gh0strat | 1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403

Analysis

max time kernel
47s
max time network
53s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 11:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403.exe
Size

236KB
MD5

3d80e6a989ea622e375699511f4d5dee
SHA1

964cd3555cb021285fc003f1476b2025097a56e5
SHA256

1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403
SHA512

012c2eec7c84c6a0a90a02a2307a5a560e19502f10e73af1ffc82903282fdf0eb25d1b2959662095c9857ac778b214f8a8e54319160598e3c6ec49d26bcff98a
SSDEEP

6144:dQqjB8lD9jRWWPSRf5lRuGMJnuDoVg5cXa54CtrINR0A:WlFR3Yf5l2uMVg5cXl6rBA

Score

10^/10

gh0strat discovery exploit rat

Malware Config

Signatures

Gh0st RAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/840-75-0x0000000010000000-0x0000000010121000-memory.dmp	family_gh0strat
behavioral1/memory/840-78-0x0000000010000000-0x0000000010121000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Executes dropped EXE 2 IoCs

Processes:

server.execcc.exe

pid process

840 server.exe
1680 ccc.exe
Possible privilege escalation attempt 6 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid process

2024 icacls.exe
1436 takeown.exe
1428 icacls.exe
1300 takeown.exe
1512 icacls.exe
1492 takeown.exe

pid	process
840	server.exe
1680	ccc.exe

pid	process
2024	icacls.exe
1436	takeown.exe
1428	icacls.exe
1300	takeown.exe
1512	icacls.exe
1492	takeown.exe

Loads dropped DLL 10 IoCs

Processes:

1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403.exeserver.execcc.exe

pid	process
1204	1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403.exe
1204	1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403.exe
1204	1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403.exe
1204	1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403.exe
840	server.exe
840	server.exe
840	server.exe
1680	ccc.exe
1680	ccc.exe
1680	ccc.exe

Modifies file permissions 1 TTPs 6 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid process

2024 icacls.exe
1436 takeown.exe
1428 icacls.exe
1300 takeown.exe
1512 icacls.exe
1492 takeown.exe

pid	process
2024	icacls.exe
1436	takeown.exe
1428	icacls.exe
1300	takeown.exe
1512	icacls.exe
1492	takeown.exe

Drops file in System32 directory 10 IoCs

Processes:

ccc.exe

description	ioc	process
File created	C:\Windows\SysWOW64\dllcache\iphlpapi.dll	ccc.exe
File opened for modification	C:\Windows\SysWOW64\1234157.tmp	ccc.exe
File opened for modification	C:\Windows\syswow64\1234157.tmp	ccc.exe
File created	C:\Windows\SysWOW64\dllcache\rasadhlp.dll	ccc.exe
File created	C:\Windows\SysWOW64\sxload.tmp	ccc.exe
File opened for modification	C:\Windows\SysWOW64\1233036.tmp	ccc.exe
File opened for modification	C:\Windows\syswow64\1233036.tmp	ccc.exe
File opened for modification	C:\Windows\SysWOW64\1234FD9.tmp	ccc.exe
File opened for modification	C:\Windows\syswow64\1234FD9.tmp	ccc.exe
File created	C:\Windows\SysWOW64\dllcache\midimap.dll	ccc.exe

Drops file in Program Files directory 1 IoCs

Processes:

ccc.exe

description ioc process

File created C:\Program Files (x86)\Common Files\sxcw.tmp ccc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

916 taskkill.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

server.execcc.exe

pid process

840 server.exe
1680 ccc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ccc.exetaskkill.exe

description pid process

Token: SeDebugPrivilege 1680 ccc.exe
Token: SeDebugPrivilege 916 taskkill.exe
Suspicious use of FindShellTrayWindow 12 IoCs

Processes:

ccc.exe

pid process

1680 ccc.exe
1680 ccc.exe
1680 ccc.exe
1680 ccc.exe
1680 ccc.exe
1680 ccc.exe
1680 ccc.exe
1680 ccc.exe
1680 ccc.exe
1680 ccc.exe
1680 ccc.exe
1680 ccc.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\sxcw.tmp	ccc.exe

pid	process
916	taskkill.exe

pid	process
840	server.exe
1680	ccc.exe

description	pid	process
Token: SeDebugPrivilege	1680	ccc.exe
Token: SeDebugPrivilege	916	taskkill.exe

pid	process
1680	ccc.exe
1680	ccc.exe
1680	ccc.exe
1680	ccc.exe
1680	ccc.exe
1680	ccc.exe
1680	ccc.exe
1680	ccc.exe
1680	ccc.exe
1680	ccc.exe
1680	ccc.exe
1680	ccc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403.execcc.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1204 wrote to memory of 840	1204	1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403.exe	server.exe
PID 1204 wrote to memory of 840	1204	1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403.exe	server.exe
PID 1204 wrote to memory of 840	1204	1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403.exe	server.exe
PID 1204 wrote to memory of 840	1204	1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403.exe	server.exe
PID 1204 wrote to memory of 840	1204	1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403.exe	server.exe
PID 1204 wrote to memory of 840	1204	1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403.exe	server.exe
PID 1204 wrote to memory of 840	1204	1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403.exe	server.exe
PID 1204 wrote to memory of 1680	1204	1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403.exe	ccc.exe
PID 1204 wrote to memory of 1680	1204	1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403.exe	ccc.exe
PID 1204 wrote to memory of 1680	1204	1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403.exe	ccc.exe
PID 1204 wrote to memory of 1680	1204	1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403.exe	ccc.exe
PID 1204 wrote to memory of 1680	1204	1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403.exe	ccc.exe
PID 1204 wrote to memory of 1680	1204	1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403.exe	ccc.exe
PID 1204 wrote to memory of 1680	1204	1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403.exe	ccc.exe
PID 1680 wrote to memory of 1336	1680	ccc.exe	cmd.exe
PID 1680 wrote to memory of 1336	1680	ccc.exe	cmd.exe
PID 1680 wrote to memory of 1336	1680	ccc.exe	cmd.exe
PID 1680 wrote to memory of 1336	1680	ccc.exe	cmd.exe
PID 1680 wrote to memory of 1336	1680	ccc.exe	cmd.exe
PID 1680 wrote to memory of 1336	1680	ccc.exe	cmd.exe
PID 1680 wrote to memory of 1336	1680	ccc.exe	cmd.exe
PID 1336 wrote to memory of 1096	1336	cmd.exe	cmd.exe
PID 1336 wrote to memory of 1096	1336	cmd.exe	cmd.exe
PID 1336 wrote to memory of 1096	1336	cmd.exe	cmd.exe
PID 1336 wrote to memory of 1096	1336	cmd.exe	cmd.exe
PID 1336 wrote to memory of 1096	1336	cmd.exe	cmd.exe
PID 1336 wrote to memory of 1096	1336	cmd.exe	cmd.exe
PID 1336 wrote to memory of 1096	1336	cmd.exe	cmd.exe
PID 1096 wrote to memory of 1300	1096	cmd.exe	takeown.exe
PID 1096 wrote to memory of 1300	1096	cmd.exe	takeown.exe
PID 1096 wrote to memory of 1300	1096	cmd.exe	takeown.exe
PID 1096 wrote to memory of 1300	1096	cmd.exe	takeown.exe
PID 1096 wrote to memory of 1300	1096	cmd.exe	takeown.exe
PID 1096 wrote to memory of 1300	1096	cmd.exe	takeown.exe
PID 1096 wrote to memory of 1300	1096	cmd.exe	takeown.exe
PID 1336 wrote to memory of 1512	1336	cmd.exe	icacls.exe
PID 1336 wrote to memory of 1512	1336	cmd.exe	icacls.exe
PID 1336 wrote to memory of 1512	1336	cmd.exe	icacls.exe
PID 1336 wrote to memory of 1512	1336	cmd.exe	icacls.exe
PID 1336 wrote to memory of 1512	1336	cmd.exe	icacls.exe
PID 1336 wrote to memory of 1512	1336	cmd.exe	icacls.exe
PID 1336 wrote to memory of 1512	1336	cmd.exe	icacls.exe
PID 1680 wrote to memory of 1676	1680	ccc.exe	cmd.exe
PID 1680 wrote to memory of 1676	1680	ccc.exe	cmd.exe
PID 1680 wrote to memory of 1676	1680	ccc.exe	cmd.exe
PID 1680 wrote to memory of 1676	1680	ccc.exe	cmd.exe
PID 1680 wrote to memory of 1676	1680	ccc.exe	cmd.exe
PID 1680 wrote to memory of 1676	1680	ccc.exe	cmd.exe
PID 1680 wrote to memory of 1676	1680	ccc.exe	cmd.exe
PID 1676 wrote to memory of 2008	1676	cmd.exe	cmd.exe
PID 1676 wrote to memory of 2008	1676	cmd.exe	cmd.exe
PID 1676 wrote to memory of 2008	1676	cmd.exe	cmd.exe
PID 1676 wrote to memory of 2008	1676	cmd.exe	cmd.exe
PID 1676 wrote to memory of 2008	1676	cmd.exe	cmd.exe
PID 1676 wrote to memory of 2008	1676	cmd.exe	cmd.exe
PID 1676 wrote to memory of 2008	1676	cmd.exe	cmd.exe
PID 2008 wrote to memory of 1492	2008	cmd.exe	takeown.exe
PID 2008 wrote to memory of 1492	2008	cmd.exe	takeown.exe
PID 2008 wrote to memory of 1492	2008	cmd.exe	takeown.exe
PID 2008 wrote to memory of 1492	2008	cmd.exe	takeown.exe
PID 2008 wrote to memory of 1492	2008	cmd.exe	takeown.exe
PID 2008 wrote to memory of 1492	2008	cmd.exe	takeown.exe
PID 2008 wrote to memory of 1492	2008	cmd.exe	takeown.exe
PID 1676 wrote to memory of 2024	1676	cmd.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403.exe
"C:\Users\Admin\AppData\Local\Temp\1bfa758fb9a4014462ee0182cb1e7c8866e03f9cbb40cec857fe3ef4e1cf0403.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\temp\server.exe
"C:\Windows\temp\server.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:840

C:\Windows\temp\ccc.exe
"C:\Windows\temp\ccc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\cmd.exe
cmd /c 2.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\syswow64"
4⤵
- Suspicious use of WriteProcessMemory
PID:1096

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\syswow64"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1300

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\syswow64" /grant administrators:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1512

C:\Windows\SysWOW64\cmd.exe
cmd /c 2.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\syswow64"
4⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\syswow64"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1492

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\syswow64" /grant administrators:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2024

C:\Windows\SysWOW64\cmd.exe
cmd /c 2.bat
3⤵
PID:876

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c takeown /f "C:\Windows\syswow64"
4⤵
PID:436

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\syswow64"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1436

C:\Windows\SysWOW64\icacls.exe
icacls "C:\Windows\syswow64" /grant administrators:F
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1428

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "GTSaloon.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Windows\SysWOW64\cmd.exe
cmd /c 1.bat
3⤵
PID:688

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\ccc.exe
Filesize
27KB

MD5
c0b6cb079880d48b6bf3175d8200195b

SHA1
562cd4d74300bd1450ea29dda5cb3316c1e1cb68

SHA256
43c5556171da1e5cc65f26c6b78a40138326544d4b04b63d174eafd6897c6577

SHA512
8dfd5dab36d859f39d14e780a7374bc28acca560e861038131ce3b15fed9b421549667c14ac59adf451fe0e439a9d1d5911e0ed6b7d0be0f078cf94df4ce7816

Download Submit
C:\Windows\Temp\server.exe
Filesize
192KB

MD5
77b189f73c6c8442ca6730d269f0ec31

SHA1
22164cd7a1222a93c9a6f1b10adf7503c7525ffe

SHA256
df466438dfbd7cb4f5e4b3c1dd754bfe1f3c72e750977c44508810252984a557

SHA512
f1cde9f37eeee0207cd492f4cc5ff6bf2c396179ec2f33683090fb40ee9d3abe6c9f5abccf0298c9b06cbd306c4223d86a1824af31b60464ef2e2e66a3e5f3f7

Download Submit
C:\Windows\temp\1.bat
Filesize
95B

MD5
49d854d9f0a8f920313b0b1137da5b5d

SHA1
c2b4cb3aba3e281906927faf339c87d1522f7176

SHA256
962c9148fd979db955f10b81d8aa6229faa0c83c842110046dc2d2e959e6fcc5

SHA512
438df8dc587604f84955be19175776ca5d3f194451b13d39cfff7e769b203506e0d2cde484597c3b206998563b9de96f328df3d2bdcff11f2e689dce4b14f375

Download Submit
C:\Windows\temp\2.bat
Filesize
110B

MD5
521e37256443e6b3f2281f217476bf79

SHA1
81f0e2b65605f070782cbe241569c6b9a25bb9dc

SHA256
79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f

SHA512
23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025

Download Submit
C:\Windows\temp\2.bat
Filesize
110B

MD5
521e37256443e6b3f2281f217476bf79

SHA1
81f0e2b65605f070782cbe241569c6b9a25bb9dc

SHA256
79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f

SHA512
23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025

Download Submit
C:\Windows\temp\2.bat
Filesize
110B

MD5
521e37256443e6b3f2281f217476bf79

SHA1
81f0e2b65605f070782cbe241569c6b9a25bb9dc

SHA256
79ae97b29c3a714fa32b14c282716f1378ad8de73d6a6d954fdd7e1270bc411f

SHA512
23096a5eee45c7f2b278cf9385a0ea91b86c01332a096e56f1c8de336ca0bba77e0b1dbb6f2197b5c6a91c2ca093df356026c6452e4a022db79a6b555cb39025

Download Submit
C:\Windows\temp\ccc.exe
Filesize
27KB

MD5
c0b6cb079880d48b6bf3175d8200195b

SHA1
562cd4d74300bd1450ea29dda5cb3316c1e1cb68

SHA256
43c5556171da1e5cc65f26c6b78a40138326544d4b04b63d174eafd6897c6577

SHA512
8dfd5dab36d859f39d14e780a7374bc28acca560e861038131ce3b15fed9b421549667c14ac59adf451fe0e439a9d1d5911e0ed6b7d0be0f078cf94df4ce7816

Download Submit
C:\Windows\temp\server.exe
Filesize
192KB

MD5
77b189f73c6c8442ca6730d269f0ec31

SHA1
22164cd7a1222a93c9a6f1b10adf7503c7525ffe

SHA256
df466438dfbd7cb4f5e4b3c1dd754bfe1f3c72e750977c44508810252984a557

SHA512
f1cde9f37eeee0207cd492f4cc5ff6bf2c396179ec2f33683090fb40ee9d3abe6c9f5abccf0298c9b06cbd306c4223d86a1824af31b60464ef2e2e66a3e5f3f7

Download Submit
\Windows\Temp\ccc.exe
Filesize
27KB

MD5
c0b6cb079880d48b6bf3175d8200195b

SHA1
562cd4d74300bd1450ea29dda5cb3316c1e1cb68

SHA256
43c5556171da1e5cc65f26c6b78a40138326544d4b04b63d174eafd6897c6577

SHA512
8dfd5dab36d859f39d14e780a7374bc28acca560e861038131ce3b15fed9b421549667c14ac59adf451fe0e439a9d1d5911e0ed6b7d0be0f078cf94df4ce7816

Download Submit
\Windows\Temp\ccc.exe
Filesize
27KB

MD5
c0b6cb079880d48b6bf3175d8200195b

SHA1
562cd4d74300bd1450ea29dda5cb3316c1e1cb68

SHA256
43c5556171da1e5cc65f26c6b78a40138326544d4b04b63d174eafd6897c6577

SHA512
8dfd5dab36d859f39d14e780a7374bc28acca560e861038131ce3b15fed9b421549667c14ac59adf451fe0e439a9d1d5911e0ed6b7d0be0f078cf94df4ce7816

Download Submit
\Windows\Temp\ccc.exe
Filesize
27KB

MD5
c0b6cb079880d48b6bf3175d8200195b

SHA1
562cd4d74300bd1450ea29dda5cb3316c1e1cb68

SHA256
43c5556171da1e5cc65f26c6b78a40138326544d4b04b63d174eafd6897c6577

SHA512
8dfd5dab36d859f39d14e780a7374bc28acca560e861038131ce3b15fed9b421549667c14ac59adf451fe0e439a9d1d5911e0ed6b7d0be0f078cf94df4ce7816

Download Submit
\Windows\Temp\ccc.exe
Filesize
27KB

MD5
c0b6cb079880d48b6bf3175d8200195b

SHA1
562cd4d74300bd1450ea29dda5cb3316c1e1cb68

SHA256
43c5556171da1e5cc65f26c6b78a40138326544d4b04b63d174eafd6897c6577

SHA512
8dfd5dab36d859f39d14e780a7374bc28acca560e861038131ce3b15fed9b421549667c14ac59adf451fe0e439a9d1d5911e0ed6b7d0be0f078cf94df4ce7816

Download Submit
\Windows\Temp\ccc.exe
Filesize
27KB

MD5
c0b6cb079880d48b6bf3175d8200195b

SHA1
562cd4d74300bd1450ea29dda5cb3316c1e1cb68

SHA256
43c5556171da1e5cc65f26c6b78a40138326544d4b04b63d174eafd6897c6577

SHA512
8dfd5dab36d859f39d14e780a7374bc28acca560e861038131ce3b15fed9b421549667c14ac59adf451fe0e439a9d1d5911e0ed6b7d0be0f078cf94df4ce7816

Download Submit
\Windows\Temp\server.exe
Filesize
192KB

MD5
77b189f73c6c8442ca6730d269f0ec31

SHA1
22164cd7a1222a93c9a6f1b10adf7503c7525ffe

SHA256
df466438dfbd7cb4f5e4b3c1dd754bfe1f3c72e750977c44508810252984a557

SHA512
f1cde9f37eeee0207cd492f4cc5ff6bf2c396179ec2f33683090fb40ee9d3abe6c9f5abccf0298c9b06cbd306c4223d86a1824af31b60464ef2e2e66a3e5f3f7

Download Submit
\Windows\Temp\server.exe
Filesize
192KB

MD5
77b189f73c6c8442ca6730d269f0ec31

SHA1
22164cd7a1222a93c9a6f1b10adf7503c7525ffe

SHA256
df466438dfbd7cb4f5e4b3c1dd754bfe1f3c72e750977c44508810252984a557

SHA512
f1cde9f37eeee0207cd492f4cc5ff6bf2c396179ec2f33683090fb40ee9d3abe6c9f5abccf0298c9b06cbd306c4223d86a1824af31b60464ef2e2e66a3e5f3f7

Download Submit
\Windows\Temp\server.exe
Filesize
192KB

MD5
77b189f73c6c8442ca6730d269f0ec31

SHA1
22164cd7a1222a93c9a6f1b10adf7503c7525ffe

SHA256
df466438dfbd7cb4f5e4b3c1dd754bfe1f3c72e750977c44508810252984a557

SHA512
f1cde9f37eeee0207cd492f4cc5ff6bf2c396179ec2f33683090fb40ee9d3abe6c9f5abccf0298c9b06cbd306c4223d86a1824af31b60464ef2e2e66a3e5f3f7

Download Submit
\Windows\Temp\server.exe
Filesize
192KB

MD5
77b189f73c6c8442ca6730d269f0ec31

SHA1
22164cd7a1222a93c9a6f1b10adf7503c7525ffe

SHA256
df466438dfbd7cb4f5e4b3c1dd754bfe1f3c72e750977c44508810252984a557

SHA512
f1cde9f37eeee0207cd492f4cc5ff6bf2c396179ec2f33683090fb40ee9d3abe6c9f5abccf0298c9b06cbd306c4223d86a1824af31b60464ef2e2e66a3e5f3f7

Download Submit
\Windows\Temp\server.exe
Filesize
192KB

MD5
77b189f73c6c8442ca6730d269f0ec31

SHA1
22164cd7a1222a93c9a6f1b10adf7503c7525ffe

SHA256
df466438dfbd7cb4f5e4b3c1dd754bfe1f3c72e750977c44508810252984a557

SHA512
f1cde9f37eeee0207cd492f4cc5ff6bf2c396179ec2f33683090fb40ee9d3abe6c9f5abccf0298c9b06cbd306c4223d86a1824af31b60464ef2e2e66a3e5f3f7

Download Submit
memory/436-105-0x0000000000000000-mapping.dmp

Download
memory/688-116-0x0000000000000000-mapping.dmp

Download
memory/840-78-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/840-75-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/840-73-0x0000000010000000-0x0000000010121000-memory.dmp

Filesize
1.1MB

Download
memory/840-57-0x0000000000000000-mapping.dmp

Download
memory/876-102-0x0000000000000000-mapping.dmp

Download
memory/916-114-0x0000000000000000-mapping.dmp

Download
memory/1096-82-0x0000000000000000-mapping.dmp

Download
memory/1204-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1300-84-0x0000000000000000-mapping.dmp

Download
memory/1336-79-0x0000000000000000-mapping.dmp

Download
memory/1428-109-0x0000000000000000-mapping.dmp

Download
memory/1436-107-0x0000000000000000-mapping.dmp

Download
memory/1492-95-0x0000000000000000-mapping.dmp

Download
memory/1512-86-0x0000000000000000-mapping.dmp

Download
memory/1676-90-0x0000000000000000-mapping.dmp

Download
memory/1680-89-0x0000000073AB1000-0x0000000073AB3000-memory.dmp

Filesize
8KB

Download
memory/1680-88-0x0000000073C61000-0x0000000073C63000-memory.dmp

Filesize
8KB

Download
memory/1680-62-0x0000000000000000-mapping.dmp

Download
memory/2008-93-0x0000000000000000-mapping.dmp

Download
memory/2024-97-0x0000000000000000-mapping.dmp

Download