8bbb55ab3cd37734c13c32ce6096fc353f997a850a4d175d1f7e3ad3c81c7b30

Analysis

max time kernel
122s
max time network
135s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
17-05-2024 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RunGame.exe
Size

71KB
MD5

6cbf23d640553b01afb2bcd64e513603
SHA1

85553697fa8aa86bbc5de321c94b20664018ea28
SHA256

bdf45e650caaf214fadbeb8a534893bcdf45541e5d641d4beda97ce49317ee83
SHA512

232e910ae2f0fc551f8fa2b6157824b44f95389546b5f42797b225dec7a1c28a5ce89702d6393809cc4f3d057d31889b4bf12d9644e89207ed354fb8d157957c
SSDEEP

768:TUntxZvPzGB6rVz3gFobjZkVfW9HPCfv+I6rhPX3aH8+GbebcYaSMP5aGNSNg:TUtxhkFKjmVfW1PC+xhl+DbFarPfug

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
2960	KGGWSetup_1003.exe
2748	KGGouwo.exe
2520	KGGouwo.exe

Loads dropped DLL 5 IoCs

pid	Process
2268	RunGame.exe
2960	KGGWSetup_1003.exe
2520	KGGouwo.exe
2520	KGGouwo.exe
2520	KGGouwo.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	KGGouwo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2568E111-147B-11EF-AC1E-72D103486AAB} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008a7593cb2a85d44e8244b845c265b29a000000000200000000001066000000010000200000001802dd4aebb91c289bbe9cdc112ca04a795acbdc82496205f88ffd1dc8ca789b000000000e800000000200002000000093340434ec6a43920fc3c0bcce2574d36df8776c331c531893110b7e0593c89890000000435c91eb6c7300577f5797f8ca740980d22eb812aba4d8bb1429c8c3f5b08207f04832d97b9c683df6e8bea4ee7068d8c7ab51ee80972b611d1a2cd6ff81e647b115d90214cc77dfc1f507bb8d4472d71760436e89c826cf4c6230ab235b0467a246cf1d61006738fe40894e75ff79e59b892ee236dfb4e7a8dbecafd010ce5d28d69b92c34ec1e7945ba524b21553b540000000998c1603ed39b9723321bb472ca20e470cf434a26a19965c67ada6d1d428d7ceeca8b767b96dda83a1bf82f18ecec51a5c21b87e3420261ef950638670baecd0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008a7593cb2a85d44e8244b845c265b29a00000000020000000000106600000001000020000000308552d9e7815fe4c6279c9e40f175fd43778785680dc09b01b88b8afb8ad115000000000e8000000002000020000000ba265b6caad4d8ee5be89cdbe577a502e2aa7ade87ef82363deed0df3079bb0b200000003f9674102a785819951fa48fc481c5cb04c302157943c9f9364e420ed9732e1240000000b42854ea4a9fa907a1cb1ea9a9a85da7efe551749c15d8747619599feb332c903539f674a829b66aa80a6ad94598ee4d95e69d2932f8e9926dd3af4de1e23991	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d01dc7fc87a8da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422132329"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2520	KGGouwo.exe
2520	KGGouwo.exe
2520	KGGouwo.exe
2520	KGGouwo.exe
2520	KGGouwo.exe
2520	KGGouwo.exe
2520	KGGouwo.exe
2520	KGGouwo.exe
2520	KGGouwo.exe
2520	KGGouwo.exe
2520	KGGouwo.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	2520	KGGouwo.exe
Token: SeSecurityPrivilege	2520	KGGouwo.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2040	iexplore.exe
2520	KGGouwo.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2520	KGGouwo.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2040	iexplore.exe
2040	iexplore.exe
2620	IEXPLORE.EXE
2620	IEXPLORE.EXE
2620	IEXPLORE.EXE
2620	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2040	2268	RunGame.exe	28
PID 2268 wrote to memory of 2040	2268	RunGame.exe	28
PID 2268 wrote to memory of 2040	2268	RunGame.exe	28
PID 2268 wrote to memory of 2040	2268	RunGame.exe	28
PID 2040 wrote to memory of 2620	2040	iexplore.exe	29
PID 2040 wrote to memory of 2620	2040	iexplore.exe	29
PID 2040 wrote to memory of 2620	2040	iexplore.exe	29
PID 2040 wrote to memory of 2620	2040	iexplore.exe	29
PID 2268 wrote to memory of 2960	2268	RunGame.exe	30
PID 2268 wrote to memory of 2960	2268	RunGame.exe	30
PID 2268 wrote to memory of 2960	2268	RunGame.exe	30
PID 2268 wrote to memory of 2960	2268	RunGame.exe	30
PID 2268 wrote to memory of 2960	2268	RunGame.exe	30
PID 2268 wrote to memory of 2960	2268	RunGame.exe	30
PID 2268 wrote to memory of 2960	2268	RunGame.exe	30
PID 2960 wrote to memory of 2748	2960	KGGWSetup_1003.exe	31
PID 2960 wrote to memory of 2748	2960	KGGWSetup_1003.exe	31
PID 2960 wrote to memory of 2748	2960	KGGWSetup_1003.exe	31
PID 2960 wrote to memory of 2748	2960	KGGWSetup_1003.exe	31
PID 2268 wrote to memory of 2520	2268	RunGame.exe	32
PID 2268 wrote to memory of 2520	2268	RunGame.exe	32
PID 2268 wrote to memory of 2520	2268	RunGame.exe	32
PID 2268 wrote to memory of 2520	2268	RunGame.exe	32

C:\Users\Admin\AppData\Local\Temp\RunGame.exe
"C:\Users\Admin\AppData\Local\Temp\RunGame.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://game.kugou.com/AdsPage/2013/01/DiscMicroStartBox.htm?cid=1201
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2040 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2620
- C:\Users\Admin\AppData\Local\Temp\tpm232.tmp\KGGWSetup_1003.exe
  C:\Users\Admin\AppData\Local\Temp\tpm232.tmp\KGGWSetup_1003.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Users\Admin\AppData\Roaming\GouWo\1006\KGGouwo.exe
    "C:\Users\Admin\AppData\Roaming\GouWo\1006\KGGouwo.exe" /install=1
    3⤵
    - Executes dropped EXE
    PID:2748
- C:\Users\Admin\AppData\Roaming\GouWo\1006\KGGouwo.exe
  C:\Users\Admin\AppData\Roaming\GouWo\1006\KGGouwo.exe mini#1|from#12
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
7258e7b554cc6d614e4768379c8e29e6

SHA1
dbc5dbcb8b2b686fdcf8e356296c6cdbd37011f8

SHA256
f4157951e4bef1888be8e2f7d9362ed77107d33f11c49bd3e98011c3a442b084

SHA512
e309c73c4b626befeb1f77b85f80f0a80a48fe1206c151bc24c719878df15ab57cf4fd1e7500eecb71f520902cc9adf3ac1c76e7201e4712ea74ff01703cc3f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a5d7cfc77e91c40ffc74e10a625dc42c

SHA1
19821c8cf0db21b0836798b2906905386e368fb3

SHA256
436b36f7762406f19397e9f8e0667e29910c2cffb4454114ccfb4ad71bd9b141

SHA512
92f16bfc29475887251dad61ec8a72e4cdad4f57aec8656d1b0ce20aeb72bdeea35ee32b9b425ea0a59be5ca6ab713b0f20acbf9e29b2ded7f12dffcf62b57ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a3c71146d200e4dc11192de2468cde7c

SHA1
7e8c0bf4054f4f58ac036cf222ad63b8f6966d59

SHA256
420aa9a6ba51120f90541f18808c9de369e98f9f55afc06eef193a998aa7a2c7

SHA512
dd2bbe7bc7cabb69e02da9e5f2a272dad4dc2a4a75934f5e5ca0b16dd5ab9aa705a5c877e26839565037151a5f5afbc722808ce0bec35f44885763e2a28ec17f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e430ffb8f75338b20ef75a4e54a62373

SHA1
f2979f47b5fcc5f1123a2d06966fd69131f287c4

SHA256
a7552fe81f64e028011edcb7c2ed92b2d8da017ac397ad3fb72810125385cff5

SHA512
0cfc91c7c71440341658a8bbc73807f7e8ca9e11a335b06df7342947aee60a011145883b264f80df46c8357375a51a73fdca90922bd0f3356a95f272f643bc75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d19fd07b1c13c16d0627390569311203

SHA1
0df20fcefe77eaab1c2c48350540ce1501cb8284

SHA256
7ea5573870e67f7e719540c9759943fe6222f61bb6efb391ac793b15c9f2b09f

SHA512
0fbe2df73fc79201f6d5525ff3f2afa1ef42cc0940e8f54c3f922a35357cbe946dfc72b622ddfb095c65abccf9d1c4d81f737aec6bcc985e059df6454cf426c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
43050e16b884d8031a497bce2b007ef9

SHA1
4cda315e0104e94bb5e0db812e5ef0c2a9ccb556

SHA256
37c0704e4142cb823a2be477066150a599b4af4fafb4d0badb12c3dc13d3f620

SHA512
1e2aa028c242f998815b45e7cd261f6fee806de9c47655fe57c39f5a01d1b3ec868e164995903258fadb8a42f9f04e721c75b01b73e3f2296c2b858ccfcf0993

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d170fd217a4838a3e051222508b2536c

SHA1
e858177b6f7e2ac5f6ef67c6c46a49141a6e4703

SHA256
63af3cc2e04fee8853ac0b24527a4a0c1782c85b1e0a5816e75a0b7d48fd5efa

SHA512
8c863597f8277889dfa8da82a682b27f95f906c022ea149a03f63103ee221297a1b98cb017125f8a73fa55c810ed7c8890b638cc83bb158a96884ad872501720

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
db1b57c6e263a7e1afeba9d3f0dcdd60

SHA1
90a32a333a16fbafc981747f48930264a5e0daa6

SHA256
5f0ab7a6cdb9c75b30d444b8f6415a17d841cf140c2d2980a60f34f0d2c3421b

SHA512
10cffda51daec09e6037b42b6727998572fd59f5a51577bc09d028578d27c21e153f637847c697493ec82b18eae4e6b43b0114455427ac562dee2cc2717f59ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b37c4a88100a3d4892d8825ac57708df

SHA1
a2256d8ce642ba8f27746637a97c3fa990b1d6cf

SHA256
d2236555e374678b19bf4b927b05cdef76d2f11acb2ee844538b6fb03d2949b9

SHA512
f6bdecd8ab85649ee07db690565748bda643547d9c1034caf709ab6d126d2c9f0f6050e6fa841e5cc913903f9f9bc70b347584fbf7731c5a5628c8b871f22d04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
58a77bf9f3a2937a80a6fdfd86fbffd7

SHA1
5c1cda9ef8665d4ffc14ae7d97f82f13827be16c

SHA256
12a1e781fe5ce1f90c0b5c523db2d2e16d1abcc385d50f4bbfaec49f1e75da46

SHA512
2b99b8ae7b9bdc6368ba83cbe879cff8bfaee89fe759f0342389359af8428751894077e824acacf2dc6575a1ebe56d4c6be9c8f135a017aa4727a2dd5532d649

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a8738343cfdc61c537de6d8a37d1dc3c

SHA1
572c46e374d0b15a4d5a30305810eb7d8d058534

SHA256
37aa91e603a2effb516da244066af870f3eb46f1172a0e2502ef43e07a578063

SHA512
c99ce036399222ccd040cf163c95a5ca2f5f27e8e3ed4e820433dc7a9b20d2835889b8e0644960bb3cc9dd7b8a3a13f087099f9c08daba581320eb770a0e8063

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
09ed20bdce223bebb586353b0c5d2bfc

SHA1
a3f799b065d6846462a104c4b2691a2c0ec0705c

SHA256
7acf5755f9243173ffd91f1b629b5a070212bdd833262116cc6bad9ef6b12ae3

SHA512
a1d27811dbbdf70e037aa6ad5ca90255e4c2e6e54a17b08674a2ea4e5145f97c737261eedab4229624fc7bff9f67cafbe22c6e713b220dbcbe848ea32a753fb5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8f314dc77df140b57f4bada7ee14bd26

SHA1
67ba01e52fae3450fdbc169849bf8595c61b4cd3

SHA256
5979130f87f75ebd00d8e7099729e9d98155f495b1b0978cd38c60c283b1044e

SHA512
a517996adcda3b0e36361ae1a7951530ec9644b3cfb463ef2ff264474310c8b38968070541aae8275307fd30b77f37817fcee1cd90f6abe7f1e317846735b43b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
de19c4076a25b5fa98d2c07398bf62b5

SHA1
91bf9d440647b012ee66e73beb8f5c30b46c5b6e

SHA256
1c0eaced37bd24b3aa0b422516f0bf4b0d181e1017e66ea5348d3deca957db3b

SHA512
69d525b159e96972f78e0758d14f6ac464ff0483ab75ac2ff1f4a42e8044586639bea6efecf090bba854e196ab5bb8bb41c88f545e0d7ba62fdee2bde6b73f5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a9a5df1a90ac101e88957a02ae31a7ff

SHA1
560100731387f1997237a4b107adb3a1e3ee97f2

SHA256
2675f42dbe46716434013c8d114cc80ef95d4b5a10b68fff1fdbe77800aae6e6

SHA512
29b7c75c6469f166300f37ede52e9254ba0ee3011445a6e2825539f4378e450688ecf47255849efd27c400c8af043b3a387c2bf982600def397cac16b9968415

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e2df86fbf167f992b76644007334fd6c

SHA1
9b6eb51d9e9d41fe00b53653fef8de749d363a71

SHA256
53f716058b3c413cafe176c479fcbc800dabb6c0d3a8410a488de301b039d307

SHA512
2416bfcc72e7b2cb64360867812e8131e8f112f08aa92e4ba7f328e6ebabe906af7a8adb717401b9b1681c697e8f0b005ce47c394e5d6aa1c7fe8d573d8f3d74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
facce4bb15af372934144b637a9e4d05

SHA1
ebb718a2efa7bdda6ce138689d46c5183cedced5

SHA256
8701d72932209ae1f88bf4e5df83a27a6b38f3ca3ada622b35d3fdd9b7abd27b

SHA512
88e302c674ffc3ad965ddd4423397f5149956793c43568c83dbe876789a5a84a341c77af9095824ae70136cae03bdddaab46a2b13d6cb91369cc64ddfeb69183

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e841d5e5d5af20c47aee4e8100122f4e

SHA1
127add04c4f0f548327c78c679c32f33e030aec3

SHA256
a12c6179cd13e3458d1673fbffaa47d2d86a06b7df92191865ff24add1a1075c

SHA512
b69801d9c69910dfeb7c324fed632e3d06612ad3dbb6d268a135e71971399e2a1ba8bca8a6e32305b3f39934dfd85c841280e31c19098fac7bb278beb2b35a79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c9c643acb9dfe00af786139bdc350506

SHA1
53ca2069309cfcda4c4a657bb058667660cf5d99

SHA256
5d8346dd6862721d4c0e62dd715db796cf42410b9a7c1af80e04755d6fdccc71

SHA512
1c8d2a25e1b08bc2cd54124ec34b907e28aaf1cf955952c430a3f14003d611eefd6c6be7a3271215f7e8158cc14e61dc3448435049482937a5c9c8a904951f83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
efbfe387e88768fddf2d0f17b0e7d160

SHA1
03d57b429439200158a63f50b0fa4471027f57c5

SHA256
b4023c86412d8716ed27611fd9cf8d391f7726fc891baecddb5f8f7237ab4578

SHA512
42c338e86ff13fad41f6114d7e536b13a68aecfb1f96763779997a30058347edecd26985871a8bf7928519fc212db7a975ed661ebb6c29a430321eb8c7e2776e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
64699e14eee879d99dbfa6817e293969

SHA1
09d8e97157477ea83285c931bb393d7e115f0dc1

SHA256
d8219b580136cdd70c59fa7679fe9541d1e403297f4a6d337f18429ea698aa5a

SHA512
6afc367a330d0d117c08007f5ed35fd91e6f67e5641887b08e851d54e2a29450dc76ae6270d380faaadd8345af6e9bbbe1ef2a777fa9f50f4c25679026eca670

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
d0fd89c93e63bfde31f69fe957ef794f

SHA1
5230000eb10787853a372183c02389a444e74aa8

SHA256
cc05ccde8f8c2ed2b8268c135f7cbed3169dbd0f61be181c76f9eeca0e2b5bbc

SHA512
57d4878149cf13f771d972aa28478968751baec65e891d3e3a665eda92fe352c07de64e237da65cb562d88e3f16ebc7b460d865beec5e889b85a13194567831e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3110.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar328B.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\GouWo\1006\KGGouwo.exe

Filesize
2.4MB

MD5
cb937008ac49500aa24b505c5b6105a6

SHA1
aefef477251967316ca2b1169150ef9c0865cbea

SHA256
5b672cbfb422bc4531bb4f5146b24b4b05111879d1c3a746aaee57dee4f9b6f5

SHA512
a1015d0e51167d89ecd1d512bb76058452902729a5657b950e6a5476f14826ec1637ef436bf882645585971757bb6deb387a8ae47bbdbb04b26223ac7f33de9c

Download Submit
\Users\Admin\AppData\Local\Temp\tpm232.tmp\KGGWSetup_1003.exe

Filesize
1.9MB

MD5
56c3f6c9eb6f7e8223e49d7a032a3eb6

SHA1
7626a176ef3f9571a53a443e809ad3ae96526d7c

SHA256
5143a8115e9d6d0199a6e67de56b98bcdbcb4adda9ed85e062558b1d05710826

SHA512
31ef589f8070c3ce5454744a7d01c1bf6c44f40f9ff86dfd3034cddbc0f9a3e01f36d9a7aeea2927e858349e75f38f8203da8dead84d635f580995cc102b2021

Download Submit