Malicious MSI:
C2 servers:
C2 Internal Plugins:
C2 External Plugins:
Malicious component: