511a539eac0d06afcc72b0b55cc2f20c38d22cec03f3631c49ecb181e6866c27

Analysis

max time kernel
99s
max time network
144s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
26/11/2022, 00:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

511a539eac0d06afcc72b0b55cc2f20c38d22cec03f3631c49ecb181e6866c27.exe
Size

3.3MB
MD5

cc8b4ddbe1bc0e61fc54859bbd8c9152
SHA1

4e0ca1731872ca83b27a80947bb903a556e76a9f
SHA256

511a539eac0d06afcc72b0b55cc2f20c38d22cec03f3631c49ecb181e6866c27
SHA512

5ae90dc1e3d886afdcc936b3b171c4af89e44adf9a8cd24885ea9fcb64b31c38b8efac92f3638e0d4d63591277994aad94c451d1baa90fcbe74019daaf65ff0e
SSDEEP

49152:DoRQsW6zg2yxIGSE9nV/elHQnCluG7AuE4IYupfSzTW2yu+4ufduZbyU:7sW6dHE5MlHOiBE4MpfSTW2y54u4Zb

Score

8^/10

discovery persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 9 IoCs

pid	Process
1252	511a539eac0d06afcc72b0b55cc2f20c38d22cec03f3631c49ecb181e6866c27.exe
1020	rundll32.exe
1020	rundll32.exe
1020	rundll32.exe
1020	rundll32.exe
908	rundll32.exe
908	rundll32.exe
908	rundll32.exe
908	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\goopad\goopad.dll	511a539eac0d06afcc72b0b55cc2f20c38d22cec03f3631c49ecb181e6866c27.exe

Modifies data under HKEY_USERS 51 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\eae10f9d\3c09c42b = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\eae10f9d\bbf88800 = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\eae10f9d\c6c5dd44 = "V/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\eae10f9d\f0bf0bde = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\eae10f9d\f2c53c49 = "UlAr/XJ/c//k////"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\iiid = "1"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\eae10f9d	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\eae10f9d\060df2cd = "c/Au/XV/H/Ap/X2/GP/j/Xt/axAv/X6////%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\eae10f9d\414bc593 = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\eae10f9d\72758a5d = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\eae10f9d\f1f24e29 = "Vl/l/C/////%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\eae10f9d\f6ad6fa6 = "V/////%%"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\00000000\3efeb33e = 00000000	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\00000000\493c7345 = 6900300031002b0030003600620030006f003000310044003000360049003000700078003000530030003600490030007000780031004f003000300025002500000070006c00310065003000360062003000690030003100540030003700380030006a0078003100420030003600450030006e0055003100680030003200490030006e006c0031002b00300037007800300000000000	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\eae10f9d\0e93c3f3 = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\eae10f9d\27ddcf6f = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\eae10f9d\7367429f = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\eae10f9d\a2e3b941 = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\eae10f9d\c5705860 = "Vx////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\eae10f9d\e46c271e = "///%"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\00000000	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\eae10f9d\e8f9dcc7 = "UlAr/XJ/c//k////"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\eae10f9d\340d3099 = "/P////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\eae10f9d\fe94ce1e = "V/////%%"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\eae10f9d\0c230bcb = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\eae10f9d\2e22d94e = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\eae10f9d\48bd1aff = "V/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\eae10f9d\587b5709 = "V/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\eae10f9d\d94388d2 = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\eae10f9d\37b7a6d8 = "UlAr/XJ/c//k////"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\eae10f9d\6185d035 = "Vx/2/Cx/V//l////"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\eae10f9d\65114b36 = "VP/l////"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\eae10f9d\c24899a6 = "VP/g/CV/Vl/2/Cx////%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\eae10f9d\c99a5f5c = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\eae10f9d\d1abcdb6 = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\eae10f9d\1c311243 = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\eae10f9d\51d2f2ea = "GlAk/X6/b/Ay/XP////%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\eae10f9d\8b9e4cbc = "V/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\eae10f9d\a1dcff5b = "V/////%%"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\00000000\a47da861 = 6f00300031004f0030003700780030006d00300030004b003000320045003000610055003100650030003700300030006d00300031002b0030003600340030006d006c0031006500300036004900300061006c00310054003000370038003000700055003000540030003700740030006e006c003100440030003600490030006d00550031004f0030003600340030006e00300031005900300032004500300000006f00300031004f0030003700780030006d00300030004b003000320045003000610055003100650030003700300030006d003000310065003000370038003000700078003000530030003600450030006d006c00310042003000320045003000690078003100530030003600680030006e006c0031004e00300037007800300071007800310059003000360055003000610055003000250000006f00300031004f0030003700780030006d00300030004b00300032004500300061005500310057003000360074003000690030003100410030003700380030007000780031002b0030003200490030006e00550031004d00300036006d003000610055003100500030003600490030006f007800310053003000370062003000690030003100650030003600550030006e00300030005400300030002500250000006f00300031004f0030003700780030006d00300030004b0030003200450030006100550031005900300036006800300071006c0031004d0030003600340030006d006c0031004a0030003700620030007100780031004100300036007400300061006c00310054003000370038003000700055003000540030003700740030006e006c003100440030003600490030006d00550031004f0030003600340030006e00300031005900300032004500300000006f00300031004f0030003700780030006d00300030004b003000320045003000610055003100410030003600340030007100550031004f0030003600450030006d006c0031004a00300036006d0030006e00550031005400300036007800300061006c003100670030003600450030006e0078003000540030003700740030006e006c003100440030003600490030006d00550031004f0030003600340030006e00300031005900300032004500300000006f00300031004f0030003700780030006d00300030004b003000320045003000610055003100410030003600340030007100550031004f0030003600450030006d006c0031004a00300036006d0030006e00550031005400300036007800300061006c00310054003000370038003000700055003000540030003700740030006e006c003100440030003600490030006d00550031004f0030003600340030006e00300031005900300032004500300000006f00300031004f0030003700780030006d00300030004b003000320045003000610055003100570030003600450030006f0030003100530030003700620030006e0078003100440030003700780030006f00300031004e0030003600590030006a0078003000530030003600620030006e00550031005a003000320045003000690078003100530030003600680030006e006c0031004e00300037007800300071007800310059003000360055003000610055003000250000006f00300031004f0030003700780030006d00300030004b003000320045003000610055003100570030003600450030006f0030003100530030003700620030006e0078003100440030003700780030006f00300031004e0030003600590030006a0078003000530030003600450030006d006c00310042003000320045003000690078003100530030003600680030006e006c0031004e00300037007800300071007800310059003000360055003000610055003000250000006f00300031004f0030003700780030006d00300030004b0030003200450030006100550031005a0030003600340030006a00300031004400300036004f0030006900780031004e0030003700740030006f00550031004e0030003600590030006a0078003000530030003600620030006e00550031005a003000320045003000690078003100530030003600680030006e006c0031004e00300037007800300071007800310059003000360055003000610055003000250000006f00300031004f0030003700780030006d00300030004b0030003200450030006100550031005a0030003600340030006a00300031004400300036004f0030006900780031005a0030003600340030006e0030003100590030003200490030006e006c0031002b003000370078003000610055003100500030003600490030006f007800310053003000370062003000690030003100650030003600550030006e00300030005400300030002500250000000000	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\eae10f9d\0dc3ee96 = "/P////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\eae10f9d\1520c6f1 = "V/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\eae10f9d\2d71d5ab = "V/////%%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\eae10f9d\38583bc3 = "Ml/2/CF/M//g/CZ////%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\eae10f9d\7f69fa1f = "///%"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\eae10f9d\a0743acc = "N/////%%"	rundll32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_863788fa\00000000\370856c7 = 00000000	rundll32.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1252	511a539eac0d06afcc72b0b55cc2f20c38d22cec03f3631c49ecb181e6866c27.exe
1252	511a539eac0d06afcc72b0b55cc2f20c38d22cec03f3631c49ecb181e6866c27.exe
1252	511a539eac0d06afcc72b0b55cc2f20c38d22cec03f3631c49ecb181e6866c27.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 1020	1252	511a539eac0d06afcc72b0b55cc2f20c38d22cec03f3631c49ecb181e6866c27.exe	28
PID 1252 wrote to memory of 1020	1252	511a539eac0d06afcc72b0b55cc2f20c38d22cec03f3631c49ecb181e6866c27.exe	28
PID 1252 wrote to memory of 1020	1252	511a539eac0d06afcc72b0b55cc2f20c38d22cec03f3631c49ecb181e6866c27.exe	28
PID 1252 wrote to memory of 1020	1252	511a539eac0d06afcc72b0b55cc2f20c38d22cec03f3631c49ecb181e6866c27.exe	28
PID 1252 wrote to memory of 1020	1252	511a539eac0d06afcc72b0b55cc2f20c38d22cec03f3631c49ecb181e6866c27.exe	28
PID 1252 wrote to memory of 1020	1252	511a539eac0d06afcc72b0b55cc2f20c38d22cec03f3631c49ecb181e6866c27.exe	28
PID 1252 wrote to memory of 1020	1252	511a539eac0d06afcc72b0b55cc2f20c38d22cec03f3631c49ecb181e6866c27.exe	28
PID 1632 wrote to memory of 908	1632	rundll32.exe	31
PID 1632 wrote to memory of 908	1632	rundll32.exe	31
PID 1632 wrote to memory of 908	1632	rundll32.exe	31
PID 1632 wrote to memory of 908	1632	rundll32.exe	31
PID 1632 wrote to memory of 908	1632	rundll32.exe	31
PID 1632 wrote to memory of 908	1632	rundll32.exe	31
PID 1632 wrote to memory of 908	1632	rundll32.exe	31

C:\Users\Admin\AppData\Local\Temp\511a539eac0d06afcc72b0b55cc2f20c38d22cec03f3631c49ecb181e6866c27.exe
"C:\Users\Admin\AppData\Local\Temp\511a539eac0d06afcc72b0b55cc2f20c38d22cec03f3631c49ecb181e6866c27.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\goopad\goopad.dll",serv -install
  2⤵
  - Loads dropped DLL
  PID:1020

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\goopad\goopad.dll",serv
1⤵
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "c:\Program Files (x86)\goopad\goopad.dll",serv
  2⤵
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  PID:908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\Program Files (x86)\goopad\goopad.dll

Filesize
1.9MB

MD5
c84f0e73e77093db963be62633064bcc

SHA1
36d768969071e65d21c43f5128fe782ed94453ea

SHA256
22d10228b923a5ad55ea9099d0fd809cf9b1adc5a1c8db8b6c43ba0885a001d6

SHA512
cfeb40a8d1a8e2f8d6efffa0e9c20abb03bc05f0ebe926b984605fce6e63c8ff6a0bb87c9299c4152dd36c8409583c20f8ea628b4f3f9bdfa55c3f0bca1e4fd2

Download Submit
\Program Files (x86)\goopad\goopad.dll

Filesize
1.9MB

MD5
c84f0e73e77093db963be62633064bcc

SHA1
36d768969071e65d21c43f5128fe782ed94453ea

SHA256
22d10228b923a5ad55ea9099d0fd809cf9b1adc5a1c8db8b6c43ba0885a001d6

SHA512
cfeb40a8d1a8e2f8d6efffa0e9c20abb03bc05f0ebe926b984605fce6e63c8ff6a0bb87c9299c4152dd36c8409583c20f8ea628b4f3f9bdfa55c3f0bca1e4fd2

Download Submit
\Program Files (x86)\goopad\goopad.dll

Filesize
1.9MB

MD5
c84f0e73e77093db963be62633064bcc

SHA1
36d768969071e65d21c43f5128fe782ed94453ea

SHA256
22d10228b923a5ad55ea9099d0fd809cf9b1adc5a1c8db8b6c43ba0885a001d6

SHA512
cfeb40a8d1a8e2f8d6efffa0e9c20abb03bc05f0ebe926b984605fce6e63c8ff6a0bb87c9299c4152dd36c8409583c20f8ea628b4f3f9bdfa55c3f0bca1e4fd2

Download Submit
\Program Files (x86)\goopad\goopad.dll

Filesize
1.9MB

MD5
c84f0e73e77093db963be62633064bcc

SHA1
36d768969071e65d21c43f5128fe782ed94453ea

SHA256
22d10228b923a5ad55ea9099d0fd809cf9b1adc5a1c8db8b6c43ba0885a001d6

SHA512
cfeb40a8d1a8e2f8d6efffa0e9c20abb03bc05f0ebe926b984605fce6e63c8ff6a0bb87c9299c4152dd36c8409583c20f8ea628b4f3f9bdfa55c3f0bca1e4fd2

Download Submit
\Program Files (x86)\goopad\goopad.dll

Filesize
1.9MB

MD5
c84f0e73e77093db963be62633064bcc

SHA1
36d768969071e65d21c43f5128fe782ed94453ea

SHA256
22d10228b923a5ad55ea9099d0fd809cf9b1adc5a1c8db8b6c43ba0885a001d6

SHA512
cfeb40a8d1a8e2f8d6efffa0e9c20abb03bc05f0ebe926b984605fce6e63c8ff6a0bb87c9299c4152dd36c8409583c20f8ea628b4f3f9bdfa55c3f0bca1e4fd2

Download Submit
\Program Files (x86)\goopad\goopad.dll

Filesize
1.9MB

MD5
c84f0e73e77093db963be62633064bcc

SHA1
36d768969071e65d21c43f5128fe782ed94453ea

SHA256
22d10228b923a5ad55ea9099d0fd809cf9b1adc5a1c8db8b6c43ba0885a001d6

SHA512
cfeb40a8d1a8e2f8d6efffa0e9c20abb03bc05f0ebe926b984605fce6e63c8ff6a0bb87c9299c4152dd36c8409583c20f8ea628b4f3f9bdfa55c3f0bca1e4fd2

Download Submit
\Program Files (x86)\goopad\goopad.dll

Filesize
1.9MB

MD5
c84f0e73e77093db963be62633064bcc

SHA1
36d768969071e65d21c43f5128fe782ed94453ea

SHA256
22d10228b923a5ad55ea9099d0fd809cf9b1adc5a1c8db8b6c43ba0885a001d6

SHA512
cfeb40a8d1a8e2f8d6efffa0e9c20abb03bc05f0ebe926b984605fce6e63c8ff6a0bb87c9299c4152dd36c8409583c20f8ea628b4f3f9bdfa55c3f0bca1e4fd2

Download Submit
\Program Files (x86)\goopad\goopad.dll

Filesize
1.9MB

MD5
c84f0e73e77093db963be62633064bcc

SHA1
36d768969071e65d21c43f5128fe782ed94453ea

SHA256
22d10228b923a5ad55ea9099d0fd809cf9b1adc5a1c8db8b6c43ba0885a001d6

SHA512
cfeb40a8d1a8e2f8d6efffa0e9c20abb03bc05f0ebe926b984605fce6e63c8ff6a0bb87c9299c4152dd36c8409583c20f8ea628b4f3f9bdfa55c3f0bca1e4fd2

Download Submit
\Program Files (x86)\goopad\goopad.dll

Filesize
1.9MB

MD5
c84f0e73e77093db963be62633064bcc

SHA1
36d768969071e65d21c43f5128fe782ed94453ea

SHA256
22d10228b923a5ad55ea9099d0fd809cf9b1adc5a1c8db8b6c43ba0885a001d6

SHA512
cfeb40a8d1a8e2f8d6efffa0e9c20abb03bc05f0ebe926b984605fce6e63c8ff6a0bb87c9299c4152dd36c8409583c20f8ea628b4f3f9bdfa55c3f0bca1e4fd2

Download Submit
\Users\Admin\AppData\Local\Temp\tf24876d0e.dll

Filesize
1.9MB

MD5
c84f0e73e77093db963be62633064bcc

SHA1
36d768969071e65d21c43f5128fe782ed94453ea

SHA256
22d10228b923a5ad55ea9099d0fd809cf9b1adc5a1c8db8b6c43ba0885a001d6

SHA512
cfeb40a8d1a8e2f8d6efffa0e9c20abb03bc05f0ebe926b984605fce6e63c8ff6a0bb87c9299c4152dd36c8409583c20f8ea628b4f3f9bdfa55c3f0bca1e4fd2

Download Submit
memory/908-84-0x000000007EC50000-0x000000007EFA8000-memory.dmp

Filesize
3.3MB

Download
memory/1020-73-0x000000007EC50000-0x000000007EFA8000-memory.dmp

Filesize
3.3MB

Download
memory/1252-54-0x000000007ECA0000-0x000000007EFA9000-memory.dmp

Filesize
3.0MB

Download
memory/1252-61-0x000000007E7F0000-0x000000007EB48000-memory.dmp

Filesize
3.3MB

Download
memory/1252-59-0x0000000076381000-0x0000000076383000-memory.dmp

Filesize
8KB

Download