8bbb55ab3cd37734c13c32ce6096fc353f997a850a4d175d1f7e3ad3c81c7b30

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RunGame.exe
Size

71KB
MD5

6cbf23d640553b01afb2bcd64e513603
SHA1

85553697fa8aa86bbc5de321c94b20664018ea28
SHA256

bdf45e650caaf214fadbeb8a534893bcdf45541e5d641d4beda97ce49317ee83
SHA512

232e910ae2f0fc551f8fa2b6157824b44f95389546b5f42797b225dec7a1c28a5ce89702d6393809cc4f3d057d31889b4bf12d9644e89207ed354fb8d157957c
SSDEEP

768:TUntxZvPzGB6rVz3gFobjZkVfW9HPCfv+I6rhPX3aH8+GbebcYaSMP5aGNSNg:TUtxhkFKjmVfW1PC+xhl+DbFarPfug

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	KGGWSetup_1003.exe

Executes dropped EXE 3 IoCs

pid	Process
624	KGGWSetup_1003.exe
704	KGGouwo.exe
3120	KGGouwo.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	KGGouwo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
100	msedge.exe
100	msedge.exe
2260	msedge.exe
2260	msedge.exe
3120	KGGouwo.exe
3120	KGGouwo.exe
3120	KGGouwo.exe
3120	KGGouwo.exe
3120	KGGouwo.exe
3120	KGGouwo.exe
3120	KGGouwo.exe
3120	KGGouwo.exe
3120	KGGouwo.exe
3120	KGGouwo.exe
3120	KGGouwo.exe
3120	KGGouwo.exe
3120	KGGouwo.exe
3120	KGGouwo.exe
3120	KGGouwo.exe
3120	KGGouwo.exe
3120	KGGouwo.exe
3120	KGGouwo.exe
3120	KGGouwo.exe
3120	KGGouwo.exe
3120	KGGouwo.exe
3120	KGGouwo.exe
3484	identity_helper.exe
3484	identity_helper.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	3120	KGGouwo.exe
Token: SeSecurityPrivilege	3120	KGGouwo.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
3120	KGGouwo.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
2260	msedge.exe
3120	KGGouwo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 2260	1664	RunGame.exe	87
PID 1664 wrote to memory of 2260	1664	RunGame.exe	87
PID 2260 wrote to memory of 2380	2260	msedge.exe	88
PID 2260 wrote to memory of 2380	2260	msedge.exe	88
PID 1664 wrote to memory of 624	1664	RunGame.exe	90
PID 1664 wrote to memory of 624	1664	RunGame.exe	90
PID 1664 wrote to memory of 624	1664	RunGame.exe	90
PID 2260 wrote to memory of 4636	2260	msedge.exe	91
PID 2260 wrote to memory of 4636	2260	msedge.exe	91
PID 2260 wrote to memory of 4636	2260	msedge.exe	91
PID 2260 wrote to memory of 4636	2260	msedge.exe	91
PID 2260 wrote to memory of 4636	2260	msedge.exe	91
PID 2260 wrote to memory of 4636	2260	msedge.exe	91
PID 2260 wrote to memory of 4636	2260	msedge.exe	91
PID 2260 wrote to memory of 4636	2260	msedge.exe	91
PID 2260 wrote to memory of 4636	2260	msedge.exe	91
PID 2260 wrote to memory of 4636	2260	msedge.exe	91
PID 2260 wrote to memory of 4636	2260	msedge.exe	91
PID 2260 wrote to memory of 4636	2260	msedge.exe	91
PID 2260 wrote to memory of 4636	2260	msedge.exe	91
PID 2260 wrote to memory of 4636	2260	msedge.exe	91
PID 2260 wrote to memory of 4636	2260	msedge.exe	91
PID 2260 wrote to memory of 4636	2260	msedge.exe	91
PID 2260 wrote to memory of 4636	2260	msedge.exe	91
PID 2260 wrote to memory of 4636	2260	msedge.exe	91
PID 2260 wrote to memory of 4636	2260	msedge.exe	91
PID 2260 wrote to memory of 4636	2260	msedge.exe	91
PID 2260 wrote to memory of 4636	2260	msedge.exe	91
PID 2260 wrote to memory of 4636	2260	msedge.exe	91
PID 2260 wrote to memory of 4636	2260	msedge.exe	91
PID 2260 wrote to memory of 4636	2260	msedge.exe	91
PID 2260 wrote to memory of 4636	2260	msedge.exe	91
PID 2260 wrote to memory of 4636	2260	msedge.exe	91
PID 2260 wrote to memory of 4636	2260	msedge.exe	91
PID 2260 wrote to memory of 4636	2260	msedge.exe	91
PID 2260 wrote to memory of 4636	2260	msedge.exe	91
PID 2260 wrote to memory of 4636	2260	msedge.exe	91
PID 2260 wrote to memory of 4636	2260	msedge.exe	91
PID 2260 wrote to memory of 4636	2260	msedge.exe	91
PID 2260 wrote to memory of 4636	2260	msedge.exe	91
PID 2260 wrote to memory of 4636	2260	msedge.exe	91
PID 2260 wrote to memory of 4636	2260	msedge.exe	91
PID 2260 wrote to memory of 4636	2260	msedge.exe	91
PID 2260 wrote to memory of 4636	2260	msedge.exe	91
PID 2260 wrote to memory of 4636	2260	msedge.exe	91
PID 2260 wrote to memory of 4636	2260	msedge.exe	91
PID 2260 wrote to memory of 4636	2260	msedge.exe	91
PID 2260 wrote to memory of 100	2260	msedge.exe	92
PID 2260 wrote to memory of 100	2260	msedge.exe	92
PID 2260 wrote to memory of 3848	2260	msedge.exe	93
PID 2260 wrote to memory of 3848	2260	msedge.exe	93
PID 2260 wrote to memory of 3848	2260	msedge.exe	93
PID 2260 wrote to memory of 3848	2260	msedge.exe	93
PID 2260 wrote to memory of 3848	2260	msedge.exe	93
PID 2260 wrote to memory of 3848	2260	msedge.exe	93
PID 2260 wrote to memory of 3848	2260	msedge.exe	93
PID 2260 wrote to memory of 3848	2260	msedge.exe	93
PID 2260 wrote to memory of 3848	2260	msedge.exe	93
PID 2260 wrote to memory of 3848	2260	msedge.exe	93
PID 2260 wrote to memory of 3848	2260	msedge.exe	93
PID 2260 wrote to memory of 3848	2260	msedge.exe	93
PID 2260 wrote to memory of 3848	2260	msedge.exe	93
PID 2260 wrote to memory of 3848	2260	msedge.exe	93
PID 2260 wrote to memory of 3848	2260	msedge.exe	93

C:\Users\Admin\AppData\Local\Temp\RunGame.exe
"C:\Users\Admin\AppData\Local\Temp\RunGame.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://game.kugou.com/AdsPage/2013/01/DiscMicroStartBox.htm?cid=1201
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff84a0946f8,0x7ff84a094708,0x7ff84a094718
    3⤵
    PID:2380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,13132772843883653251,17510311320775769498,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
    3⤵
    PID:4636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,13132772843883653251,17510311320775769498,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,13132772843883653251,17510311320775769498,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
    3⤵
    PID:3848
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13132772843883653251,17510311320775769498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
    3⤵
    PID:1856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13132772843883653251,17510311320775769498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
    3⤵
    PID:2772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13132772843883653251,17510311320775769498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2000 /prefetch:1
    3⤵
    PID:3484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13132772843883653251,17510311320775769498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1
    3⤵
    PID:3668
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13132772843883653251,17510311320775769498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4556 /prefetch:1
    3⤵
    PID:5088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13132772843883653251,17510311320775769498,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
    3⤵
    PID:1428
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,13132772843883653251,17510311320775769498,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 /prefetch:8
    3⤵
    PID:1924
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,13132772843883653251,17510311320775769498,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13132772843883653251,17510311320775769498,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2396 /prefetch:1
    3⤵
    PID:3988
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13132772843883653251,17510311320775769498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
    3⤵
    PID:1912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13132772843883653251,17510311320775769498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3728 /prefetch:1
    3⤵
    PID:3276
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13132772843883653251,17510311320775769498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1120 /prefetch:1
    3⤵
    PID:2020
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,13132772843883653251,17510311320775769498,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2376 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4860
- C:\Users\Admin\AppData\Local\Temp\tpm4F87.tmp\KGGWSetup_1003.exe
  C:\Users\Admin\AppData\Local\Temp\tpm4F87.tmp\KGGWSetup_1003.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:624
- - C:\Users\Admin\AppData\Roaming\GouWo\1006\KGGouwo.exe
    "C:\Users\Admin\AppData\Roaming\GouWo\1006\KGGouwo.exe" /install=1
    3⤵
    - Executes dropped EXE
    PID:704
- C:\Users\Admin\AppData\Roaming\GouWo\1006\KGGouwo.exe
  C:\Users\Admin\AppData\Roaming\GouWo\1006\KGGouwo.exe mini#1|from#12
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3120

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f0498d72962673318baecdf670ee5450

SHA1
25013b7bb04cdcaef592fd70fb2a925c3199ebb0

SHA256
9110315d934828b872037ed695da3c96a747c85b6cc3bce4fef27a580de96677

SHA512
b05d67afea0b0e212a4b9db4b0d3425df258c38907e96ca491b9d565c6ff6853cff6b109d591834b0e77e4307c43ea1c423ac716b8b0885e378c2c3535cb3ae9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f403a616e1adc92f702a7e256114b5f3

SHA1
a4f71857b56c778a959d026031691923c3eee374

SHA256
6fbc86d9fc89087013d2560e4ffdb911ec8b025f1b753f50420589c2472db5f7

SHA512
8a1bb7556ab855f6249e32c4cf1c41f3ce49ec21c05525ccd344b15e469c40b848a716734f73928d13e7698c9f002f20d4631355385fae4e0b2a4909f7caabcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
14139ff6055ccf52a33905224a69eee0

SHA1
9c8062fc5ecbc03288eedf8fa06d0f3888aea6f5

SHA256
5ba5eaba5b243c7f6e96f4431ba0370453f39212b2a6644808bb751ea558b571

SHA512
97825a8d9147681f0dca4b3219f4bd9e897acd775708ed7963252bb3c3586a39cfb65ade472e41f4fd89619eb1d6b4e8f74b7218a58f6404324639b3c7a3803d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tpm4F87.tmp\KGGWSetup_1003.exe

Filesize
1.9MB

MD5
56c3f6c9eb6f7e8223e49d7a032a3eb6

SHA1
7626a176ef3f9571a53a443e809ad3ae96526d7c

SHA256
5143a8115e9d6d0199a6e67de56b98bcdbcb4adda9ed85e062558b1d05710826

SHA512
31ef589f8070c3ce5454744a7d01c1bf6c44f40f9ff86dfd3034cddbc0f9a3e01f36d9a7aeea2927e858349e75f38f8203da8dead84d635f580995cc102b2021

Download Submit
C:\Users\Admin\AppData\Roaming\GouWo\1006\KGGouwo.exe

Filesize
2.4MB

MD5
cb937008ac49500aa24b505c5b6105a6

SHA1
aefef477251967316ca2b1169150ef9c0865cbea

SHA256
5b672cbfb422bc4531bb4f5146b24b4b05111879d1c3a746aaee57dee4f9b6f5

SHA512
a1015d0e51167d89ecd1d512bb76058452902729a5657b950e6a5476f14826ec1637ef436bf882645585971757bb6deb387a8ae47bbdbb04b26223ac7f33de9c

Download Submit
C:\Users\Admin\AppData\Roaming\GouWo\1006\config.ini

Filesize
238B

MD5
facefafbd85ec1dfa578a065b36a1a0c

SHA1
52b91352dbc662f17318b3580d49d5055f36d4b5

SHA256
7b2f181858318061b0c504890a01cc2fb07b9d38562fe2bbb6a83312e5b41929

SHA512
edf3db6afb7a8a0c7e470941bdc6060043f397b3d69aa59fef60bbba1f73610ab36eba7e272f99afef06a29d8806b91343b701a5d1410e976afb7334a6f49dd1

Download Submit