7def699015891e9dd06f9dd4a80a7527f392f81d968699506f40cff0c69bf65e

Analysis

max time kernel
159s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 00:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45a03e186bea80f11a6fcbb0ab39cf0b.exe
Size

1.7MB
MD5

45a03e186bea80f11a6fcbb0ab39cf0b
SHA1

cf3ec91668dac25b094e2cd845b4cbea58dc6e45
SHA256

7def699015891e9dd06f9dd4a80a7527f392f81d968699506f40cff0c69bf65e
SHA512

2f8198e0d46d97dd435172040b37eb761217e9c686b1affb93cf52440790493396059156810cc7a9e94ef84a08dfa6f0241ef245b9bd30a6b2af7ee61797c559
SSDEEP

49152:l911nWuvZGTdsIeYUNA1N+E6GOx7UiR6O:lnd0TCII2N+E6z7QO

Score

7^/10

adware discovery stealer upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	45a03e186bea80f11a6fcbb0ab39cf0b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	rundll32.exe

Executes dropped EXE 4 IoCs

pid	Process
1568	wingames.exe
1504	setup1.exe
4632	setup1.tmp
4556	QvodSetupPlus3.exe

Loads dropped DLL 8 IoCs

pid	Process
4264	rundll32.exe
4264	rundll32.exe
4264	rundll32.exe
4264	rundll32.exe
1640	rundll32.exe
1640	rundll32.exe
1640	rundll32.exe
4840	rundll32.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000200000001e7eb-87.dat	upx
behavioral2/memory/4556-94-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4556-101-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4556-121-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4556-152-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4556-154-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4556-157-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4556-160-0x0000000000400000-0x0000000000457000-memory.dmp	upx
behavioral2/memory/4556-163-0x0000000000400000-0x0000000000457000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}asd	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}asd\ = "360°²È«ÎÀÊ¿"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}asd	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}asd\ = "360°²È«ÎÀÊ¿"	rundll32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\doifa.bat	rundll32.exe
File created	C:\Windows\SysWOW64\url.txt	rundll32.exe
File created	C:\Windows\SysWOW64\runfonce.bat	rundll32.exe

Drops file in Program Files directory 29 IoCs

description	ioc	Process
File created	C:\Program Files\Win32Games\taobao.ico	45a03e186bea80f11a6fcbb0ab39cf0b.exe
File opened for modification	C:\Program Files (x86)\·½±ã¿ìËÙ°Ù¶ÈËÑË÷\is-13N9I.tmp	setup1.tmp
File created	C:\Program Files\Win32Games\AddURL.dll	45a03e186bea80f11a6fcbb0ab39cf0b.exe
File created	C:\Program Files\Win32Games\dangdangwang.ico	45a03e186bea80f11a6fcbb0ab39cf0b.exe
File created	C:\Program Files\Win32Games\sysdkeys.dll	45a03e186bea80f11a6fcbb0ab39cf0b.exe
File created	C:\Program Files\Win32Games\url.txt	45a03e186bea80f11a6fcbb0ab39cf0b.exe
File created	C:\Program Files\Win32Games\wingames.exe	45a03e186bea80f11a6fcbb0ab39cf0b.exe
File created	C:\Program Files (x86)\·½±ã¿ìËÙ°Ù¶ÈËÑË÷\is-9A9IE.tmp	setup1.tmp
File created	C:\Program Files\Win32Games\bb.tmp	45a03e186bea80f11a6fcbb0ab39cf0b.exe
File created	C:\Program Files\Win32Games\bookmarks.dat	45a03e186bea80f11a6fcbb0ab39cf0b.exe
File created	C:\Program Files\Win32Games\jiuzhou.ico	45a03e186bea80f11a6fcbb0ab39cf0b.exe
File created	C:\Program Files (x86)\·½±ã¿ìËÙ°Ù¶ÈËÑË÷\unins000.dat	setup1.tmp
File created	C:\Program Files (x86)\·½±ã¿ìËÙ°Ù¶ÈËÑË÷\is-13N9I.tmp	setup1.tmp
File opened for modification	C:\Program Files (x86)\·½±ã¿ìËÙ°Ù¶ÈËÑË÷\unins000.dat	setup1.tmp
File created	C:\Program Files (x86)\·½±ã¿ìËÙ°Ù¶ÈËÑË÷\is-G3M3V.tmp	setup1.tmp
File created	C:\Program Files\Win32Games\2xi.ico	45a03e186bea80f11a6fcbb0ab39cf0b.exe
File created	C:\Program Files\Win32Games\install.exe	45a03e186bea80f11a6fcbb0ab39cf0b.exe
File created	C:\Program Files\Win32Games\zhuoyue.ico	45a03e186bea80f11a6fcbb0ab39cf0b.exe
File created	C:\Program Files (x86)\·½±ã¿ìËÙ°Ù¶ÈËÑË÷\is-0431B.tmp	setup1.tmp
File created	C:\Program Files\Win32Games\Config.ini	45a03e186bea80f11a6fcbb0ab39cf0b.exe
File created	C:\Program Files\Win32Games\setup.exe	45a03e186bea80f11a6fcbb0ab39cf0b.exe
File created	C:\Program Files\Win32Games\Thumbs.db	45a03e186bea80f11a6fcbb0ab39cf0b.exe
File created	C:\Program Files\Win32Games\SuperRepair.dll	45a03e186bea80f11a6fcbb0ab39cf0b.exe
File created	C:\Program Files\Win32Games\Xianjian.ico	45a03e186bea80f11a6fcbb0ab39cf0b.exe
File created	C:\Program Files\Win32Games\runbat.bat	45a03e186bea80f11a6fcbb0ab39cf0b.exe
File created	C:\Program Files\Win32Games\baidu.ico	45a03e186bea80f11a6fcbb0ab39cf0b.exe
File created	C:\Program Files\Win32Games\QvodSetupPlus3.exe	45a03e186bea80f11a6fcbb0ab39cf0b.exe
File created	C:\Program Files\Win32Games\setup.bat	45a03e186bea80f11a6fcbb0ab39cf0b.exe
File created	C:\Program Files\Win32Games\shffolder.dll	45a03e186bea80f11a6fcbb0ab39cf0b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 27 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ = "Safemon class"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SuperRepair.360SafeMode\ = "Safemon class"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SuperRepair.360SafeMode\Clsid\ = "{B69F34DD-F0F9-42DC-9EDD-957187DA688D}"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ProgID	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ = "Safemon class"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SuperRepair.360SafeMode\ = "Safemon class"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SuperRepair.360SafeMode\Clsid	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ProgID\ = "SuperRepair.360SafeMode"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SuperRepair.360SafeMode	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32\ = "C:\\Windows\\SysWow64\\SuperRepair.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SuperRepair.360SafeMode\Clsid\ = "{B69F34DD-F0F9-42DC-9EDD-957187DA688D}"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32\ = "C:\\Windows\\SysWow64\\SuperRepair.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32\ThreadingModel = "Apartment"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SuperRepair.360SafeMode	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ProgID	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SuperRepair.360SafeMode\Clsid	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ProgID\ = "SuperRepair.360SafeMode"	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4264	rundll32.exe
4264	rundll32.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4556	QvodSetupPlus3.exe
4556	QvodSetupPlus3.exe
4556	QvodSetupPlus3.exe
1568	wingames.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4556	QvodSetupPlus3.exe
4556	QvodSetupPlus3.exe
4556	QvodSetupPlus3.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1568	wingames.exe
1568	wingames.exe
1568	wingames.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 1568	1340	45a03e186bea80f11a6fcbb0ab39cf0b.exe	97
PID 1340 wrote to memory of 1568	1340	45a03e186bea80f11a6fcbb0ab39cf0b.exe	97
PID 1340 wrote to memory of 1568	1340	45a03e186bea80f11a6fcbb0ab39cf0b.exe	97
PID 1340 wrote to memory of 2364	1340	45a03e186bea80f11a6fcbb0ab39cf0b.exe	99
PID 1340 wrote to memory of 2364	1340	45a03e186bea80f11a6fcbb0ab39cf0b.exe	99
PID 1340 wrote to memory of 2364	1340	45a03e186bea80f11a6fcbb0ab39cf0b.exe	99
PID 2364 wrote to memory of 4264	2364	cmd.exe	101
PID 2364 wrote to memory of 4264	2364	cmd.exe	101
PID 2364 wrote to memory of 4264	2364	cmd.exe	101
PID 4264 wrote to memory of 4284	4264	rundll32.exe	102
PID 4264 wrote to memory of 4284	4264	rundll32.exe	102
PID 4264 wrote to memory of 4284	4264	rundll32.exe	102
PID 4284 wrote to memory of 1504	4284	cmd.exe	104
PID 4284 wrote to memory of 1504	4284	cmd.exe	104
PID 4284 wrote to memory of 1504	4284	cmd.exe	104
PID 4264 wrote to memory of 2900	4264	rundll32.exe	105
PID 4264 wrote to memory of 2900	4264	rundll32.exe	105
PID 4264 wrote to memory of 2900	4264	rundll32.exe	105
PID 2900 wrote to memory of 1640	2900	cmd.exe	107
PID 2900 wrote to memory of 1640	2900	cmd.exe	107
PID 2900 wrote to memory of 1640	2900	cmd.exe	107
PID 1640 wrote to memory of 4980	1640	rundll32.exe	109
PID 1640 wrote to memory of 4980	1640	rundll32.exe	109
PID 1640 wrote to memory of 4980	1640	rundll32.exe	109
PID 4980 wrote to memory of 1772	4980	cmd.exe	111
PID 4980 wrote to memory of 1772	4980	cmd.exe	111
PID 4980 wrote to memory of 1772	4980	cmd.exe	111
PID 1504 wrote to memory of 4632	1504	setup1.exe	112
PID 1504 wrote to memory of 4632	1504	setup1.exe	112
PID 1504 wrote to memory of 4632	1504	setup1.exe	112
PID 1340 wrote to memory of 4556	1340	45a03e186bea80f11a6fcbb0ab39cf0b.exe	113
PID 1340 wrote to memory of 4556	1340	45a03e186bea80f11a6fcbb0ab39cf0b.exe	113
PID 1340 wrote to memory of 4556	1340	45a03e186bea80f11a6fcbb0ab39cf0b.exe	113
PID 4284 wrote to memory of 4840	4284	cmd.exe	118
PID 4284 wrote to memory of 4840	4284	cmd.exe	118
PID 4284 wrote to memory of 4840	4284	cmd.exe	118

C:\Users\Admin\AppData\Local\Temp\45a03e186bea80f11a6fcbb0ab39cf0b.exe
"C:\Users\Admin\AppData\Local\Temp\45a03e186bea80f11a6fcbb0ab39cf0b.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Program Files\Win32Games\wingames.exe
  "C:\Program Files\Win32Games\wingames.exe" http://reg.2xi.com/yst01
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files\Win32Games\runbat.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Program Files\Win32Games\shffolder.dll" movefilesuper
    3⤵
    - Checks computer location settings
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4264
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Program Files\Win32Games\setup.bat" /SILENT /SUPPRESSMSGBOXES"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4284
    - - C:\Windows\SysWOW64\setup1.exe
        
        setup1.exe /SUPPRESSMSGBOXES /VERYSILENT
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1504
      - C:\Users\Admin\AppData\Local\Temp\is-LRI6C.tmp\setup1.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-LRI6C.tmp\setup1.tmp" /SL5="$80230,255539,51712,C:\Windows\SysWOW64\setup1.exe" /SUPPRESSMSGBOXES /VERYSILENT
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        
        PID:4632
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 "C:\Program Files\Win32Games\AddURL.dll" addurlp
        5⤵
        Loads dropped DLL
        
        PID:4840
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\doifa.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2900
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe "C:\Windows\system32\sysdkeys.dll" huise
        5⤵
        Checks computer location settings
        Loads dropped DLL
        Installs/modifies Browser Helper Object
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1640
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\openonepage.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command" /v "" /t reg_sz /d "C:\Program Files\Internet Explorer\iexplore.exe http://www.506520.net/ys.html" /f
        7⤵
        Modifies registry class
        
        PID:1772
- C:\Program Files\Win32Games\QvodSetupPlus3.exe
  "C:\Program Files\Win32Games\QvodSetupPlus3.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\·½±ã¿ìËÙ°Ù¶ÈËÑË÷\FangBian.exe

Filesize
474KB

MD5
e67b91674b1bce96301e9a03df43453b

SHA1
d5a6510bc2bff64689abcf4fed62dabd4960a4d9

SHA256
af790c25a309c275ab9d7cbbcfd63efe6d545d6cd851993fb8cc6d288902c49b

SHA512
780b6842a375eb8feba4dd0d1fa691ca5c89b73ddb66fd1113960db6dfff31c12585788662d253af1de041ed251ac679ac0281dec9bb3919dada94eb2ee06e48

Download Submit
C:\Program Files\Win32Games\AddURL.dll

Filesize
119KB

MD5
0a8bdcbb1998fd1ed0c534128d746317

SHA1
7034704fcd8d1311a7dfa3f3572bda3e5e647777

SHA256
6b632af7516e724035c90f71b5587d905c8433d36086d1bbe5d60f9ed79ec702

SHA512
06c27fd32f66b191202a497e6c6bc5c5e00cf62a89d1a68cab6ea5fa343ca4d18b787707d0378aea9784ad8add6c0784b3a633830491f78c0a149d03894bb2a2

Download Submit
C:\Program Files\Win32Games\Config.ini

Filesize
1KB

MD5
7ef8296597c3b1fe7b8d27711d76f05f

SHA1
b261633985ae03b48d9b936c2305ee0e747317d6

SHA256
c01c5b8381b4b3373d600d580ff7bea1df10da685fa4efa4e0c0e54dfcc78bd6

SHA512
215aed79970d468e729aa312b6e7199069a6ce25cce32f55e00eae9407ca3f26ef9b4dc96a485e5d773899c07bb91f1704998a89740c08c7c5ae1ddadae895d3

Download Submit
C:\Program Files\Win32Games\QvodSetupPlus3.exe

Filesize
149KB

MD5
8da481acb7ce2508f68071da569ce84a

SHA1
8cbac6dd58a715f1618588e97ccd8889f8e6e976

SHA256
8faa31e39d329b8d86f4c7668832c6e7e557e24538fe57e097171db4516e16d4

SHA512
ede7b12bce408532c95f2a9a2224af2bcfdda340926a613d562ef8f1356cbfff07c62d6188b3a0de51fc0d5db28508e91a5e037c5d08798ad40d6a7c122654f6

Download Submit
C:\Program Files\Win32Games\SuperRepair.dll

Filesize
439KB

MD5
16ce2273a47462893fc40bc7f14a765e

SHA1
46da13b34481a9a56b3086da8e87245df176bb97

SHA256
9a43839b7ffea39e1ed620e93e0c480dbb7347084f31d2c9d46f589b71b3a1b2

SHA512
8cae72c20a1cdc4f6e16f44b02c29f0f67caa4adc74bdd65a28dd4b840dc9fa680f004efea89404b7b6d402d661f2cb2c47fb697363b7bc88f9ba227450c16ab

Download Submit
C:\Program Files\Win32Games\bookmarks.dat

Filesize
31KB

MD5
37856ab54f4884347ca7399511b1e451

SHA1
434eed05a783325094d6dc177809640edd17434b

SHA256
97cbbefb6c945d81c6189905cf21645ae38c14349de4afd4511a4dca9471deec

SHA512
635a2afb8329cadbde52274f623002c269dad38175affea4e66ebde59fdbbfaf9641f51fdc98dc2ec2ab85086e49a66356367bce65546c839d59ef939b8433b9

Download Submit
C:\Program Files\Win32Games\install.exe

Filesize
88KB

MD5
3ff37f7120c893d4181b91730de00891

SHA1
7ebdb7b29897e1d3ce1b0b3a894fed7b05a0ab40

SHA256
be838574f77449da02d7bd432b87b8e8b1809c439ae241ca1f4bf198d61fe670

SHA512
91de6092937e76a3aa188e7194c5951ab8515d1a88a4ad0252b1f8500353d9bd65a8ae291cbfd68e4ae24fa1b0dab0188ad855acd959cac2baac01857aaec569

Download Submit
C:\Program Files\Win32Games\runbat.bat

Filesize
129B

MD5
73059092d399c7e46689cec258c4e28b

SHA1
aabf043c06d3aef6a5ebaa882c1445a6615e02d7

SHA256
efad88fa1a72ae39ac1214e7b8e79f997877886e370151bfed92a0af249e4848

SHA512
3df9b70231cf9ea3f3417b665c2a7d8d12bface366130b727210e075fa695cd8ad9b8f140fc6d793f47dec743eb477a70339280deca1921db023588eb766c969

Download Submit
C:\Program Files\Win32Games\setup.bat

Filesize
168B

MD5
59595f6e3e2dc287a9437b05d2c3658f

SHA1
a5e7d3d8425b30d71c7f0ddf18f844405228d121

SHA256
8ee18eebd8869fe8d3d4c9a854ced4606bcf7666a814bec59625e1a60e3f27a2

SHA512
222b41676dc242ef3c5e746167c85b9fd2c5f9f407a5b1f13d24621a08fbd51b9defa1575196bd6b66fa814106a0d2bbc5de8fd9d73778c3a1334977a8bb66e9

Download Submit
C:\Program Files\Win32Games\setup.exe

Filesize
488KB

MD5
3e678908518b5008c34a2d2311a26a39

SHA1
9b6aa325af60f7e0cb3a0f3e1a85b0351c292d95

SHA256
0338794f257e87a0fd18b0b4569c6101368f94935b6769a1ffe76013f74ea25d

SHA512
3384c83181c6abc693fb3d07ca99ad05d95afeffffa9b43c2f39ff849e73d4c40a030a1c402445ec56b94e65a80224f97b59100960088d069e15bf6cc94a4c7e

Download Submit
C:\Program Files\Win32Games\shffolder.dll

Filesize
90KB

MD5
b16a2ffdc99fad06910e4f5840b09b7e

SHA1
a6007e4a23a466d770a4530e88f4fce674321686

SHA256
4d0f7f715e56326d1a1ad1dc38253d1e1c981f11e45f7ce3bcda7466c28439cd

SHA512
511bf69bae59bc67254f535dda5679e05bf7f412ace4d50ab5b683992f12ffa95f193ace6edd933fa1f0fbbfd9d1ce8e2995642748c3329cae8454f649c32c06

Download Submit
C:\Program Files\Win32Games\sysdkeys.dll

Filesize
125KB

MD5
3982fa5123761e6d95120fcfbc734f31

SHA1
4f6827444af7bea4a6fce6d572acc0c3c43b57dd

SHA256
0348feba8869603b5501dcf68421e4e68a18bcc861bb4536a38d50c405f64eca

SHA512
5eb5dc9ac58a2e96b2bdfb64858efd14bb382235911aa16e3c2f7a650eca014aea9691df6a52f1a1968c1e20b0080011cd21d92019a95808d5487956b909e641

Download Submit
C:\Program Files\Win32Games\url.txt

Filesize
31B

MD5
f558c96f83a54f4a5242bb905e99ddb6

SHA1
412360275b2b9c51f2060476fe1891845db7fcf7

SHA256
edc6fae9af108d02f772d033af1d89d019b4fdc77fe4682d25f1e6c1e7f2c7a0

SHA512
b51c02be3e6bd7085fabdafece7bd75e7e61b2d37d88931c7421bb1c9f3cf8676cd988953d2af23e20c48a2a462e656cf5f28a7e23595c0865b5b35af89e5bff

Download Submit
C:\Program Files\Win32Games\wingames.exe

Filesize
1.3MB

MD5
a3809af6e4577e5373905d9d8fba7b32

SHA1
e3537de67613e72025c0f6ee707c9118e12b3101

SHA256
ecd6226fcd7898b00b308595a6923384ac0d944939771e66a8d4c6fac8cbe60e

SHA512
772a407bcf4711ff47c04a44189ceed76ba34d1278c85cc340c2788a339d30cae62a8162de919fb5f403023c0c11d0f6ca93a8ddaf73287624d9c401bbd9f50b

Download Submit
C:\Program Files\Win32Games\xianjian.ico

Filesize
23KB

MD5
cdad1c273cbf6e059022029dfbd9bee6

SHA1
7fb484f24929070097237db926f240e887a23bd5

SHA256
c8eb519eb05ea06daf3c9e7d059266c53adda91611514ecf7904eebeb3297fc1

SHA512
1c631fe1a03f32513a451e2259387161637094be8b0eea0d636ecd8e35c85c13e6add5d05c2346a634ee9ec042efd2da73faf023d8f4636edd84a05883ec372c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LRI6C.tmp\setup1.tmp

Filesize
690KB

MD5
867a12e0f5ee621dc2ba872027a0c3af

SHA1
16f73e48c5c1831776a04b42a850d7a3c4d646b7

SHA256
81659ebef12ada97da313b86a865bfd3606d7fcbdafd75927dcbd51e2e3fa273

SHA512
2468ec1d3479039a56bd3517692852adfbd908d1b13b60ce5dbec9439847aad80428c0d3f6249012bd704ebd4ffe75676ffd1241e7b5fa766d20aba216d4c387

Download Submit
C:\Users\Admin\AppData\Local\Temp\openonepage.bat

Filesize
214B

MD5
433997e502fd84b72fc9d6d63fd5c268

SHA1
257bc2163554519cb49e570b4f98e3d46dca73f8

SHA256
e78273d14b9b80187133234bbd2a25b0e28de596736b5c66b5b317c70f73d11e

SHA512
fd1ae6aff6eada875486f251efd0508376720de7d10ede473ca82d2e635da1488af642f553ffa91cfd3291c970294c558bd3a1f053ba824f37c4a1ebac954866

Download Submit
C:\Windows\SysWOW64\SuperRepair.dll

Filesize
192KB

MD5
750d6ef07260dccf25b9e43521e26a71

SHA1
9a7aad9b66510db8205a601cb917887814fbdf19

SHA256
8995a580e9c094f416d159ec44eb118a24d7ecab89caec041fc9fe47b64a7631

SHA512
9663e4a47c6ece752ecbd254674b9b7e8bc773021151ddd2e49e8ff3057b6db9a08c69906939ed2d3122bcff88a943280108dfb07a576fe480a8a3d9915c89f4

Download Submit
C:\Windows\SysWOW64\SuperRepair.dll

Filesize
128KB

MD5
733a44a05c0ef06305ca759eadba9872

SHA1
436e39a7cc55f2a43f05a1d638c621c0395896c0

SHA256
a0b508ae69dc23c5e88392dc59f5dc01f28f1f34f6e9132799ec9072636d5f8b

SHA512
4c8434626ba16630a652f0c422e8bf206025668ac8a387010eedffff73604b9ff661992981f72034eff7b620c10b28d284f1a40a2833b4df5f55ac5b0c170994

Download Submit
C:\Windows\SysWOW64\doifa.bat

Filesize
103B

MD5
04bc98078381e1261a16e4320feac43c

SHA1
a98afe6907d0aedaee261e0ba04a987d745706b9

SHA256
8fe651f0ad2de63fee51a6b2c1531c5837ed8f861b88dc9fa8cac7760987dbf0

SHA512
1d7c64ccc799dc2cac9529020a472db4a72f4272b77e3cd14c2627ac3ba9be9b23686c79310a3a7a053644224ae260c53af4e1cdcb8bd52bbdf94b38b435bb9f

Download Submit
memory/1340-27-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1340-22-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1340-0-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1340-51-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1340-95-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1504-97-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1504-74-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1504-133-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1504-110-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1568-96-0x0000000000400000-0x000000000054A000-memory.dmp

Filesize
1.3MB

Download
memory/1568-153-0x0000000000400000-0x000000000054A000-memory.dmp

Filesize
1.3MB

Download
memory/1568-68-0x0000000000400000-0x000000000054A000-memory.dmp

Filesize
1.3MB

Download
memory/1568-40-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/1568-109-0x0000000000400000-0x000000000054A000-memory.dmp

Filesize
1.3MB

Download
memory/1568-105-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/1640-67-0x0000000002CC0000-0x0000000002D33000-memory.dmp

Filesize
460KB

Download
memory/4264-44-0x00000000001D0000-0x00000000001EC000-memory.dmp

Filesize
112KB

Download
memory/4264-54-0x0000000002820000-0x0000000002893000-memory.dmp

Filesize
460KB

Download
memory/4556-154-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4556-101-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4556-163-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4556-121-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4556-160-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4556-94-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4556-152-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4556-157-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4632-120-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4632-98-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4632-132-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4632-106-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download