-48DF-8DBC-1359B339AE32}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2E8D85E-C0C5-48DF-8DBC-1359B339AE32}\InprocServer32\ = "C:\\PROGRA~2\\5DGame\\FANCYG~1.OCX"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2E8D85E-C0C5-48DF-8DBC-1359B339AE32}\MiscStatus\1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2E8D85E-C0C5-48DF-8DBC-1359B339AE32}\Control	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D490692-7713-45BA-BCCE-F18E84A4BAE1}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6CF31DA5-B148-4811-A05C-2B0378D39626}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6CF31DA5-B148-4811-A05C-2B0378D39626}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2E8D85E-C0C5-48DF-8DBC-1359B339AE32}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2E8D85E-C0C5-48DF-8DBC-1359B339AE32}\ToolboxBitmap32\ = "C:\\PROGRA~2\\5DGame\\FANCYG~1.OCX, 1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6CF31DA5-B148-4811-A05C-2B0378D39626}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6CF31DA5-B148-4811-A05C-2B0378D39626}\TypeLib\ = "{32B34856-4FE5-44C6-888B-3C111AB18606}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F2F0427-C756-4B4A-A14D-27C2CCEEF130}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2E8D85E-C0C5-48DF-8DBC-1359B339AE32}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7AE7497B-CAD8-4E66-A58B-DDE9BCAF6B61}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D490692-7713-45BA-BCCE-F18E84A4BAE1}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D490692-7713-45BA-BCCE-F18E84A4BAE1}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6CF31DA5-B148-4811-A05C-2B0378D39626}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D490692-7713-45BA-BCCE-F18E84A4BAE1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D490692-7713-45BA-BCCE-F18E84A4BAE1}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6CF31DA5-B148-4811-A05C-2B0378D39626}\TypeLib\ = "{32B34856-4FE5-44C6-888B-3C111AB18606}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2E8D85E-C0C5-48DF-8DBC-1359B339AE32}\Control\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{32B34856-4FE5-44C6-888B-3C111AB18606}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{32B34856-4FE5-44C6-888B-3C111AB18606}\1.0\HELPDIR\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D490692-7713-45BA-BCCE-F18E84A4BAE1}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6CF31DA5-B148-4811-A05C-2B0378D39626}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F2F0427-C756-4B4A-A14D-27C2CCEEF130}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FANCY3DOCX.Fancy3DOCXCtrl.1\ = "Fancy3DOCX Control"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2E8D85E-C0C5-48DF-8DBC-1359B339AE32}\MiscStatus\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7AE7497B-CAD8-4E66-A58B-DDE9BCAF6B61}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6CF31DA5-B148-4811-A05C-2B0378D39626}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7F2F0427-C756-4B4A-A14D-27C2CCEEF130}\InprocServer32\ = "C:\\PROGRA~2\\5DGame\\FANCYG~1.OCX"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2E8D85E-C0C5-48DF-8DBC-1359B339AE32}\MiscStatus\1\ = "131473"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7AE7497B-CAD8-4E66-A58B-DDE9BCAF6B61}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D490692-7713-45BA-BCCE-F18E84A4BAE1}\TypeLib\ = "{32B34856-4FE5-44C6-888B-3C111AB18606}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FANCY3DOCX.Fancy3DOCXCtrl.1\CLSID\ = "{B2E8D85E-C0C5-48DF-8DBC-1359B339AE32}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2E8D85E-C0C5-48DF-8DBC-1359B339AE32}\ToolboxBitmap32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{32B34856-4FE5-44C6-888B-3C111AB18606}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D490692-7713-45BA-BCCE-F18E84A4BAE1}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6CF31DA5-B148-4811-A05C-2B0378D39626}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FANCY3DOCX.Fancy3DOCXCtrl.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7AE7497B-CAD8-4E66-A58B-DDE9BCAF6B61}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{32B34856-4FE5-44C6-888B-3C111AB18606}\1.0\ = "Fancy3DOCX ActiveX Control module"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2E8D85E-C0C5-48DF-8DBC-1359B339AE32}\TypeLib\ = "{32B34856-4FE5-44C6-888B-3C111AB18606}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2E8D85E-C0C5-48DF-8DBC-1359B339AE32}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B2E8D85E-C0C5-48DF-8DBC-1359B339AE32}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

WebGame.exe

description pid process

Token: 33 1824 WebGame.exe
Token: SeIncBasePriorityPrivilege 1824 WebGame.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

iexplore.exeiexplore.exeWebGame.exe

pid process

1060 iexplore.exe
744 iexplore.exe
1824 WebGame.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

WebGame.exe

pid process

1824 WebGame.exe

description	pid	process
Token: 33	1824	WebGame.exe
Token: SeIncBasePriorityPrivilege	1824	WebGame.exe

pid	process
1060	iexplore.exe
744	iexplore.exe
1824	WebGame.exe

pid	process
1824	WebGame.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

9863810288b859ab409fef7d079966b55391181194465c1242bd62c95de582ed.exeiexplore.exeiexplore.exeWebGame.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
1140	9863810288b859ab409fef7d079966b55391181194465c1242bd62c95de582ed.exe
744	iexplore.exe
744	iexplore.exe
1060	iexplore.exe
1060	iexplore.exe
1824	WebGame.exe
1824	WebGame.exe
296	IEXPLORE.EXE
296	IEXPLORE.EXE
1944	IEXPLORE.EXE
1944	IEXPLORE.EXE
1824	WebGame.exe
1824	WebGame.exe
1944	IEXPLORE.EXE
1944	IEXPLORE.EXE
1824	WebGame.exe
1824	WebGame.exe
1824	WebGame.exe

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

9863810288b859ab409fef7d079966b55391181194465c1242bd62c95de582ed.exeexplorer.exeexplorer.exeiexplore.exeiexplore.exesetup_p45.exe

description	pid	process	target process
PID 1140 wrote to memory of 672	1140	9863810288b859ab409fef7d079966b55391181194465c1242bd62c95de582ed.exe	explorer.exe
PID 1140 wrote to memory of 672	1140	9863810288b859ab409fef7d079966b55391181194465c1242bd62c95de582ed.exe	explorer.exe
PID 1140 wrote to memory of 672	1140	9863810288b859ab409fef7d079966b55391181194465c1242bd62c95de582ed.exe	explorer.exe
PID 1140 wrote to memory of 672	1140	9863810288b859ab409fef7d079966b55391181194465c1242bd62c95de582ed.exe	explorer.exe
PID 1140 wrote to memory of 472	1140	9863810288b859ab409fef7d079966b55391181194465c1242bd62c95de582ed.exe	explorer.exe
PID 1140 wrote to memory of 472	1140	9863810288b859ab409fef7d079966b55391181194465c1242bd62c95de582ed.exe	explorer.exe
PID 1140 wrote to memory of 472	1140	9863810288b859ab409fef7d079966b55391181194465c1242bd62c95de582ed.exe	explorer.exe
PID 1140 wrote to memory of 472	1140	9863810288b859ab409fef7d079966b55391181194465c1242bd62c95de582ed.exe	explorer.exe
PID 1140 wrote to memory of 1468	1140	9863810288b859ab409fef7d079966b55391181194465c1242bd62c95de582ed.exe	setup_p45.exe
PID 1140 wrote to memory of 1468	1140	9863810288b859ab409fef7d079966b55391181194465c1242bd62c95de582ed.exe	setup_p45.exe
PID 1140 wrote to memory of 1468	1140	9863810288b859ab409fef7d079966b55391181194465c1242bd62c95de582ed.exe	setup_p45.exe
PID 1140 wrote to memory of 1468	1140	9863810288b859ab409fef7d079966b55391181194465c1242bd62c95de582ed.exe	setup_p45.exe
PID 1140 wrote to memory of 1468	1140	9863810288b859ab409fef7d079966b55391181194465c1242bd62c95de582ed.exe	setup_p45.exe
PID 1140 wrote to memory of 1468	1140	9863810288b859ab409fef7d079966b55391181194465c1242bd62c95de582ed.exe	setup_p45.exe
PID 1140 wrote to memory of 1468	1140	9863810288b859ab409fef7d079966b55391181194465c1242bd62c95de582ed.exe	setup_p45.exe
PID 632 wrote to memory of 1060	632	explorer.exe	iexplore.exe
PID 632 wrote to memory of 1060	632	explorer.exe	iexplore.exe
PID 632 wrote to memory of 1060	632	explorer.exe	iexplore.exe
PID 572 wrote to memory of 744	572	explorer.exe	iexplore.exe
PID 572 wrote to memory of 744	572	explorer.exe	iexplore.exe
PID 572 wrote to memory of 744	572	explorer.exe	iexplore.exe
PID 744 wrote to memory of 1944	744	iexplore.exe	IEXPLORE.EXE
PID 744 wrote to memory of 1944	744	iexplore.exe	IEXPLORE.EXE
PID 744 wrote to memory of 1944	744	iexplore.exe	IEXPLORE.EXE
PID 744 wrote to memory of 1944	744	iexplore.exe	IEXPLORE.EXE
PID 1060 wrote to memory of 296	1060	iexplore.exe	IEXPLORE.EXE
PID 1060 wrote to memory of 296	1060	iexplore.exe	IEXPLORE.EXE
PID 1060 wrote to memory of 296	1060	iexplore.exe	IEXPLORE.EXE
PID 1060 wrote to memory of 296	1060	iexplore.exe	IEXPLORE.EXE
PID 1468 wrote to memory of 1964	1468	setup_p45.exe	regsvr32.exe
PID 1468 wrote to memory of 1964	1468	setup_p45.exe	regsvr32.exe
PID 1468 wrote to memory of 1964	1468	setup_p45.exe	regsvr32.exe
PID 1468 wrote to memory of 1964	1468	setup_p45.exe	regsvr32.exe
PID 1468 wrote to memory of 1964	1468	setup_p45.exe	regsvr32.exe
PID 1468 wrote to memory of 1964	1468	setup_p45.exe	regsvr32.exe
PID 1468 wrote to memory of 1964	1468	setup_p45.exe	regsvr32.exe
PID 1468 wrote to memory of 1824	1468	setup_p45.exe	WebGame.exe
PID 1468 wrote to memory of 1824	1468	setup_p45.exe	WebGame.exe
PID 1468 wrote to memory of 1824	1468	setup_p45.exe	WebGame.exe
PID 1468 wrote to memory of 1824	1468	setup_p45.exe	WebGame.exe
PID 1468 wrote to memory of 1824	1468	setup_p45.exe	WebGame.exe
PID 1468 wrote to memory of 1824	1468	setup_p45.exe	WebGame.exe
PID 1468 wrote to memory of 1824	1468	setup_p45.exe	WebGame.exe

C:\Users\Admin\AppData\Local\Temp\9863810288b859ab409fef7d079966b55391181194465c1242bd62c95de582ed.exe
"C:\Users\Admin\AppData\Local\Temp\9863810288b859ab409fef7d079966b55391181194465c1242bd62c95de582ed.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1140

C:\Windows\SysWOW64\explorer.exe
explorer.exe "http://www.netgy.com/cpm/10102/10194.jsp?s=11054&dm=2"
2⤵
PID:672

C:\Windows\SysWOW64\explorer.exe
explorer.exe "http://www.netgy.com/cpm/10191/10331.jsp?s=11054&dm=2"
2⤵
PID:472

C:\Users\Admin\AppData\Local\Temp\setup_p45.exe
"C:\Users\Admin\AppData\Local\Temp\setup_p45.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 "C:\Program Files (x86)\5DGame\fancygame.ocx" /s
3⤵
- Loads dropped DLL
- Modifies registry class
PID:1964

C:\Program Files (x86)\5DGame\WebGame.exe
"C:\Program Files (x86)\5DGame\WebGame.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1824

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:572

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.netgy.com/cpm/10102/10194.jsp?s=11054&dm=2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:744

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:744 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1944

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:632

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.netgy.com/cpm/10191/10331.jsp?s=11054&dm=2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1060

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1060 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:296

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\5DGame\WebGame.exe
Filesize
577KB

MD5
345ab504856eb9ea7dad32e01d562f30

SHA1
0e47b5e575466695893d3447738e074580392f2e

SHA256
39c542f82d9b2dcd202d17d0805d50afe21463319cdfda9161fd3db9d6d33eb5

SHA512
ffe1a2054d2f48bc7c74ae8e425a1c69631bdcfd0e9759b956c7569cd05f77b7d4c5d7850dd0d03e2bbb6a6302e8321a019f0c4efce29f48b5ec908fe9dd0df3

Download Submit
C:\Program Files (x86)\5DGame\WebGame.exe
Filesize
577KB

MD5
345ab504856eb9ea7dad32e01d562f30

SHA1
0e47b5e575466695893d3447738e074580392f2e

SHA256
39c542f82d9b2dcd202d17d0805d50afe21463319cdfda9161fd3db9d6d33eb5

SHA512
ffe1a2054d2f48bc7c74ae8e425a1c69631bdcfd0e9759b956c7569cd05f77b7d4c5d7850dd0d03e2bbb6a6302e8321a019f0c4efce29f48b5ec908fe9dd0df3

Download Submit
C:\Program Files (x86)\5DGame\fancygame.ocx
Filesize
506KB

MD5
5ca1ca33127d71eff439da94fb116682

SHA1
a445847bb60ac03a6e5165893051bdf486dd6a7f

SHA256
6381e0e596d366141028771f63726200235e27ea9ed2267671f50319144cebd2

SHA512
36d1b7ceac1ed42e316a34d6f58ce1523d5a66feb809aaf1ea7c51ad3822ea4de6775cbad0da53afb8d8548ca4cfa86333254e3e5c357334f5fe3b792f19ce1f

Download Submit
C:\Program Files (x86)\5DGame\skin\default\bg_main.png
Filesize
3KB

MD5
8989ed5d6354f7b864498b5b2eaa2223

SHA1
cc554ffe2a7e726a732f2196ac13209487d3c81c

SHA256
c65b7045b0ea0ad944e5188f8924a411156c0c8631cad06c51c38aa37eaa1fe8

SHA512
0af49646eb077c80901b5021c261b3f1c91f2d178a04c1778b47a50c35c8e00c7eaa93ed54e8e0412d14dc2d03d95d092e13a7538616fe9eb5383d8a99e2e187

Download Submit
C:\Program Files (x86)\5DGame\skin\default\btn_kefu02.png
Filesize
218B

MD5
3e7f3bac1531e4ea3b1a8a2933c58e11

SHA1
0a40955bf64bf06f01713206cb5a5f96bffaf9e7

SHA256
46ac63ee266d74043cf506c87a94c943aea5c0c91a2a8093a7fc7338db0092a2

SHA512
e3bc726b0272cdf61cec6315f68ab5f448437ad9f2b15802f37fbc4efeecb4a49b8598799dfe92d2c0908ea3ce0f6c439bf0dbe9a12325839eff780f0aec6d2f

Download Submit
C:\Program Files (x86)\5DGame\skin\default\btn_kefu03.png
Filesize
257B

MD5
f507fedcc95f7767709973b51e9790df

SHA1
296eef2e57be7af71c5ca4a015d84857c82d7f9f

SHA256
86b25f8662f517e3675e06ade5f6b46fc8eee87dd8d4ba827d04f3413dd9b0d0

SHA512
a92a3ed6f752685a457835f416f6291625db17e2dabbe0f4c9a2b6329c0be026306f90bae2ccddf2fce22b873fbb49147f742e15987d369eb0df605ee1cd1f8a

Download Submit
C:\Program Files (x86)\5DGame\skin\default\btn_more01.png
Filesize
286B

MD5
8f439b42bf3354063bcb52e890cb4c65

SHA1
94a690dee5b863bd77a5e9d6685b5b2933b449c9

SHA256
2dfd17918d8e4ef94ceac0ac21c1cd619cf9c56afb221faf40736b3f96bfb050

SHA512
bf59a3c46b5ed58a501d9e613daf97467a3627852a2e5add5cbc7276a5e530cf3e2052cd4df06c79ed41051a0231990c3d877ccea46591f5f4c1039a23c2caac

Download Submit
C:\Program Files (x86)\5DGame\skin\default\btn_more02.png
Filesize
267B

MD5
0604efc23a41c93e9c99683ff09c7cf2

SHA1
424ed08c3d29de661e777be52eed4c627eb5cad0

SHA256
ba2e5a4a42ca6aa57a76dbd6832fb4a86986927050712aa14318fed57a93dc48

SHA512
50c70b45fd348bd4d4f697212044cb23841d384edc5fcf63eea69467777545d51dcdae4236a65abc7a808f7d71592aa4a6988fb5913d7c40c65a360932969767

Download Submit
C:\Program Files (x86)\5DGame\skin\default\btn_more03.png
Filesize
298B

MD5
e364fdf4f45864a73def205611d031cc

SHA1
913a98cd5ad74f80b84ca5356ffac0c2d028396f

SHA256
224e56237f58e5c2ceb7ecd0d4e22bc3d400fab37293faca62a280cb79d8b9b7

SHA512
55d2fb69d3007f38cc4e945ea692123f1fe63b4858645fb428a602ffb0df08193035a84c10de2dfbc014a83ef7b4b3b8cf3e42c34c686aad1106391e70901858

Download Submit
C:\Program Files (x86)\5DGame\skin\default\icon_cz.png
Filesize
1KB

MD5
c0ad1cb9f09ce403fdc01df6ede3cbaa

SHA1
a2f0f03cfd9c29f8c97181eabfd51cc88d9f7844

SHA256
47f66084dc0e69201dfdddb5c364dd06b9e4f965bbd8fe0c249c5c12145a703f

SHA512
162b5f946ba05334be0a5b9c641ecb0301d6825074f55e93b0ce618e1cfda71ef33e4f4c3511b48bfe9a0fda4858ae8249ea41528ec5980c3486c8c6a0c12a37

Download Submit
C:\Program Files (x86)\5DGame\skin\default\icon_gdyx.png
Filesize
908B

MD5
dc176b3fdf7f073b7f23ef1179c8cfb9

SHA1
aa38ffe6857f46df7342dff28707e9ce75e67b19

SHA256
3b4244e51c1fd29b573af6aeacf0aa8399480b1f407c426bef1e0a70602fe57b

SHA512
e256502be6c5d27f3a62b7a3520fb9044f6177743c7cfd97dd91cc6cb7b778ddf68212c3d630676a74d6fbb4a573bd32b88f208452a36f486680044f43747abd

Download Submit
C:\Program Files (x86)\5DGame\skin\default\icon_gw.png
Filesize
1KB

MD5
0d5d1091742cc0e5de1de541ed4cb0bf

SHA1
d14e18d41e15c401618e56832a9622f0095aae86

SHA256
cc22891c5b55fae6166c8e888361ff59605c955a68cf47d0e323d6110ed121ce

SHA512
54d559b6c90f4b1b5913dfb56c7080838446fe4633bbe07618f496b34ea1fa9d1b680bf9600a547f3a584a08b5df4e5aead49139b6d2419c9f492ba2d8d4f58e

Download Submit
C:\Program Files (x86)\5DGame\skin\default\icon_ht.png
Filesize
820B

MD5
8be49f05a95a09d83a470baf6383559e

SHA1
f59cddb1806f0534787c452571ca7c089da0b9ab

SHA256
5594fafce7821a8c641ca446409c9e05e231a3132b0d21b6ea9390ad90004b5c

SHA512
57757d15f3bdfe431f9e0676c3258d9ec5b31c38977b2e842e4d2b62ffbbff037c064009f909e012fcde9721a1c0c033d4c476ccac4c75da879200212325dcf0

Download Submit
C:\Program Files (x86)\5DGame\skin\default\icon_kfzx.png
Filesize
926B

MD5
60cb207eeb68e650d13b7a91a84e6a27

SHA1
7b21d001b69ff7b83383aa66b5826af8449c004b

SHA256
e1e67ccf204a5cb3d38d3c21359f4227201c033a002cf8ba986f56deffa9d9c9

SHA512
2e35b0cfbf04809e49331518f6f5f074dbe84ddc0566045ef138ec5444d4c9c09a02aa7b5d5d5b29c81ca0b261dd5e98439f25e017591c61a06857d5e68c13ef

Download Submit
C:\Program Files (x86)\5DGame\skin\default\icon_lt.png
Filesize
1KB

MD5
233972770a2fd0c908e71342878be91d

SHA1
36510a70dd0f6efaad7d421cea474162053c4af5

SHA256
fa37413581a89d1cf0b2498fc6ef764fcab5b8913e9e03d25629da3b776b05c5

SHA512
d76766c32b52e03da114faeb83e962a47f30a01af7aec5b446af52b6b53b7a2074bf66e16ab3b3b76f8c79bf437e230e94f9a9dac865d036579907251797775b

Download Submit
C:\Program Files (x86)\5DGame\skin\default\icon_qj.png
Filesize
791B

MD5
4a537631bc45b0bf36605320be8fb07a

SHA1
56960fa2b3bf05a5530829e74f869d666c0d9db3

SHA256
ce1763c5e5c804b9f7afa5cd6bdc105930479430009078c1b36dda0275281872

SHA512
0162ed23af41df0c47dded7713fc3c69c8124b2019aa8452250a0ce41b07bc152f2051a8d799d5a988a0a0ca2d4b4eda66a26dc6f052c8517caa6ddacfd86ce8

Download Submit
C:\Program Files (x86)\5DGame\skin\default\icon_qp.png
Filesize
690B

MD5
4c80b8ee1f564acbd57f878bd2b158b0

SHA1
d9ac861f647d0f088f250ebde75714958f7662e8

SHA256
35d5045234b90aac968eec6cd7c77d5043b113c71012f38cc742ccaf8771ea54

SHA512
35f62e473d02a10af4e95f1a3a0b8f37c2aa438763a166ecdc60f5e8f1d71b2f1abe829c5860692574511151d3812d45e1adb5b5c69eaed08f2d22dbe57af729

Download Submit
C:\Program Files (x86)\5DGame\skin\default\icon_sx.png
Filesize
1KB

MD5
e5376444deb4e1116e99ab035792eb58

SHA1
a02e9023fad5a36139045108ac7ddc3f15fae8e9

SHA256
b505bb32874631f408f1fd839cb04c7aa94c798deef50eeea71aba32bf05ee66

SHA512
a9ac21f1ca04c11472e5d923147484692e5998721710f9487c6298cc87b24cee6a8e00ed358f72397204359e91e109b97280fd5150072aec11f01b63826b919e

Download Submit
C:\Program Files (x86)\5DGame\skin\default\icon_yxdt.png
Filesize
803B

MD5
4cc83055491dd2b98795dfb9bdbbf60c

SHA1
a15594379994e2cd7fc692ced43bf26ff29d84e3

SHA256
9beb49dd628d9a140d4469941b481ee95061a70663398c6e2a0f0feb7a38b3ba

SHA512
f2ec10c1b67c9e8dda820099e10b6a9509aaccf110497b80b8d0201d64b735f16122ddf7463767b0514bb2736e80b72e8f231bb81a389232feeca7ee6242ae15

Download Submit
C:\Program Files (x86)\5DGame\skin\default\nav_bg01.png
Filesize
250B

MD5
ca44b23bf0012cc0a7e349a16636ae57

SHA1
55c066af9ac08d39907bc8d312e073de00dd1bf8

SHA256
382c115367b8e47e0a085f45c192fdc46e68cbec2d082509dc32f701ac312a95

SHA512
f2d1d867e1c3981495bdc0a47bbbc0826ef37929dd881657b6230bb6ebad264d08d3e8664747f3432768132ca42a585cffcdc4baa4dde93356bf0cd504be0980

Download Submit
C:\Program Files (x86)\5DGame\skin\default\nav_bg02.png
Filesize
240B

MD5
75074fca52eef6d840eb9e41c2779dbe

SHA1
cb603147cb4570b7bb4cf9fee2d3d799b161c59a

SHA256
070de1c6ba4613714b6978b6c148383abccc8341c84b5dac78cd4d8fff49216e

SHA512
821aefcae6ed650187481bb09fd23421c53ef83249039ee51f4ec5cf4b6552ddd12ff7ef92112355c7f0461e1083488cf5508eda8c047d687ba501be7863d6ec

Download Submit
C:\Program Files (x86)\5DGame\skin\default\skin.xml
Filesize
2KB

MD5
41081872767f9350b75d5cda17fbeab3

SHA1
a92b0212fef427ab6b3b1a3098cd19355fc8efa1

SHA256
6c8903347071e20c3e66f52994fa7fac7bfc7f6b703f57b15808bda0290ea598

SHA512
c91ef07bb95540d57c16a7a9eb46c7785f2a292e0673f7202ac1873a5075ca2db48ed32a9c052b49899330cf62e34e48537565ead1aa5c8ddb170c2c3a1f3b4d

Download Submit
C:\Program Files (x86)\5DGame\skin\default\toolbar_bg01.png
Filesize
3KB

MD5
81fc6157b1c5cc30d797c308f56262b7

SHA1
a87fcc8d8fd7c27d50eb46cd66021bcafc7de4a5

SHA256
9af6bb513f42134609345cc7415ec76a630c24387ef51a491fe097489643fd12

SHA512
5e6b2693c7e01c4a4ee9b7b3e22f472fa82eccbd340e8becea217186d05cb7fc964da9b5ebb5299f5f1a8bee24fe9a8a1fab385a27e0aa8b37c47565fa8e0739

Download Submit
C:\Program Files (x86)\5DGame\skin\default\toolbar_nav02.png
Filesize
217B

MD5
7df81bc502c0ad0b538353eb7884e160

SHA1
175cc34ac9c14d491ebc7b4b062a2dce06342df9

SHA256
74302fbf1015fce43d482d1accf4ae7d5e6e6a52ba6e8c33c8f43cefcd8be024

SHA512
d3bc7f638a1ca70bd8b612e12574514237aefc326b1a74cde43dbb5c6422556219c31a70b9ecb518b7f4974b86d4a3fa948d81da5939d3976e921b8695f2aad3

Download Submit
C:\Program Files (x86)\5DGame\skin\default\toolbar_nav03.png
Filesize
242B

MD5
0361fd5cd757222c4952268e4c74ab9e

SHA1
1a5449d580f5391ff70e8f4ffc0dbb463f49237b

SHA256
0413da48754dd71e456abfd8a01aeb0d4fdae938cca5e57df4dc71ff01d7ac6e

SHA512
5c775796129de3d49ddce6b93731c9247155ecc961280e5c8ceaf2f4f6709e08a645a53c667c5f2c43417b9edf7bb2b6c69f7b1045f4e3bda7cfb7a405c8ccac

Download Submit
C:\Program Files (x86)\5DGame\skin\default\top_big01.png
Filesize
398B

MD5
d75c56ff2b41fecbe9c4616ddedc2623

SHA1
e7bae4b0348d2eab892a0c1d8d09279c3e4abb9d

SHA256
ff4de8e566cf49a319aee795f295d3d5f042e813c42c559bfff48233cc6f10ea

SHA512
02a0a07c1068163a20fcafeb88e463dc426f6c8371b1f65acfe3a73e89573bfdcc7a592a63404cdfbdbf876e32ce0a679317135d862703e4942ca9eefa7a3d89

Download Submit
C:\Program Files (x86)\5DGame\skin\default\top_big02.png
Filesize
337B

MD5
8cd3d38d4a5faa4bf05a231785019b76

SHA1
37642cfaa3ca2e878aff48807c36547792560599

SHA256
de6a18c601197e2d9d782afd54159363cdb632707004fe04a0c78ea49d2bbdc8

SHA512
51f03a25e85188b7f49901efcb3c79ba0a2fa6030a8986cf33a8042d441366a337600358e601aa64738ac26cc054bd53fb1660230970dcc48c782241f0fa1115

Download Submit
C:\Program Files (x86)\5DGame\skin\default\top_big03.png
Filesize
337B

MD5
8cd3d38d4a5faa4bf05a231785019b76

SHA1
37642cfaa3ca2e878aff48807c36547792560599

SHA256
de6a18c601197e2d9d782afd54159363cdb632707004fe04a0c78ea49d2bbdc8

SHA512
51f03a25e85188b7f49901efcb3c79ba0a2fa6030a8986cf33a8042d441366a337600358e601aa64738ac26cc054bd53fb1660230970dcc48c782241f0fa1115

Download Submit
C:\Program Files (x86)\5DGame\skin\default\top_close01.png
Filesize
518B

MD5
db079579946e34c14e3b7e0888172002

SHA1
aa7f1f80fbc3462d3dc83b14a833d5cd7be4beb1

SHA256
0027a0096f9c9ef50166e4e249d80f1ab11364bf0602c024ed7d851c6772a758

SHA512
da9f733254f9bc8527dcceb1e34b9b558dc0c7742f0cd4a0b6c69e0634e850aa20ea32308077122462dd063e66391e4e01d994b8ed19f15ab6dd39f632e16a7d

Download Submit
C:\Program Files (x86)\5DGame\skin\default\top_close02.png
Filesize
468B

MD5
f1e3b569de59076556536310b1c7d1f9

SHA1
e7584b2c9fddf7c172ec1080a099d88f4edcfa0c

SHA256
aba101911720f563f66ec82be44b1b58c6ed741e9cc6363a6b976f2b9a2e843f

SHA512
b043305c8f3617f1a872519a57f1490dfb64fda9f1c7dc75d3ac39fe8e19f8d5ceaeba2393ba0b5867ad9308d8873dde0336487eb94bbd8183979761028e12f2

Download Submit
C:\Program Files (x86)\5DGame\skin\default\top_close03.png
Filesize
468B

MD5
f1e3b569de59076556536310b1c7d1f9

SHA1
e7584b2c9fddf7c172ec1080a099d88f4edcfa0c

SHA256
aba101911720f563f66ec82be44b1b58c6ed741e9cc6363a6b976f2b9a2e843f

SHA512
b043305c8f3617f1a872519a57f1490dfb64fda9f1c7dc75d3ac39fe8e19f8d5ceaeba2393ba0b5867ad9308d8873dde0336487eb94bbd8183979761028e12f2

Download Submit
C:\Program Files (x86)\5DGame\skin\default\top_next01.png
Filesize
267B

MD5
4a58af71b4e8491aebc496ed04ce5b79

SHA1
0b60f0ac2d37157573e0b734ce6e986e7f2bd406

SHA256
4667a695aa09d56c87d8e1d34dd32338c4a910c0560cd67f4a094d3ddbb3abb9

SHA512
faefeb1257b0fec4eab9f73314124dd69d2059a95c8f426825784ad591e43c0f73ed8fd2b90a5915f17f971a60b04240206087f9325780c42d33dce3f6564bb7

Download Submit
C:\Program Files (x86)\5DGame\skin\default\top_next02.png
Filesize
242B

MD5
edb2d521e3c14f8309d63359f578cc60

SHA1
4f6cab5524bcfb1fe5477d53d219a9adf0258b3c

SHA256
dd3c9515bcea5ef723a6375747acaafeb434859e586b5b7a72ed813dd3b90d96

SHA512
9997434c16df396a27b947b61de4476b608a32ed31073bbb85398d9661a6224ac19be1c65ff7b044501c12b00595c04fca589d30159af80f0c6886b1619bb9a9

Download Submit
C:\Program Files (x86)\5DGame\skin\default\top_next03.png
Filesize
242B

MD5
edb2d521e3c14f8309d63359f578cc60

SHA1
4f6cab5524bcfb1fe5477d53d219a9adf0258b3c

SHA256
dd3c9515bcea5ef723a6375747acaafeb434859e586b5b7a72ed813dd3b90d96

SHA512
9997434c16df396a27b947b61de4476b608a32ed31073bbb85398d9661a6224ac19be1c65ff7b044501c12b00595c04fca589d30159af80f0c6886b1619bb9a9

Download Submit
C:\Program Files (x86)\5DGame\skin\default\top_prev01.png
Filesize
264B

MD5
827b802f581b35adb607620d59ec72a4

SHA1
3436d352a88690f354c20c9acde95b382458fd3e

SHA256
6282974d5192a6f8d986ffc2cb7cbcb8a480649a7e261d4e146b57d3596fbbfc

SHA512
00568bb17d8b72ef517822cee645faab3bc50a7e8902c66a0ac8cbb705a9c9d3d4db5df4e9c1ec6dcea649e5306afc0f6965f048eaf5e8fc414ecb24700b2b49

Download Submit
C:\Program Files (x86)\5DGame\skin\default\top_prev02.png
Filesize
247B

MD5
76eec3e4fd42fc648d11741c757d0a97

SHA1
b1e9a0e0fa172ba546c0d36acca6bf5096d6c97d

SHA256
088e70bf38c3c9f2d1d8ca87804c196457702e86709a1dc8a74713e641ee9f97

SHA512
4ee2d93ed878305344b7eecc1feb6f5d0bac4e6d98dd172c4c5b7db08f284e7f438e3ec01207ce3da780d6c1cc1c94550b7f9ccd69cefa8e1aac0d4826e6cd1c

Download Submit
C:\Program Files (x86)\5DGame\skin\default\top_prev03.png
Filesize
247B

MD5
76eec3e4fd42fc648d11741c757d0a97

SHA1
b1e9a0e0fa172ba546c0d36acca6bf5096d6c97d

SHA256
088e70bf38c3c9f2d1d8ca87804c196457702e86709a1dc8a74713e641ee9f97

SHA512
4ee2d93ed878305344b7eecc1feb6f5d0bac4e6d98dd172c4c5b7db08f284e7f438e3ec01207ce3da780d6c1cc1c94550b7f9ccd69cefa8e1aac0d4826e6cd1c

Download Submit
C:\Program Files (x86)\5DGame\skin\default\top_restore01.png
Filesize
447B

MD5
56690eec0ac3b891f95bac19db3b244b

SHA1
82ff06f617ba3c1da2a819067c93744dda481e59

SHA256
87522a413f0e13e9d142aa0611af17ef144bd869e9f987a1766f9e8f18b8e98d

SHA512
8c92a1f125a22ac5400e115754267da5262a8f59c935e54e729fe74c0539fd1af522c5dfaafb13fbc4d5428b1245949174fc9fd8554a9c9b5ac978e62229f289

Download Submit
C:\Program Files (x86)\5DGame\skin\default\top_restore02.png
Filesize
368B

MD5
f4cf01f92b1078fbb4a8b74f8f9d4da8

SHA1
0e0fdee8eb818679593cb5e5cbd485e784025f9f

SHA256
a07fcd00ffba3c6d41d28c20f21e9603d22b5e963d107c330e4b2cb5a4d32f8a

SHA512
e29a87eb394a69511db18064e37853aef4ff02144e89eee495ffe6061a62513472891d4784cc8abcf4b7c9f26ab984350d603a9ae147775ed8a8d74c9051f844

Download Submit
C:\Program Files (x86)\5DGame\skin\default\top_restore03.png
Filesize
368B

MD5
f4cf01f92b1078fbb4a8b74f8f9d4da8

SHA1
0e0fdee8eb818679593cb5e5cbd485e784025f9f

SHA256
a07fcd00ffba3c6d41d28c20f21e9603d22b5e963d107c330e4b2cb5a4d32f8a

SHA512
e29a87eb394a69511db18064e37853aef4ff02144e89eee495ffe6061a62513472891d4784cc8abcf4b7c9f26ab984350d603a9ae147775ed8a8d74c9051f844

Download Submit
C:\Program Files (x86)\5DGame\skin\default\top_small01.png
Filesize
349B

MD5
1d210d606cf7600801718943d807f753

SHA1
1d0cc736f026b1e21df99975d2fa1579c7a2fddf

SHA256
24b32a228886e034ac856ec0fe7fa6af7836640b65fb39cc2adfecf2dff0a2cf

SHA512
951b652a77690cd310d9e5c6bb9997f53a61ef3c39d7946fe66b888145385c43e9dd8a322b76e3c1e8a8160f8f93207cf7fb8cedb930edd92e979e16f4ec4a1f

Download Submit
C:\Program Files (x86)\5DGame\skin\default\top_small02.png
Filesize
301B

MD5
88be351cd6521b336f9ad4365bf59d55

SHA1
81549e1de2de29bf308eb8f2937d024da7e4cdd0

SHA256
4527281a721855a9e5434bd8d1a942f5c97b99d93e0b9155489a907df5cefd25

SHA512
fa12a25cf2bdd12d2ac1806fe7506e541b21b91a8d3463b95122451f209fe2ad7ed205cae228989cd5232c280137aa2051f156f1c42e40f1e350d6ae95aeee27

Download Submit
C:\Program Files (x86)\5DGame\skin\default\top_small03.png
Filesize
301B

MD5
88be351cd6521b336f9ad4365bf59d55

SHA1
81549e1de2de29bf308eb8f2937d024da7e4cdd0

SHA256
4527281a721855a9e5434bd8d1a942f5c97b99d93e0b9155489a907df5cefd25

SHA512
fa12a25cf2bdd12d2ac1806fe7506e541b21b91a8d3463b95122451f209fe2ad7ed205cae228989cd5232c280137aa2051f156f1c42e40f1e350d6ae95aeee27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{84035F91-739E-11ED-8AA1-4ADA2A0CA6C6}.dat
Filesize
3KB

MD5
4fc459d507b92bbdcc6f3739ca90b576

SHA1
482a38a8ec611bf49db920bfb88971311d852e4d

SHA256
301a57ee8902c362c3658f749d5c5c3e2486cd09809004c1827d38c92d83f834

SHA512
333e0fe85143b4f5b5777f96489c49ad377da1b2bba9e24270e81358fc1e09ce54c2383bd41cc0b593ea4488b96a2605b887d49c9ee095b0339ad185e600d0dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{840386A1-739E-11ED-8AA1-4ADA2A0CA6C6}.dat
Filesize
3KB

MD5
f42eb7dc94e61e7ef509b548bc9059f6

SHA1
080b0006d4635495b496ba4875808adb7effc265

SHA256
3b2c7a64d07d005f51b488fe32faaee6609b6382554e56d049c7ad509dc1b4a1

SHA512
04f8a7d57774c04fac832f4276b667e0d70631bcab0c57f4a493f850e147f3a16bedf8bbdf140f62d8648dda50aa7592dac55de3d46c195fe2cfc2807364e594

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_p45.exe
Filesize
495KB

MD5
0ff8a820fc5cf4b549041bead7122c54

SHA1
9f6e7e167c92f66f6ea23d2f5eb572a529e23e8d

SHA256
1287ab55609a6ed6a1638f1c1c6d41edea641a299be833bf90f0fd4ce8255d6e

SHA512
99e4ca0eb0cf9541761aa3ac5b7dfd40f2051429169e7f666df582461c21200f417ca38a2e0bdb6f681cc7220fc08d133f93d85237dccc84ed5e2cef6972d71f

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_p45.exe
Filesize
495KB

MD5
0ff8a820fc5cf4b549041bead7122c54

SHA1
9f6e7e167c92f66f6ea23d2f5eb572a529e23e8d

SHA256
1287ab55609a6ed6a1638f1c1c6d41edea641a299be833bf90f0fd4ce8255d6e

SHA512
99e4ca0eb0cf9541761aa3ac5b7dfd40f2051429169e7f666df582461c21200f417ca38a2e0bdb6f681cc7220fc08d133f93d85237dccc84ed5e2cef6972d71f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1BW3YI2D.txt
Filesize
539B

MD5
4394fdd1352c44ca6e42987a69fbdfe3

SHA1
2d7db98b636b4a4c1488f2f5a0d896037a5950cf

SHA256
d569aa018273f2e2d5b66507e6452550c12083ee75a41d6f712ee171e453a96c

SHA512
dd7e24866174bbd5cab6aa96ac44660934ef235866ef807f0c512cad4a0da9145428fba82b0551c81e4eb0409e398b98edb24b89c0fbf969044b0c44bfd58f8a

Download Submit
\Program Files (x86)\5DGame\WebGame.exe
Filesize
577KB

MD5
345ab504856eb9ea7dad32e01d562f30

SHA1
0e47b5e575466695893d3447738e074580392f2e

SHA256
39c542f82d9b2dcd202d17d0805d50afe21463319cdfda9161fd3db9d6d33eb5

SHA512
ffe1a2054d2f48bc7c74ae8e425a1c69631bdcfd0e9759b956c7569cd05f77b7d4c5d7850dd0d03e2bbb6a6302e8321a019f0c4efce29f48b5ec908fe9dd0df3

Download Submit
\Program Files (x86)\5DGame\WebGame.exe
Filesize
577KB

MD5
345ab504856eb9ea7dad32e01d562f30

SHA1
0e47b5e575466695893d3447738e074580392f2e

SHA256
39c542f82d9b2dcd202d17d0805d50afe21463319cdfda9161fd3db9d6d33eb5

SHA512
ffe1a2054d2f48bc7c74ae8e425a1c69631bdcfd0e9759b956c7569cd05f77b7d4c5d7850dd0d03e2bbb6a6302e8321a019f0c4efce29f48b5ec908fe9dd0df3

Download Submit
\Program Files (x86)\5DGame\WebGame.exe
Filesize
577KB

MD5
345ab504856eb9ea7dad32e01d562f30

SHA1
0e47b5e575466695893d3447738e074580392f2e

SHA256
39c542f82d9b2dcd202d17d0805d50afe21463319cdfda9161fd3db9d6d33eb5

SHA512
ffe1a2054d2f48bc7c74ae8e425a1c69631bdcfd0e9759b956c7569cd05f77b7d4c5d7850dd0d03e2bbb6a6302e8321a019f0c4efce29f48b5ec908fe9dd0df3

Download Submit
\Program Files (x86)\5DGame\WebGame.exe
Filesize
577KB

MD5
345ab504856eb9ea7dad32e01d562f30

SHA1
0e47b5e575466695893d3447738e074580392f2e

SHA256
39c542f82d9b2dcd202d17d0805d50afe21463319cdfda9161fd3db9d6d33eb5

SHA512
ffe1a2054d2f48bc7c74ae8e425a1c69631bdcfd0e9759b956c7569cd05f77b7d4c5d7850dd0d03e2bbb6a6302e8321a019f0c4efce29f48b5ec908fe9dd0df3

Download Submit
\Program Files (x86)\5DGame\WebGame.exe
Filesize
577KB

MD5
345ab504856eb9ea7dad32e01d562f30

SHA1
0e47b5e575466695893d3447738e074580392f2e

SHA256
39c542f82d9b2dcd202d17d0805d50afe21463319cdfda9161fd3db9d6d33eb5

SHA512
ffe1a2054d2f48bc7c74ae8e425a1c69631bdcfd0e9759b956c7569cd05f77b7d4c5d7850dd0d03e2bbb6a6302e8321a019f0c4efce29f48b5ec908fe9dd0df3

Download Submit
\Program Files (x86)\5DGame\WebGame.exe
Filesize
577KB

MD5
345ab504856eb9ea7dad32e01d562f30

SHA1
0e47b5e575466695893d3447738e074580392f2e

SHA256
39c542f82d9b2dcd202d17d0805d50afe21463319cdfda9161fd3db9d6d33eb5

SHA512
ffe1a2054d2f48bc7c74ae8e425a1c69631bdcfd0e9759b956c7569cd05f77b7d4c5d7850dd0d03e2bbb6a6302e8321a019f0c4efce29f48b5ec908fe9dd0df3

Download Submit
\Program Files (x86)\5DGame\WebGame.exe
Filesize
577KB

MD5
345ab504856eb9ea7dad32e01d562f30

SHA1
0e47b5e575466695893d3447738e074580392f2e

SHA256
39c542f82d9b2dcd202d17d0805d50afe21463319cdfda9161fd3db9d6d33eb5

SHA512
ffe1a2054d2f48bc7c74ae8e425a1c69631bdcfd0e9759b956c7569cd05f77b7d4c5d7850dd0d03e2bbb6a6302e8321a019f0c4efce29f48b5ec908fe9dd0df3

Download Submit
\Program Files (x86)\5DGame\WebGame.exe
Filesize
577KB

MD5
345ab504856eb9ea7dad32e01d562f30

SHA1
0e47b5e575466695893d3447738e074580392f2e

SHA256
39c542f82d9b2dcd202d17d0805d50afe21463319cdfda9161fd3db9d6d33eb5

SHA512
ffe1a2054d2f48bc7c74ae8e425a1c69631bdcfd0e9759b956c7569cd05f77b7d4c5d7850dd0d03e2bbb6a6302e8321a019f0c4efce29f48b5ec908fe9dd0df3

Download Submit
\Program Files (x86)\5DGame\WebGame.exe
Filesize
577KB

MD5
345ab504856eb9ea7dad32e01d562f30

SHA1
0e47b5e575466695893d3447738e074580392f2e

SHA256
39c542f82d9b2dcd202d17d0805d50afe21463319cdfda9161fd3db9d6d33eb5

SHA512
ffe1a2054d2f48bc7c74ae8e425a1c69631bdcfd0e9759b956c7569cd05f77b7d4c5d7850dd0d03e2bbb6a6302e8321a019f0c4efce29f48b5ec908fe9dd0df3

Download Submit
\Program Files (x86)\5DGame\WebGame.exe
Filesize
577KB

MD5
345ab504856eb9ea7dad32e01d562f30

SHA1
0e47b5e575466695893d3447738e074580392f2e

SHA256
39c542f82d9b2dcd202d17d0805d50afe21463319cdfda9161fd3db9d6d33eb5

SHA512
ffe1a2054d2f48bc7c74ae8e425a1c69631bdcfd0e9759b956c7569cd05f77b7d4c5d7850dd0d03e2bbb6a6302e8321a019f0c4efce29f48b5ec908fe9dd0df3

Download Submit
\Program Files (x86)\5DGame\fancygame.ocx
Filesize
506KB

MD5
5ca1ca33127d71eff439da94fb116682

SHA1
a445847bb60ac03a6e5165893051bdf486dd6a7f

SHA256
6381e0e596d366141028771f63726200235e27ea9ed2267671f50319144cebd2

SHA512
36d1b7ceac1ed42e316a34d6f58ce1523d5a66feb809aaf1ea7c51ad3822ea4de6775cbad0da53afb8d8548ca4cfa86333254e3e5c357334f5fe3b792f19ce1f

Download Submit
\Users\Admin\AppData\Local\Temp\nstC851.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\setup_p45.exe
Filesize
495KB

MD5
0ff8a820fc5cf4b549041bead7122c54

SHA1
9f6e7e167c92f66f6ea23d2f5eb572a529e23e8d

SHA256
1287ab55609a6ed6a1638f1c1c6d41edea641a299be833bf90f0fd4ce8255d6e

SHA512
99e4ca0eb0cf9541761aa3ac5b7dfd40f2051429169e7f666df582461c21200f417ca38a2e0bdb6f681cc7220fc08d133f93d85237dccc84ed5e2cef6972d71f

Download Submit
\Users\Admin\AppData\Local\Temp\setup_p45.exe
Filesize
495KB

MD5
0ff8a820fc5cf4b549041bead7122c54

SHA1
9f6e7e167c92f66f6ea23d2f5eb572a529e23e8d

SHA256
1287ab55609a6ed6a1638f1c1c6d41edea641a299be833bf90f0fd4ce8255d6e

SHA512
99e4ca0eb0cf9541761aa3ac5b7dfd40f2051429169e7f666df582461c21200f417ca38a2e0bdb6f681cc7220fc08d133f93d85237dccc84ed5e2cef6972d71f

Download Submit
\Users\Admin\AppData\Local\Temp\setup_p45.exe
Filesize
495KB

MD5
0ff8a820fc5cf4b549041bead7122c54

SHA1
9f6e7e167c92f66f6ea23d2f5eb572a529e23e8d

SHA256
1287ab55609a6ed6a1638f1c1c6d41edea641a299be833bf90f0fd4ce8255d6e

SHA512
99e4ca0eb0cf9541761aa3ac5b7dfd40f2051429169e7f666df582461c21200f417ca38a2e0bdb6f681cc7220fc08d133f93d85237dccc84ed5e2cef6972d71f

Download Submit
\Users\Admin\AppData\Local\Temp\setup_p45.exe
Filesize
495KB

MD5
0ff8a820fc5cf4b549041bead7122c54

SHA1
9f6e7e167c92f66f6ea23d2f5eb572a529e23e8d

SHA256
1287ab55609a6ed6a1638f1c1c6d41edea641a299be833bf90f0fd4ce8255d6e

SHA512
99e4ca0eb0cf9541761aa3ac5b7dfd40f2051429169e7f666df582461c21200f417ca38a2e0bdb6f681cc7220fc08d133f93d85237dccc84ed5e2cef6972d71f

Download Submit
memory/472-59-0x0000000000000000-mapping.dmp

Download
memory/572-62-0x000007FEFC201000-0x000007FEFC203000-memory.dmp

Filesize
8KB

Download
memory/672-56-0x0000000000000000-mapping.dmp

Download
memory/672-58-0x0000000075191000-0x0000000075193000-memory.dmp

Filesize
8KB

Download
memory/672-57-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1468-66-0x0000000000000000-mapping.dmp

Download
memory/1824-83-0x0000000000000000-mapping.dmp

Download
memory/1964-79-0x0000000000000000-mapping.dmp

Download