Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    17/08/2024, 02:16

General

  • Target

    a0d6a6e4ebae0e39740e09f1628d7fda_JaffaCakes118.exe

  • Size

    1.5MB

  • MD5

    a0d6a6e4ebae0e39740e09f1628d7fda

  • SHA1

    3040f4bc073903e12c36f56a12cb54c5b4cd5193

  • SHA256

    8686c7a85969f0745fdd310b49f4855b4797209031eaedb3b44fb83ace875172

  • SHA512

    9e2d49ab1b1d46588e71570611daf88dbf398495e5913c69e5af6bfaa88c86829b3586e226af562bd09419703b08c81a08e738d220c20568015d859f61eb90ad

  • SSDEEP

    24576:xYY+TBzrafXb8zsMb5U/TKY3cGSLivIJHTY5Nfaxsm4ki7CLJulh07HH4fbOW0Kv:xGJzsMq7DcGSLxUf0N5LJuKYqef

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 16 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 45 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Internet Explorer settings 1 TTPs 40 IoCs
  • Modifies data under HKEY_USERS 28 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a0d6a6e4ebae0e39740e09f1628d7fda_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a0d6a6e4ebae0e39740e09f1628d7fda_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2488
    • C:\progra~1\kingsoft\KSWebShield.exe
      C:\progra~1\kingsoft\KSWebShield.exe -install
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2740
    • C:\progra~1\kingsoft\KSWebShield.exe
      C:\progra~1\kingsoft\KSWebShield.exe -start
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2876
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\lnk.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2012
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 5 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1092
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:688
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Documents and Settings\All Users\Application Data\Kingsoft\kws\kws.ini" /p everyone:f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:264
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1756
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Users\Admin\Desktop\在线漫画.url" /p everyone:f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2240
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2216
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Users\Admin\Desktop\美女视频.url" /p everyone:f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1648
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2204
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Users\Admin\Desktop\在线电影.url" /p everyone:f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2084
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2316
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Users\Admin\Desktop\性感美女.url" /p everyone:f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3048
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2132
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Users\Admin\Desktop\淘宝购物.url" /p everyone:f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:540
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2304
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Users\Admin\Desktop\伊人女性网.url" /p everyone:f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3012
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Documents and Settings\All Users\Application Data\Kingsoft\kws\kws.ini" +R +S
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2320
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\Desktop\在线漫画.url" +R +S
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2192
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\Desktop\美女视频.url" +R +S
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2344
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\Desktop\在线电影.url" +R +S
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:1596
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\Desktop\性感美女.url" +R +S
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2912
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\Desktop\淘宝购物.url" +R +S
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2444
      • C:\Windows\SysWOW64\attrib.exe
        attrib "C:\Users\Admin\Desktop\伊人女性网.url" +R +S
        3⤵
        • System Location Discovery: System Language Discovery
        • Views/modifies file attributes
        PID:2176
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:948
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Documents and Settings\All Users\Application Data\Kingsoft\kws\kws.ini" /p everyone:R
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1456
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1924
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Users\Admin\Desktop\在线漫画.url" /p everyone:R
        3⤵
        • System Location Discovery: System Language Discovery
        PID:928
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2064
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Users\Admin\Desktop\美女视频.url" /p everyone:R
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1692
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:912
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Users\Admin\Desktop\在线电影.url" /p everyone:R
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2856
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1776
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Users\Admin\Desktop\性感美女.url" /p everyone:R
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1384
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2720
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Users\Admin\Desktop\淘宝购物.url" /p everyone:R
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1156
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1536
      • C:\Windows\SysWOW64\cacls.exe
        cacls "C:\Users\Admin\Desktop\伊人女性网.url" /p everyone:R
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1948
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.6626.net/?ukt-yt
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:2396
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2396 CREDAT:275457 /prefetch:2
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:848
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2396 CREDAT:668679 /prefetch:2
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1572
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2396 CREDAT:537621 /prefetch:2
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1568
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.31166.net/?uk-yt
      2⤵
      PID:2260
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.779dh.com/?kj-yt
      2⤵
      PID:1244
  • C:\progra~1\kingsoft\KSWebShield.exe
    C:\progra~1\kingsoft\KSWebShield.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2716
    • C:\progra~1\kingsoft\KSWebShield.exe
      C:\progra~1\kingsoft\KSWebShield.exe -run
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2536

Network

MITRE ATT&CK Enterprise v15

Downloads
