Analysis Overview
SHA256
17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80
Threat Level: Shows suspicious behavior
The file 17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N was classified as: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Installs/modifies Browser Helper Object
UPX packed file
Drops file in System32 directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-07 09:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 09:47
Reported
2024-11-07 09:49
Platform
win7-20240903-en
Max time kernel
116s
Max time network
114s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Win32Games\wingames.exe | N/A |
| N/A | N/A | C:\Program Files\Win32Games\QvodSetupPlus3.exe | N/A |
Loads dropped DLL
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}! | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}!\ = "360安全卫士" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\helpme.vbs | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\SysWOW64\helpme.ink | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\SysWOW64\sysurl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sysurl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\Win32Games\wingames.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\Win32Games\QvodSetupPlus3.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Win32Games\wingames.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32\ = "C:\\Windows\\SysWOW64\\syspowerues.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ = "Internet Explorer" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\属性(&D)\Command | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ProgID\ = "syspowerues.360SafeMode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\Attributes = 00000000 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\属性(&D) | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ = "Safemon class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\syspowerues.360SafeMode\Clsid\ = "{B69F34DD-F0F9-42DC-9EDD-957187DA688D}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.uri | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ink\ = "lnkfile" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\InProcServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\Open | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\Open\Command | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ink | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\syspowerues.360SafeMode | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\syspowerues.360SafeMode\ = "Safemon class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.uri\ = "InternetShortcut" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.uri | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\{305ca226-d286-468e-b848-2b2e8e697b74} 2 = "0" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ink | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.uri\ = "InternetShortcut" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ink\ = "lnkfile" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\属性(&D)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\syspowerues.360SafeMode\Clsid | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ = "shdocvw.dll" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\Open\Command\ = "C:\\Program Files\\Internet Explorer\\SIGNUP\\iexplore.exe %1 h%t%t%p%:%/%/%w%w%w.6dudu.%c%o%m%/" | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Win32Games\wingames.exe | N/A |
| N/A | N/A | C:\Program Files\Win32Games\QvodSetupPlus3.exe | N/A |
| N/A | N/A | C:\Program Files\Win32Games\QvodSetupPlus3.exe | N/A |
| N/A | N/A | C:\Program Files\Win32Games\QvodSetupPlus3.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Win32Games\QvodSetupPlus3.exe | N/A |
| N/A | N/A | C:\Program Files\Win32Games\QvodSetupPlus3.exe | N/A |
| N/A | N/A | C:\Program Files\Win32Games\QvodSetupPlus3.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Win32Games\wingames.exe | N/A |
| N/A | N/A | C:\Program Files\Win32Games\wingames.exe | N/A |
| N/A | N/A | C:\Program Files\Win32Games\wingames.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe
"C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files\Win32Games\aaa.bat" "
C:\Program Files\Win32Games\wingames.exe
"C:\Program Files\Win32Games\wingames.exe" "http://reg.weiguan8.com/sqtxj"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files\Win32Games\doset.bat" "
C:\Windows\SysWOW64\rundll32.exe
rundll32 "C:\Program Files\Win32Games\URL.dll" helpme
C:\Windows\SysWOW64\rundll32.exe
rundll32 "C:\Program Files\Win32Games\URL.dll" doset
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 syspowerues.dll /s
C:\Program Files\Win32Games\QvodSetupPlus3.exe
"C:\Program Files\Win32Games\QvodSetupPlus3.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | reg.weiguan8.com | udp |
| US | 8.8.8.8:53 | w.2xi.com | udp |
| US | 8.8.8.8:53 | so1.5k5.net | udp |
| CN | 121.46.21.200:80 | w.2xi.com | tcp |
| US | 8.8.8.8:53 | update.qvod.com | udp |
| US | 8.8.8.8:53 | track.qvod.com | udp |
| US | 8.8.8.8:53 | stun.qvod.com | udp |
| AU | 1.0.0.127:65535 | | udp |
| AU | 1.0.0.127:65535 | | udp |
| US | 8.8.8.8:53 | stun01.sipphone.com | udp |
| AU | 1.0.0.127:65535 | | udp |
| AU | 1.0.0.127:65535 | | udp |
| US | 8.8.8.8:53 | agent.qvod.com | udp |
| CN | 61.139.219.200:80 | | udp |
| CN | 221.194.134.216:80 | | tcp |
| CN | 221.194.134.216:80 | | tcp |
| CN | 221.194.134.216:80 | | tcp |
| CN | 221.194.134.216:80 | | tcp |
Files
C:\Program Files\Win32Games\aaa.bat
| MD5 | 7391dc80d581fb94646d5ee534a77d1b |
| SHA1 | 1d67613f26b7cc4c01f407817ab80cb84b100115 |
| SHA256 | 5b6c03e4940bd851aee7fdfe145b1b69f2d3519acb88b6210c5de6e2fbd74fed |
| SHA512 | c4c15b149b0f5fe4be065acf604a68fd9e46fb81ddab98ee261c820f26e827c11281338c75616673b76cc0cf13f27aab88f81f262f389c87a17c05f17dbab92d |
\Program Files\Win32Games\wingames.exe
| MD5 | b63c3aab2e123fe96a4e7adac47913ec |
| SHA1 | bc59745b880794d99d498c5917be23434de09440 |
| SHA256 | d9c65c2ac25b5ec22ddc699dca821e92838834d61f4bcbd4b795a416939afa3d |
| SHA512 | 29cd845a31cb46e941166fddc7e8cdb3f554743f76dac6ca1d6b7ebae922529adef3b92e1e9c668b4e3572fd7010af714cb260c928bce1ec03295a324ee723c0 |
C:\Program Files\Win32Games\doset.bat
| MD5 | a7ed90b88fd89dfd6558ab3c9b610ed4 |
| SHA1 | b0f8b86e1546f8a1408b7f47a50208bca38b9b9c |
| SHA256 | 6fd3d63e5a2c5cb7e7a5fbdbf44681454175d29c7b29d39510a19429f6fd2e85 |
| SHA512 | 89809a38e8fca2069f5c0b4428bdc731605db8114ca889db4316623be8de443b833f3e42f140102fd5bf63b84de76f34cce1348eb8a0979547c4593a92f78eec |
memory/1560-54-0x0000000000220000-0x0000000000221000-memory.dmp
C:\Program Files\Win32Games\Xianjian.ico
| MD5 | cdad1c273cbf6e059022029dfbd9bee6 |
| SHA1 | 7fb484f24929070097237db926f240e887a23bd5 |
| SHA256 | c8eb519eb05ea06daf3c9e7d059266c53adda91611514ecf7904eebeb3297fc1 |
| SHA512 | 1c631fe1a03f32513a451e2259387161637094be8b0eea0d636ecd8e35c85c13e6add5d05c2346a634ee9ec042efd2da73faf023d8f4636edd84a05883ec372c |
C:\Program Files\Win32Games\Config.ini
| MD5 | deafb00b9e7bdeef9f28c8856cfd3fef |
| SHA1 | aaa520a9d7e7d66d8cc9f46eaf8b7a22fc613405 |
| SHA256 | e506df6ed0400ebdc6881225f230fe8ebd9fc0cc4ca0f2fd8e8ce0d5a9baacec |
| SHA512 | 12d2b2b4a72e786a6118b1f0d04d45cbdc0781ec95508738375134c78833b07a21674c52ccf720199a43977de8fc570566ab84029eca3ead689415df6b01746e |
C:\Program Files\Win32Games\URL.dll
| MD5 | 38fd3a889940f8d5160c0340cfc6a451 |
| SHA1 | 6d78fdc78573cbc675d0f20f943cbe03c15f6557 |
| SHA256 | aedd37ac77dbffd56d4fc1fd4f72f58a7b575f51ab32845c32a55676609872af |
| SHA512 | 59b7bb1c066d9f85a93a2af7aefc90e1dcd217229cc8eb9e9764e01692b321570400b1dd33cfab161123f61cac06173dd7aa9c22f374ba58150094ed5b99a7c3 |
memory/1848-71-0x0000000000210000-0x0000000000240000-memory.dmp
C:\Program Files\Win32Games\url.txt
| MD5 | 44fb4e7d1a22004c3d0459e3cc89d156 |
| SHA1 | e7ad2634c4cd7c00dd9447f3ae235d1ff3664c65 |
| SHA256 | 0757723787c1c60d2312afc46790c4ea5794b4bd2810a4477003b485cc9be0d9 |
| SHA512 | 274454707726b6a6cc29f78b7a46cf5c984b8222e28e15cd98c5bc3808e26208d18c13f0329b48894acb976cf6c850cac119fa1e6a11bf9ad76dba08f0818fe0 |
C:\Program Files\Win32Games\Internet.vbs
| MD5 | 1e09fbfc0cc38a82530c27c61f72f170 |
| SHA1 | 89344f847e4f0261b1138de7cc6f92ab48b9d111 |
| SHA256 | 23bc24a0e52be16cdab5895319e888efaff6b65606b3adafdc34d3871480f1bf |
| SHA512 | d903fcb92d34b63348812ffd53b1e2b794f45ced2e59e3d8556b369395b96c4be240e6e9ecbcbbed226989b135804e581a6d4fae7f377d849c8f1c7a68100e41 |
memory/2492-92-0x0000000000230000-0x0000000000260000-memory.dmp
C:\Program Files\Win32Games\taobao.vbs
| MD5 | 1f8ba37a69e383b466921b0658c87a11 |
| SHA1 | 6a334328b4c66eb35534411b004b7883e2cc2faf |
| SHA256 | f03ea6fa8d3f042e8edbf6f7c90cde3bb183fc5ee1ce6461766dfccc67dfe72c |
| SHA512 | 9f8973019a2b586fd8335505ef70e7d18661942b260bb616ccd3e3755eafcd4c180aa7fbddc4ff2622ae5e97c654dff2491f2befe24be97521bb609fb6ff7ea1 |
C:\Users\Admin\Desktop\Intenet Exploer.ink
| MD5 | 937776029e6c9bfcc8f28ca019323415 |
| SHA1 | b92a2d7972d0b0a9d0a44d1bc08d7cbf83f5bf72 |
| SHA256 | d49f754b19fc84f61abc3a39cfa72f8af308e8eeb463399bdd2ea423bc9a9ae4 |
| SHA512 | a5065556e5f45b00c50f0d85812b392d3632c88400471b4e197fc2e1923f2cb2e97d7f225e1bb17bda1277817a7caffc084c2b8c827440839cef027bd393c0c6 |
C:\Program Files\Win32Games\minigame.vbs
| MD5 | 2d1b6f4bccda34d2ea67f964e1807f31 |
| SHA1 | ef2944b0c437fe0fc2b7fd04a6522b8294180c6e |
| SHA256 | 8e18d19fbcbae7563fc69b71fa5fb3b88f51dc46c244f2c3f70d533368d8fe68 |
| SHA512 | 64e6a7aab48141edfad71e23a14c47d5527e72c56e709b63f68d4f67d500d3f3dfe3fb2296f256a18a6591447e3bf6cc88d47888519c153c5239652a3db5e82b |
C:\Windows\SysWOW64\syspowerues.dll
| MD5 | 4a463f93d431014383aef5af103aca5e |
| SHA1 | 4e45cfd382a61c684d502c606ccee63b8b3c0b5b |
| SHA256 | 895b4248d40e513b46931a4eb9f32990d14d4984d4bd7536280303c3f92a022d |
| SHA512 | b5b64318c96bd61e25126fa936e325886d83b89af321a0bbc22a5a374f4e7057af7ee05d49397017bf3857c22d094d44a7bd3cfb8d471c92efe58a8a8756b8e5 |
memory/1548-126-0x0000000000220000-0x0000000000294000-memory.dmp
\Program Files\Win32Games\QvodSetupPlus3.exe
| MD5 | 8da481acb7ce2508f68071da569ce84a |
| SHA1 | 8cbac6dd58a715f1618588e97ccd8889f8e6e976 |
| SHA256 | 8faa31e39d329b8d86f4c7668832c6e7e557e24538fe57e097171db4516e16d4 |
| SHA512 | ede7b12bce408532c95f2a9a2224af2bcfdda340926a613d562ef8f1356cbfff07c62d6188b3a0de51fc0d5db28508e91a5e037c5d08798ad40d6a7c122654f6 |
memory/2088-149-0x00000000034C0000-0x0000000003517000-memory.dmp
memory/2744-154-0x0000000000400000-0x0000000000457000-memory.dmp
memory/2744-157-0x0000000000320000-0x0000000000377000-memory.dmp
memory/2088-152-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2744-160-0x0000000000320000-0x0000000000377000-memory.dmp
memory/1560-159-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2744-162-0x00000000032F0000-0x00000000034F4000-memory.dmp
memory/2744-161-0x00000000032F0000-0x00000000034F4000-memory.dmp
memory/1560-163-0x0000000000400000-0x000000000055B000-memory.dmp
memory/2744-164-0x0000000000400000-0x0000000000457000-memory.dmp
memory/2744-165-0x0000000000320000-0x0000000000377000-memory.dmp
memory/2744-166-0x0000000000400000-0x0000000000457000-memory.dmp
memory/2744-168-0x0000000000400000-0x0000000000457000-memory.dmp
memory/2744-170-0x0000000000400000-0x0000000000457000-memory.dmp
memory/2744-174-0x0000000000400000-0x0000000000457000-memory.dmp
memory/2744-178-0x0000000000400000-0x0000000000457000-memory.dmp
memory/2744-180-0x0000000000400000-0x0000000000457000-memory.dmp
memory/2744-184-0x0000000000400000-0x0000000000457000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-07 09:47
Reported
2024-11-07 09:49
Platform
win10v2004-20241007-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Win32Games\wingames.exe | N/A |
| N/A | N/A | C:\Program Files\Win32Games\QvodSetupPlus3.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}! | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}!\ = "360安全卫士" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\sysurl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sysurl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\SysWOW64\helpme.vbs | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\SysWOW64\helpme.ink | C:\Windows\SysWOW64\rundll32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\Win32Games\wingames.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\Win32Games\QvodSetupPlus3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\InProcServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\Open\Command\ = "C:\\Program Files\\Internet Explorer\\SIGNUP\\iexplore.exe %1 h%t%t%p%:%/%/%w%w%w.6dudu.%c%o%m%/" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\属性(&D)\Command | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ = "Safemon class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ProgID\ = "syspowerues.360SafeMode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\{305ca226-d286-468e-b848-2b2e8e697b74} 2 = "0" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\属性(&D)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\syspowerues.360SafeMode | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\syspowerues.360SafeMode\ = "Safemon class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ink\ = "lnkfile" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.uri | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\WOW6432Node\CLSID | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ = "shdocvw.dll" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\属性(&D) | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.uri\ = "InternetShortcut" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.ink\ = "lnkfile" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ = "Internet Explorer" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\Open\Command | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\Attributes = 00000000 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ink | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\syspowerues.360SafeMode\Clsid | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.uri | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ink | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\syspowerues.360SafeMode\Clsid\ = "{B69F34DD-F0F9-42DC-9EDD-957187DA688D}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.uri\ = "InternetShortcut" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\Open | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32\ = "C:\\Windows\\SysWow64\\syspowerues.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe" | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Win32Games\wingames.exe | N/A |
| N/A | N/A | C:\Program Files\Win32Games\QvodSetupPlus3.exe | N/A |
| N/A | N/A | C:\Program Files\Win32Games\QvodSetupPlus3.exe | N/A |
| N/A | N/A | C:\Program Files\Win32Games\QvodSetupPlus3.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Win32Games\QvodSetupPlus3.exe | N/A |
| N/A | N/A | C:\Program Files\Win32Games\QvodSetupPlus3.exe | N/A |
| N/A | N/A | C:\Program Files\Win32Games\QvodSetupPlus3.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Win32Games\wingames.exe | N/A |
| N/A | N/A | C:\Program Files\Win32Games\wingames.exe | N/A |
| N/A | N/A | C:\Program Files\Win32Games\wingames.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe
"C:\Users\Admin\AppData\Local\Temp\17952d5e57248ec6214170eb335e2b4a9039823d3433a66aee3352ffca990e80N.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files\Win32Games\aaa.bat" "
C:\Program Files\Win32Games\wingames.exe
"C:\Program Files\Win32Games\wingames.exe" "http://reg.weiguan8.com/sqtxj"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files\Win32Games\doset.bat" "
C:\Windows\SysWOW64\rundll32.exe
rundll32 "C:\Program Files\Win32Games\URL.dll" helpme
C:\Program Files\Win32Games\QvodSetupPlus3.exe
"C:\Program Files\Win32Games\QvodSetupPlus3.exe"
C:\Windows\SysWOW64\rundll32.exe
rundll32 "C:\Program Files\Win32Games\URL.dll" doset
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 syspowerues.dll /s
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | so1.5k5.net | udp |
| US | 8.8.8.8:53 | reg.weiguan8.com | udp |
| US | 8.8.8.8:53 | w.2xi.com | udp |
| US | 8.8.8.8:53 | update.qvod.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | track.qvod.com | udp |
| CN | 121.46.21.200:80 | w.2xi.com | tcp |
| US | 8.8.8.8:53 | stun.qvod.com | udp |
| AU | 1.0.0.127:65535 | | udp |
| AU | 1.0.0.127:65535 | | udp |
| US | 8.8.8.8:53 | 127.0.0.1.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.21.46.121.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stun01.sipphone.com | udp |
| AU | 1.0.0.127:65535 | | udp |
| AU | 1.0.0.127:65535 | | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | agent.qvod.com | udp |
| CN | 61.139.219.200:80 | | udp |
| CN | 221.194.134.216:80 | | tcp |
| US | 8.8.8.8:53 | 200.219.139.61.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| CN | 221.194.134.216:80 | tcp | |
| CN | 221.194.134.216:80 | tcp | |
| CN | 221.194.134.216:80 | tcp | |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| CN | 221.194.134.216:80 | tcp |
Files
C:\Program Files\Win32Games\wingames.exe
| MD5 | b63c3aab2e123fe96a4e7adac47913ec |
| SHA1 | bc59745b880794d99d498c5917be23434de09440 |
| SHA256 | d9c65c2ac25b5ec22ddc699dca821e92838834d61f4bcbd4b795a416939afa3d |
| SHA512 | 29cd845a31cb46e941166fddc7e8cdb3f554743f76dac6ca1d6b7ebae922529adef3b92e1e9c668b4e3572fd7010af714cb260c928bce1ec03295a324ee723c0 |
C:\Program Files\Win32Games\aaa.bat
| MD5 | 7391dc80d581fb94646d5ee534a77d1b |
| SHA1 | 1d67613f26b7cc4c01f407817ab80cb84b100115 |
| SHA256 | 5b6c03e4940bd851aee7fdfe145b1b69f2d3519acb88b6210c5de6e2fbd74fed |
| SHA512 | c4c15b149b0f5fe4be065acf604a68fd9e46fb81ddab98ee261c820f26e827c11281338c75616673b76cc0cf13f27aab88f81f262f389c87a17c05f17dbab92d |
memory/3280-44-0x0000000000810000-0x0000000000811000-memory.dmp
C:\Program Files\Win32Games\doset.bat
| MD5 | a7ed90b88fd89dfd6558ab3c9b610ed4 |
| SHA1 | b0f8b86e1546f8a1408b7f47a50208bca38b9b9c |
| SHA256 | 6fd3d63e5a2c5cb7e7a5fbdbf44681454175d29c7b29d39510a19429f6fd2e85 |
| SHA512 | 89809a38e8fca2069f5c0b4428bdc731605db8114ca889db4316623be8de443b833f3e42f140102fd5bf63b84de76f34cce1348eb8a0979547c4593a92f78eec |
C:\Program Files\Win32Games\Xianjian.ico
| MD5 | cdad1c273cbf6e059022029dfbd9bee6 |
| SHA1 | 7fb484f24929070097237db926f240e887a23bd5 |
| SHA256 | c8eb519eb05ea06daf3c9e7d059266c53adda91611514ecf7904eebeb3297fc1 |
| SHA512 | 1c631fe1a03f32513a451e2259387161637094be8b0eea0d636ecd8e35c85c13e6add5d05c2346a634ee9ec042efd2da73faf023d8f4636edd84a05883ec372c |
C:\Program Files\Win32Games\Config.ini
| MD5 | deafb00b9e7bdeef9f28c8856cfd3fef |
| SHA1 | aaa520a9d7e7d66d8cc9f46eaf8b7a22fc613405 |
| SHA256 | e506df6ed0400ebdc6881225f230fe8ebd9fc0cc4ca0f2fd8e8ce0d5a9baacec |
| SHA512 | 12d2b2b4a72e786a6118b1f0d04d45cbdc0781ec95508738375134c78833b07a21674c52ccf720199a43977de8fc570566ab84029eca3ead689415df6b01746e |
C:\Program Files\Win32Games\URL.dll
| MD5 | 38fd3a889940f8d5160c0340cfc6a451 |
| SHA1 | 6d78fdc78573cbc675d0f20f943cbe03c15f6557 |
| SHA256 | aedd37ac77dbffd56d4fc1fd4f72f58a7b575f51ab32845c32a55676609872af |
| SHA512 | 59b7bb1c066d9f85a93a2af7aefc90e1dcd217229cc8eb9e9764e01692b321570400b1dd33cfab161123f61cac06173dd7aa9c22f374ba58150094ed5b99a7c3 |
C:\Program Files\Win32Games\url.txt
| MD5 | 44fb4e7d1a22004c3d0459e3cc89d156 |
| SHA1 | e7ad2634c4cd7c00dd9447f3ae235d1ff3664c65 |
| SHA256 | 0757723787c1c60d2312afc46790c4ea5794b4bd2810a4477003b485cc9be0d9 |
| SHA512 | 274454707726b6a6cc29f78b7a46cf5c984b8222e28e15cd98c5bc3808e26208d18c13f0329b48894acb976cf6c850cac119fa1e6a11bf9ad76dba08f0818fe0 |
C:\Program Files\Win32Games\Internet.vbs
| MD5 | 1e09fbfc0cc38a82530c27c61f72f170 |
| SHA1 | 89344f847e4f0261b1138de7cc6f92ab48b9d111 |
| SHA256 | 23bc24a0e52be16cdab5895319e888efaff6b65606b3adafdc34d3871480f1bf |
| SHA512 | d903fcb92d34b63348812ffd53b1e2b794f45ced2e59e3d8556b369395b96c4be240e6e9ecbcbbed226989b135804e581a6d4fae7f377d849c8f1c7a68100e41 |
C:\Program Files\Win32Games\QvodSetupPlus3.exe
| MD5 | 8da481acb7ce2508f68071da569ce84a |
| SHA1 | 8cbac6dd58a715f1618588e97ccd8889f8e6e976 |
| SHA256 | 8faa31e39d329b8d86f4c7668832c6e7e557e24538fe57e097171db4516e16d4 |
| SHA512 | ede7b12bce408532c95f2a9a2224af2bcfdda340926a613d562ef8f1356cbfff07c62d6188b3a0de51fc0d5db28508e91a5e037c5d08798ad40d6a7c122654f6 |
memory/4112-79-0x0000000000400000-0x0000000000457000-memory.dmp
memory/4676-78-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2416-84-0x0000000000C00000-0x0000000000C30000-memory.dmp
C:\Program Files\Win32Games\taobao.vbs
| MD5 | 1f8ba37a69e383b466921b0658c87a11 |
| SHA1 | 6a334328b4c66eb35534411b004b7883e2cc2faf |
| SHA256 | f03ea6fa8d3f042e8edbf6f7c90cde3bb183fc5ee1ce6461766dfccc67dfe72c |
| SHA512 | 9f8973019a2b586fd8335505ef70e7d18661942b260bb616ccd3e3755eafcd4c180aa7fbddc4ff2622ae5e97c654dff2491f2befe24be97521bb609fb6ff7ea1 |
C:\Users\Admin\Desktop\Intenet Exploer.ink
| MD5 | e91ba28655bf00c2ed71a900f260a8b0 |
| SHA1 | e9e8c6c60f399ffac98857f051b30cb6806efb63 |
| SHA256 | 579b390750bfaa77e052dde89631024b6ca0b425508d5c6f4741dcee0ac5e5d0 |
| SHA512 | b827816c20a4a51f2dea3e806ef256a1528679dd0b482d2f9853cdad16819f06828d551097267ea0645548f06586237a830a3b1ba5e2def2824e6d781d643072 |
C:\Program Files\Win32Games\minigame.vbs
| MD5 | 2d1b6f4bccda34d2ea67f964e1807f31 |
| SHA1 | ef2944b0c437fe0fc2b7fd04a6522b8294180c6e |
| SHA256 | 8e18d19fbcbae7563fc69b71fa5fb3b88f51dc46c244f2c3f70d533368d8fe68 |
| SHA512 | 64e6a7aab48141edfad71e23a14c47d5527e72c56e709b63f68d4f67d500d3f3dfe3fb2296f256a18a6591447e3bf6cc88d47888519c153c5239652a3db5e82b |
C:\Windows\SysWOW64\syspowerues.dll
| MD5 | 4a463f93d431014383aef5af103aca5e |
| SHA1 | 4e45cfd382a61c684d502c606ccee63b8b3c0b5b |
| SHA256 | 895b4248d40e513b46931a4eb9f32990d14d4984d4bd7536280303c3f92a022d |
| SHA512 | b5b64318c96bd61e25126fa936e325886d83b89af321a0bbc22a5a374f4e7057af7ee05d49397017bf3857c22d094d44a7bd3cfb8d471c92efe58a8a8756b8e5 |
memory/2856-122-0x0000000000650000-0x00000000006C4000-memory.dmp
memory/3280-123-0x0000000000810000-0x0000000000811000-memory.dmp
memory/3280-124-0x0000000000400000-0x000000000055B000-memory.dmp
memory/4112-126-0x0000000000400000-0x0000000000457000-memory.dmp
memory/4112-128-0x0000000000400000-0x0000000000457000-memory.dmp
memory/4112-132-0x0000000000400000-0x0000000000457000-memory.dmp
memory/4112-136-0x0000000000400000-0x0000000000457000-memory.dmp
memory/4112-138-0x0000000000400000-0x0000000000457000-memory.dmp
memory/4112-142-0x0000000000400000-0x0000000000457000-memory.dmp
memory/4112-146-0x0000000000400000-0x0000000000457000-memory.dmp