96273c2215e7e63629cd43326223c9f96f62bef3b831bd1da9447bd7974585c2

Analysis

max time kernel
202s
max time network
277s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
07/12/2022, 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96273c2215e7e63629cd43326223c9f96f62bef3b831bd1da9447bd7974585c2.exe
Size

456KB
MD5

162db04b803dc577ea02154a0e312610
SHA1

478f578a1f9504814848f151450c1ccc4dd0ffa5
SHA256

96273c2215e7e63629cd43326223c9f96f62bef3b831bd1da9447bd7974585c2
SHA512

501f0f55ab28c56c03cfa6a1407dc123417c5ca7b1b26e7d8c8597e7dcae60838c098b6c20e446aa35146670e35ee0af012a27a2cf57ad01b01a8ddf67968f1b
SSDEEP

6144:tTfFDbRnOTrt5J8Z/Bz0gGIzYmt8L9WeVS6grL2FwvQWUUTziZCrbsaGtB/y0Q:D5OGhBwgGIzYlL9xIv1UU3Ao6yT

Score

8^/10

evasion persistence upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\360safe = "C:\\WINDOWS\\system32\\sdfi\\spool.vbs"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\abcd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\baobi88.exe"	baobi88.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	baobi88.exe

Executes dropped EXE 9 IoCs

pid	Process
1884	time.exe
668	5685.exe
540	45.exe
1668	5.exe
1072	msn036.exe
924	101.exe
336	feifei.exe
1612	baobi88.exe
880	006.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
1632	attrib.exe
936	attrib.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000012324-63.dat	upx
behavioral1/files/0x0008000000012324-64.dat	upx
behavioral1/files/0x0008000000012324-65.dat	upx
behavioral1/files/0x0008000000012324-67.dat	upx
behavioral1/memory/668-70-0x0000000000400000-0x0000000000437000-memory.dmp	upx
behavioral1/memory/668-133-0x0000000000400000-0x0000000000437000-memory.dmp	upx
behavioral1/memory/668-138-0x0000000000400000-0x0000000000437000-memory.dmp	upx

Loads dropped DLL 36 IoCs

pid	Process
552	WScript.exe
552	WScript.exe
552	WScript.exe
552	WScript.exe
552	WScript.exe
552	WScript.exe
552	WScript.exe
1668	5.exe
1668	5.exe
1668	5.exe
552	WScript.exe
552	WScript.exe
1072	msn036.exe
1072	msn036.exe
1072	msn036.exe
1072	msn036.exe
1072	msn036.exe
924	101.exe
924	101.exe
924	101.exe
924	101.exe
924	101.exe
944	regsvr32.exe
552	WScript.exe
1072	msn036.exe
552	WScript.exe
552	WScript.exe
552	WScript.exe
552	WScript.exe
1448	WerFault.exe
1448	WerFault.exe
1448	WerFault.exe
1448	WerFault.exe
1448	WerFault.exe
1448	WerFault.exe
1448	WerFault.exe

Modifies WinLogon 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logondll\Impersonate = "0"	5685.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logondll\Startup = "EventStartup"	5685.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logondll	5685.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify	5685.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logondll\DllName = "fly9157.dll"	5685.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\logondll\Asynchronous = "1"	5685.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\sdfi\11.reg	feifei.exe
File created	C:\Windows\SysWOW64\dllcache\fly9157.dll	5685.exe
File created	C:\Windows\SysWOW64\cimnuy.bat	45.exe
File created	C:\WINDOWS\SysWOW64\sdfi\__tmp_rar_sfx_access_check_7277836	feifei.exe
File created	C:\WINDOWS\SysWOW64\sdfi\down31.bat	feifei.exe
File opened for modification	C:\WINDOWS\SysWOW64\sdfi\down31.bat	feifei.exe
File opened for modification	C:\WINDOWS\SysWOW64\sdfi\3.bat	feifei.exe
File created	C:\Windows\SysWOW64\fly9157.dll	5685.exe
File opened for modification	C:\WINDOWS\SysWOW64\sdfi	attrib.exe
File created	C:\Windows\SysWOW64\flyplug.dll	5685.exe
File created	C:\WINDOWS\SysWOW64\sdfi\3.vbs	feifei.exe
File opened for modification	C:\WINDOWS\SysWOW64\sdfi\11.reg	feifei.exe
File created	C:\WINDOWS\SysWOW64\sdfi\spool.vbs	feifei.exe
File opened for modification	C:\WINDOWS\SysWOW64\sdfi\spool.vbs	feifei.exe
File created	C:\Windows\SysWOW64\flymain.dll	5685.exe
File opened for modification	C:\WINDOWS\SysWOW64\sdfi	feifei.exe
File created	C:\WINDOWS\SysWOW64\sdfi\3.bat	feifei.exe
File opened for modification	C:\WINDOWS\SysWOW64\sdfi\3.vbs	feifei.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Intel\baiduc.dll	101.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1448	880	WerFault.exe	40

NSIS installer 13 IoCs

installer

resource	yara_rule
behavioral1/files/0x0009000000012320-77.dat	nsis_installer_2
behavioral1/files/0x0009000000012320-78.dat	nsis_installer_2
behavioral1/files/0x0009000000012320-79.dat	nsis_installer_2
behavioral1/files/0x0009000000012320-81.dat	nsis_installer_2
behavioral1/files/0x0009000000012320-83.dat	nsis_installer_2
behavioral1/files/0x0009000000012320-84.dat	nsis_installer_2
behavioral1/files/0x0009000000012320-85.dat	nsis_installer_2
behavioral1/files/0x0007000000012751-96.dat	nsis_installer_1
behavioral1/files/0x0007000000012751-98.dat	nsis_installer_1
behavioral1/files/0x0007000000012751-101.dat	nsis_installer_1
behavioral1/files/0x0007000000012751-100.dat	nsis_installer_1
behavioral1/files/0x0007000000012751-103.dat	nsis_installer_1
behavioral1/files/0x0007000000012751-102.dat	nsis_installer_1

Modifies registry class 43 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\My.Control.1\CLSID\ = "{7138527F-430B-45B0-B164-9AA396644263}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\My.Control\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7138527F-430B-45B0-B164-9AA396644263}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B90EED-B1AB-42A9-BA14-F8825153F575}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{19E65A85-5FEC-4CC3-8F60-738F1E9F1CD0}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\My.Control.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{19E65A85-5FEC-4CC3-8F60-738F1E9F1CD0}\ = "IControl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7138527F-430B-45B0-B164-9AA396644263}\InprocServer32\ThreadingModel = "both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\My.Control	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B90EED-B1AB-42A9-BA14-F8825153F575}\1.0\ = "ÓÒ¼ü²å¼þ 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B90EED-B1AB-42A9-BA14-F8825153F575}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B90EED-B1AB-42A9-BA14-F8825153F575}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B90EED-B1AB-42A9-BA14-F8825153F575}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B90EED-B1AB-42A9-BA14-F8825153F575}\1.0\HELPDIR\ = "C:\\Windows\\System32"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B90EED-B1AB-42A9-BA14-F8825153F575}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\{7138527F-430B-45B0-B164-9AA396644263}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\My.Control\ = "Control Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7138527F-430B-45B0-B164-9AA396644263}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7138527F-430B-45B0-B164-9AA396644263}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7138527F-430B-45B0-B164-9AA396644263}\ProgID\ = "My.Control.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7138527F-430B-45B0-B164-9AA396644263}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7138527F-430B-45B0-B164-9AA396644263}\VersionIndependentProgID\ = "My.Control"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{19E65A85-5FEC-4CC3-8F60-738F1E9F1CD0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19E65A85-5FEC-4CC3-8F60-738F1E9F1CD0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\{7138527F-430B-45B0-B164-9AA396644263}\ = "{7138527F-430B-45B0-B164-9AA396644263}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7138527F-430B-45B0-B164-9AA396644263}\InprocServer32\ = "C:\\Windows\\SysWow64\\flyplug.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B90EED-B1AB-42A9-BA14-F8825153F575}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\flyplug.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{19E65A85-5FEC-4CC3-8F60-738F1E9F1CD0}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19E65A85-5FEC-4CC3-8F60-738F1E9F1CD0}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\My.Control.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\My.Control.1\ = "Control Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\My.Control\CLSID\ = "{7138527F-430B-45B0-B164-9AA396644263}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B90EED-B1AB-42A9-BA14-F8825153F575}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{19E65A85-5FEC-4CC3-8F60-738F1E9F1CD0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{19E65A85-5FEC-4CC3-8F60-738F1E9F1CD0}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19E65A85-5FEC-4CC3-8F60-738F1E9F1CD0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19E65A85-5FEC-4CC3-8F60-738F1E9F1CD0}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7138527F-430B-45B0-B164-9AA396644263}\ = "Control Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{34B90EED-B1AB-42A9-BA14-F8825153F575}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{19E65A85-5FEC-4CC3-8F60-738F1E9F1CD0}\TypeLib\ = "{34B90EED-B1AB-42A9-BA14-F8825153F575}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19E65A85-5FEC-4CC3-8F60-738F1E9F1CD0}\ = "IControl"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19E65A85-5FEC-4CC3-8F60-738F1E9F1CD0}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{19E65A85-5FEC-4CC3-8F60-738F1E9F1CD0}\TypeLib\ = "{34B90EED-B1AB-42A9-BA14-F8825153F575}"	regsvr32.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1760	regedit.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1580	PING.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
668	5685.exe
1612	baobi88.exe
668	5685.exe
1612	baobi88.exe
1612	baobi88.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1612	baobi88.exe
Token: SeDebugPrivilege	880	006.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
668	5685.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 552	2028	96273c2215e7e63629cd43326223c9f96f62bef3b831bd1da9447bd7974585c2.exe	28
PID 2028 wrote to memory of 552	2028	96273c2215e7e63629cd43326223c9f96f62bef3b831bd1da9447bd7974585c2.exe	28
PID 2028 wrote to memory of 552	2028	96273c2215e7e63629cd43326223c9f96f62bef3b831bd1da9447bd7974585c2.exe	28
PID 2028 wrote to memory of 552	2028	96273c2215e7e63629cd43326223c9f96f62bef3b831bd1da9447bd7974585c2.exe	28
PID 552 wrote to memory of 1884	552	WScript.exe	29
PID 552 wrote to memory of 1884	552	WScript.exe	29
PID 552 wrote to memory of 1884	552	WScript.exe	29
PID 552 wrote to memory of 1884	552	WScript.exe	29
PID 552 wrote to memory of 668	552	WScript.exe	30
PID 552 wrote to memory of 668	552	WScript.exe	30
PID 552 wrote to memory of 668	552	WScript.exe	30
PID 552 wrote to memory of 668	552	WScript.exe	30
PID 552 wrote to memory of 540	552	WScript.exe	31
PID 552 wrote to memory of 540	552	WScript.exe	31
PID 552 wrote to memory of 540	552	WScript.exe	31
PID 552 wrote to memory of 540	552	WScript.exe	31
PID 552 wrote to memory of 1668	552	WScript.exe	32
PID 552 wrote to memory of 1668	552	WScript.exe	32
PID 552 wrote to memory of 1668	552	WScript.exe	32
PID 552 wrote to memory of 1668	552	WScript.exe	32
PID 552 wrote to memory of 1668	552	WScript.exe	32
PID 552 wrote to memory of 1668	552	WScript.exe	32
PID 552 wrote to memory of 1668	552	WScript.exe	32
PID 552 wrote to memory of 1072	552	WScript.exe	33
PID 552 wrote to memory of 1072	552	WScript.exe	33
PID 552 wrote to memory of 1072	552	WScript.exe	33
PID 552 wrote to memory of 1072	552	WScript.exe	33
PID 552 wrote to memory of 1072	552	WScript.exe	33
PID 552 wrote to memory of 1072	552	WScript.exe	33
PID 552 wrote to memory of 1072	552	WScript.exe	33
PID 1072 wrote to memory of 924	1072	msn036.exe	34
PID 1072 wrote to memory of 924	1072	msn036.exe	34
PID 1072 wrote to memory of 924	1072	msn036.exe	34
PID 1072 wrote to memory of 924	1072	msn036.exe	34
PID 1072 wrote to memory of 924	1072	msn036.exe	34
PID 1072 wrote to memory of 924	1072	msn036.exe	34
PID 1072 wrote to memory of 924	1072	msn036.exe	34
PID 924 wrote to memory of 1988	924	101.exe	35
PID 924 wrote to memory of 1988	924	101.exe	35
PID 924 wrote to memory of 1988	924	101.exe	35
PID 924 wrote to memory of 1988	924	101.exe	35
PID 924 wrote to memory of 1988	924	101.exe	35
PID 924 wrote to memory of 1988	924	101.exe	35
PID 924 wrote to memory of 1988	924	101.exe	35
PID 668 wrote to memory of 944	668	5685.exe	36
PID 668 wrote to memory of 944	668	5685.exe	36
PID 668 wrote to memory of 944	668	5685.exe	36
PID 668 wrote to memory of 944	668	5685.exe	36
PID 668 wrote to memory of 944	668	5685.exe	36
PID 668 wrote to memory of 944	668	5685.exe	36
PID 668 wrote to memory of 944	668	5685.exe	36
PID 552 wrote to memory of 336	552	WScript.exe	37
PID 552 wrote to memory of 336	552	WScript.exe	37
PID 552 wrote to memory of 336	552	WScript.exe	37
PID 552 wrote to memory of 336	552	WScript.exe	37
PID 336 wrote to memory of 1900	336	feifei.exe	38
PID 336 wrote to memory of 1900	336	feifei.exe	38
PID 336 wrote to memory of 1900	336	feifei.exe	38
PID 336 wrote to memory of 1900	336	feifei.exe	38
PID 552 wrote to memory of 1612	552	WScript.exe	39
PID 552 wrote to memory of 1612	552	WScript.exe	39
PID 552 wrote to memory of 1612	552	WScript.exe	39
PID 552 wrote to memory of 1612	552	WScript.exe	39
PID 552 wrote to memory of 880	552	WScript.exe	40

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
936	attrib.exe
1632	attrib.exe
476	attrib.exe

C:\Users\Admin\AppData\Local\Temp\96273c2215e7e63629cd43326223c9f96f62bef3b831bd1da9447bd7974585c2.exe
"C:\Users\Admin\AppData\Local\Temp\96273c2215e7e63629cd43326223c9f96f62bef3b831bd1da9447bd7974585c2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\time.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\time.exe"
    3⤵
    - Executes dropped EXE
    PID:1884
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\5685.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\5685.exe"
    3⤵
    - Executes dropped EXE
    - Modifies WinLogon
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:668
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s C:\Windows\System32\flyplug.dll
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:944
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\RarSFX0\tempDel.bat
      4⤵
      PID:1976
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\45.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\45.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:540
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Windows\system32\cimnuy.bat
      4⤵
      PID:1412
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 3 127.0.0.1
        5⤵
        Runs ping.exe
        
        PID:1580
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\5.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\5.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1668
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\msn036.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\msn036.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1072
  - - C:\Users\Admin\AppData\Local\Temp\101.exe
      "C:\Users\Admin\AppData\Local\Temp\101.exe" 7836
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:924
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32.exe" "C:\Windows\Intel\baiduc.dll" /s
        5⤵
        
        PID:1988
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\feifei.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\feifei.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:336
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\WINDOWS\system32\sdfi\3.vbs"
      4⤵
      PID:1900
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c C:\WINDOWS\system32\sdfi\3.bat
        5⤵
        
        PID:1956
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib +a +s +h C:\WINDOWS\system32\sdfi
        6⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:1632
      - C:\Windows\SysWOW64\regedit.exe
        
        regedit /s 11.reg
        6⤵
        Adds policy Run key to start application
        Runs .reg file with regedit
        
        PID:1760
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\baobi88.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\baobi88.exe"
    3⤵
    - Adds policy Run key to start application
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1612
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -s -h "C:\Windows\system32\drivers\etc\hosts"
      4⤵
      Views/modifies file attributes
      PID:476
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h "C:\Windows\system32\drivers\etc\hosts"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:936
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\006.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\006.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:880
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 248
      4⤵
      Loads dropped DLL
      Program crash
      PID:1448

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\101.exe

Filesize
53KB

MD5
0368f0996a3880372f211949c1bb963c

SHA1
dde8a7c840a2248a6ada7cb329072d6ac346b8a4

SHA256
cec0c658179e3dc81e2b6ffc5f6d957dda3a82cd6e16e4d16cc78cf6079ee363

SHA512
b27ab866d022911aa3e10db4e147f09bde59d7f133deb134ff511cf96b689d6ffc4888027db283b7124c012ddd87425a54d4def1ef4be945746cec33e39455c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\101.exe

Filesize
53KB

MD5
0368f0996a3880372f211949c1bb963c

SHA1
dde8a7c840a2248a6ada7cb329072d6ac346b8a4

SHA256
cec0c658179e3dc81e2b6ffc5f6d957dda3a82cd6e16e4d16cc78cf6079ee363

SHA512
b27ab866d022911aa3e10db4e147f09bde59d7f133deb134ff511cf96b689d6ffc4888027db283b7124c012ddd87425a54d4def1ef4be945746cec33e39455c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\006.exe

Filesize
26KB

MD5
d3d63a561b34ec2b36c78285dc0438be

SHA1
4b7fdacc3032820fbac6b9c3b4fa418333414ed8

SHA256
23cf8234bb3580abf459e9539ba52684b650c59355cfa897e03e7328dd9a2fb1

SHA512
cf9c6324fc12a5c5ee27c5343c3c67f1240f601bb1476543a87edf44e27ac4eb4617aa5cc9fa4c968afb36923715f341ed236febea8cc19191834c6bde29a4ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\006.exe

Filesize
26KB

MD5
d3d63a561b34ec2b36c78285dc0438be

SHA1
4b7fdacc3032820fbac6b9c3b4fa418333414ed8

SHA256
23cf8234bb3580abf459e9539ba52684b650c59355cfa897e03e7328dd9a2fb1

SHA512
cf9c6324fc12a5c5ee27c5343c3c67f1240f601bb1476543a87edf44e27ac4eb4617aa5cc9fa4c968afb36923715f341ed236febea8cc19191834c6bde29a4ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\2.vbs

Filesize
836B

MD5
a65d404589b61595b7aabbf8ed8ce383

SHA1
8e69068339e0d042bd2694892e2a94a44c546601

SHA256
5a204bdf149a2065eb45d4aefdb95bdef212bfd95ce2cf02582b6e5a07013e82

SHA512
56b116d4c088fa938e4330c0301caf702fbc6daf85fb3fc9f02605afc4d74981eae0dcf11d3fa04d70d450ae69d24b11d9ffd741d83b723b172fdc424f772024

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\45.exe

Filesize
24KB

MD5
b1662aeefa7792bb4a2b653d2716f7bb

SHA1
e5b200f1c9899e6211b621c0ba9a03a61131dea8

SHA256
8d132e8ce8a4a51728c8cd3caf15792ae2d433f8991e95a7799fcbc8d8d392dc

SHA512
9ccced23388c3d098f88b03c5569766a9006a78d90aa826658f176cbcc12241e8a627bb69a230bc7a0ca12bd57d12ca9f701c3d2dfebf2a63941dd7cbd55d94e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\45.exe

Filesize
24KB

MD5
b1662aeefa7792bb4a2b653d2716f7bb

SHA1
e5b200f1c9899e6211b621c0ba9a03a61131dea8

SHA256
8d132e8ce8a4a51728c8cd3caf15792ae2d433f8991e95a7799fcbc8d8d392dc

SHA512
9ccced23388c3d098f88b03c5569766a9006a78d90aa826658f176cbcc12241e8a627bb69a230bc7a0ca12bd57d12ca9f701c3d2dfebf2a63941dd7cbd55d94e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\5.exe

Filesize
68KB

MD5
d2f920f6d7909b1aa6b8cfd784ce553d

SHA1
a14d34311a8e7bca330fdc71bced03bc8141c379

SHA256
b0e66b0934a062ac17c6b1114b15e7fab153a97a260be161db5d9154301fd652

SHA512
84d9c45a8a1377453be4dd549b3d92ac18e72c0fa0fbd24c1805efbc5a023c32db6747fb7f5c6259ffbced1a1c58e4d58ad8fb3bce92f9ad0a9cd785ed0ba5fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\5.exe

Filesize
68KB

MD5
d2f920f6d7909b1aa6b8cfd784ce553d

SHA1
a14d34311a8e7bca330fdc71bced03bc8141c379

SHA256
b0e66b0934a062ac17c6b1114b15e7fab153a97a260be161db5d9154301fd652

SHA512
84d9c45a8a1377453be4dd549b3d92ac18e72c0fa0fbd24c1805efbc5a023c32db6747fb7f5c6259ffbced1a1c58e4d58ad8fb3bce92f9ad0a9cd785ed0ba5fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\5685.exe

Filesize
44KB

MD5
91af4d306068fa6730c0584c667c3c0b

SHA1
90bc8accace502f34c5d19b001150eed8cc7c513

SHA256
9c4bba310a108344cf43216f3804e949f32497834ef7469c0eef53a67a2cb3b7

SHA512
77918f76c7d826307d810eb4be9a7efa5af469da7e6d96ccbc01a9cd21d014bd44cc4bf3f43082f13d5f408e4de6580e3a5c2c6a290a7c96d77a251455c3e862

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\5685.exe

Filesize
44KB

MD5
91af4d306068fa6730c0584c667c3c0b

SHA1
90bc8accace502f34c5d19b001150eed8cc7c513

SHA256
9c4bba310a108344cf43216f3804e949f32497834ef7469c0eef53a67a2cb3b7

SHA512
77918f76c7d826307d810eb4be9a7efa5af469da7e6d96ccbc01a9cd21d014bd44cc4bf3f43082f13d5f408e4de6580e3a5c2c6a290a7c96d77a251455c3e862

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\baobi88.exe

Filesize
43KB

MD5
8beccce0bf1d185386eeb81df83e97d3

SHA1
bb99ca7f828fa002b32e7effe16535d198c5c4bf

SHA256
b1e4f551a4f32a1f018817710b850830824251ee49aa3286d318b11776d89b83

SHA512
7b967e381f5898dff571d1bde8a62e79844b5acb8c52377aa58659b49ffbffb7eac07dc4bec5ec47d257cd63709c1af24e87ab689eb8faccdb6c41759ccdae51

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\baobi88.exe

Filesize
43KB

MD5
8beccce0bf1d185386eeb81df83e97d3

SHA1
bb99ca7f828fa002b32e7effe16535d198c5c4bf

SHA256
b1e4f551a4f32a1f018817710b850830824251ee49aa3286d318b11776d89b83

SHA512
7b967e381f5898dff571d1bde8a62e79844b5acb8c52377aa58659b49ffbffb7eac07dc4bec5ec47d257cd63709c1af24e87ab689eb8faccdb6c41759ccdae51

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\feifei.exe

Filesize
103KB

MD5
57693c6ffcd3fa4f9272eefaedb22e86

SHA1
bec994fa36758a39807d5e4ab0170c98db17c962

SHA256
de18e3f1e22505c40873661575f70a6782f5cacd6571bf2b4fb4072a39065346

SHA512
683ffc826ab261b1e9ed565a69828a86594a1d1a4a115a5089579d6cd0622112c7b71e65eeec2adb85c5d78a9279941d76513ea47db4dfb54ca2eaaf7b2a554a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\feifei.exe

Filesize
103KB

MD5
57693c6ffcd3fa4f9272eefaedb22e86

SHA1
bec994fa36758a39807d5e4ab0170c98db17c962

SHA256
de18e3f1e22505c40873661575f70a6782f5cacd6571bf2b4fb4072a39065346

SHA512
683ffc826ab261b1e9ed565a69828a86594a1d1a4a115a5089579d6cd0622112c7b71e65eeec2adb85c5d78a9279941d76513ea47db4dfb54ca2eaaf7b2a554a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msn036.exe

Filesize
88KB

MD5
1c0a4569322cfa3134476db610aa3538

SHA1
5e8dab0692a7b8f6d84c24f4945aef7e914c2ad3

SHA256
db6fccef4a06eafeea1e32af8a064d6fca2a770012d9bf925f05f716076799a5

SHA512
dd47f954c13950fd8fc5a2f274dcf681a787df52a5b30bbcf391231652a5451cd1563be9d2a2382db486506da30ec3ae71f4bde45984f765e2dfc1dcd0f1f481

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msn036.exe

Filesize
88KB

MD5
1c0a4569322cfa3134476db610aa3538

SHA1
5e8dab0692a7b8f6d84c24f4945aef7e914c2ad3

SHA256
db6fccef4a06eafeea1e32af8a064d6fca2a770012d9bf925f05f716076799a5

SHA512
dd47f954c13950fd8fc5a2f274dcf681a787df52a5b30bbcf391231652a5451cd1563be9d2a2382db486506da30ec3ae71f4bde45984f765e2dfc1dcd0f1f481

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\tempDel.bat

Filesize
69B

MD5
2cfd39300cf2f8cca6a11fc677949149

SHA1
c98bd1b074c5cdb1943cfd66057f77609ad8b868

SHA256
93c92bd03e3fed6953252b7e808dd38977a9109ba69db83bdb9865e9441203fc

SHA512
5d6d31bf8239631001eb71f279a1063c94caba96bb6cae8a5a643e657a253cb32a7cf5d39d73871bb4d9202dd97deb406cdaa9692c18d06facec2bb3b66ef872

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\time.exe

Filesize
102KB

MD5
e6125ccf3e87bfa40065d3e716ff1758

SHA1
dacb4ec911761cee288f8cac4f376aeaa6cfcf62

SHA256
65ac7bf69517b853375177d4af4c4474bccb316e607d0846eda33307efe0f82a

SHA512
70f253aee34cad4bde3fb0e4bb7470dc4444ef376e65580b9c0aca481da9be12bbb617a560661a1b212327290849368bdcb9ff71499cdbdf779ee0dcd928f453

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\time.exe

Filesize
102KB

MD5
e6125ccf3e87bfa40065d3e716ff1758

SHA1
dacb4ec911761cee288f8cac4f376aeaa6cfcf62

SHA256
65ac7bf69517b853375177d4af4c4474bccb316e607d0846eda33307efe0f82a

SHA512
70f253aee34cad4bde3fb0e4bb7470dc4444ef376e65580b9c0aca481da9be12bbb617a560661a1b212327290849368bdcb9ff71499cdbdf779ee0dcd928f453

Download Submit
C:\WINDOWS\SysWOW64\sdfi\11.reg

Filesize
362B

MD5
e9d8da16828bbd7ce6e802a1f1eb0ac5

SHA1
447fad974c2706064f68dd79f793145db9bf8b52

SHA256
d52bb0c8af0e1f1a1b36af2ca7900f1149cf621a7c10c53913311ad33b62c8a1

SHA512
4c617dce96d3dc49b99fdf664a6c00f4aa1ce7c37324530648930f153ca88971d2e7f156ff46edd629a900a32d2ba7bb37b83be99743163404fafb2120a43b03

Download Submit
C:\WINDOWS\SysWOW64\sdfi\3.bat

Filesize
78B

MD5
62d8e2639d58004eed8ffd2c236a03fc

SHA1
8d66326d6737203851d4043ec78de68e26e3a43b

SHA256
5455684a5802bff84fb933e2285a6ca81e3880a483220da28bcdd65469163bb1

SHA512
27b2409b2c345e0be751c2bf0e765fb9b56b8eae501fb1a276205d1930af2645b10525c238debfd1be19715f260baa32bf3e915490fdbae0ca6d371096ac4444

Download Submit
C:\WINDOWS\SysWOW64\sdfi\3.vbs

Filesize
115B

MD5
302bf7d18e20301be9d1bd917dc2239d

SHA1
46d25eda8915349a250975cbe89d54ce7bdf5ea5

SHA256
902db1fa49ea44b8c3624166cc5544922df6aa73366d5e154ff4c7ef5dfbb1bc

SHA512
fc443d70f53a4ed475ee43d1e3fd3bdc794c2136dab208724e15cc8bdb6201c27313e816cef6b6c9d4a6ce7890c9a7e7e29346ec9503c095a8cf5fb5d352b6d1

Download Submit
C:\Windows\SysWOW64\cimnuy.bat

Filesize
177B

MD5
9dfbad72bba1a6a56ec1a2f3716cc24a

SHA1
8555f85761312b201af67167bfb31d135271978f

SHA256
55932fe38284a16c85c613f63aacb99942eef5ea5462b10b14ebb89e184ff7f7

SHA512
254936a7ea5ec63c15281bca44ff7b500a9967c63c31a91721c1aa6d3f702fa17529c577c04029235076b2bab5e06170c5063dda685313da7afd4b9aa5040142

Download Submit
C:\Windows\SysWOW64\flyplug.dll

Filesize
48KB

MD5
3c77f39e597dd78f213b76fcd41ac4b8

SHA1
482488fce9b8e3455282645bb0ef92110423c108

SHA256
ce000e6dcdb6e3b1c412285440e5c5e2761ed048367515289171b905718ef411

SHA512
4d4330af16c174b6dee5e2955f1725bb069c87156e8f6d2a9db268501d967c4f0213469ebeb693da87f1ac8a34d403c9651792b1cc11811d89d8d0741465a645

Download Submit
\Users\Admin\AppData\Local\Temp\101.exe

Filesize
53KB

MD5
0368f0996a3880372f211949c1bb963c

SHA1
dde8a7c840a2248a6ada7cb329072d6ac346b8a4

SHA256
cec0c658179e3dc81e2b6ffc5f6d957dda3a82cd6e16e4d16cc78cf6079ee363

SHA512
b27ab866d022911aa3e10db4e147f09bde59d7f133deb134ff511cf96b689d6ffc4888027db283b7124c012ddd87425a54d4def1ef4be945746cec33e39455c8

Download Submit
\Users\Admin\AppData\Local\Temp\101.exe

Filesize
53KB

MD5
0368f0996a3880372f211949c1bb963c

SHA1
dde8a7c840a2248a6ada7cb329072d6ac346b8a4

SHA256
cec0c658179e3dc81e2b6ffc5f6d957dda3a82cd6e16e4d16cc78cf6079ee363

SHA512
b27ab866d022911aa3e10db4e147f09bde59d7f133deb134ff511cf96b689d6ffc4888027db283b7124c012ddd87425a54d4def1ef4be945746cec33e39455c8

Download Submit
\Users\Admin\AppData\Local\Temp\101.exe

Filesize
53KB

MD5
0368f0996a3880372f211949c1bb963c

SHA1
dde8a7c840a2248a6ada7cb329072d6ac346b8a4

SHA256
cec0c658179e3dc81e2b6ffc5f6d957dda3a82cd6e16e4d16cc78cf6079ee363

SHA512
b27ab866d022911aa3e10db4e147f09bde59d7f133deb134ff511cf96b689d6ffc4888027db283b7124c012ddd87425a54d4def1ef4be945746cec33e39455c8

Download Submit
\Users\Admin\AppData\Local\Temp\101.exe

Filesize
53KB

MD5
0368f0996a3880372f211949c1bb963c

SHA1
dde8a7c840a2248a6ada7cb329072d6ac346b8a4

SHA256
cec0c658179e3dc81e2b6ffc5f6d957dda3a82cd6e16e4d16cc78cf6079ee363

SHA512
b27ab866d022911aa3e10db4e147f09bde59d7f133deb134ff511cf96b689d6ffc4888027db283b7124c012ddd87425a54d4def1ef4be945746cec33e39455c8

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\006.exe

Filesize
26KB

MD5
d3d63a561b34ec2b36c78285dc0438be

SHA1
4b7fdacc3032820fbac6b9c3b4fa418333414ed8

SHA256
23cf8234bb3580abf459e9539ba52684b650c59355cfa897e03e7328dd9a2fb1

SHA512
cf9c6324fc12a5c5ee27c5343c3c67f1240f601bb1476543a87edf44e27ac4eb4617aa5cc9fa4c968afb36923715f341ed236febea8cc19191834c6bde29a4ec

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\006.exe

Filesize
26KB

MD5
d3d63a561b34ec2b36c78285dc0438be

SHA1
4b7fdacc3032820fbac6b9c3b4fa418333414ed8

SHA256
23cf8234bb3580abf459e9539ba52684b650c59355cfa897e03e7328dd9a2fb1

SHA512
cf9c6324fc12a5c5ee27c5343c3c67f1240f601bb1476543a87edf44e27ac4eb4617aa5cc9fa4c968afb36923715f341ed236febea8cc19191834c6bde29a4ec

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\006.exe

Filesize
26KB

MD5
d3d63a561b34ec2b36c78285dc0438be

SHA1
4b7fdacc3032820fbac6b9c3b4fa418333414ed8

SHA256
23cf8234bb3580abf459e9539ba52684b650c59355cfa897e03e7328dd9a2fb1

SHA512
cf9c6324fc12a5c5ee27c5343c3c67f1240f601bb1476543a87edf44e27ac4eb4617aa5cc9fa4c968afb36923715f341ed236febea8cc19191834c6bde29a4ec

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\006.exe

Filesize
26KB

MD5
d3d63a561b34ec2b36c78285dc0438be

SHA1
4b7fdacc3032820fbac6b9c3b4fa418333414ed8

SHA256
23cf8234bb3580abf459e9539ba52684b650c59355cfa897e03e7328dd9a2fb1

SHA512
cf9c6324fc12a5c5ee27c5343c3c67f1240f601bb1476543a87edf44e27ac4eb4617aa5cc9fa4c968afb36923715f341ed236febea8cc19191834c6bde29a4ec

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\006.exe

Filesize
26KB

MD5
d3d63a561b34ec2b36c78285dc0438be

SHA1
4b7fdacc3032820fbac6b9c3b4fa418333414ed8

SHA256
23cf8234bb3580abf459e9539ba52684b650c59355cfa897e03e7328dd9a2fb1

SHA512
cf9c6324fc12a5c5ee27c5343c3c67f1240f601bb1476543a87edf44e27ac4eb4617aa5cc9fa4c968afb36923715f341ed236febea8cc19191834c6bde29a4ec

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\006.exe

Filesize
26KB

MD5
d3d63a561b34ec2b36c78285dc0438be

SHA1
4b7fdacc3032820fbac6b9c3b4fa418333414ed8

SHA256
23cf8234bb3580abf459e9539ba52684b650c59355cfa897e03e7328dd9a2fb1

SHA512
cf9c6324fc12a5c5ee27c5343c3c67f1240f601bb1476543a87edf44e27ac4eb4617aa5cc9fa4c968afb36923715f341ed236febea8cc19191834c6bde29a4ec

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\006.exe

Filesize
26KB

MD5
d3d63a561b34ec2b36c78285dc0438be

SHA1
4b7fdacc3032820fbac6b9c3b4fa418333414ed8

SHA256
23cf8234bb3580abf459e9539ba52684b650c59355cfa897e03e7328dd9a2fb1

SHA512
cf9c6324fc12a5c5ee27c5343c3c67f1240f601bb1476543a87edf44e27ac4eb4617aa5cc9fa4c968afb36923715f341ed236febea8cc19191834c6bde29a4ec

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\006.exe

Filesize
26KB

MD5
d3d63a561b34ec2b36c78285dc0438be

SHA1
4b7fdacc3032820fbac6b9c3b4fa418333414ed8

SHA256
23cf8234bb3580abf459e9539ba52684b650c59355cfa897e03e7328dd9a2fb1

SHA512
cf9c6324fc12a5c5ee27c5343c3c67f1240f601bb1476543a87edf44e27ac4eb4617aa5cc9fa4c968afb36923715f341ed236febea8cc19191834c6bde29a4ec

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\006.exe

Filesize
26KB

MD5
d3d63a561b34ec2b36c78285dc0438be

SHA1
4b7fdacc3032820fbac6b9c3b4fa418333414ed8

SHA256
23cf8234bb3580abf459e9539ba52684b650c59355cfa897e03e7328dd9a2fb1

SHA512
cf9c6324fc12a5c5ee27c5343c3c67f1240f601bb1476543a87edf44e27ac4eb4617aa5cc9fa4c968afb36923715f341ed236febea8cc19191834c6bde29a4ec

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\45.exe

Filesize
24KB

MD5
b1662aeefa7792bb4a2b653d2716f7bb

SHA1
e5b200f1c9899e6211b621c0ba9a03a61131dea8

SHA256
8d132e8ce8a4a51728c8cd3caf15792ae2d433f8991e95a7799fcbc8d8d392dc

SHA512
9ccced23388c3d098f88b03c5569766a9006a78d90aa826658f176cbcc12241e8a627bb69a230bc7a0ca12bd57d12ca9f701c3d2dfebf2a63941dd7cbd55d94e

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\45.exe

Filesize
24KB

MD5
b1662aeefa7792bb4a2b653d2716f7bb

SHA1
e5b200f1c9899e6211b621c0ba9a03a61131dea8

SHA256
8d132e8ce8a4a51728c8cd3caf15792ae2d433f8991e95a7799fcbc8d8d392dc

SHA512
9ccced23388c3d098f88b03c5569766a9006a78d90aa826658f176cbcc12241e8a627bb69a230bc7a0ca12bd57d12ca9f701c3d2dfebf2a63941dd7cbd55d94e

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\5.exe

Filesize
68KB

MD5
d2f920f6d7909b1aa6b8cfd784ce553d

SHA1
a14d34311a8e7bca330fdc71bced03bc8141c379

SHA256
b0e66b0934a062ac17c6b1114b15e7fab153a97a260be161db5d9154301fd652

SHA512
84d9c45a8a1377453be4dd549b3d92ac18e72c0fa0fbd24c1805efbc5a023c32db6747fb7f5c6259ffbced1a1c58e4d58ad8fb3bce92f9ad0a9cd785ed0ba5fe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\5.exe

Filesize
68KB

MD5
d2f920f6d7909b1aa6b8cfd784ce553d

SHA1
a14d34311a8e7bca330fdc71bced03bc8141c379

SHA256
b0e66b0934a062ac17c6b1114b15e7fab153a97a260be161db5d9154301fd652

SHA512
84d9c45a8a1377453be4dd549b3d92ac18e72c0fa0fbd24c1805efbc5a023c32db6747fb7f5c6259ffbced1a1c58e4d58ad8fb3bce92f9ad0a9cd785ed0ba5fe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\5.exe

Filesize
68KB

MD5
d2f920f6d7909b1aa6b8cfd784ce553d

SHA1
a14d34311a8e7bca330fdc71bced03bc8141c379

SHA256
b0e66b0934a062ac17c6b1114b15e7fab153a97a260be161db5d9154301fd652

SHA512
84d9c45a8a1377453be4dd549b3d92ac18e72c0fa0fbd24c1805efbc5a023c32db6747fb7f5c6259ffbced1a1c58e4d58ad8fb3bce92f9ad0a9cd785ed0ba5fe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\5.exe

Filesize
68KB

MD5
d2f920f6d7909b1aa6b8cfd784ce553d

SHA1
a14d34311a8e7bca330fdc71bced03bc8141c379

SHA256
b0e66b0934a062ac17c6b1114b15e7fab153a97a260be161db5d9154301fd652

SHA512
84d9c45a8a1377453be4dd549b3d92ac18e72c0fa0fbd24c1805efbc5a023c32db6747fb7f5c6259ffbced1a1c58e4d58ad8fb3bce92f9ad0a9cd785ed0ba5fe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\5.exe

Filesize
68KB

MD5
d2f920f6d7909b1aa6b8cfd784ce553d

SHA1
a14d34311a8e7bca330fdc71bced03bc8141c379

SHA256
b0e66b0934a062ac17c6b1114b15e7fab153a97a260be161db5d9154301fd652

SHA512
84d9c45a8a1377453be4dd549b3d92ac18e72c0fa0fbd24c1805efbc5a023c32db6747fb7f5c6259ffbced1a1c58e4d58ad8fb3bce92f9ad0a9cd785ed0ba5fe

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\5685.exe

Filesize
44KB

MD5
91af4d306068fa6730c0584c667c3c0b

SHA1
90bc8accace502f34c5d19b001150eed8cc7c513

SHA256
9c4bba310a108344cf43216f3804e949f32497834ef7469c0eef53a67a2cb3b7

SHA512
77918f76c7d826307d810eb4be9a7efa5af469da7e6d96ccbc01a9cd21d014bd44cc4bf3f43082f13d5f408e4de6580e3a5c2c6a290a7c96d77a251455c3e862

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\5685.exe

Filesize
44KB

MD5
91af4d306068fa6730c0584c667c3c0b

SHA1
90bc8accace502f34c5d19b001150eed8cc7c513

SHA256
9c4bba310a108344cf43216f3804e949f32497834ef7469c0eef53a67a2cb3b7

SHA512
77918f76c7d826307d810eb4be9a7efa5af469da7e6d96ccbc01a9cd21d014bd44cc4bf3f43082f13d5f408e4de6580e3a5c2c6a290a7c96d77a251455c3e862

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\baobi88.exe

Filesize
43KB

MD5
8beccce0bf1d185386eeb81df83e97d3

SHA1
bb99ca7f828fa002b32e7effe16535d198c5c4bf

SHA256
b1e4f551a4f32a1f018817710b850830824251ee49aa3286d318b11776d89b83

SHA512
7b967e381f5898dff571d1bde8a62e79844b5acb8c52377aa58659b49ffbffb7eac07dc4bec5ec47d257cd63709c1af24e87ab689eb8faccdb6c41759ccdae51

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\baobi88.exe

Filesize
43KB

MD5
8beccce0bf1d185386eeb81df83e97d3

SHA1
bb99ca7f828fa002b32e7effe16535d198c5c4bf

SHA256
b1e4f551a4f32a1f018817710b850830824251ee49aa3286d318b11776d89b83

SHA512
7b967e381f5898dff571d1bde8a62e79844b5acb8c52377aa58659b49ffbffb7eac07dc4bec5ec47d257cd63709c1af24e87ab689eb8faccdb6c41759ccdae51

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\feifei.exe

Filesize
103KB

MD5
57693c6ffcd3fa4f9272eefaedb22e86

SHA1
bec994fa36758a39807d5e4ab0170c98db17c962

SHA256
de18e3f1e22505c40873661575f70a6782f5cacd6571bf2b4fb4072a39065346

SHA512
683ffc826ab261b1e9ed565a69828a86594a1d1a4a115a5089579d6cd0622112c7b71e65eeec2adb85c5d78a9279941d76513ea47db4dfb54ca2eaaf7b2a554a

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\msn036.exe

Filesize
88KB

MD5
1c0a4569322cfa3134476db610aa3538

SHA1
5e8dab0692a7b8f6d84c24f4945aef7e914c2ad3

SHA256
db6fccef4a06eafeea1e32af8a064d6fca2a770012d9bf925f05f716076799a5

SHA512
dd47f954c13950fd8fc5a2f274dcf681a787df52a5b30bbcf391231652a5451cd1563be9d2a2382db486506da30ec3ae71f4bde45984f765e2dfc1dcd0f1f481

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\msn036.exe

Filesize
88KB

MD5
1c0a4569322cfa3134476db610aa3538

SHA1
5e8dab0692a7b8f6d84c24f4945aef7e914c2ad3

SHA256
db6fccef4a06eafeea1e32af8a064d6fca2a770012d9bf925f05f716076799a5

SHA512
dd47f954c13950fd8fc5a2f274dcf681a787df52a5b30bbcf391231652a5451cd1563be9d2a2382db486506da30ec3ae71f4bde45984f765e2dfc1dcd0f1f481

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\msn036.exe

Filesize
88KB

MD5
1c0a4569322cfa3134476db610aa3538

SHA1
5e8dab0692a7b8f6d84c24f4945aef7e914c2ad3

SHA256
db6fccef4a06eafeea1e32af8a064d6fca2a770012d9bf925f05f716076799a5

SHA512
dd47f954c13950fd8fc5a2f274dcf681a787df52a5b30bbcf391231652a5451cd1563be9d2a2382db486506da30ec3ae71f4bde45984f765e2dfc1dcd0f1f481

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\msn036.exe

Filesize
88KB

MD5
1c0a4569322cfa3134476db610aa3538

SHA1
5e8dab0692a7b8f6d84c24f4945aef7e914c2ad3

SHA256
db6fccef4a06eafeea1e32af8a064d6fca2a770012d9bf925f05f716076799a5

SHA512
dd47f954c13950fd8fc5a2f274dcf681a787df52a5b30bbcf391231652a5451cd1563be9d2a2382db486506da30ec3ae71f4bde45984f765e2dfc1dcd0f1f481

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\msn036.exe

Filesize
88KB

MD5
1c0a4569322cfa3134476db610aa3538

SHA1
5e8dab0692a7b8f6d84c24f4945aef7e914c2ad3

SHA256
db6fccef4a06eafeea1e32af8a064d6fca2a770012d9bf925f05f716076799a5

SHA512
dd47f954c13950fd8fc5a2f274dcf681a787df52a5b30bbcf391231652a5451cd1563be9d2a2382db486506da30ec3ae71f4bde45984f765e2dfc1dcd0f1f481

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\time.exe

Filesize
102KB

MD5
e6125ccf3e87bfa40065d3e716ff1758

SHA1
dacb4ec911761cee288f8cac4f376aeaa6cfcf62

SHA256
65ac7bf69517b853375177d4af4c4474bccb316e607d0846eda33307efe0f82a

SHA512
70f253aee34cad4bde3fb0e4bb7470dc4444ef376e65580b9c0aca481da9be12bbb617a560661a1b212327290849368bdcb9ff71499cdbdf779ee0dcd928f453

Download Submit
\Users\Admin\AppData\Local\Temp\nskB4A.tmp\System.dll

Filesize
10KB

MD5
bf01b2d04e8fad306ba2f364cfc4edfa

SHA1
58f42b45ca9fc1818c4498ecd8bac088d20f2b18

SHA256
d3f9c99e0c1c9acd81a1b33bc3dbd305140def90d10485c253cf1d455f0dc903

SHA512
30ca1663d659c5efac7fed3d1aaba81c47d5d5fda77f30f021124c882b858732e17f917bfd0aa3ee7b269fad86e75b1b9388d8f916e7a4e2c9961669f2c772e7

Download Submit
\Users\Admin\AppData\Local\Temp\nskB4A.tmp\System.dll

Filesize
10KB

MD5
bf01b2d04e8fad306ba2f364cfc4edfa

SHA1
58f42b45ca9fc1818c4498ecd8bac088d20f2b18

SHA256
d3f9c99e0c1c9acd81a1b33bc3dbd305140def90d10485c253cf1d455f0dc903

SHA512
30ca1663d659c5efac7fed3d1aaba81c47d5d5fda77f30f021124c882b858732e17f917bfd0aa3ee7b269fad86e75b1b9388d8f916e7a4e2c9961669f2c772e7

Download Submit
\Users\Admin\AppData\Local\Temp\nsuA9D.tmp\System.dll

Filesize
10KB

MD5
4eff5fafd746f5decb93a44e3a3d570c

SHA1
a11aa7681b7e2df1c7f7492a127d332d1495ea8a

SHA256
cf61ddd15d63c25a12caee70f51ea736cfc02195c42e56ee01b33f689d3754c5

SHA512
cde82d2a1f28506e4c2264f6b82017a00af32f138ebcdbaf4cc58463870fa626f708aa57465294c5a6f096c886841e7b9112b85bf3ea2f1d8f2da816b51b2d72

Download Submit
\Users\Admin\AppData\Local\Temp\nsuA9D.tmp\System.dll

Filesize
10KB

MD5
4eff5fafd746f5decb93a44e3a3d570c

SHA1
a11aa7681b7e2df1c7f7492a127d332d1495ea8a

SHA256
cf61ddd15d63c25a12caee70f51ea736cfc02195c42e56ee01b33f689d3754c5

SHA512
cde82d2a1f28506e4c2264f6b82017a00af32f138ebcdbaf4cc58463870fa626f708aa57465294c5a6f096c886841e7b9112b85bf3ea2f1d8f2da816b51b2d72

Download Submit
\Windows\SysWOW64\flyplug.dll

Filesize
48KB

MD5
3c77f39e597dd78f213b76fcd41ac4b8

SHA1
482488fce9b8e3455282645bb0ef92110423c108

SHA256
ce000e6dcdb6e3b1c412285440e5c5e2761ed048367515289171b905718ef411

SHA512
4d4330af16c174b6dee5e2955f1725bb069c87156e8f6d2a9db268501d967c4f0213469ebeb693da87f1ac8a34d403c9651792b1cc11811d89d8d0741465a645

Download Submit
memory/552-69-0x00000000024B0000-0x00000000024E7000-memory.dmp

Filesize
220KB

Download
memory/552-68-0x00000000024B0000-0x00000000024E7000-memory.dmp

Filesize
220KB

Download
memory/668-138-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/668-70-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/668-133-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2028-54-0x0000000076391000-0x0000000076393000-memory.dmp

Filesize
8KB

Download