7a2d14aa628aab63b12c0508344b64bed41fca3716f67d62c18a955e1bae35f8

Analysis

max time kernel
120s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 16:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7e7dae10afec3e0c26f1842ca0a7d9c0N.exe
Size

178KB
MD5

7e7dae10afec3e0c26f1842ca0a7d9c0
SHA1

328fa95901d28a84d55afcda681016871a6a0b5a
SHA256

7a2d14aa628aab63b12c0508344b64bed41fca3716f67d62c18a955e1bae35f8
SHA512

ba7a05dc40656e0dd8be601232dadf8c309d394afc98732dba2ef73c1115ba9b8ebbc5d99ff7c0357ee4bdaef15b0c2eab05b385bc77481bbc91c545a2fce3d5
SSDEEP

3072:oi7oIVHpkiOQdhY2wO+IMsx0UCHsqqRDZ71Xh7uYYytjoutxb:oi7oIVJkiBE28QnDBuytjoSt

Score

7^/10

discovery upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1956	ComputerDefaults.exe

Executes dropped EXE 2 IoCs

pid	Process
2060	AFKVY.zz
3560	Roaming 76F6865787.exe

Loads dropped DLL 4 IoCs

pid	Process
3568	7e7dae10afec3e0c26f1842ca0a7d9c0N.exe
4884	mobsync.exe
3560	Roaming 76F6865787.exe
1956	ComputerDefaults.exe

UPX packed file 33 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3568-14-0x0000000002180000-0x00000000021D6000-memory.dmp	upx
behavioral2/memory/3568-18-0x0000000002180000-0x00000000021D6000-memory.dmp	upx
behavioral2/memory/3568-30-0x0000000002180000-0x00000000021D6000-memory.dmp	upx
behavioral2/memory/3568-36-0x0000000002180000-0x00000000021D6000-memory.dmp	upx
behavioral2/memory/3568-35-0x0000000002180000-0x00000000021D6000-memory.dmp	upx
behavioral2/memory/3568-34-0x0000000002180000-0x00000000021D6000-memory.dmp	upx
behavioral2/memory/3568-32-0x0000000002180000-0x00000000021D6000-memory.dmp	upx
behavioral2/memory/3568-28-0x0000000002180000-0x00000000021D6000-memory.dmp	upx
behavioral2/memory/3568-26-0x0000000002180000-0x00000000021D6000-memory.dmp	upx
behavioral2/memory/3568-25-0x0000000002180000-0x00000000021D6000-memory.dmp	upx
behavioral2/memory/3568-22-0x0000000002180000-0x00000000021D6000-memory.dmp	upx
behavioral2/memory/3568-16-0x0000000002180000-0x00000000021D6000-memory.dmp	upx
behavioral2/memory/3568-20-0x0000000002180000-0x00000000021D6000-memory.dmp	upx
behavioral2/memory/3568-12-0x0000000002180000-0x00000000021D6000-memory.dmp	upx
behavioral2/memory/3568-10-0x0000000002180000-0x00000000021D6000-memory.dmp	upx
behavioral2/memory/3568-9-0x0000000002180000-0x00000000021D6000-memory.dmp	upx
behavioral2/memory/3568-6-0x0000000002180000-0x00000000021D6000-memory.dmp	upx
behavioral2/memory/3568-5-0x0000000002180000-0x00000000021D6000-memory.dmp	upx
behavioral2/memory/3568-3-0x0000000002180000-0x00000000021D6000-memory.dmp	upx
behavioral2/memory/4884-121-0x0000000000AB0000-0x0000000000B06000-memory.dmp	upx
behavioral2/memory/4884-120-0x0000000000AB0000-0x0000000000B06000-memory.dmp	upx
behavioral2/memory/4884-118-0x0000000000AB0000-0x0000000000B06000-memory.dmp	upx
behavioral2/memory/4884-115-0x0000000000AB0000-0x0000000000B06000-memory.dmp	upx
behavioral2/memory/4884-113-0x0000000000AB0000-0x0000000000B06000-memory.dmp	upx
behavioral2/memory/4884-111-0x0000000000AB0000-0x0000000000B06000-memory.dmp	upx
behavioral2/memory/4884-110-0x0000000000AB0000-0x0000000000B06000-memory.dmp	upx
behavioral2/memory/4884-129-0x0000000000AB0000-0x0000000000B06000-memory.dmp	upx
behavioral2/memory/4884-135-0x0000000000AB0000-0x0000000000B06000-memory.dmp	upx
behavioral2/memory/4884-133-0x0000000000AB0000-0x0000000000B06000-memory.dmp	upx
behavioral2/memory/4884-131-0x0000000000AB0000-0x0000000000B06000-memory.dmp	upx
behavioral2/memory/4884-127-0x0000000000AB0000-0x0000000000B06000-memory.dmp	upx
behavioral2/memory/4884-125-0x0000000000AB0000-0x0000000000B06000-memory.dmp	upx
behavioral2/memory/4884-123-0x0000000000AB0000-0x0000000000B06000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\kernel64.dll	7e7dae10afec3e0c26f1842ca0a7d9c0N.exe
File opened for modification	C:\Windows\SysWOW64\kernel64.dll	7e7dae10afec3e0c26f1842ca0a7d9c0N.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3568 set thread context of 4884	3568	7e7dae10afec3e0c26f1842ca0a7d9c0N.exe	87
PID 3560 set thread context of 1956	3560	Roaming 76F6865787.exe	90

Drops file in Program Files directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Tencent\qq\776F686578\776F686578123.IMD	mobsync.exe
File opened for modification	C:\Program Files (x86)\Tencent\qq\776F686578\CWU.SHZ	ComputerDefaults.exe
File created	C:\Program Files (x86)\Tencent\qq\776F686578\AFKVYs5.ini	ComputerDefaults.exe
File opened for modification	C:\Program Files (x86)\Tencent\qq\776F686578\ok.txt	ComputerDefaults.exe
File opened for modification	C:\Program Files (x86)\Tencent\qq\776F686578\s2.txt	mobsync.exe
File created	C:\Program Files (x86)\Tencent\qq\776F686578\ok.txt	7e7dae10afec3e0c26f1842ca0a7d9c0N.exe
File created	C:\Program Files (x86)\Tencent\qq\776F686578\AFKVYmain.ini	7e7dae10afec3e0c26f1842ca0a7d9c0N.exe
File opened for modification	C:\Program Files (x86)\Tencent\qq\776F686578\AFKVY.zz	mobsync.exe
File opened for modification	C:\Program Files (x86)\Tencent\qq\776F686578\776F686578123.IMD	Roaming 76F6865787.exe
File created	C:\Program Files (x86)\Tencent\qq\776F686578\AFKVYs1.ini	mobsync.exe
File created	C:\Program Files (x86)\Tencent\qq\776F686578\s2.txt	mobsync.exe
File opened for modification	C:\Program Files (x86)\Tencent\qq\776F686578\CWU.SHZ	mobsync.exe
File opened for modification	C:\Program Files\Common Files\Microsoft\76F6865787\76F6865787.dat	mobsync.exe
File opened for modification	C:\Program Files (x86)\Tencent\qq\776F686578\AFKVY.zz	ComputerDefaults.exe
File created	C:\Program Files (x86)\Tencent\qq\776F686578\s1.txt	mobsync.exe
File created	C:\Program Files (x86)\Tencent\qq\776F686578\AFKVYss1.ini	7e7dae10afec3e0c26f1842ca0a7d9c0N.exe
File opened for modification	C:\Program Files (x86)\Tencent\qq\776F686578\AFKVYs1.ini	7e7dae10afec3e0c26f1842ca0a7d9c0N.exe
File opened for modification	C:\Program Files (x86)\Tencent\qq\776F686578\s.txt	mobsync.exe
File opened for modification	C:\Program Files (x86)\Tencent\qq\776F686578\AFKVYs5.ini	mobsync.exe
File created	C:\Program Files (x86)\Tencent\qq\776F686578\AFKVY.zz	7e7dae10afec3e0c26f1842ca0a7d9c0N.exe
File created	C:\Program Files (x86)\Tencent\qq\776F686578\CWU.SHZ	AFKVY.zz
File created	C:\Program Files (x86)\Tencent\qq\776F686578\$$.tmp	mobsync.exe
File created	C:\Program Files\Common Files\Microsoft\76F6865787\76F6865787.dat	mobsync.exe
File opened for modification	C:\Program Files (x86)\Tencent\qq\776F686578\CWU.SHZ	Roaming 76F6865787.exe
File opened for modification	C:\Program Files\Common Files\Microsoft\76F6865787\76F6865787.dat	ComputerDefaults.exe
File opened for modification	C:\Program Files (x86)\Tencent\qq\776F686578\AFKVYs5.ini	Roaming 76F6865787.exe
File opened for modification	C:\Program Files (x86)\Tencent\qq\776F686578\s1.txt	mobsync.exe
File created	C:\Program Files (x86)\Tencent\qq\776F686578\s.txt	mobsync.exe
File opened for modification	C:\Program Files (x86)\Tencent\qq\776F686578\AFKVY.zz	7e7dae10afec3e0c26f1842ca0a7d9c0N.exe
File opened for modification	C:\Program Files (x86)\Tencent\qq\776F686578\AFKVYmain.ini	7e7dae10afec3e0c26f1842ca0a7d9c0N.exe
File created	C:\Program Files (x86)\Tencent\qq\776F686578\776F686578123.IMD	mobsync.exe
File opened for modification	C:\Program Files (x86)\Tencent\qq\776F686578\AFKVYs1.ini	ComputerDefaults.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\web\656961666166617C.tmp	7e7dae10afec3e0c26f1842ca0a7d9c0N.exe
File created	C:\Windows\web\656961666166617C.tmp	7e7dae10afec3e0c26f1842ca0a7d9c0N.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Roaming 76F6865787.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ComputerDefaults.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e7dae10afec3e0c26f1842ca0a7d9c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AFKVY.zz
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mobsync.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3568	7e7dae10afec3e0c26f1842ca0a7d9c0N.exe
3568	7e7dae10afec3e0c26f1842ca0a7d9c0N.exe
3568	7e7dae10afec3e0c26f1842ca0a7d9c0N.exe
3568	7e7dae10afec3e0c26f1842ca0a7d9c0N.exe
3568	7e7dae10afec3e0c26f1842ca0a7d9c0N.exe
3568	7e7dae10afec3e0c26f1842ca0a7d9c0N.exe
3568	7e7dae10afec3e0c26f1842ca0a7d9c0N.exe
3568	7e7dae10afec3e0c26f1842ca0a7d9c0N.exe
4884	mobsync.exe
4884	mobsync.exe
4884	mobsync.exe
4884	mobsync.exe
4884	mobsync.exe
4884	mobsync.exe
4884	mobsync.exe
4884	mobsync.exe
4884	mobsync.exe
4884	mobsync.exe
3560	Roaming 76F6865787.exe
3560	Roaming 76F6865787.exe
3560	Roaming 76F6865787.exe
3560	Roaming 76F6865787.exe
3560	Roaming 76F6865787.exe
3560	Roaming 76F6865787.exe
1956	ComputerDefaults.exe
1956	ComputerDefaults.exe
1956	ComputerDefaults.exe
1956	ComputerDefaults.exe
1956	ComputerDefaults.exe
1956	ComputerDefaults.exe
1956	ComputerDefaults.exe
1956	ComputerDefaults.exe
1956	ComputerDefaults.exe
1956	ComputerDefaults.exe
1956	ComputerDefaults.exe
1956	ComputerDefaults.exe
1956	ComputerDefaults.exe
1956	ComputerDefaults.exe
1956	ComputerDefaults.exe
1956	ComputerDefaults.exe
4884	mobsync.exe
4884	mobsync.exe
4884	mobsync.exe
4884	mobsync.exe
1956	ComputerDefaults.exe
1956	ComputerDefaults.exe
4884	mobsync.exe
4884	mobsync.exe
4884	mobsync.exe
4884	mobsync.exe
4884	mobsync.exe
4884	mobsync.exe
4884	mobsync.exe
4884	mobsync.exe
4884	mobsync.exe
4884	mobsync.exe
4884	mobsync.exe
4884	mobsync.exe
4884	mobsync.exe
4884	mobsync.exe
4884	mobsync.exe
4884	mobsync.exe
4884	mobsync.exe
4884	mobsync.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4884	mobsync.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3568	7e7dae10afec3e0c26f1842ca0a7d9c0N.exe
Token: SeDebugPrivilege	3568	7e7dae10afec3e0c26f1842ca0a7d9c0N.exe
Token: SeDebugPrivilege	3568	7e7dae10afec3e0c26f1842ca0a7d9c0N.exe
Token: SeDebugPrivilege	4884	mobsync.exe
Token: SeDebugPrivilege	4884	mobsync.exe
Token: SeDebugPrivilege	4884	mobsync.exe
Token: SeDebugPrivilege	4884	mobsync.exe
Token: SeDebugPrivilege	4884	mobsync.exe
Token: SeDebugPrivilege	4884	mobsync.exe
Token: SeDebugPrivilege	4884	mobsync.exe
Token: SeDebugPrivilege	3560	Roaming 76F6865787.exe
Token: SeDebugPrivilege	3560	Roaming 76F6865787.exe
Token: SeDebugPrivilege	3560	Roaming 76F6865787.exe
Token: SeDebugPrivilege	1956	ComputerDefaults.exe
Token: SeDebugPrivilege	1956	ComputerDefaults.exe
Token: SeDebugPrivilege	1956	ComputerDefaults.exe
Token: SeDebugPrivilege	4884	mobsync.exe
Token: SeDebugPrivilege	1956	ComputerDefaults.exe
Token: SeDebugPrivilege	1956	ComputerDefaults.exe
Token: SeDebugPrivilege	4884	mobsync.exe
Token: SeDebugPrivilege	4884	mobsync.exe
Token: SeDebugPrivilege	4884	mobsync.exe
Token: SeDebugPrivilege	1956	ComputerDefaults.exe
Token: SeDebugPrivilege	4884	mobsync.exe
Token: SeDebugPrivilege	4884	mobsync.exe
Token: SeDebugPrivilege	4884	mobsync.exe
Token: SeDebugPrivilege	4884	mobsync.exe
Token: SeDebugPrivilege	4884	mobsync.exe
Token: SeDebugPrivilege	4884	mobsync.exe
Token: SeDebugPrivilege	4884	mobsync.exe
Token: SeDebugPrivilege	4884	mobsync.exe
Token: SeDebugPrivilege	4884	mobsync.exe
Token: SeDebugPrivilege	4884	mobsync.exe
Token: SeDebugPrivilege	4884	mobsync.exe
Token: SeDebugPrivilege	4884	mobsync.exe
Token: SeDebugPrivilege	4884	mobsync.exe
Token: SeDebugPrivilege	4884	mobsync.exe
Token: SeDebugPrivilege	4884	mobsync.exe
Token: SeDebugPrivilege	4884	mobsync.exe
Token: SeDebugPrivilege	4884	mobsync.exe
Token: SeDebugPrivilege	4884	mobsync.exe
Token: SeDebugPrivilege	4884	mobsync.exe
Token: SeDebugPrivilege	4884	mobsync.exe
Token: SeDebugPrivilege	4884	mobsync.exe
Token: SeDebugPrivilege	4884	mobsync.exe
Token: SeDebugPrivilege	4884	mobsync.exe
Token: SeDebugPrivilege	4884	mobsync.exe
Token: SeDebugPrivilege	4884	mobsync.exe
Token: SeDebugPrivilege	4884	mobsync.exe
Token: SeDebugPrivilege	1956	ComputerDefaults.exe
Token: SeDebugPrivilege	4884	mobsync.exe
Token: SeDebugPrivilege	1956	ComputerDefaults.exe
Token: SeDebugPrivilege	1956	ComputerDefaults.exe
Token: SeDebugPrivilege	1956	ComputerDefaults.exe
Token: SeDebugPrivilege	1956	ComputerDefaults.exe
Token: SeDebugPrivilege	1956	ComputerDefaults.exe
Token: SeDebugPrivilege	1956	ComputerDefaults.exe
Token: SeDebugPrivilege	1956	ComputerDefaults.exe
Token: SeDebugPrivilege	1956	ComputerDefaults.exe
Token: SeDebugPrivilege	4884	mobsync.exe
Token: SeDebugPrivilege	1956	ComputerDefaults.exe
Token: SeDebugPrivilege	1956	ComputerDefaults.exe
Token: SeDebugPrivilege	1956	ComputerDefaults.exe
Token: SeDebugPrivilege	1956	ComputerDefaults.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 3568 wrote to memory of 2060	3568	7e7dae10afec3e0c26f1842ca0a7d9c0N.exe	86
PID 3568 wrote to memory of 2060	3568	7e7dae10afec3e0c26f1842ca0a7d9c0N.exe	86
PID 3568 wrote to memory of 2060	3568	7e7dae10afec3e0c26f1842ca0a7d9c0N.exe	86
PID 3568 wrote to memory of 4884	3568	7e7dae10afec3e0c26f1842ca0a7d9c0N.exe	87
PID 3568 wrote to memory of 4884	3568	7e7dae10afec3e0c26f1842ca0a7d9c0N.exe	87
PID 3568 wrote to memory of 4884	3568	7e7dae10afec3e0c26f1842ca0a7d9c0N.exe	87
PID 3568 wrote to memory of 4884	3568	7e7dae10afec3e0c26f1842ca0a7d9c0N.exe	87
PID 3568 wrote to memory of 4884	3568	7e7dae10afec3e0c26f1842ca0a7d9c0N.exe	87
PID 3560 wrote to memory of 1956	3560	Roaming 76F6865787.exe	90
PID 3560 wrote to memory of 1956	3560	Roaming 76F6865787.exe	90
PID 3560 wrote to memory of 1956	3560	Roaming 76F6865787.exe	90
PID 3560 wrote to memory of 1956	3560	Roaming 76F6865787.exe	90
PID 3560 wrote to memory of 1956	3560	Roaming 76F6865787.exe	90

C:\Users\Admin\AppData\Local\Temp\7e7dae10afec3e0c26f1842ca0a7d9c0N.exe
"C:\Users\Admin\AppData\Local\Temp\7e7dae10afec3e0c26f1842ca0a7d9c0N.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3568
- C:\Program Files (x86)\Tencent\qq\776F686578\AFKVY.zz
  "C:\Program Files (x86)\Tencent\qq\776F686578\AFKVY.zz" -z 423B5D51736E6673606C2147686D64722129793937285D55646F62646F755D70705D363637473739373436395D4256542F52495B
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2060
- C:\Windows\SysWOW64\mobsync.exe
  C:\Windows\system32\mobsync.exe -EMBEDDING 423B5D51736E6673606C2147686D64722129793937285D55646F62646F755D70705D363637473739373436395D4256542F52495B 0
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:4884

C:\Users\Admin\AppData\Roaming 76F6865787.exe
"C:\Users\Admin\AppData\Roaming 76F6865787.exe" -3 423B5D51736E6673606C2147686D64722129793937285D55646F62646F755D70705D363637473739373436395D4256542F52495B
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3560
- C:\Windows\SysWOW64\ComputerDefaults.exe
  C:\Windows\system32\ComputerDefaults.exe -sys 423B5D51736E6673606C2147686D64722129793937285D55646F62646F755D70705D363637473739373436395D4256542F52495B 0
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Tencent\qq\776F686578\776F686578123.IMD

Filesize
179KB

MD5
45cdb495f94ef70bd466c8c445385bf5

SHA1
01c2b988cf50276c62cfddb472188a07575e1948

SHA256
d22ff611b4e0adf18051a922bb42a960c303523dac27c826f7909eb279c49ac7

SHA512
d53ed17217dc33b93a44b31cbc5ecd1ca8018d2c3635da5471d5dba2f5d0decb7f223a4ee3d2ba5928b0450b9cb7501cffa76d41fce418adc84ac353937301a1

Download Submit
C:\Program Files (x86)\Tencent\qq\776F686578\AFKVY.zz

Filesize
178KB

MD5
5f0e54dd6efaa80867307fdd6dfc5370

SHA1
d9e9ea2355b99faea95d1ecf4af7cd06218b2e7c

SHA256
1f97dd6627a1f22a50398109d5109b24a25c29c5b49e8e87bae58d0ebb14f03c

SHA512
19422567fa0af5c24d43120d5149237c5f3d0011a1c65493829a4a30d138c1157bfddd16a59d86db0b7f3899fdff5fceefe726a2c645cac3866257b15cdf0a5d

Download Submit
C:\Program Files (x86)\Tencent\qq\776F686578\AFKVYmain.ini

Filesize
1KB

MD5
3b4885d7266e8aeeabc88315ef39b52e

SHA1
7e41af8837655422330c1d204970a41df175543c

SHA256
80e65c0922983c32412af8eafa30b518af7dd3888a3ebd5661668655bf4dad4b

SHA512
453ab13c4f0ff892795bc24702bac47717eb82b62dbbd9082ebc5687f558c54b5cf27af22b7c5a2e6b35f19633a0f17f883b2fb84082980c9fadff262b7e7b96

Download Submit
C:\Program Files (x86)\Tencent\qq\776F686578\AFKVYs1.ini

Filesize
10B

MD5
2b1c25401a6b8077d821c519264f056f

SHA1
39ec286dcc679ee6459d7e8b42d254294234bc0f

SHA256
028095cb0e6f1453ed24b0457726fefc31913fa74e19be8bd6bf7d82b94a5a39

SHA512
7cf60d1c7cbcf2a9800579587388517145ef2b965e4b8406d054862500f3cc86579e0d066be03ba95ac6bcf6ab8f566e930046a1731043eba91e92fc58c3856b

Download Submit
C:\Program Files (x86)\Tencent\qq\776F686578\AFKVYs5.ini

Filesize
10B

MD5
1f536f62b71ec4a409ffee49841a3a2c

SHA1
c69bc06b6c3d7407dc0a022ce4993bfbeb9f9f76

SHA256
f3b24e49af2570fbb8dc960319f856af2a02e4b4ca897a25d0afca04739d875c

SHA512
7b5238f3eb07c1df8c1035b737f2080d3b5e5b068f1516d39cf0c32dcfd761486ab22babce1e15fbb2d11177386ccc58ffe85125b8befa57d9bcf3ec39fee71d

Download Submit
C:\Program Files (x86)\Tencent\qq\776F686578\AFKVYss1.ini

Filesize
22B

MD5
77c001c62fb95d065e34ec25e5864fc0

SHA1
bd38b0eb0e33ab931fb0d356358b9c086f4997f0

SHA256
decfe4ed60f15089019fa10459c9541b270d767900078f420a4b07458d592c67

SHA512
ca610a3e18f92731108c6038212256be655fc86c6e5284cfc4484e987f436aa1b3922feb623ed04888a5e80576cbd1beb5cee3c6200ba3c17b303e4b12306f1a

Download Submit
C:\Program Files (x86)\Tencent\qq\776F686578\CWU.SHZ

Filesize
109KB

MD5
00a51edfd6a21ef8bfaad17a05ee8776

SHA1
aebbadb726daf64e65127bbd024cc56dcf41aea6

SHA256
58dba017c96ef288d5ed3d46ce3d41a9e371933c355c515e4165e80acf564f58

SHA512
cacc2be13301d5570a5260b6fa91be23273b5b7db26b57c1ba955b1c74b60c9659aa81146f4f23c82983a96ffe69b161576a20de09937eae8f6833ccf608ca9d

Download Submit
C:\Program Files (x86)\Tencent\qq\776F686578\ok.txt

Filesize
73B

MD5
ad8359d170dde6ccc27a8fadf297b2ed

SHA1
364e62b79e421e24bc0e99160cdce09ca04a167f

SHA256
8011269557f0a54e7966d4e434d4f83b3c09cf2bc24c2ade275ad1f87037cdd4

SHA512
2c46d761f3c612c3cde00ddd84f139e954e73d2c434212dce11fe1a5782985cf9f235e16a5bb190f39981d15df89d6f2b0bec6c728a66c2eafefbd51272e2ef5

Download Submit
C:\Users\Admin\AppData\Roaming 76F6865787.exe

Filesize
179KB

MD5
15708cb205822f1fde9b15d8d8a82ea5

SHA1
a260c12c656e891680a702803f9ca14f4c803c0b

SHA256
bf66b5b6a6f41baf6fb140bd9cc5af8ed38c095bfea8c9623fb959c28304b163

SHA512
80089f98ca547b9ef6394db56ee6bfe7a32fa0e8f71e3e842c43c5449f7ef33a974e970bfa991d0e06bf8e3c5590d708a6a8cc7400a675ec4face1dab798199a

Download Submit
C:\Windows\SysWOW64\kernel64.dll

Filesize
625KB

MD5
eccf28d7e5ccec24119b88edd160f8f4

SHA1
98509587a3d37a20b56b50fd57f823a1691a034c

SHA256
820c83c0533cfce2928e29edeaf6c255bc19ac9718b25a5656d99ffac30a03d6

SHA512
c1c94bbb781625b2317f0a8178d3a10d891fb71bca8f82cd831c484e8ab125301b82a14fe2ff070dc99a496cc00234300fa5536401018c40d49d44ae89409670

Download Submit
memory/1956-214-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1956-286-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2060-104-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2060-100-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3560-173-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3560-283-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3568-36-0x0000000002180000-0x00000000021D6000-memory.dmp

Filesize
344KB

Download
memory/3568-26-0x0000000002180000-0x00000000021D6000-memory.dmp

Filesize
344KB

Download
memory/3568-12-0x0000000002180000-0x00000000021D6000-memory.dmp

Filesize
344KB

Download
memory/3568-10-0x0000000002180000-0x00000000021D6000-memory.dmp

Filesize
344KB

Download
memory/3568-9-0x0000000002180000-0x00000000021D6000-memory.dmp

Filesize
344KB

Download
memory/3568-6-0x0000000002180000-0x00000000021D6000-memory.dmp

Filesize
344KB

Download
memory/3568-5-0x0000000002180000-0x00000000021D6000-memory.dmp

Filesize
344KB

Download
memory/3568-3-0x0000000002180000-0x00000000021D6000-memory.dmp

Filesize
344KB

Download
memory/3568-16-0x0000000002180000-0x00000000021D6000-memory.dmp

Filesize
344KB

Download
memory/3568-22-0x0000000002180000-0x00000000021D6000-memory.dmp

Filesize
344KB

Download
memory/3568-25-0x0000000002180000-0x00000000021D6000-memory.dmp

Filesize
344KB

Download
memory/3568-20-0x0000000002180000-0x00000000021D6000-memory.dmp

Filesize
344KB

Download
memory/3568-260-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3568-28-0x0000000002180000-0x00000000021D6000-memory.dmp

Filesize
344KB

Download
memory/3568-32-0x0000000002180000-0x00000000021D6000-memory.dmp

Filesize
344KB

Download
memory/3568-34-0x0000000002180000-0x00000000021D6000-memory.dmp

Filesize
344KB

Download
memory/3568-35-0x0000000002180000-0x00000000021D6000-memory.dmp

Filesize
344KB

Download
memory/3568-30-0x0000000002180000-0x00000000021D6000-memory.dmp

Filesize
344KB

Download
memory/3568-18-0x0000000002180000-0x00000000021D6000-memory.dmp

Filesize
344KB

Download
memory/3568-14-0x0000000002180000-0x00000000021D6000-memory.dmp

Filesize
344KB

Download
memory/3568-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4884-121-0x0000000000AB0000-0x0000000000B06000-memory.dmp

Filesize
344KB

Download
memory/4884-133-0x0000000000AB0000-0x0000000000B06000-memory.dmp

Filesize
344KB

Download
memory/4884-131-0x0000000000AB0000-0x0000000000B06000-memory.dmp

Filesize
344KB

Download
memory/4884-127-0x0000000000AB0000-0x0000000000B06000-memory.dmp

Filesize
344KB

Download
memory/4884-125-0x0000000000AB0000-0x0000000000B06000-memory.dmp

Filesize
344KB

Download
memory/4884-123-0x0000000000AB0000-0x0000000000B06000-memory.dmp

Filesize
344KB

Download
memory/4884-135-0x0000000000AB0000-0x0000000000B06000-memory.dmp

Filesize
344KB

Download
memory/4884-129-0x0000000000AB0000-0x0000000000B06000-memory.dmp

Filesize
344KB

Download
memory/4884-110-0x0000000000AB0000-0x0000000000B06000-memory.dmp

Filesize
344KB

Download
memory/4884-111-0x0000000000AB0000-0x0000000000B06000-memory.dmp

Filesize
344KB

Download
memory/4884-113-0x0000000000AB0000-0x0000000000B06000-memory.dmp

Filesize
344KB

Download
memory/4884-115-0x0000000000AB0000-0x0000000000B06000-memory.dmp

Filesize
344KB

Download
memory/4884-118-0x0000000000AB0000-0x0000000000B06000-memory.dmp

Filesize
344KB

Download
memory/4884-120-0x0000000000AB0000-0x0000000000B06000-memory.dmp

Filesize
344KB

Download
memory/4884-276-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4884-105-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4884-107-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4884-109-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download