Analysis

  • max time kernel
    93s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/10/2024, 07:38 UTC

General

  • Target

    bdc77f1ff86f8c1462a0bf514af25885f06b213018056702b1b14e7c76b8913bN.exe

  • Size

    3.0MB

  • MD5

    1a8a99c90906c349060944e027fd1550

  • SHA1

    7edb6c08d439c0e581d7a387a2095300061c293a

  • SHA256

    bdc77f1ff86f8c1462a0bf514af25885f06b213018056702b1b14e7c76b8913b

  • SHA512

    846dc680a3d1c7487c3bc69ad07256377e2105b5de876997e0a59b64131324dcbc94a605c99a8bb89434e74c95dedff78bea7be116d41da1eb620bb1a7220497

  • SSDEEP

    49152:9gCh1LGumhuW+5S0z0pEhd/l0mWKp719Qq3yobleQD80gboI5/4X0W0z0pEhd/lc:+CPSpED/ppLh3ScE4X0ypED/pg

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Drops file in System32 directory 10 IoCs
  • UPX packed file 3 IoCs

    Detects executables packed with the open-source UPX packer or a modified variant of it.

  • Drops file in Program Files directory 44 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bdc77f1ff86f8c1462a0bf514af25885f06b213018056702b1b14e7c76b8913bN.exe
    "C:\Users\Admin\AppData\Local\Temp\bdc77f1ff86f8c1462a0bf514af25885f06b213018056702b1b14e7c76b8913bN.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3820
    • C:\Users\Admin\AppData\Local\Temp\jiedian.exe
      "C:\Users\Admin\AppData\Local\Temp\jiedian.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3564
      • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
        "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:662050 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\jiedian.exe" "__IRCT:2" "__IRTSS:0" "__IRSID:S-1-5-21-4050598569-1597076380-177084960-1000"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1876
        • C:\Program Files (x86)\DragonBox\DragonBox.exe
          "C:\Program Files (x86)\DragonBox\DragonBox.exe" -autorun
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          PID:2660
  • C:\ProgramData\Megic\lasse.exe
    C:\ProgramData\Megic\lasse.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:4116

Network

  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.ax-0001.ax-msedge.net
    g-bing-com.ax-0001.ax-msedge.net
    IN CNAME
    ax-0001.ax-msedge.net
    ax-0001.ax-msedge.net
    IN A
    150.171.28.10
    ax-0001.ax-msedge.net
    IN A
    150.171.27.10
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b3dcd8463220415884702a701d2c25aa&localId=w:47999119-06B9-CF8D-8780-3C81959A9B6E&deviceId=6755476188931877&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b3dcd8463220415884702a701d2c25aa&localId=w:47999119-06B9-CF8D-8780-3C81959A9B6E&deviceId=6755476188931877&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=1C95EBF9B27B633F31DDFEEAB37D6236; domain=.bing.com; expires=Mon, 03-Nov-2025 07:38:38 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: F735BF50C3BF402790A67AE9B7DA8EF7 Ref B: LON601060107034 Ref C: 2024-10-09T07:38:38Z
    date: Wed, 09 Oct 2024 07:38:37 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=b3dcd8463220415884702a701d2c25aa&localId=w:47999119-06B9-CF8D-8780-3C81959A9B6E&deviceId=6755476188931877&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=b3dcd8463220415884702a701d2c25aa&localId=w:47999119-06B9-CF8D-8780-3C81959A9B6E&deviceId=6755476188931877&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=1C95EBF9B27B633F31DDFEEAB37D6236
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=V4ywzaElxJBxWVbXjQ7agAb8xbq1ZiqvUq2a4E9bYWc; domain=.bing.com; expires=Mon, 03-Nov-2025 07:38:38 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: BB7C7DA129EC41C4B8FB0548A95878EB Ref B: LON601060107034 Ref C: 2024-10-09T07:38:38Z
    date: Wed, 09 Oct 2024 07:38:37 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b3dcd8463220415884702a701d2c25aa&localId=w:47999119-06B9-CF8D-8780-3C81959A9B6E&deviceId=6755476188931877&anid=
    Remote address:
    150.171.28.10:443
    Request
    GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b3dcd8463220415884702a701d2c25aa&localId=w:47999119-06B9-CF8D-8780-3C81959A9B6E&deviceId=6755476188931877&anid= HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=1C95EBF9B27B633F31DDFEEAB37D6236; MSPTC=V4ywzaElxJBxWVbXjQ7agAb8xbq1ZiqvUq2a4E9bYWc
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 7D8D9DE290EC4DBE97F78B4EC5F9440B Ref B: LON601060107034 Ref C: 2024-10-09T07:38:39Z
    date: Wed, 09 Oct 2024 07:38:38 GMT
  • flag-us
    DNS
    10.28.171.150.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    10.28.171.150.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    69.209.201.84.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    69.209.201.84.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    76.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    76.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    57.169.31.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    57.169.31.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    www.qqhe.com
    irsetup.exe
    Remote address:
    8.8.8.8:53
    Request
    www.qqhe.com
    IN A
    Response
  • flag-us
    DNS
    www.18481.com
    lasse.exe
    Remote address:
    8.8.8.8:53
    Request
    www.18481.com
    IN A
    Response
    www.18481.com
    IN A
    104.160.169.207
  • flag-us
    GET
    http://www.18481.com/static.php?type=autoinstall&version=100
    lasse.exe
    Remote address:
    104.160.169.207:80
    Request
    GET /static.php?type=autoinstall&version=100 HTTP/1.1
    Host:www.18481.com
    Accept:*/*
    User-Agent:Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
    Connection:Keep-Alive
    Response
    HTTP/1.1 200 OK
    Content-Type: text/html; charset=utf-8
    Date: Wed, 09 Oct 2024 07:38:40 GMT
    Content-Length: 1502
  • flag-us
    GET
    http://www.18481.com/static.php?type=autoinstall&version=100
    lasse.exe
    Remote address:
    104.160.169.207:80
    Request
    GET /static.php?type=autoinstall&version=100 HTTP/1.1
    Host:www.18481.com
    Accept:*/*
    User-Agent:Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
    Connection:Keep-Alive
    Response
    HTTP/1.1 200 OK
    Content-Type: text/html; charset=utf-8
    Date: Wed, 09 Oct 2024 07:38:40 GMT
    Content-Length: 1502
  • flag-us
    DNS
    207.169.160.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    207.169.160.104.in-addr.arpa
    IN PTR
    Response
    207.169.160.104.in-addr.arpa
    IN PTR
    customer.sharktech.net
  • flag-us
    DNS
    my.qqhe.com
    DragonBox.exe
    Remote address:
    8.8.8.8:53
    Request
    my.qqhe.com
    IN A
    Response
  • flag-us
    DNS
    53.210.109.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    53.210.109.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    83.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    83.210.23.2.in-addr.arpa
    IN PTR
    Response
    83.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-83.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    88.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.210.23.2.in-addr.arpa
    IN PTR
    Response
    88.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-88.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    13.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.227.111.52.in-addr.arpa
    IN PTR
    Response
  • 150.171.28.10:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b3dcd8463220415884702a701d2c25aa&localId=w:47999119-06B9-CF8D-8780-3C81959A9B6E&deviceId=6755476188931877&anid=
    tls, http2
    2.0kB
    9.3kB
    22
    18

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b3dcd8463220415884702a701d2c25aa&localId=w:47999119-06B9-CF8D-8780-3C81959A9B6E&deviceId=6755476188931877&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=b3dcd8463220415884702a701d2c25aa&localId=w:47999119-06B9-CF8D-8780-3C81959A9B6E&deviceId=6755476188931877&anid=

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b3dcd8463220415884702a701d2c25aa&localId=w:47999119-06B9-CF8D-8780-3C81959A9B6E&deviceId=6755476188931877&anid=

    HTTP Response

    204
  • 104.160.169.207:80
    http://www.18481.com/static.php?type=autoinstall&version=100
    http
    lasse.exe
    448 B
    1.8kB
    6
    5

    HTTP Request

    GET http://www.18481.com/static.php?type=autoinstall&version=100

    HTTP Response

    200
  • 104.160.169.207:80
    http://www.18481.com/static.php?type=autoinstall&version=100
    http
    lasse.exe
    448 B
    1.8kB
    6
    5

    HTTP Request

    GET http://www.18481.com/static.php?type=autoinstall&version=100

    HTTP Response

    200
  • 10.127.0.126:80
    lasse.exe
  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    148 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    150.171.28.10
    150.171.27.10

  • 8.8.8.8:53
    10.28.171.150.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    10.28.171.150.in-addr.arpa

  • 8.8.8.8:53
    69.209.201.84.in-addr.arpa
    dns
    72 B
    132 B
    1
    1

    DNS Request

    69.209.201.84.in-addr.arpa

  • 8.8.8.8:53
    76.32.126.40.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    76.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    57.169.31.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    57.169.31.20.in-addr.arpa

  • 8.8.8.8:53
    www.qqhe.com
    dns
    irsetup.exe
    58 B
    108 B
    1
    1

    DNS Request

    www.qqhe.com

  • 8.8.8.8:53
    www.18481.com
    dns
    lasse.exe
    59 B
    75 B
    1
    1

    DNS Request

    www.18481.com

    DNS Response

    104.160.169.207

  • 8.8.8.8:53
    207.169.160.104.in-addr.arpa
    dns
    74 B
    110 B
    1
    1

    DNS Request

    207.169.160.104.in-addr.arpa

  • 8.8.8.8:53
    my.qqhe.com
    dns
    DragonBox.exe
    57 B
    107 B
    1
    1

    DNS Request

    my.qqhe.com

  • 8.8.8.8:53
    53.210.109.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    53.210.109.20.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    83.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    83.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    88.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    88.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    13.227.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    13.227.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\DragonBox\DragonBox.exe

    Filesize

    1.5MB

    MD5

    cbb2db2566dde5e2b9c6a636471ffa23

    SHA1

    38704738c646a9afa729cefd31ca0c8f28a9f54c

    SHA256

    4358b654751d9a43cc53543c297c1d862fcd0f94140dcfc1193a87857c1faf8e

    SHA512

    572cc9b09678904e604c6e9fad0dc21565596660cad2fdb79c644f50a012d44244caeea369e2f850fb784d0c0b33bef7938adcabb9568ab5775da941074f4b64

  • C:\Program Files (x86)\DragonBox\SkinPlusPlus.dll

    Filesize

    1.3MB

    MD5

    73edb6d203e0230b2ab4e4da57dd6bee

    SHA1

    4a71903b57abd639425394340d1a6067da760f0a

    SHA256

    a469eb021d4f0e5536d265bba0bf27dc82c5eb12ec3a70375331dab97163f544

    SHA512

    2b5552971fe90de9088f87913ce3ba82269eb929dbedb583d50b305211a5cb74cb42ebbfd60c935587de1deb8c38334361b2f6b5d750a9dcad73798e840cf1d5

  • C:\Program Files (x86)\DragonBox\Uninstall\uninstall.xml

    Filesize

    4KB

    MD5

    974b742d2559b60a336498ebf762b628

    SHA1

    3bf564d3e55e5fd5665a87d16ff920b3ef977105

    SHA256

    1d6edc23d178fb381a93594a75588133dcce37bc742a08ae9df86e34d60f169f

    SHA512

    64b93384e1ac7433f1452c79d4c2687cf367824e7f44933a042821d5214f5de7d7561ff8c7ccf13b2533454f62206e2c095ceec0e6bb2bb789f430f1e0c982a3

  • C:\Program Files (x86)\DragonBox\Uninstall\uninstall.xml

    Filesize

    4KB

    MD5

    93bb2f7b51110cbccf20f37888d4a73f

    SHA1

    bc4da28a09f2e3b203e4ee1000a15028a0b2250a

    SHA256

    5c489fa8fd7dce7ec21141b33b177951a05cb56afff5a439e599f91120f87d4a

    SHA512

    4fdc350d9f9084ed367012555e9dec27245bbadda81673008715fa9b1a92b8cd4d3572e805f04ffc4831df402c9e62b066961965cf8c484da0a6087e43f2db1f

  • C:\Program Files (x86)\DragonBox\gametypebak.json

    Filesize

    21KB

    MD5

    242aec89243b0957523287ae5d18b9b8

    SHA1

    9d54d2b8bf3d52d927fd89b172621d496b5f83e6

    SHA256

    e9b77b8fb317ac44289644e195f8510061ed6c724458a8203e13d33d4882b249

    SHA512

    a32cc60ee1c0c1e3ce8b4133bf314ab7be7ee3ca56ee37c51d7c562d35cf80bb1ebe4f74d6dc3656fbe36a0b2020e6c72cc7be6cd6e618a51c7fa55e38b7da68

  • C:\Program Files (x86)\DragonBox\setting.ini

    Filesize

    77B

    MD5

    042bc14b5ec4a59244ac348812dc2e8a

    SHA1

    7adb7489f0971dfedf5fd7928bde722245c1f3f9

    SHA256

    20519e50b789d627420ea36122c1759b5c12d47714b6af9e672221aeec424648

    SHA512

    4bf01a575480257873900a2d251aed31d7b2cd1344eed9accd73c3984cc0929369ca27192bb27592fa07369523e707667ebb0c9a2cf9a41bd686a56038524099

  • C:\Program Files (x86)\DragonBox\setting.ini

    Filesize

    77B

    MD5

    0c8197485fc42ac984d0984cb90e641c

    SHA1

    e3c7f68aa23561c89b2156e1e5efd07f04e0cd22

    SHA256

    3d1ec5d5c3728a7424f112664bdedbe640c864372c65f6f595e0766653c7913d

    SHA512

    15fceab8ba983dbceb6d7202cbd35b7b7464d35a8dec65f3f70c13fc7119a4cb42ddaa813a5737f7e4f903f87b8f0a562451169d0c8ee9836f62aac11dca2dc5

  • C:\Program Files (x86)\DragonBox\version.ini

    Filesize

    53B

    MD5

    1b38736d6e54c9b3b78807bbca68f348

    SHA1

    0cc44962449b1f54e1d2f606584ce513dc088cf6

    SHA256

    013612c2be8a8d41bee8b17db9aa51291f52f5dcd405ceb0b15f37eb5c16b774

    SHA512

    32830fb79214bf523088f6cb29ff2652dc48920297b0ca216ab2ac9ba7ae2826ce6c70ac495202f6985f9a6acab22b7078f48739e22a6c7deeb3a47115326b6b

  • C:\ProgramData\Megic\lasse.exe

    Filesize

    248KB

    MD5

    ecf79310b8a51b2a472689619d42a42c

    SHA1

    36e328fccda8f2f3d926e472d968072a9c732c0f

    SHA256

    6acfdd085ed2f92c013f0bdac5456f2190b5101b1499d7489055083dd334a396

    SHA512

    321a73b6f2f362fdbccbbac80411dd2bf4721b1b5c640e986fb3114ca3ada75702fac697db8fa1c066ad4145cc44b8d226ff93575b9cbe24ad505cd7f8187321

  • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG

    Filesize

    11KB

    MD5

    d1b051718019662c277bab1e4103c9ad

    SHA1

    ede02518fbeaf10d23ee3a6d1f609132da95d5d7

    SHA256

    727b9b7061ce4222ffa60b71ec559ff84a8998b6d5d6a3c77073167e56da17b2

    SHA512

    a9ad33225eb9baaf95e6c00890a8eb92e12665113b343dda933609e526b276e92408d94f58edd0ddb64159abfc8ebb10b24bef18ac7bac73791837ea8b6fe7f8

  • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

    Filesize

    566KB

    MD5

    3fe7c92dba5c9240b4ab0d6a87e6166a

    SHA1

    7980d7dffc073515b621834246dda33ab00c308d

    SHA256

    a7818c1e0dad1cbba4d17809688887adeeafe940a3cb53a6aeabdfcd196f7258

    SHA512

    bd2c87b2d02b80b90f744a101bbb9294b1d90650a338be725028e6649e46a759fa72032e80ffe911ae82b005b4d2394960e7b73ce7ad8fe3a70e8a47d2a7c98d

  • C:\Users\Admin\AppData\Local\Temp\jiedian.exe

    Filesize

    2.9MB

    MD5

    1641766934172d4ef320103147ba77f3

    SHA1

    8562b7fb3cad46e555bcfacfc14ad2924971955e

    SHA256

    dc9b2fac8c2e6caed9a9864f04bd55ddf3acb000d5b93645f1e0218f1921c75c

    SHA512

    ccd3c3e572c7dc2bfe929ed8e49afaef366d87f056a5eb894ccca3d428f44dba7e018fcd3e8307f8b81db38ba6c376c498b9d773fcbae930d8f5a97b27a671cd

  • memory/1876-17-0x0000000000400000-0x0000000000581000-memory.dmp

    Filesize

    1.5MB

  • memory/1876-135-0x0000000000400000-0x0000000000581000-memory.dmp

    Filesize

    1.5MB