gh0strat | 65549c0c44948ed7543c30d24f4d6a54521d51e2f8abfcba0d7a73c80c036e27

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
22-10-2023 09:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65549c0c44948ed7543c30d24f4d6a54521d51e2f8abfcba0d7a73c80c036e27.exe
Size

924KB
MD5

329d0e70f6a56a68f3b750fe0605dec7
SHA1

8015e570fd8c906868b9ce5da814cb86cd6e5db7
SHA256

65549c0c44948ed7543c30d24f4d6a54521d51e2f8abfcba0d7a73c80c036e27
SHA512

b87c5a13ae10bbeb000577f0390ff4552cc7afe19f0d78bbed4d00f67a1b02b811adc9f8dd0cfa1b57481a48680c6b1dbf6e2137939b3ec456f66ff9d138ae5d
SSDEEP

12288:B3j2XoumjvYC2P+0E7eu7gEPEnzz9p6rgzeIkb/pmJgdECgBdVa/ALnDzwDMD1G8:BT26zjV2PT10X5uJQUTxMIo+

Score

10^/10

gh0strat evasion rat trojan

Malware Config

Extracted

Family

gh0strat

103.142.8.158

Signatures

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2796-95-0x0000000002CD0000-0x0000000002CFD000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

regedit.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" regedit.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe

Drops startup file 2 IoCs

Processes:

Ele5.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\Embarcaderophi.lnk	Ele5.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\Embarcaderophi.lnk	Ele5.exe

Executes dropped EXE 2 IoCs

Processes:

Ele5.exe1L7OAU7.exe

pid process

4700 Ele5.exe
2796 1L7OAU7.exe
Loads dropped DLL 1 IoCs

Processes:

1L7OAU7.exe

pid process

2796 1L7OAU7.exe
Drops file in System32 directory 2 IoCs

Processes:

1L7OAU7.exe

description ioc process

File created C:\Windows\SysWOW64\Uac.reg 1L7OAU7.exe
File opened for modification C:\Windows\SysWOW64\Uac.reg 1L7OAU7.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4700	Ele5.exe
2796	1L7OAU7.exe

pid	process
2796	1L7OAU7.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Uac.reg	1L7OAU7.exe
File opened for modification	C:\Windows\SysWOW64\Uac.reg	1L7OAU7.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies registry class 32 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 78003100000000005657554d11004d7573696300640009000400efbe874fdb495657564d2e000000fd0500000000010000000000000000003a0000000000f86d0f004d007500730069006300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380030003300000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 7800310000000000545754881100557365727300640009000400efbe874f774856574f4d2e000000c70500000000010000000000000000003a0000000000df8ed20055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 54003100000000005657554d1000673730554b4400003e0009000400efbe5657554d5657554d2e000000572e0200000008000000000000000000000000000000f86d0f0067003700300055004b004400000016000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Music"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 7c003100000000005657534d11005075626c69630000660009000400efbe874fdb495657564d2e000000f80500000000010000000000000000003c00000000002a43a3005000750062006c0069006300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003600000016000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe

Runs .reg file with regedit 1 IoCs

Processes:

regedit.exe

pid process

4256 regedit.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

explorer.exe

pid process

3728 explorer.exe

pid	process
4256	regedit.exe

pid	process
3728	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

65549c0c44948ed7543c30d24f4d6a54521d51e2f8abfcba0d7a73c80c036e27.exe

pid	process
4824	65549c0c44948ed7543c30d24f4d6a54521d51e2f8abfcba0d7a73c80c036e27.exe
4824	65549c0c44948ed7543c30d24f4d6a54521d51e2f8abfcba0d7a73c80c036e27.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

65549c0c44948ed7543c30d24f4d6a54521d51e2f8abfcba0d7a73c80c036e27.exe

pid process

4824 65549c0c44948ed7543c30d24f4d6a54521d51e2f8abfcba0d7a73c80c036e27.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

explorer.exe

pid process

3728 explorer.exe
3728 explorer.exe

pid	process
3728	explorer.exe
3728	explorer.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

65549c0c44948ed7543c30d24f4d6a54521d51e2f8abfcba0d7a73c80c036e27.exeexplorer.exe1L7OAU7.execmd.exe

description	pid	process	target process
PID 4824 wrote to memory of 1800	4824	65549c0c44948ed7543c30d24f4d6a54521d51e2f8abfcba0d7a73c80c036e27.exe	explorer.exe
PID 4824 wrote to memory of 1800	4824	65549c0c44948ed7543c30d24f4d6a54521d51e2f8abfcba0d7a73c80c036e27.exe	explorer.exe
PID 3728 wrote to memory of 4700	3728	explorer.exe	Ele5.exe
PID 3728 wrote to memory of 4700	3728	explorer.exe	Ele5.exe
PID 3728 wrote to memory of 2796	3728	explorer.exe	1L7OAU7.exe
PID 3728 wrote to memory of 2796	3728	explorer.exe	1L7OAU7.exe
PID 3728 wrote to memory of 2796	3728	explorer.exe	1L7OAU7.exe
PID 2796 wrote to memory of 4356	2796	1L7OAU7.exe	cmd.exe
PID 2796 wrote to memory of 4356	2796	1L7OAU7.exe	cmd.exe
PID 2796 wrote to memory of 4356	2796	1L7OAU7.exe	cmd.exe
PID 4356 wrote to memory of 4256	4356	cmd.exe	regedit.exe
PID 4356 wrote to memory of 4256	4356	cmd.exe	regedit.exe
PID 4356 wrote to memory of 4256	4356	cmd.exe	regedit.exe

C:\Users\Admin\AppData\Local\Temp\65549c0c44948ed7543c30d24f4d6a54521d51e2f8abfcba0d7a73c80c036e27.exe
"C:\Users\Admin\AppData\Local\Temp\65549c0c44948ed7543c30d24f4d6a54521d51e2f8abfcba0d7a73c80c036e27.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4824

C:\Windows\explorer.exe
C:\Windows\explorer.exe C:\Users\Public\Music\g70UKD
2⤵
PID:1800

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3728

C:\Users\Admin\AppData\Roaming\UTF0I\Ele5.exe
"C:\Users\Admin\AppData\Roaming\UTF0I\Ele5.exe" -n C:\Users\Admin\AppData\Roaming\UTF0I\0YK.zip -d C:\Users\Admin\AppData\Roaming
2⤵
- Drops startup file
- Executes dropped EXE
PID:4700

C:\ProgramData\Q8SEDY\1L7OAU7.exe
"C:\ProgramData\Q8SEDY\1L7OAU7.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2796

C:\Windows\SysWOW64\cmd.exe
cmd /C regedit /s Uac.reg
3⤵
- Suspicious use of WriteProcessMemory
PID:4356

C:\Windows\SysWOW64\regedit.exe
regedit /s Uac.reg
4⤵
- UAC bypass
- Runs .reg file with regedit
PID:4256

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Q8SEDY\1L7OAU7.exe

Filesize
498KB

MD5
3a5b4b08e6ae35fd3ff44ccfb6c4b1aa

SHA1
b5b57a9737a2572d7920d67455f370237ea3c793

SHA256
be153ac4db95db7520049a4c1e5182be07d27d2c11088a2d768e931b9a981c7f

SHA512
b7d570f0ada7bf7c6893aae06bdb3b182a12ef941c6ed099f17149407395d677fc31736aa2e326b57607be2335c35c659621592c1ea83e59c373f52ccb6a5d81

Download Submit
C:\ProgramData\Q8SEDY\1L7OAU7.exe

Filesize
498KB

MD5
3a5b4b08e6ae35fd3ff44ccfb6c4b1aa

SHA1
b5b57a9737a2572d7920d67455f370237ea3c793

SHA256
be153ac4db95db7520049a4c1e5182be07d27d2c11088a2d768e931b9a981c7f

SHA512
b7d570f0ada7bf7c6893aae06bdb3b182a12ef941c6ed099f17149407395d677fc31736aa2e326b57607be2335c35c659621592c1ea83e59c373f52ccb6a5d81

Download Submit
C:\ProgramData\Q8SEDY\1L7OAU7.exe

Filesize
498KB

MD5
3a5b4b08e6ae35fd3ff44ccfb6c4b1aa

SHA1
b5b57a9737a2572d7920d67455f370237ea3c793

SHA256
be153ac4db95db7520049a4c1e5182be07d27d2c11088a2d768e931b9a981c7f

SHA512
b7d570f0ada7bf7c6893aae06bdb3b182a12ef941c6ed099f17149407395d677fc31736aa2e326b57607be2335c35c659621592c1ea83e59c373f52ccb6a5d81

Download Submit
C:\ProgramData\Q8SEDY\AVK.dll

Filesize
980KB

MD5
482dd157a1fa275bd8c399dfcd6a24bc

SHA1
8c272eb1a5bb0f89f40e2a4caf9a2634cf8cbcfa

SHA256
649d253d56d1de2598d1f509ed8a0ef3440ff1cbbcda046cc7b838fc4d58a731

SHA512
aaf7ff5b49d3185152904c83fd3ffa90a907497f2931399886340c0381c091b90a848a1a95e9dc9c086930fe7861dcbf710dcecd9422f41d16d40f1a1c056de2

Download Submit
C:\ProgramData\Q8SEDY\avk.dll

Filesize
980KB

MD5
482dd157a1fa275bd8c399dfcd6a24bc

SHA1
8c272eb1a5bb0f89f40e2a4caf9a2634cf8cbcfa

SHA256
649d253d56d1de2598d1f509ed8a0ef3440ff1cbbcda046cc7b838fc4d58a731

SHA512
aaf7ff5b49d3185152904c83fd3ffa90a907497f2931399886340c0381c091b90a848a1a95e9dc9c086930fe7861dcbf710dcecd9422f41d16d40f1a1c056de2

Download Submit
C:\ProgramData\Q8SEDY\info.txt

Filesize
491KB

MD5
d62278c3290143e776c7209b3c2a3104

SHA1
bdec0c7269ad520e074a800e2e079da848e84ce2

SHA256
5b4b5a6dfa6bcce3727cc8f2dcba39ae7d8a6faff7725fa7faf249db26ca8af7

SHA512
9cf8d38c2f27130208f4c29bfa217782fefcd689c47068b816a76b7d1ed68799a55f94bf8c1a74aa3692b8a3eec345874324b50d6fbe42118e697a6f6e31f741

Download Submit
C:\Users\Admin\AppData\Roaming\UTF0I\0YK.zip

Filesize
1KB

MD5
6b284b23a6f922bd0e16952aaa4b84f4

SHA1
a76cefcda9d10fbbaf22ddf6cc4200fa50f75be6

SHA256
6d323e7bb1d634498788e5aa29af4a821b476f557d1222090f9d575b5aa45d06

SHA512
b2622e3f11c2e7a83e1cc8afe3cf7122d93441dc4ca21b6e4c8f3c5f7ee47add8f33e555deecbb09433cc627cbc73f3ac5a93470c9031c1b4d4358a2cb640361

Download Submit
C:\Users\Admin\AppData\Roaming\UTF0I\Ele5.exe

Filesize
118KB

MD5
3331650b6a8c7b391e1416679d6f9fe2

SHA1
58fc669e7d25f2771002219dcc53c5d3aa98d0fb

SHA256
f044b74956a628a859e594dedb7617fb5ed6d0d5cedf6e82a4daa45e59bbd1c5

SHA512
8638bc8fb432bca4a84422fc607649c41007e94d4b43dda8dfcc7b532ec85f077055197eedbe4766b360d572db76e7683c69742820bc9a24a7628cad263a9407

Download Submit
C:\Users\Admin\AppData\Roaming\UTF0I\Ele5.exe

Filesize
118KB

MD5
3331650b6a8c7b391e1416679d6f9fe2

SHA1
58fc669e7d25f2771002219dcc53c5d3aa98d0fb

SHA256
f044b74956a628a859e594dedb7617fb5ed6d0d5cedf6e82a4daa45e59bbd1c5

SHA512
8638bc8fb432bca4a84422fc607649c41007e94d4b43dda8dfcc7b532ec85f077055197eedbe4766b360d572db76e7683c69742820bc9a24a7628cad263a9407

Download Submit
C:\Users\Admin\AppData\Roaming\UTF0I\Ele5.exe

Filesize
118KB

MD5
3331650b6a8c7b391e1416679d6f9fe2

SHA1
58fc669e7d25f2771002219dcc53c5d3aa98d0fb

SHA256
f044b74956a628a859e594dedb7617fb5ed6d0d5cedf6e82a4daa45e59bbd1c5

SHA512
8638bc8fb432bca4a84422fc607649c41007e94d4b43dda8dfcc7b532ec85f077055197eedbe4766b360d572db76e7683c69742820bc9a24a7628cad263a9407

Download Submit
C:\Users\Admin\AppData\Roaming\UTF0I\Embarcaderophi.lnk

Filesize
797B

MD5
db9c4875c7c0f4f7946855e58bbd6a53

SHA1
419851c6fa9e270b5ebaf47bdfd1c4608b364954

SHA256
f387904eb991ec353a5404d0133907ecb23ce27010bd8bdf7f0d2c8f7f1b6968

SHA512
52184a58d7db041074c3a7834ba87c216dc9f0f824ad44005b48b125d9bb3c77e1478bd841175094e3bf0e075ef0d9798761e420d14b4053308d56ac19e1b6dc

Download Submit
C:\Users\Public\Music\g70UKD\5WPFzs.lnk

Filesize
1006B

MD5
dcfd64c505a4e954829cdd028b4e6115

SHA1
1cd45fb61424a53588c99d701d0b9cec92aec534

SHA256
1817825565b72d85835bede2eb2e6991f5bee5eb26426c1181aa168a92c423c3

SHA512
948ddbc173ea79fc60f08cd39ec2b6620f1265fa09154d3b3c3f57a9b8787c8d66dd541f5f2da0df6ee4af4aafb3daff4c7f02b96a347cf22fa2a92d1b9c6106

Download Submit
C:\Users\Public\Music\g70UKD\Atnd7X.url

Filesize
67B

MD5
a84eebfc0638dc9e5f4d66ce244389a5

SHA1
6efbf103923ee820606dd4563b81528e2757a055

SHA256
78a290021129fa1b17a71f562089adb230d5db279bd6db4950a134520aee4c5f

SHA512
c857f7c25c1ad3dbba8c243a07876472b7ef6a5052f140910aa6d490d58edac227754bf6c20b5304b20b6d349ba719a010e23604b12069bc62399f05462b30fa

Download Submit
C:\Users\Public\Music\g70UKD\Gxqga3.url

Filesize
67B

MD5
a84eebfc0638dc9e5f4d66ce244389a5

SHA1
6efbf103923ee820606dd4563b81528e2757a055

SHA256
78a290021129fa1b17a71f562089adb230d5db279bd6db4950a134520aee4c5f

SHA512
c857f7c25c1ad3dbba8c243a07876472b7ef6a5052f140910aa6d490d58edac227754bf6c20b5304b20b6d349ba719a010e23604b12069bc62399f05462b30fa

Download Submit
C:\Users\Public\Music\g70UKD\JAtnd6.url

Filesize
67B

MD5
a84eebfc0638dc9e5f4d66ce244389a5

SHA1
6efbf103923ee820606dd4563b81528e2757a055

SHA256
78a290021129fa1b17a71f562089adb230d5db279bd6db4950a134520aee4c5f

SHA512
c857f7c25c1ad3dbba8c243a07876472b7ef6a5052f140910aa6d490d58edac227754bf6c20b5304b20b6d349ba719a010e23604b12069bc62399f05462b30fa

Download Submit
C:\Users\Public\Music\g70UKD\JAtnd6.url

Filesize
67B

MD5
a84eebfc0638dc9e5f4d66ce244389a5

SHA1
6efbf103923ee820606dd4563b81528e2757a055

SHA256
78a290021129fa1b17a71f562089adb230d5db279bd6db4950a134520aee4c5f

SHA512
c857f7c25c1ad3dbba8c243a07876472b7ef6a5052f140910aa6d490d58edac227754bf6c20b5304b20b6d349ba719a010e23604b12069bc62399f05462b30fa

Download Submit
C:\Users\Public\Music\g70UKD\Lrle5Y.lnk

Filesize
1006B

MD5
b3ccc3a90e0b8129f7e7e3f41c67cbfc

SHA1
6653477fd3477e6d5765a98da1701367ba868f6d

SHA256
cb49a26480fe58faacb16c30364f2fbd37ac8d4728353a7f28732db5d59e9738

SHA512
0433cff83bd18be1db962875b64bed6ac0226df1a81f234e59ed55386ea225011f5e36c730fb5fe4bb9128bab565835e5eec6594bd4e283b2a25518e1cd238d5

Download Submit
C:\Users\Public\Music\g70UKD\MGwqj9.url

Filesize
67B

MD5
a84eebfc0638dc9e5f4d66ce244389a5

SHA1
6efbf103923ee820606dd4563b81528e2757a055

SHA256
78a290021129fa1b17a71f562089adb230d5db279bd6db4950a134520aee4c5f

SHA512
c857f7c25c1ad3dbba8c243a07876472b7ef6a5052f140910aa6d490d58edac227754bf6c20b5304b20b6d349ba719a010e23604b12069bc62399f05462b30fa

Download Submit
C:\Users\Public\Music\g70UKD\PJCtmc.url

Filesize
67B

MD5
a84eebfc0638dc9e5f4d66ce244389a5

SHA1
6efbf103923ee820606dd4563b81528e2757a055

SHA256
78a290021129fa1b17a71f562089adb230d5db279bd6db4950a134520aee4c5f

SHA512
c857f7c25c1ad3dbba8c243a07876472b7ef6a5052f140910aa6d490d58edac227754bf6c20b5304b20b6d349ba719a010e23604b12069bc62399f05462b30fa

Download Submit
C:\Users\Public\Music\g70UKD\VCvpf9.lnk

Filesize
1006B

MD5
011c0d49142db33c83f57d331ea0b957

SHA1
94a34c80fa2585887fa7c13224b0264b486f1eef

SHA256
89395b4f38b38d075a9d7ab92461588b8792e7f62639f4346d5d01a284d9ca88

SHA512
05df94cd9de7e589bdb3ccab7104aadf78f4596e0b8194e1fe8d83956ef3b79aae2ef9670a42fc4cf20cdd7a3d6e2e36e5ffa7f3a6e4ebc65c2da60bd290424a

Download Submit
C:\Users\Public\Music\g70UKD\WMFwpj.url

Filesize
67B

MD5
a84eebfc0638dc9e5f4d66ce244389a5

SHA1
6efbf103923ee820606dd4563b81528e2757a055

SHA256
78a290021129fa1b17a71f562089adb230d5db279bd6db4950a134520aee4c5f

SHA512
c857f7c25c1ad3dbba8c243a07876472b7ef6a5052f140910aa6d490d58edac227754bf6c20b5304b20b6d349ba719a010e23604b12069bc62399f05462b30fa

Download Submit
C:\Users\Public\Music\g70UKD\XExohb.lnk

Filesize
1006B

MD5
e34f015f6e553d11fbec04cf51c82fa6

SHA1
e7c74dc05a4ee80880a1a9636abed22801a37d36

SHA256
9639b695a8837d6e399f004e7ad0b42e9f94f9b68750512cc54a03707a8d2243

SHA512
e1e0fa6ee9e7f4c17bebc929947d38ab81b178919b14e4541bc1b374453ad6a7b54538c8a7e8ae90c44b049a9d1b27429aa8f0a7023acfc034dffc87e8fdf28d

Download Submit
C:\Users\Public\Music\g70UKD\_PICsm.url

Filesize
67B

MD5
a84eebfc0638dc9e5f4d66ce244389a5

SHA1
6efbf103923ee820606dd4563b81528e2757a055

SHA256
78a290021129fa1b17a71f562089adb230d5db279bd6db4950a134520aee4c5f

SHA512
c857f7c25c1ad3dbba8c243a07876472b7ef6a5052f140910aa6d490d58edac227754bf6c20b5304b20b6d349ba719a010e23604b12069bc62399f05462b30fa

Download Submit
C:\Users\Public\Music\g70UKD\b2VPFy.lnk

Filesize
1006B

MD5
b0952d7d0f276ef88ba302b77c04e209

SHA1
9ba4baefe66ad0725ec519b9ed01409d778e22ca

SHA256
5e9d26689ba58757b36109eea75e42aea4d8566cc87e862b4a36059d9f0e1af4

SHA512
1b2b94a5657f75b52ab3183564c4a5da5ac1896dc510afce6b0f00d77153a6175fbb59986460c9a770faa66b0331bed9b95591159c390f600a3909f13590b090

Download Submit
C:\Users\Public\Music\g70UKD\gWNGAq.lnk

Filesize
1006B

MD5
f27610a7dc1d138eda1950be2348c636

SHA1
ceb15d0b94a85ee40fae211aa717ce48111ea4da

SHA256
c9b63cbfaee76b7834a197cc4222a5246858f986fe74636116eff7deed292ed5

SHA512
409eb66635eff226c068c9da4c451eb6c87f996a14602ded9cb3ec51f9af2d3a8498f5e012be6b551df36db3c1c49c6dd160192077516e33ed1288b1fc90e48c

Download Submit
C:\Users\Public\Music\g70UKD\xohb1U.lnk

Filesize
1006B

MD5
1409eccd5fbcb01b40df6f11db93a00b

SHA1
be0df62e0213efcc8b9bef418f7ebe5d3416604d

SHA256
e5f69d00c833707cb32a482a035491882ccb266374d8ad80093ae6ab6db6d097

SHA512
f91c13e227f9253ae3c95ff8326994cc15fbe1b1b70cf71dd10fc5833001389feb8c1e90459ec7a0cb73ece9a115747c40ba2045e82facd304d76e6c9f7032dd

Download Submit
C:\Users\Public\bai12.zip

Filesize
1.1MB

MD5
2b03ef6d1cdbeabba85f99f53853cdd1

SHA1
7e0fbb1bb8ea80ab0ff6197089cbafd5189d57e9

SHA256
ac8cfbbb4219607d948591df2f15e0cb5bd20a3e133a9ca84aa10d8622b7a3b8

SHA512
8526cbf25e98e0cb411c4572ee37403fba4a1c4ccff31c5b33be47c6dc4e599a6e350beb414d6f31b2f77b96422ae7b0a0a0668a10edece991f904f10b1e671c

Download Submit
C:\Windows\SysWOW64\Uac.reg

Filesize
245B

MD5
3259410b95978a44d4a95a1d1815cc6d

SHA1
26d3928a81f9d754c7991673c6b856652ce38f98

SHA256
182d0025f616b82d52f824e52ec21f6f75cb3cba3e31b0f27c1f8d1a6d5aa7b5

SHA512
44b7fdec8e4346901cc73927536b9841489b16e1faf4a25e17bb620195b4d0f841c7a5746b4f7a37fc91b7b9606abcb61b662b5732935472064b5eab31ce300b

Download Submit
memory/2796-95-0x0000000002CD0000-0x0000000002CFD000-memory.dmp

Filesize
180KB

Download
memory/4824-5-0x0000000010000000-0x0000000010046000-memory.dmp

Filesize
280KB

Download