blackmoon | 20ba77f7ae1761062acd954a950ca8505ccea819a64ca4f611f1b2bbe2bce98e

Resubmissions

22-07-2023 22:23

230722-2a5vqsce56 10

22-07-2023 22:16

230722-16y7dsce26 10

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2023 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NA_07ed0ef84efce4exe_JC.exe
Size

10.9MB
MD5

07ed0ef84efce475c96e02fc359cf55d
SHA1

68481020b069608200a38e0c8e3549ae1a5e8c9e
SHA256

20ba77f7ae1761062acd954a950ca8505ccea819a64ca4f611f1b2bbe2bce98e
SHA512

cc27062d5eed294fb4f2d78b1fd7013fd0fd63740e8b3a7a9ea6942e87fb967ceb83cafbcf7d1b6f42d0d37cf46150ae9688e0558416c1877ccf890e2379695a
SSDEEP

196608:r4eZJ4ef4eZYAbIsZ9Mo9VP4m9VBkKcvQitGwzFvJwD1apJy9yf2PL9rR33J:X9m8VBUvFtGUK1MTf2j9rn

Score

10^/10

blackmoon gh0strat purplefox banker pyinstaller rat rootkit trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 26 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Âí×ÓÃû³Æ.exe	family_blackmoon
C:\Users\Admin\AppData\Roaming\Âí×ÓÃû³Æ.exe	family_blackmoon
C:\Users\Admin\AppData\Roaming\Âí×ÓÃû³Æ.exe	family_blackmoon
C:\Users\Admin\AppData\Roaming\server.exe	family_blackmoon
C:\Users\Admin\AppData\Roaming\server.exe	family_blackmoon
C:\Users\Admin\AppData\Roaming\server.exe	family_blackmoon
C:\Users\Admin\AppData\Roaming\Kangaroo Patcher.exe	family_blackmoon
C:\Users\Admin\AppData\Roaming\Kangaroo Patcher.exe	family_blackmoon
C:\Users\Admin\AppData\Roaming\server.exe	family_blackmoon
C:\Users\Admin\AppData\Roaming\$234288948	family_blackmoon
C:\Users\Admin\AppData\Roaming\server.exe	family_blackmoon
C:\Users\Admin\AppData\Roaming\$293154325	family_blackmoon
C:\Users\Admin\AppData\Roaming\Âí×ÓÃû³Æ.exe	family_blackmoon
C:\Users\Admin\AppData\Roaming\Kangaroo Patcher.exe	family_blackmoon
C:\Users\Admin\AppData\Roaming\Âí×ÓÃû³Æ.exe	family_blackmoon
C:\Users\Admin\AppData\Roaming\Kangaroo Patcher.exe	family_blackmoon
C:\Users\Admin\AppData\Roaming\server.exe	family_blackmoon
C:\Users\Admin\AppData\Roaming\Kangaroo Patcher.exe	family_blackmoon
C:\Users\Admin\AppData\Roaming\server.exe	family_blackmoon
C:\Users\Admin\AppData\Roaming\Âí×ÓÃû³Æ.exe	family_blackmoon
C:\Users\Admin\AppData\Roaming\server.exe	family_blackmoon
C:\Users\Admin\AppData\Roaming\Kangaroo Patcher.exe	family_blackmoon
C:\Users\Admin\AppData\Roaming\Âí×ÓÃû³Æ.exe	family_blackmoon
C:\Users\Admin\AppData\Roaming\$913271144	family_blackmoon
C:\Users\Admin\AppData\Roaming\Âí×ÓÃû³Æ.exe	family_blackmoon
C:\Users\Admin\AppData\Roaming\Âí×ÓÃû³Æ.exe	family_blackmoon

Detect PurpleFox Rootkit 16 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral1/memory/3328-249-0x0000000010000000-0x00000000101A9000-memory.dmp	purplefox_rootkit
behavioral1/memory/3328-251-0x0000000010000000-0x00000000101A9000-memory.dmp	purplefox_rootkit
behavioral1/memory/1832-252-0x0000000010000000-0x00000000101A9000-memory.dmp	purplefox_rootkit
behavioral1/memory/1832-253-0x0000000010000000-0x00000000101A9000-memory.dmp	purplefox_rootkit
behavioral1/memory/4664-274-0x0000000010000000-0x00000000101A9000-memory.dmp	purplefox_rootkit
behavioral1/memory/3328-269-0x0000000010000000-0x00000000101A9000-memory.dmp	purplefox_rootkit
behavioral1/memory/4664-286-0x0000000010000000-0x00000000101A9000-memory.dmp	purplefox_rootkit
behavioral1/memory/3200-295-0x0000000010000000-0x00000000101A9000-memory.dmp	purplefox_rootkit
behavioral1/memory/3200-301-0x0000000010000000-0x00000000101A9000-memory.dmp	purplefox_rootkit
behavioral1/memory/4772-303-0x0000000010000000-0x00000000101A9000-memory.dmp	purplefox_rootkit
behavioral1/memory/2864-347-0x0000000010000000-0x00000000101A9000-memory.dmp	purplefox_rootkit
behavioral1/memory/1832-350-0x0000000010000000-0x00000000101A9000-memory.dmp	purplefox_rootkit
behavioral1/memory/2864-357-0x0000000010000000-0x00000000101A9000-memory.dmp	purplefox_rootkit
behavioral1/memory/4664-388-0x0000000010000000-0x00000000101A9000-memory.dmp	purplefox_rootkit
behavioral1/memory/4888-516-0x0000000010000000-0x00000000101A9000-memory.dmp	purplefox_rootkit
behavioral1/memory/1612-731-0x0000000010000000-0x00000000101A9000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 16 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3328-249-0x0000000010000000-0x00000000101A9000-memory.dmp	family_gh0strat
behavioral1/memory/3328-251-0x0000000010000000-0x00000000101A9000-memory.dmp	family_gh0strat
behavioral1/memory/1832-252-0x0000000010000000-0x00000000101A9000-memory.dmp	family_gh0strat
behavioral1/memory/1832-253-0x0000000010000000-0x00000000101A9000-memory.dmp	family_gh0strat
behavioral1/memory/4664-274-0x0000000010000000-0x00000000101A9000-memory.dmp	family_gh0strat
behavioral1/memory/3328-269-0x0000000010000000-0x00000000101A9000-memory.dmp	family_gh0strat
behavioral1/memory/4664-286-0x0000000010000000-0x00000000101A9000-memory.dmp	family_gh0strat
behavioral1/memory/3200-295-0x0000000010000000-0x00000000101A9000-memory.dmp	family_gh0strat
behavioral1/memory/3200-301-0x0000000010000000-0x00000000101A9000-memory.dmp	family_gh0strat
behavioral1/memory/4772-303-0x0000000010000000-0x00000000101A9000-memory.dmp	family_gh0strat
behavioral1/memory/2864-347-0x0000000010000000-0x00000000101A9000-memory.dmp	family_gh0strat
behavioral1/memory/1832-350-0x0000000010000000-0x00000000101A9000-memory.dmp	family_gh0strat
behavioral1/memory/2864-357-0x0000000010000000-0x00000000101A9000-memory.dmp	family_gh0strat
behavioral1/memory/4664-388-0x0000000010000000-0x00000000101A9000-memory.dmp	family_gh0strat
behavioral1/memory/4888-516-0x0000000010000000-0x00000000101A9000-memory.dmp	family_gh0strat
behavioral1/memory/1612-731-0x0000000010000000-0x00000000101A9000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Drops file in Drivers directory 1 IoCs

Processes:

SB360.exe

description ioc process

File created C:\Windows\system32\drivers\QAssist.sys SB360.exe

description	ioc	process
File created	C:\Windows\system32\drivers\QAssist.sys	SB360.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

server.exeKangaroo Patcher.exeserver.exeserver.exeNA_07ed0ef84efce4exe_JC.exeKangaroo Patcher.exeKangaroo Patcher.exeserver.exeKangaroo Patcher.exeserver.exeKangaroo Patcher.exeserver.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	Kangaroo Patcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	NA_07ed0ef84efce4exe_JC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	Kangaroo Patcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	Kangaroo Patcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	Kangaroo Patcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	Kangaroo Patcher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation	server.exe

Executes dropped EXE 26 IoCs

Processes:

Âí×ÓÃû³Æ.exeserver.exeKangaroo Patcher.exeserver.exeKangaroo Patcher.exeÂí×ÓÃû³Æ.exeSB360.exeserver.exeÂí×ÓÃû³Æ.exeSB360.exeKangaroo Patcher.exeserver.exeÂí×ÓÃû³Æ.exeKangaroo Patcher.exeSB360.exeserver.exeÂí×ÓÃû³Æ.exeKangaroo Patcher.exeserver.exeSB360.exeÂí×ÓÃû³Æ.exeSB360.exeÂí×ÓÃû³Æ.exeSB360.exesainbox.exesainbox.exe

pid	process
1324	Âí×ÓÃû³Æ.exe
3020	server.exe
2752	Kangaroo Patcher.exe
3324	server.exe
4216	Kangaroo Patcher.exe
2940	Âí×ÓÃû³Æ.exe
1832	SB360.exe
5092	server.exe
3480	Âí×ÓÃû³Æ.exe
3328	SB360.exe
4868	Kangaroo Patcher.exe
1368	server.exe
4148	Âí×ÓÃû³Æ.exe
3440	Kangaroo Patcher.exe
4664	SB360.exe
2868	server.exe
4440	Âí×ÓÃû³Æ.exe
3408	Kangaroo Patcher.exe
4940	server.exe
4772	SB360.exe
4368	Âí×ÓÃû³Æ.exe
3200	SB360.exe
3796	Âí×ÓÃû³Æ.exe
4888	SB360.exe
2864	sainbox.exe
1612	sainbox.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3328-244-0x0000000010000000-0x00000000101A9000-memory.dmp	upx
behavioral1/memory/1832-245-0x0000000010000000-0x00000000101A9000-memory.dmp	upx
behavioral1/memory/3328-249-0x0000000010000000-0x00000000101A9000-memory.dmp	upx
behavioral1/memory/3328-251-0x0000000010000000-0x00000000101A9000-memory.dmp	upx
behavioral1/memory/1832-252-0x0000000010000000-0x00000000101A9000-memory.dmp	upx
behavioral1/memory/1832-253-0x0000000010000000-0x00000000101A9000-memory.dmp	upx
behavioral1/memory/4664-274-0x0000000010000000-0x00000000101A9000-memory.dmp	upx
behavioral1/memory/3328-269-0x0000000010000000-0x00000000101A9000-memory.dmp	upx
behavioral1/memory/4664-286-0x0000000010000000-0x00000000101A9000-memory.dmp	upx
behavioral1/memory/3200-295-0x0000000010000000-0x00000000101A9000-memory.dmp	upx
behavioral1/memory/3200-301-0x0000000010000000-0x00000000101A9000-memory.dmp	upx
behavioral1/memory/4772-303-0x0000000010000000-0x00000000101A9000-memory.dmp	upx
behavioral1/memory/2864-347-0x0000000010000000-0x00000000101A9000-memory.dmp	upx
behavioral1/memory/1832-350-0x0000000010000000-0x00000000101A9000-memory.dmp	upx
behavioral1/memory/2864-357-0x0000000010000000-0x00000000101A9000-memory.dmp	upx
behavioral1/memory/4664-388-0x0000000010000000-0x00000000101A9000-memory.dmp	upx
behavioral1/memory/4888-516-0x0000000010000000-0x00000000101A9000-memory.dmp	upx
behavioral1/memory/1612-731-0x0000000010000000-0x00000000101A9000-memory.dmp	upx

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SB360.exe

description	ioc	process
File opened (read-only)	\??\X:	SB360.exe
File opened (read-only)	\??\Z:	SB360.exe
File opened (read-only)	\??\B:	SB360.exe
File opened (read-only)	\??\N:	SB360.exe
File opened (read-only)	\??\W:	SB360.exe
File opened (read-only)	\??\O:	SB360.exe
File opened (read-only)	\??\I:	SB360.exe
File opened (read-only)	\??\L:	SB360.exe
File opened (read-only)	\??\M:	SB360.exe
File opened (read-only)	\??\K:	SB360.exe
File opened (read-only)	\??\Q:	SB360.exe
File opened (read-only)	\??\R:	SB360.exe
File opened (read-only)	\??\S:	SB360.exe
File opened (read-only)	\??\T:	SB360.exe
File opened (read-only)	\??\E:	SB360.exe
File opened (read-only)	\??\G:	SB360.exe
File opened (read-only)	\??\H:	SB360.exe
File opened (read-only)	\??\U:	SB360.exe
File opened (read-only)	\??\V:	SB360.exe
File opened (read-only)	\??\Y:	SB360.exe
File opened (read-only)	\??\J:	SB360.exe
File opened (read-only)	\??\P:	SB360.exe

Drops file in System32 directory 4 IoCs

Processes:

SB360.exeSB360.exe

description	ioc	process
File created	C:\Windows\SysWOW64\sainbox.exe	SB360.exe
File opened for modification	C:\Windows\SysWOW64\sainbox.exe	SB360.exe
File created	C:\Windows\SysWOW64\sainbox.exe	SB360.exe
File opened for modification	C:\Windows\SysWOW64\sainbox.exe	SB360.exe

Detects Pyinstaller 8 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\server.exe	pyinstaller
C:\Users\Admin\AppData\Roaming\server.exe	pyinstaller
C:\Users\Admin\AppData\Roaming\server.exe	pyinstaller
C:\Users\Admin\AppData\Roaming\server.exe	pyinstaller
C:\Users\Admin\AppData\Roaming\server.exe	pyinstaller
C:\Users\Admin\AppData\Roaming\server.exe	pyinstaller
C:\Users\Admin\AppData\Roaming\server.exe	pyinstaller
C:\Users\Admin\AppData\Roaming\server.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SB360.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SB360.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	SB360.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

3872 PING.EXE
1036 PING.EXE

pid	process
3872	PING.EXE
1036	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exeSB360.exe

pid	process
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe
4664	SB360.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

1732 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

taskmgr.exeSB360.exeSB360.exeSB360.exe

description	pid	process
Token: SeDebugPrivilege	1732	taskmgr.exe
Token: SeSystemProfilePrivilege	1732	taskmgr.exe
Token: SeCreateGlobalPrivilege	1732	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3328	SB360.exe
Token: SeIncBasePriorityPrivilege	1832	SB360.exe
Token: 33	4664	SB360.exe
Token: SeIncBasePriorityPrivilege	4664	SB360.exe
Token: 33	4664	SB360.exe
Token: SeIncBasePriorityPrivilege	4664	SB360.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe
1732	taskmgr.exe

Suspicious use of SetWindowsHookEx 38 IoCs

Processes:

NA_07ed0ef84efce4exe_JC.exeÂí×ÓÃû³Æ.exeserver.exeKangaroo Patcher.exeserver.exeKangaroo Patcher.exeÂí×ÓÃû³Æ.exeserver.exeÂí×ÓÃû³Æ.exeKangaroo Patcher.exeserver.exeÂí×ÓÃû³Æ.exeKangaroo Patcher.exeserver.exeÂí×ÓÃû³Æ.exeserver.exeKangaroo Patcher.exeÂí×ÓÃû³Æ.exeÂí×ÓÃû³Æ.exe

pid	process
2712	NA_07ed0ef84efce4exe_JC.exe
2712	NA_07ed0ef84efce4exe_JC.exe
1324	Âí×ÓÃû³Æ.exe
1324	Âí×ÓÃû³Æ.exe
3020	server.exe
3020	server.exe
2752	Kangaroo Patcher.exe
2752	Kangaroo Patcher.exe
3324	server.exe
3324	server.exe
4216	Kangaroo Patcher.exe
4216	Kangaroo Patcher.exe
2940	Âí×ÓÃû³Æ.exe
2940	Âí×ÓÃû³Æ.exe
5092	server.exe
5092	server.exe
3480	Âí×ÓÃû³Æ.exe
3480	Âí×ÓÃû³Æ.exe
4868	Kangaroo Patcher.exe
4868	Kangaroo Patcher.exe
1368	server.exe
1368	server.exe
4148	Âí×ÓÃû³Æ.exe
4148	Âí×ÓÃû³Æ.exe
3440	Kangaroo Patcher.exe
3440	Kangaroo Patcher.exe
2868	server.exe
2868	server.exe
4440	Âí×ÓÃû³Æ.exe
4440	Âí×ÓÃû³Æ.exe
4940	server.exe
3408	Kangaroo Patcher.exe
4940	server.exe
3408	Kangaroo Patcher.exe
4368	Âí×ÓÃû³Æ.exe
3796	Âí×ÓÃû³Æ.exe
4368	Âí×ÓÃû³Æ.exe
3796	Âí×ÓÃû³Æ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

NA_07ed0ef84efce4exe_JC.exeserver.exeserver.exeKangaroo Patcher.exeKangaroo Patcher.exeserver.exeKangaroo Patcher.exeserver.exeKangaroo Patcher.exeserver.exeKangaroo Patcher.exe

description	pid	process	target process
PID 2712 wrote to memory of 1324	2712	NA_07ed0ef84efce4exe_JC.exe	Âí×ÓÃû³Æ.exe
PID 2712 wrote to memory of 1324	2712	NA_07ed0ef84efce4exe_JC.exe	Âí×ÓÃû³Æ.exe
PID 2712 wrote to memory of 1324	2712	NA_07ed0ef84efce4exe_JC.exe	Âí×ÓÃû³Æ.exe
PID 2712 wrote to memory of 3020	2712	NA_07ed0ef84efce4exe_JC.exe	server.exe
PID 2712 wrote to memory of 3020	2712	NA_07ed0ef84efce4exe_JC.exe	server.exe
PID 2712 wrote to memory of 3020	2712	NA_07ed0ef84efce4exe_JC.exe	server.exe
PID 3020 wrote to memory of 2752	3020	server.exe	Kangaroo Patcher.exe
PID 3020 wrote to memory of 2752	3020	server.exe	Kangaroo Patcher.exe
PID 3020 wrote to memory of 2752	3020	server.exe	Kangaroo Patcher.exe
PID 3020 wrote to memory of 3324	3020	server.exe	server.exe
PID 3020 wrote to memory of 3324	3020	server.exe	server.exe
PID 3020 wrote to memory of 3324	3020	server.exe	server.exe
PID 3324 wrote to memory of 4216	3324	server.exe	Kangaroo Patcher.exe
PID 3324 wrote to memory of 4216	3324	server.exe	Kangaroo Patcher.exe
PID 3324 wrote to memory of 4216	3324	server.exe	Kangaroo Patcher.exe
PID 2752 wrote to memory of 2940	2752	Kangaroo Patcher.exe	Âí×ÓÃû³Æ.exe
PID 2752 wrote to memory of 2940	2752	Kangaroo Patcher.exe	Âí×ÓÃû³Æ.exe
PID 2752 wrote to memory of 2940	2752	Kangaroo Patcher.exe	Âí×ÓÃû³Æ.exe
PID 2752 wrote to memory of 1832	2752	Kangaroo Patcher.exe	SB360.exe
PID 2752 wrote to memory of 1832	2752	Kangaroo Patcher.exe	SB360.exe
PID 2752 wrote to memory of 1832	2752	Kangaroo Patcher.exe	SB360.exe
PID 3324 wrote to memory of 5092	3324	server.exe	server.exe
PID 3324 wrote to memory of 5092	3324	server.exe	server.exe
PID 3324 wrote to memory of 5092	3324	server.exe	server.exe
PID 4216 wrote to memory of 3480	4216	Kangaroo Patcher.exe	Âí×ÓÃû³Æ.exe
PID 4216 wrote to memory of 3480	4216	Kangaroo Patcher.exe	Âí×ÓÃû³Æ.exe
PID 4216 wrote to memory of 3480	4216	Kangaroo Patcher.exe	Âí×ÓÃû³Æ.exe
PID 4216 wrote to memory of 3328	4216	Kangaroo Patcher.exe	SB360.exe
PID 4216 wrote to memory of 3328	4216	Kangaroo Patcher.exe	SB360.exe
PID 4216 wrote to memory of 3328	4216	Kangaroo Patcher.exe	SB360.exe
PID 5092 wrote to memory of 4868	5092	server.exe	Kangaroo Patcher.exe
PID 5092 wrote to memory of 4868	5092	server.exe	Kangaroo Patcher.exe
PID 5092 wrote to memory of 4868	5092	server.exe	Kangaroo Patcher.exe
PID 5092 wrote to memory of 1368	5092	server.exe	server.exe
PID 5092 wrote to memory of 1368	5092	server.exe	server.exe
PID 5092 wrote to memory of 1368	5092	server.exe	server.exe
PID 4868 wrote to memory of 4148	4868	Kangaroo Patcher.exe	Âí×ÓÃû³Æ.exe
PID 4868 wrote to memory of 4148	4868	Kangaroo Patcher.exe	Âí×ÓÃû³Æ.exe
PID 4868 wrote to memory of 4148	4868	Kangaroo Patcher.exe	Âí×ÓÃû³Æ.exe
PID 1368 wrote to memory of 3440	1368	server.exe	Kangaroo Patcher.exe
PID 1368 wrote to memory of 3440	1368	server.exe	Kangaroo Patcher.exe
PID 1368 wrote to memory of 3440	1368	server.exe	Kangaroo Patcher.exe
PID 4868 wrote to memory of 4664	4868	Kangaroo Patcher.exe	SB360.exe
PID 4868 wrote to memory of 4664	4868	Kangaroo Patcher.exe	SB360.exe
PID 4868 wrote to memory of 4664	4868	Kangaroo Patcher.exe	SB360.exe
PID 1368 wrote to memory of 2868	1368	server.exe	server.exe
PID 1368 wrote to memory of 2868	1368	server.exe	server.exe
PID 1368 wrote to memory of 2868	1368	server.exe	server.exe
PID 3440 wrote to memory of 4440	3440	Kangaroo Patcher.exe	Âí×ÓÃû³Æ.exe
PID 3440 wrote to memory of 4440	3440	Kangaroo Patcher.exe	Âí×ÓÃû³Æ.exe
PID 3440 wrote to memory of 4440	3440	Kangaroo Patcher.exe	Âí×ÓÃû³Æ.exe
PID 3440 wrote to memory of 4772	3440	Kangaroo Patcher.exe	SB360.exe
PID 3440 wrote to memory of 4772	3440	Kangaroo Patcher.exe	SB360.exe
PID 3440 wrote to memory of 4772	3440	Kangaroo Patcher.exe	SB360.exe
PID 2868 wrote to memory of 3408	2868	server.exe	Kangaroo Patcher.exe
PID 2868 wrote to memory of 3408	2868	server.exe	Kangaroo Patcher.exe
PID 2868 wrote to memory of 3408	2868	server.exe	Kangaroo Patcher.exe
PID 2868 wrote to memory of 4940	2868	server.exe	server.exe
PID 2868 wrote to memory of 4940	2868	server.exe	server.exe
PID 2868 wrote to memory of 4940	2868	server.exe	server.exe
PID 3408 wrote to memory of 4368	3408	Kangaroo Patcher.exe	Âí×ÓÃû³Æ.exe
PID 3408 wrote to memory of 4368	3408	Kangaroo Patcher.exe	Âí×ÓÃû³Æ.exe
PID 3408 wrote to memory of 4368	3408	Kangaroo Patcher.exe	Âí×ÓÃû³Æ.exe
PID 3408 wrote to memory of 3200	3408	Kangaroo Patcher.exe	SB360.exe

C:\Users\Admin\AppData\Local\Temp\NA_07ed0ef84efce4exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NA_07ed0ef84efce4exe_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Users\Admin\AppData\Roaming\Âí×ÓÃû³Æ.exe
  "C:\Users\Admin\AppData\Roaming\Âí×ÓÃû³Æ.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1324
- C:\Users\Admin\AppData\Roaming\server.exe
  "C:\Users\Admin\AppData\Roaming\server.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Users\Admin\AppData\Roaming\Kangaroo Patcher.exe
    "C:\Users\Admin\AppData\Roaming\Kangaroo Patcher.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Users\Admin\AppData\Roaming\Âí×ÓÃû³Æ.exe
      "C:\Users\Admin\AppData\Roaming\Âí×ÓÃû³Æ.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2940
  - - C:\Users\Admin\AppData\Roaming\SB360.exe
      "C:\Users\Admin\AppData\Roaming\SB360.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      PID:1832
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Roaming\SB360.exe > nul
        5⤵
        
        PID:4404
      - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:3872
- - C:\Users\Admin\AppData\Roaming\server.exe
    "C:\Users\Admin\AppData\Roaming\server.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3324
  - - C:\Users\Admin\AppData\Roaming\Kangaroo Patcher.exe
      "C:\Users\Admin\AppData\Roaming\Kangaroo Patcher.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4216
    - - C:\Users\Admin\AppData\Roaming\SB360.exe
        
        "C:\Users\Admin\AppData\Roaming\SB360.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3328
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Roaming\SB360.exe > nul
        6⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping -n 2 127.0.0.1
        7⤵
        Runs ping.exe
        
        PID:1036
    - - C:\Users\Admin\AppData\Roaming\Âí×ÓÃû³Æ.exe
        
        "C:\Users\Admin\AppData\Roaming\Âí×ÓÃû³Æ.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3480
  - - C:\Users\Admin\AppData\Roaming\server.exe
      "C:\Users\Admin\AppData\Roaming\server.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5092
    - - C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1368
      - C:\Users\Admin\AppData\Roaming\Kangaroo Patcher.exe
        
        "C:\Users\Admin\AppData\Roaming\Kangaroo Patcher.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3440
        
        C:\Users\Admin\AppData\Roaming\Âí×ÓÃû³Æ.exe
        
        "C:\Users\Admin\AppData\Roaming\Âí×ÓÃû³Æ.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4440
        
        C:\Users\Admin\AppData\Roaming\SB360.exe
        
        "C:\Users\Admin\AppData\Roaming\SB360.exe"
        7⤵
        Executes dropped EXE
        
        PID:4772
      - C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Users\Admin\AppData\Roaming\server.exe
        
        "C:\Users\Admin\AppData\Roaming\server.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4940
        
        C:\Users\Admin\AppData\Roaming\Âí×ÓÃû³Æ.exe
        
        "C:\Users\Admin\AppData\Roaming\Âí×ÓÃû³Æ.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3796
        
        C:\Users\Admin\AppData\Roaming\SB360.exe
        
        "C:\Users\Admin\AppData\Roaming\SB360.exe"
        8⤵
        Executes dropped EXE
        
        PID:4888
        
        C:\Users\Admin\AppData\Roaming\Kangaroo Patcher.exe
        
        "C:\Users\Admin\AppData\Roaming\Kangaroo Patcher.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Users\Admin\AppData\Roaming\Âí×ÓÃû³Æ.exe
        
        "C:\Users\Admin\AppData\Roaming\Âí×ÓÃû³Æ.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4368
        
        C:\Users\Admin\AppData\Roaming\SB360.exe
        
        "C:\Users\Admin\AppData\Roaming\SB360.exe"
        8⤵
        Executes dropped EXE
        
        PID:3200
    - - C:\Users\Admin\AppData\Roaming\Kangaroo Patcher.exe
        
        "C:\Users\Admin\AppData\Roaming\Kangaroo Patcher.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4868
      - C:\Users\Admin\AppData\Roaming\Âí×ÓÃû³Æ.exe
        
        "C:\Users\Admin\AppData\Roaming\Âí×ÓÃû³Æ.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4148
      - C:\Users\Admin\AppData\Roaming\SB360.exe
        
        "C:\Users\Admin\AppData\Roaming\SB360.exe"
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Enumerates connected drives
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4664

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1732

C:\Windows\SysWOW64\sainbox.exe
C:\Windows\SysWOW64\sainbox.exe -auto
1⤵
- Executes dropped EXE
PID:2864
- C:\Windows\SysWOW64\sainbox.exe
  C:\Windows\SysWOW64\sainbox.exe -acsi
  2⤵
  - Executes dropped EXE
  PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\$234288948

Filesize
1.3MB

MD5
8fb835613f3ec281757cc8c7065f8780

SHA1
ffa85853c1b0ae80f0962b647fa021bdf1bb2dec

SHA256
f26809f27004346fd892a7bb7889eb84d36497c2b1f79a4825d03933c9282817

SHA512
0ac5e4ebe12c444f8830f24b8f2ce63f0fb88734e4500f0b90af966aa20e5de2ea5b139fbd1e3cb455a246f05dbe7c33ef8a076219edc139af2eaed553406fcd

Download Submit
C:\Users\Admin\AppData\Roaming\$293154325

Filesize
8.3MB

MD5
6ce9ff00d5bd7c07b3cd2b0205a11368

SHA1
686de4025c0f71e9976f33d2cbc10fe1d477660d

SHA256
cca72d45a6b2be7a889b190fb35c64050ede4efef09307959772a13eb1c9c07d

SHA512
998a6ca37a88937c70ef19a316d31433c5d5d88843179d3e0ee77c514a76e298e69662bfd9499a2c6d16bb9b76cccc564c946e08cb138d987da75937246e8ecf

Download Submit
C:\Users\Admin\AppData\Roaming\$913271144

Filesize
1.3MB

MD5
8fb835613f3ec281757cc8c7065f8780

SHA1
ffa85853c1b0ae80f0962b647fa021bdf1bb2dec

SHA256
f26809f27004346fd892a7bb7889eb84d36497c2b1f79a4825d03933c9282817

SHA512
0ac5e4ebe12c444f8830f24b8f2ce63f0fb88734e4500f0b90af966aa20e5de2ea5b139fbd1e3cb455a246f05dbe7c33ef8a076219edc139af2eaed553406fcd

Download Submit
C:\Users\Admin\AppData\Roaming\Kangaroo Patcher.exe

Filesize
2.1MB

MD5
efee6b6b8d2fc9e3a441400808e6b032

SHA1
371aee8135a93f13799ead9b4e1980cdcfb10163

SHA256
99a9780f5fe74d7f4b43c385535e4c13c18acea1be86fd29097a5a309ba833c8

SHA512
32f5454e4a97287744101af238d261f2ef08034fd679bc568d254126940fe2daa223485225b83487aa34d9f0aee01f83a9bbece0ddf5235102736e4d2bde4d18

Download Submit
C:\Users\Admin\AppData\Roaming\Kangaroo Patcher.exe

Filesize
2.1MB

MD5
efee6b6b8d2fc9e3a441400808e6b032

SHA1
371aee8135a93f13799ead9b4e1980cdcfb10163

SHA256
99a9780f5fe74d7f4b43c385535e4c13c18acea1be86fd29097a5a309ba833c8

SHA512
32f5454e4a97287744101af238d261f2ef08034fd679bc568d254126940fe2daa223485225b83487aa34d9f0aee01f83a9bbece0ddf5235102736e4d2bde4d18

Download Submit
C:\Users\Admin\AppData\Roaming\Kangaroo Patcher.exe

Filesize
2.1MB

MD5
efee6b6b8d2fc9e3a441400808e6b032

SHA1
371aee8135a93f13799ead9b4e1980cdcfb10163

SHA256
99a9780f5fe74d7f4b43c385535e4c13c18acea1be86fd29097a5a309ba833c8

SHA512
32f5454e4a97287744101af238d261f2ef08034fd679bc568d254126940fe2daa223485225b83487aa34d9f0aee01f83a9bbece0ddf5235102736e4d2bde4d18

Download Submit
C:\Users\Admin\AppData\Roaming\Kangaroo Patcher.exe

Filesize
2.1MB

MD5
efee6b6b8d2fc9e3a441400808e6b032

SHA1
371aee8135a93f13799ead9b4e1980cdcfb10163

SHA256
99a9780f5fe74d7f4b43c385535e4c13c18acea1be86fd29097a5a309ba833c8

SHA512
32f5454e4a97287744101af238d261f2ef08034fd679bc568d254126940fe2daa223485225b83487aa34d9f0aee01f83a9bbece0ddf5235102736e4d2bde4d18

Download Submit
C:\Users\Admin\AppData\Roaming\Kangaroo Patcher.exe

Filesize
2.1MB

MD5
efee6b6b8d2fc9e3a441400808e6b032

SHA1
371aee8135a93f13799ead9b4e1980cdcfb10163

SHA256
99a9780f5fe74d7f4b43c385535e4c13c18acea1be86fd29097a5a309ba833c8

SHA512
32f5454e4a97287744101af238d261f2ef08034fd679bc568d254126940fe2daa223485225b83487aa34d9f0aee01f83a9bbece0ddf5235102736e4d2bde4d18

Download Submit
C:\Users\Admin\AppData\Roaming\Kangaroo Patcher.exe

Filesize
2.1MB

MD5
efee6b6b8d2fc9e3a441400808e6b032

SHA1
371aee8135a93f13799ead9b4e1980cdcfb10163

SHA256
99a9780f5fe74d7f4b43c385535e4c13c18acea1be86fd29097a5a309ba833c8

SHA512
32f5454e4a97287744101af238d261f2ef08034fd679bc568d254126940fe2daa223485225b83487aa34d9f0aee01f83a9bbece0ddf5235102736e4d2bde4d18

Download Submit
C:\Users\Admin\AppData\Roaming\SB360.exe

Filesize
374KB

MD5
aad528b5e838187025e70b9e1756d963

SHA1
645d3f3476def4075e92fef334b3979feec9adcb

SHA256
50f19e9b5313314d38b6cd17e8c98ca058aac64831cd1b8e539834763abf90d9

SHA512
69edffdf85332cda64a7e06ac7f2a0ba096c5810114b712bcd251e5cc6d571576696d38fdfbd808db79db1e4cb22fdd46d8d273983692db44ac759f2f745fda0

Download Submit
C:\Users\Admin\AppData\Roaming\SB360.exe

Filesize
374KB

MD5
aad528b5e838187025e70b9e1756d963

SHA1
645d3f3476def4075e92fef334b3979feec9adcb

SHA256
50f19e9b5313314d38b6cd17e8c98ca058aac64831cd1b8e539834763abf90d9

SHA512
69edffdf85332cda64a7e06ac7f2a0ba096c5810114b712bcd251e5cc6d571576696d38fdfbd808db79db1e4cb22fdd46d8d273983692db44ac759f2f745fda0

Download Submit
C:\Users\Admin\AppData\Roaming\SB360.exe

Filesize
374KB

MD5
aad528b5e838187025e70b9e1756d963

SHA1
645d3f3476def4075e92fef334b3979feec9adcb

SHA256
50f19e9b5313314d38b6cd17e8c98ca058aac64831cd1b8e539834763abf90d9

SHA512
69edffdf85332cda64a7e06ac7f2a0ba096c5810114b712bcd251e5cc6d571576696d38fdfbd808db79db1e4cb22fdd46d8d273983692db44ac759f2f745fda0

Download Submit
C:\Users\Admin\AppData\Roaming\SB360.exe

Filesize
374KB

MD5
aad528b5e838187025e70b9e1756d963

SHA1
645d3f3476def4075e92fef334b3979feec9adcb

SHA256
50f19e9b5313314d38b6cd17e8c98ca058aac64831cd1b8e539834763abf90d9

SHA512
69edffdf85332cda64a7e06ac7f2a0ba096c5810114b712bcd251e5cc6d571576696d38fdfbd808db79db1e4cb22fdd46d8d273983692db44ac759f2f745fda0

Download Submit
C:\Users\Admin\AppData\Roaming\SB360.exe

Filesize
374KB

MD5
aad528b5e838187025e70b9e1756d963

SHA1
645d3f3476def4075e92fef334b3979feec9adcb

SHA256
50f19e9b5313314d38b6cd17e8c98ca058aac64831cd1b8e539834763abf90d9

SHA512
69edffdf85332cda64a7e06ac7f2a0ba096c5810114b712bcd251e5cc6d571576696d38fdfbd808db79db1e4cb22fdd46d8d273983692db44ac759f2f745fda0

Download Submit
C:\Users\Admin\AppData\Roaming\SB360.exe

Filesize
374KB

MD5
aad528b5e838187025e70b9e1756d963

SHA1
645d3f3476def4075e92fef334b3979feec9adcb

SHA256
50f19e9b5313314d38b6cd17e8c98ca058aac64831cd1b8e539834763abf90d9

SHA512
69edffdf85332cda64a7e06ac7f2a0ba096c5810114b712bcd251e5cc6d571576696d38fdfbd808db79db1e4cb22fdd46d8d273983692db44ac759f2f745fda0

Download Submit
C:\Users\Admin\AppData\Roaming\SB360.exe

Filesize
374KB

MD5
aad528b5e838187025e70b9e1756d963

SHA1
645d3f3476def4075e92fef334b3979feec9adcb

SHA256
50f19e9b5313314d38b6cd17e8c98ca058aac64831cd1b8e539834763abf90d9

SHA512
69edffdf85332cda64a7e06ac7f2a0ba096c5810114b712bcd251e5cc6d571576696d38fdfbd808db79db1e4cb22fdd46d8d273983692db44ac759f2f745fda0

Download Submit
C:\Users\Admin\AppData\Roaming\SB360.exe

Filesize
374KB

MD5
aad528b5e838187025e70b9e1756d963

SHA1
645d3f3476def4075e92fef334b3979feec9adcb

SHA256
50f19e9b5313314d38b6cd17e8c98ca058aac64831cd1b8e539834763abf90d9

SHA512
69edffdf85332cda64a7e06ac7f2a0ba096c5810114b712bcd251e5cc6d571576696d38fdfbd808db79db1e4cb22fdd46d8d273983692db44ac759f2f745fda0

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe

Filesize
9.1MB

MD5
32b306617fb5452b340a5ee71cb7a380

SHA1
ca7848eb2cfa9c5b5935d0a744a4a67dbe35b82b

SHA256
0733ddf66052afec53c21e710a43d8fc002cbb0c2f0bbea0f792bbd2d2d6e309

SHA512
ebb9af09cc54e4b17fc9108b8349dd5c3752d566773ab442f15177669a0d960676865ef8a8058889a3091be62c4398e7d8c963c098e49ae5ef4de0ba015a2318

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe

Filesize
9.1MB

MD5
32b306617fb5452b340a5ee71cb7a380

SHA1
ca7848eb2cfa9c5b5935d0a744a4a67dbe35b82b

SHA256
0733ddf66052afec53c21e710a43d8fc002cbb0c2f0bbea0f792bbd2d2d6e309

SHA512
ebb9af09cc54e4b17fc9108b8349dd5c3752d566773ab442f15177669a0d960676865ef8a8058889a3091be62c4398e7d8c963c098e49ae5ef4de0ba015a2318

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe

Filesize
9.1MB

MD5
32b306617fb5452b340a5ee71cb7a380

SHA1
ca7848eb2cfa9c5b5935d0a744a4a67dbe35b82b

SHA256
0733ddf66052afec53c21e710a43d8fc002cbb0c2f0bbea0f792bbd2d2d6e309

SHA512
ebb9af09cc54e4b17fc9108b8349dd5c3752d566773ab442f15177669a0d960676865ef8a8058889a3091be62c4398e7d8c963c098e49ae5ef4de0ba015a2318

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe

Filesize
9.1MB

MD5
32b306617fb5452b340a5ee71cb7a380

SHA1
ca7848eb2cfa9c5b5935d0a744a4a67dbe35b82b

SHA256
0733ddf66052afec53c21e710a43d8fc002cbb0c2f0bbea0f792bbd2d2d6e309

SHA512
ebb9af09cc54e4b17fc9108b8349dd5c3752d566773ab442f15177669a0d960676865ef8a8058889a3091be62c4398e7d8c963c098e49ae5ef4de0ba015a2318

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe

Filesize
9.1MB

MD5
32b306617fb5452b340a5ee71cb7a380

SHA1
ca7848eb2cfa9c5b5935d0a744a4a67dbe35b82b

SHA256
0733ddf66052afec53c21e710a43d8fc002cbb0c2f0bbea0f792bbd2d2d6e309

SHA512
ebb9af09cc54e4b17fc9108b8349dd5c3752d566773ab442f15177669a0d960676865ef8a8058889a3091be62c4398e7d8c963c098e49ae5ef4de0ba015a2318

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe

Filesize
9.1MB

MD5
32b306617fb5452b340a5ee71cb7a380

SHA1
ca7848eb2cfa9c5b5935d0a744a4a67dbe35b82b

SHA256
0733ddf66052afec53c21e710a43d8fc002cbb0c2f0bbea0f792bbd2d2d6e309

SHA512
ebb9af09cc54e4b17fc9108b8349dd5c3752d566773ab442f15177669a0d960676865ef8a8058889a3091be62c4398e7d8c963c098e49ae5ef4de0ba015a2318

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe

Filesize
9.1MB

MD5
32b306617fb5452b340a5ee71cb7a380

SHA1
ca7848eb2cfa9c5b5935d0a744a4a67dbe35b82b

SHA256
0733ddf66052afec53c21e710a43d8fc002cbb0c2f0bbea0f792bbd2d2d6e309

SHA512
ebb9af09cc54e4b17fc9108b8349dd5c3752d566773ab442f15177669a0d960676865ef8a8058889a3091be62c4398e7d8c963c098e49ae5ef4de0ba015a2318

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe

Filesize
9.1MB

MD5
32b306617fb5452b340a5ee71cb7a380

SHA1
ca7848eb2cfa9c5b5935d0a744a4a67dbe35b82b

SHA256
0733ddf66052afec53c21e710a43d8fc002cbb0c2f0bbea0f792bbd2d2d6e309

SHA512
ebb9af09cc54e4b17fc9108b8349dd5c3752d566773ab442f15177669a0d960676865ef8a8058889a3091be62c4398e7d8c963c098e49ae5ef4de0ba015a2318

Download Submit
C:\Users\Admin\AppData\Roaming\Âí×ÓÃû³Æ.exe

Filesize
948KB

MD5
0489bda6335df6665a899fa6d2760e43

SHA1
5e06c49f447711edca4f0362ec1b5f33fac10daa

SHA256
fd779bb07c23405c07c26de9bfa3364d22daafd3f59b33fa27647fc2db972236

SHA512
b497b5dccfd1311d3d99c701842ed02f4f5d1aecf25a4dc1eecf797b273bc260a2937129b10a5ebf0d8bf5372e60f71777b4e572ab67009ccbcc1657afd5bc02

Download Submit
C:\Users\Admin\AppData\Roaming\Âí×ÓÃû³Æ.exe

Filesize
948KB

MD5
0489bda6335df6665a899fa6d2760e43

SHA1
5e06c49f447711edca4f0362ec1b5f33fac10daa

SHA256
fd779bb07c23405c07c26de9bfa3364d22daafd3f59b33fa27647fc2db972236

SHA512
b497b5dccfd1311d3d99c701842ed02f4f5d1aecf25a4dc1eecf797b273bc260a2937129b10a5ebf0d8bf5372e60f71777b4e572ab67009ccbcc1657afd5bc02

Download Submit
C:\Users\Admin\AppData\Roaming\Âí×ÓÃû³Æ.exe

Filesize
948KB

MD5
0489bda6335df6665a899fa6d2760e43

SHA1
5e06c49f447711edca4f0362ec1b5f33fac10daa

SHA256
fd779bb07c23405c07c26de9bfa3364d22daafd3f59b33fa27647fc2db972236

SHA512
b497b5dccfd1311d3d99c701842ed02f4f5d1aecf25a4dc1eecf797b273bc260a2937129b10a5ebf0d8bf5372e60f71777b4e572ab67009ccbcc1657afd5bc02

Download Submit
C:\Users\Admin\AppData\Roaming\Âí×ÓÃû³Æ.exe

Filesize
948KB

MD5
0489bda6335df6665a899fa6d2760e43

SHA1
5e06c49f447711edca4f0362ec1b5f33fac10daa

SHA256
fd779bb07c23405c07c26de9bfa3364d22daafd3f59b33fa27647fc2db972236

SHA512
b497b5dccfd1311d3d99c701842ed02f4f5d1aecf25a4dc1eecf797b273bc260a2937129b10a5ebf0d8bf5372e60f71777b4e572ab67009ccbcc1657afd5bc02

Download Submit
C:\Users\Admin\AppData\Roaming\Âí×ÓÃû³Æ.exe

Filesize
948KB

MD5
0489bda6335df6665a899fa6d2760e43

SHA1
5e06c49f447711edca4f0362ec1b5f33fac10daa

SHA256
fd779bb07c23405c07c26de9bfa3364d22daafd3f59b33fa27647fc2db972236

SHA512
b497b5dccfd1311d3d99c701842ed02f4f5d1aecf25a4dc1eecf797b273bc260a2937129b10a5ebf0d8bf5372e60f71777b4e572ab67009ccbcc1657afd5bc02

Download Submit
C:\Users\Admin\AppData\Roaming\Âí×ÓÃû³Æ.exe

Filesize
948KB

MD5
0489bda6335df6665a899fa6d2760e43

SHA1
5e06c49f447711edca4f0362ec1b5f33fac10daa

SHA256
fd779bb07c23405c07c26de9bfa3364d22daafd3f59b33fa27647fc2db972236

SHA512
b497b5dccfd1311d3d99c701842ed02f4f5d1aecf25a4dc1eecf797b273bc260a2937129b10a5ebf0d8bf5372e60f71777b4e572ab67009ccbcc1657afd5bc02

Download Submit
C:\Users\Admin\AppData\Roaming\Âí×ÓÃû³Æ.exe

Filesize
948KB

MD5
0489bda6335df6665a899fa6d2760e43

SHA1
5e06c49f447711edca4f0362ec1b5f33fac10daa

SHA256
fd779bb07c23405c07c26de9bfa3364d22daafd3f59b33fa27647fc2db972236

SHA512
b497b5dccfd1311d3d99c701842ed02f4f5d1aecf25a4dc1eecf797b273bc260a2937129b10a5ebf0d8bf5372e60f71777b4e572ab67009ccbcc1657afd5bc02

Download Submit
C:\Users\Admin\AppData\Roaming\Âí×ÓÃû³Æ.exe

Filesize
948KB

MD5
0489bda6335df6665a899fa6d2760e43

SHA1
5e06c49f447711edca4f0362ec1b5f33fac10daa

SHA256
fd779bb07c23405c07c26de9bfa3364d22daafd3f59b33fa27647fc2db972236

SHA512
b497b5dccfd1311d3d99c701842ed02f4f5d1aecf25a4dc1eecf797b273bc260a2937129b10a5ebf0d8bf5372e60f71777b4e572ab67009ccbcc1657afd5bc02

Download Submit
C:\Users\Admin\AppData\Roaming\Âí×ÓÃû³Æ.exe

Filesize
948KB

MD5
0489bda6335df6665a899fa6d2760e43

SHA1
5e06c49f447711edca4f0362ec1b5f33fac10daa

SHA256
fd779bb07c23405c07c26de9bfa3364d22daafd3f59b33fa27647fc2db972236

SHA512
b497b5dccfd1311d3d99c701842ed02f4f5d1aecf25a4dc1eecf797b273bc260a2937129b10a5ebf0d8bf5372e60f71777b4e572ab67009ccbcc1657afd5bc02

Download Submit
C:\Windows\SysWOW64\sainbox.exe

Filesize
10.4MB

MD5
0710aa9fbb5927d7477b24d7ac69ad1c

SHA1
1b5acda93030a33375138f7496e82be1db0ce58c

SHA256
cd38d3bb85219feace20690b46b7f518a7eb74a05ba24f48bb473b5f224becab

SHA512
5ebe3ee7eb366792692b44f6432218c509fdb81b214944b2aa7c726a24ec3bda03e240a2397ac4480a2745b97f4d745a344c3731b075d37109e7ff28f72d7b28

Download Submit
C:\Windows\SysWOW64\sainbox.exe

Filesize
10.4MB

MD5
0710aa9fbb5927d7477b24d7ac69ad1c

SHA1
1b5acda93030a33375138f7496e82be1db0ce58c

SHA256
cd38d3bb85219feace20690b46b7f518a7eb74a05ba24f48bb473b5f224becab

SHA512
5ebe3ee7eb366792692b44f6432218c509fdb81b214944b2aa7c726a24ec3bda03e240a2397ac4480a2745b97f4d745a344c3731b075d37109e7ff28f72d7b28

Download Submit
C:\Windows\SysWOW64\sainbox.exe

Filesize
10.4MB

MD5
0710aa9fbb5927d7477b24d7ac69ad1c

SHA1
1b5acda93030a33375138f7496e82be1db0ce58c

SHA256
cd38d3bb85219feace20690b46b7f518a7eb74a05ba24f48bb473b5f224becab

SHA512
5ebe3ee7eb366792692b44f6432218c509fdb81b214944b2aa7c726a24ec3bda03e240a2397ac4480a2745b97f4d745a344c3731b075d37109e7ff28f72d7b28

Download Submit
C:\Windows\SysWOW64\sainbox.exe

Filesize
10.4MB

MD5
0710aa9fbb5927d7477b24d7ac69ad1c

SHA1
1b5acda93030a33375138f7496e82be1db0ce58c

SHA256
cd38d3bb85219feace20690b46b7f518a7eb74a05ba24f48bb473b5f224becab

SHA512
5ebe3ee7eb366792692b44f6432218c509fdb81b214944b2aa7c726a24ec3bda03e240a2397ac4480a2745b97f4d745a344c3731b075d37109e7ff28f72d7b28

Download Submit
memory/1324-155-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download
memory/1612-731-0x0000000010000000-0x00000000101A9000-memory.dmp

Filesize
1.7MB

Download
memory/1732-280-0x000001CCC3510000-0x000001CCC3511000-memory.dmp

Filesize
4KB

Download
memory/1732-275-0x000001CCC3510000-0x000001CCC3511000-memory.dmp

Filesize
4KB

Download
memory/1732-281-0x000001CCC3510000-0x000001CCC3511000-memory.dmp

Filesize
4KB

Download
memory/1732-262-0x000001CCC3510000-0x000001CCC3511000-memory.dmp

Filesize
4KB

Download
memory/1732-284-0x000001CCC3510000-0x000001CCC3511000-memory.dmp

Filesize
4KB

Download
memory/1732-266-0x000001CCC3510000-0x000001CCC3511000-memory.dmp

Filesize
4KB

Download
memory/1732-264-0x000001CCC3510000-0x000001CCC3511000-memory.dmp

Filesize
4KB

Download
memory/1732-285-0x000001CCC3510000-0x000001CCC3511000-memory.dmp

Filesize
4KB

Download
memory/1732-278-0x000001CCC3510000-0x000001CCC3511000-memory.dmp

Filesize
4KB

Download
memory/1732-277-0x000001CCC3510000-0x000001CCC3511000-memory.dmp

Filesize
4KB

Download
memory/1832-253-0x0000000010000000-0x00000000101A9000-memory.dmp

Filesize
1.7MB

Download
memory/1832-252-0x0000000010000000-0x00000000101A9000-memory.dmp

Filesize
1.7MB

Download
memory/1832-245-0x0000000010000000-0x00000000101A9000-memory.dmp

Filesize
1.7MB

Download
memory/1832-350-0x0000000010000000-0x00000000101A9000-memory.dmp

Filesize
1.7MB

Download
memory/2864-347-0x0000000010000000-0x00000000101A9000-memory.dmp

Filesize
1.7MB

Download
memory/2864-357-0x0000000010000000-0x00000000101A9000-memory.dmp

Filesize
1.7MB

Download
memory/2940-190-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download
memory/3200-301-0x0000000010000000-0x00000000101A9000-memory.dmp

Filesize
1.7MB

Download
memory/3200-295-0x0000000010000000-0x00000000101A9000-memory.dmp

Filesize
1.7MB

Download
memory/3328-269-0x0000000010000000-0x00000000101A9000-memory.dmp

Filesize
1.7MB

Download
memory/3328-249-0x0000000010000000-0x00000000101A9000-memory.dmp

Filesize
1.7MB

Download
memory/3328-251-0x0000000010000000-0x00000000101A9000-memory.dmp

Filesize
1.7MB

Download
memory/3328-244-0x0000000010000000-0x00000000101A9000-memory.dmp

Filesize
1.7MB

Download
memory/4664-286-0x0000000010000000-0x00000000101A9000-memory.dmp

Filesize
1.7MB

Download
memory/4664-274-0x0000000010000000-0x00000000101A9000-memory.dmp

Filesize
1.7MB

Download
memory/4664-388-0x0000000010000000-0x00000000101A9000-memory.dmp

Filesize
1.7MB

Download
memory/4772-303-0x0000000010000000-0x00000000101A9000-memory.dmp

Filesize
1.7MB

Download
memory/4888-516-0x0000000010000000-0x00000000101A9000-memory.dmp

Filesize
1.7MB

Download