74eb002d55f1f3519b892fa8e240f4d1892e719efa1f338b84f03ccded722328

Analysis

max time kernel
136s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2022 00:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74eb002d55f1f3519b892fa8e240f4d1892e719efa1f338b84f03ccded722328.exe
Size

7.4MB
MD5

eff789f5b5c006495f56a0960188bf9c
SHA1

db36185547ee6ce2874abe34d2cc57ab652fc970
SHA256

74eb002d55f1f3519b892fa8e240f4d1892e719efa1f338b84f03ccded722328
SHA512

f961a3a504b8a3e8d52180aa39d752c41e4474a331c774c5e37e88007b3588dec8bcca2802552d9d614bc6525a3e1378396f721e6415263a224b9058101e5f9d
SSDEEP

196608:WT2iyZ3gUGKNazMk2IKmzTHVLvbQZAwd7H:WT/yZgUVN65VLzQuwt

Score

8^/10

adware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

xigua.exexiguaupdate.exe

pid process

3076 xigua.exe
4380 xiguaupdate.exe

pid	process
3076	xigua.exe
4380	xiguaupdate.exe

Loads dropped DLL 5 IoCs

Processes:

74eb002d55f1f3519b892fa8e240f4d1892e719efa1f338b84f03ccded722328.exexigua.exexiguaupdate.exe

pid	process
3248	74eb002d55f1f3519b892fa8e240f4d1892e719efa1f338b84f03ccded722328.exe
3076	xigua.exe
4380	xiguaupdate.exe
4380	xiguaupdate.exe
4380	xiguaupdate.exe

Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

xiguaupdate.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	xiguaupdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}	xiguaupdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	xiguaupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CDD7718A-D29A-4E86-A62D-7A44848A46C1}	xiguaupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	xiguaupdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CDD7718A-D29A-4E86-A62D-7A44848A46C1}\NoExplorer = "1"	xiguaupdate.exe

Drops file in Program Files directory 14 IoCs

Processes:

xiguaupdate.exe74eb002d55f1f3519b892fa8e240f4d1892e719efa1f338b84f03ccded722328.exexigua.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\tools\isWrite\	xiguaupdate.exe
File opened for modification	C:\Program Files (x86)\xigua\isWrite\	74eb002d55f1f3519b892fa8e240f4d1892e719efa1f338b84f03ccded722328.exe
File opened for modification	C:\Program Files (x86)\xigua\	74eb002d55f1f3519b892fa8e240f4d1892e719efa1f338b84f03ccded722328.exe
File created	C:\Program Files (x86)\xigua\xiguaupdate.exe	74eb002d55f1f3519b892fa8e240f4d1892e719efa1f338b84f03ccded722328.exe
File created	C:\Program Files (x86)\xigua\bdupdate.exe	74eb002d55f1f3519b892fa8e240f4d1892e719efa1f338b84f03ccded722328.exe
File opened for modification	C:\Program Files (x86)\Browser\config.ini	xigua.exe
File opened for modification	C:\Program Files (x86)\xigua\bdupdate.exe	74eb002d55f1f3519b892fa8e240f4d1892e719efa1f338b84f03ccded722328.exe
File created	C:\Program Files (x86)\xigua\tools.exe	74eb002d55f1f3519b892fa8e240f4d1892e719efa1f338b84f03ccded722328.exe
File created	C:\Program Files (x86)\xigua\xigua.exe	74eb002d55f1f3519b892fa8e240f4d1892e719efa1f338b84f03ccded722328.exe
File opened for modification	C:\Program Files (x86)\tools\	xiguaupdate.exe
File opened for modification	C:\Program Files (x86)\Browser\config.ini	74eb002d55f1f3519b892fa8e240f4d1892e719efa1f338b84f03ccded722328.exe
File created	C:\Program Files (x86)\xigua\xiguakunbang.exe	74eb002d55f1f3519b892fa8e240f4d1892e719efa1f338b84f03ccded722328.exe
File opened for modification	C:\Program Files (x86)\Browser\config.ini	xiguaupdate.exe
File created	C:\Program Files (x86)\tools\tools.exe	xiguaupdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30999441"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d790600000000020000000000106600000001000020000000b06bcd9f2ca84c66100388dae56f4fd9a0d7d15f2917469007e730f84e119c07000000000e800000000200002000000003191fe9d8c360b76847195197e033884115b4034e6cca6acc9754e3d362697b20000000d62849f9ca420cc3008ae6e15119327d9ac09ed1329aa1b59a308b63c6926a6f4000000018f78176d51e03f1cd1dc931f18ede522b522ec18a2eab6918cf8a92c075adc09f5f4a5975dd9cf9d290109a92665b38c3288e1449d943a1a1606965c36bc5b6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30999441"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2014853162"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d790600000000020000000000106600000001000020000000819864f1b376f8c482964caa833274be416c11ac17b7ac487698e5bb50765cac000000000e8000000002000020000000da076ab6542223b922cf70fd96f33bef790ae1623bf4215bd305dad711812e7e200000007f5f6d2a50a4faee05574c372260f435f9df530d7762f3b63a33f8eae1a54eeb40000000efde22541b46c0e0b3de1c1e522c8ee2049f12610afd6cddb224a619eef2a3e89da4b70432489341e10238edb0304e0a52cc93dabb0594644098a913d8b220c2	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60fed87b9103d901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A29F001F-6F84-11ED-A0EE-7A46CE8ECE48} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 001f687c9103d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2000791186"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30999441"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376450074"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2000791186"	iexplore.exe

Modifies registry class 4 IoCs

Processes:

xiguaupdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDD7718A-D29A-4E86-A62D-7A44848A46C1}	xiguaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDD7718A-D29A-4E86-A62D-7A44848A46C1}\ = "AccountProtect Class"	xiguaupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDD7718A-D29A-4E86-A62D-7A44848A46C1}\InprocServer32	xiguaupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CDD7718A-D29A-4E86-A62D-7A44848A46C1}\InprocServer32\ = "C:\\ProgramData\\tools\\bdmanager.dll"	xiguaupdate.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

xiguaupdate.exe

pid process

4380 xiguaupdate.exe
4380 xiguaupdate.exe
4380 xiguaupdate.exe
4380 xiguaupdate.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid process

4612 iexplore.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

xiguaupdate.exe

description pid process

Token: SeDebugPrivilege 4380 xiguaupdate.exe
Token: SeDebugPrivilege 4380 xiguaupdate.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

4612 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

4612 iexplore.exe
4612 iexplore.exe
3412 IEXPLORE.EXE
3412 IEXPLORE.EXE
3412 IEXPLORE.EXE
3412 IEXPLORE.EXE

pid	process
4380	xiguaupdate.exe
4380	xiguaupdate.exe
4380	xiguaupdate.exe
4380	xiguaupdate.exe

pid	process
4612	iexplore.exe

description	pid	process
Token: SeDebugPrivilege	4380	xiguaupdate.exe
Token: SeDebugPrivilege	4380	xiguaupdate.exe

pid	process
4612	iexplore.exe

pid	process
4612	iexplore.exe
4612	iexplore.exe
3412	IEXPLORE.EXE
3412	IEXPLORE.EXE
3412	IEXPLORE.EXE
3412	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

74eb002d55f1f3519b892fa8e240f4d1892e719efa1f338b84f03ccded722328.exexiguaupdate.exeiexplore.exe

description	pid	process	target process
PID 3248 wrote to memory of 3076	3248	74eb002d55f1f3519b892fa8e240f4d1892e719efa1f338b84f03ccded722328.exe	xigua.exe
PID 3248 wrote to memory of 3076	3248	74eb002d55f1f3519b892fa8e240f4d1892e719efa1f338b84f03ccded722328.exe	xigua.exe
PID 3248 wrote to memory of 3076	3248	74eb002d55f1f3519b892fa8e240f4d1892e719efa1f338b84f03ccded722328.exe	xigua.exe
PID 3248 wrote to memory of 4380	3248	74eb002d55f1f3519b892fa8e240f4d1892e719efa1f338b84f03ccded722328.exe	xiguaupdate.exe
PID 3248 wrote to memory of 4380	3248	74eb002d55f1f3519b892fa8e240f4d1892e719efa1f338b84f03ccded722328.exe	xiguaupdate.exe
PID 3248 wrote to memory of 4380	3248	74eb002d55f1f3519b892fa8e240f4d1892e719efa1f338b84f03ccded722328.exe	xiguaupdate.exe
PID 4380 wrote to memory of 4612	4380	xiguaupdate.exe	iexplore.exe
PID 4380 wrote to memory of 4612	4380	xiguaupdate.exe	iexplore.exe
PID 4612 wrote to memory of 3412	4612	iexplore.exe	IEXPLORE.EXE
PID 4612 wrote to memory of 3412	4612	iexplore.exe	IEXPLORE.EXE
PID 4612 wrote to memory of 3412	4612	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\74eb002d55f1f3519b892fa8e240f4d1892e719efa1f338b84f03ccded722328.exe
"C:\Users\Admin\AppData\Local\Temp\74eb002d55f1f3519b892fa8e240f4d1892e719efa1f338b84f03ccded722328.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3248

C:\Program Files (x86)\xigua\xigua.exe
"C:\Program Files (x86)\xigua\xigua.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
PID:3076

C:\Program Files (x86)\xigua\xiguaupdate.exe
"C:\Program Files (x86)\xigua\xiguaupdate.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4380

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://123.a101.cc/u.php?id=89
3⤵
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4612

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4612 CREDAT:17410 /prefetch:2
4⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3412

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\xigua\xigua.exe
Filesize
6.1MB

MD5
826ff195ce1259a72e4f67ab22db2e7b

SHA1
ecc94ebbd48856d6f5c6519e0845cc49a813132c

SHA256
30db66376d0e894ff8dfb795c329605c5f7c3c509f0cc4bce0dcb78155d9b9b1

SHA512
c70316f9d42a7114dfa9daef80796d945f0903c5cf208b7f7296a37fd269e5ea0baf7fc5515802a198370557a70baab1eaca4a94d276dfa08eb301c15487bd8d

Download Submit
C:\Program Files (x86)\xigua\xigua.exe
Filesize
6.1MB

MD5
826ff195ce1259a72e4f67ab22db2e7b

SHA1
ecc94ebbd48856d6f5c6519e0845cc49a813132c

SHA256
30db66376d0e894ff8dfb795c329605c5f7c3c509f0cc4bce0dcb78155d9b9b1

SHA512
c70316f9d42a7114dfa9daef80796d945f0903c5cf208b7f7296a37fd269e5ea0baf7fc5515802a198370557a70baab1eaca4a94d276dfa08eb301c15487bd8d

Download Submit
C:\Program Files (x86)\xigua\xiguaupdate.exe
Filesize
347KB

MD5
a30ea55c47f9f74aca63023ed2f27429

SHA1
18d5b2786b385e51ec82697270e987cc080dac30

SHA256
55d5db2f4eb62a1c8a419124aea3d236b29261894acc6a1f040f6d14daddf42c

SHA512
8e67d3d466805c57ebdf1f9cd483c9df6c3a45968d7913206569b30248346d21ab8fb52586286cae016b6dc48509693017f103eb14ef3213a098b0a45d68500b

Download Submit
C:\Program Files (x86)\xigua\xiguaupdate.exe
Filesize
347KB

MD5
a30ea55c47f9f74aca63023ed2f27429

SHA1
18d5b2786b385e51ec82697270e987cc080dac30

SHA256
55d5db2f4eb62a1c8a419124aea3d236b29261894acc6a1f040f6d14daddf42c

SHA512
8e67d3d466805c57ebdf1f9cd483c9df6c3a45968d7913206569b30248346d21ab8fb52586286cae016b6dc48509693017f103eb14ef3213a098b0a45d68500b

Download Submit
C:\ProgramData\tools\daohang.ico
Filesize
14KB

MD5
2b80eb58904a9c76c146128c8039534c

SHA1
3c34b4c4ee5036ebef3d411c9c16dcb6127718e1

SHA256
916fddaa8b1b8418b166668dd1d944c654e1d475b795d2dfb1a863d757f88616

SHA512
af18c547228f491e14b25c7a5d3e6e6496cbce6d1128e271028af83f82683c3e8bab8bd475d01c464a8b6524e123f38e2c97b7feb623f839284a3a9ebca5ad3d

Download Submit
C:\ProgramData\tools\ie10.ico
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\tools\ie6.ico
Filesize
17KB

MD5
bf69cff7e66a3aa109dda84eb0232813

SHA1
a5d83c6a2a3adc896a1eba23cd2db139e580d713

SHA256
1c4494e1b1b52d5c9ef5142f084f950cd986159f9652277c496b48ef19d927c4

SHA512
2a842f34dd57854523cc597851bcf4c094653e02ffc8d80228ab1e52742c12c26c19a9137685f202cb93a5c54838c985a814d29c0f9466fb616067bb273ef39a

Download Submit
C:\ProgramData\tools\ie8.ico
Filesize
17KB

MD5
c3e81d293ff596acd5596573c5bc0d92

SHA1
24f7eb541cf59abea6352b53a0b26392f9956017

SHA256
56a625bd2b7aee97368e92154c25da550dad3067b4c2f7f934cba21f40fa5f96

SHA512
e9b150e46493825ffa9aae71fe98579fc04e517398cb97bb473c98544b49022a0851928c95c9f2114bf40b6e113165b5bae5184a08fb18850550ee0af7515ea6

Download Submit
C:\ProgramData\tools\sougou_search.ico
Filesize
17KB

MD5
d9f97bbefebd7f6680a5cd7e428e7c6e

SHA1
b8f27fd1cecd21a0d893cd6c4d2900fcf5e657a9

SHA256
bb445582d1ea6728c3ef6836d0523b3d36b36f3ebc1206cdfcde1ef92493f506

SHA512
5808b085bdb028dae82434b255a0b1da3391409942899ecd4a7a01734e617f5e11a28d56e01d82aace80e5e37f395f43113cc8e96b532726388818f3c41d7f5d

Download Submit
C:\ProgramData\tools\taobao.ico
Filesize
17KB

MD5
530ea7b66b1ada5f28cc390d95c124be

SHA1
48f3e4bf67fff6958c27632d08c93b3e384a7406

SHA256
42a6eda959bcdf843ab794cfd26755baaacccd53482a3e5773155516c2d1b585

SHA512
155915195f006a3a971b7b923e858558238f821b5b990a28d6daa1decf57ed4ae0dd06ba80dbc37cac1b693cdfcd5b99a03fb9fa892dfd30b07bb1de112a3f78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
dedb504b3469b24ec0df79c68f5772e2

SHA1
177a8b1045b456316ca32d90aba942bf34774c64

SHA256
e18111fd56db31f02eb16990f0bbc7991a0c80571703281ee66010e229c9f8b0

SHA512
101312fa01991caeaef010d0d21e740244cb3768490a1b82ae12e7524e50b6e7f2e23c08978ac4c373e9013baa0a8f50de8e1994341556b78ecd88ce13df5680

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
434B

MD5
64e4a2e6ac2bcf51776870244c79d472

SHA1
bfa78d23ee2162eb141903057f477c2f3bf3d4c7

SHA256
9f462f4cfef0aba0e2fdef8e44e2a633f727492625fdc11f723af5a6786e2ed6

SHA512
8ae40325f46ef8d55001ece56610f47e14260a4c519910e241ca1a5864fe36ac3f82c7603cbd80d1461c01f1ef02eed401402d74853207e78a7d0a9aea85a012

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi5BBE.tmp\System.dll
Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi5BBE.tmp\nsTools.dll
Filesize
260KB

MD5
6ae9eaa868bcb42ae79bf9701b18e7ec

SHA1
80bd26a403aaee21fc2b9af0d5585a768ea3acd0

SHA256
d4fb435c03841d4911cba57bd01212156d4a0ab4554e5a25b3604e43b3622fb5

SHA512
06c60bb27b39064c237e52d3ccea2371953fc454321eab2046ffcb5cc9771206accb0124fdf1726d5cf821906ee05e03dc7ae9ca2534f6543e585382a9c0a688

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi5BBE.tmp\nsTools.dll
Filesize
260KB

MD5
6ae9eaa868bcb42ae79bf9701b18e7ec

SHA1
80bd26a403aaee21fc2b9af0d5585a768ea3acd0

SHA256
d4fb435c03841d4911cba57bd01212156d4a0ab4554e5a25b3604e43b3622fb5

SHA512
06c60bb27b39064c237e52d3ccea2371953fc454321eab2046ffcb5cc9771206accb0124fdf1726d5cf821906ee05e03dc7ae9ca2534f6543e585382a9c0a688

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsiE0B.tmp\System.dll
Filesize
11KB

MD5
959ea64598b9a3e494c00e8fa793be7e

SHA1
40f284a3b92c2f04b1038def79579d4b3d066ee0

SHA256
03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b

SHA512
5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst419.tmp\System.dll
Filesize
11KB

MD5
bf712f32249029466fa86756f5546950

SHA1
75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

SHA256
7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

SHA512
13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

Download Submit
C:\Users\Admin\Favorites\Links\全国最给力充值店-淘宝网.url
Filesize
46B

MD5
b1c843a4469b299bdcdd49fb0a6761b8

SHA1
cc61b0e4d005912c97f914eeadc2215164c2048a

SHA256
3ef62c8f4defa0dfaa1f3785fc6195bdd40652b5da001dbf5d2c40eaf5d137da

SHA512
611738229c6393d9ac1be39cf0d68aabb11bd4cb4135dc48d2ea001e2ecb897bfa378d564d499bbeea869fa1c96abaedd4381ef26367ed337534cc5e8d6ae43b

Download Submit
C:\Users\Admin\Favorites\全国最给力充值店-淘宝网.url
Filesize
46B

MD5
b1c843a4469b299bdcdd49fb0a6761b8

SHA1
cc61b0e4d005912c97f914eeadc2215164c2048a

SHA256
3ef62c8f4defa0dfaa1f3785fc6195bdd40652b5da001dbf5d2c40eaf5d137da

SHA512
611738229c6393d9ac1be39cf0d68aabb11bd4cb4135dc48d2ea001e2ecb897bfa378d564d499bbeea869fa1c96abaedd4381ef26367ed337534cc5e8d6ae43b

Download Submit
memory/3076-133-0x0000000000000000-mapping.dmp

Download
memory/4380-143-0x00000000022A0000-0x00000000022E6000-memory.dmp

Filesize
280KB

Download
memory/4380-137-0x0000000000000000-mapping.dmp

Download