Overview

overview

10

Static

static

1

YoudaodcDictSetup.msi

windows7-x64

10

YoudaodcDictSetup.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    25-10-2024 07:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    YoudaodcDictSetup.msi

  • Size

    135.7MB

  • MD5

    7e5adcf2244984856e70b27294e3a12f

  • SHA1

    6535cf60d45ec745fc54204f876367e376c2f762

  • SHA256

    39ae2756ab3ab2d86533344ddf0fc1e7fc14b8d271bb9321bbbf38909013173c

  • SHA512

    81fdfb95f28860670c059d40d9f4562028d0b5d9052dad5fc1788f12ab97fe033a1507b4c0abf359fdc0fc9858c55dc4fe80761d17012ca3693bed1e139a280c

  • SSDEEP

    3145728:bdYKj8WH3zFrbOc+ZWh4kWjoNFoaApVQ9CBkNNWxwXJ5Yq:uCjhbOJWhi4FoMy0NWxwXJ5Yq

Score
10/10
gh0stratpurplefoxcredential_accessdiscoverypersistenceprivilege_escalationratrootkitstealertrojan

Malware Config

Signatures

  • Detect PurpleFox Rootkit 1 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Uses browser remote debugging 2 TTPs 10 IoCs

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks computer location settings 2 TTPs 8 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 2 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Suspicious use of NtSetInformationThreadHideFromDebugger 37 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 11 IoCs
  • Executes dropped EXE 35 IoCs
  • Loads dropped DLL 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 12 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious use of AdjustPrivilegeToken 57 IoCs
  • Suspicious use of FindShellTrayWindow 9 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\YoudaodcDictSetup.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2296
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding B1BAADF82274815749D95499577D0051
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2840
    • C:\Windows\Installer\MSI8AE6.tmp
      "C:\Windows\Installer\MSI8AE6.tmp" /DontWait "C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1888
    • C:\Windows\Installer\MSI8B27.tmp
      "C:\Windows\Installer\MSI8B27.tmp" /DontWait "C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2588
  • C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe
    "C:\Users\Admin\AppData\Local\Temp\YoudaoDict_fanyiweb_navigation.exe"
    1⤵
    • Adds Run key to start application
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1584
    • C:\Users\Admin\AppData\Local\Temp\nsy8D34.tmp\YoudaoDictInstaller.exe
      "C:\Users\Admin\AppData\Local\Temp\nsy8D34.tmp\YoudaoDictInstaller.exe" "nsiinstall" "C:\Users\Admin\AppData\Local\Temp\nsy8D34.tmp\install.ini" "0"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:12684
    • C:\Users\Admin\AppData\Local\Temp\nsy8D34.tmp\YoudaoDictInstaller.exe
      "C:\Users\Admin\AppData\Local\Temp\nsy8D34.tmp\YoudaoDictInstaller.exe" rundicttask * "C:\Users\Admin\AppData\Local\Youdao\Dict\Application\YoudaoDict.exe" "0"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:13308
      • C:\Users\Admin\AppData\Local\Youdao\Dict\Application\YoudaoDict.exe
        "C:\Users\Admin\AppData\Local\Youdao\Dict\Application\YoudaoDict.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Modifies system certificate store
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:10220
        • C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0\YoudaoDictHelper.exe
          "C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0\YoudaoDictHelper.exe" --type=gpu-process --field-trial-handle=4820,3814580886822085028,18056755494809812755,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --no-sandbox --disable-logging --locales-dir-path="C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0" --user-agent="Mozilla/5.0 (Windows NT 6.1.7601; WOW64) Chrome/97.0.4692.99 youdaodict/11.0.0 (jsbridge/1.0;windowspc) YDUIStyle/Light" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=UAAAAAAAAADhAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --disable-logging --log-file="C:\Users\Admin\AppData\Local\Youdao\Dict\Application\debug.log" --mojo-platform-channel-handle=4828 /prefetch:2
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:5780
        • C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0\YoudaoDictHelper.exe
          "C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0\YoudaoDictHelper.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=4820,3814580886822085028,18056755494809812755,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --lang=en-US --service-sandbox-type=utility --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0" --user-agent="Mozilla/5.0 (Windows NT 6.1.7601; WOW64) Chrome/97.0.4692.99 youdaodict/11.0.0 (jsbridge/1.0;windowspc) YDUIStyle/Light" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --disable-logging --log-file="C:\Users\Admin\AppData\Local\Youdao\Dict\Application\debug.log" --mojo-platform-channel-handle=5176 /prefetch:8
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:3972
        • C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0\YoudaoDictHelper.exe
          "C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0\YoudaoDictHelper.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=4820,3814580886822085028,18056755494809812755,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --lang=en-US --service-sandbox-type=none --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0" --user-agent="Mozilla/5.0 (Windows NT 6.1.7601; WOW64) Chrome/97.0.4692.99 youdaodict/11.0.0 (jsbridge/1.0;windowspc) YDUIStyle/Light" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --disable-logging --log-file="C:\Users\Admin\AppData\Local\Youdao\Dict\Application\debug.log" --mojo-platform-channel-handle=5216 /prefetch:8
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:4044
        • C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0\YoudaoDictHelper.exe
          "C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0\YoudaoDictHelper.exe" --type=renderer --locales-dir-path="C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0" --user-agent="Mozilla/5.0 (Windows NT 6.1.7601; WOW64) Chrome/97.0.4692.99 youdaodict/11.0.0 (jsbridge/1.0;windowspc) YDUIStyle/Light" --uncaught-exception-stack-size=3 --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --autoplay-policy=no-user-gesture-required --disable-accelerated-video-decode --disable-databases --disable-file-system --disable-logging --log-file="C:\Users\Admin\AppData\Local\Youdao\Dict\Application\debug.log" --remote-debugging-port=65123 --touch-events --js-flags=--jitless --field-trial-handle=4820,3814580886822085028,18056755494809812755,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=5464 /prefetch:1
          4⤵
          • Uses browser remote debugging
          • Checks computer location settings
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:4100
        • C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0\YoudaoDictHelper.exe
          "C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0\YoudaoDictHelper.exe" --type=renderer --locales-dir-path="C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0" --user-agent="Mozilla/5.0 (Windows NT 6.1.7601; WOW64) Chrome/97.0.4692.99 youdaodict/11.0.0 (jsbridge/1.0;windowspc) YDUIStyle/Light" --uncaught-exception-stack-size=3 --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --autoplay-policy=no-user-gesture-required --disable-accelerated-video-decode --disable-databases --disable-file-system --disable-logging --log-file="C:\Users\Admin\AppData\Local\Youdao\Dict\Application\debug.log" --remote-debugging-port=65123 --touch-events --js-flags=--jitless --field-trial-handle=4820,3814580886822085028,18056755494809812755,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=5488 /prefetch:1
          4⤵
          • Uses browser remote debugging
          • Checks computer location settings
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:5584
        • C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0\YoudaoDictHelper.exe
          "C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0\YoudaoDictHelper.exe" --type=renderer --locales-dir-path="C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0" --user-agent="Mozilla/5.0 (Windows NT 6.1.7601; WOW64) Chrome/97.0.4692.99 youdaodict/11.0.0 (jsbridge/1.0;windowspc) YDUIStyle/Light" --uncaught-exception-stack-size=3 --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --autoplay-policy=no-user-gesture-required --disable-accelerated-video-decode --disable-databases --disable-file-system --disable-logging --log-file="C:\Users\Admin\AppData\Local\Youdao\Dict\Application\debug.log" --remote-debugging-port=65123 --touch-events --js-flags=--jitless --field-trial-handle=4820,3814580886822085028,18056755494809812755,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=5836 /prefetch:1
          4⤵
          • Uses browser remote debugging
          • Executes dropped EXE
          PID:4088
        • C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0\YoudaoDictHelper.exe
          "C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0\YoudaoDictHelper.exe" --type=gpu-process --field-trial-handle=4820,3814580886822085028,18056755494809812755,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --no-sandbox --disable-logging --locales-dir-path="C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0" --user-agent="Mozilla/5.0 (Windows NT 6.1.7601; WOW64) Chrome/97.0.4692.99 youdaodict/11.0.0 (jsbridge/1.0;windowspc) YDUIStyle/Light" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --gpu-preferences=UAAAAAAAAADhAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --disable-logging --log-file="C:\Users\Admin\AppData\Local\Youdao\Dict\Application\debug.log" --mojo-platform-channel-handle=4992 /prefetch:2
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:5424
        • C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0\YoudaoDictHelper.exe
          "C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0\YoudaoDictHelper.exe" --type=renderer --locales-dir-path="C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0" --user-agent="Mozilla/5.0 (Windows NT 6.1.7601; WOW64) Chrome/97.0.4692.99 youdaodict/11.0.0 (jsbridge/1.0;windowspc) YDUIStyle/Light" --uncaught-exception-stack-size=3 --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --autoplay-policy=no-user-gesture-required --disable-accelerated-video-decode --disable-databases --disable-file-system --disable-logging --log-file="C:\Users\Admin\AppData\Local\Youdao\Dict\Application\debug.log" --remote-debugging-port=65123 --touch-events --js-flags=--jitless --field-trial-handle=4820,3814580886822085028,18056755494809812755,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=6900 /prefetch:1
          4⤵
          • Uses browser remote debugging
          • Executes dropped EXE
          PID:9188
        • C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0\YoudaoDictHelper.exe
          "C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0\YoudaoDictHelper.exe" --type=renderer --locales-dir-path="C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0" --user-agent="Mozilla/5.0 (Windows NT 6.1.7601; WOW64) Chrome/97.0.4692.99 youdaodict/11.0.0 (jsbridge/1.0;windowspc) YDUIStyle/Light" --uncaught-exception-stack-size=3 --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --autoplay-policy=no-user-gesture-required --disable-accelerated-video-decode --disable-databases --disable-file-system --disable-logging --log-file="C:\Users\Admin\AppData\Local\Youdao\Dict\Application\debug.log" --remote-debugging-port=65123 --touch-events --js-flags=--jitless --field-trial-handle=4820,3814580886822085028,18056755494809812755,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4116 /prefetch:1
          4⤵
          • Uses browser remote debugging
          • Executes dropped EXE
          PID:9260
        • C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0\YoudaoWSH.exe
          "C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0\YoudaoWSH.exe" 10220
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:10356
        • C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0\YoudaoEDIT.exe
          "C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0\YoudaoEDIT.exe" 10220
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:10400
        • C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0\YoudaoDictHelper.exe
          "C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0\YoudaoDictHelper.exe" --type=renderer --locales-dir-path="C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0" --user-agent="Mozilla/5.0 (Windows NT 6.1.7601; WOW64) Chrome/97.0.4692.99 youdaodict/11.0.0 (jsbridge/1.0;windowspc) YDUIStyle/Light" --uncaught-exception-stack-size=3 --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --autoplay-policy=no-user-gesture-required --disable-accelerated-video-decode --disable-databases --disable-file-system --disable-logging --log-file="C:\Users\Admin\AppData\Local\Youdao\Dict\Application\debug.log" --remote-debugging-port=65123 --touch-events --js-flags=--jitless --field-trial-handle=4820,3814580886822085028,18056755494809812755,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=6696 /prefetch:1
          4⤵
          • Uses browser remote debugging
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1244
        • C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0\YoudaoDictHelper.exe
          "C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0\YoudaoDictHelper.exe" --type=renderer --locales-dir-path="C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0" --user-agent="Mozilla/5.0 (Windows NT 6.1.7601; WOW64) Chrome/97.0.4692.99 youdaodict/11.0.0 (jsbridge/1.0;windowspc) YDUIStyle/Light" --uncaught-exception-stack-size=3 --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --autoplay-policy=no-user-gesture-required --disable-accelerated-video-decode --disable-databases --disable-file-system --disable-logging --log-file="C:\Users\Admin\AppData\Local\Youdao\Dict\Application\debug.log" --remote-debugging-port=65123 --touch-events --js-flags=--jitless --field-trial-handle=4820,3814580886822085028,18056755494809812755,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=6748 /prefetch:1
          4⤵
          • Uses browser remote debugging
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:10316
        • C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0\YoudaoDictHelper.exe
          "C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0\YoudaoDictHelper.exe" --type=renderer --locales-dir-path="C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0" --user-agent="Mozilla/5.0 (Windows NT 6.1.7601; WOW64) Chrome/97.0.4692.99 youdaodict/11.0.0 (jsbridge/1.0;windowspc) YDUIStyle/Light" --uncaught-exception-stack-size=3 --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --autoplay-policy=no-user-gesture-required --disable-accelerated-video-decode --disable-databases --disable-file-system --disable-logging --log-file="C:\Users\Admin\AppData\Local\Youdao\Dict\Application\debug.log" --remote-debugging-port=65123 --touch-events --js-flags=--jitless --field-trial-handle=4820,3814580886822085028,18056755494809812755,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=6688 /prefetch:1
          4⤵
          • Uses browser remote debugging
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:10456
        • C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0\YoudaoDictHelper.exe
          "C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0\YoudaoDictHelper.exe" --type=renderer --locales-dir-path="C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0" --user-agent="Mozilla/5.0 (Windows NT 6.1.7601; WOW64) Chrome/97.0.4692.99 youdaodict/11.0.0 (jsbridge/1.0;windowspc) YDUIStyle/Light" --uncaught-exception-stack-size=3 --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --autoplay-policy=no-user-gesture-required --disable-accelerated-video-decode --disable-databases --disable-file-system --disable-logging --log-file="C:\Users\Admin\AppData\Local\Youdao\Dict\Application\debug.log" --remote-debugging-port=65123 --touch-events --js-flags=--jitless --field-trial-handle=4820,3814580886822085028,18056755494809812755,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3920 /prefetch:1
          4⤵
          • Uses browser remote debugging
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:896
        • C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0\YoudaoDictHelper.exe
          "C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0\YoudaoDictHelper.exe" --type=renderer --locales-dir-path="C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0" --log-severity=disable --resources-dir-path="C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0" --user-agent="Mozilla/5.0 (Windows NT 6.1.7601; WOW64) Chrome/97.0.4692.99 youdaodict/11.0.0 (jsbridge/1.0;windowspc) YDUIStyle/Light" --uncaught-exception-stack-size=3 --user-data-dir="C:\Users\Admin\AppData\Local\CEF\User Data" --no-sandbox --autoplay-policy=no-user-gesture-required --disable-accelerated-video-decode --disable-databases --disable-file-system --disable-logging --log-file="C:\Users\Admin\AppData\Local\Youdao\Dict\Application\debug.log" --remote-debugging-port=65123 --touch-events --js-flags=--jitless --field-trial-handle=4820,3814580886822085028,18056755494809812755,131072 --disable-features=CalculateNativeWinOcclusion,WinUseBrowserSpellChecker --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=6880 /prefetch:1
          4⤵
          • Uses browser remote debugging
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:1364
    • C:\Users\Admin\AppData\Local\Temp\nsy8D34.tmp\InstallHelper.exe
      "C:\Users\Admin\AppData\Local\Temp\nsy8D34.tmp\InstallHelper.exe" "exports" "C:\Users\Admin\AppData\Local\Temp\nsy8D34.tmp\dict.7z" "C:\Users\Admin\AppData\Local\Youdao\Dict\Application\install_11.0.0.0"
      2⤵
      • Executes dropped EXE
      PID:3196
    • C:\Users\Admin\AppData\Local\Temp\nsy8D34.tmp\InstallHelper.exe
      "C:\Users\Admin\AppData\Local\Temp\nsy8D34.tmp\InstallHelper.exe" "move" "C:\Users\Admin\AppData\Local\Youdao\Dict\Application\install_11.0.0.0\YodaoDict.exe" "C:\Users\Admin\AppData\Local\Youdao\Dict\Application\YodaoDict.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2672
    • C:\Users\Admin\AppData\Local\Temp\nsy8D34.tmp\InstallHelper.exe
      "C:\Users\Admin\AppData\Local\Temp\nsy8D34.tmp\InstallHelper.exe" "move" "C:\Users\Admin\AppData\Local\Youdao\Dict\Application\install_11.0.0.0\YoudaoDict.exe" "C:\Users\Admin\AppData\Local\Youdao\Dict\Application\YoudaoDict.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2336
    • C:\Users\Admin\AppData\Local\Temp\nsy8D34.tmp\InstallHelper.exe
      "C:\Users\Admin\AppData\Local\Temp\nsy8D34.tmp\InstallHelper.exe" "move" "C:\Users\Admin\AppData\Local\Youdao\Dict\Application\install_11.0.0.0\11.0.0.0" "C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:5032
    • C:\Users\Admin\AppData\Local\Temp\nsy8D34.tmp\InstallHelper.exe
      "C:\Users\Admin\AppData\Local\Temp\nsy8D34.tmp\InstallHelper.exe" "move" "C:\Users\Admin\AppData\Local\Youdao\Dict\Application\install_11.0.0.0\Stable" "C:\Users\Admin\AppData\Local\Youdao\Dict\Application\Stable"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2344
    • C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0\YoudaoDictInstaller.exe
      "C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0\YoudaoDictInstaller.exe" install "C:\Users\Admin\AppData\Local\Temp\nsy8D34.tmp\install.ini" "full" 0
      2⤵
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:2488
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\System32\regsvr32.exe" "C:\Users\Admin\AppData\Local\Youdao\Dict\Application\stable\YoudaoGetWord32.dll" /s
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:4340
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\System32\regsvr32.exe" "C:\Users\Admin\AppData\Local\Youdao\Dict\Application\stable\YoudaoGetWord64.dll" /s
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:4412
        • C:\Windows\system32\regsvr32.exe
          "C:\Users\Admin\AppData\Local\Youdao\Dict\Application\stable\YoudaoGetWord64.dll" /s
          4⤵
          • Loads dropped DLL
          • Modifies registry class
          PID:5368
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c echo y| cacls "C:\ProgramData\Youdao\DeskDict\pluginconfig.ini" /c /g everyone:f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:12332
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /S /D /c" echo y"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:5620
        • C:\Windows\SysWOW64\cacls.exe
          cacls "C:\ProgramData\Youdao\DeskDict\pluginconfig.ini" /c /g everyone:f
          4⤵
          • System Location Discovery: System Language Discovery
          PID:5712
    • C:\Users\Admin\AppData\Local\Temp\nsy8D34.tmp\YoudaoDictInstaller.exe
      "C:\Users\Admin\AppData\Local\Temp\nsy8D34.tmp\YoudaoDictInstaller.exe" "rundictnow" "C:\Users\Admin\AppData\Local\Youdao\Dict\Application\YoudaoDict.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:7336
    • C:\Users\Admin\AppData\Local\Temp\nsy8D34.tmp\YoudaoDictInstaller.exe
      "C:\Users\Admin\AppData\Local\Temp\nsy8D34.tmp\YoudaoDictInstaller.exe" "cleanup" "C:\Users\Admin\AppData\Local\Youdao\Dict\Application"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:7392
    • C:\Users\Admin\AppData\Local\Temp\nsy8D34.tmp\YoudaoDictIcon.exe
      "C:\Users\Admin\AppData\Local\Temp\nsy8D34.tmp\YoudaoDictIcon.exe"
      2⤵
      • Executes dropped EXE
      PID:7488
    • C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0\YoudaoDictInstaller.exe
      "C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0\YoudaoDictInstaller.exe" instreport
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:7568
  • C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe
    "C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2216
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\SOFTUP~1.EXE > nul
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:1268
      • C:\Windows\SysWOW64\PING.EXE
        ping -n 2 127.0.0.1
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:12536
  • C:\Windows\SysWOW64\Phxph.exe
    C:\Windows\SysWOW64\Phxph.exe -auto
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2560
    • C:\Windows\SysWOW64\Phxph.exe
      C:\Windows\SysWOW64\Phxph.exe -acsi
      2⤵
      • Enumerates connected drives
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Installer Packages

1
T1546.016

Modify Authentication Process

1
T1556

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Installer Packages

1
T1546.016

Defense Evasion

Modify Authentication Process

1
T1556

Modify Registry

2
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

System Binary Proxy Execution

1
T1218

Msiexec

1
T1218.007

Credential Access

Modify Authentication Process

1
T1556

Steal Web Session Cookie

1
T1539

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

4
T1012

Remote System Discovery

1
T1018

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\f768412.rbs
    Filesize

    420KB

    MD5

    62da2c61cd2aa7be32c0c8e5866a71cd

    SHA1

    d6a663a87b82139e38297a8ab9dfe6bea820344b

    SHA256

    2240fe26072e841263802376a27915ac24223f4c7daf3cb88ad6afb9ccb7cbbe

    SHA512

    a8f28d1444e62c1054905da2c65f638a5db1847af2998ede251b149c387383e6cd2a46238add5bb50b92e2114bd79b5e176a2d5b94edde2da18e7d5f4d20272e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\SoftUpdate.exe
    Filesize

    27.4MB

    MD5

    eb99f68eaef877b3e72ccfa20a2eda81

    SHA1

    2285c61edc9f4e455f7f0fcf2b426e5bf9b9308b

    SHA256

    3988edac7c8c9a9136f08a0ecddc280a0d59efccd9f77349ddf8bab006d9f14f

    SHA512

    5467bf319c960b29960d4ef1f8fbee29f06e41a9856380f815eff1d41befe26320808d3dbd5fc1f338b0d1e0405a5876c80c08561efda9ed4da68e274230f518

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsy8D34.tmp\InstallHelper.exe
    Filesize

    159KB

    MD5

    46b8bb15eb648d13e1ee94a312a62239

    SHA1

    a574e4abdcd45de416f344fbab9bded623c9f70b

    SHA256

    9c31ba8c1c4cdba30a3523f057cc065747bb4adf8c45f4890c17a84c8ee56202

    SHA512

    f0dd49684504e3b47f2484b8e62a53f471bd3ddf9e564af1a784e3f3c5d2eadab5ceeefef1d317e6b49af0846209eaab02163e95fcdd769153b53251199b11ff

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsy8D34.tmp\YoudaoDictIcon.exe
    Filesize

    166KB

    MD5

    c440aefcecd3aab2e447ea598d11511d

    SHA1

    56eb3ab70b22f273c53ef1eaf90c8c4b3dfd6d0c

    SHA256

    40291be999b50eca41c1875bb127345e5d8b4ee2a3118b4f6111ebe7aa979f5c

    SHA512

    4506fbb73df6b177bb99353ff8af49a7fd3427ebddc9ecb2eb09c4447f2033eaf0261629241488a098ab6edaf9befe0f16db67f7ff49e5ae7c61c7c0ff4d2e43

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsy8D34.tmp\bg_license.bmp
    Filesize

    929KB

    MD5

    a9a03b7725e82588f03987210435d784

    SHA1

    053ceba5031bf1e0b3a499f2834db870763d9642

    SHA256

    695e8830131762042be0656d2a56dafb267a676a85d623f4cc3786ea93e31bea

    SHA512

    876fc236146b7430ec0d1542b8a7654bf812708d97fc6395a34eb2431ba20b450edfea4ec654bfec1c1cef877f76c3c18eedcff6324d543080bf7c006d86e5da

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsy8D34.tmp\btn_agree.bmp
    Filesize

    38KB

    MD5

    dab018047c171165c18329d5c59b617e

    SHA1

    88848ac4aceb7358f13d225de6d4fd0a5696517a

    SHA256

    1cf0d9e908c3134ffce859483504420578ee8ccda399c20ecc035d1e4da93734

    SHA512

    1f6c50885290a3b983b7b8ac4bfec546d74acf2c50bfd0d245164a5ee149fa28a2871d545286108345c055c4f86f2b115509fcf74a6b60bc3f814c1c1635162d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsy8D34.tmp\btn_close.bmp
    Filesize

    5KB

    MD5

    80132508240b59c2da6a337f68f128ad

    SHA1

    ef11aaa3213646d845fec4a79bb6a4dad81bf1d2

    SHA256

    2d13ebcee5b20d6a09ff7d45d9ef5881da83d4f40758af123d107689b4eba22a

    SHA512

    14e9a25825ccf1a81dcc1bcdfc765ceb95236d7410b6eae923bca9b109279edce2b300f9e5a969db3efc06703247eb5db24fbbc5637fbfd955a76c50d466b4db

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsy8D34.tmp\btn_disagree.bmp
    Filesize

    38KB

    MD5

    5f7b90c87ea0517771862fae5f11ce94

    SHA1

    fc9f195e888d960139278c04a0e78996c6442d5b

    SHA256

    f906101e512c3119e71b6949d68ac01c8fdb5ef06f4c73eaef9a3f0bd6021ce2

    SHA512

    dc08461f1e823d898f5ba42c9d1a131f599adbcb0af28c5de950a01ec74015d3da933e675986b71dde09cc74e00689ebe5f5f6cff857d335322f18d3f385edf0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsy8D34.tmp\checkbox.bmp
    Filesize

    3KB

    MD5

    ba36791f13ebaee4de572ab7fd6afa87

    SHA1

    c901e4f36d8cc7dddf042f20dd37751ef733d50f

    SHA256

    5bddbcebffb39f0d6d9b55be16f72036a8e98d19f03e947f41b958d622f0f202

    SHA512

    fea284d726e36f77896e0b1a1d822066742f3320d9f16d5858cff2582f91fc72978c7fd10b22d7de5e7736fc8f3e407b393e4727ae601ceb08bf41c18c88b4b8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsy8D34.tmp\checkbox_null.bmp
    Filesize

    3KB

    MD5

    5754c67775c3f4f50a4780b3bca026b1

    SHA1

    3e95c72c13d6175ef275280fe270d678acee46e9

    SHA256

    2a5d67757f61ca00227e9b482a7b15365ba836c11f5b7d723b650e6d4108e739

    SHA512

    df6744556a24d4f6b907fc6126035adca4d3ce8aba52b26112e59b24ebfc5c4e079ee8ed74df3f28fc62cc3e207041cf8fb6b6a84ec58125122c214924e0a97f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsy8D34.tmp\install.ini
    Filesize

    221B

    MD5

    b242bfa4333319e17e889e0e5d3e35d3

    SHA1

    201d1fc77b6756b1a9c89fe07d437bbbf41b68dd

    SHA256

    3cc9d2fb26990f88792cc991fa5376bb8f5569dadc43ece5f74fb4a5baa82267

    SHA512

    f4db2cc95a82afcaa7c24f74682e2f0a6aac3e4e4db6c0f41cc656ab911c5ebc139d0f31c4c18c8b49144d46a5bfd080edb7700f0387e4a9e30c3f3df6bc0e19

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsy8D34.tmp\slide6.bmp
    Filesize

    908KB

    MD5

    3d3ec6392cf9a8b408569a3dd4cd3ce8

    SHA1

    95ff4346eb20d9239c37e6538bb8df8542d3300a

    SHA256

    818f2cdb763f5af1884485cffef51f192bc895132a4fdff5009935e8348f8371

    SHA512

    e017cfd88c50c496ac86084a43a80eb3f1ec61c6397a67da2978cbb1867a4b30f563f1b4f319d00742b84df486e841804b82949e3131c7d77b7f63975dece505

    Download Submit

  • C:\Users\Admin\AppData\Local\Yodao\DeskDict\config.ini
    Filesize

    2KB

    MD5

    1546a9559c0b2dddde29606e6f955ca9

    SHA1

    e6340162ecf2a93fae1829bd8f732bf278eb43b0

    SHA256

    aee7cd509c0d83fb96bef962f7d35059cd0ecfe4e85733021c9e283437c145d4

    SHA512

    21572ec01fe4ba9df4dd6915c3ae8dfd9761152ab78044a9c987c6b47edafdf40bdfdd4ee3323e69feebc31c0454a2654f439ced6649736a04c99abf5a538038

    Download Submit

  • C:\Users\Admin\AppData\Local\Yodao\DeskDict\config.ini
    Filesize

    2KB

    MD5

    99a6f19de4ac60f47a035aa8503e8322

    SHA1

    d5525174319a76f192cc6069093409d3357e6cd3

    SHA256

    a35e4d8b6d0be506cb621f5dc062f73a7b53a0a9c93481bf67750080c298dee3

    SHA512

    90eb2d5b92f5836b18517b81696112a30baaaa25ac1b1911db7afb6ac94287021280a3fbce03a9e2bc2e6cd10324c3fb39bced0c8fa83c19a9401c2f634e3433

    Download Submit

  • C:\Users\Admin\AppData\Local\Yodao\DeskDict\dict.cache\Cache\Cache_Data\f_000001
    Filesize

    16KB

    MD5

    6d8414c332d17c09f1ca8c8b89c8b206

    SHA1

    33fa5302216bcf7ce4e2a2966eaee458ed961449

    SHA256

    69fe7b1906856a22305aee9612f602bbb9a91cbce4e4e93db2c992fb6f0013fe

    SHA512

    2ee4cade9d5572438f0a52e42f3280fae2f0c5578a98121e3344a10a79e8149864093d2b9f1422b7853d316cf17a8d7baedbbc23dc3bd6fb653e1da00b61a1f4

    Download Submit

  • C:\Users\Admin\AppData\Local\Yodao\DeskDict\dict.cache\Cache\Cache_Data\f_000003
    Filesize

    37KB

    MD5

    cb1a18132ccf5c92e07f9ec15fb11491

    SHA1

    109de3c0ae93d8228941231556a59dc2f9583a6a

    SHA256

    fb4afb711fd0acfce2fae8d366c1b4639ebdfc934968f63857f6a7f650ac98e2

    SHA512

    c56d5000a9257059f4c187a92f570c8a3e998a70d59e63495000f79e73b2b90b4bcffe0b618d64d5bbb24efb006b5919491f3e265c4db77f57e8f3b88eb14a64

    Download Submit

  • C:\Users\Admin\AppData\Local\Yodao\DeskDict\dict.cache\Cache\Cache_Data\f_000005
    Filesize

    29KB

    MD5

    475dcb21f50b418b6731ac7f62eda7d5

    SHA1

    f9df543e8fc2b8c0976c2752f913df6cb5d9a35b

    SHA256

    d07c4432cc643b6760310123c42272e2ee8a3ed5fe14a9cc5fef2bd14ba7619b

    SHA512

    3dd7d41e00fe33436d705b3c01626f093aa2ab120c82cb010d616da4790bb86c1bf09eecebe7d80614f2d12442048a9d7af83baaa495967212dc642fcec132d0

    Download Submit

  • C:\Users\Admin\AppData\Local\Yodao\DeskDict\dict.cache\Cache\Cache_Data\f_000008
    Filesize

    25KB

    MD5

    d352ee572d10fe57439f33ba8b7b86c1

    SHA1

    2a02a7f13394d55d1985837405d6492ee6a4bd1e

    SHA256

    a7bfc470672a4724dfd79e3a30352de19778040a1e7063734094c14da1ad024e

    SHA512

    72cbccab42723766da03afb2847e2ed5fbc80f0337d445a58aa981947ba358b80e11e42295d8ec3240118e2008164b031451827f9cb8d4510a28c78c086d3bf4

    Download Submit

  • C:\Users\Admin\AppData\Local\Yodao\DeskDict\dict.cache\Cache\Cache_Data\f_00000a
    Filesize

    34KB

    MD5

    84f2dade1a389bb47d0b12f71dca6842

    SHA1

    f98bf0fbf26c7fd72f4732c4fa13afce942f6b45

    SHA256

    794a1109ea9f648d9394799a1c3c646794765e0bf7504ffc8d1d571663b8dd76

    SHA512

    ac1201997dcd62441ba0d685addc931f82b24328a794ddce6c20ae3030d7ec394bdd22e5f370f7ed4faed7147e1881c184dfdf4ee642b87686995e2ce3217670

    Download Submit

  • C:\Users\Admin\AppData\Local\Yodao\DeskDict\dict.cache\Cache\Cache_Data\f_00000e
    Filesize

    87KB

    MD5

    82b0b535df1c7cb9238c1ef78458cb52

    SHA1

    e3890a6c21693e79ef2331b794e2186d3579b065

    SHA256

    247403e5b1dec75abf1b36a1656dbda03bba0370a03cddbbec221a213acc1e93

    SHA512

    6ab181dadc39050430c62aced8fdf05e1c0b89d5dba69ef6c5af01a5bd0af04443aaabd094da59ea6ce95fbb1d67095932d0ccc444a953d60c81eadd6b1213a2

    Download Submit

  • C:\Users\Admin\AppData\Local\Yodao\DeskDict\dict.cache\Cache\Cache_Data\f_00000f
    Filesize

    56KB

    MD5

    66ac57d7ed72f2717e4baa6c936657f0

    SHA1

    967d17004b8e1ba7d7bdb3f9b9b8dca3e50ba053

    SHA256

    754fa33745034f4b8462f1d8e4325d3c3e289fb6493868699333aa200b8c8b1c

    SHA512

    c1fd105546f15e3ed0310dd37e742e9c8909559ea13efc86e235aab6cfecb759bcddadad75c978c8ccdb3fb498f18b6c43824eaf1eeb0e3c6ab577c050d89ec2

    Download Submit

  • C:\Users\Admin\AppData\Local\Yodao\DeskDict\dict.cache\Cache\Cache_Data\f_000010
    Filesize

    42KB

    MD5

    9add68a0b8943604d36e1636c529bdda

    SHA1

    60f95326b8afcfae9ff2b869d9e49d38455c5c45

    SHA256

    a7d3d8d61d1ea6e829c21eb736af5205ceaed833e14efd6cbfee9f8addae6136

    SHA512

    37a024bf9293f2775892e80ba6d162e3a3519955a43d31eb76a45a92e20c0a0aa90840901938cdd87b30108f47dc4609c1972b46b0c6d0a1133c5cc9c822869a

    Download Submit

  • C:\Users\Admin\AppData\Local\Yodao\DeskDict\dict.cache\Cache\Cache_Data\f_000011
    Filesize

    58KB

    MD5

    061473a4d0fb0a84f6b6e26472784eae

    SHA1

    9a44fabcfd340e562c38b740d1aae992a91af834

    SHA256

    ffca034ea8f45da16beb60e5e3dfdd748dae7ff27c5d7eaf2e54d711be749ec8

    SHA512

    712e481f70176db128f5ba325ed670c6a981ce853337f897929df94a7f087aca0c128e8d3081ccb9acdc48992beea73592b9c6ba71cabce72ace9170b9d5efba

    Download Submit

  • C:\Users\Admin\AppData\Local\Yodao\DeskDict\dict.cache\Cache\Cache_Data\f_000012
    Filesize

    66KB

    MD5

    5a12fa60915b49634095c1995b1369d6

    SHA1

    49191b566e4f77ff8922fcb2b244e933682c7c1a

    SHA256

    dbac8b7a08b79f715ea8b6d0eacf0be82419ca09a3053bbfe911fb1aedcb96d0

    SHA512

    4320b0ce3d318191d0855d51f40c7fa536fcc6f4ca497f4175c17310402e8e8f75fe1f0d649fdec7e81617304b5463879739e2dc7808a6d25189a68c5922633f

    Download Submit

  • C:\Users\Admin\AppData\Local\Yodao\DeskDict\dict.cache\Local Storage\leveldb\CURRENT
    Filesize

    16B

    MD5

    46295cac801e5d4857d09837238a6394

    SHA1

    44e0fa1b517dbf802b18faf0785eeea6ac51594b

    SHA256

    0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

    SHA512

    8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

    Download Submit

  • C:\Users\Admin\AppData\Local\Yodao\DeskDict\dict.cache\Session Storage\MANIFEST-000001
    Filesize

    41B

    MD5

    5af87dfd673ba2115e2fcf5cfdb727ab

    SHA1

    d5b5bbf396dc291274584ef71f444f420b6056f1

    SHA256

    f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

    SHA512

    de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

    Download Submit

  • C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0\YodaoDict.api
    Filesize

    176KB

    MD5

    260d438b13406700bbcdabdba2c2d43c

    SHA1

    7c413b4c8f96beac86895a35bc285de6f3576f07

    SHA256

    4edd999c04f77ba491dbcd97d2771f7453d99507e546d99c05397f33afa9ff34

    SHA512

    a8187d3d29b80116fb26332ad682d4246320586132733a0a3d60d17658ddf69e6a3199dd6b94025d9753ded74a8f283af95386857b4f598142a9208efee05b18

    Download Submit

  • C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0\default_config.ini
    Filesize

    36B

    MD5

    6b41123acbcaca39a961a2844a6aa40c

    SHA1

    60c598de13a6138fe505c16e54a16223c644b72d

    SHA256

    542b73e9213cb4976de9c17c23d4f75840cf65219414778ded73f62b4329329c

    SHA512

    1bf794c058c17ceb12ccb6424d179fde9b58915c335bd7a918e1360ac716e369e48dd7ce47cd6223a140546bceb5e0fd6f1936b0be09b37bc41fabce023a991f

    Download Submit

  • C:\Users\Admin\AppData\Local\Youdao\Dict\Application\11.0.0.0\fullversions.xml
    Filesize

    4KB

    MD5

    2533b9f1453c02286062fa6b72da545f

    SHA1

    c9936f4b2450de5463237eec72b2832b97477a24

    SHA256

    c8f9e959187751b361808b36d1624ac16da90b71c805aecc153e366b40bf4702

    SHA512

    c1c12c81bd8d3f19bcfe57fc1922b684df871a17a1015fe4dcfa8a14b2f4c2ff4e55b08561c620545a3b76ef6f4a2ebbfd7d82efde9844f580272f1e53261b43

    Download Submit

  • C:\Users\Admin\AppData\Local\Youdao\Dict\Application\stable\YoudaoGetWord64.dll
    Filesize

    786KB

    MD5

    20a22005575ecd9c954956b6642af643

    SHA1

    f9a5e6ec4e44f2888c13ec50387a90dc9a1cbe05

    SHA256

    2e3566d146d88e36fcd9fccf89227abfe43940e753d6ebbf2cbcea6d9ec06119

    SHA512

    03c57371e42c7eb99337a4f0c4325724f06d1723ab6c419e49948ad3feca4447f468c15e6da21c6789a5fda516716ec5da61a1cf799380b91398e0f3ec018e09

    Download Submit

  • C:\Users\Admin\AppData\Local\Youdao\Dict\Application\vendor.dat
    Filesize

    19B

    MD5

    fa7fff2a5187083ed7975fb5a4a2a80e

    SHA1

    d01c17b18b892b4ecbe218be1b4f4060a27c5e5d

    SHA256

    4e19a48142ece32eba1d7e1fe85b278382054ded0f4d8db3340974ce9000623b

    SHA512

    5868682a79ec30a2675f3b7883aa934825316183130e53d8bfd3d08860f27d7c7bd2f47182f0d4f9da1349f3941e910e340eece5bdecc249c9a24394a34c4c35

    Download Submit

  • C:\Users\Admin\AppData\Local\youdao\dict\Application\11.0.0.0\skins\icons\operation-43.png.part
    Filesize

    187KB

    MD5

    abc6aa698f5e2b1eda9e1567abdb4132

    SHA1

    6300d090d5edf8257fe469b1128663b3df9b8ffa

    SHA256

    239a1b19a3ac0ab9a387061f572fd92b23e2c3d1c5a88cb5a4a636d8b9c72c38

    SHA512

    15b31a22e62d3ce32bbe57591a6ace26e8504661fe6f76a71f0c90987ce8d4248c2382fcc610bbd1cfcb2022af80c454b8a7de82bca7c9a204f9eced0885d4c7

    Download Submit

  • C:\Users\Admin\AppData\Local\youdao\dict\Application\11.0.0.0\skins\icons\operation-dark-43.png.part
    Filesize

    193KB

    MD5

    e29ce15614c11d5ea6863edf4cdb9614

    SHA1

    00b42792a6824a93433661edf281337626fcd393

    SHA256

    4a2b4c5469a0e58f20827ca39f196514df1a920679f188b043b20eab992c7beb

    SHA512

    893d5bc14662cc9e155c234b52b9c1217d8a2f988fa678ea8e2b5fa808010743183c4a8b036fe2e7255858515644961b13ca44be5dc3887441eca9f0fefd46ec

    Download Submit

  • C:\Users\Admin\AppData\Local\youdao\dict\Application\install_11.0.0.0\11.0.0.0\resultui\html\css\1534.css
    Filesize

    314KB

    MD5

    529f762bf13a39110f56e60afb41f348

    SHA1

    6d7aa1d82bf22020f83a66ea94f2f638d04d605d

    SHA256

    ea0cf412e358cd32c182b559e57b2899877d414e2fd4a29bdd033e596e08017a

    SHA512

    cf9b0b798bf37453b84a1e8deb8f62fe7f80a1ea8172b304885f299a69fc2a3f7b2d956e329151a73f8bfc758dc42060e90554a98a816c1c7a8966299812cd06

    Download Submit

  • C:\Users\Admin\AppData\Local\youdao\dict\Application\install_11.0.0.0\11.0.0.0\resultui\html\css\wordbookAdd.css
    Filesize

    584B

    MD5

    3f7da09311b9632df92173623aaa6145

    SHA1

    b02c155b2f70671599965448d64a6f6479dbf0ef

    SHA256

    1105b229c1437d45db30e0bbcc8736fed14ddfdfe957d05f590e0530a7d0925b

    SHA512

    d477e6849946eb88544eefbd7913566b2675fbf00d7fff134049a1376de3d88d65316245d43680f639c00470da44d84bcaa3c611d59e2598c321f48d5dc053fe

    Download Submit

  • C:\Users\Admin\AppData\Local\youdao\dict\Application\install_11.0.0.0\11.0.0.0\resultui\html\js\3760.js.LICENSE.txt
    Filesize

    493B

    MD5

    5c08af88d23addb3f3b34367dc2da82b

    SHA1

    54c30d9bd811f8d06694cf156997d3beb728b9d3

    SHA256

    de87e73c7035f73f09da8e771c08794f56e7d0a16b0b44dbcbeafe83d0390e35

    SHA512

    a85dd7e7ba12f78d27ff9de792c71de07f57abdcf647aa7fbca5f27020554fb76286f0fdc5f42d570057a14828ffd186d4dc167ab1abfe909dce868f2ccab3a5

    Download Submit

  • C:\Users\Admin\AppData\Local\youdao\dict\Application\install_11.0.0.0\11.0.0.0\resultui\html\js\5541.js.LICENSE.txt
    Filesize

    614B

    MD5

    088232cd8447769b12116adda5b934f9

    SHA1

    764b61e6d7604568f2adc7e8297b6e810ca5e214

    SHA256

    836aa26e61f5628b45a2ff1544d1260eecc6365a97c507a8a416a85eb42ed930

    SHA512

    d4bf4f8d74352c922f919aa76efecfabec32e4f1a9a192c77a8b622b3e85a547c5796d1f801b2f49aeef7bb48433e9d5ffe91ada83a6f13401e11c88b043495e

    Download Submit

  • C:\Users\Admin\AppData\Local\youdao\dict\Application\install_11.0.0.0\11.0.0.0\resultui\html\js\9367.js.LICENSE.txt
    Filesize

    120B

    MD5

    3df54bba2137ec524f3fb39f2c61461a

    SHA1

    0c22a43aa3197066cef88cc7d507b4c7de33fcc1

    SHA256

    47282a6fa1469e2d7bc8936d167c17ebf0fd800941104dd15097945208ccb501

    SHA512

    e7462c492ff1eebe0a2843a70b64bcfd196f22163e87fc0774b1904553aa66524b511bab0d43d6a580863982ebd74162879431ac8e401a97e378c3a2d3fbf283

    Download Submit

  • C:\Users\Admin\AppData\Local\youdao\dict\Application\install_11.0.0.0\11.0.0.0\resultui\html\ydDict\setting_setting_settingTabDesktop.html
    Filesize

    8KB

    MD5

    1fd34ebaa156122cc5c049d225c8c6df

    SHA1

    2a5977e73920d3f5ac3a224cafc0895529d06df5

    SHA256

    e75930c5ba3216d68b3fa6f0e9c4c5330a491fa90fd8045d1329bfb40a588b51

    SHA512

    35233d168f8feb803f101b15d5249dc58970ce94a3e736df646caae4af229c7116f4b8c501ad65aba80c4ab80f45772e4a341b831f2fb3857ba93353beb2e581

    Download Submit

  • C:\Users\Admin\AppData\Local\youdao\dict\Application\install_11.0.0.0\11.0.0.0\skins\icons\operation-33.png
    Filesize

    407KB

    MD5

    3b9d6a3624c30b6557f9a1d182365272

    SHA1

    129cbf6808e331b78a404753a6c0964d845ebe11

    SHA256

    a19a46e40d4e9d010d642ab7114dd2b98a6323e96f16235ecdfa355a483de111

    SHA512

    8c4c62290c6d3f8b7f97715a013106198130b44f972248aff5c3f7f8068900a7501e3bea287c8a7c10f3cc8ed30881dd1a5486a9d10d67e08b9778140152bf6a

    Download Submit

  • C:\Users\Admin\AppData\Local\youdao\dict\Application\install_11.0.0.0\11.0.0.0\skins\icons\operation-dark-33.png
    Filesize

    398KB

    MD5

    c8174d6fae20f603ee626daa7c02b705

    SHA1

    deaf0001a09f7e450ff1fa222b2212842dd8ecbc

    SHA256

    739a38445c77c69b4adb1210298e6f728c12aa6a14d83b12c4f56202113261b7

    SHA512

    645ab926ed9d0e6acf26aad6f6a51d1ff6be3b6e48be0e1bb0bce71b1e0fa1d24899270d6c3aa2dee0087594733ab9166af3723048024a64672ad26551d3b096

    Download Submit

  • C:\Users\Admin\AppData\Local\youdao\dict\Application\install_11.0.0.0\11.0.0.0\skins\icons\vip-fare-13.gif
    Filesize

    14KB

    MD5

    800393e5bdb3eabbacb50abd1ab40ad8

    SHA1

    cacc4363b51ae68e9b18e97476d1375672e7ac95

    SHA256

    c0e03760c5254e0158f7403d246556d25855be21494d7080c4996e1430ddd9de

    SHA512

    7fef7b86e420ef3b86b8112600a2a1f1ba14d6560c533c680eb8ef8ab2f3d06c51c59617fdccbb027de852129f416b354f40e7a428623cc1d2e1d2609f186db3

    Download Submit

  • C:\Users\Admin\AppData\Local\youdao\dict\Application\install_11.0.0.0\YodaoDict.exe
    Filesize

    264KB

    MD5

    1ba3fb12a645126afbc97bc14794be94

    SHA1

    228541e977679bc07ddf3049279e97c4d43ff271

    SHA256

    d8c076cb7179b6c0d12ac8c7cf27903ba731041641c8e0c26551e70ea7b0a91e

    SHA512

    95ba6fd0ce668bf87f707bfc072a73f5e9bc83d6cd64ef06c96b4e686fe10f8fd76331ea30a1193f59443cf559c89c1dd3b4b0f67054f92615f98a07eea81643

    Download Submit

  • C:\Users\Admin\AppData\Local\youdao\dict\Application\install_11.0.0.0\YoudaoDict.exe
    Filesize

    11.6MB

    MD5

    6ba22d4a58be34bb7990a6868d0e9d01

    SHA1

    4a09022464e70ed79d5a955ab75c1e9b57495c55

    SHA256

    93dce2783224befaa11e889e97d9e3893a47d77719c5bb419f1fb56e04eee067

    SHA512

    61ac40c2a8634488f6a7bfb244352c1e6fb763e54c61a4596fb70bb0393e05afd9ae7c4122a623067e598bd11f16da9f9bb07777247e0feb4b38ace1edd68415

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\yodaodictproxyuser
    Filesize

    2B

    MD5

    18ba379108cd7ccc2fa0fd754ad45a25

    SHA1

    ba1039e8cdae53e44ac3e6185b0871f3d031a476

    SHA256

    eec4121f2a07b61aba16414812aa9afc39ab0a136360a5ace2240dc19b0464eb

    SHA512

    ecc6818993ec8b0e5d679125845e03e5e28ac6a23b0143ff095ecfc9ef6d7b409bc7111a922a2768f02d0ae1c2c040fc8ca4a0bd152a65e305473e51ce1c296f

    Download Submit

  • C:\Windows\Installer\MSI84F8.tmp
    Filesize

    587KB

    MD5

    c7fbd5ee98e32a77edf1156db3fca622

    SHA1

    3e534fc55882e9fb940c9ae81e6f8a92a07125a0

    SHA256

    e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6

    SHA512

    8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a

    Download Submit

  • C:\Windows\Installer\MSI8AE6.tmp
    Filesize

    419KB

    MD5

    cac0eaeb267d81cf3fa968ee23a6af9d

    SHA1

    cf6ae8e44fb4949d5f0b01b110eaba49d39270a2

    SHA256

    f1dd0dd1e83b28ffa2ed30f46f98e94a4919ec1f4e9d33720354288b77153774

    SHA512

    8edf9f733dda9000a6e2b70da61912dbc15f74c836d738391ceddcdff20f5b420a678450523cf331aa9bce90217aa92ac6e73d1880ae15c9842ccc7d3296f95b

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsy8D34.tmp\LockedList.dll
    Filesize

    95KB

    MD5

    5a94bf8916a11b5fe94aca44886c9393

    SHA1

    820d9c5e3365e323d6f43d3cce26fd9d2ea48b93

    SHA256

    0b1e46044b580121f30bedb2b5412d3170c6afaa7800d702ee71f7666904236d

    SHA512

    79cba3dcb249d88a6a6cfb4efcb65cc42a240af4edb14bcc7546d9c701a7b642362f9fe0488691a8906607ecc76f7b5ee5a4282fa057053b258eea143ac90c20

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsy8D34.tmp\OP_Logging.dll
    Filesize

    45KB

    MD5

    a72c2dca77dcc121d8a8fe8806d1f1d8

    SHA1

    680308d6ae3d53913205f3dd2245cbf7125ab3de

    SHA256

    4a802d435fb605a78e74e5a481bf047e1017942537d0a5e526266316c1e85af4

    SHA512

    14911c94d8b19a848b95d4fb0cd9f23a701b7b4396d2bc1a2a44b8ba1eadf8ba27579ef1c3caf2cfe588d609f542df021445085fa72a6f2202c5d3c405923ec5

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsy8D34.tmp\OP_ProgressBar.dll
    Filesize

    35KB

    MD5

    95ecdbdf41e9450e68895cd8a51ac3b5

    SHA1

    21a80e466f1bc0d7190d8c9c12f9d90476a9c2b3

    SHA256

    75b9c807487764b4196eee5310ed096f74dfe585ed8318e0dff0ace2ae054e26

    SHA512

    26a8b8fc05b9ca59ff32bf151f7860c609e8b8efc4aabc12801286378cd05022cceb9fbfb2cd814230eedeb1db0753da5368fb9f91b0d3b17187f520880cf884

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsy8D34.tmp\OP_WndProc.dll
    Filesize

    48KB

    MD5

    765cf74fc709fb3450fa71aac44e7f53

    SHA1

    b423271b4faac68f88fef15fa4697cf0149bad85

    SHA256

    cc46ab0bf6b19a2601cd002b06769ad08baf4ed0b14e8728973f8af96bdee57e

    SHA512

    0c347d9a2960a17f8ec9b78ede972bf3cf6567fd079a6aa5a6ac262ac227bfd36acc53a7a127fd7f387dec9f4509f4f3f754b10853a213e993ea1573e74ed7e6

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsy8D34.tmp\SkinBtn.dll
    Filesize

    4KB

    MD5

    29818862640ac659ce520c9c64e63e9e

    SHA1

    485e1e6cc552fa4f05fb767043b1e7c9eb80be64

    SHA256

    e96afa894a995a6097a405df76155a7a39962ff6cae7a59d89a25e5a34ab9eeb

    SHA512

    ebb94eb21e060fb90ec9c86787eada42c7c9e1e7628ea4b16d3c7b414f554a94d5e4f4abe0e4ee30fddf4f904fd3002770a9b967fbd0feeca353e21079777057

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsy8D34.tmp\System.dll
    Filesize

    11KB

    MD5

    bf712f32249029466fa86756f5546950

    SHA1

    75ac4dc4808ac148ddd78f6b89a51afbd4091c2e

    SHA256

    7851cb12fa4131f1fee5de390d650ef65cac561279f1cfe70ad16cc9780210af

    SHA512

    13f69959b28416e0b8811c962a49309dca3f048a165457051a28a3eb51377dcaf99a15e86d7eee8f867a9e25ecf8c44da370ac8f530eeae7b5252eaba64b96f4

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsy8D34.tmp\YoudaoDictInstaller.exe
    Filesize

    3.1MB

    MD5

    b726278e92fc8e38bd4593aa2780e60c

    SHA1

    511a4df30ef1ca9767e2dc78f36bc905c0f3854b

    SHA256

    0e7ddd89e21bca4ff3734eb0594f4aa04023823dd480d91f2886deed41bc0ab7

    SHA512

    a3892f0b7248390163ef4b660c9cc6d8a082fcca276b4aaefe3b79846684d577cf83d9e711af826930d7c584e1264c073da4873b9f49d4a423267bd0128c9615

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsy8D34.tmp\nsDialogs.dll
    Filesize

    9KB

    MD5

    4ccc4a742d4423f2f0ed744fd9c81f63

    SHA1

    704f00a1acc327fd879cf75fc90d0b8f927c36bc

    SHA256

    416133dd86c0dff6b0fcaf1f46dfe97fdc85b37f90effb2d369164a8f7e13ae6

    SHA512

    790c5eb1f8b297e45054c855b66dfc18e9f3f1b1870559014dbefa3b9d5b6d33a993a9e089202e70f51a55d859b74e8605c6f633386fd9189b6f78941bf1bfdb

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsy8D34.tmp\nsisSlideshow.dll
    Filesize

    7KB

    MD5

    05555b779901f6b604ad890224a7a663

    SHA1

    4e98bc415745c95aae75dfda79c78295bd3cef2c

    SHA256

    f8d353598129877a8aeb45821dbb9845fa5b347ad51c46c640f92a418dd3f174

    SHA512

    757296383f15884cb4747c9a16432598bdaa0925cbb4b06f1664138aba1aebdc49e594ad4353fce1bde620077a5851b754fa871b07f29cab40f05e208997f641

    Download Submit

  • \Users\Admin\AppData\Local\youdao\dict\Application\Stable\YoudaoGetWord32.dll
    Filesize

    600KB

    MD5

    9a7dca1cc700dd1e41fd82c32909617d

    SHA1

    bdf98fe4e0546cdc87735b799a44bde044410590

    SHA256

    03dfa72e8f1b4a4714bf0043e685c71f9d279ed00606601ff0f6bbbea4fc85dc

    SHA512

    d36d50e1b37338c6af68fb9e9f912f4a9983d0454265968d7ae1e269372344113686f1a9189a2ff7917cc95f66d974fc0095f9182367ece7875ad80ce81217d9

    Download Submit

  • memory/1888-36-0x0000000000130000-0x0000000000132000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2216-892-0x0000000004210000-0x0000000004321000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2216-857-0x0000000004210000-0x0000000004321000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2216-862-0x0000000004210000-0x0000000004321000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2216-866-0x0000000004210000-0x0000000004321000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2216-868-0x0000000004210000-0x0000000004321000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2216-870-0x0000000004210000-0x0000000004321000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2216-872-0x0000000004210000-0x0000000004321000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2216-874-0x0000000004210000-0x0000000004321000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2216-876-0x0000000004210000-0x0000000004321000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2216-880-0x0000000004210000-0x0000000004321000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2216-882-0x0000000004210000-0x0000000004321000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2216-884-0x0000000004210000-0x0000000004321000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2216-886-0x0000000004210000-0x0000000004321000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2216-890-0x0000000004210000-0x0000000004321000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2216-858-0x0000000004210000-0x0000000004321000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2216-894-0x0000000004210000-0x0000000004321000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2216-896-0x0000000004210000-0x0000000004321000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2216-860-0x0000000004210000-0x0000000004321000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2216-898-0x0000000004210000-0x0000000004321000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2216-900-0x0000000004210000-0x0000000004321000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2216-904-0x0000000004210000-0x0000000004321000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2216-906-0x0000000004210000-0x0000000004321000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2216-908-0x0000000004210000-0x0000000004321000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2216-910-0x0000000004210000-0x0000000004321000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2216-912-0x0000000004210000-0x0000000004321000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2216-916-0x0000000004210000-0x0000000004321000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2216-914-0x0000000004210000-0x0000000004321000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2216-902-0x0000000004210000-0x0000000004321000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2216-888-0x0000000004210000-0x0000000004321000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2216-878-0x0000000004210000-0x0000000004321000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2216-864-0x0000000004210000-0x0000000004321000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2216-775-0x0000000002610000-0x000000000416B000-memory.dmp

    Filesize

    27.4MB

    Download

  • memory/2216-45-0x0000000000400000-0x0000000001F5B000-memory.dmp

    Filesize

    27.4MB

    Download

  • memory/2216-46-0x0000000075270000-0x00000000752B7000-memory.dmp

    Filesize

    284KB

    Download

  • memory/2216-17544-0x0000000000400000-0x0000000001F5B000-memory.dmp

    Filesize

    27.4MB

    Download