gh0strat | f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d

Analysis

max time kernel
140s
max time network
52s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe
Size

14.9MB
MD5

90aaaf0c696b05986c771cebc158ce43
SHA1

1d92041cdeff460d682220883b42a41970c45c62
SHA256

f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d
SHA512

fce47816a479d020e215841853dc71080344ef00fd76c7b7a38a93c241df6cfb58c7176016c2b98afd06a0b4d1f15cc939dd8ea58357583e1c0fe7c102ce18c0
SSDEEP

393216:TgGJjm1ji73pN93/6fVuN/pkdMX1fA0A0djA+9YvkFw+eNNYl:UYK1m73pv6tYvAJ++vQwLNE

Score

10^/10

gh0strat discovery exploit persistence rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1220-79-0x0000000010000000-0x0000000010046000-memory.dmp	family_gh0strat
behavioral1/memory/1220-87-0x0000000010000000-0x0000000010046000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Drops file in Drivers directory 2 IoCs

Processes:

f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\Beep.sys	f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Beep.sys	f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe

Executes dropped EXE 4 IoCs

Processes:

123.exeserver.exe7383GameCenter_v3.28.exe7383GameCenter_v3.28.tmp

pid process

956 123.exe
1220 server.exe
2040 7383GameCenter_v3.28.exe
1992 7383GameCenter_v3.28.tmp
Possible privilege escalation attempt 6 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

940 takeown.exe
1868 icacls.exe
828 takeown.exe
1964 icacls.exe
320 takeown.exe
760 icacls.exe

pid	process
956	123.exe
1220	server.exe
2040	7383GameCenter_v3.28.exe
1992	7383GameCenter_v3.28.tmp

pid	process
940	takeown.exe
1868	icacls.exe
828	takeown.exe
1964	icacls.exe
320	takeown.exe
760	icacls.exe

Loads dropped DLL 9 IoCs

Processes:

f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe7383GameCenter_v3.28.exe7383GameCenter_v3.28.tmp

pid	process
1028	f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe
1028	f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe
1028	f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe
1028	f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe
1028	f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe
2040	7383GameCenter_v3.28.exe
1992	7383GameCenter_v3.28.tmp
1992	7383GameCenter_v3.28.tmp
1992	7383GameCenter_v3.28.tmp

Modifies file permissions 1 TTPs 6 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

828 takeown.exe
1964 icacls.exe
320 takeown.exe
760 icacls.exe
940 takeown.exe
1868 icacls.exe

pid	process
828	takeown.exe
1964	icacls.exe
320	takeown.exe
760	icacls.exe
940	takeown.exe
1868	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\0600BA48 = "C:\\Windows\\0600BA48\\svchsot.exe"	server.exe

Drops file in System32 directory 10 IoCs

Processes:

123.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\1233BBD.tmp	123.exe
File opened for modification	C:\Windows\syswow64\1233BBD.tmp	123.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	123.exe
File created	C:\Windows\SysWOW64\sxload.tmp	123.exe
File opened for modification	C:\Windows\SysWOW64\123789B.tmp	123.exe
File opened for modification	C:\Windows\SysWOW64\1237EE3.tmp	123.exe
File created	C:\Windows\SysWOW64\dllcache\rasadhlp.dll	123.exe
File opened for modification	C:\Windows\syswow64\123789B.tmp	123.exe
File created	C:\Windows\SysWOW64\dllcache\iphlpapi.dll	123.exe
File opened for modification	C:\Windows\syswow64\1237EE3.tmp	123.exe

Drops file in Program Files directory 1 IoCs

Processes:

123.exe

description ioc process

File created C:\Program Files (x86)\Common Files\sx7383.tmp 123.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1948 taskkill.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

server.exe123.exe

pid process

1220 server.exe
1220 server.exe
1220 server.exe
1220 server.exe
956 123.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

464
464

description	ioc	process
File created	C:\Program Files (x86)\Common Files\sx7383.tmp	123.exe

pid	process
1948	taskkill.exe

pid	process
1220	server.exe
1220	server.exe
1220	server.exe
1220	server.exe
956	123.exe

pid	process
464
464

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

123.exeserver.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	956	123.exe
Token: SeDebugPrivilege	1220	server.exe
Token: SeTakeOwnershipPrivilege	828	takeown.exe
Token: SeTakeOwnershipPrivilege	320	takeown.exe
Token: SeTakeOwnershipPrivilege	940	takeown.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

123.exe

pid process

956 123.exe
956 123.exe
956 123.exe
956 123.exe
956 123.exe
956 123.exe
956 123.exe
956 123.exe
956 123.exe
956 123.exe
956 123.exe
956 123.exe

pid	process
956	123.exe
956	123.exe
956	123.exe
956	123.exe
956	123.exe
956	123.exe
956	123.exe
956	123.exe
956	123.exe
956	123.exe
956	123.exe
956	123.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe7383GameCenter_v3.28.exe123.execmd.execmd.exeserver.exenet.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1028 wrote to memory of 956	1028	f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe	123.exe
PID 1028 wrote to memory of 956	1028	f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe	123.exe
PID 1028 wrote to memory of 956	1028	f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe	123.exe
PID 1028 wrote to memory of 956	1028	f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe	123.exe
PID 1028 wrote to memory of 1220	1028	f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe	server.exe
PID 1028 wrote to memory of 1220	1028	f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe	server.exe
PID 1028 wrote to memory of 1220	1028	f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe	server.exe
PID 1028 wrote to memory of 1220	1028	f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe	server.exe
PID 1028 wrote to memory of 2040	1028	f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe	7383GameCenter_v3.28.exe
PID 1028 wrote to memory of 2040	1028	f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe	7383GameCenter_v3.28.exe
PID 1028 wrote to memory of 2040	1028	f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe	7383GameCenter_v3.28.exe
PID 1028 wrote to memory of 2040	1028	f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe	7383GameCenter_v3.28.exe
PID 2040 wrote to memory of 1992	2040	7383GameCenter_v3.28.exe	7383GameCenter_v3.28.tmp
PID 2040 wrote to memory of 1992	2040	7383GameCenter_v3.28.exe	7383GameCenter_v3.28.tmp
PID 2040 wrote to memory of 1992	2040	7383GameCenter_v3.28.exe	7383GameCenter_v3.28.tmp
PID 2040 wrote to memory of 1992	2040	7383GameCenter_v3.28.exe	7383GameCenter_v3.28.tmp
PID 2040 wrote to memory of 1992	2040	7383GameCenter_v3.28.exe	7383GameCenter_v3.28.tmp
PID 2040 wrote to memory of 1992	2040	7383GameCenter_v3.28.exe	7383GameCenter_v3.28.tmp
PID 2040 wrote to memory of 1992	2040	7383GameCenter_v3.28.exe	7383GameCenter_v3.28.tmp
PID 956 wrote to memory of 1212	956	123.exe	cmd.exe
PID 956 wrote to memory of 1212	956	123.exe	cmd.exe
PID 956 wrote to memory of 1212	956	123.exe	cmd.exe
PID 956 wrote to memory of 1212	956	123.exe	cmd.exe
PID 1212 wrote to memory of 1808	1212	cmd.exe	cmd.exe
PID 1212 wrote to memory of 1808	1212	cmd.exe	cmd.exe
PID 1212 wrote to memory of 1808	1212	cmd.exe	cmd.exe
PID 1212 wrote to memory of 1808	1212	cmd.exe	cmd.exe
PID 1808 wrote to memory of 828	1808	cmd.exe	takeown.exe
PID 1808 wrote to memory of 828	1808	cmd.exe	takeown.exe
PID 1808 wrote to memory of 828	1808	cmd.exe	takeown.exe
PID 1808 wrote to memory of 828	1808	cmd.exe	takeown.exe
PID 1220 wrote to memory of 1340	1220	server.exe	net.exe
PID 1220 wrote to memory of 1340	1220	server.exe	net.exe
PID 1220 wrote to memory of 1340	1220	server.exe	net.exe
PID 1220 wrote to memory of 1340	1220	server.exe	net.exe
PID 1212 wrote to memory of 1964	1212	cmd.exe	icacls.exe
PID 1212 wrote to memory of 1964	1212	cmd.exe	icacls.exe
PID 1212 wrote to memory of 1964	1212	cmd.exe	icacls.exe
PID 1212 wrote to memory of 1964	1212	cmd.exe	icacls.exe
PID 1340 wrote to memory of 1580	1340	net.exe	net1.exe
PID 1340 wrote to memory of 1580	1340	net.exe	net1.exe
PID 1340 wrote to memory of 1580	1340	net.exe	net1.exe
PID 1340 wrote to memory of 1580	1340	net.exe	net1.exe
PID 956 wrote to memory of 1404	956	123.exe	cmd.exe
PID 956 wrote to memory of 1404	956	123.exe	cmd.exe
PID 956 wrote to memory of 1404	956	123.exe	cmd.exe
PID 956 wrote to memory of 1404	956	123.exe	cmd.exe
PID 1404 wrote to memory of 1936	1404	cmd.exe	cmd.exe
PID 1404 wrote to memory of 1936	1404	cmd.exe	cmd.exe
PID 1404 wrote to memory of 1936	1404	cmd.exe	cmd.exe
PID 1404 wrote to memory of 1936	1404	cmd.exe	cmd.exe
PID 1936 wrote to memory of 320	1936	cmd.exe	takeown.exe
PID 1936 wrote to memory of 320	1936	cmd.exe	takeown.exe
PID 1936 wrote to memory of 320	1936	cmd.exe	takeown.exe
PID 1936 wrote to memory of 320	1936	cmd.exe	takeown.exe
PID 956 wrote to memory of 592	956	123.exe	cmd.exe
PID 956 wrote to memory of 592	956	123.exe	cmd.exe
PID 956 wrote to memory of 592	956	123.exe	cmd.exe
PID 956 wrote to memory of 592	956	123.exe	cmd.exe
PID 1404 wrote to memory of 760	1404	cmd.exe	icacls.exe
PID 1404 wrote to memory of 760	1404	cmd.exe	icacls.exe
PID 1404 wrote to memory of 760	1404	cmd.exe	icacls.exe
PID 1404 wrote to memory of 760	1404	cmd.exe	icacls.exe
PID 592 wrote to memory of 1700	592	cmd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe
"C:\Users\Admin\AppData\Local\Temp\f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1028

C:\Users\Admin\AppData\Local\Temp\123.exe
"C:\Users\Admin\AppData\Local\Temp\123.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\cmd.exe
cmd /c 2.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\syswow64"
4⤵
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\syswow64"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:828

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\syswow64" /grant administrators:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1964

C:\Windows\SysWOW64\cmd.exe
cmd /c 2.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\syswow64"
4⤵
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\syswow64"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\syswow64" /grant administrators:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:760

C:\Windows\SysWOW64\cmd.exe
cmd /c 2.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:592

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\syswow64"
4⤵
PID:1700

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\syswow64"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\syswow64" /grant administrators:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1868

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "GamePlaza.exe"
3⤵
- Kills process with taskkill
PID:1948

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\SysWOW64\net.exe
net start "Task Scheduler"
3⤵
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start "Task Scheduler"
4⤵
PID:1580

C:\Users\Admin\AppData\Local\Temp\7383GameCenter_v3.28.exe
"C:\Users\Admin\AppData\Local\Temp\7383GameCenter_v3.28.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Local\Temp\is-NL5K5.tmp\7383GameCenter_v3.28.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NL5K5.tmp\7383GameCenter_v3.28.tmp" /SL5="$90122,15155810,67072,C:\Users\Admin\AppData\Local\Temp\7383GameCenter_v3.28.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\123.exe
Filesize
26KB

MD5
d98d61075c63fd210c7ae68867374f67

SHA1
657e54b5f25306e7191970d7f498c872d8737f40

SHA256
a48e6a66afdea26e5b5a6d0fadf7a1acb921dbc58c08b0001a3ca21b072e8a6d

SHA512
6f2588922c3f4507d29bb6c9b57de540643a23fec94db07476e0eed3aed25e100b821fbee9ea0590575298d417c158b57fcf8402862ecc4f9d61a70ec703f885

Download Submit
C:\Users\Admin\AppData\Local\Temp\123.exe
Filesize
26KB

MD5
d98d61075c63fd210c7ae68867374f67

SHA1
657e54b5f25306e7191970d7f498c872d8737f40

SHA256
a48e6a66afdea26e5b5a6d0fadf7a1acb921dbc58c08b0001a3ca21b072e8a6d

SHA512
6f2588922c3f4507d29bb6c9b57de540643a23fec94db07476e0eed3aed25e100b821fbee9ea0590575298d417c158b57fcf8402862ecc4f9d61a70ec703f885

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
521e37256443e6b3f2281f217476bf79

SHA1
81f0e2b65605f070782cbe241569c6b9a25bb9dc

SHA256
79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f

SHA512
23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
521e37256443e6b3f2281f217476bf79

SHA1
81f0e2b65605f070782cbe241569c6b9a25bb9dc

SHA256
79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f

SHA512
23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
521e37256443e6b3f2281f217476bf79

SHA1
81f0e2b65605f070782cbe241569c6b9a25bb9dc

SHA256
79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f

SHA512
23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025

Download Submit
C:\Users\Admin\AppData\Local\Temp\7383GameCenter_v3.28.exe
Filesize
14.8MB

MD5
e345699fb3c408badd9290b7071ab3be

SHA1
9a38eee55f7ba69371fc60b552e410db33c28584

SHA256
975858a08ba28afcb6a3b8cc7a51c08b0d8cbb042d82078b4e6bfe383c29ad0b

SHA512
db0952d521e2033b657c615b1adc327d97191f305800b31cc359c7a998fc723a5ff284f96b45984ea00062398b921f62597463c36ef179165ef905434ca02ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7383GameCenter_v3.28.exe
Filesize
14.8MB

MD5
e345699fb3c408badd9290b7071ab3be

SHA1
9a38eee55f7ba69371fc60b552e410db33c28584

SHA256
975858a08ba28afcb6a3b8cc7a51c08b0d8cbb042d82078b4e6bfe383c29ad0b

SHA512
db0952d521e2033b657c615b1adc327d97191f305800b31cc359c7a998fc723a5ff284f96b45984ea00062398b921f62597463c36ef179165ef905434ca02ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NL5K5.tmp\7383GameCenter_v3.28.tmp
Filesize
701KB

MD5
5ccf127dcef6c689d9de3e8fd68b76fd

SHA1
eef6a9b5f85f97a593bb6587850ec0e604c9fdb9

SHA256
9f41b29a9e70206c71ed62e3c77483ecaef0fb6415a8c8404054ec00e9ffac82

SHA512
b163b3858c80cc41a549ff1a90eddd491b864eddd86dd7daca712520af4f03b4e816bee96793ac5c2298930dd237446941a9bd42eb8565e553cd23997da945d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
80KB

MD5
6a6fa84bbc2ee7b1ee5957a66c86904e

SHA1
25e9df4d983ab9a2b1561e500f083ac98ccf966b

SHA256
507e5243da2a8f45f641d0e23556f98601edc14506d1151e5c100d6b9d8a3db3

SHA512
9f6abaf2bf7dc784c57a61f18eac88c77345014e20bc41c54d68f54a5591a7e348e48f1cf452d96e6622bbadc6685d593ab26811b87821f684a62bce3bf6a2c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
80KB

MD5
6a6fa84bbc2ee7b1ee5957a66c86904e

SHA1
25e9df4d983ab9a2b1561e500f083ac98ccf966b

SHA256
507e5243da2a8f45f641d0e23556f98601edc14506d1151e5c100d6b9d8a3db3

SHA512
9f6abaf2bf7dc784c57a61f18eac88c77345014e20bc41c54d68f54a5591a7e348e48f1cf452d96e6622bbadc6685d593ab26811b87821f684a62bce3bf6a2c8

Download Submit
C:\Windows\SysWOW64\1233BBD.tmp
Filesize
16KB

MD5
f4fd07b1c136fd35c933925462e3ed18

SHA1
b97f3cd2e9e2a29289e39397c265cdd980c8eb9f

SHA256
1b013c3f92da5413da29e68e255126c0c562e88b83cc3f2c8c47ff7b8baefc2c

SHA512
51e8ee9f23fac41d6c7bdad3e7f8ebda2c7b58de5056c7cbd9666796f06a4e0ea3fbad40626e3ba6b0ddbc77dccf28c24b5519677ac80b427189146ed177ab81

Download Submit
C:\Windows\SysWOW64\123789B.tmp
Filesize
101KB

MD5
f913b20dc0e5fa059512c86b18bfc079

SHA1
610f717ae3bc6fecfb04324a2c8dc01999156808

SHA256
6e040e9019e31789c1fd1e4431e82cc00a6b4daec29e298225373dee2a809d18

SHA512
0a85ce85b690f067351aab39aa567bb8853d8929142a1e93f4eeb7c6de74e32ff590598a2e3df174a500465dc029afb1956e76ace405b2c7d945763a8db94c8c

Download Submit
C:\Windows\SysWOW64\1237EE3.tmp
Filesize
11KB

MD5
931ba9e14fcbe21b5c8277659aa0f60a

SHA1
e14165f4d0c64ff347e86d1bbc1d0142d58f50e2

SHA256
cab7ea6cb10da50db2d603fdc4fe5bea698ad9e032781ac4b9f9e73311c5775c

SHA512
ce973f13efa94808b031d4def0514efd9684ee035a2b628d9299ac01d6ff60e6624d0a7f5f5d46a8c63720de129d6202edc8fc7918926fb88f1dc915fc1bc275

Download Submit
C:\Windows\SysWOW64\dllcache\iphlpapi.dll
Filesize
101KB

MD5
a90dc9abd65db1a8902f361103029952

SHA1
63e1e92df2f25c024565c3343233844b92d69469

SHA256
26798758976ce53251ac342b966be0363ae1794bd965c452f5debc33e18969f0

SHA512
462e5870ad942403d09941bc1e43f3db9103faf93ac972d9ff8f5fc46161a0adb1203b539760c2f122840f7ce931f5d59506fe7d5b28ef872db629cbf5768ccd

Download Submit
C:\Windows\SysWOW64\dllcache\rasadhlp.dll
Filesize
11KB

MD5
ed6ee83d61ebc683c2cd8e899ea6febe

SHA1
96c5ecd773981da65cc234a3d7f83f141bb6edb9

SHA256
f82592908d038c44d9f2e5c5b7bc663a2d370fc565f40420e1138a9e55f0e7eb

SHA512
7c6edb67fff4b64d935dd75d516a7fb5597fdba02b424103b8c0ea9f4c9f689e7436821d2cb65ded65d9bf5505cac91cc77ad8f8466b02823a347073ffd23f9e

Download Submit
\Users\Admin\AppData\Local\Temp\123.exe
Filesize
26KB

MD5
d98d61075c63fd210c7ae68867374f67

SHA1
657e54b5f25306e7191970d7f498c872d8737f40

SHA256
a48e6a66afdea26e5b5a6d0fadf7a1acb921dbc58c08b0001a3ca21b072e8a6d

SHA512
6f2588922c3f4507d29bb6c9b57de540643a23fec94db07476e0eed3aed25e100b821fbee9ea0590575298d417c158b57fcf8402862ecc4f9d61a70ec703f885

Download Submit
\Users\Admin\AppData\Local\Temp\123.exe
Filesize
26KB

MD5
d98d61075c63fd210c7ae68867374f67

SHA1
657e54b5f25306e7191970d7f498c872d8737f40

SHA256
a48e6a66afdea26e5b5a6d0fadf7a1acb921dbc58c08b0001a3ca21b072e8a6d

SHA512
6f2588922c3f4507d29bb6c9b57de540643a23fec94db07476e0eed3aed25e100b821fbee9ea0590575298d417c158b57fcf8402862ecc4f9d61a70ec703f885

Download Submit
\Users\Admin\AppData\Local\Temp\7383GameCenter_v3.28.exe
Filesize
14.8MB

MD5
e345699fb3c408badd9290b7071ab3be

SHA1
9a38eee55f7ba69371fc60b552e410db33c28584

SHA256
975858a08ba28afcb6a3b8cc7a51c08b0d8cbb042d82078b4e6bfe383c29ad0b

SHA512
db0952d521e2033b657c615b1adc327d97191f305800b31cc359c7a998fc723a5ff284f96b45984ea00062398b921f62597463c36ef179165ef905434ca02ea4

Download Submit
\Users\Admin\AppData\Local\Temp\is-93D8N.tmp\_isetup\_isdecmp.dll
Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
\Users\Admin\AppData\Local\Temp\is-93D8N.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-93D8N.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-NL5K5.tmp\7383GameCenter_v3.28.tmp
Filesize
701KB

MD5
5ccf127dcef6c689d9de3e8fd68b76fd

SHA1
eef6a9b5f85f97a593bb6587850ec0e604c9fdb9

SHA256
9f41b29a9e70206c71ed62e3c77483ecaef0fb6415a8c8404054ec00e9ffac82

SHA512
b163b3858c80cc41a549ff1a90eddd491b864eddd86dd7daca712520af4f03b4e816bee96793ac5c2298930dd237446941a9bd42eb8565e553cd23997da945d3

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe
Filesize
80KB

MD5
6a6fa84bbc2ee7b1ee5957a66c86904e

SHA1
25e9df4d983ab9a2b1561e500f083ac98ccf966b

SHA256
507e5243da2a8f45f641d0e23556f98601edc14506d1151e5c100d6b9d8a3db3

SHA512
9f6abaf2bf7dc784c57a61f18eac88c77345014e20bc41c54d68f54a5591a7e348e48f1cf452d96e6622bbadc6685d593ab26811b87821f684a62bce3bf6a2c8

Download Submit
\Users\Admin\AppData\Local\Temp\server.exe
Filesize
80KB

MD5
6a6fa84bbc2ee7b1ee5957a66c86904e

SHA1
25e9df4d983ab9a2b1561e500f083ac98ccf966b

SHA256
507e5243da2a8f45f641d0e23556f98601edc14506d1151e5c100d6b9d8a3db3

SHA512
9f6abaf2bf7dc784c57a61f18eac88c77345014e20bc41c54d68f54a5591a7e348e48f1cf452d96e6622bbadc6685d593ab26811b87821f684a62bce3bf6a2c8

Download Submit
memory/320-99-0x0000000000000000-mapping.dmp

Download
memory/592-101-0x0000000000000000-mapping.dmp

Download
memory/760-102-0x0000000000000000-mapping.dmp

Download
memory/828-88-0x0000000000000000-mapping.dmp

Download
memory/940-109-0x0000000000000000-mapping.dmp

Download
memory/956-57-0x0000000000000000-mapping.dmp

Download
memory/956-93-0x0000000073FC1000-0x0000000073FC3000-memory.dmp

Filesize
8KB

Download
memory/956-94-0x0000000073E11000-0x0000000073E13000-memory.dmp

Filesize
8KB

Download
memory/1028-54-0x0000000075021000-0x0000000075023000-memory.dmp

Filesize
8KB

Download
memory/1212-78-0x0000000000000000-mapping.dmp

Download
memory/1220-62-0x0000000000000000-mapping.dmp

Download
memory/1220-79-0x0000000010000000-0x0000000010046000-memory.dmp

Filesize
280KB

Download
memory/1220-76-0x0000000010000000-0x0000000010046000-memory.dmp

Filesize
280KB

Download
memory/1220-87-0x0000000010000000-0x0000000010046000-memory.dmp

Filesize
280KB

Download
memory/1340-90-0x0000000000000000-mapping.dmp

Download
memory/1404-95-0x0000000000000000-mapping.dmp

Download
memory/1580-92-0x0000000000000000-mapping.dmp

Download
memory/1700-106-0x0000000000000000-mapping.dmp

Download
memory/1808-86-0x0000000000000000-mapping.dmp

Download
memory/1868-112-0x0000000000000000-mapping.dmp

Download
memory/1936-98-0x0000000000000000-mapping.dmp

Download
memory/1964-91-0x0000000000000000-mapping.dmp

Download
memory/1992-73-0x0000000000000000-mapping.dmp

Download
memory/2040-69-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2040-66-0x0000000000000000-mapping.dmp

Download
memory/2040-84-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download