Malware Analysis Report

2024-09-23 16:00

Sample ID 240507-xdc7nsaa2t
Target 01ee6aa88ccfb589bde33b360ad45300_NEAS
SHA256 3f95350bec78f3895ea0c097358108f965eadfd3063d3754db8f864f3a5cbb6e
Tags
qr link discovery
score
7/10

Analysis Overview

score
7/10

SHA256

3f95350bec78f3895ea0c097358108f965eadfd3063d3754db8f864f3a5cbb6e

Threat Level: Shows suspicious behavior

The file 01ee6aa88ccfb589bde33b360ad45300_NEAS was found to show suspicious behavior.

Malicious Activity Summary

qr link discovery

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Checks installed software on the system

Unsigned PE

One or more HTTP URLs in qr code identified

Enumerates physical storage devices

Program crash

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-07 18:43

Signatures

One or more HTTP URLs in qr code identified

qr link

Unsigned PE


Analysis: behavioral4

Detonation Overview

Submitted

2024-05-07 18:43

Reported

2024-05-07 18:46

Platform

win10v2004-20240419-en

Max time kernel

132s

Max time network

108s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 208 wrote to memory of 972 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 208 wrote to memory of 972 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 208 wrote to memory of 972 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 972 -ip 972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 612

Network


Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-07 18:43

Reported

2024-05-07 18:46

Platform

win7-20240220-en

Max time kernel

122s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 240

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-07 18:43

Reported

2024-05-07 18:46

Platform

win10v2004-20240419-en

Max time kernel

149s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3716 wrote to memory of 2744 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3716 wrote to memory of 2744 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3716 wrote to memory of 2744 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2744 -ip 2744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 636

Network


Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-07 18:43

Reported

2024-05-07 18:46

Platform

win7-20240215-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ltzn.exe"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\ltzn.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ltzn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ltzn.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ltzn.exe

"C:\Users\Admin\AppData\Local\Temp\ltzn.exe"

Network


Files

memory/1200-0-0x0000000002530000-0x0000000002570000-memory.dmp

memory/1200-1-0x0000000002C90000-0x0000000002CD0000-memory.dmp

memory/1200-2-0x0000000002530000-0x0000000002570000-memory.dmp

memory/1200-3-0x00000000024D0000-0x0000000002510000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-07 18:43

Reported

2024-05-07 18:46

Platform

win10v2004-20240226-en

Max time kernel

145s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ltzn.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ltzn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ltzn.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ltzn.exe

"C:\Users\Admin\AppData\Local\Temp\ltzn.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8

Network


Files

memory/228-0-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

memory/228-1-0x0000000003A60000-0x0000000003A70000-memory.dmp

memory/228-2-0x0000000003B30000-0x0000000003B40000-memory.dmp

memory/228-3-0x0000000003B80000-0x0000000003B90000-memory.dmp

memory/228-4-0x0000000002FD0000-0x0000000002FE0000-memory.dmp

memory/228-5-0x0000000003A60000-0x0000000003A70000-memory.dmp

memory/228-6-0x0000000003B30000-0x0000000003B40000-memory.dmp

memory/228-7-0x0000000003B80000-0x0000000003B90000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-07 18:43

Reported

2024-05-07 18:46

Platform

win10v2004-20240419-en

Max time kernel

136s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4532 wrote to memory of 4948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4532 wrote to memory of 4948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4532 wrote to memory of 4948 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4948 -ip 4948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 612

Network


Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-07 18:43

Reported

2024-05-07 18:46

Platform

win7-20240419-en

Max time kernel

118s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 224

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-07 18:43

Reported

2024-05-07 18:46

Platform

win7-20231129-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninst.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\uninst.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\uninst.exe

"C:\Users\Admin\AppData\Local\Temp\uninst.exe"

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

MD5 68ef438bbe0ab520fef59f1b873ce8b0
SHA1 2e7bd1304307958e22e6c5db69bc02e6e8fa5720
SHA256 6f16f519d7ffb4328129845db52ee57ccee69933a45ca7b238b42e08e573ad86
SHA512 540d3dc30563b054440ed0b6e93518be2b5bc6ca43ddf375f295dafc0a18c0417d7daf6fa102cab3407bbec940be3d3ae0701100c9c8ae0e7b4232930c391c86

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-07 18:43

Reported

2024-05-07 18:46

Platform

win10v2004-20240419-en

Max time kernel

133s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninst.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\uninst.exe

"C:\Users\Admin\AppData\Local\Temp\uninst.exe"

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network


Files

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe

MD5 68ef438bbe0ab520fef59f1b873ce8b0
SHA1 2e7bd1304307958e22e6c5db69bc02e6e8fa5720
SHA256 6f16f519d7ffb4328129845db52ee57ccee69933a45ca7b238b42e08e573ad86
SHA512 540d3dc30563b054440ed0b6e93518be2b5bc6ca43ddf375f295dafc0a18c0417d7daf6fa102cab3407bbec940be3d3ae0701100c9c8ae0e7b4232930c391c86

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-07 18:43

Reported

2024-05-07 18:46

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 220

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-07 18:43

Reported

2024-05-07 18:46

Platform

win10v2004-20240419-en

Max time kernel

133s

Max time network

106s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2436 wrote to memory of 1088 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2436 wrote to memory of 1088 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2436 wrote to memory of 1088 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1088 -ip 1088

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 600

Network


Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-07 18:43

Reported

2024-05-07 18:46

Platform

win7-20240220-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DmMain.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DmMain.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DmMain.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 224

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-07 18:43

Reported

2024-05-07 18:46

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 220

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-07 18:43

Reported

2024-05-07 18:46

Platform

win7-20240221-en

Max time kernel

120s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 228

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-07 18:43

Reported

2024-05-07 18:46

Platform

win10v2004-20240419-en

Max time kernel

132s

Max time network

108s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2492 wrote to memory of 2596 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2492 wrote to memory of 2596 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2492 wrote to memory of 2596 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsProcess.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2596 -ip 2596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2596 -s 600

Network


Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-07 18:43

Reported

2024-05-07 18:47

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01ee6aa88ccfb589bde33b360ad45300_NEAS.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\01ee6aa88ccfb589bde33b360ad45300_NEAS.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\4366\雷霆之怒\ltzn.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\4366\雷霆之怒\ltzn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\4366\雷霆之怒\ltzn.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\01ee6aa88ccfb589bde33b360ad45300_NEAS.exe

"C:\Users\Admin\AppData\Local\Temp\01ee6aa88ccfb589bde33b360ad45300_NEAS.exe"

C:\Users\Admin\AppData\Roaming\4366\雷霆之怒\ltzn.exe

"C:\Users\Admin\AppData\Roaming\4366\雷霆之怒\ltzn.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8

Network


Files

SHA512 386adc5bcc4d14e7404b337262357386c776b5bb10989f253117d1442b83850f5b91507c8452004b70f5af16edb0100a07f2afeafd5f385cd09e14a14f7896b2

\??\c:\users\admin\appdata\roaming\4366\雷霆之怒\ui\themes\theme0\image\btn_clear_cache.png

MD5 e77937a36194fe3479852bdddb057779
SHA1 1a6668fca1e2244ffebe6e16df0c4cdd4cdb6668
SHA256 21e97edcab96153e181c3c0ee088a7b7651429b3dbe00c0f332379264e1b3beb
SHA512 cae4bfe8c61f0248b3edab0f3c0add7a0b2d3123189fb559d4a1c83c00a5c0b5f0da1da07c75a8100f14a3f2758d773bde46c3cd06e49ced0231545f4719293d

\??\c:\users\admin\appdata\roaming\4366\雷霆之怒\ui\themes\theme0\image\btn_restore.png

MD5 1cfe372a6c9b7f4cb36cd8a97cc58363
SHA1 251e8b3f76d7874a83325bb434fb536558fa7c5d
SHA256 a11cd525b81d81d476ef9bbc80f576048997ebdb312e236cb0a2784f7c6bade6
SHA512 041b47dea7c5f8d9e7d996c1d9e6a054384e5c2dd8bdf2e9fee12519937faeaadd5afaf2a1be3d7babb84875cf37aa7da04657c4c5ff5429ae592b1e2a4a0c09

\??\c:\users\admin\appdata\roaming\4366\雷霆之怒\ui\themes\theme0\image\btn_max.png

MD5 e44f74a3d4c93dd710bde3964410034d
SHA1 070b200180ed0589552891c33b2ad697d221ac42
SHA256 8ca5455c1054feada0082a380f6b18737e020c580e7ca3e37a9619cefabdcf1a
SHA512 985b933b06f9a704de6cf9a179aef81efcc79a02e482c350d0ef976c8f6f94c065060df5f4f81165930518a5a1ae853a0e19c8c2436dc9b9ba42f5365544f9e5

\??\c:\users\admin\appdata\roaming\4366\雷霆之怒\ui\themes\theme0\image\btn_min.png

MD5 f707d718a545e46b8e085e9d4b50dc0f
SHA1 4550beebf58843b03c525b39a93b7ce5e88e9d5d
SHA256 d37c64c2f90041c3dcfb12353354174fadf53f6351c6e52b4b5a0090278f4941
SHA512 e36f40bcc3423519cfe6738e583975fb01ee8946160931a9a0437301cef336a38ea6f3c967f7f457a0026eac66413d046c234cd0de084bcd639537bef49cec48

\??\c:\users\admin\appdata\roaming\4366\雷霆之怒\ui\themes\theme0\image\btn_close.png

MD5 a1650d6626f40676cbaf74f36ace12c5
SHA1 bd891103f625a056e9779587f55438da4d2f95c7
SHA256 d4d89eeb192ab3bb4fe4ad8fbb6b624b856e14b0f03aaa59d8f31f697c97c411
SHA512 660d5cc0660749da5b4d1017c007e9c3fbf4198fbae94014f9bcdfbf1425dfcbe71fee78c986fd40b0fd45e051caa3e18bf6bb68c5c8616881bd929dfca0dc09

\??\c:\users\admin\appdata\roaming\4366\雷霆之怒\ui\themes\theme0\image\btn_kefu.png

MD5 af197601703c44e4250d9ec66a6fc4d4
SHA1 0ff81419cdff6c3b9a3b347f461a0a0474070444
SHA256 ab8873cbae2231d5457e9695811aaeb53d6ceca2bbb3e1a48cd95b287d601c05
SHA512 5b986703b948b4643c75b7e8a2e01c9031eb065059ac9961cb097e08f6a2a1207be3d7d8f1704eef57590818765c069943afd678150353a792a6290d7870aed2

\??\c:\users\admin\appdata\roaming\4366\雷霆之怒\ui\themes\theme0\image\btn_libao.png

MD5 64a322f091497e4e222d92a2f8bf053e
SHA1 0a7c80f36baf83ecc1541d5cadd0c8959a954a50
SHA256 d150f1f42dc26aadc6cf57824c661d492b57c9a3fc8f41ea41c5063fd20e404f
SHA512 7641eda6ccf97a444704effed17ed828003b0cf08ab5b608396d95825d2cbcf604e11fb585a1d54896e51313117a2fdb6b864863a9daf44e88fb43e5aa5752ab

\??\c:\users\admin\appdata\roaming\4366\雷霆之怒\ui\themes\theme0\image\btn_gonglue.png

MD5 19f3d9216022170c0dfd4d563290b30c
SHA1 3c28de05763b73dc68368e4c6cefa5eb9a438eb1
SHA256 61f923add742de7491ccba39af7968e3dc642720d8e4e3fcd4ff73bca034cb52
SHA512 f75a2ba6fc7519e96d5dd8763c0ad211a6177d42687abd19c4dd966feddb5788e29384056cc983406331507a9a00a6bc8f7e486aa1e53f5379809ec9af80e3bc

\??\c:\users\admin\appdata\roaming\4366\雷霆之怒\ui\themes\theme0\image\btn_home.png

MD5 6d5281aa82034ced0b3cb51cbcffe8bb
SHA1 8bcd84c097a90eb47a0cf314492d4dd8ffa29378
SHA256 daf5e3ebe63e82d88b10996bdbed80c2b2aaa691d7678ab23eb3f77c25934320
SHA512 45bb6114b7736fa81f86951d8354cbc8185c5ef4fb68ce864902fee5241900a47ad81e5bd63caf5f6dae9bb1c55e76b4a23de1bbeda445e14106f11bdfa7850a

C:\Users\Admin\AppData\Roaming\4366\雷霆之怒\config.ini

MD5 48bc9f06b52385025020ace3122b13e2
SHA1 2b1856b913f8d0fbf8d1a5c13baa3768c883edc1
SHA256 507a910bb694b098e29ad42bd3b2dd010d1c25fcfe425e7c5491991d337305f2
SHA512 6e67cfe46765125c150c9e8c677d546887d21b449b140c4a14e11f83a49503c4d98854709aaee16f73664745fc1de10457ee81a384fbfd62ee6a6ef8cee8188f

memory/2428-93-0x0000000002D10000-0x0000000002D20000-memory.dmp

\??\c:\users\admin\appdata\roaming\4366\雷霆之怒\ui\themes\theme0\image\btn_login_close.png

MD5 9ee8d9b94234b95686f5ce1bcaacd1f2
SHA1 b92447998c0af6b8c419cae2cfae5a28582bead0
SHA256 8f0707696f4e9d8ca3983b384eb838a5d7839c91f851dc2353dd713bced773fd
SHA512 a4953259ee39ebe18caf1434f2e01388626bfdeddb5d0b52f44796137772f9dcd325dfe40455865bbd90fb85c9b639f29ac9a630f400ce9386d4f159bc95b51b

\??\c:\users\admin\appdata\roaming\4366\雷霆之怒\ui\layout\xml\dui_loginwnd.xml

MD5 967fbb3f49ac2e7b54656b13eb230111
SHA1 8fdd67ed06fbf730937866db0e4f4bf8507d05fd
SHA256 20b8eb615bd48f6e6edd2c5e8584df307d32a9a470681840ef4c9a6a99369d3c
SHA512 de4488ce7592bf373584a402ea5c8e4f62efd4ea168b0ff34e1422457c83e0d6177448b755da8de498ee4bdaa6124939480641ef0500624dd923d7ef28feaec1

memory/2428-95-0x00000000031D0000-0x00000000031E0000-memory.dmp

memory/2428-96-0x00000000032A0000-0x00000000032B0000-memory.dmp

memory/2428-97-0x0000000002DD0000-0x0000000002DE0000-memory.dmp

memory/2428-98-0x0000000002D10000-0x0000000002D20000-memory.dmp

memory/2428-99-0x00000000032A0000-0x00000000032B0000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-07 18:43

Reported

2024-05-07 18:46

Platform

win10v2004-20240419-en

Max time kernel

132s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DmMain.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2024 wrote to memory of 4868 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2024 wrote to memory of 4868 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2024 wrote to memory of 4868 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DmMain.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DmMain.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4868 -ip 4868

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 636

Network

Country Destination Domain Proto
US 20.231.121.79:80 N/A tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 14.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-07 18:43

Reported

2024-05-07 18:46

Platform

win7-20240221-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 240

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-07 18:43

Reported

2024-05-07 18:46

Platform

win10v2004-20240419-en

Max time kernel

135s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2920 wrote to memory of 1576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2920 wrote to memory of 1576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2920 wrote to memory of 1576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1576 -ip 1576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 636
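
In this run, as in behavioral10, the 64-bit C:\Windows\system32\rundll32.exe starts C:\Windows\SysWOW64\rundll32.exe with an identical command line, the three "wrote to memory" rows are parent-to-child writes at process creation, and WerFault is then invoked for the child's PID (1576). That is the pattern rundll32 produces when it is handed a 32-bit DLL (it re-launches its WOW64 copy to load it), so the WriteProcessMemory signature here is not evidence of injection into an unrelated process. nsDialogs.dll under $PLUGINSDIR is an NSIS plugin that expects to be called by the installer with the NSIS plugin calling convention, so a crash when rundll32 calls export #1 directly is unsurprising. The Python below is an added example, not the sandbox's own logic or code from the report: it parses the signature rows and process list in the report's layout, recovers the crashed PID from the WerFault command lines, and separates the rundll32 WOW64 re-launch from any other cross-process write, which would still deserve manual review. The input text is constructed from the sections above.

```python
import re
from collections import Counter

# Constructed from the report's behavioral18 Signatures and Processes sections.
REPORT = r"""
PID 2920 wrote to memory of 1576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2920 wrote to memory of 1576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2920 wrote to memory of 1576 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1576 -ip 1576
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 636
"""

# "PID <src> wrote to memory of <dst> <indicator> <process> <target>"
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")
# WerFault names the crashed process with "-p <pid>" ("-pss" and "-ip" do not match).
WERFAULT_RE = re.compile(r"WerFault\.exe .*?-p (\d+)")
# A bare image path line; the report prints the command line on the next line.
IMAGE_RE = re.compile(r"^[A-Za-z]:\\\S+\.exe$")


def parse_processes(text):
    """Return [{'image': ..., 'cmdline': ...}] from the report's Processes layout."""
    lines = [l.rstrip() for l in text.splitlines()]
    procs = []
    for i, line in enumerate(lines[:-1]):
        if IMAGE_RE.match(line):
            procs.append({"image": line, "cmdline": lines[i + 1]})
    return procs


def dll_argument(cmdline):
    """'rundll32.exe C:\\x\\foo.dll,#1' -> ('C:\\x\\foo.dll', '#1'); None if not rundll32."""
    m = re.match(r"^rundll32(?:\.exe)?\s+(.+?),(\S+)$", cmdline, re.I)
    return (m.group(1), m.group(2)) if m else None


def classify_write(parent_img, child_img, procs):
    """Distinguish rundll32's WOW64 re-launch from an arbitrary cross-process write."""
    cmd = {p["image"].lower(): p["cmdline"] for p in procs}
    p_l, c_l = parent_img.lower(), child_img.lower()
    same_cmd = cmd.get(p_l) is not None and cmd.get(p_l) == cmd.get(c_l)
    if (p_l.endswith(r"\system32\rundll32.exe")
            and c_l.endswith(r"\syswow64\rundll32.exe") and same_cmd):
        return "wow64-relaunch"
    return "cross-process-write"  # anything else still needs an analyst's eyes


def assess(text):
    """Correlate write signatures, the process list and WerFault into one verdict."""
    procs = parse_processes(text)
    writes, verdict = Counter(), {}
    for line in text.splitlines():
        m = WRITE_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m.group(1)), int(m.group(2))
        writes[(src, dst)] += 1
        verdict[(src, dst)] = classify_write(m.group(3), m.group(4), procs)
    crashed = sorted({int(m.group(1)) for m in WERFAULT_RE.finditer(text)})
    dll = next((dll_argument(p["cmdline"]) for p in procs
                if dll_argument(p["cmdline"])), None)
    return {"writes": dict(writes), "verdict": verdict,
            "crashed_pids": crashed, "dll": dll}


if __name__ == "__main__":
    for k, v in assess(REPORT).items():
        print(f"{k}: {v}")
```

The check is deliberately narrow: only a system32 rundll32 writing into a SysWOW64 rundll32 that carries the very same command line is downgraded. A rundll32 writing into any other image, or a child with a different command line, keeps the "cross-process-write" label so it is not silently filtered away.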

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.112:443 www.bing.com tcp
US 8.8.8.8:53 112.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-07 18:43

Reported

2024-05-07 18:46

Platform

win7-20231129-en

Max time kernel

148s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01ee6aa88ccfb589bde33b360ad45300_NEAS.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\4366\雷霆之怒\ltzn.exe N/A

Checks installed software on the system

Tags: discovery

Enumerates physical storage devices

Modifies Internet Explorer settings

Tags: adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Roaming\4366\雷霆之怒\ltzn.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\4366\雷霆之怒\ltzn.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\4366\雷霆之怒\ltzn.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\01ee6aa88ccfb589bde33b360ad45300_NEAS.exe

"C:\Users\Admin\AppData\Local\Temp\01ee6aa88ccfb589bde33b360ad45300_NEAS.exe"

C:\Users\Admin\AppData\Roaming\4366\雷霆之怒\ltzn.exe

"C:\Users\Admin\AppData\Roaming\4366\雷霆之怒\ltzn.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 wvw.4366.com udp
CN 47.107.36.124:80 wvw.4366.com tcp
CN 112.74.125.148:80 wvw.4366.com tcp
US 8.8.8.8:53 www.4366.com udp
CN 218.60.100.165:443 www.4366.com tcp
CN 118.123.207.186:443 www.4366.com tcp
CN 221.194.141.165:443 www.4366.com tcp
CN 120.221.252.95:443 www.4366.com tcp
CN 115.223.9.118:443 www.4366.com tcp
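
The Network tables of behavioral10 and behavioral18 are almost entirely 8.8.8.8 reverse-DNS lookups and Bing endpoints; behavioral1 is the only run that reaches wvw.4366.com and www.4366.com, and it rotates through several CN addresses for the same hostnames. The Python below is an added example, not part of the report or of the sandbox's tooling: it parses rows in the report's layout, treats in-addr.arpa queries and Bing hostnames as background traffic of the Windows VM (an assumption of this example, not a finding of the sandbox), marks PTR lookups whose target IP is itself a destination in the same capture as the VM reverse-resolving its own connections, and leaves rows with no resolved domain for manual review instead of guessing who owns the IP. The sample rows are copied from the tables above.

```python
import re
from collections import defaultdict

# Constructed from the report's Network tables (behavioral10 and behavioral1).
SAMPLE_ROWS = """\
US 20.231.121.79:80 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 wvw.4366.com udp
CN 47.107.36.124:80 wvw.4366.com tcp
CN 218.60.100.165:443 www.4366.com tcp
"""

# "<CC> <ip>:<port> [<domain>] <proto>"; the domain column may be empty.
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[0-9.]+):(?P<port>\d+)"
    r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$"
)
# Assumed: hostnames a clean Windows 10 sandbox contacts on its own.
NOISE_DOMAIN_SUFFIXES = ("bing.com", "bing.net")


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):
            continue  # blank or the table header
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparseable network row: {line!r}")
        d = m.groupdict()
        d["port"] = int(d["port"])
        rows.append(d)
    return rows


def ptr_target(domain):
    """'200.197.79.204.in-addr.arpa' -> '204.79.197.200'; None if not a PTR name."""
    if not domain or not domain.endswith(".in-addr.arpa"):
        return None
    octets = domain[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def classify(row):
    dom = row["domain"]
    if dom is None:
        return "unresolved"      # raw IP only: needs an analyst, not a guess
    if ptr_target(dom):
        return "ptr-lookup"
    if any(dom == s or dom.endswith("." + s) for s in NOISE_DOMAIN_SUFFIXES):
        return "os-noise"
    return "sample"


def triage(text):
    """Group rows by class; PTR lookups of the VM's own destinations get their own bucket."""
    rows = parse_rows(text)
    seen_ips = {r["ip"] for r in rows}
    out = defaultdict(list)
    for r in rows:
        cls = classify(r)
        if cls == "ptr-lookup" and ptr_target(r["domain"]) in seen_ips:
            cls = "ptr-lookup-self"
        out[cls].append(r)
    return dict(out)


def sample_iocs(text):
    """Domains and ip:port pairs attributable to the sample (DNS rows give domains only)."""
    rows = triage(text).get("sample", [])
    domains = sorted({r["domain"] for r in rows})
    endpoints = sorted({f'{r["ip"]}:{r["port"]}' for r in rows if r["port"] != 53})
    return domains, endpoints


if __name__ == "__main__":
    for cls, rows in triage(SAMPLE_ROWS).items():
        print(cls, [r["domain"] or r["ip"] for r in rows])
    print(sample_iocs(SAMPLE_ROWS))
```

Note that the CN addresses are CDN members answering for the same hostname, so the hostnames are the durable indicator and the ip:port pairs are secondary; the unresolved 20.231.121.79:80 row is reported separately rather than assigned to either side.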

Files

\Users\Admin\AppData\Local\Temp\nsd2128.tmp\nsProcess.dll

MD5 f0438a894f3a7e01a4aae8d1b5dd0289
SHA1 b058e3fcfb7b550041da16bf10d8837024c38bf6
SHA256 30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11
SHA512 f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

\Users\Admin\AppData\Roaming\4366\雷霆之怒\ltzn.exe

MD5 a80dc7bbca76113f10b6dff20c3bc0e4
SHA1 59b4fcb138dcfab9f89c9b1658c098789cce9e7e
SHA256 bb4e34b1a8c69f0dda2ffb8ed7ec532bb63588749861a7dff64098a4655456a8
SHA512 b12b000184483f49bbd9463c12cc311299a32527e37e46e30fc11fe20dffc732302eddff15f6d9d1d1b814f182aa3f6cd9bedbcf8cc1093494e53885dcb154f9

\Users\Admin\AppData\Roaming\4366\雷霆之怒\uninst.exe

MD5 0f1a3d0646e5201790ff1f824d58cacc
SHA1 79b8264ae44315ceec6e87cf2626c86658a71b4f
SHA256 0e2fd6418a40f392edb01e8acacf81fe0dfdd88064d7dc1957d302369ceb96d0
SHA512 2eea72b58e0a49db3ec44a746718db7eb4a27f31fe957d83978728a7da9105cd8f7a5dc8a77e2891f1f7b21d1aa543f60f9a31a180c04d36f7c2fd1864163d5d

C:\Users\Admin\AppData\Roaming\4366\雷霆之怒\DmMain.dll

MD5 3d1f90d87b4cef211e3deee64a3cea61
SHA1 cee8b951718889a566f56a4bac7e6c316cfc4828
SHA256 a2fc2c6e48ad7c96ca4d0f309416e870e232e1745a564ac604fc2472c64cbe8e
SHA512 a0ba182710e8ad27422290fd4e80533da197331b027e47a3b7210d0dd4b4f09f7285610555c199d0ba016c1efce12f6028784dd54e45376e679dc87040fd7177

\??\c:\users\admin\appdata\roaming\4366\雷霆之怒\ui\themes\theme0\image\main.png

MD5 017c4a6a114a99ffb0dafd4d2e04224a
SHA1 413c36f12fd7aed56cfbd17fc87a03199ad2ac75
SHA256 7c5e6dc3f3d2682b3376524046354275cde3ba4411f88c57171662bc1698051e
SHA512 be1fa5c879ba3574a339fa09a9162a8ba6b5af82095776a1de9b3a9e17aa48e5750856c5effc3101f65a6deb1e3c908500e5ac59d0d43d6b259be9ecd9c7b305

\??\c:\users\admin\appdata\roaming\4366\雷霆之怒\ui\layout\xml\global.xml

MD5 29f3f6709a005537425016e1394bd97c
SHA1 44f7410f0a62e68ad2d21551f42c9c0f6c12d588
SHA256 4bbb8e0eece05dec40e51e2d2c4119d8a133c38346015660f667291074335705
SHA512 f871a6bad8eff55bf65056342769fdbcd7cab233d1af3f7d3de99690bc788e7c37c1d666d873b05a92b31ee15639867cb5272abb02bec22ff705dbc7c3bb1bf7

C:\Users\Admin\AppData\Roaming\4366\雷霆之怒\ui\themes\theme0\dmindex.xml

MD5 6df0b82758e44e312b0a64a2f2c3e801
SHA1 395323cf935ffe420f5f68c2b720f70044929c2a
SHA256 3bbcccd41dd93f74eb896a8acb5c90341298a99e8427f7f87902d4b4050c1275
SHA512 fc2bb806dcc63982893ef702c63ee6ba181f9a77247062f40dcd220bb6792649a46eca019164f4b928bb7b7d63b803f1b5052e48c76ffc6ea8bf09caffe902c9

C:\Users\Admin\AppData\Roaming\4366\雷霆之怒\ui\themes\dmindex.xml

MD5 873a289e3b1ad5b9731374512357d156
SHA1 930e4632f2ed9a21a5421b641277498af4ca4783
SHA256 58790c97f0a7b22d36cf64286c05d9c18141424adfa9338baec248dcd297b583
SHA512 0f140a3323d78bf2ca82fefa13279785d27ede5d70862995adeedebfa5b7d2f6f167910a6e9a9c24f816757ba38cc7ee8da94510fe8dade6432edc536653d920

C:\Users\Admin\AppData\Roaming\4366\雷霆之怒\ui\layout\dmindex.xml

MD5 b2daa7c7c825b5d98e4298b53ced20af
SHA1 98c2d293ea5048a6876eefb27c11bd7a9160ed6d
SHA256 1281a4ee54521a99311e8c9b479f1994dadd7b816dcd9b03c9a9cd9d06b344b6
SHA512 17be898d482da16c3ecf89631851b08b1d09b6fa849b0f09a63cbfc29a60c23589e48c747a8cf6f75c73c37dfd0db7841656091719d1babe42312a1f20a99239

memory/2884-71-0x0000000000E80000-0x0000000000EC0000-memory.dmp

\??\c:\users\admin\appdata\roaming\4366\雷霆之怒\ui\themes\theme0\image\wnd_popup_background.png

MD5 93b8381450a2f178c1e68d4d2d068398
SHA1 5f60b0b1575173a078d6c7469ff3b6ffe63e418d
SHA256 faa04a28e4f713c4efaa354f45eb2c8c836009736ee01c6691a0d22dfb335ba6
SHA512 ed777c1da342fc869ac736a23a3f4025b24e71977ff1bd365022e686a80682afe8b613f7d059501b50b46858cd6f2a4c2277f7cc727069abc48550840515c6b7

\??\c:\users\admin\appdata\roaming\4366\雷霆之怒\ui\themes\theme0\image\btn_ok.png

MD5 eb191a2ca8bf2d52ae52f3ff73753942
SHA1 59b3388d85ab8a706e2bbbb3da95f808065c0151
SHA256 878f1daa331a7f48c2a1a7b38c67c663842d6f718beaad0b5f3ce44d676775b5
SHA512 c2b71aea3b09564e776cc4997c8c07fa77ee5c0eed97f83028993203e9f584b819ae1b749d1c894c64380c66217d0b46a7e9c44c11cb51d1b1524f15c741cb36

\??\c:\users\admin\appdata\roaming\4366\雷霆之怒\ui\themes\theme0\image\btn_cancel.png

MD5 2c460be5f3609bee2630fd37f45562f4
SHA1 c4109a42004059a64f36dea3c7d65bbb65589bbf
SHA256 1af49b933a0061739ab1b6a58aaff4cde65a589e0a0394a5d89f4ef5f89f5e39
SHA512 62ef4fe1868c5de6948034cac0d8274eabb0ebe4b3cc4f79b66ac7084353e946c7e8d8d1d61dbcb5c908a2da905f035074dbb395966fd683a8ad61ef4b627f52

\??\c:\users\admin\appdata\roaming\4366\雷霆之怒\ui\layout\xml\dui_loginwnd.xml

MD5 967fbb3f49ac2e7b54656b13eb230111
SHA1 8fdd67ed06fbf730937866db0e4f4bf8507d05fd
SHA256 20b8eb615bd48f6e6edd2c5e8584df307d32a9a470681840ef4c9a6a99369d3c
SHA512 de4488ce7592bf373584a402ea5c8e4f62efd4ea168b0ff34e1422457c83e0d6177448b755da8de498ee4bdaa6124939480641ef0500624dd923d7ef28feaec1

C:\Users\Admin\AppData\Roaming\4366\雷霆之怒\config.ini

MD5 48bc9f06b52385025020ace3122b13e2
SHA1 2b1856b913f8d0fbf8d1a5c13baa3768c883edc1
SHA256 507a910bb694b098e29ad42bd3b2dd010d1c25fcfe425e7c5491991d337305f2
SHA512 6e67cfe46765125c150c9e8c677d546887d21b449b140c4a14e11f83a49503c4d98854709aaee16f73664745fc1de10457ee81a384fbfd62ee6a6ef8cee8188f

\??\c:\users\admin\appdata\roaming\4366\雷霆之怒\ui\themes\theme0\image\anima.png

MD5 0b056799111f308927f5500114e52a87
SHA1 ef1f3e13d16954654caa85cb9c68a1a5a57750a8
SHA256 7cb2f02fb1a8989454e9fedb7b82bed941485a3570e19e0f1c9e1163f538837c
SHA512 1e70f5476f152ea416ef5c0223efaf93c9cc5389e1ad2b82b66d046e658844825a874b38d52f19e29cba088e9509f111aff036508a3d54ccbe48f6fd6b0744c4

\??\c:\users\admin\appdata\roaming\4366\雷霆之怒\ui\themes\theme0\image\wnd_game_title.png

MD5 a78e88d5f823d4965ae228b79eaf058f
SHA1 0feb8739d59920a780b0c0c1a0e0adc1c84abdc1
SHA256 608fbac9823f581518251daf6a916e9f9c453cadb4b973be0dbe5d16aee3c8ad
SHA512 bd1d437eb3f514486f96ce13686e7e06bf08e9e474f2c2f44eec3cce68dcf02fb658e62356b6fc633c2a205a6bc11bda219cff5f68e4e0a1eb240a7dd9da5c2b

\??\c:\users\admin\appdata\roaming\4366\雷霆之怒\ui\themes\theme0\image\btn_bosskey.png

MD5 e7016a060e3c91a7d63348f2fbf6858e
SHA1 3b25cd3e9ed9806e393f8e3ebb3c6b2feb793e30
SHA256 a6fbbbfa24a9abe992d608aa5127ccb16d8b289e94ad8fc01148ba1f47a9e09e
SHA512 5a46a6420aeffe0624f8acc53d0bcfc1a1a347bd9a2bc1252c182f8e2dddc2d1438e7d3e013469f24ae2c1a4710da7b6d428e572c79ff9d424657c8f95653372

\??\c:\users\admin\appdata\roaming\4366\雷霆之怒\ui\themes\theme0\image\btn_refresh.png

MD5 83fd25beaa29b360eef4bd602aedfc39
SHA1 355e2d0a9541e1c948890f6a4fb588ac30a3c0b7
SHA256 fe8463a754455a5d0ca90c33d5055059a84cdb7148441d5e44449f1fc7d087c4
SHA512 386adc5bcc4d14e7404b337262357386c776b5bb10989f253117d1442b83850f5b91507c8452004b70f5af16edb0100a07f2afeafd5f385cd09e14a14f7896b2

\??\c:\users\admin\appdata\roaming\4366\雷霆之怒\ui\themes\theme0\image\btn_clear_cache.png

MD5 e77937a36194fe3479852bdddb057779
SHA1 1a6668fca1e2244ffebe6e16df0c4cdd4cdb6668
SHA256 21e97edcab96153e181c3c0ee088a7b7651429b3dbe00c0f332379264e1b3beb
SHA512 cae4bfe8c61f0248b3edab0f3c0add7a0b2d3123189fb559d4a1c83c00a5c0b5f0da1da07c75a8100f14a3f2758d773bde46c3cd06e49ced0231545f4719293d

\??\c:\users\admin\appdata\roaming\4366\雷霆之怒\ui\themes\theme0\image\btn_restore.png

MD5 1cfe372a6c9b7f4cb36cd8a97cc58363
SHA1 251e8b3f76d7874a83325bb434fb536558fa7c5d
SHA256 a11cd525b81d81d476ef9bbc80f576048997ebdb312e236cb0a2784f7c6bade6
SHA512 041b47dea7c5f8d9e7d996c1d9e6a054384e5c2dd8bdf2e9fee12519937faeaadd5afaf2a1be3d7babb84875cf37aa7da04657c4c5ff5429ae592b1e2a4a0c09

\??\c:\users\admin\appdata\roaming\4366\雷霆之怒\ui\themes\theme0\image\btn_max.png

MD5 e44f74a3d4c93dd710bde3964410034d
SHA1 070b200180ed0589552891c33b2ad697d221ac42
SHA256 8ca5455c1054feada0082a380f6b18737e020c580e7ca3e37a9619cefabdcf1a
SHA512 985b933b06f9a704de6cf9a179aef81efcc79a02e482c350d0ef976c8f6f94c065060df5f4f81165930518a5a1ae853a0e19c8c2436dc9b9ba42f5365544f9e5

\??\c:\users\admin\appdata\roaming\4366\雷霆之怒\ui\themes\theme0\image\btn_min.png

MD5 f707d718a545e46b8e085e9d4b50dc0f
SHA1 4550beebf58843b03c525b39a93b7ce5e88e9d5d
SHA256 d37c64c2f90041c3dcfb12353354174fadf53f6351c6e52b4b5a0090278f4941
SHA512 e36f40bcc3423519cfe6738e583975fb01ee8946160931a9a0437301cef336a38ea6f3c967f7f457a0026eac66413d046c234cd0de084bcd639537bef49cec48

\??\c:\users\admin\appdata\roaming\4366\雷霆之怒\ui\themes\theme0\image\btn_close.png

MD5 a1650d6626f40676cbaf74f36ace12c5
SHA1 bd891103f625a056e9779587f55438da4d2f95c7
SHA256 d4d89eeb192ab3bb4fe4ad8fbb6b624b856e14b0f03aaa59d8f31f697c97c411
SHA512 660d5cc0660749da5b4d1017c007e9c3fbf4198fbae94014f9bcdfbf1425dfcbe71fee78c986fd40b0fd45e051caa3e18bf6bb68c5c8616881bd929dfca0dc09

\??\c:\users\admin\appdata\roaming\4366\雷霆之怒\ui\themes\theme0\image\btn_kefu.png

MD5 af197601703c44e4250d9ec66a6fc4d4
SHA1 0ff81419cdff6c3b9a3b347f461a0a0474070444
SHA256 ab8873cbae2231d5457e9695811aaeb53d6ceca2bbb3e1a48cd95b287d601c05
SHA512 5b986703b948b4643c75b7e8a2e01c9031eb065059ac9961cb097e08f6a2a1207be3d7d8f1704eef57590818765c069943afd678150353a792a6290d7870aed2

\??\c:\users\admin\appdata\roaming\4366\雷霆之怒\ui\themes\theme0\image\btn_libao.png

MD5 64a322f091497e4e222d92a2f8bf053e
SHA1 0a7c80f36baf83ecc1541d5cadd0c8959a954a50
SHA256 d150f1f42dc26aadc6cf57824c661d492b57c9a3fc8f41ea41c5063fd20e404f
SHA512 7641eda6ccf97a444704effed17ed828003b0cf08ab5b608396d95825d2cbcf604e11fb585a1d54896e51313117a2fdb6b864863a9daf44e88fb43e5aa5752ab

\??\c:\users\admin\appdata\roaming\4366\雷霆之怒\ui\themes\theme0\image\btn_gonglue.png

MD5 19f3d9216022170c0dfd4d563290b30c
SHA1 3c28de05763b73dc68368e4c6cefa5eb9a438eb1
SHA256 61f923add742de7491ccba39af7968e3dc642720d8e4e3fcd4ff73bca034cb52
SHA512 f75a2ba6fc7519e96d5dd8763c0ad211a6177d42687abd19c4dd966feddb5788e29384056cc983406331507a9a00a6bc8f7e486aa1e53f5379809ec9af80e3bc

\??\c:\users\admin\appdata\roaming\4366\雷霆之怒\ui\themes\theme0\image\btn_home.png

MD5 6d5281aa82034ced0b3cb51cbcffe8bb
SHA1 8bcd84c097a90eb47a0cf314492d4dd8ffa29378
SHA256 daf5e3ebe63e82d88b10996bdbed80c2b2aaa691d7678ab23eb3f77c25934320
SHA512 45bb6114b7736fa81f86951d8354cbc8185c5ef4fb68ce864902fee5241900a47ad81e5bd63caf5f6dae9bb1c55e76b4a23de1bbeda445e14106f11bdfa7850a

\??\c:\users\admin\appdata\roaming\4366\雷霆之怒\ui\themes\theme0\image\btn_login_close.png

MD5 9ee8d9b94234b95686f5ce1bcaacd1f2
SHA1 b92447998c0af6b8c419cae2cfae5a28582bead0
SHA256 8f0707696f4e9d8ca3983b384eb838a5d7839c91f851dc2353dd713bced773fd
SHA512 a4953259ee39ebe18caf1434f2e01388626bfdeddb5d0b52f44796137772f9dcd325dfe40455865bbd90fb85c9b639f29ac9a630f400ce9386d4f159bc95b51b

\??\c:\users\admin\appdata\roaming\4366\雷霆之怒\ui\themes\theme0\image\btn_login_min.png

MD5 02b34b7ce976eec7f27092481fe39149
SHA1 e37c8fe4c6853fa97ee0be4e8282c0ee3f761717
SHA256 4e5ac64cc7d198d499ce7963c1e6a9ee27f1dd36ce6e5c163e5d8ee34a41220f
SHA512 cb173be1bb7d90051b423cf4b5474e32ddae81243462efe0e7060b43d436ff29843e9493f8e4e3488c38a7535e6fafae036c7f1ef87339a4215819c0855c1004

\??\c:\users\admin\appdata\roaming\4366\雷霆之怒\ui\themes\theme0\image\wnd_login.png

MD5 e9deed509a065ad53fcd75e8ee175cde
SHA1 b8701b48caa5eb17ea86bbd8037cab53096db206
SHA256 c2e9d3e049cf41b9a24a67ddd6ca288d67241c696411687b018338562f3d23aa
SHA512 5fc210e075c3c06b990c73c511916415e1ccff7c0c7e6b6f398b92471a797587ef88324e754926da2dbbe533637b04ccb250a054e135dcca734f6c6f9e6828cb

memory/2884-93-0x00000000010B0000-0x00000000010F0000-memory.dmp

memory/2884-94-0x0000000000E80000-0x0000000000EC0000-memory.dmp

memory/2884-95-0x0000000001010000-0x0000000001050000-memory.dmp
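
The Files sections of every run repeat the same dropped paths and hashes: the sample, an NSIS-packaged installer judging by $PLUGINSDIR\nsDialogs.dll and nsProcess.dll, unpacks the 4366 game launcher ltzn.exe, DmMain.dll, uninst.exe and a set of PNG/XML UI assets into %AppData%, with the same file appearing as both C:\... and \??\c:\..., interleaved with memory-dump names of the form memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp. The Python below is an added example, not part of the report: a parser for that layout that normalises both path spellings, validates digest lengths, de-duplicates entries by SHA256 across runs, flags any path whose SHA256 differs between runs (content that changed between detonations would deserve a second look), and separates PE files from the assets. The input is constructed from a few entries above, with the SHA512 lines omitted for brevity; the parser accepts them.

```python
import re
from collections import defaultdict

# Constructed from a few entries of the report's Files sections; btn_ok.png is
# listed twice because it appears in more than one run.
FILES_TEXT = r"""
\Users\Admin\AppData\Roaming\4366\雷霆之怒\ltzn.exe

MD5 a80dc7bbca76113f10b6dff20c3bc0e4
SHA1 59b4fcb138dcfab9f89c9b1658c098789cce9e7e
SHA256 bb4e34b1a8c69f0dda2ffb8ed7ec532bb63588749861a7dff64098a4655456a8

C:\Users\Admin\AppData\Roaming\4366\雷霆之怒\DmMain.dll

MD5 3d1f90d87b4cef211e3deee64a3cea61
SHA1 cee8b951718889a566f56a4bac7e6c316cfc4828
SHA256 a2fc2c6e48ad7c96ca4d0f309416e870e232e1745a564ac604fc2472c64cbe8e

memory/2884-71-0x0000000000E80000-0x0000000000EC0000-memory.dmp

\??\c:\users\admin\appdata\roaming\4366\雷霆之怒\ui\themes\theme0\image\btn_ok.png

MD5 eb191a2ca8bf2d52ae52f3ff73753942
SHA1 59b3388d85ab8a706e2bbbb3da95f808065c0151
SHA256 878f1daa331a7f48c2a1a7b38c67c663842d6f718beaad0b5f3ce44d676775b5

\??\c:\users\admin\appdata\roaming\4366\雷霆之怒\ui\themes\theme0\image\btn_ok.png

MD5 eb191a2ca8bf2d52ae52f3ff73753942
SHA1 59b3388d85ab8a706e2bbbb3da95f808065c0151
SHA256 878f1daa331a7f48c2a1a7b38c67c663842d6f718beaad0b5f3ce44d676775b5

memory/2884-93-0x00000000010B0000-0x00000000010F0000-memory.dmp
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PE_EXT = (".exe", ".dll", ".sys", ".ocx")


def normalize_path(p):
    """Drop the NT '\\??\\' prefix and case-fold so both spellings of one file compare equal."""
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.lower()


def parse_files(text):
    """Return (file records, memory-dump records) from the report's Files layout."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append({"pid": int(pid), "seq": int(seq), "start": int(start, 16),
                          "size": int(end, 16) - int(start, 16)})
            current = None
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest of wrong length for {current['raw_path']}")
            current[algo.lower()] = digest
            continue
        current = {"path": normalize_path(line), "raw_path": line}  # a new file entry
        files.append(current)
    return files, dumps


def unique_by_sha256(files):
    seen = {}
    for f in files:
        if "sha256" not in f:
            raise ValueError(f"no SHA256 for {f['raw_path']}")
        seen.setdefault(f["sha256"], f)
    return list(seen.values())


def hash_conflicts(files):
    """Paths that carry more than one SHA256 across runs."""
    by_path = defaultdict(set)
    for f in files:
        by_path[f["path"]].add(f["sha256"])
    return {p: s for p, s in by_path.items() if len(s) > 1}


def executables(files):
    return sorted({f["path"] for f in files if f["path"].endswith(PE_EXT)})


if __name__ == "__main__":
    files, dumps = parse_files(FILES_TEXT)
    print(len(files), "entries,", len(unique_by_sha256(files)), "unique by SHA256")
    print("PE drops:", executables(files))
    print("conflicts:", hash_conflicts(files))
    print("dumps:", dumps)
```

The de-duplicated SHA256 list is what goes into a blocklist or a retro-hunt; the conflict check is empty for this sample, which is consistent with the launcher being a static install rather than content fetched fresh on each run.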