Malware Analysis Report

2024-10-18 22:58

Sample ID 221115-x9jpbsbd31
Target 56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08
SHA256 56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08
Tags: bootkit persistence upx joker aspackv2 infostealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08

Threat Level: Known bad

The file 56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08 was found to be: Known bad.

Malicious Activity Summary

bootkit persistence upx joker aspackv2 infostealer trojan

joker

UPX packed file

ASPack v2.12-2.42

Writes to the Master Boot Record (MBR)

Program crash

Enumerates physical storage devices

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-11-15 19:33

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-11-15 19:33
Reported: 2022-11-15 19:35
Platform: win7-20220812-en
Max time kernel: 145s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe"

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\check.zerowork.cn\ = "63" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\zerowork.cn | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe = "11001" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\zerowork.cn\NumberOfSubdomains = "1" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\check.zerowork.cn | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\zerowork.cn\Total = "63" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe

"C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe"

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | check.zerowork.cn | udp
N/A | 120.76.195.116:80 | check.zerowork.cn | tcp
N/A | 121.41.229.19:8000 |  | tcp
N/A | 120.76.195.116:80 | check.zerowork.cn | tcp
N/A | 8.8.8.8:53 | www.taobao.com | udp
N/A | 47.246.48.233:80 | www.taobao.com | tcp
N/A | 47.246.48.233:443 | www.taobao.com | tcp
N/A | 8.8.8.8:53 | world.taobao.com | udp
N/A | 47.246.48.233:443 | world.taobao.com | tcp
N/A | 8.8.8.8:53 | hm.baidu.com | udp
N/A | 103.235.46.191:80 | hm.baidu.com | tcp
N/A | 8.8.8.8:53 | at.alicdn.com | udp
N/A | 8.8.8.8:53 | g.alicdn.com | udp
N/A | 47.246.48.251:443 | g.alicdn.com | tcp
N/A | 47.246.48.251:443 | g.alicdn.com | tcp
N/A | 47.246.48.251:443 | g.alicdn.com | tcp
N/A | 103.235.46.191:443 | hm.baidu.com | tcp
N/A | 8.8.8.8:53 | bat.bing.com | udp
N/A | 204.79.197.200:443 | bat.bing.com | tcp

Files

memory/1672-54-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

memory/1672-55-0x0000000000400000-0x0000000000CA1000-memory.dmp

memory/1672-56-0x0000000000D30000-0x0000000000D7B000-memory.dmp

memory/1672-58-0x0000000000310000-0x0000000000329000-memory.dmp

memory/1672-57-0x0000000000400000-0x0000000000CA1000-memory.dmp

memory/1672-59-0x0000000000280000-0x0000000000289000-memory.dmp

memory/1672-60-0x0000000000400000-0x0000000000CA1000-memory.dmp

memory/1672-62-0x0000000000400000-0x0000000000CA1000-memory.dmp

memory/1672-63-0x00000000003F0000-0x00000000003FB000-memory.dmp

memory/1672-64-0x00000000003F0000-0x00000000003FB000-memory.dmp

memory/1672-65-0x0000000000400000-0x0000000000CA1000-memory.dmp

memory/1672-66-0x0000000000D30000-0x0000000000D7B000-memory.dmp

memory/1672-67-0x00000000003F0000-0x00000000003FB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-11-15 19:33
Reported: 2022-11-15 19:35
Platform: win10v2004-20221111-en
Max time kernel: 62s
Max time network: 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe"

Signatures

joker

infostealer trojan joker

ASPack v2.12-2.42

aspackv2
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\g.alicdn.com\ = "190" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe = "11001" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DOMStorage\taobao.com | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\alicdn.com\Total = "0" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "151560" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\g.alicdn.com\ = "0" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\alicdn.com\Total = "133" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\zerowork.cn\Total = "63" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "58" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\taobao.com\Total = "151114" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\taobao.com\Total = "151405" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\taobao.com\NumberOfSubdomains = "1" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "151078" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DOMStorage\zerowork.cn | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\alicdn.com\Total = "28" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\zerowork.cn\NumberOfSubdomains = "1" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\world.taobao.com\ = "151628" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DOMStorage\taobao.com | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DOMStorage\check.zerowork.cn | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "152050" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "151153" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\taobao.com\Total = "151391" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\world.taobao.com\ = "151405" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\taobao.com\Total = "151153" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\taobao.com\Total = "151193" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\taobao.com\Total = "151322" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\taobao.com\Total = "151272" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "151405" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\world.taobao.com\ = "151560" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\alicdn.com\Total = "179" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "151114" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\taobao.com\Total = "151232" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "151286" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe = "11001" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "151641" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\g.alicdn.com\ = "28" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\world.taobao.com\ = "151704" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DOMStorage\taobao.com | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "151193" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\world.taobao.com\ = "151232" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\world.taobao.com\ = "151272" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe = "11001" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DOMStorage\world.taobao.com | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\taobao.com\Total = "151639" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\taobao.com\Total = "151628" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "151628" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DOMStorage\world.taobao.com | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\world.taobao.com\ = "151193" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "151322" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\taobao.com\Total = "151391" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\taobao.com\Total = "14" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\world.taobao.com\ = "0" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\world.taobao.com\ = "151628" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "151930" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\world.taobao.com\ = "151797" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\world.taobao.com\ = "14" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\taobao.com\Total = "151286" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\world.taobao.com\ = "151391" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\g.alicdn.com\ = "133" | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3104 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe
PID 3104 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe
PID 3104 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe
PID 2380 wrote to memory of 3852 | N/A | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe
PID 2380 wrote to memory of 3852 | N/A | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe
PID 2380 wrote to memory of 3852 | N/A | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe
PID 3852 wrote to memory of 2060 | N/A | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe
PID 3852 wrote to memory of 2060 | N/A | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe
PID 3852 wrote to memory of 2060 | N/A | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe | C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe

Processes

C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe

"C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 3104 -ip 3104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 732

C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe

C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2380 -ip 2380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 704

C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe

C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3852 -ip 3852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 704

C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe

C:\Users\Admin\AppData\Local\Temp\56c4fa9170f338384391f229b42d8981596f4f8dfc60559a397fc98fb37c3f08.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2060 -ip 2060

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 704

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 www.taobao.com udp
N/A 47.246.48.233:80 www.taobao.com tcp
N/A 47.246.48.233:443 www.taobao.com tcp
N/A 8.8.8.8:53 check.zerowork.cn udp
N/A 120.76.195.116:80 check.zerowork.cn tcp
N/A 120.76.195.116:80 check.zerowork.cn tcp
N/A 8.8.8.8:53 world.taobao.com udp
N/A 47.246.48.232:443 world.taobao.com tcp
N/A 8.8.8.8:53 at.alicdn.com udp
N/A 8.8.8.8:53 g.alicdn.com udp
N/A 47.246.48.252:443 g.alicdn.com tcp
N/A 47.246.48.252:443 g.alicdn.com tcp
N/A 47.246.48.252:443 g.alicdn.com tcp
N/A 47.246.48.233:443 world.taobao.com tcp
N/A 47.246.48.232:443 world.taobao.com tcp
N/A 120.76.195.116:80 check.zerowork.cn tcp
N/A 47.246.48.252:443 g.alicdn.com tcp
N/A 8.8.8.8:53 unpkg.com udp
N/A 8.8.8.8:53 s-gm.mmstat.com udp
N/A 104.16.125.175:443 unpkg.com tcp
N/A 8.8.8.8:53 d.alicdn.com udp
N/A 8.8.8.8:53 img.alicdn.com udp
N/A 47.246.48.252:443 img.alicdn.com tcp
N/A 47.246.48.251:443 img.alicdn.com tcp
N/A 59.82.33.227:443 s-gm.mmstat.com tcp
N/A 47.246.48.251:443 img.alicdn.com tcp
N/A 47.246.48.251:443 img.alicdn.com tcp
N/A 8.8.8.8:53 gw.alicdn.com udp
N/A 47.246.48.252:443 gw.alicdn.com tcp
N/A 59.82.33.227:443 s-gm.mmstat.com tcp
N/A 8.8.8.8:53 bat.bing.com udp
N/A 8.8.8.8:53 gm.mmstat.com udp
N/A 204.79.197.200:443 bat.bing.com tcp
N/A 8.8.8.8:53 ynuf.aliapp.org udp
N/A 8.8.8.8:53 region1.google-analytics.com udp
N/A 216.239.34.36:443 region1.google-analytics.com tcp
N/A 204.79.197.200:443 bat.bing.com tcp
N/A 8.8.8.8:53 log.mmstat.com udp
N/A 59.82.33.224:443 gm.mmstat.com tcp
N/A 59.82.33.224:443 gm.mmstat.com tcp
N/A 59.82.33.226:443 log.mmstat.com tcp
N/A 47.246.48.252:443 gw.alicdn.com tcp
N/A 203.119.169.141:443 ynuf.aliapp.org tcp
N/A 8.8.8.8:53 fourier.taobao.com udp
N/A 8.8.8.8:53 stats.g.doubleclick.net udp
N/A 142.250.102.154:443 stats.g.doubleclick.net tcp
N/A 59.82.31.182:443 fourier.taobao.com tcp
N/A 59.82.31.182:443 fourier.taobao.com tcp
N/A 47.246.48.233:443 world.taobao.com tcp
N/A 47.246.48.232:443 world.taobao.com tcp
N/A 8.8.8.8:53 check.zerowork.cn udp
N/A 47.246.48.252:443 gw.alicdn.com tcp
N/A 120.76.195.116:80 check.zerowork.cn tcp
N/A 59.82.33.227:443 s-gm.mmstat.com tcp
N/A 59.82.33.227:443 s-gm.mmstat.com tcp
N/A 204.79.197.200:443 bat.bing.com tcp
N/A 59.82.33.224:443 gm.mmstat.com tcp
N/A 59.82.33.224:443 gm.mmstat.com tcp
N/A 203.119.169.141:443 ynuf.aliapp.org tcp
N/A 47.246.48.251:443 gw.alicdn.com tcp
N/A 204.79.197.200:443 bat.bing.com tcp
N/A 59.82.31.182:443 fourier.taobao.com tcp
N/A 216.239.34.36:443 region1.google-analytics.com tcp
N/A 120.76.195.116:80 check.zerowork.cn tcp
N/A 47.246.48.233:443 world.taobao.com tcp
N/A 47.246.48.232:443 world.taobao.com tcp
N/A 47.246.48.252:443 gw.alicdn.com tcp
N/A 120.76.195.116:80 check.zerowork.cn tcp
N/A 59.82.33.227:443 s-gm.mmstat.com tcp
N/A 59.82.33.227:443 s-gm.mmstat.com tcp
N/A 8.8.8.8:53 bat.bing.com udp
N/A 204.79.197.200:443 bat.bing.com tcp
N/A 59.82.33.224:443 gm.mmstat.com tcp
N/A 59.82.33.224:443 gm.mmstat.com tcp
N/A 120.76.195.116:80 check.zerowork.cn tcp
N/A 203.119.169.141:443 ynuf.aliapp.org tcp
N/A 47.246.48.251:443 gw.alicdn.com tcp
N/A 204.79.197.200:443 bat.bing.com tcp
N/A 216.239.34.36:443 region1.google-analytics.com tcp
N/A 8.8.8.8:53 assets.alicdn.com udp
N/A 8.8.8.8:53 oneid.mmstat.com udp
N/A 104.109.249.151:443 assets.alicdn.com tcp
N/A 203.119.169.158:443 oneid.mmstat.com tcp
N/A 203.119.169.158:443 oneid.mmstat.com tcp
N/A 59.82.31.182:443 fourier.taobao.com tcp
N/A 121.41.229.19:8000 tcp
N/A 8.8.8.8:53 hm.baidu.com udp
N/A 8.8.8.8:53 ynuf.alipay.com udp
N/A 8.8.8.8:53 err.taobao.com udp
N/A 47.246.48.233:80 err.taobao.com tcp
N/A 103.235.46.191:80 hm.baidu.com tcp
N/A 8.8.8.8:53 error.taobao.com udp
N/A 198.11.189.30:443 ynuf.alipay.com tcp
N/A 47.246.48.233:443 error.taobao.com tcp
N/A 8.8.8.8:53 ocsp.dcocsp.cn udp
N/A 103.235.46.191:443 hm.baidu.com tcp
N/A 47.246.48.226:80 ocsp.dcocsp.cn tcp
N/A 87.248.202.1:80 tcp
N/A 209.197.3.8:80 tcp
N/A 209.197.3.8:80 tcp
N/A 104.80.225.205:443 tcp

Files

memory/3104-132-0x0000000000400000-0x0000000000CA1000-memory.dmp

memory/3104-134-0x0000000000E90000-0x0000000000EDB000-memory.dmp

memory/3104-135-0x0000000002B40000-0x0000000002B59000-memory.dmp

memory/3104-133-0x0000000000400000-0x0000000000CA1000-memory.dmp

memory/3104-136-0x0000000002B60000-0x0000000002B69000-memory.dmp

memory/3104-137-0x0000000000400000-0x0000000000CA1000-memory.dmp

memory/3104-139-0x0000000000400000-0x0000000000CA1000-memory.dmp

memory/3104-141-0x0000000000400000-0x0000000000CA1000-memory.dmp

memory/3104-143-0x0000000000400000-0x0000000000CA1000-memory.dmp

memory/3104-144-0x0000000003090000-0x000000000309B000-memory.dmp

memory/3104-145-0x0000000000400000-0x0000000000CA1000-memory.dmp

memory/3104-146-0x0000000003090000-0x000000000309B000-memory.dmp

memory/2380-147-0x0000000000000000-mapping.dmp

memory/2380-148-0x0000000002EF0000-0x0000000002EFB000-memory.dmp

memory/2380-149-0x0000000000400000-0x0000000000CA1000-memory.dmp

memory/2380-151-0x00000000011F0000-0x0000000001209000-memory.dmp

memory/2380-150-0x00000000029C0000-0x0000000002A0B000-memory.dmp

memory/2380-152-0x0000000002A10000-0x0000000002A19000-memory.dmp

memory/2380-153-0x0000000002EF0000-0x0000000002EFB000-memory.dmp

memory/3104-154-0x0000000000400000-0x0000000000CA1000-memory.dmp

memory/3104-155-0x0000000000E90000-0x0000000000EDB000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V0JOWNXB\RVDRV0N4.htm

MD5 72fa0fca20c82853e6dbbc1f13c78100
SHA1 4e9b01e3ad0b56c9409bb02e5700430792fecacd
SHA256 4555de589ff9b307e20c708d6f112bc47bb377df29ff0a5914f8fb0932926887
SHA512 9c233b279c9e3f934752310443d31409f7236ea6d45fcf130b408558a5f6c35a9ea63684a3f9e5a01321c558cc278bc55dfaf01850cd1e56546b9f0fec3e96e9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C

MD5 509130c790e2cf6d6d464eab86ead573
SHA1 ca5ff39e9b95ac78dcad1b8f000eaa36f1d59493
SHA256 88a02c8708494bc5514094501b028dcb70342206e00c737340ddd8ff1346b492
SHA512 be1584eb4e90a24fd5d7d41ddb56bbf94be41791dfc2a4bf9dc77c61ae63c0d15909c37e27b60eb12f7d309871b667401f916da1f9672ad98b9daf2b36a7bc24

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C

MD5 09eb6aaacf9deb9c00f804fd43cf29be
SHA1 67de0f55e3527cd09f7a4bc0dda329241c8d5c99
SHA256 37b10118ec99eed4032a021a1b6b508263ac9dbd26a84d7660cdc67f7631a476
SHA512 198f97256e35a81d911181d5e9be2ee87a738970fdd3ca47d0e322f12083fa750bbad98ceb57d33e6c8f7ab487766ff706eeb80dd91fec0c71681529a6f02781

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A053CFB63FC8E6507871752236B5CCD5_E415CEEF5F3C45D0FAECEBC57258EF8D

MD5 f02b6c049f277f5e546050f9c8d38e78
SHA1 c95ff60d2ef9d4c5838183806489956c95353801
SHA256 23b96d5a57010278ae56374fc0059a381316789ade9b936175432a51493833dc
SHA512 e4f3f119251b39abf91ca5e1237b0488c58f9dfe3399165c802967193427dc4825da63ce437567e0065c9aadda89d0034d880f9e34b2c61b3fb99775b7d93a61

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A053CFB63FC8E6507871752236B5CCD5_E415CEEF5F3C45D0FAECEBC57258EF8D

MD5 4a6631ed1e7533802fe8aa3fe7628262
SHA1 4d5933f8f4f11e1b340dc76ceebdaa8e6754787b
SHA256 5233551e084cf84c9128412186f615a5220049fb3e4c27fcb499e50a30972aae
SHA512 7249bba36052859fd1ba9334472f2dc9f325c66bf06fcbd278c66eca6b7dad2900537224c8cf75901a012865d9887242703de714b371d717c47d505e50315288

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NMSO4O58\RYHUCZOV.htm

MD5 5e7f9198743f50515775691e58bd8da5
SHA1 ee4bd11947a8903c65b9c0f82db547fe5ec815bf
SHA256 0680b127930b54c9e558954c284645b4b0c404abdde81336eeb4d0779d6dc1cc
SHA512 5684fda79b60181754f9db85fc2f36ed20f6dadd82692abd7414613b875bfe5a98044040705a5da10b35864123490259ece0714ad247ad846b482528f5eb7bc4

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5L546K0V\font_2438252_1tmea3b46sf[1].css

MD5 9ee2e5b9e49dd2e398bfd67fab850cd9
SHA1 83b46a00149fd9fa683301151b1d4d20acbf36b6
SHA256 492c26c1f802e4956e4e1d365fa1a787ff0440038f8644e8e481d9621854fdb0
SHA512 949ddf5d47b95819d61a791eb4e3142deb4d5f6cbf31b64017cef4aea9592830edc14cac73883bc386742f888afa5e15785fbe3e880c0e7148b8c3aa568f2cbe

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V0JOWNXB\index[1].js

MD5 fedbc28a12642c51a88594540671d47a
SHA1 b7a1463ade4d5a853126491a8d3caaca31fe78eb
SHA256 3ca09760ac85bbda66a87dd2e30a637f21a09889766e43af3d6b8a3d2068b030
SHA512 db1775d36594f00f54deefe5698f6f7444305abf519433125c85f3c95dd8d34dc20b39f30421d753aec5d857ebb67743bb45c2e0f8c951e4909bab83d77612d0

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5L546K0V\index[1].css

MD5 03789780b1299999437bac67cce3ae1d
SHA1 336a0283a037ac19041ee24fa558d9e39a6d067d
SHA256 0a3c3739afce3d27cac73bd76779e2edf925067656f7db7de77d5e9207fd64ff
SHA512 baf4960112dcf39e90c598a964aa600a1c14c0725bb1351c0ec989ae51f2709800cdbb7cc43e9d2264b5eab49e76aaf3ef95228fc8da20a36228e81b327ce495

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E3KT0FLH\awsc[1].js

MD5 a4ec3dbc9fc0ab6b33853bcdf1b8a04d
SHA1 3e81e820cef114516a867c3729212d23a524911d
SHA256 3e70cf8a9412da0ceac966a2ae83575b5ac798f9740a5dd767e48a8051946d4a
SHA512 51b787237edd61a272c8bb738e4b7f54aa8826687f36efe06203e9a1b70a70ff952b79afa9c9af00e33ee098ef031a2740eb5ee1dc9b2e339adb0dc3cc10f1f5

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V0JOWNXB\index[1].css

MD5 8846f7f9c50f2d9e444f570e7b7c8008
SHA1 d8ec4cc23fcc517847392dbb6f810f2d607523f6
SHA256 35492f9ded59db209c633ac67d50a208b7d1bcf94946777b207c92721ec54a8d
SHA512 d6082fc54bba8b0d23466b9420cb47f0cd3c16e295c273d4960514dbbb441492e065bb19d9651299dc0942933cd2568c8770d19b2e32bcfb9ece3d01045ca936

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E3KT0FLH\index[1].js

MD5 821db86a02cf4f7234922c4763308583
SHA1 76b1db7cf69f9f76e5ed1cb5b16f1f012c9d9d4b
SHA256 0b580e5a7c0c3c6eb4c47367953f5707d9a6ec4a652a47bcf3910b64012abb06
SHA512 68fc14e6fbccda3592ca90067c82e9f8c82533da502668078544deec7cb43cbe46f0eaa2907408a4bf21ecffbb0d196e360ca05ced964bfe33455dce81d6e9ed

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E3KT0FLH\index[2].js

MD5 ecae200fb4b335aed28cffceab545dac
SHA1 162ec81fcc438f73d56bd3ba865fac88ffe4182a
SHA256 e547b71a181adcaeb2ab2db119183198e2ad66bc5a2a8c99385fd1c192d16ef8
SHA512 7fd20e5221be59d403af5fe22685c5c1a11740d649a309868dcb3baf9c77cef5609fa7e7556f8fc87f56a8e53c834c444ba42123e770468c727bc84318e07d1e

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NMSO4O58\index[1].js

MD5 610c107a92894ee8b19b25e363fa761f
SHA1 41e61f863d90d88683584c638690620fb557aeb9
SHA256 5b244faac1794e13502718a2593e944f438d2bdfa4a759e2235476f7e06da9c6
SHA512 98ac1aca302415ab00a4599a71ddb8c2de3e85269c5bb1c34d433db7915eb88ce007a918568a72e9278c57926042febe6b4a63932efa55aab19a4eb2b957883b

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NMSO4O58\trace[1].js

MD5 7c9a1212417ff52c95bc2958b35761e7
SHA1 fe5d13741e0da35b372857183ecbd676891104cb
SHA256 3cc2aec961a0865ec1b2b3b20d2a3ee33e7099e07ffbb4e221c77c0a195b1c5b
SHA512 ac0430d097f34b8264468361aad8c600049829bb71fff635ecc256d920003d73cbe4f1692e3621e8676458a93d8a11bb8fee8df68bff87c15ebbc72248c0435b

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5L546K0V\js[1].js

MD5 c32f39b6d866111461cda308aa861050
SHA1 a46d370a8d58b8c36ec1fc38a011356b8fc96b30
SHA256 02deb56179929db49b01da16e23505ff480a90a26e055e2da1c83c46c7c939a0
SHA512 844489747124af88378c018169c7470d80c469d6594a5d7659e0686a0f7d1f91bb040d2b2b46bb4cb875e94a606c073ec32146657b7c48ba0f15157e1966ee5c

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V0JOWNXB\um[1].js

MD5 64b7c9d9eed004ff6a5ff2804e8ca3db
SHA1 86b6c3e7532fcdb389c3f31e50955a1355bffb20
SHA256 36e6f4520d9cc3bd9be58b1721d2feee174b1c55b78ef103ae00b32aee848e5b
SHA512 f489dc742d2d63bf42ba7c04983931275356e9661511739657c2e9495e192829706c683033907051e6a9c7c053c1852cd96d5f03f534ac83ecc9c8e7fefc73c2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_01B1031F6736E831E4D73D2798F7305E

MD5 8e47a552a0c1bddcb2fcbf69cef9122e
SHA1 9bea0cf682eca9b3bd4da8688e45c14e53fe4669
SHA256 f95856bf24741ec1aef9e49beaa6576a8f049ba7d3353b48d27e18f4af6f422b
SHA512 d6d3fd72de2be94f26b907cc25dd8429c1656abe70daad83f455b41872a21d0bf66e10ad86afdd139a9ea6b2c58016e7e7152ac67bcda4a1eedb33b58c018c60

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_01B1031F6736E831E4D73D2798F7305E

MD5 aa1d804d9f3d44166aa4f98bdc6eadb5
SHA1 f89b0e57397d4cc424d82f768e80935f6afff8a2
SHA256 0502487e98b27f84545a580ca9870d101b8904bc9d04a3d395a509219d212359
SHA512 190b9247aa81d2c65c3eb4bcf101fe1a176dd2eb9f82d31c957f80ee38988c690d1ddf82c5e6d522d06672eb12076c58240a4e7fd1067a8192a537a9973a657e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 f569e1d183b84e8078dc456192127536
SHA1 30c537463eed902925300dd07a87d820a713753f
SHA256 287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413
SHA512 49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 db79ea29d81fdfa25e95783b6d096a15
SHA1 b96eb5ce7c8ac30eda5c68524f55f151c5463785
SHA256 cb816c228859432878f13ec84916fa3834c80a7dbe425096121ecff1560905fe
SHA512 bd557ddec9e07491e4dc1be5a1246dc92337377587cc57d9df002d89eed76da5186e2da05acd1f61a098c0d2c515a45c0bbbbf4d48a24dbbe54602f06e793ba3

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5L546K0V\collina[1].js

MD5 75fb6b94dcb3a9c89abb59a3ffd7546f
SHA1 96101820857ef511ba83017e928aeeb88353b162
SHA256 04975704505b42dc124568d9d4be26aee2d4592826a0487920cb1d016d1a8e58
SHA512 e02e6e241f2c231af62b43429b6ca36e2f25df8349642c22fcb6fb1e16e4ecc607895811fb42b181f8acea5045a89418613f3d84675741f85deb1dab8bba9b32

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 4acaf7f7e9e8cf275cf4fc76dcb0741a
SHA1 f7608debdc106286080a2ca798b66d8c182818a0
SHA256 b156da7f0adcf366b431b78729f88940ab2395e468038adbb62257b33e2de17a
SHA512 54b311a887cce296c89b7f24103d42520b9b7a53177783c409c57ab30200e7fb24d00ea6aecf9dfe3e08630bd1f2fcac1931634f2c697b02a57203f8df4568ed

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 772e971aa2dcf6a0016a863f0a946b55
SHA1 950d45fd6d321edbaeb3c9aeccc4c306c646ca5c
SHA256 a4a9e1781c3219116091368afd7dd5ab19c58a8e1ee81566f83bf3213dd46611
SHA512 f140d0db82219e8f008a8f2c1d5d2de92aa5f0296a302d71e4b727c757f2f3fdc0e14fb4c1850a15e2ca0a965056f6ed19275c88c1170af35b5181b0989ef981

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E3KT0FLH\CheckProperty[1].htm

MD5 3f2df13c6edd85e6b6f224507eb37b1c
SHA1 5a796f49aa7e2f5c2cf705db11c5094a3674b801
SHA256 9805e07eaafd763ec801e86b8c17f9b105d99b5476178f131d59316c5ede2196
SHA512 43724fb142175ace4138a1438bf24ffab8b83a2b6a027f5dfef5423900f09d64998a0961b80afbaa52e7d88a7c776600172bfffd6238a988a7e5ab0b31efa1e9

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5L546K0V\aplus_v2[1].js

MD5 3301490545322a17ab4e4825215f1fa2
SHA1 082757ba8dbb405d809d2bf20215374c3564184a
SHA256 086c6fcbdce0815e886575829603f8f9e0b9b928793281bbe9fdd81efbac1c53
SHA512 314ff383d05a506ab0d71706b4ea6c47f2df0930e6c2d57eb1fc6eddbf34599cb97d0e38735c29547a5da787cb9da8445333d3ab87368d22be3a6846c2180815

C:\Users\Admin\AppData\Local\Temp\DownPic.exe

MD5 cb7111fd511a1b177df71864298db1c5
SHA1 24a8d780e9a95870ff823ff1ab402d62de105695
SHA256 207a02fa9ae185cc08afcc6060c81a5120d8cea72552f461b76f9a963ee29052
SHA512 9235697f2a4699acc97220051003a77ecd915bf45c1f90ab35c60c021564356703cfb77967a9ada38016b5a7311cbcf9951e96bfd2fc5fc91bc27e0bdeb698be

memory/3852-183-0x0000000000000000-mapping.dmp

memory/3852-184-0x0000000000400000-0x0000000000CA1000-memory.dmp

memory/3852-185-0x00000000011C0000-0x000000000120B000-memory.dmp

memory/3852-186-0x00000000029F0000-0x0000000002A09000-memory.dmp

memory/3852-187-0x0000000002A10000-0x0000000002A19000-memory.dmp

memory/3852-188-0x0000000000400000-0x0000000000CA1000-memory.dmp

memory/3852-189-0x0000000000400000-0x0000000000CA1000-memory.dmp

memory/3852-191-0x0000000000400000-0x0000000000CA1000-memory.dmp

memory/3852-192-0x0000000003060000-0x000000000306B000-memory.dmp

memory/3852-193-0x0000000003060000-0x000000000306B000-memory.dmp

memory/2380-194-0x0000000000400000-0x0000000000CA1000-memory.dmp

memory/2380-195-0x00000000029C0000-0x0000000002A0B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E3KT0FLH\getregex[1].htm

MD5 a9af47a91a07213900bb86b11dabb88a
SHA1 bcdfeea6f51a69087a4ebda022e0a98ff0724de8
SHA256 ae3239693ce40b2e6e1a0e2629be6b09931ce9a9d27cc4626d8bf3180bbe8385
SHA512 b8b81128ed5ea43b61173e4360415b21460ecf8a54f3c7b5ddfd6b69543951f2f5b2f69bf949e8bba3f7ad12097e90d3f8f817be9db1befcdf15e23c03cde70e

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V0JOWNXB\trace[1].js

MD5 7c9a1212417ff52c95bc2958b35761e7
SHA1 fe5d13741e0da35b372857183ecbd676891104cb
SHA256 3cc2aec961a0865ec1b2b3b20d2a3ee33e7099e07ffbb4e221c77c0a195b1c5b
SHA512 ac0430d097f34b8264468361aad8c600049829bb71fff635ecc256d920003d73cbe4f1692e3621e8676458a93d8a11bb8fee8df68bff87c15ebbc72248c0435b

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NMSO4O58\js[1].js

MD5 f8127ebcd1a6c48755522823ebc96382
SHA1 0fda33214538584cc2f5e56e58e2b898ef4719e4
SHA256 df050aac387dd4b299a5521e68dd2ad3cd526b181bb0654c4e9183be3164a7fc
SHA512 aa2465a316c9774d0d2baae575f294e038cc4c361be9619f35c100ec3d3a0458e164b9db26c4020ad6aae3e8a286374e9379bddd80a4c4eaf3520da966ea9c67

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5L546K0V\web-vitals.iife[1].js

MD5 d4eec6d7ad84dc17a2d8b65de9615c85
SHA1 618ff77bf31657b8a4d07193633de79f3d162a9f
SHA256 3c60d2056c4b51601d6d6a1ddc4afe9fd561c415c0bf1e5e730a9a0fac78fb9d
SHA512 4cb0c2ec000c671701a4d27f5cbc86a5fd47e8b1c9999e483c692dfe2aa233d0e661157567499e7a88b9152a978a1cc64c8f3a2043a9d5b07e5d834b0192bd57

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NMSO4O58\aplus_v2[1].js

MD5 3301490545322a17ab4e4825215f1fa2
SHA1 082757ba8dbb405d809d2bf20215374c3564184a
SHA256 086c6fcbdce0815e886575829603f8f9e0b9b928793281bbe9fdd81efbac1c53
SHA512 314ff383d05a506ab0d71706b4ea6c47f2df0930e6c2d57eb1fc6eddbf34599cb97d0e38735c29547a5da787cb9da8445333d3ab87368d22be3a6846c2180815

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\80MUFKB1\world.taobao[1].xml

MD5 ca7621426031a4b7ea4063e4c47cb775
SHA1 16575c125cf87b9f6a2d1bcd0090c43b6e7e72d7
SHA256 2f10c2c84156bbdd5fdf864e0a14e0fa6d26bb2c269adbc01af859e7f9678ff4
SHA512 e24272f75e905414aab32f89bf2643ef00ee103f74d262a447631d323329785e901e91f01dc913f58c63ad166c947b0f7a3e02c371719aade31d593826f85700

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E3KT0FLH\O1CN01IRMbxn1NLmAQ6vyKX_!!6000000001554-2-tps-901-46[1].png

MD5 7d1515a95203300d7565c00f81b12470
SHA1 020284b0c98d3e4643301be864adbe9602f6d079
SHA256 5f6d6ea9eabd2f0140429db4086981608711431d362ee69cf11041142c0d5746
SHA512 e015352e3b4c1b000a531617a87dcb022649a86e70eb722c82d885a239a6a3b9b6fb0240ce2b1c0f38c4cb953fb7a45ed3ae1f229bef5d840c364f279eb23bf8

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5L546K0V\index[1].js

MD5 b1602c98c1f00f4422a96a0ccd6e8007
SHA1 b67becb54062c50d5d6dd185f733b2516d9a9f6b
SHA256 b195e1b21b5741be60a4627a959c930eca6676a800631f18233592291aaa05fb
SHA512 975422f98aa28ca68d2bb82ddb4d28d46831410b928d1a9431eed069d559a00b34b9b1832b83bf74a9813b48dbfa0a7aa93e91f3475fa05c0fc0c33e7a293633

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V0JOWNXB\font_1404888168_2057645[1].eot

MD5 1da30ae7733100c4411a11d851465533
SHA1 e04e38add4896c7c51fbc93f67d4b921fb347c02
SHA256 a70ff3a8ece73a174d3aeb40ac018193719329c7aa2e11fa067de0ed6a7da39e
SHA512 9af8ef19cad6f7e41d3a31a870709409c46d2405b9568bce24d73274f9463b6a3566f288296e52ad9891fd96c86440f54ad9f3595c1a84d20aa72b67cb26816b

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V0JOWNXB\TB1N7kwRVXXXXbAapXXXXXXXXXX-500-127[1].png

MD5 aca8f2eaac509e1ad916a3db3020ea45
SHA1 83980c19ec17caa310216b1382dcf576c4cc7f05
SHA256 553a2a6ba53ad05d4af1ae4e8101f68a7f01378bae79180cf0310d087ac7a5d7
SHA512 5b30221eca54de0ceedc43379314e8c2e03ed92bd3da8470aa384a7a86736a52aa634b0ae34d9bf61098eac9bc475212e6ed3a831ecd094bf8bbfa104db8b468

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5L546K0V\O1CN01Tr5MzE1FrMdQVXJbC_!!6000000000540-2-tps-238-40[1].png

MD5 c0514ec477acac11923814612b62048c
SHA1 5bd82787fef507e32a0929a86033a34c0e059b20
SHA256 d1f4867a07162f76c163d6bcd91b066e24a0bc82d301734ba1d7445732f93ef9
SHA512 73e71ce27827dc208e4d2259426f0f3fdd7d896671c302cac4b512fe110c4ebb1d4ae6e0b98a53de7edd2a636cc2bfde2e1c89e75dcd462ca3fa5be1a6cec42c

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5L546K0V\O1CN01rjCXEO1yXoR5lsMZO_!!6000000006589-0-tps-198-40[1].jpg

MD5 85978e1ae413770dcceab9c5d699c9d1
SHA1 2962accf3dc4382466df4a3bcc00ce168251476e
SHA256 2785d7856b2762af0ca10380839ded166ff618acd35c75992b1c9d0c7971e87b
SHA512 4bc59939a4bd8225d5e3e88c8966d6fb2749e91882560731eb7f2b5c428ef4b5b71d5dd511e76e584ae62094e2c852512d04565c6e90b54fb4e84ff16bcd18ad

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E3KT0FLH\TB1SKn6MAY2gK0jSZFgXXc5OFXa-249-40[1].jpg

MD5 c9d4249740bdc1a85784e0fb0d88a95c
SHA1 59925a3b21a92d87e8efb8e441166d9bbeae95d5
SHA256 6b8fc503894727913e16e0f4bbc6e41d9ce77bd72d45d2d1a468db14d1c170d8
SHA512 f561f19e1ea5482f0fd2487cb754805bddcd5c9dad8e3fd0ecc526d86a1042cf143236eae4584064c27ee414145f9f82ed5f6aa089adf4e5a66f75abdc9a6473

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NMSO4O58\TB1EPnIQXXXXXaSXpXXXXXXXXXX-1133-35[1].jpg

MD5 89542891446ef952e9365b7109eb4d19
SHA1 5f7330bebf9b322536332c894bea135f8d534e3b
SHA256 bc26ade47b7c2fa72334e3799f8346fac3643b58c00f9416cd58fc80b24b289c
SHA512 73ad41f2bca6518560096cee8b690f302a932d4641ad3746904fafb57139f447a5803e4be25740b6235e4f38a8a31ba785db76638823b67a7530ef5f377efa24

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5L546K0V\O1CN0108Mv2B1VBiUZxdc4j_!!6000000002615-2-tps-30-30[1].png

MD5 4b039ca8878334eee5579c059195c119
SHA1 a2ca2e58f1cd43aada9ba19d4bdc7535ed55f3ed
SHA256 65339b927bc7279262762195c3cc467fc5d58e8456b6fa71ac82dbe866cd9055
SHA512 f8899c585614f3e8468ba6c82d7330bf47aa1ffb456bd6996d094086a06a769c8f4a650d28f08844957dbd0f936f60a6fec9938d205816375828957a87407468

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NMSO4O58\O1CN01HkVitO1V8VhPKSICa_!!6000000002608-2-tps-174-40[1].png

MD5 f8bb73d819d827dabd536b42d0b7c731
SHA1 de2870b86296417fe18146cfd9be711d3cf2c23e
SHA256 ea7b826b39be02291f054c01798c6a4cb24968d851b101dce0dcb3a15a909739
SHA512 dca1debf6d9f69f1e80b18eed071781c798387468b3b48953abbc8a8e626cddd9d9da32d7542d96b6e6ff84d86b796bf19796c6cd702f8335085b0fd0a79989f

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V0JOWNXB\O1CN01y1sR2j1iIfUL4VsKq_!!6000000004390-2-tps-202-40[1].png

MD5 f56b60610ba613f05d47eeab6e8abd7d
SHA1 4c8537e366feeeb9a6a9ef1c937ac75bd74b95e1
SHA256 18c369b86148e0386a8640fef25c4a6fd5284b431c0b3725a22b4ccadb41747f
SHA512 52ac5e7a00bcc99712284a61b413e2b6b60bb042213a5a9bbcfd6ee1beef5a3596bbe08fedc8addff9217f057c991a70bd6b641c110c60a9cb9f1710b43e52d9

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E3KT0FLH\O1CN01WRHxRD1HlWox5UNuN_!!6000000000798-2-tps-99-40[1].png

MD5 fa5b4e5562f8d3b2e8572a9a78c1b7b6
SHA1 7274b3385aa74f78a9dc4ef1130d0d245fd09790
SHA256 36da4325bf0974eda093ff713a99859b39bdbca9f62eafea1b7570ec356cbaaa
SHA512 6d66d1e465a799ac9b5795fec4ae92bd46a4c6578e2e0ae8cf6abbd4f5f754dfba77854b2257f9cecb0d19ddcbcc0eaf312210200018569baac2711b842fa21f

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E3KT0FLH\O1CN01pGmNhS1LbgnABvxrV_!!6000000001318-2-tps-170-20[1].png

MD5 897022079568b67469f7be3035689809
SHA1 4974d13304140e1741aa746441c7d4ce7d5b5d98
SHA256 f4de745a01ba7399edcb78ad993e73dab87bf86b3c8a4b224f45bd997fc0a5f9
SHA512 afe80bf02e6612ce7bd1725b99e4b5bb9d9dd8355d65490399d1fc44f9336f98a458bc1c3b396e2bd138c8244e4a5be9202f79016356de183a8e9d675eddf2f8

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NMSO4O58\bat[1].js

MD5 4ffa93c7b72214cba0395e236738648c
SHA1 89a3b99eebfa5ebcea11ba92e0e3e63f0007b6f9
SHA256 492f3de5b6bff06f8b26f61d37e2e565f8f31e00315600c73d9caa85713e8c29
SHA512 551ee29c9cc8a7fcc89e8b5a1efc9f70068f04bc7dd1b3a7cdaf6b9ebb6e806b55ad92b8d6bc1ccde3088e9b096e22817e7e906530e59c276a393a0285e7ba5c

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V0JOWNXB\world_taobao_com[1].json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NMSO4O58\index[2].js

MD5 91b4d2562a0813932d3c310a344a67e6
SHA1 757704323ec62758409967de8519644c632ed457
SHA256 424966629c8b21d6705eefbc06bec99d577084c59875f3cb5be09cfa1e01acd4
SHA512 80dd292201045f5205a686eca2cef9ac36b8f65272f6eb1d3e06aba1ddcf89ab22ecc3dcf4cf52f899ed128eba482c937fc82f01fa8d40ddc8ec80bd2a3a0dce

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E3KT0FLH\index[3].js

MD5 2622168886577549c855be9407599465
SHA1 a68a7ae2f7fab0474608c8bf0b0ac5256051ada9
SHA256 31f1f204196058f1a7e564a991b42e3e7475933f223b85181adc76820a231812
SHA512 7bf58a500bbaf95818b71901b0f4f929b5f3e649d9f66a28629705a6c9ea42cfd1808ba05b1fdd3320ede778cad78103cbea1c6b994a0af369f9da0de46dba06

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NMSO4O58\index[3].js

MD5 0ad4251158abb9d73a55ab7dd24fbf66
SHA1 350d23bc2e5036ac20a9513d7d30a8e7391916c4
SHA256 8a978233505986e37cf952a7656e6c31f4a8d13902d76c68f28de30bf9f1d57c
SHA512 193d027c8680bb5fc8e0324d45cd460e968a8b4d04455b61fa4dd23af35706bc9d1b070c44f182bdc74314ab7cff88765501141b3458d4b914643462e1554602

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NMSO4O58\E63ZE6O5.js

MD5 4b9954eca159a609abd860f24def4092
SHA1 337a9af5a7d5a91d97e2be4aedde1aa62b137655
SHA256 3618f2c2faf5652ad5ca0243c163136784c48252796c4dad9c0633c93ec13b34
SHA512 b1cace189fc1effb618c82734dcfe27492e9cf676d4c5a52d22e0adad91aa45354afd06c09160085e2a62ba5c398374c33a4fad5c39c97e5ce779091cd4949cd

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NMSO4O58\et_n[1].js

MD5 97b6c61e26db08c305205b68cdf68ac8
SHA1 ae0a900042897de3cdb8a6e8317bc19686bcea6f
SHA256 23efaab0233a71426cdfe8398921fae6c9d19b43db05f5e61800141dc90d449d
SHA512 de76bfe377d92322613066424af031815b1930a97cca42224975e4c40b99cc63593f7360b1a7fe6ee29319a485c6cec7335c53579fa0d0cbef2442dd161bb64b

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\5L546K0V\CheckProperty[1].htm

MD5 3f2df13c6edd85e6b6f224507eb37b1c
SHA1 5a796f49aa7e2f5c2cf705db11c5094a3674b801
SHA256 9805e07eaafd763ec801e86b8c17f9b105d99b5476178f131d59316c5ede2196
SHA512 43724fb142175ace4138a1438bf24ffab8b83a2b6a027f5dfef5423900f09d64998a0961b80afbaa52e7d88a7c776600172bfffd6238a988a7e5ab0b31efa1e9

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E3KT0FLH\baxiaCommon[1].js

MD5 8b0a4b81c6ac84b7dc9938bde8f36b65
SHA1 7ad423e3165e65a4f187820318f35a69bd045ee1
SHA256 7ce6b93c26b5611e079a88c10103fef4f867c13d1e880e761dde4258845c24ac
SHA512 b7ce25d707ecf5a6e9dca810f268c6335ed3ef8ec7703520e82278d2532f407d703514bb9a3ced790f51ddf3320f0e2081a79c0c1660a0f3f85dc55b4e76b3ad

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A053CFB63FC8E6507871752236B5CCD5_3BD28B7620D132856D5CF08262694688

MD5 5f7b405a901c350c8e353ab28434cb44
SHA1 fa83af65ce9df2b9bc468c286a7aa05b7496037c
SHA256 a54231f9ed9c5c45665b36927bdaedd245ce841a5c85bd2d9243c2bd68e2d32b
SHA512 9484b08aa26008459c77e79a3dc03a80f72a19d7c81779b32fa8961d4316f793091ef2d97b9de3e162d36eb65b6c94e90642646d0492170705c5d38d84ea6e4c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A053CFB63FC8E6507871752236B5CCD5_3BD28B7620D132856D5CF08262694688

MD5 dd37e38c8426abaff698c77608205b3f
SHA1 807f273d9488c036ba651edf91182b52ae5c93aa
SHA256 36d1210399fdee0eb089ea6efe3de7816f74c4f8ac41e4bc36b236b59e85be9c
SHA512 d2b2cfb67426e880f7f65d9c2700a40950f4b575253cc798dd0a0788609053fe965a2eb5d1acc240bc1e9010090cdcdbc7be9bc32eb9068526dfa8536bb2ab4e

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V0JOWNXB\js[1].js

MD5 9173701a780634af26df8563c817f77b
SHA1 c0585df51cb6b69d2c72c4596f2e7e3ddbdad737
SHA256 fa6193a3b6b8f0af8d51f59717814059400f5573ddfcd75f64738371bb91b022
SHA512 3cdb4dcc12343f83c9e2d0ae1a0a6c4cfca433cff4612ecba0b2ee6bc96d2d52ba2b2b7e8bfda7b2c3377e3b7d55c434fdeb5f16aae552657b699b4aecf32d9b

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E3KT0FLH\analytics[1].js

MD5 fda30e8a22c9bcd954fd8d0fadd0e77c
SHA1 ae47cd34cbde081a48d7f92fc80aaf06a1381193
SHA256 b42e4a056cb5b80c5a315040826866445ec9332f0749e184509ab2d9d3b86719
SHA512 bf551c26ecbdbca8d8be0bc05aede18db415318a8143226e03311e235b7d8d497d6e08d73417926c878d253ad38f0dfc11571df2700500d02e68596b903309ac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_9F112C29E206D20D66B0A183D3D91DC4

MD5 ac9015b5c5376280c736570b78ff7ec5
SHA1 e6cc9781a201562ca877dd0e862eb7fceee5a20e
SHA256 0065f6fbfb2b636527c770f035c152aa3917d69fb9607e8cb1119f3842ed949f
SHA512 78cee27d5df888072296c54b1cb0f2a93d9c5ea94ffa8434d9d041f9277c2804e93b4687a2d7e2349d54f0f6921f3d392ff88b0f7583df5b88e1494352b4728e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_9F112C29E206D20D66B0A183D3D91DC4

MD5 3dc58f0dcba4ac9021f62c5c1c862e91
SHA1 d67cf5a8968b75d0d6893054f5201e015be19ecc
SHA256 75d4e57dc6c25d2456a7513572a97de5f1c1caead2822c8a985da9b8dfa55f89
SHA512 5f3f0f955dbb741e259b837e1ed935bca5e374216d758067aa282f8fb31184573d6d3de7baeb9c876e5a8f97bb718c611935e1f680874dd198978e06c7b12f1e

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\E3KT0FLH\CheckVer[1].htm

MD5 e19dd088188c131778d882de94916cd0
SHA1 d062a25d756fbc8c9739473a476bae5246bd9037
SHA256 0c1e0a1414361af5711c91b3bc01c9eeb16f0148d4d1ef062357c73d226a1f95
SHA512 6fac6dd794774d0ec5b978755de375b9f6af52cd074b0e6c05484065a7533b9bfd8a435c4e853fff1389f73fec4a82badb04c08ea10cff2e8402d6a8c4e99504

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A053CFB63FC8E6507871752236B5CCD5_3BBA15B82CC01F1EE53C3E9A89C80F28

MD5 5ccd31e85026b3ac2e0c05d730148f4f
SHA1 9d55cf59b6778b606f625a977eb9a2c24e26d7a8
SHA256 7033b502c130da1e4135596254ba1e53f93df4d7969391b49631ad11587c4467
SHA512 fe12a2b018a1f0d1153151ca6225e9098d9cb3e75a251923619771a5a176df789d84fb646f78a55a50ff17ac406730263a277ac3c25272da41ec4192195f4166

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A053CFB63FC8E6507871752236B5CCD5_3BBA15B82CC01F1EE53C3E9A89C80F28

MD5 91d913d5435be98542d068725952c99d
SHA1 11338445f09248d8d09fac03a7643f0f2ab8ef9d
SHA256 49b4c35abd94bc83226b1fb676d2887068b1ea393d711f9536f8b5e6b73207a8
SHA512 f52b1fb83f3c1cd12090acdeb4f83cb008e0d7e4ae72c73d8d4464ab025db75a18a2e8baaa2f48720046e596978d17903b680a22595f6a9c10858a0077e715bb

memory/2060-233-0x0000000000000000-mapping.dmp

memory/2060-235-0x00000000011D0000-0x000000000121B000-memory.dmp

memory/2060-234-0x0000000000400000-0x0000000000CA1000-memory.dmp

memory/2060-236-0x0000000001240000-0x0000000001259000-memory.dmp

memory/2060-237-0x0000000002A10000-0x0000000002A19000-memory.dmp

memory/2060-238-0x0000000000400000-0x0000000000CA1000-memory.dmp

memory/2060-239-0x0000000000400000-0x0000000000CA1000-memory.dmp

memory/2060-241-0x0000000000400000-0x0000000000CA1000-memory.dmp

memory/2060-242-0x0000000002E00000-0x0000000002E0B000-memory.dmp

memory/3852-243-0x0000000000400000-0x0000000000CA1000-memory.dmp

memory/3852-244-0x00000000011C0000-0x000000000120B000-memory.dmp

memory/2060-245-0x0000000002E00000-0x0000000002E0B000-memory.dmp

memory/2060-246-0x0000000000400000-0x0000000000CA1000-memory.dmp

memory/2060-247-0x00000000011D0000-0x000000000121B000-memory.dmp

memory/2060-248-0x0000000002E00000-0x0000000002E0B000-memory.dmp