Malware Analysis Report

2025-08-11 07:04

Sample ID 241107-lsnq6ssnhp
Target 17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N
SHA256 17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80
Tags
adware discovery stealer upx
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80

Threat Level: Shows suspicious behavior

The file 17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N was found to show suspicious behavior.

Malicious Activity Summary

adware discovery stealer upx

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Installs/modifies Browser Helper Object

UPX packed file

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 09:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 09:47

Reported

2024-11-07 09:49

Platform

win7-20240903-en

Max time kernel

116s

Max time network

114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Win32Games\wingames.exe N/A
N/A N/A C:\Program Files\Win32Games\QvodSetupPlus3.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}! C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}!\ = "360安全卫士" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\helpme.vbs C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\SysWOW64\helpme.ink C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\SysWOW64\sysurl.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\sysurl.dll C:\Windows\SysWOW64\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Win32Games\jiuzhou.ico C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\minigame.vbs C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\URL.dll C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\url.txt C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File opened for modification C:\Program Files\Win32Games\Internet.vbs C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files\Win32Games\dangdangwang.ico C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\Internet.vbs C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\minigame.ico C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\Xianjian.ico C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File opened for modification C:\Program Files\Win32Games\url.txt C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files\Win32Games\Config.ini C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\taobao.vbs C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File opened for modification C:\Program Files\Win32Games\Internet.vbs C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files\Win32Games\bb.tmp C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\QvodSetupPlus3.exe C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\Thumbs.db C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\syspowerues.dll C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\Untitled - 2.ico C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\zhuoyue.ico C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\2xi.ico C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\2xi.vbs C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\bingfeng.ico C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\bookmarks.dat C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\wingames.exe C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Internet Explorer\SIGNUP\iexplore.exe C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files\Win32Games\taobao.ico C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\baidu.ico C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\aaa.bat C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\doset.bat C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\url.txt C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\Win32Games\wingames.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\Win32Games\QvodSetupPlus3.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Win32Games\wingames.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32\ = "C:\\Windows\\SysWOW64\\syspowerues.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849} C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ = "Internet Explorer" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\属性(&D)\Command C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ProgID\ = "syspowerues.360SafeMode" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\Attributes = 00000000 C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\属性(&D) C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ = "Safemon class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\syspowerues.360SafeMode\Clsid\ = "{B69F34DD-F0F9-42DC-9EDD-957187DA688D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.uri C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ink\ = "lnkfile" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\InProcServer32 C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\Open C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\Open\Command C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ink C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32 C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\syspowerues.360SafeMode C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\syspowerues.360SafeMode\ = "Safemon class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.uri\ = "InternetShortcut" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.uri C:\Windows\SysWOW64\cmd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\{305ca226-d286-468e-b848-2b2e8e697b74} 2 = "0" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ink C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.uri\ = "InternetShortcut" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ink\ = "lnkfile" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\属性(&D)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\syspowerues.360SafeMode\Clsid C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ = "shdocvw.dll" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\Open\Command\ = "C:\\Program Files\\Internet Explorer\\SIGNUP\\iexplore.exe %1 h%t%t%p%:%/%/%w%w%w.6dudu.%c%o%m%/" C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Win32Games\QvodSetupPlus3.exe N/A
N/A N/A C:\Program Files\Win32Games\QvodSetupPlus3.exe N/A
N/A N/A C:\Program Files\Win32Games\QvodSetupPlus3.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Win32Games\wingames.exe N/A
N/A N/A C:\Program Files\Win32Games\wingames.exe N/A
N/A N/A C:\Program Files\Win32Games\wingames.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2088 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe C:\Windows\SysWOW64\cmd.exe
PID 2088 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe C:\Windows\SysWOW64\cmd.exe
PID 2088 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe C:\Windows\SysWOW64\cmd.exe
PID 2088 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe C:\Windows\SysWOW64\cmd.exe
PID 2088 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe C:\Program Files\Win32Games\wingames.exe
PID 2088 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe C:\Program Files\Win32Games\wingames.exe
PID 2088 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe C:\Program Files\Win32Games\wingames.exe
PID 2088 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe C:\Program Files\Win32Games\wingames.exe
PID 2088 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe C:\Windows\SysWOW64\cmd.exe
PID 2088 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe C:\Windows\SysWOW64\cmd.exe
PID 2088 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe C:\Windows\SysWOW64\cmd.exe
PID 2088 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 1848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2572 wrote to memory of 1848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2572 wrote to memory of 1848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2572 wrote to memory of 1848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2572 wrote to memory of 1848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2572 wrote to memory of 1848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2572 wrote to memory of 1848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2572 wrote to memory of 2492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2572 wrote to memory of 2492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2572 wrote to memory of 2492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2572 wrote to memory of 2492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2572 wrote to memory of 2492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2572 wrote to memory of 2492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2572 wrote to memory of 2492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 2572 wrote to memory of 1548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2572 wrote to memory of 1548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2572 wrote to memory of 1548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2572 wrote to memory of 1548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2572 wrote to memory of 1548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2572 wrote to memory of 1548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2572 wrote to memory of 1548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2088 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe C:\Program Files\Win32Games\QvodSetupPlus3.exe
PID 2088 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe C:\Program Files\Win32Games\QvodSetupPlus3.exe
PID 2088 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe C:\Program Files\Win32Games\QvodSetupPlus3.exe
PID 2088 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe C:\Program Files\Win32Games\QvodSetupPlus3.exe
PID 2088 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe C:\Program Files\Win32Games\QvodSetupPlus3.exe
PID 2088 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe C:\Program Files\Win32Games\QvodSetupPlus3.exe
PID 2088 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe C:\Program Files\Win32Games\QvodSetupPlus3.exe

Processes

C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe

"C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Program Files\Win32Games\aaa.bat" "

C:\Program Files\Win32Games\wingames.exe

"C:\Program Files\Win32Games\wingames.exe" "http://reg.weiguan8.com/sqtxj"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Program Files\Win32Games\doset.bat" "

C:\Windows\SysWOW64\rundll32.exe

rundll32 "C:\Program Files\Win32Games\URL.dll" helpme

C:\Windows\SysWOW64\rundll32.exe

rundll32 "C:\Program Files\Win32Games\URL.dll" doset

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 syspowerues.dll /s

C:\Program Files\Win32Games\QvodSetupPlus3.exe

"C:\Program Files\Win32Games\QvodSetupPlus3.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 reg.weiguan8.com udp
US 8.8.8.8:53 w.2xi.com udp
US 8.8.8.8:53 so1.5k5.net udp
CN 121.46.21.200:80 w.2xi.com tcp
US 8.8.8.8:53 update.qvod.com udp
US 8.8.8.8:53 track.qvod.com udp
US 8.8.8.8:53 stun.qvod.com udp
AU 1.0.0.127:65535 udp
AU 1.0.0.127:65535 udp
US 8.8.8.8:53 stun01.sipphone.com udp
AU 1.0.0.127:65535 udp
AU 1.0.0.127:65535 udp
US 8.8.8.8:53 agent.qvod.com udp
CN 61.139.219.200:80 udp
CN 221.194.134.216:80 tcp
CN 221.194.134.216:80 tcp
CN 221.194.134.216:80 tcp
CN 221.194.134.216:80 tcp

Files

C:\Program Files\Win32Games\aaa.bat

MD5 7391dc80d581fb94646d5ee534a77d1b
SHA1 1d67613f26b7cc4c01f407817ab80cb84b100115
SHA256 5b6c03e4940bd851aee7fdfe145b1b69f2d3519acb88b6210c5de6e2fbd74fed
SHA512 c4c15b149b0f5fe4be065acf604a68fd9e46fb81ddab98ee261c820f26e827c11281338c75616673b76cc0cf13f27aab88f81f262f389c87a17c05f17dbab92d

\Program Files\Win32Games\wingames.exe

MD5 b63c3aab2e123fe96a4e7adac47913ec
SHA1 bc59745b880794d99d498c5917be23434de09440
SHA256 d9c65c2ac25b5ec22ddc699dca821e92838834d61f4bcbd4b795a416939afa3d
SHA512 29cd845a31cb46e941166fddc7e8cdb3f554743f76dac6ca1d6b7ebae922529adef3b92e1e9c668b4e3572fd7010af714cb260c928bce1ec03295a324ee723c0

C:\Program Files\Win32Games\doset.bat

MD5 a7ed90b88fd89dfd6558ab3c9b610ed4
SHA1 b0f8b86e1546f8a1408b7f47a50208bca38b9b9c
SHA256 6fd3d63e5a2c5cb7e7a5fbdbf44681454175d29c7b29d39510a19429f6fd2e85
SHA512 89809a38e8fca2069f5c0b4428bdc731605db8114ca889db4316623be8de443b833f3e42f140102fd5bf63b84de76f34cce1348eb8a0979547c4593a92f78eec

C:\Program Files\Win32Games\Xianjian.ico

MD5 cdad1c273cbf6e059022029dfbd9bee6
SHA1 7fb484f24929070097237db926f240e887a23bd5
SHA256 c8eb519eb05ea06daf3c9e7d059266c53adda91611514ecf7904eebeb3297fc1
SHA512 1c631fe1a03f32513a451e2259387161637094be8b0eea0d636ecd8e35c85c13e6add5d05c2346a634ee9ec042efd2da73faf023d8f4636edd84a05883ec372c

C:\Program Files\Win32Games\Config.ini

MD5 deafb00b9e7bdeef9f28c8856cfd3fef
SHA1 aaa520a9d7e7d66d8cc9f46eaf8b7a22fc613405
SHA256 e506df6ed0400ebdc6881225f230fe8ebd9fc0cc4ca0f2fd8e8ce0d5a9baacec
SHA512 12d2b2b4a72e786a6118b1f0d04d45cbdc0781ec95508738375134c78833b07a21674c52ccf720199a43977de8fc570566ab84029eca3ead689415df6b01746e

C:\Program Files\Win32Games\URL.dll

MD5 38fd3a889940f8d5160c0340cfc6a451
SHA1 6d78fdc78573cbc675d0f20f943cbe03c15f6557
SHA256 aedd37ac77dbffd56d4fc1fd4f72f58a7b575f51ab32845c32a55676609872af
SHA512 59b7bb1c066d9f85a93a2af7aefc90e1dcd217229cc8eb9e9764e01692b321570400b1dd33cfab161123f61cac06173dd7aa9c22f374ba58150094ed5b99a7c3

C:\Program Files\Win32Games\url.txt

MD5 44fb4e7d1a22004c3d0459e3cc89d156
SHA1 e7ad2634c4cd7c00dd9447f3ae235d1ff3664c65
SHA256 0757723787c1c60d2312afc46790c4ea5794b4bd2810a4477003b485cc9be0d9
SHA512 274454707726b6a6cc29f78b7a46cf5c984b8222e28e15cd98c5bc3808e26208d18c13f0329b48894acb976cf6c850cac119fa1e6a11bf9ad76dba08f0818fe0

C:\Program Files\Win32Games\Internet.vbs

MD5 1e09fbfc0cc38a82530c27c61f72f170
SHA1 89344f847e4f0261b1138de7cc6f92ab48b9d111
SHA256 23bc24a0e52be16cdab5895319e888efaff6b65606b3adafdc34d3871480f1bf
SHA512 d903fcb92d34b63348812ffd53b1e2b794f45ced2e59e3d8556b369395b96c4be240e6e9ecbcbbed226989b135804e581a6d4fae7f377d849c8f1c7a68100e41

C:\Program Files\Win32Games\taobao.vbs

MD5 1f8ba37a69e383b466921b0658c87a11
SHA1 6a334328b4c66eb35534411b004b7883e2cc2faf
SHA256 f03ea6fa8d3f042e8edbf6f7c90cde3bb183fc5ee1ce6461766dfccc67dfe72c
SHA512 9f8973019a2b586fd8335505ef70e7d18661942b260bb616ccd3e3755eafcd4c180aa7fbddc4ff2622ae5e97c654dff2491f2befe24be97521bb609fb6ff7ea1

C:\Users\Admin\Desktop\Intenet Exploer.ink

MD5 937776029e6c9bfcc8f28ca019323415
SHA1 b92a2d7972d0b0a9d0a44d1bc08d7cbf83f5bf72
SHA256 d49f754b19fc84f61abc3a39cfa72f8af308e8eeb463399bdd2ea423bc9a9ae4
SHA512 a5065556e5f45b00c50f0d85812b392d3632c88400471b4e197fc2e1923f2cb2e97d7f225e1bb17bda1277817a7caffc084c2b8c827440839cef027bd393c0c6

C:\Program Files\Win32Games\minigame.vbs

MD5 2d1b6f4bccda34d2ea67f964e1807f31
SHA1 ef2944b0c437fe0fc2b7fd04a6522b8294180c6e
SHA256 8e18d19fbcbae7563fc69b71fa5fb3b88f51dc46c244f2c3f70d533368d8fe68
SHA512 64e6a7aab48141edfad71e23a14c47d5527e72c56e709b63f68d4f67d500d3f3dfe3fb2296f256a18a6591447e3bf6cc88d47888519c153c5239652a3db5e82b

C:\Windows\SysWOW64\syspowerues.dll

MD5 4a463f93d431014383aef5af103aca5e
SHA1 4e45cfd382a61c684d502c606ccee63b8b3c0b5b
SHA256 895b4248d40e513b46931a4eb9f32990d14d4984d4bd7536280303c3f92a022d
SHA512 b5b64318c96bd61e25126fa936e325886d83b89af321a0bbc22a5a374f4e7057af7ee05d49397017bf3857c22d094d44a7bd3cfb8d471c92efe58a8a8756b8e5

\Program Files\Win32Games\QvodSetupPlus3.exe

MD5 8da481acb7ce2508f68071da569ce84a
SHA1 8cbac6dd58a715f1618588e97ccd8889f8e6e976
SHA256 8faa31e39d329b8d86f4c7668832c6e7e557e24538fe57e097171db4516e16d4
SHA512 ede7b12bce408532c95f2a9a2224af2bcfdda340926a613d562ef8f1356cbfff07c62d6188b3a0de51fc0d5db28508e91a5e037c5d08798ad40d6a7c122654f6

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-07 09:47

Reported

2024-11-07 09:49

Platform

win10v2004-20241007-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Win32Games\wingames.exe N/A
N/A N/A C:\Program Files\Win32Games\QvodSetupPlus3.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}! C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}!\ = "360安全卫士" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\sysurl.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\SysWOW64\sysurl.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\SysWOW64\helpme.vbs C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\SysWOW64\helpme.ink C:\Windows\SysWOW64\rundll32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Win32Games\zhuoyue.ico C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File opened for modification C:\Program Files\Win32Games\Internet.vbs C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files\Internet Explorer\SIGNUP\iexplore.exe C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files\Win32Games\baidu.ico C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\bingfeng.ico C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\aaa.bat C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\2xi.ico C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\jiuzhou.ico C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\minigame.ico C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\taobao.ico C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\Thumbs.db C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\wingames.exe C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File opened for modification C:\Program Files\Win32Games\Internet.vbs C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files\Win32Games\Config.ini C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\taobao.vbs C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\url.txt C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\doset.bat C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\bb.tmp C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\dangdangwang.ico C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\minigame.vbs C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\syspowerues.dll C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\Untitled - 2.ico C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\URL.dll C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\Xianjian.ico C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\url.txt C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Program Files\Win32Games\2xi.vbs C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\Internet.vbs C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\QvodSetupPlus3.exe C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File created C:\Program Files\Win32Games\bookmarks.dat C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
File opened for modification C:\Program Files\Win32Games\url.txt C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\Win32Games\wingames.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\Win32Games\QvodSetupPlus3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\InProcServer32 C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\Open\Command\ = "C:\\Program Files\\Internet Explorer\\SIGNUP\\iexplore.exe %1 h%t%t%p%:%/%/%w%w%w.6dudu.%c%o%m%/" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\属性(&D)\Command C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ = "Safemon class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ProgID\ = "syspowerues.360SafeMode" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\{305ca226-d286-468e-b848-2b2e8e697b74} 2 = "0" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\属性(&D)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\syspowerues.360SafeMode C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\syspowerues.360SafeMode\ = "Safemon class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ink\ = "lnkfile" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.uri C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\WOW6432Node\CLSID C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32 C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ = "shdocvw.dll" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\属性(&D) C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.uri\ = "InternetShortcut" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.ink\ = "lnkfile" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ = "Internet Explorer" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\Open\Command C:\Windows\SysWOW64\rundll32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\Attributes = 00000000 C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ink C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\syspowerues.360SafeMode\Clsid C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.uri C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.ink C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849} C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\syspowerues.360SafeMode\Clsid\ = "{B69F34DD-F0F9-42DC-9EDD-957187DA688D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.uri\ = "InternetShortcut" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\Open C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32\ = "C:\\Windows\\SysWow64\\syspowerues.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe" C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Win32Games\QvodSetupPlus3.exe N/A
N/A N/A C:\Program Files\Win32Games\QvodSetupPlus3.exe N/A
N/A N/A C:\Program Files\Win32Games\QvodSetupPlus3.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Win32Games\wingames.exe N/A
N/A N/A C:\Program Files\Win32Games\wingames.exe N/A
N/A N/A C:\Program Files\Win32Games\wingames.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4676 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe C:\Windows\SysWOW64\cmd.exe
PID 4676 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe C:\Windows\SysWOW64\cmd.exe
PID 4676 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe C:\Windows\SysWOW64\cmd.exe
PID 4676 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe C:\Program Files\Win32Games\wingames.exe
PID 4676 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe C:\Program Files\Win32Games\wingames.exe
PID 4676 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe C:\Program Files\Win32Games\wingames.exe
PID 4676 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe C:\Windows\SysWOW64\cmd.exe
PID 4676 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe C:\Windows\SysWOW64\cmd.exe
PID 4676 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe C:\Windows\SysWOW64\cmd.exe
PID 3968 wrote to memory of 1672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 3968 wrote to memory of 1672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 3968 wrote to memory of 1672 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 4676 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe C:\Program Files\Win32Games\QvodSetupPlus3.exe
PID 4676 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe C:\Program Files\Win32Games\QvodSetupPlus3.exe
PID 4676 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe C:\Program Files\Win32Games\QvodSetupPlus3.exe
PID 3968 wrote to memory of 2416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 3968 wrote to memory of 2416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 3968 wrote to memory of 2416 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\rundll32.exe
PID 3968 wrote to memory of 2856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3968 wrote to memory of 2856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3968 wrote to memory of 2856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe

"C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files\Win32Games\aaa.bat" "

C:\Program Files\Win32Games\wingames.exe

"C:\Program Files\Win32Games\wingames.exe" "http://reg.weiguan8.com/sqtxj"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Program Files\Win32Games\doset.bat" "

C:\Windows\SysWOW64\rundll32.exe

rundll32 "C:\Program Files\Win32Games\URL.dll" helpme

C:\Program Files\Win32Games\QvodSetupPlus3.exe

"C:\Program Files\Win32Games\QvodSetupPlus3.exe"

C:\Windows\SysWOW64\rundll32.exe

rundll32 "C:\Program Files\Win32Games\URL.dll" doset

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 syspowerues.dll /s

Network

Country Destination Domain Proto
US 8.8.8.8:53 so1.5k5.net udp
US 8.8.8.8:53 reg.weiguan8.com udp
US 8.8.8.8:53 w.2xi.com udp
US 8.8.8.8:53 update.qvod.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 track.qvod.com udp
CN 121.46.21.200:80 w.2xi.com tcp
US 8.8.8.8:53 stun.qvod.com udp
AU 1.0.0.127:65535 udp
AU 1.0.0.127:65535 udp
US 8.8.8.8:53 127.0.0.1.in-addr.arpa udp
US 8.8.8.8:53 200.21.46.121.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 stun01.sipphone.com udp
AU 1.0.0.127:65535 udp
AU 1.0.0.127:65535 udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 agent.qvod.com udp
CN 61.139.219.200:80 udp
CN 221.194.134.216:80 tcp
US 8.8.8.8:53 200.219.139.61.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
CN 221.194.134.216:80 tcp
CN 221.194.134.216:80 tcp
CN 221.194.134.216:80 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
CN 221.194.134.216:80 tcp

Files

C:\Program Files\Win32Games\wingames.exe

MD5 b63c3aab2e123fe96a4e7adac47913ec
SHA1 bc59745b880794d99d498c5917be23434de09440
SHA256 d9c65c2ac25b5ec22ddc699dca821e92838834d61f4bcbd4b795a416939afa3d
SHA512 29cd845a31cb46e941166fddc7e8cdb3f554743f76dac6ca1d6b7ebae922529adef3b92e1e9c668b4e3572fd7010af714cb260c928bce1ec03295a324ee723c0

C:\Program Files\Win32Games\aaa.bat

MD5 7391dc80d581fb94646d5ee534a77d1b
SHA1 1d67613f26b7cc4c01f407817ab80cb84b100115
SHA256 5b6c03e4940bd851aee7fdfe145b1b69f2d3519acb88b6210c5de6e2fbd74fed
SHA512 c4c15b149b0f5fe4be065acf604a68fd9e46fb81ddab98ee261c820f26e827c11281338c75616673b76cc0cf13f27aab88f81f262f389c87a17c05f17dbab92d

memory/3280-44-0x0000000000810000-0x0000000000811000-memory.dmp

C:\Program Files\Win32Games\doset.bat

MD5 a7ed90b88fd89dfd6558ab3c9b610ed4
SHA1 b0f8b86e1546f8a1408b7f47a50208bca38b9b9c
SHA256 6fd3d63e5a2c5cb7e7a5fbdbf44681454175d29c7b29d39510a19429f6fd2e85
SHA512 89809a38e8fca2069f5c0b4428bdc731605db8114ca889db4316623be8de443b833f3e42f140102fd5bf63b84de76f34cce1348eb8a0979547c4593a92f78eec

C:\Program Files\Win32Games\Xianjian.ico

MD5 cdad1c273cbf6e059022029dfbd9bee6
SHA1 7fb484f24929070097237db926f240e887a23bd5
SHA256 c8eb519eb05ea06daf3c9e7d059266c53adda91611514ecf7904eebeb3297fc1
SHA512 1c631fe1a03f32513a451e2259387161637094be8b0eea0d636ecd8e35c85c13e6add5d05c2346a634ee9ec042efd2da73faf023d8f4636edd84a05883ec372c

C:\Program Files\Win32Games\Config.ini

MD5 deafb00b9e7bdeef9f28c8856cfd3fef
SHA1 aaa520a9d7e7d66d8cc9f46eaf8b7a22fc613405
SHA256 e506df6ed0400ebdc6881225f230fe8ebd9fc0cc4ca0f2fd8e8ce0d5a9baacec
SHA512 12d2b2b4a72e786a6118b1f0d04d45cbdc0781ec95508738375134c78833b07a21674c52ccf720199a43977de8fc570566ab84029eca3ead689415df6b01746e

C:\Program Files\Win32Games\URL.dll

MD5 38fd3a889940f8d5160c0340cfc6a451
SHA1 6d78fdc78573cbc675d0f20f943cbe03c15f6557
SHA256 aedd37ac77dbffd56d4fc1fd4f72f58a7b575f51ab32845c32a55676609872af
SHA512 59b7bb1c066d9f85a93a2af7aefc90e1dcd217229cc8eb9e9764e01692b321570400b1dd33cfab161123f61cac06173dd7aa9c22f374ba58150094ed5b99a7c3

C:\Program Files\Win32Games\url.txt

MD5 44fb4e7d1a22004c3d0459e3cc89d156
SHA1 e7ad2634c4cd7c00dd9447f3ae235d1ff3664c65
SHA256 0757723787c1c60d2312afc46790c4ea5794b4bd2810a4477003b485cc9be0d9
SHA512 274454707726b6a6cc29f78b7a46cf5c984b8222e28e15cd98c5bc3808e26208d18c13f0329b48894acb976cf6c850cac119fa1e6a11bf9ad76dba08f0818fe0

C:\Program Files\Win32Games\Internet.vbs

MD5 1e09fbfc0cc38a82530c27c61f72f170
SHA1 89344f847e4f0261b1138de7cc6f92ab48b9d111
SHA256 23bc24a0e52be16cdab5895319e888efaff6b65606b3adafdc34d3871480f1bf
SHA512 d903fcb92d34b63348812ffd53b1e2b794f45ced2e59e3d8556b369395b96c4be240e6e9ecbcbbed226989b135804e581a6d4fae7f377d849c8f1c7a68100e41

C:\Program Files\Win32Games\QvodSetupPlus3.exe

MD5 8da481acb7ce2508f68071da569ce84a
SHA1 8cbac6dd58a715f1618588e97ccd8889f8e6e976
SHA256 8faa31e39d329b8d86f4c7668832c6e7e557e24538fe57e097171db4516e16d4
SHA512 ede7b12bce408532c95f2a9a2224af2bcfdda340926a613d562ef8f1356cbfff07c62d6188b3a0de51fc0d5db28508e91a5e037c5d08798ad40d6a7c122654f6

memory/4112-79-0x0000000000400000-0x0000000000457000-memory.dmp

memory/4676-78-0x0000000000400000-0x000000000042C000-memory.dmp

memory/2416-84-0x0000000000C00000-0x0000000000C30000-memory.dmp

C:\Program Files\Win32Games\taobao.vbs

MD5 1f8ba37a69e383b466921b0658c87a11
SHA1 6a334328b4c66eb35534411b004b7883e2cc2faf
SHA256 f03ea6fa8d3f042e8edbf6f7c90cde3bb183fc5ee1ce6461766dfccc67dfe72c
SHA512 9f8973019a2b586fd8335505ef70e7d18661942b260bb616ccd3e3755eafcd4c180aa7fbddc4ff2622ae5e97c654dff2491f2befe24be97521bb609fb6ff7ea1

C:\Users\Admin\Desktop\Intenet Exploer.ink

MD5 e91ba28655bf00c2ed71a900f260a8b0
SHA1 e9e8c6c60f399ffac98857f051b30cb6806efb63
SHA256 579b390750bfaa77e052dde89631024b6ca0b425508d5c6f4741dcee0ac5e5d0
SHA512 b827816c20a4a51f2dea3e806ef256a1528679dd0b482d2f9853cdad16819f06828d551097267ea0645548f06586237a830a3b1ba5e2def2824e6d781d643072

C:\Program Files\Win32Games\minigame.vbs

MD5 2d1b6f4bccda34d2ea67f964e1807f31
SHA1 ef2944b0c437fe0fc2b7fd04a6522b8294180c6e
SHA256 8e18d19fbcbae7563fc69b71fa5fb3b88f51dc46c244f2c3f70d533368d8fe68
SHA512 64e6a7aab48141edfad71e23a14c47d5527e72c56e709b63f68d4f67d500d3f3dfe3fb2296f256a18a6591447e3bf6cc88d47888519c153c5239652a3db5e82b

C:\Windows\SysWOW64\syspowerues.dll

MD5 4a463f93d431014383aef5af103aca5e
SHA1 4e45cfd382a61c684d502c606ccee63b8b3c0b5b
SHA256 895b4248d40e513b46931a4eb9f32990d14d4984d4bd7536280303c3f92a022d
SHA512 b5b64318c96bd61e25126fa936e325886d83b89af321a0bbc22a5a374f4e7057af7ee05d49397017bf3857c22d094d44a7bd3cfb8d471c92efe58a8a8756b8e5

memory/2856-122-0x0000000000650000-0x00000000006C4000-memory.dmp

memory/3280-123-0x0000000000810000-0x0000000000811000-memory.dmp

memory/3280-124-0x0000000000400000-0x000000000055B000-memory.dmp

memory/4112-126-0x0000000000400000-0x0000000000457000-memory.dmp

memory/4112-128-0x0000000000400000-0x0000000000457000-memory.dmp

memory/4112-132-0x0000000000400000-0x0000000000457000-memory.dmp

memory/4112-136-0x0000000000400000-0x0000000000457000-memory.dmp

memory/4112-138-0x0000000000400000-0x0000000000457000-memory.dmp

memory/4112-142-0x0000000000400000-0x0000000000457000-memory.dmp

memory/4112-146-0x0000000000400000-0x0000000000457000-memory.dmp