6522ab0c608cdccf5327ecd28c5e751e8960dc84748e5558c03aeb7020d2015a

Analysis

max time kernel
147s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 15:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RunGame.exe
Size

71KB
MD5

6cbf23d640553b01afb2bcd64e513603
SHA1

85553697fa8aa86bbc5de321c94b20664018ea28
SHA256

bdf45e650caaf214fadbeb8a534893bcdf45541e5d641d4beda97ce49317ee83
SHA512

232e910ae2f0fc551f8fa2b6157824b44f95389546b5f42797b225dec7a1c28a5ce89702d6393809cc4f3d057d31889b4bf12d9644e89207ed354fb8d157957c
SSDEEP

768:TUntxZvPzGB6rVz3gFobjZkVfW9HPCfv+I6rhPX3aH8+GbebcYaSMP5aGNSNg:TUtxhkFKjmVfW1PC+xhl+DbFarPfug

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	KGGWSetup_1003.exe

Executes dropped EXE 3 IoCs

pid	Process
3620	KGGWSetup_1003.exe
2904	KGGouwo.exe
4288	KGGouwo.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	KGGouwo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
3440	msedge.exe
3440	msedge.exe
3356	msedge.exe
3356	msedge.exe
824	identity_helper.exe
824	identity_helper.exe
4288	KGGouwo.exe
4288	KGGouwo.exe
4288	KGGouwo.exe
4288	KGGouwo.exe
4288	KGGouwo.exe
4288	KGGouwo.exe
4288	KGGouwo.exe
4288	KGGouwo.exe
4288	KGGouwo.exe
4288	KGGouwo.exe
4288	KGGouwo.exe
4288	KGGouwo.exe
4288	KGGouwo.exe
4288	KGGouwo.exe
4288	KGGouwo.exe
4288	KGGouwo.exe
4288	KGGouwo.exe
4288	KGGouwo.exe
4288	KGGouwo.exe
4288	KGGouwo.exe
4288	KGGouwo.exe
4288	KGGouwo.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	4288	KGGouwo.exe
Token: SeSecurityPrivilege	4288	KGGouwo.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
4288	KGGouwo.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
3356	msedge.exe
4288	KGGouwo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 652 wrote to memory of 3356	652	RunGame.exe	88
PID 652 wrote to memory of 3356	652	RunGame.exe	88
PID 3356 wrote to memory of 1788	3356	msedge.exe	89
PID 3356 wrote to memory of 1788	3356	msedge.exe	89
PID 3356 wrote to memory of 224	3356	msedge.exe	90
PID 3356 wrote to memory of 224	3356	msedge.exe	90
PID 3356 wrote to memory of 224	3356	msedge.exe	90
PID 3356 wrote to memory of 224	3356	msedge.exe	90
PID 3356 wrote to memory of 224	3356	msedge.exe	90
PID 3356 wrote to memory of 224	3356	msedge.exe	90
PID 3356 wrote to memory of 224	3356	msedge.exe	90
PID 3356 wrote to memory of 224	3356	msedge.exe	90
PID 3356 wrote to memory of 224	3356	msedge.exe	90
PID 3356 wrote to memory of 224	3356	msedge.exe	90
PID 3356 wrote to memory of 224	3356	msedge.exe	90
PID 3356 wrote to memory of 224	3356	msedge.exe	90
PID 3356 wrote to memory of 224	3356	msedge.exe	90
PID 3356 wrote to memory of 224	3356	msedge.exe	90
PID 3356 wrote to memory of 224	3356	msedge.exe	90
PID 3356 wrote to memory of 224	3356	msedge.exe	90
PID 3356 wrote to memory of 224	3356	msedge.exe	90
PID 3356 wrote to memory of 224	3356	msedge.exe	90
PID 3356 wrote to memory of 224	3356	msedge.exe	90
PID 3356 wrote to memory of 224	3356	msedge.exe	90
PID 3356 wrote to memory of 224	3356	msedge.exe	90
PID 3356 wrote to memory of 224	3356	msedge.exe	90
PID 3356 wrote to memory of 224	3356	msedge.exe	90
PID 3356 wrote to memory of 224	3356	msedge.exe	90
PID 3356 wrote to memory of 224	3356	msedge.exe	90
PID 3356 wrote to memory of 224	3356	msedge.exe	90
PID 3356 wrote to memory of 224	3356	msedge.exe	90
PID 3356 wrote to memory of 224	3356	msedge.exe	90
PID 3356 wrote to memory of 224	3356	msedge.exe	90
PID 3356 wrote to memory of 224	3356	msedge.exe	90
PID 3356 wrote to memory of 224	3356	msedge.exe	90
PID 3356 wrote to memory of 224	3356	msedge.exe	90
PID 3356 wrote to memory of 224	3356	msedge.exe	90
PID 3356 wrote to memory of 224	3356	msedge.exe	90
PID 3356 wrote to memory of 224	3356	msedge.exe	90
PID 3356 wrote to memory of 224	3356	msedge.exe	90
PID 3356 wrote to memory of 224	3356	msedge.exe	90
PID 3356 wrote to memory of 224	3356	msedge.exe	90
PID 3356 wrote to memory of 224	3356	msedge.exe	90
PID 3356 wrote to memory of 224	3356	msedge.exe	90
PID 3356 wrote to memory of 3440	3356	msedge.exe	91
PID 3356 wrote to memory of 3440	3356	msedge.exe	91
PID 3356 wrote to memory of 940	3356	msedge.exe	92
PID 3356 wrote to memory of 940	3356	msedge.exe	92
PID 3356 wrote to memory of 940	3356	msedge.exe	92
PID 3356 wrote to memory of 940	3356	msedge.exe	92
PID 3356 wrote to memory of 940	3356	msedge.exe	92
PID 3356 wrote to memory of 940	3356	msedge.exe	92
PID 3356 wrote to memory of 940	3356	msedge.exe	92
PID 3356 wrote to memory of 940	3356	msedge.exe	92
PID 3356 wrote to memory of 940	3356	msedge.exe	92
PID 3356 wrote to memory of 940	3356	msedge.exe	92
PID 3356 wrote to memory of 940	3356	msedge.exe	92
PID 3356 wrote to memory of 940	3356	msedge.exe	92
PID 3356 wrote to memory of 940	3356	msedge.exe	92
PID 3356 wrote to memory of 940	3356	msedge.exe	92
PID 3356 wrote to memory of 940	3356	msedge.exe	92
PID 3356 wrote to memory of 940	3356	msedge.exe	92
PID 3356 wrote to memory of 940	3356	msedge.exe	92
PID 3356 wrote to memory of 940	3356	msedge.exe	92

C:\Users\Admin\AppData\Local\Temp\RunGame.exe
"C:\Users\Admin\AppData\Local\Temp\RunGame.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://game.kugou.com/AdsPage/2013/01/DiscMicroStartBox.htm?cid=1201
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3356
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa546046f8,0x7ffa54604708,0x7ffa54604718
    3⤵
    PID:1788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,7909231363464432079,4027026249252468970,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
    3⤵
    PID:224
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,7909231363464432079,4027026249252468970,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,7909231363464432079,4027026249252468970,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
    3⤵
    PID:940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7909231363464432079,4027026249252468970,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
    3⤵
    PID:1056
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7909231363464432079,4027026249252468970,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
    3⤵
    PID:1360
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7909231363464432079,4027026249252468970,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
    3⤵
    PID:5068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7909231363464432079,4027026249252468970,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
    3⤵
    PID:4292
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,7909231363464432079,4027026249252468970,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 /prefetch:8
    3⤵
    PID:3436
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,7909231363464432079,4027026249252468970,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4708 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:824
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7909231363464432079,4027026249252468970,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
    3⤵
    PID:5024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7909231363464432079,4027026249252468970,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
    3⤵
    PID:448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7909231363464432079,4027026249252468970,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
    3⤵
    PID:4968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7909231363464432079,4027026249252468970,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
    3⤵
    PID:3956
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7909231363464432079,4027026249252468970,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2260 /prefetch:1
    3⤵
    PID:3696
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,7909231363464432079,4027026249252468970,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1048 /prefetch:1
    3⤵
    PID:4328
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,7909231363464432079,4027026249252468970,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6012 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4820
- C:\Users\Admin\AppData\Local\Temp\tpm48F0.tmp\KGGWSetup_1003.exe
  C:\Users\Admin\AppData\Local\Temp\tpm48F0.tmp\KGGWSetup_1003.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3620
- - C:\Users\Admin\AppData\Roaming\GouWo\1006\KGGouwo.exe
    "C:\Users\Admin\AppData\Roaming\GouWo\1006\KGGouwo.exe" /install=1
    3⤵
    - Executes dropped EXE
    PID:2904
- C:\Users\Admin\AppData\Roaming\GouWo\1006\KGGouwo.exe
  C:\Users\Admin\AppData\Roaming\GouWo\1006\KGGouwo.exe mini#1|from#12
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4288

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b2290ca03b4ca5fe52d82550c7e7d69

SHA1
20583a7851a906444204ce8ba4fa51153e6cd494

SHA256
f9ff4871fc5317299de907489d466e630be63d698c8f7cb77cc81faddbecc6d2

SHA512
704ec8122cc1c263dff67ddbb5c20ee0db8a438674d716bc3be5b266ee5629a219b0049d721f9eb2dd8f2d8fda0163659eaa4d3e1f0a6e9072a8ffb92bb2b25d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
919c29d42fb6034fee2f5de14d573c63

SHA1
24a2e1042347b3853344157239bde3ed699047a8

SHA256
17cd6de97a0c020cb4935739cfef4ec4e074e8d127ac4c531b6dc496580c8141

SHA512
bb7eadd087bbcec8b1b8a49b102b454333f2f9708d36b6ffc3c82fdc52e46873398d967238c3bfe9ac6caef45b017a5fe3938ebf5f3053e4ef9be7b2752b563d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7aef33b7a3d26b2e65952741a9028bdc

SHA1
dbf22ae05104aa799e8a84f2119a7acec8ab9077

SHA256
939b92966726a1a5641403f1fb058c594b16fb9e92d5b1fea9716c5adc74deb3

SHA512
32e307a729669bba84d464b169dc80dc2d90d425cc183fb8954c0b3f7db56b51cfe6cdf6d2b22ceadec51e5f0a20c3c6706d026ac6e85dc19fb74cc54ca3ff2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2d82d8f4ab251b45185f8660d31c51a2

SHA1
636d4379d76c7065a1bc576ac2cb5934b157b1c9

SHA256
cae2968fc936a225958da0d7cc6e17f2b7fd11546dfd94a7ac3d66d9442cb684

SHA512
e76a49c13f9831930cdc05943fc8936aaa44ffb1b4cc4811d24670b4e2b4dccb68140d356dfd04b7c742958e8da3a6d8c3ddfb0e9b9b24326bc49dc349c72cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
81e5c0322cea3ec05452306a7c6ff23e

SHA1
0b333e7bfa77323ca896133990dbbb0305952b18

SHA256
0683280858d704a9b6b9b76ac20dabd92f88f0701854a2e15d7d1e506d8aa60b

SHA512
e1b8b78ffbef112277006c46a53f21ef3df6012f3e935ba8ee30ed71bf29d4c0bdd7d9f68483a441ffd39484e834e84bf7c3c351a573d7b3a52ba98e2d5064f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tpm48F0.tmp\KGGWSetup_1003.exe

Filesize
1.9MB

MD5
56c3f6c9eb6f7e8223e49d7a032a3eb6

SHA1
7626a176ef3f9571a53a443e809ad3ae96526d7c

SHA256
5143a8115e9d6d0199a6e67de56b98bcdbcb4adda9ed85e062558b1d05710826

SHA512
31ef589f8070c3ce5454744a7d01c1bf6c44f40f9ff86dfd3034cddbc0f9a3e01f36d9a7aeea2927e858349e75f38f8203da8dead84d635f580995cc102b2021

Download Submit
C:\Users\Admin\AppData\Roaming\GouWo\1006\KGGouwo.exe

Filesize
2.4MB

MD5
cb937008ac49500aa24b505c5b6105a6

SHA1
aefef477251967316ca2b1169150ef9c0865cbea

SHA256
5b672cbfb422bc4531bb4f5146b24b4b05111879d1c3a746aaee57dee4f9b6f5

SHA512
a1015d0e51167d89ecd1d512bb76058452902729a5657b950e6a5476f14826ec1637ef436bf882645585971757bb6deb387a8ae47bbdbb04b26223ac7f33de9c

Download Submit
C:\Users\Admin\AppData\Roaming\GouWo\1006\config.ini

Filesize
238B

MD5
facefafbd85ec1dfa578a065b36a1a0c

SHA1
52b91352dbc662f17318b3580d49d5055f36d4b5

SHA256
7b2f181858318061b0c504890a01cc2fb07b9d38562fe2bbb6a83312e5b41929

SHA512
edf3db6afb7a8a0c7e470941bdc6060043f397b3d69aa59fef60bbba1f73610ab36eba7e272f99afef06a29d8806b91343b701a5d1410e976afb7334a6f49dd1

Download Submit