gh0strat | f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d

Analysis

max time kernel
123s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2022 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe
Size

14.9MB
MD5

90aaaf0c696b05986c771cebc158ce43
SHA1

1d92041cdeff460d682220883b42a41970c45c62
SHA256

f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d
SHA512

fce47816a479d020e215841853dc71080344ef00fd76c7b7a38a93c241df6cfb58c7176016c2b98afd06a0b4d1f15cc939dd8ea58357583e1c0fe7c102ce18c0
SSDEEP

393216:TgGJjm1ji73pN93/6fVuN/pkdMX1fA0A0djA+9YvkFw+eNNYl:UYK1m73pv6tYvAJ++vQwLNE

Score

10^/10

gh0strat discovery exploit persistence rat

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2576-148-0x0000000010000000-0x0000000010046000-memory.dmp	family_gh0strat
behavioral2/memory/2576-147-0x0000000010000000-0x0000000010046000-memory.dmp	family_gh0strat
behavioral2/memory/2576-179-0x0000000010000000-0x0000000010046000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Drops file in Drivers directory 2 IoCs

Processes:

f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe

description	ioc	process
File created	C:\Windows\SysWOW64\drivers\Beep.sys	f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Beep.sys	f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe

Executes dropped EXE 4 IoCs

Processes:

123.exeserver.exe7383GameCenter_v3.28.exe7383GameCenter_v3.28.tmp

pid process

1636 123.exe
2576 server.exe
2892 7383GameCenter_v3.28.exe
1996 7383GameCenter_v3.28.tmp
Possible privilege escalation attempt 6 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid process

2404 icacls.exe
748 takeown.exe
536 icacls.exe
5080 takeown.exe
1752 icacls.exe
2420 takeown.exe

pid	process
1636	123.exe
2576	server.exe
2892	7383GameCenter_v3.28.exe
1996	7383GameCenter_v3.28.tmp

pid	process
2404	icacls.exe
748	takeown.exe
536	icacls.exe
5080	takeown.exe
1752	icacls.exe
2420	takeown.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe

Loads dropped DLL 2 IoCs

Processes:

7383GameCenter_v3.28.tmp

pid process

1996 7383GameCenter_v3.28.tmp
1996 7383GameCenter_v3.28.tmp
Modifies file permissions 1 TTPs 6 IoCs
discovery

File Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

5080 takeown.exe
1752 icacls.exe
2420 takeown.exe
2404 icacls.exe
748 takeown.exe
536 icacls.exe

pid	process
1996	7383GameCenter_v3.28.tmp
1996	7383GameCenter_v3.28.tmp

pid	process
5080	takeown.exe
1752	icacls.exe
2420	takeown.exe
2404	icacls.exe
748	takeown.exe
536	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

server.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0600BA48 = "C:\\Windows\\0600BA48\\svchsot.exe"	server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	server.exe

Drops file in System32 directory 7 IoCs

Processes:

123.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\123418.tmp	123.exe
File created	C:\Windows\SysWOW64\dllcache\iphlpapi.dll	123.exe
File opened for modification	C:\Windows\SysWOW64\12312CE.tmp	123.exe
File created	C:\Windows\SysWOW64\dllcache\rasadhlp.dll	123.exe
File opened for modification	C:\Windows\SysWOW64\1231A32.tmp	123.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	123.exe
File created	C:\Windows\SysWOW64\sxload.tmp	123.exe

Drops file in Program Files directory 1 IoCs

Processes:

123.exe

description ioc process

File created C:\Program Files (x86)\Common Files\sx7383.tmp 123.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

860 taskkill.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

server.exe123.exe

pid process

2576 server.exe
2576 server.exe
2576 server.exe
2576 server.exe
2576 server.exe
2576 server.exe
2576 server.exe
2576 server.exe
1636 123.exe
1636 123.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

description	ioc	process
File created	C:\Program Files (x86)\Common Files\sx7383.tmp	123.exe

pid	process
860	taskkill.exe

pid	process
2576	server.exe
2576	server.exe
2576	server.exe
2576	server.exe
2576	server.exe
2576	server.exe
2576	server.exe
2576	server.exe
1636	123.exe
1636	123.exe

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

123.exeserver.exetakeown.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1636	123.exe
Token: SeDebugPrivilege	2576	server.exe
Token: SeTakeOwnershipPrivilege	5080	takeown.exe
Token: SeDebugPrivilege	860	taskkill.exe

Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

123.exe

pid process

1636 123.exe
1636 123.exe
1636 123.exe
1636 123.exe
1636 123.exe
1636 123.exe
1636 123.exe
1636 123.exe
1636 123.exe
1636 123.exe
1636 123.exe
1636 123.exe

pid	process
1636	123.exe
1636	123.exe
1636	123.exe
1636	123.exe
1636	123.exe
1636	123.exe
1636	123.exe
1636	123.exe
1636	123.exe
1636	123.exe
1636	123.exe
1636	123.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe123.exeserver.exe7383GameCenter_v3.28.execmd.execmd.exenet.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4828 wrote to memory of 1636	4828	f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe	123.exe
PID 4828 wrote to memory of 1636	4828	f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe	123.exe
PID 4828 wrote to memory of 1636	4828	f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe	123.exe
PID 4828 wrote to memory of 2576	4828	f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe	server.exe
PID 4828 wrote to memory of 2576	4828	f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe	server.exe
PID 4828 wrote to memory of 2576	4828	f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe	server.exe
PID 1636 wrote to memory of 2432	1636	123.exe	cmd.exe
PID 1636 wrote to memory of 2432	1636	123.exe	cmd.exe
PID 1636 wrote to memory of 2432	1636	123.exe	cmd.exe
PID 4828 wrote to memory of 2892	4828	f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe	7383GameCenter_v3.28.exe
PID 4828 wrote to memory of 2892	4828	f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe	7383GameCenter_v3.28.exe
PID 4828 wrote to memory of 2892	4828	f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe	7383GameCenter_v3.28.exe
PID 2576 wrote to memory of 4560	2576	server.exe	net.exe
PID 2576 wrote to memory of 4560	2576	server.exe	net.exe
PID 2576 wrote to memory of 4560	2576	server.exe	net.exe
PID 2892 wrote to memory of 1996	2892	7383GameCenter_v3.28.exe	7383GameCenter_v3.28.tmp
PID 2892 wrote to memory of 1996	2892	7383GameCenter_v3.28.exe	7383GameCenter_v3.28.tmp
PID 2892 wrote to memory of 1996	2892	7383GameCenter_v3.28.exe	7383GameCenter_v3.28.tmp
PID 2432 wrote to memory of 4712	2432	cmd.exe	cmd.exe
PID 2432 wrote to memory of 4712	2432	cmd.exe	cmd.exe
PID 2432 wrote to memory of 4712	2432	cmd.exe	cmd.exe
PID 4712 wrote to memory of 5080	4712	cmd.exe	takeown.exe
PID 4712 wrote to memory of 5080	4712	cmd.exe	takeown.exe
PID 4712 wrote to memory of 5080	4712	cmd.exe	takeown.exe
PID 4560 wrote to memory of 5036	4560	net.exe	net1.exe
PID 4560 wrote to memory of 5036	4560	net.exe	net1.exe
PID 4560 wrote to memory of 5036	4560	net.exe	net1.exe
PID 2432 wrote to memory of 1752	2432	cmd.exe	icacls.exe
PID 2432 wrote to memory of 1752	2432	cmd.exe	icacls.exe
PID 2432 wrote to memory of 1752	2432	cmd.exe	icacls.exe
PID 1636 wrote to memory of 3008	1636	123.exe	cmd.exe
PID 1636 wrote to memory of 3008	1636	123.exe	cmd.exe
PID 1636 wrote to memory of 3008	1636	123.exe	cmd.exe
PID 3008 wrote to memory of 1840	3008	cmd.exe	cmd.exe
PID 3008 wrote to memory of 1840	3008	cmd.exe	cmd.exe
PID 3008 wrote to memory of 1840	3008	cmd.exe	cmd.exe
PID 1840 wrote to memory of 2420	1840	cmd.exe	takeown.exe
PID 1840 wrote to memory of 2420	1840	cmd.exe	takeown.exe
PID 1840 wrote to memory of 2420	1840	cmd.exe	takeown.exe
PID 3008 wrote to memory of 2404	3008	cmd.exe	icacls.exe
PID 3008 wrote to memory of 2404	3008	cmd.exe	icacls.exe
PID 3008 wrote to memory of 2404	3008	cmd.exe	icacls.exe
PID 1636 wrote to memory of 4156	1636	123.exe	cmd.exe
PID 1636 wrote to memory of 4156	1636	123.exe	cmd.exe
PID 1636 wrote to memory of 4156	1636	123.exe	cmd.exe
PID 4156 wrote to memory of 3764	4156	cmd.exe	cmd.exe
PID 4156 wrote to memory of 3764	4156	cmd.exe	cmd.exe
PID 4156 wrote to memory of 3764	4156	cmd.exe	cmd.exe
PID 3764 wrote to memory of 748	3764	cmd.exe	takeown.exe
PID 3764 wrote to memory of 748	3764	cmd.exe	takeown.exe
PID 3764 wrote to memory of 748	3764	cmd.exe	takeown.exe
PID 4156 wrote to memory of 536	4156	cmd.exe	icacls.exe
PID 4156 wrote to memory of 536	4156	cmd.exe	icacls.exe
PID 4156 wrote to memory of 536	4156	cmd.exe	icacls.exe
PID 1636 wrote to memory of 860	1636	123.exe	taskkill.exe
PID 1636 wrote to memory of 860	1636	123.exe	taskkill.exe
PID 1636 wrote to memory of 860	1636	123.exe	taskkill.exe
PID 1636 wrote to memory of 3464	1636	123.exe	cmd.exe
PID 1636 wrote to memory of 3464	1636	123.exe	cmd.exe
PID 1636 wrote to memory of 3464	1636	123.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe
"C:\Users\Admin\AppData\Local\Temp\f1f4b6a80d68988db5bc5a7b31a9512848f8aca9cb2fe72721491345af085f4d.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4828

C:\Users\Admin\AppData\Local\Temp\123.exe
"C:\Users\Admin\AppData\Local\Temp\123.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:2432

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
4⤵
- Suspicious use of WriteProcessMemory
PID:4712

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5080

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1752

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
4⤵
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2420

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 2.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:4156

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\System32"
4⤵
- Suspicious use of WriteProcessMemory
PID:3764

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:748

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\System32" /grant administrators:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:536

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "GamePlaza.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 1.bat
3⤵
PID:3464

C:\Users\Admin\AppData\Local\Temp\server.exe
"C:\Users\Admin\AppData\Local\Temp\server.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\SysWOW64\net.exe
net start "Task Scheduler"
3⤵
- Suspicious use of WriteProcessMemory
PID:4560

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start "Task Scheduler"
4⤵
PID:5036

C:\Users\Admin\AppData\Local\Temp\7383GameCenter_v3.28.exe
"C:\Users\Admin\AppData\Local\Temp\7383GameCenter_v3.28.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892

C:\Users\Admin\AppData\Local\Temp\is-LUCB9.tmp\7383GameCenter_v3.28.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LUCB9.tmp\7383GameCenter_v3.28.tmp" /SL5="$B0058,15155810,67072,C:\Users\Admin\AppData\Local\Temp\7383GameCenter_v3.28.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.bat
Filesize
129B

MD5
0064c9b2cb1e30f44ebdb674be4a12ee

SHA1
2db352a089ab4b0116d866caa0f2a5425c518145

SHA256
867a7329cf241065a29090336e9ddc315cca83cc18182a1daf0890b464302d7b

SHA512
47ca6d25369d52deed3aa6dc91ce94819f43defa7b6d275e540cd5c8be7732a8cdb34301ddc05311471889e32aa9dd4b5a90fe675835cbb57a64bc7bbc5c38b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\123.exe
Filesize
26KB

MD5
d98d61075c63fd210c7ae68867374f67

SHA1
657e54b5f25306e7191970d7f498c872d8737f40

SHA256
a48e6a66afdea26e5b5a6d0fadf7a1acb921dbc58c08b0001a3ca21b072e8a6d

SHA512
6f2588922c3f4507d29bb6c9b57de540643a23fec94db07476e0eed3aed25e100b821fbee9ea0590575298d417c158b57fcf8402862ecc4f9d61a70ec703f885

Download Submit
C:\Users\Admin\AppData\Local\Temp\123.exe
Filesize
26KB

MD5
d98d61075c63fd210c7ae68867374f67

SHA1
657e54b5f25306e7191970d7f498c872d8737f40

SHA256
a48e6a66afdea26e5b5a6d0fadf7a1acb921dbc58c08b0001a3ca21b072e8a6d

SHA512
6f2588922c3f4507d29bb6c9b57de540643a23fec94db07476e0eed3aed25e100b821fbee9ea0590575298d417c158b57fcf8402862ecc4f9d61a70ec703f885

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.bat
Filesize
110B

MD5
12e768a105dc0d143a5f5becdd12167a

SHA1
8f82f11fc9b8921b1a80eb23b600d243a8756766

SHA256
0f909a1c0e0cddb3f99f0a7bac66a86797f25635b15fb25faa0bffcc5e702056

SHA512
3ba416aa4d0575fe281b24b1cc7401254ad2c38de37b340a780e8796f34738d48f6a89801596bbfaed009c1fb74255cf0caf49997cf1e679ea6075b02b758c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\7383GameCenter_v3.28.exe
Filesize
14.8MB

MD5
e345699fb3c408badd9290b7071ab3be

SHA1
9a38eee55f7ba69371fc60b552e410db33c28584

SHA256
975858a08ba28afcb6a3b8cc7a51c08b0d8cbb042d82078b4e6bfe383c29ad0b

SHA512
db0952d521e2033b657c615b1adc327d97191f305800b31cc359c7a998fc723a5ff284f96b45984ea00062398b921f62597463c36ef179165ef905434ca02ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7383GameCenter_v3.28.exe
Filesize
14.8MB

MD5
e345699fb3c408badd9290b7071ab3be

SHA1
9a38eee55f7ba69371fc60b552e410db33c28584

SHA256
975858a08ba28afcb6a3b8cc7a51c08b0d8cbb042d82078b4e6bfe383c29ad0b

SHA512
db0952d521e2033b657c615b1adc327d97191f305800b31cc359c7a998fc723a5ff284f96b45984ea00062398b921f62597463c36ef179165ef905434ca02ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CUN16.tmp\_isetup\_isdecmp.dll
Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-CUN16.tmp\_isetup\_isdecmp.dll
Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LUCB9.tmp\7383GameCenter_v3.28.tmp
Filesize
701KB

MD5
5ccf127dcef6c689d9de3e8fd68b76fd

SHA1
eef6a9b5f85f97a593bb6587850ec0e604c9fdb9

SHA256
9f41b29a9e70206c71ed62e3c77483ecaef0fb6415a8c8404054ec00e9ffac82

SHA512
b163b3858c80cc41a549ff1a90eddd491b864eddd86dd7daca712520af4f03b4e816bee96793ac5c2298930dd237446941a9bd42eb8565e553cd23997da945d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-LUCB9.tmp\7383GameCenter_v3.28.tmp
Filesize
701KB

MD5
5ccf127dcef6c689d9de3e8fd68b76fd

SHA1
eef6a9b5f85f97a593bb6587850ec0e604c9fdb9

SHA256
9f41b29a9e70206c71ed62e3c77483ecaef0fb6415a8c8404054ec00e9ffac82

SHA512
b163b3858c80cc41a549ff1a90eddd491b864eddd86dd7daca712520af4f03b4e816bee96793ac5c2298930dd237446941a9bd42eb8565e553cd23997da945d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
80KB

MD5
6a6fa84bbc2ee7b1ee5957a66c86904e

SHA1
25e9df4d983ab9a2b1561e500f083ac98ccf966b

SHA256
507e5243da2a8f45f641d0e23556f98601edc14506d1151e5c100d6b9d8a3db3

SHA512
9f6abaf2bf7dc784c57a61f18eac88c77345014e20bc41c54d68f54a5591a7e348e48f1cf452d96e6622bbadc6685d593ab26811b87821f684a62bce3bf6a2c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe
Filesize
80KB

MD5
6a6fa84bbc2ee7b1ee5957a66c86904e

SHA1
25e9df4d983ab9a2b1561e500f083ac98ccf966b

SHA256
507e5243da2a8f45f641d0e23556f98601edc14506d1151e5c100d6b9d8a3db3

SHA512
9f6abaf2bf7dc784c57a61f18eac88c77345014e20bc41c54d68f54a5591a7e348e48f1cf452d96e6622bbadc6685d593ab26811b87821f684a62bce3bf6a2c8

Download Submit
C:\Windows\SysWOW64\123418.tmp
Filesize
192KB

MD5
f6d9b897d17f7d7f3437e375aec0479c

SHA1
0fa5161d13e665968fe16a41721d85aa625a55bf

SHA256
b86007da2336816e6ac622e9a8c075b309d0db99d7424dbe88c7a82cfc159a4c

SHA512
7dbaac6ee57088afe22ad4c31bcb6b34119b26eb7cbccb096ee0b6dcaa7e1e84c50841f8b46f389672e7b6c2ab3d6064453aec9d205afdbd23589976b888ca39

Download Submit
C:\Windows\SysWOW64\dllcache\iphlpapi.dll
Filesize
192KB

MD5
aafe4cc189edd5a9808503eede104c85

SHA1
609dce661aff6d63e0a0f7bd8a4db024afeadfff

SHA256
fe52d53b0d9966276f312eb15da23a01db52da5b608086d6c4f3c41aa6209ef5

SHA512
cb464b41a3e85a53042ce13086f63b36b5fc44eeecac7244099cec0ebc7633f3705289ead6efd32d47f7467b8b2cd289f7c8f5c13806eb257a9f5025949d4eea

Download Submit
C:\Windows\SysWOW64\dllcache\rasadhlp.dll
Filesize
12KB

MD5
867c48a347666c56321d58f619355897

SHA1
7ddb891077ab743a8c921650b804042982793aaf

SHA256
29f1013890cc83362201972140f4bfae09cd09a228ad98e8817bfb80759a9f95

SHA512
6f4500f9f494f2a65f36eef6110d0c3ce4156fb865b9b55e8dd76be6eb24bae5378f97929430cb319a04da35cd229be3536742721ce3ae0aa69d47411bbd3881

Download Submit
C:\Windows\SysWOW64\rasadhlp.dll
Filesize
12KB

MD5
867c48a347666c56321d58f619355897

SHA1
7ddb891077ab743a8c921650b804042982793aaf

SHA256
29f1013890cc83362201972140f4bfae09cd09a228ad98e8817bfb80759a9f95

SHA512
6f4500f9f494f2a65f36eef6110d0c3ce4156fb865b9b55e8dd76be6eb24bae5378f97929430cb319a04da35cd229be3536742721ce3ae0aa69d47411bbd3881

Download Submit
memory/536-173-0x0000000000000000-mapping.dmp

Download
memory/748-172-0x0000000000000000-mapping.dmp

Download
memory/860-176-0x0000000000000000-mapping.dmp

Download
memory/1636-132-0x0000000000000000-mapping.dmp

Download
memory/1752-161-0x0000000000000000-mapping.dmp

Download
memory/1840-165-0x0000000000000000-mapping.dmp

Download
memory/1996-159-0x0000000002431000-0x0000000002433000-memory.dmp

Filesize
8KB

Download
memory/1996-151-0x0000000000000000-mapping.dmp

Download
memory/2404-167-0x0000000000000000-mapping.dmp

Download
memory/2420-166-0x0000000000000000-mapping.dmp

Download
memory/2432-138-0x0000000000000000-mapping.dmp

Download
memory/2576-148-0x0000000010000000-0x0000000010046000-memory.dmp

Filesize
280KB

Download
memory/2576-179-0x0000000010000000-0x0000000010046000-memory.dmp

Filesize
280KB

Download
memory/2576-135-0x0000000000000000-mapping.dmp

Download
memory/2576-139-0x0000000010000000-0x0000000010046000-memory.dmp

Filesize
280KB

Download
memory/2576-147-0x0000000010000000-0x0000000010046000-memory.dmp

Filesize
280KB

Download
memory/2892-140-0x0000000000000000-mapping.dmp

Download
memory/2892-149-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2892-144-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2892-180-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3008-163-0x0000000000000000-mapping.dmp

Download
memory/3464-177-0x0000000000000000-mapping.dmp

Download
memory/3764-171-0x0000000000000000-mapping.dmp

Download
memory/4156-169-0x0000000000000000-mapping.dmp

Download
memory/4560-150-0x0000000000000000-mapping.dmp

Download
memory/4712-155-0x0000000000000000-mapping.dmp

Download
memory/5036-160-0x0000000000000000-mapping.dmp

Download
memory/5080-156-0x0000000000000000-mapping.dmp

Download