gh0strat | 65549c0c44948ed7543c30d24f4d6a54521d51e2f8abfcba0d7a73c80c036e27

Analysis

max time kernel
147s
max time network
155s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
22-10-2023 09:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65549c0c44948ed7543c30d24f4d6a54521d51e2f8abfcba0d7a73c80c036e27.exe
Size

924KB
MD5

329d0e70f6a56a68f3b750fe0605dec7
SHA1

8015e570fd8c906868b9ce5da814cb86cd6e5db7
SHA256

65549c0c44948ed7543c30d24f4d6a54521d51e2f8abfcba0d7a73c80c036e27
SHA512

b87c5a13ae10bbeb000577f0390ff4552cc7afe19f0d78bbed4d00f67a1b02b811adc9f8dd0cfa1b57481a48680c6b1dbf6e2137939b3ec456f66ff9d138ae5d
SSDEEP

12288:B3j2XoumjvYC2P+0E7eu7gEPEnzz9p6rgzeIkb/pmJgdECgBdVa/ALnDzwDMD1G8:BT26zjV2PT10X5uJQUTxMIo+

Score

10^/10

gh0strat evasion rat trojan

Malware Config

Extracted

Family

gh0strat

103.142.8.158

Signatures

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2776-111-0x0000000000300000-0x000000000032D000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

regedit.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" regedit.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe

Drops startup file 2 IoCs

Processes:

TNDw.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\Embarcaderophi.lnk	TNDw.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\Embarcaderophi.lnk	TNDw.exe

Executes dropped EXE 3 IoCs

Processes:

TNDw.exeVGXJ4M7.exe

pid process

3008 TNDw.exe
1260
2776 VGXJ4M7.exe

pid	process
3008	TNDw.exe
1260
2776	VGXJ4M7.exe

Loads dropped DLL 14 IoCs

Processes:

65549c0c44948ed7543c30d24f4d6a54521d51e2f8abfcba0d7a73c80c036e27.exeexplorer.exeVGXJ4M7.exe

pid	process
2236	65549c0c44948ed7543c30d24f4d6a54521d51e2f8abfcba0d7a73c80c036e27.exe
2236	65549c0c44948ed7543c30d24f4d6a54521d51e2f8abfcba0d7a73c80c036e27.exe
2236	65549c0c44948ed7543c30d24f4d6a54521d51e2f8abfcba0d7a73c80c036e27.exe
2236	65549c0c44948ed7543c30d24f4d6a54521d51e2f8abfcba0d7a73c80c036e27.exe
2236	65549c0c44948ed7543c30d24f4d6a54521d51e2f8abfcba0d7a73c80c036e27.exe
2236	65549c0c44948ed7543c30d24f4d6a54521d51e2f8abfcba0d7a73c80c036e27.exe
2236	65549c0c44948ed7543c30d24f4d6a54521d51e2f8abfcba0d7a73c80c036e27.exe
2236	65549c0c44948ed7543c30d24f4d6a54521d51e2f8abfcba0d7a73c80c036e27.exe
2812	explorer.exe
2812	explorer.exe
2812	explorer.exe
1260
1260
2776	VGXJ4M7.exe

Drops file in System32 directory 2 IoCs

Processes:

VGXJ4M7.exe

description ioc process

File created C:\Windows\SysWOW64\Uac.reg VGXJ4M7.exe
File opened for modification C:\Windows\SysWOW64\Uac.reg VGXJ4M7.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\SysWOW64\Uac.reg	VGXJ4M7.exe
File opened for modification	C:\Windows\SysWOW64\Uac.reg	VGXJ4M7.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 30 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 78003100000000005657564d11005075626c69630000620008000400efbeee3a851a5657564d2a0000007c0200000000010000000000000000003800000000005000750062006c0069006300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003600000016000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 7400310000000000545774a71100557365727300600008000400efbeee3a851a545774a72a000000e601000000000100000000000000000036000000000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 74003100000000005657584d11004d7573696300600008000400efbeee3a851a5657584d2a000000820200000000010000000000000000003600000000004d007500730069006300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380030003300000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 50003100000000005657584d10007a706939325700003a0008000400efbe5657584d5657584d2a000000a04b01000000080000000000000000000000000000007a0070006900390032005700000016000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Music"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-274829-3448035668-3231875956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe

Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

1684 regedit.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

65549c0c44948ed7543c30d24f4d6a54521d51e2f8abfcba0d7a73c80c036e27.exe

pid process

2236 65549c0c44948ed7543c30d24f4d6a54521d51e2f8abfcba0d7a73c80c036e27.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

65549c0c44948ed7543c30d24f4d6a54521d51e2f8abfcba0d7a73c80c036e27.exe

pid process

2236 65549c0c44948ed7543c30d24f4d6a54521d51e2f8abfcba0d7a73c80c036e27.exe

pid	process
1684	regedit.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

65549c0c44948ed7543c30d24f4d6a54521d51e2f8abfcba0d7a73c80c036e27.exeexplorer.exeVGXJ4M7.execmd.exe

description	pid	process	target process
PID 2236 wrote to memory of 2712	2236	65549c0c44948ed7543c30d24f4d6a54521d51e2f8abfcba0d7a73c80c036e27.exe	explorer.exe
PID 2236 wrote to memory of 2712	2236	65549c0c44948ed7543c30d24f4d6a54521d51e2f8abfcba0d7a73c80c036e27.exe	explorer.exe
PID 2236 wrote to memory of 2712	2236	65549c0c44948ed7543c30d24f4d6a54521d51e2f8abfcba0d7a73c80c036e27.exe	explorer.exe
PID 2236 wrote to memory of 2712	2236	65549c0c44948ed7543c30d24f4d6a54521d51e2f8abfcba0d7a73c80c036e27.exe	explorer.exe
PID 2812 wrote to memory of 3008	2812	explorer.exe	TNDw.exe
PID 2812 wrote to memory of 3008	2812	explorer.exe	TNDw.exe
PID 2812 wrote to memory of 3008	2812	explorer.exe	TNDw.exe
PID 2812 wrote to memory of 2776	2812	explorer.exe	VGXJ4M7.exe
PID 2812 wrote to memory of 2776	2812	explorer.exe	VGXJ4M7.exe
PID 2812 wrote to memory of 2776	2812	explorer.exe	VGXJ4M7.exe
PID 2812 wrote to memory of 2776	2812	explorer.exe	VGXJ4M7.exe
PID 2812 wrote to memory of 2776	2812	explorer.exe	VGXJ4M7.exe
PID 2812 wrote to memory of 2776	2812	explorer.exe	VGXJ4M7.exe
PID 2812 wrote to memory of 2776	2812	explorer.exe	VGXJ4M7.exe
PID 2776 wrote to memory of 472	2776	VGXJ4M7.exe	cmd.exe
PID 2776 wrote to memory of 472	2776	VGXJ4M7.exe	cmd.exe
PID 2776 wrote to memory of 472	2776	VGXJ4M7.exe	cmd.exe
PID 2776 wrote to memory of 472	2776	VGXJ4M7.exe	cmd.exe
PID 2776 wrote to memory of 472	2776	VGXJ4M7.exe	cmd.exe
PID 2776 wrote to memory of 472	2776	VGXJ4M7.exe	cmd.exe
PID 2776 wrote to memory of 472	2776	VGXJ4M7.exe	cmd.exe
PID 472 wrote to memory of 1684	472	cmd.exe	regedit.exe
PID 472 wrote to memory of 1684	472	cmd.exe	regedit.exe
PID 472 wrote to memory of 1684	472	cmd.exe	regedit.exe
PID 472 wrote to memory of 1684	472	cmd.exe	regedit.exe
PID 472 wrote to memory of 1684	472	cmd.exe	regedit.exe
PID 472 wrote to memory of 1684	472	cmd.exe	regedit.exe
PID 472 wrote to memory of 1684	472	cmd.exe	regedit.exe

C:\Users\Admin\AppData\Local\Temp\65549c0c44948ed7543c30d24f4d6a54521d51e2f8abfcba0d7a73c80c036e27.exe
"C:\Users\Admin\AppData\Local\Temp\65549c0c44948ed7543c30d24f4d6a54521d51e2f8abfcba0d7a73c80c036e27.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\explorer.exe
C:\Windows\explorer.exe C:\Users\Public\Music\zpi92W
2⤵
PID:2712

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2812

C:\Users\Admin\AppData\Roaming\7OARD\TNDw.exe
"C:\Users\Admin\AppData\Roaming\7OARD\TNDw.exe" -n C:\Users\Admin\AppData\Roaming\7OARD\5M8.zip -d C:\Users\Admin\AppData\Roaming
2⤵
- Drops startup file
- Executes dropped EXE
PID:3008

C:\ProgramData\6R9UCW\VGXJ4M7.exe
"C:\ProgramData\6R9UCW\VGXJ4M7.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\SysWOW64\cmd.exe
cmd /C regedit /s Uac.reg
3⤵
- Suspicious use of WriteProcessMemory
PID:472

C:\Windows\SysWOW64\regedit.exe
regedit /s Uac.reg
4⤵
- UAC bypass
- Runs .reg file with regedit
PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\6R9UCW\AVK.dll

Filesize
980KB

MD5
482dd157a1fa275bd8c399dfcd6a24bc

SHA1
8c272eb1a5bb0f89f40e2a4caf9a2634cf8cbcfa

SHA256
649d253d56d1de2598d1f509ed8a0ef3440ff1cbbcda046cc7b838fc4d58a731

SHA512
aaf7ff5b49d3185152904c83fd3ffa90a907497f2931399886340c0381c091b90a848a1a95e9dc9c086930fe7861dcbf710dcecd9422f41d16d40f1a1c056de2

Download Submit
C:\ProgramData\6R9UCW\VGXJ4M7.exe

Filesize
498KB

MD5
3a5b4b08e6ae35fd3ff44ccfb6c4b1aa

SHA1
b5b57a9737a2572d7920d67455f370237ea3c793

SHA256
be153ac4db95db7520049a4c1e5182be07d27d2c11088a2d768e931b9a981c7f

SHA512
b7d570f0ada7bf7c6893aae06bdb3b182a12ef941c6ed099f17149407395d677fc31736aa2e326b57607be2335c35c659621592c1ea83e59c373f52ccb6a5d81

Download Submit
C:\ProgramData\6R9UCW\VGXJ4M7.exe

Filesize
498KB

MD5
3a5b4b08e6ae35fd3ff44ccfb6c4b1aa

SHA1
b5b57a9737a2572d7920d67455f370237ea3c793

SHA256
be153ac4db95db7520049a4c1e5182be07d27d2c11088a2d768e931b9a981c7f

SHA512
b7d570f0ada7bf7c6893aae06bdb3b182a12ef941c6ed099f17149407395d677fc31736aa2e326b57607be2335c35c659621592c1ea83e59c373f52ccb6a5d81

Download Submit
C:\ProgramData\6R9UCW\VGXJ4M7.exe

Filesize
498KB

MD5
3a5b4b08e6ae35fd3ff44ccfb6c4b1aa

SHA1
b5b57a9737a2572d7920d67455f370237ea3c793

SHA256
be153ac4db95db7520049a4c1e5182be07d27d2c11088a2d768e931b9a981c7f

SHA512
b7d570f0ada7bf7c6893aae06bdb3b182a12ef941c6ed099f17149407395d677fc31736aa2e326b57607be2335c35c659621592c1ea83e59c373f52ccb6a5d81

Download Submit
C:\ProgramData\6R9UCW\info.txt

Filesize
491KB

MD5
d62278c3290143e776c7209b3c2a3104

SHA1
bdec0c7269ad520e074a800e2e079da848e84ce2

SHA256
5b4b5a6dfa6bcce3727cc8f2dcba39ae7d8a6faff7725fa7faf249db26ca8af7

SHA512
9cf8d38c2f27130208f4c29bfa217782fefcd689c47068b816a76b7d1ed68799a55f94bf8c1a74aa3692b8a3eec345874324b50d6fbe42118e697a6f6e31f741

Download Submit
C:\Users\Admin\AppData\Roaming\7OARD\5M8.zip

Filesize
1KB

MD5
57484b0f4ba93eb6c7fea88194138ee3

SHA1
b48e76ac6c493b70625920d2536a5cb7dc50dbd5

SHA256
a70beb3afd96ece75b011d0abe01811389c362e90a6f377e0c22729371951aaf

SHA512
c80309fec2c9473df2c1499ca7a8f94dab91bf954304da89404d044fa46a0c4e1c6df04af53789ac92d97c1c8d1c5d08c4dfa54d86c214b0534203243a4a13d0

Download Submit
C:\Users\Admin\AppData\Roaming\7OARD\Microsoft\Windows\Start Menu\Programs\startup\Embarcaderophi.lnk

Filesize
756B

MD5
ee1fd71a71792f030b8e7ba884567fe7

SHA1
6bd44a3c8441bf0a06d64582f1895a40b35450aa

SHA256
15881020f13ed6ce92911431df39d531f10402e5e1b01692fe59e1ba09b72f04

SHA512
e0d6767a99fb4aae512bc361e6356afaf8fd7f3639013ddcbbd2a62e0d085cd7f9e2ad2656dc08942f0b75c20ef6f3dde2133dd9e0e524e22c6de51b265295e6

Download Submit
C:\Users\Admin\AppData\Roaming\7OARD\TNDw.exe

Filesize
118KB

MD5
3331650b6a8c7b391e1416679d6f9fe2

SHA1
58fc669e7d25f2771002219dcc53c5d3aa98d0fb

SHA256
f044b74956a628a859e594dedb7617fb5ed6d0d5cedf6e82a4daa45e59bbd1c5

SHA512
8638bc8fb432bca4a84422fc607649c41007e94d4b43dda8dfcc7b532ec85f077055197eedbe4766b360d572db76e7683c69742820bc9a24a7628cad263a9407

Download Submit
C:\Users\Admin\AppData\Roaming\7OARD\TNDw.exe

Filesize
118KB

MD5
3331650b6a8c7b391e1416679d6f9fe2

SHA1
58fc669e7d25f2771002219dcc53c5d3aa98d0fb

SHA256
f044b74956a628a859e594dedb7617fb5ed6d0d5cedf6e82a4daa45e59bbd1c5

SHA512
8638bc8fb432bca4a84422fc607649c41007e94d4b43dda8dfcc7b532ec85f077055197eedbe4766b360d572db76e7683c69742820bc9a24a7628cad263a9407

Download Submit
C:\Users\Admin\AppData\Roaming\7OARD\TNDw.exe

Filesize
118KB

MD5
3331650b6a8c7b391e1416679d6f9fe2

SHA1
58fc669e7d25f2771002219dcc53c5d3aa98d0fb

SHA256
f044b74956a628a859e594dedb7617fb5ed6d0d5cedf6e82a4daa45e59bbd1c5

SHA512
8638bc8fb432bca4a84422fc607649c41007e94d4b43dda8dfcc7b532ec85f077055197eedbe4766b360d572db76e7683c69742820bc9a24a7628cad263a9407

Download Submit
C:\Users\Public\Music\zpi92W\0UNDxn.url

Filesize
67B

MD5
39038a86ef2165477e4c9473a7abbfcf

SHA1
f5c941153654ecdc0c2cec9fcfe24611d6c41602

SHA256
159afd44ef336cd9e2e7c42f7cc0d6d95f40cf813e186179877a100e4acddacd

SHA512
0f40192c9e1c4ba94d5c10c422348f4aeb8dd7e4a854ea6dd6da49ebc9c683bb1e7f90480ade7513b75606f5fb77e301f12080cbba3c3a5d6be6fffb8be692fc

Download Submit
C:\Users\Public\Music\zpi92W\6XQKAt.url

Filesize
67B

MD5
39038a86ef2165477e4c9473a7abbfcf

SHA1
f5c941153654ecdc0c2cec9fcfe24611d6c41602

SHA256
159afd44ef336cd9e2e7c42f7cc0d6d95f40cf813e186179877a100e4acddacd

SHA512
0f40192c9e1c4ba94d5c10c422348f4aeb8dd7e4a854ea6dd6da49ebc9c683bb1e7f90480ade7513b75606f5fb77e301f12080cbba3c3a5d6be6fffb8be692fc

Download Submit
C:\Users\Public\Music\zpi92W\93TNGw.url

Filesize
67B

MD5
39038a86ef2165477e4c9473a7abbfcf

SHA1
f5c941153654ecdc0c2cec9fcfe24611d6c41602

SHA256
159afd44ef336cd9e2e7c42f7cc0d6d95f40cf813e186179877a100e4acddacd

SHA512
0f40192c9e1c4ba94d5c10c422348f4aeb8dd7e4a854ea6dd6da49ebc9c683bb1e7f90480ade7513b75606f5fb77e301f12080cbba3c3a5d6be6fffb8be692fc

Download Submit
C:\Users\Public\Music\zpi92W\Iyslc5.lnk

Filesize
923B

MD5
c09d90875abe82e7e50ec6743a1dac60

SHA1
025d7176c1062c4535fbc82efc4ceac420bfc5f3

SHA256
b63827c707ecb008962a5a8bcfbc3fae4302c064552569144b09feee7e7df732

SHA512
bd82fe3fc1477e19548fdd91b2189dbd3327e2563bfd2e1066ae3cf21e1308e480ba436fb26b05b85207f86c15c64e3d7cb92eaff77cf50228250b33bec34548

Download Submit
C:\Users\Public\Music\zpi92W\Iyslc5.lnk

Filesize
923B

MD5
c09d90875abe82e7e50ec6743a1dac60

SHA1
025d7176c1062c4535fbc82efc4ceac420bfc5f3

SHA256
b63827c707ecb008962a5a8bcfbc3fae4302c064552569144b09feee7e7df732

SHA512
bd82fe3fc1477e19548fdd91b2189dbd3327e2563bfd2e1066ae3cf21e1308e480ba436fb26b05b85207f86c15c64e3d7cb92eaff77cf50228250b33bec34548

Download Submit
C:\Users\Public\Music\zpi92W\LBuoe8.url

Filesize
67B

MD5
39038a86ef2165477e4c9473a7abbfcf

SHA1
f5c941153654ecdc0c2cec9fcfe24611d6c41602

SHA256
159afd44ef336cd9e2e7c42f7cc0d6d95f40cf813e186179877a100e4acddacd

SHA512
0f40192c9e1c4ba94d5c10c422348f4aeb8dd7e4a854ea6dd6da49ebc9c683bb1e7f90480ade7513b75606f5fb77e301f12080cbba3c3a5d6be6fffb8be692fc

Download Submit
C:\Users\Public\Music\zpi92W\LFvpi8.lnk

Filesize
923B

MD5
c09d90875abe82e7e50ec6743a1dac60

SHA1
025d7176c1062c4535fbc82efc4ceac420bfc5f3

SHA256
b63827c707ecb008962a5a8bcfbc3fae4302c064552569144b09feee7e7df732

SHA512
bd82fe3fc1477e19548fdd91b2189dbd3327e2563bfd2e1066ae3cf21e1308e480ba436fb26b05b85207f86c15c64e3d7cb92eaff77cf50228250b33bec34548

Download Submit
C:\Users\Public\Music\zpi92W\OHyrlb.url

Filesize
67B

MD5
39038a86ef2165477e4c9473a7abbfcf

SHA1
f5c941153654ecdc0c2cec9fcfe24611d6c41602

SHA256
159afd44ef336cd9e2e7c42f7cc0d6d95f40cf813e186179877a100e4acddacd

SHA512
0f40192c9e1c4ba94d5c10c422348f4aeb8dd7e4a854ea6dd6da49ebc9c683bb1e7f90480ade7513b75606f5fb77e301f12080cbba3c3a5d6be6fffb8be692fc

Download Submit
C:\Users\Public\Music\zpi92W\SIBslf.lnk

Filesize
923B

MD5
c09d90875abe82e7e50ec6743a1dac60

SHA1
025d7176c1062c4535fbc82efc4ceac420bfc5f3

SHA256
b63827c707ecb008962a5a8bcfbc3fae4302c064552569144b09feee7e7df732

SHA512
bd82fe3fc1477e19548fdd91b2189dbd3327e2563bfd2e1066ae3cf21e1308e480ba436fb26b05b85207f86c15c64e3d7cb92eaff77cf50228250b33bec34548

Download Submit
C:\Users\Public\Music\zpi92W\UKEuoh.url

Filesize
67B

MD5
39038a86ef2165477e4c9473a7abbfcf

SHA1
f5c941153654ecdc0c2cec9fcfe24611d6c41602

SHA256
159afd44ef336cd9e2e7c42f7cc0d6d95f40cf813e186179877a100e4acddacd

SHA512
0f40192c9e1c4ba94d5c10c422348f4aeb8dd7e4a854ea6dd6da49ebc9c683bb1e7f90480ade7513b75606f5fb77e301f12080cbba3c3a5d6be6fffb8be692fc

Download Submit
C:\Users\Public\Music\zpi92W\UKEuoh.url

Filesize
67B

MD5
39038a86ef2165477e4c9473a7abbfcf

SHA1
f5c941153654ecdc0c2cec9fcfe24611d6c41602

SHA256
159afd44ef336cd9e2e7c42f7cc0d6d95f40cf813e186179877a100e4acddacd

SHA512
0f40192c9e1c4ba94d5c10c422348f4aeb8dd7e4a854ea6dd6da49ebc9c683bb1e7f90480ade7513b75606f5fb77e301f12080cbba3c3a5d6be6fffb8be692fc

Download Submit
C:\Users\Public\Music\zpi92W\VOEyoi.lnk

Filesize
923B

MD5
c09d90875abe82e7e50ec6743a1dac60

SHA1
025d7176c1062c4535fbc82efc4ceac420bfc5f3

SHA256
b63827c707ecb008962a5a8bcfbc3fae4302c064552569144b09feee7e7df732

SHA512
bd82fe3fc1477e19548fdd91b2189dbd3327e2563bfd2e1066ae3cf21e1308e480ba436fb26b05b85207f86c15c64e3d7cb92eaff77cf50228250b33bec34548

Download Submit
C:\Users\Public\Music\zpi92W\XRHArk.url

Filesize
67B

MD5
39038a86ef2165477e4c9473a7abbfcf

SHA1
f5c941153654ecdc0c2cec9fcfe24611d6c41602

SHA256
159afd44ef336cd9e2e7c42f7cc0d6d95f40cf813e186179877a100e4acddacd

SHA512
0f40192c9e1c4ba94d5c10c422348f4aeb8dd7e4a854ea6dd6da49ebc9c683bb1e7f90480ade7513b75606f5fb77e301f12080cbba3c3a5d6be6fffb8be692fc

Download Submit
C:\Users\Public\Music\zpi92W\pf9_TM.lnk

Filesize
923B

MD5
c09d90875abe82e7e50ec6743a1dac60

SHA1
025d7176c1062c4535fbc82efc4ceac420bfc5f3

SHA256
b63827c707ecb008962a5a8bcfbc3fae4302c064552569144b09feee7e7df732

SHA512
bd82fe3fc1477e19548fdd91b2189dbd3327e2563bfd2e1066ae3cf21e1308e480ba436fb26b05b85207f86c15c64e3d7cb92eaff77cf50228250b33bec34548

Download Submit
C:\Users\Public\Music\zpi92W\rha1UO.lnk

Filesize
923B

MD5
c09d90875abe82e7e50ec6743a1dac60

SHA1
025d7176c1062c4535fbc82efc4ceac420bfc5f3

SHA256
b63827c707ecb008962a5a8bcfbc3fae4302c064552569144b09feee7e7df732

SHA512
bd82fe3fc1477e19548fdd91b2189dbd3327e2563bfd2e1066ae3cf21e1308e480ba436fb26b05b85207f86c15c64e3d7cb92eaff77cf50228250b33bec34548

Download Submit
C:\Users\Public\Music\zpi92W\smc5WP.lnk

Filesize
923B

MD5
c09d90875abe82e7e50ec6743a1dac60

SHA1
025d7176c1062c4535fbc82efc4ceac420bfc5f3

SHA256
b63827c707ecb008962a5a8bcfbc3fae4302c064552569144b09feee7e7df732

SHA512
bd82fe3fc1477e19548fdd91b2189dbd3327e2563bfd2e1066ae3cf21e1308e480ba436fb26b05b85207f86c15c64e3d7cb92eaff77cf50228250b33bec34548

Download Submit
C:\Users\Public\bai12.zip

Filesize
1.1MB

MD5
2b03ef6d1cdbeabba85f99f53853cdd1

SHA1
7e0fbb1bb8ea80ab0ff6197089cbafd5189d57e9

SHA256
ac8cfbbb4219607d948591df2f15e0cb5bd20a3e133a9ca84aa10d8622b7a3b8

SHA512
8526cbf25e98e0cb411c4572ee37403fba4a1c4ccff31c5b33be47c6dc4e599a6e350beb414d6f31b2f77b96422ae7b0a0a0668a10edece991f904f10b1e671c

Download Submit
C:\Windows\SysWOW64\Uac.reg

Filesize
245B

MD5
3259410b95978a44d4a95a1d1815cc6d

SHA1
26d3928a81f9d754c7991673c6b856652ce38f98

SHA256
182d0025f616b82d52f824e52ec21f6f75cb3cba3e31b0f27c1f8d1a6d5aa7b5

SHA512
44b7fdec8e4346901cc73927536b9841489b16e1faf4a25e17bb620195b4d0f841c7a5746b4f7a37fc91b7b9606abcb61b662b5732935472064b5eab31ce300b

Download Submit
\ProgramData\6R9UCW\VGXJ4M7.exe

Filesize
498KB

MD5
3a5b4b08e6ae35fd3ff44ccfb6c4b1aa

SHA1
b5b57a9737a2572d7920d67455f370237ea3c793

SHA256
be153ac4db95db7520049a4c1e5182be07d27d2c11088a2d768e931b9a981c7f

SHA512
b7d570f0ada7bf7c6893aae06bdb3b182a12ef941c6ed099f17149407395d677fc31736aa2e326b57607be2335c35c659621592c1ea83e59c373f52ccb6a5d81

Download Submit
\ProgramData\6R9UCW\avk.dll

Filesize
980KB

MD5
482dd157a1fa275bd8c399dfcd6a24bc

SHA1
8c272eb1a5bb0f89f40e2a4caf9a2634cf8cbcfa

SHA256
649d253d56d1de2598d1f509ed8a0ef3440ff1cbbcda046cc7b838fc4d58a731

SHA512
aaf7ff5b49d3185152904c83fd3ffa90a907497f2931399886340c0381c091b90a848a1a95e9dc9c086930fe7861dcbf710dcecd9422f41d16d40f1a1c056de2

Download Submit
\Users\Admin\AppData\Roaming\7OARD\TNDw.exe

Filesize
118KB

MD5
3331650b6a8c7b391e1416679d6f9fe2

SHA1
58fc669e7d25f2771002219dcc53c5d3aa98d0fb

SHA256
f044b74956a628a859e594dedb7617fb5ed6d0d5cedf6e82a4daa45e59bbd1c5

SHA512
8638bc8fb432bca4a84422fc607649c41007e94d4b43dda8dfcc7b532ec85f077055197eedbe4766b360d572db76e7683c69742820bc9a24a7628cad263a9407

Download Submit
\Users\Admin\AppData\Roaming\7OARD\TNDw.exe

Filesize
118KB

MD5
3331650b6a8c7b391e1416679d6f9fe2

SHA1
58fc669e7d25f2771002219dcc53c5d3aa98d0fb

SHA256
f044b74956a628a859e594dedb7617fb5ed6d0d5cedf6e82a4daa45e59bbd1c5

SHA512
8638bc8fb432bca4a84422fc607649c41007e94d4b43dda8dfcc7b532ec85f077055197eedbe4766b360d572db76e7683c69742820bc9a24a7628cad263a9407

Download Submit
\Users\Admin\AppData\Roaming\7OARD\TNDw.exe

Filesize
118KB

MD5
3331650b6a8c7b391e1416679d6f9fe2

SHA1
58fc669e7d25f2771002219dcc53c5d3aa98d0fb

SHA256
f044b74956a628a859e594dedb7617fb5ed6d0d5cedf6e82a4daa45e59bbd1c5

SHA512
8638bc8fb432bca4a84422fc607649c41007e94d4b43dda8dfcc7b532ec85f077055197eedbe4766b360d572db76e7683c69742820bc9a24a7628cad263a9407

Download Submit
\Users\Admin\AppData\Roaming\7OARD\TNDw.exe

Filesize
118KB

MD5
3331650b6a8c7b391e1416679d6f9fe2

SHA1
58fc669e7d25f2771002219dcc53c5d3aa98d0fb

SHA256
f044b74956a628a859e594dedb7617fb5ed6d0d5cedf6e82a4daa45e59bbd1c5

SHA512
8638bc8fb432bca4a84422fc607649c41007e94d4b43dda8dfcc7b532ec85f077055197eedbe4766b360d572db76e7683c69742820bc9a24a7628cad263a9407

Download Submit
\Users\Admin\AppData\Roaming\7OARD\TNDw.exe

Filesize
118KB

MD5
3331650b6a8c7b391e1416679d6f9fe2

SHA1
58fc669e7d25f2771002219dcc53c5d3aa98d0fb

SHA256
f044b74956a628a859e594dedb7617fb5ed6d0d5cedf6e82a4daa45e59bbd1c5

SHA512
8638bc8fb432bca4a84422fc607649c41007e94d4b43dda8dfcc7b532ec85f077055197eedbe4766b360d572db76e7683c69742820bc9a24a7628cad263a9407

Download Submit
\Users\Admin\AppData\Roaming\7OARD\TNDw.exe

Filesize
118KB

MD5
3331650b6a8c7b391e1416679d6f9fe2

SHA1
58fc669e7d25f2771002219dcc53c5d3aa98d0fb

SHA256
f044b74956a628a859e594dedb7617fb5ed6d0d5cedf6e82a4daa45e59bbd1c5

SHA512
8638bc8fb432bca4a84422fc607649c41007e94d4b43dda8dfcc7b532ec85f077055197eedbe4766b360d572db76e7683c69742820bc9a24a7628cad263a9407

Download Submit
\Users\Admin\AppData\Roaming\7OARD\TNDw.exe

Filesize
118KB

MD5
3331650b6a8c7b391e1416679d6f9fe2

SHA1
58fc669e7d25f2771002219dcc53c5d3aa98d0fb

SHA256
f044b74956a628a859e594dedb7617fb5ed6d0d5cedf6e82a4daa45e59bbd1c5

SHA512
8638bc8fb432bca4a84422fc607649c41007e94d4b43dda8dfcc7b532ec85f077055197eedbe4766b360d572db76e7683c69742820bc9a24a7628cad263a9407

Download Submit
\Users\Admin\AppData\Roaming\7OARD\TNDw.exe

Filesize
118KB

MD5
3331650b6a8c7b391e1416679d6f9fe2

SHA1
58fc669e7d25f2771002219dcc53c5d3aa98d0fb

SHA256
f044b74956a628a859e594dedb7617fb5ed6d0d5cedf6e82a4daa45e59bbd1c5

SHA512
8638bc8fb432bca4a84422fc607649c41007e94d4b43dda8dfcc7b532ec85f077055197eedbe4766b360d572db76e7683c69742820bc9a24a7628cad263a9407

Download Submit
\Users\Admin\AppData\Roaming\7OARD\TNDw.exe

Filesize
118KB

MD5
3331650b6a8c7b391e1416679d6f9fe2

SHA1
58fc669e7d25f2771002219dcc53c5d3aa98d0fb

SHA256
f044b74956a628a859e594dedb7617fb5ed6d0d5cedf6e82a4daa45e59bbd1c5

SHA512
8638bc8fb432bca4a84422fc607649c41007e94d4b43dda8dfcc7b532ec85f077055197eedbe4766b360d572db76e7683c69742820bc9a24a7628cad263a9407

Download Submit
\Users\Admin\AppData\Roaming\7OARD\TNDw.exe

Filesize
118KB

MD5
3331650b6a8c7b391e1416679d6f9fe2

SHA1
58fc669e7d25f2771002219dcc53c5d3aa98d0fb

SHA256
f044b74956a628a859e594dedb7617fb5ed6d0d5cedf6e82a4daa45e59bbd1c5

SHA512
8638bc8fb432bca4a84422fc607649c41007e94d4b43dda8dfcc7b532ec85f077055197eedbe4766b360d572db76e7683c69742820bc9a24a7628cad263a9407

Download Submit
\Users\Admin\AppData\Roaming\7OARD\TNDw.exe

Filesize
118KB

MD5
3331650b6a8c7b391e1416679d6f9fe2

SHA1
58fc669e7d25f2771002219dcc53c5d3aa98d0fb

SHA256
f044b74956a628a859e594dedb7617fb5ed6d0d5cedf6e82a4daa45e59bbd1c5

SHA512
8638bc8fb432bca4a84422fc607649c41007e94d4b43dda8dfcc7b532ec85f077055197eedbe4766b360d572db76e7683c69742820bc9a24a7628cad263a9407

Download Submit
\Users\Admin\AppData\Roaming\7OARD\TNDw.exe

Filesize
118KB

MD5
3331650b6a8c7b391e1416679d6f9fe2

SHA1
58fc669e7d25f2771002219dcc53c5d3aa98d0fb

SHA256
f044b74956a628a859e594dedb7617fb5ed6d0d5cedf6e82a4daa45e59bbd1c5

SHA512
8638bc8fb432bca4a84422fc607649c41007e94d4b43dda8dfcc7b532ec85f077055197eedbe4766b360d572db76e7683c69742820bc9a24a7628cad263a9407

Download Submit
\Users\Admin\AppData\Roaming\7OARD\TNDw.exe

Filesize
118KB

MD5
3331650b6a8c7b391e1416679d6f9fe2

SHA1
58fc669e7d25f2771002219dcc53c5d3aa98d0fb

SHA256
f044b74956a628a859e594dedb7617fb5ed6d0d5cedf6e82a4daa45e59bbd1c5

SHA512
8638bc8fb432bca4a84422fc607649c41007e94d4b43dda8dfcc7b532ec85f077055197eedbe4766b360d572db76e7683c69742820bc9a24a7628cad263a9407

Download Submit
memory/2236-5-0x0000000010000000-0x0000000010046000-memory.dmp

Filesize
280KB

Download
memory/2776-111-0x0000000000300000-0x000000000032D000-memory.dmp

Filesize
180KB

Download
memory/2812-103-0x0000000003730000-0x0000000003731000-memory.dmp

Filesize
4KB

Download
memory/2812-39-0x0000000003740000-0x0000000003750000-memory.dmp

Filesize
64KB

Download
memory/2812-38-0x0000000003730000-0x0000000003731000-memory.dmp

Filesize
4KB

Download