5880dfaf4e35ce13acf0d83a4785c63a82d776e415c61e0a9885c62727bf9a02

Analysis

max time kernel
148s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28/12/2023, 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f827ed6b3961d4e76aecfb52d2c30de7.exe
Size

7.2MB
MD5

f827ed6b3961d4e76aecfb52d2c30de7
SHA1

27cabe67bfc858d9a06a0c6a99ad68ca0c49d4d7
SHA256

5880dfaf4e35ce13acf0d83a4785c63a82d776e415c61e0a9885c62727bf9a02
SHA512

bbe79074d74e14060cbe799575957fd927c22892a3fd302a59dc5b559aba9d630355d2ccb21087fc77275229b9c8318146b9c99ec016fe609914ef82e58defee
SSDEEP

196608:Kf4ZsE6yBpdqYHb0K/ReQPU4ZhpSUhq/pnoJ8cOphqu89:KYsdyBptHcQPUy5hq/eqdpob

Score

7^/10

bootkit discovery persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000600000002330a-432.dat	acprotect
behavioral2/files/0x0007000000023319-473.dat	acprotect

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	f827ed6b3961d4e76aecfb52d2c30de7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	2345_kbingyan_desk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	2345_kbingyan_desk.exe

Executes dropped EXE 3 IoCs

pid	Process
4620	2345_kbingyan_desk.exe
4328	2345_kbingyan_desk.exe
2916	2345_kbingyan_desk.exe

Loads dropped DLL 9 IoCs

pid	Process
728	f827ed6b3961d4e76aecfb52d2c30de7.exe
728	f827ed6b3961d4e76aecfb52d2c30de7.exe
728	f827ed6b3961d4e76aecfb52d2c30de7.exe
728	f827ed6b3961d4e76aecfb52d2c30de7.exe
728	f827ed6b3961d4e76aecfb52d2c30de7.exe
728	f827ed6b3961d4e76aecfb52d2c30de7.exe
728	f827ed6b3961d4e76aecfb52d2c30de7.exe
728	f827ed6b3961d4e76aecfb52d2c30de7.exe
728	f827ed6b3961d4e76aecfb52d2c30de7.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000600000002330a-432.dat	upx
behavioral2/memory/728-436-0x0000000010000000-0x0000000010179000-memory.dmp	upx
behavioral2/files/0x0007000000023319-473.dat	upx
behavioral2/memory/728-477-0x0000000072C10000-0x0000000072F55000-memory.dmp	upx
behavioral2/memory/728-500-0x0000000010000000-0x0000000010179000-memory.dmp	upx
behavioral2/memory/728-502-0x0000000010000000-0x0000000010179000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	f827ed6b3961d4e76aecfb52d2c30de7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\0	f827ed6b3961d4e76aecfb52d2c30de7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ = "Idmsoft"	f827ed6b3961d4e76aecfb52d2c30de7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib\Version = "1.0"	f827ed6b3961d4e76aecfb52d2c30de7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB0EE5E7-851A-4B31-BC70-1106388CD545}\InprocServer32	f827ed6b3961d4e76aecfb52d2c30de7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD9D01DD-08E3-487C-B4BA-F21C23628E27}\TypeLib\ = "{0704321C-4EF8-4E9C-82E9-46D1DE560DB8}"	f827ed6b3961d4e76aecfb52d2c30de7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XinNuo.SendData\CLSID	f827ed6b3961d4e76aecfb52d2c30de7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}	f827ed6b3961d4e76aecfb52d2c30de7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E997A035-AA81-4A3D-BD1C-A83640F06336}\TypeLib\ = "{14C24187-9B05-4105-96B4-05BC022FE019}"	f827ed6b3961d4e76aecfb52d2c30de7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E997A035-AA81-4A3D-BD1C-A83640F06336}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	f827ed6b3961d4e76aecfb52d2c30de7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5C0E427-E8D2-44C8-86ED-1073776F0AFF}\TypeLib\ = "{6A4D2965-DCF1-458B-90A4-A28DB53E323E}"	f827ed6b3961d4e76aecfb52d2c30de7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB0EE5E7-851A-4B31-BC70-1106388CD545}\ProgID	f827ed6b3961d4e76aecfb52d2c30de7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3CF76A2B-509E-4880-B7CA-FE04098B50F8}	f827ed6b3961d4e76aecfb52d2c30de7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0704321C-4EF8-4E9C-82E9-46D1DE560DB8}\1.0\0\win32\ = "c:\\xtl\\plug365new.dll"	f827ed6b3961d4e76aecfb52d2c30de7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB0EE5E7-851A-4B31-BC70-1106388CD545}\VersionIndependentProgID	f827ed6b3961d4e76aecfb52d2c30de7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{14C24187-9B05-4105-96B4-05BC022FE019}\1.0\0\win32\ = "c:\\xtl\\san.dll"	f827ed6b3961d4e76aecfb52d2c30de7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B2A0CAD4-A13F-45C5-88F6-CFAD7AA2F03C}\TypeLib\Version = "1.0"	f827ed6b3961d4e76aecfb52d2c30de7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD9D01DD-08E3-487C-B4BA-F21C23628E27}\VersionIndependentProgID\ = "Plugin365ID"	f827ed6b3961d4e76aecfb52d2c30de7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	f827ed6b3961d4e76aecfb52d2c30de7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3CF76A2B-509E-4880-B7CA-FE04098B50F8}\InProcServer32\ = "c:\\xtl\\xinnuo.dll"	f827ed6b3961d4e76aecfb52d2c30de7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0704321C-4EF8-4E9C-82E9-46D1DE560DB8}\1.0\0\win32	f827ed6b3961d4e76aecfb52d2c30de7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E669DCD-8550-41C3-8A53-66150597FB24}\InprocServer32\ = "c:\\xtl\\cy.dll"	f827ed6b3961d4e76aecfb52d2c30de7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB0EE5E7-851A-4B31-BC70-1106388CD545}\TypeLib	f827ed6b3961d4e76aecfb52d2c30de7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{15332F15-898A-4D3C-96F3-C13573B0C080}\TypeLib	f827ed6b3961d4e76aecfb52d2c30de7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sy.dt	f827ed6b3961d4e76aecfb52d2c30de7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EF83CA6-D06B-44D1-88B9-AFB6188C4BDF}\InprocServer32	f827ed6b3961d4e76aecfb52d2c30de7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5C0E427-E8D2-44C8-86ED-1073776F0AFF}\TypeLib\Version = "1.0"	f827ed6b3961d4e76aecfb52d2c30de7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\San.sanll\CurVer\ = "San.sanll.1"	f827ed6b3961d4e76aecfb52d2c30de7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E997A035-AA81-4A3D-BD1C-A83640F06336}\ProxyStubClsid32	f827ed6b3961d4e76aecfb52d2c30de7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74F1DF58-11CD-458C-A149-2761D9FAA6CA}	f827ed6b3961d4e76aecfb52d2c30de7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F3F54BC2-D6D1-4A85-B943-16287ECEA64C}\TypeLib	f827ed6b3961d4e76aecfb52d2c30de7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5C0E427-E8D2-44C8-86ED-1073776F0AFF}\ = "ISendData"	f827ed6b3961d4e76aecfb52d2c30de7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cy.plugin\Clsid\ = "{3E669DCD-8550-41C3-8A53-66150597FB24}"	f827ed6b3961d4e76aecfb52d2c30de7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B2A0CAD4-A13F-45C5-88F6-CFAD7AA2F03C}\TypeLib	f827ed6b3961d4e76aecfb52d2c30de7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD9D01DD-08E3-487C-B4BA-F21C23628E27}\InprocServer32	f827ed6b3961d4e76aecfb52d2c30de7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3E669DCD-8550-41C3-8A53-66150597FB24}\VERSION	f827ed6b3961d4e76aecfb52d2c30de7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0	f827ed6b3961d4e76aecfb52d2c30de7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84288AAD-BA02-4EF2-85EC-3FAD4D11354D}\1.0\HELPDIR\ = "c:\\xtl\\"	f827ed6b3961d4e76aecfb52d2c30de7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74F1DF58-11CD-458C-A149-2761D9FAA6CA}\1.0\ = "sydt 1.0 Type Library"	f827ed6b3961d4e76aecfb52d2c30de7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD9D01DD-08E3-487C-B4BA-F21C23628E27}	f827ed6b3961d4e76aecfb52d2c30de7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5C0E427-E8D2-44C8-86ED-1073776F0AFF}\TypeLib	f827ed6b3961d4e76aecfb52d2c30de7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0704321C-4EF8-4E9C-82E9-46D1DE560DB8}\1.0\FLAGS	f827ed6b3961d4e76aecfb52d2c30de7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{15332F15-898A-4D3C-96F3-C13573B0C080}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	f827ed6b3961d4e76aecfb52d2c30de7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{15332F15-898A-4D3C-96F3-C13573B0C080}\TypeLib\ = "{A725FB2D-9C8A-4B23-B7B1-FDC339F38FFB}"	f827ed6b3961d4e76aecfb52d2c30de7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{14C24187-9B05-4105-96B4-05BC022FE019}\1.0\FLAGS	f827ed6b3961d4e76aecfb52d2c30de7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EF83CA6-D06B-44D1-88B9-AFB6188C4BDF}\VersionIndependentProgID\ = "sy.dt"	f827ed6b3961d4e76aecfb52d2c30de7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74F1DF58-11CD-458C-A149-2761D9FAA6CA}\1.0	f827ed6b3961d4e76aecfb52d2c30de7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B2A0CAD4-A13F-45C5-88F6-CFAD7AA2F03C}\ProxyStubClsid32	f827ed6b3961d4e76aecfb52d2c30de7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CB0EE5E7-851A-4B31-BC70-1106388CD545}\TypeLib\ = "{14C24187-9B05-4105-96B4-05BC022FE019}"	f827ed6b3961d4e76aecfb52d2c30de7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{15332F15-898A-4D3C-96F3-C13573B0C080}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	f827ed6b3961d4e76aecfb52d2c30de7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cy.plugin	f827ed6b3961d4e76aecfb52d2c30de7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3CF76A2B-509E-4880-B7CA-FE04098B50F8}\InProcServer32	f827ed6b3961d4e76aecfb52d2c30de7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Plugin365ID.1\CLSID\ = "{FD9D01DD-08E3-487C-B4BA-F21C23628E27}"	f827ed6b3961d4e76aecfb52d2c30de7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD9D01DD-08E3-487C-B4BA-F21C23628E27}\ = "Plugin365 Class"	f827ed6b3961d4e76aecfb52d2c30de7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD9D01DD-08E3-487C-B4BA-F21C23628E27}\ProgID\ = "Plugin365ID.1"	f827ed6b3961d4e76aecfb52d2c30de7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EF83CA6-D06B-44D1-88B9-AFB6188C4BDF}\TypeLib\ = "{74F1DF58-11CD-458C-A149-2761D9FAA6CA}"	f827ed6b3961d4e76aecfb52d2c30de7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5C0E427-E8D2-44C8-86ED-1073776F0AFF}	f827ed6b3961d4e76aecfb52d2c30de7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B2A0CAD4-A13F-45C5-88F6-CFAD7AA2F03C}	f827ed6b3961d4e76aecfb52d2c30de7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{78FB983E-28D7-4081-887E-C0E6EDAE8362}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	f827ed6b3961d4e76aecfb52d2c30de7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A725FB2D-9C8A-4B23-B7B1-FDC339F38FFB}\1.0\0\win32\ = "c:\\xtl\\cy.dll"	f827ed6b3961d4e76aecfb52d2c30de7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A725FB2D-9C8A-4B23-B7B1-FDC339F38FFB}\1.0\0\win32	f827ed6b3961d4e76aecfb52d2c30de7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{15332F15-898A-4D3C-96F3-C13573B0C080}\ProxyStubClsid32	f827ed6b3961d4e76aecfb52d2c30de7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dm.dmsoft\CLSID\ = "{26037A0E-7CBD-4FFF-9C63-56F2D0770214}"	f827ed6b3961d4e76aecfb52d2c30de7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\San.sanll\CLSID	f827ed6b3961d4e76aecfb52d2c30de7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Plugin365ID\CurVer\ = "Plugin365ID.1"	f827ed6b3961d4e76aecfb52d2c30de7.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4536	msedge.exe
4536	msedge.exe
1040	msedge.exe
1040	msedge.exe
5204	identity_helper.exe
5204	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
728	f827ed6b3961d4e76aecfb52d2c30de7.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
728	f827ed6b3961d4e76aecfb52d2c30de7.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
728	f827ed6b3961d4e76aecfb52d2c30de7.exe
728	f827ed6b3961d4e76aecfb52d2c30de7.exe
728	f827ed6b3961d4e76aecfb52d2c30de7.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 728 wrote to memory of 4620	728	f827ed6b3961d4e76aecfb52d2c30de7.exe	101
PID 728 wrote to memory of 4620	728	f827ed6b3961d4e76aecfb52d2c30de7.exe	101
PID 728 wrote to memory of 4620	728	f827ed6b3961d4e76aecfb52d2c30de7.exe	101
PID 4620 wrote to memory of 4328	4620	2345_kbingyan_desk.exe	102
PID 4620 wrote to memory of 4328	4620	2345_kbingyan_desk.exe	102
PID 4620 wrote to memory of 4328	4620	2345_kbingyan_desk.exe	102
PID 4328 wrote to memory of 2916	4328	2345_kbingyan_desk.exe	103
PID 4328 wrote to memory of 2916	4328	2345_kbingyan_desk.exe	103
PID 4328 wrote to memory of 2916	4328	2345_kbingyan_desk.exe	103
PID 2916 wrote to memory of 1040	2916	2345_kbingyan_desk.exe	105
PID 2916 wrote to memory of 1040	2916	2345_kbingyan_desk.exe	105
PID 1040 wrote to memory of 5080	1040	msedge.exe	106
PID 1040 wrote to memory of 5080	1040	msedge.exe	106
PID 1040 wrote to memory of 4416	1040	msedge.exe	107
PID 1040 wrote to memory of 4416	1040	msedge.exe	107
PID 1040 wrote to memory of 4416	1040	msedge.exe	107
PID 1040 wrote to memory of 4416	1040	msedge.exe	107
PID 1040 wrote to memory of 4416	1040	msedge.exe	107
PID 1040 wrote to memory of 4416	1040	msedge.exe	107
PID 1040 wrote to memory of 4416	1040	msedge.exe	107
PID 1040 wrote to memory of 4416	1040	msedge.exe	107
PID 1040 wrote to memory of 4416	1040	msedge.exe	107
PID 1040 wrote to memory of 4416	1040	msedge.exe	107
PID 1040 wrote to memory of 4416	1040	msedge.exe	107
PID 1040 wrote to memory of 4416	1040	msedge.exe	107
PID 1040 wrote to memory of 4416	1040	msedge.exe	107
PID 1040 wrote to memory of 4416	1040	msedge.exe	107
PID 1040 wrote to memory of 4416	1040	msedge.exe	107
PID 1040 wrote to memory of 4416	1040	msedge.exe	107
PID 1040 wrote to memory of 4416	1040	msedge.exe	107
PID 1040 wrote to memory of 4416	1040	msedge.exe	107
PID 1040 wrote to memory of 4416	1040	msedge.exe	107
PID 1040 wrote to memory of 4416	1040	msedge.exe	107
PID 1040 wrote to memory of 4416	1040	msedge.exe	107
PID 1040 wrote to memory of 4416	1040	msedge.exe	107
PID 1040 wrote to memory of 4416	1040	msedge.exe	107
PID 1040 wrote to memory of 4416	1040	msedge.exe	107
PID 1040 wrote to memory of 4416	1040	msedge.exe	107
PID 1040 wrote to memory of 4416	1040	msedge.exe	107
PID 1040 wrote to memory of 4416	1040	msedge.exe	107
PID 1040 wrote to memory of 4416	1040	msedge.exe	107
PID 1040 wrote to memory of 4416	1040	msedge.exe	107
PID 1040 wrote to memory of 4416	1040	msedge.exe	107
PID 1040 wrote to memory of 4416	1040	msedge.exe	107
PID 1040 wrote to memory of 4416	1040	msedge.exe	107
PID 1040 wrote to memory of 4416	1040	msedge.exe	107
PID 1040 wrote to memory of 4416	1040	msedge.exe	107
PID 1040 wrote to memory of 4416	1040	msedge.exe	107
PID 1040 wrote to memory of 4416	1040	msedge.exe	107
PID 1040 wrote to memory of 4416	1040	msedge.exe	107
PID 1040 wrote to memory of 4416	1040	msedge.exe	107
PID 1040 wrote to memory of 4416	1040	msedge.exe	107
PID 1040 wrote to memory of 4416	1040	msedge.exe	107
PID 1040 wrote to memory of 4536	1040	msedge.exe	108
PID 1040 wrote to memory of 4536	1040	msedge.exe	108
PID 1040 wrote to memory of 4772	1040	msedge.exe	109
PID 1040 wrote to memory of 4772	1040	msedge.exe	109
PID 1040 wrote to memory of 4772	1040	msedge.exe	109
PID 1040 wrote to memory of 4772	1040	msedge.exe	109
PID 1040 wrote to memory of 4772	1040	msedge.exe	109
PID 1040 wrote to memory of 4772	1040	msedge.exe	109
PID 1040 wrote to memory of 4772	1040	msedge.exe	109
PID 1040 wrote to memory of 4772	1040	msedge.exe	109
PID 1040 wrote to memory of 4772	1040	msedge.exe	109

C:\Users\Admin\AppData\Local\Temp\f827ed6b3961d4e76aecfb52d2c30de7.exe
"C:\Users\Admin\AppData\Local\Temp\f827ed6b3961d4e76aecfb52d2c30de7.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:728
- C:\xtl\2345_kbingyan_desk.exe
  "C:\xtl\2345_kbingyan_desk.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4620
- - C:\Users\Admin\AppData\Roaming\2345.com\2345_kbingyan_desk.exe
    "C:\Users\Admin\AppData\Roaming\2345.com\2345_kbingyan_desk.exe" install_admin
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4328
  - - C:\Users\Admin\AppData\Roaming\2345.com\2345_kbingyan_desk.exe
      "C:\Users\Admin\AppData\Roaming\2345.com\2345_kbingyan_desk.exe" run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2916
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.2345.com/?kbingyan
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1040
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9597946f8,0x7ff959794708,0x7ff959794718
        6⤵
        
        PID:5080
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,299086528036239159,12600157523164681209,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
        6⤵
        
        PID:4416
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,299086528036239159,12600157523164681209,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4536
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,299086528036239159,12600157523164681209,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
        6⤵
        
        PID:4772
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,299086528036239159,12600157523164681209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
        6⤵
        
        PID:1032
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,299086528036239159,12600157523164681209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
        6⤵
        
        PID:4760
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,299086528036239159,12600157523164681209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2156 /prefetch:1
        6⤵
        
        PID:884
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,299086528036239159,12600157523164681209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
        6⤵
        
        PID:4092
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,299086528036239159,12600157523164681209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
        6⤵
        
        PID:4444
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,299086528036239159,12600157523164681209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
        6⤵
        
        PID:4440
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,299086528036239159,12600157523164681209,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
        6⤵
        
        PID:4792
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,299086528036239159,12600157523164681209,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:1
        6⤵
        
        PID:2468
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,299086528036239159,12600157523164681209,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:1
        6⤵
        
        PID:5028
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,299086528036239159,12600157523164681209,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1716 /prefetch:8
        6⤵
        
        PID:5188
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,299086528036239159,12600157523164681209,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1716 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5204

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7a5862a0ca86c0a4e8e0b30261858e1f

SHA1
ee490d28e155806d255e0f17be72509be750bf97

SHA256
92b4c004a9ec97ccf7a19955926982bac099f3b438cd46063bb9bf5ac7814a4b

SHA512
0089df12ed908b4925ba838e07128987afe1c9235097b62855122a03ca6d34d7c75fe4c30e68581c946b77252e7edf1dd66481e20c0a9cccd37e0a4fe4f0a6fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
ca968ba93ae64c6356fd15bd0e36ad47

SHA1
437518a20500dd7428a934108ac58825865210c5

SHA256
3fe2d0256021e630e4ff75be911702a7fe6d7e32be6933c54795c2ba9c79f44c

SHA512
5a63786619929aa8774f0c3ce6703a1736cac5d955e57d34b3c79d7682ca32e797a2264015c3ed64bcdf0352a22d66124f51adebf44d35702ff56b470aed60a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
7e4ce58db80b0e14e9d841474aacf51d

SHA1
ae676138ea20f535d71ee32321a68aaed2824493

SHA256
1d846cf7fda5a2c1bd247137038edc06c3955ef556f8e45b7bce900a8f6afd84

SHA512
75c2cde29f714c27492b7c526228ef0c29c4ca538676e33973a43587f5e012a2d69df80adc75c1ab31a244ab5db5a023e72208fabdf8ba8cb9a4f12e407411e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9f3d180c04984deb1aa5f21349017731

SHA1
71fd1f4e8a8174ea5af2a008a9b9d31e343bed07

SHA256
ac6aa78adac4c385bc44ffa91d30631ff56e19b233a464743a4c71c55b4d3f20

SHA512
dd34c7ef280f8367131cfde310a3c1aef65b57d61aca788213f8f6e7562951ec80180081fe73f8772bb5b6bb86f8e0fcf0906129c1e490372dd5dcff9f054c52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2a2821433058bdbf07278ce096e66282

SHA1
e0b7929ec48621b35be46dcbbb54f8510f1a5c0c

SHA256
58d0cc959aa65134fe474e060c39988d66b66f02bca14b1409382562194b1345

SHA512
bb1f7a6bd855a3e1c380eabe5f13e759f9d37903c5694ca18f26200cbc1c590bf7d605c7056e8c2c72b0ae84fa63232a187987dc9ebc2eab17dedbd6d5a453f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0be95409dd32585bba1d349783566d78

SHA1
214936986bdd50bf22dfa89383aabcc2eb9a2310

SHA256
a6c53e1f06bde5dde1312fcf0cba72ea79cae14b4ed13025334d28866d5f1c22

SHA512
39e11bd6aee17488ce3567a1fff8824d3413f8ae4105af27d73fe4a621446ce98fddc0ddb8e2a27f86fb380f2b9547c06567de461e92a09a2e08115aaa1ac5c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
52826cef6409f67b78148b75e442b5ea

SHA1
a675db110aae767f5910511751cc3992cddcc393

SHA256
98fc43994599573e7181c849e5865f23b4f05f85c1115dff53c58764d80373fb

SHA512
f18df18cab6b5ecd71b79c81a2a1fdac42cc9960f62f06ac25f4d6487792705f2766ee3a10239eaac940d090186e6bc820e4eb7a5ee138f6e5c1c64f951b960c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
204B

MD5
9a2a012206015faac23ccb4d70fe1fa8

SHA1
1608ab6246630f450866ba3da4fafca98e5d7c45

SHA256
436c45da131ce88b1ac38ecc78a3bae37d48e0b2014a2b24e6ca2ec7391cbeb2

SHA512
64211f22fdf96abd9a108720760dd1e3ae8163fc47ba0e53a196967f37838a84e2d1e631920d13d303e124b9c26fed2d53b3513e2d44d3c2e42baf952ffc49fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
372B

MD5
142ff7c47fadb0eddfe2f2551adf1c55

SHA1
941ca929ff7aa8a8f96f264fcfe42bf65efbc105

SHA256
cb044fdaf677d410e8cadb49150bd754f60747fade443012621a759a64325394

SHA512
ece896915bf93b81a23a89b5026dba4df88266c1295cd9214e67eb2cfaa4c6a052d1fc43a12c1401aed1a9e139cc2208b76cb97677cdf1ddc4557f73060104f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c81f17e4123bc359e48d90eb3dc5d147

SHA1
25cb857be6ff248d2e99cff7d4004bcdbd4dba8a

SHA256
27f1641dd3da4d7af3d6d8bd10bf2251010dfc184285a914bd6ada431171845e

SHA512
ee4b920b47e1868a8bc9b934baef4103a1aee717fbc4b6cc184b3e37f18e62ac3d21681c2a2b830ef06ce3af7bb553295e03a40740e48c669d080438f8e01e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\728e57788b\2345_kbingyan_desk

Filesize
1.4MB

MD5
16383931b0c2b18be6e74e553daa4d2e

SHA1
312754d6be3ba4b3a394c3d1c66e145d322da7bb

SHA256
b855a539ff5398b7eed7f94d4656fa9ef0d48955aa6b4212405a3ad78bae3d45

SHA512
86def3380f31aa1443b03f713164c25f91724816e356b9e73b5ac48b27a9cad184e9471af204f7bd24ddf435b8068da48568cc38d07a2aacb480366829ace597

Download Submit
C:\Users\Admin\AppData\Local\Temp\728e57788b\XINNUO.DLL

Filesize
1.7MB

MD5
dac992deafd0d7b81f8ba667645f044f

SHA1
28357284420ab5705e80c323ca9ef770c9d1af80

SHA256
0aa8fabccf051c3e62b8ab3a17231a700ea1eaafd8e967117a92b37bd4b28ee1

SHA512
114501cf9365d7f37e3ebf1c1b381d70c6f92bf782078d0edad46f50035ed70ba2e1eae49c2ca7d80b45ae306a1ecf4b8341aae51a9f254baccea174e4b9c0bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\728e57788b\cy.dll

Filesize
32KB

MD5
f4cb8b30c4e61b2624be3d3203182cae

SHA1
6d4fe28123d9c84439614c89e7caab4575f0befd

SHA256
ba9b648ecff5506474aae76671197c8ea95f78e658b0ef6efef91ce96acf78d0

SHA512
b1f4fb995dcd668353c49e2e9b216b60dd7aa033110e3faf5a198f2ab21921c544fd7707dc9eeed6ce4079c7649a15bc6dd6175748046955003a60fe47d89f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\728e57788b\data.ini

Filesize
3KB

MD5
ac7b429bb92e6ed9511fe472aa805e3f

SHA1
b4980cce3371aa2ae95b5874e75e0e08c3688f39

SHA256
f69c8704fa2d2be28d845ef8f7a3beaf03aa1aa32b716b289f583db58f140fab

SHA512
26c177d8576034a2a02dee2e6eb567574bd21981e1bb408a537a150470ed976f0a1bf0ea880c447f9c78d4ef231a0510e81d0be59066b987456ae14255c7feee

Download Submit
C:\Users\Admin\AppData\Local\Temp\728e57788b\dm.dll

Filesize
811KB

MD5
7cc660f1afcd5122a4a142f33329b7aa

SHA1
e523b79e6f7177fe00e9e92613428c948b8aaad3

SHA256
7e59ab0f1f701558c2273021b16c995780fbd134bc5eaf0b473ecf0d23d4526c

SHA512
7e598ebc1104e81c28f32c30a99fe54213b142b7c33e28fd738109ac27064dfa8a288d945238786c5ee5601a3f40a8fbf759eebe71765ed66e4d04db99bcaf9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\728e57788b\img_zz.png

Filesize
152KB

MD5
7c97b2f0ab24af0272c9900ed3bcc70b

SHA1
3e8ed47cfcf64a1f91dccd99e8ddf951fca78827

SHA256
bc72b5b1dd75b2d54088b75f06e005b1d62626e26d52077a1bb0ca4977e80338

SHA512
17dfe4c0420b73f1a8db69bf69d9bcb39f8b5fd751e4dc76ad75e863b127f82013ef69b23c14e975626fb446e0c5e013da59ac57cc4b8bbe2ab34c4ffc388d95

Download Submit
C:\Users\Admin\AppData\Local\Temp\728e57788b\lingj.bmp

Filesize
2KB

MD5
b1547cccdb1fa17fc9a72a7d1b4df99f

SHA1
344548ce7d1bf47ebe1a112f53f295e7ed01c45c

SHA256
9909be4939485e1404d269c237eee406aebe9acfd98763d3ae37c2d9d92bd342

SHA512
1b18e486c4422a7f34b104101b2a76c7ea941611ce3e261287abbe4f1839894e85c63c5a4429130aaf2824e132af8d7565b2a29d17a6e7834786394f04257ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\728e57788b\mDll.dll

Filesize
1.1MB

MD5
541e326ce42f23fa4dcdaaff67103178

SHA1
6e7dd65e1cd3af7d08ceb4b3ccd804bb49d47141

SHA256
2b649b7db51ea7cbfe7cc89b412f5a0902a1672773f76638ddf15ce5899d2dac

SHA512
9b885c24b8549fa6e6985fb98b28ae1064f34110e28aa93796ba68e94d5d95bf92f8178da678446dc1d0ee4dcb378c462fef4fd0763ad66edfea15503603db3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\728e57788b\mDll.dll

Filesize
1.6MB

MD5
dbe3183b53fe8437075dd9805c4165aa

SHA1
8c8575577a3d3ea58c4825535986e17f2efeedda

SHA256
e88a16c38ea58e59c80f7d6f99034d76aef52da40aa01498eedeec1f3fc81e6a

SHA512
6e310c22a0fa7dc474f537f80d6a7db983b72453b7eaee747df23c8fed7e8661b617814625108bb64fee424afc99e60f288e69c5e77a71aefe609f57a3ec003a

Download Submit
C:\Users\Admin\AppData\Local\Temp\728e57788b\mLib.dll

Filesize
1.7MB

MD5
21282505265f39a7ef0fca3125367679

SHA1
442653ec8c9037341cab830d6f0e0768eb89ba43

SHA256
73a80fdc4093a06288c825acf5ecf2e6267b971299c27484726fbd772faf8ba1

SHA512
db4e1cb96b3f71767565ee129949188d1ed4e373630fe7713d488421f4088a9a600d613d6413f4984094d51f673e9d280adbee55926c619ac2895dd2e014c16f

Download Submit
C:\Users\Admin\AppData\Local\Temp\728e57788b\mLib.dll

Filesize
2.1MB

MD5
eaa3dc8b45660bda78401e4b1157b45a

SHA1
b5e99bee768cf1fa5c25d621c8b8c90802e72d20

SHA256
cd860a6620c5e8a9dddfca51485813a8ad92651c198b1a8993c42fdd157f10dc

SHA512
ec6219bd28fed28d725729c523a279b3bb374d79ef42c8b6ea00be6b8269c76a6587ce7de4b4e4be17a99e294eed371545631d78a9cd7a0e164566a70d1e26ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\728e57788b\mouse_tz.bmp

Filesize
29KB

MD5
f483b45b9f9d776a1be7af0ca03c101a

SHA1
093055b4d25499309d00c70e3e353cc7b85247c4

SHA256
d8f06ab4f3a8b25e07dcd704af2f3cabc359c0250d92d42e991d097393c919e5

SHA512
07fdce598f418d5fd85cce5b2d6aba4cb2d74fcc6aadb4d1b5939149fa1224debb1e6668083faa8a0b6b2fdd6e409d55cb04eb00448e7ce85f3008cb8d2e7aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\728e57788b\ptgj.bmp

Filesize
2KB

MD5
d9d925d20d5ceabff34082a00c868047

SHA1
ed48ff94f5a64807184ab59ab3b0c931255f5408

SHA256
a2fb46602581f49e7cf813ea00c3780d60511ad63e8b14758014716206ea3530

SHA512
48afb8d57dc1346557baf83d80a2db0c870246d5cd59b6849253a7b29d14b734f8697e88a907b76c165c48cf65b3f52fec2005a2be4fd8281bcef850fdd40c66

Download Submit
C:\Users\Admin\AppData\Local\Temp\728e57788b\reg_dll.cmd

Filesize
741B

MD5
5f944dff641b3ea805669af2d13f9ff4

SHA1
785fe5a94fd56f4bf8144b06469cf85fe7bb827f

SHA256
d04dc7da881ba907bc89083e02848e3e0cbc5fa2694939fb5ba1a75d0e134620

SHA512
f67cd2957a9b3e1089ef8b88148610c0c8fe63cfc691fe70c94593e5180dec7e579ecb30c7912e9719cc709e159e17b2e928c07fb83884580ecc43f36371e89e

Download Submit
C:\Users\Admin\AppData\Local\Temp\728e57788b\test.bmp

Filesize
2KB

MD5
0ad99c03b3174b1a221610cf0cf186d6

SHA1
1d9b4a99d515d4e429551adaffc3d4e89008ed88

SHA256
9b5ef25a0def3db0e609b74899217309f8afde79169324fe4d6fe5f08f90ad63

SHA512
5668b899a8a80cee892e96b1b439c9a104f1d13d4b5845d7da10d304cc46c1e2b07b86a4c4e51bd191fc99b3f2fe2918c4910f8f8e05dc5fe702006806b08b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\728e57788b\update.ini

Filesize
13KB

MD5
c76be1c91e247009bf3beb8469af5d14

SHA1
c78d41c13ae523cb27b2bdd2a0a117c636d28348

SHA256
5fb2fddd363e547c6b6f91a04c72ecc5c811b61de32e6ccd168592f3b9c4e742

SHA512
4967951f8adf221f549d4b82ed4765d0a09f8289034cf37e34c5a681c07430c5533740bb843fcbf2210fa9e5d6b6d8bc5bf6049d1d6596f55b050001dbebc3df

Download Submit
C:\Users\Admin\AppData\Local\Temp\728e57788b\报警.mp3

Filesize
266KB

MD5
79d10d2f4a07390d35169c98b88342aa

SHA1
969005af8a057d87e743df8690bc91a6317c3b92

SHA256
df7bf8dd73822da078e5e5b00f8b144d4939e8278e48d917b730de3be7f4bbb4

SHA512
0b1b204f1e0cbea31f5e22de8bebbf3dbab54757d3f81cb6952313ffd2582461db77ad213c34807420918835cb30ffe329b9b8d15da1f269c73ee8586dde025b

Download Submit
C:\Users\Admin\AppData\Local\Temp\728e57788b\火焰山_1.bmp

Filesize
354B

MD5
a8f83ec12126a8894a4880b52abec79d

SHA1
c450bd4125467cb81d1e3e3d3eaffd00f32db75b

SHA256
f5308c93588138b4d271138f3c542177b67ebd15ec85b1963ed534c9df71265f

SHA512
b2b48db24ae26b7ea2310a25378168a89b1feb9f5d38a9e050264d45c2d8bfccba882ee273075cdb89344fb6ee9a1387920aaad48357d3172771dcf68f61bafc

Download Submit
C:\Users\Admin\AppData\Local\Temp\728e57788b\火焰谷_3.bmp

Filesize
354B

MD5
57aaa0aedb553591460fec134cfc2146

SHA1
ea7f8b7ec1643532f2705b4baed116335600c1e9

SHA256
27affa567c84b9224e666571a81fda4ae4f4d63abd7daab88e52f2484e0d62d5

SHA512
f24dfed183b849f2268699e7b2aec830e940bc187ba898bb1d8be411752860f6dc844e2008730862dbbe5f4a8da4231d9e35d5a34d6043d1a678ede5417d9538

Download Submit
C:\Users\Admin\AppData\Local\Temp\728e57788b\火焰谷_6.bmp

Filesize
354B

MD5
19122f2d183cfa57ad92d80381ea7176

SHA1
66c5e9bc2e8fd62a226e093a83ccf11c98cb31d0

SHA256
b2c07486e0f5685d8b6fa33a22a38c0e86454d7991b5869eccdc28767b15c072

SHA512
4409c326a29c997c5c3ed58370d3bf1c0662d4dcb6425142e9e947f11c936d62e59923830a5d5d291dcd6261e5216f4f04b06e27994847f21622608fc1c3a5b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\728e57788b\迷宫_1.bmp

Filesize
354B

MD5
740f451ef06067db5bb0c4df972e2e3a

SHA1
62aad77912d4794467cf6a80af7d2710e20aee26

SHA256
427950ad3aa2cfcaddee8e03714becdbed02b3eb036e858cfb2e0dce70471b4d

SHA512
eee3eef4f4e9ce3fec5dc5ed00cf837464ca6da58ba1ce37280cbf1e8757d29b45b11b1222583bb5f64f7acba4d29dc6bce8273fb0554a21d749b5e5e3cc7168

Download Submit
C:\Users\Admin\AppData\Local\Temp\728e57788b\迷宫_3.bmp

Filesize
354B

MD5
ea7f6358710acdfd78faea35281aa049

SHA1
a0d1ead265ddca669d9f4b8fadc65a0a4338ae21

SHA256
76db1dfb03e17a878aa0597bde124b9dccfbfca8d192eb9c3a13dbccc539e81d

SHA512
5d7c6d19d41b8b2acc88d30f2984f74dbcaf7e84eced85bbb74be858467bc69c166bd813c2e6004daed10600ae8f4121e310ce1faedb67c27627d30ee2430f0b

Download Submit
C:\Users\Admin\AppData\Roaming\2345.com\2345网址导航.lnk

Filesize
1KB

MD5
23560df1aae5e4fdfe5ede80a7b81a22

SHA1
b24ea08515bbb87f56da373f97d8cdad8ed8517b

SHA256
29a3f73bab02091bfa5ed5dd637cda68de76b3a76e459be499ba3befa64526c2

SHA512
03c9cff5573a67a49a76bcc05e5289cba723edb2b48035c531dcff240fd5c04e85b15af0b5cfb8bf85377814f838375e8d1877a1080d86b60a21e88b99d919e9

Download Submit
C:\Users\Admin\AppData\Roaming\2345.com\url.ini

Filesize
161B

MD5
b7dd4b8096376d46c362cb166b02d7ec

SHA1
84422459a47cfe8523ea774da59dade7ffd7546f

SHA256
2ac1ce1b6b7c18ebc604645c3c7826450e348129bdaa75446b138e343631a836

SHA512
cfad52e59de26c82ba95684432aadc00d6837bc3cc83333ebd4e0a7a9284d6acea70719def261c52e9d6a5f8ddf9c48c6457f445893ec8feb26d49e1e17a155b

Download Submit
C:\Users\Admin\Desktop\2345网址导航.lnk

Filesize
1KB

MD5
9eb7d812902c32b844390df6e3bfbe76

SHA1
e8c14a492d2c945cfedf345587547cd3e713541d

SHA256
4ab10a42914e96aeda8270d33ce92c25cddf38ef04d6962afe1e573d196ec38a

SHA512
d6383f5c49f8145b71b977490ae88c70ffe6dcf4ddf32bca2a497c0edabe0d8e07e0fec58bb31b5097a93a7cd1466d25a243b4dc71cdfe09251ca14b653b0826

Download Submit
C:\xtl\plug365new.dll

Filesize
93KB

MD5
4de2349bc0d5050d9b3d158bd848571c

SHA1
1a2a5f2595b37ee70aaea4b72fe0bf10bfeb3eab

SHA256
479675997caca67b9f317915c233d5f0a706195a65ef9d90e5b3637ed0152b69

SHA512
a7e9dcf62e40a708ac25d86ab30e99c3f8fcfdaa2118f12a97750cc063b79c7ecae44ea5eb7c00f5fe200975a2a7cd6aad7a02468c95108d616380df875f715b

Download Submit
C:\xtl\san.dll

Filesize
357KB

MD5
6973fd042dc7347d98e537b42436e2c7

SHA1
6fea3f0e017a15411e499493da47ce6e37fb7875

SHA256
f42b0dc9e4e73c584f6ceebe9993a703a45e5209b8bfbd49d6d48ca43a445883

SHA512
28031c6c2eea73fbf20598b69787c8e6f87d9fb56a212dcb654ea84c42bced6dd035cc8eb32ac73d397f56cf955537d192ba7397608938c3a6af169e3cac5f23

Download Submit
C:\xtl\sydt.dll

Filesize
284KB

MD5
947c9951318543240dff20a84d9d90f7

SHA1
57a29f690ec98954e3591a98bfc3c288817c3ffb

SHA256
d87a3a0d623f98a5bdefacf38e6c1c9a75860a5c553e206ea7515042688ef057

SHA512
9857830924e92fca74756e3785e6fc04f7c500b98a591a643fa35fb9e0b1219869f1d1260f1b1c367da49aa09e08da6eee7e719430600d5380f464d1aa2f4486

Download Submit
memory/728-504-0x0000000072C10000-0x0000000072F55000-memory.dmp

Filesize
3.3MB

Download
memory/728-502-0x0000000010000000-0x0000000010179000-memory.dmp

Filesize
1.5MB

Download
memory/728-500-0x0000000010000000-0x0000000010179000-memory.dmp

Filesize
1.5MB

Download
memory/728-477-0x0000000072C10000-0x0000000072F55000-memory.dmp

Filesize
3.3MB

Download
memory/728-436-0x0000000010000000-0x0000000010179000-memory.dmp

Filesize
1.5MB

Download