gh0strat | 696ca83e5c5eb35a2485c607b01add0cc050b8920b48aadb9163450547fe1bc5

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
31-10-2023 15:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sdffgevy.exe
Size

488KB
MD5

13377617ad84d99f894db1495e699192
SHA1

b1e03eb8aefa1aff7ccc713cded0026829cc3a2c
SHA256

696ca83e5c5eb35a2485c607b01add0cc050b8920b48aadb9163450547fe1bc5
SHA512

fc32d77d21da3d9045de3375d2469bd98968cc24946248e995ae6d1eb82c724b02ee3b34141ee3b53782e6a440542b1b95de35f3a1672da22fd475694348bfaf
SSDEEP

6144:gMrKvJ4ixnC0+HUcm2l97nDpJ5qpoDiZeA9SckRCA/TKJp6Fs/Yopa4TiRkdZp7P:z5ixnC07cN7nDv5qDU8A/k6FKY89lNx

Score

10^/10

gh0strat purplefox rat rootkit trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 7 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral1/memory/1388-121-0x0000000003210000-0x000000000334B000-memory.dmp	purplefox_rootkit
behavioral1/memory/1388-124-0x0000000003350000-0x00000000034F8000-memory.dmp	purplefox_rootkit
behavioral1/memory/1388-126-0x0000000003350000-0x00000000034F8000-memory.dmp	purplefox_rootkit
behavioral1/memory/1388-134-0x0000000003350000-0x00000000034F8000-memory.dmp	purplefox_rootkit
behavioral1/memory/1388-145-0x0000000003350000-0x00000000034F8000-memory.dmp	purplefox_rootkit
behavioral1/memory/1388-148-0x0000000003350000-0x00000000034F8000-memory.dmp	purplefox_rootkit
behavioral1/memory/1388-150-0x0000000003350000-0x00000000034F8000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1388-121-0x0000000003210000-0x000000000334B000-memory.dmp	family_gh0strat
behavioral1/memory/1388-124-0x0000000003350000-0x00000000034F8000-memory.dmp	family_gh0strat
behavioral1/memory/1388-126-0x0000000003350000-0x00000000034F8000-memory.dmp	family_gh0strat
behavioral1/memory/1388-134-0x0000000003350000-0x00000000034F8000-memory.dmp	family_gh0strat
behavioral1/memory/1388-145-0x0000000003350000-0x00000000034F8000-memory.dmp	family_gh0strat
behavioral1/memory/1388-148-0x0000000003350000-0x00000000034F8000-memory.dmp	family_gh0strat
behavioral1/memory/1388-150-0x0000000003350000-0x00000000034F8000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Drops startup file 2 IoCs

Processes:

WQGz.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\Embarcaderophi.lnk	WQGz.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\Embarcaderophi.lnk	WQGz.exe

Executes dropped EXE 2 IoCs

Processes:

WQGz.exeUAUATDy.exe

pid process

1760 WQGz.exe
1388 UAUATDy.exe

pid	process
1760	WQGz.exe
1388	UAUATDy.exe

Loads dropped DLL 9 IoCs

Processes:

sdffgevy.exeUAUATDy.exe

pid	process
2616	sdffgevy.exe
2616	sdffgevy.exe
2616	sdffgevy.exe
2616	sdffgevy.exe
2616	sdffgevy.exe
2616	sdffgevy.exe
2616	sdffgevy.exe
2616	sdffgevy.exe
1388	UAUATDy.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

UAUATDy.exe

description	ioc	process
File opened (read-only)	\??\P:	UAUATDy.exe
File opened (read-only)	\??\M:	UAUATDy.exe
File opened (read-only)	\??\O:	UAUATDy.exe
File opened (read-only)	\??\Q:	UAUATDy.exe
File opened (read-only)	\??\B:	UAUATDy.exe
File opened (read-only)	\??\H:	UAUATDy.exe
File opened (read-only)	\??\K:	UAUATDy.exe
File opened (read-only)	\??\L:	UAUATDy.exe
File opened (read-only)	\??\R:	UAUATDy.exe
File opened (read-only)	\??\S:	UAUATDy.exe
File opened (read-only)	\??\U:	UAUATDy.exe
File opened (read-only)	\??\X:	UAUATDy.exe
File opened (read-only)	\??\E:	UAUATDy.exe
File opened (read-only)	\??\G:	UAUATDy.exe
File opened (read-only)	\??\I:	UAUATDy.exe
File opened (read-only)	\??\V:	UAUATDy.exe
File opened (read-only)	\??\W:	UAUATDy.exe
File opened (read-only)	\??\Y:	UAUATDy.exe
File opened (read-only)	\??\Z:	UAUATDy.exe
File opened (read-only)	\??\J:	UAUATDy.exe
File opened (read-only)	\??\N:	UAUATDy.exe
File opened (read-only)	\??\T:	UAUATDy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

UAUATDy.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	UAUATDy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	UAUATDy.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 30 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 74003100000000005757348c1100557365727300600008000400efbeee3a851a5757348c2a000000e601000000000100000000000000000036000000000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 78003100000000005f57347911005075626c69630000620008000400efbeee3a851a5f5734792a0000007c0200000000010000000000000000003800000000005000750062006c0069006300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003600000016000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 74003100000000005f57357911004d7573696300600008000400efbeee3a851a5f5735792a000000820200000000010000000000000000003600000000004d007500730069006300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380030003300000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 50003100000000005f573579100043736c63355f00003a0008000400efbe5f5735795f5735792a0000001b6c0100000008000000000000000000000000000000430073006c00630035005f00000016000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Music"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

sdffgevy.exeUAUATDy.exe

pid	process
2616	sdffgevy.exe
1388	UAUATDy.exe
1388	UAUATDy.exe
1388	UAUATDy.exe
1388	UAUATDy.exe
1388	UAUATDy.exe
1388	UAUATDy.exe
1388	UAUATDy.exe
1388	UAUATDy.exe
1388	UAUATDy.exe
1388	UAUATDy.exe
1388	UAUATDy.exe
1388	UAUATDy.exe
1388	UAUATDy.exe
1388	UAUATDy.exe
1388	UAUATDy.exe
1388	UAUATDy.exe
1388	UAUATDy.exe
1388	UAUATDy.exe
1388	UAUATDy.exe
1388	UAUATDy.exe
1388	UAUATDy.exe
1388	UAUATDy.exe
1388	UAUATDy.exe
1388	UAUATDy.exe
1388	UAUATDy.exe
1388	UAUATDy.exe
1388	UAUATDy.exe
1388	UAUATDy.exe
1388	UAUATDy.exe
1388	UAUATDy.exe
1388	UAUATDy.exe
1388	UAUATDy.exe
1388	UAUATDy.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

UAUATDy.exe

description pid process

Token: 33 1388 UAUATDy.exe
Token: SeIncBasePriorityPrivilege 1388 UAUATDy.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

sdffgevy.exe

pid process

2616 sdffgevy.exe

description	pid	process
Token: 33	1388	UAUATDy.exe
Token: SeIncBasePriorityPrivilege	1388	UAUATDy.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

sdffgevy.exeexplorer.exe

description	pid	process	target process
PID 2616 wrote to memory of 2548	2616	sdffgevy.exe	explorer.exe
PID 2616 wrote to memory of 2548	2616	sdffgevy.exe	explorer.exe
PID 2616 wrote to memory of 2548	2616	sdffgevy.exe	explorer.exe
PID 2616 wrote to memory of 2548	2616	sdffgevy.exe	explorer.exe
PID 2612 wrote to memory of 1760	2612	explorer.exe	WQGz.exe
PID 2612 wrote to memory of 1760	2612	explorer.exe	WQGz.exe
PID 2612 wrote to memory of 1760	2612	explorer.exe	WQGz.exe
PID 2612 wrote to memory of 1760	2612	explorer.exe	WQGz.exe
PID 2612 wrote to memory of 1388	2612	explorer.exe	UAUATDy.exe
PID 2612 wrote to memory of 1388	2612	explorer.exe	UAUATDy.exe
PID 2612 wrote to memory of 1388	2612	explorer.exe	UAUATDy.exe
PID 2612 wrote to memory of 1388	2612	explorer.exe	UAUATDy.exe
PID 2612 wrote to memory of 1388	2612	explorer.exe	UAUATDy.exe
PID 2612 wrote to memory of 1388	2612	explorer.exe	UAUATDy.exe
PID 2612 wrote to memory of 1388	2612	explorer.exe	UAUATDy.exe

C:\Users\Admin\AppData\Local\Temp\sdffgevy.exe
"C:\Users\Admin\AppData\Local\Temp\sdffgevy.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\explorer.exe
C:\Windows\explorer.exe C:\Users\Public\Music\Cslc5_
2⤵
PID:2548

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2612

C:\Users\Admin\AppData\Roaming\BUBUA\WQGz.exe
"C:\Users\Admin\AppData\Roaming\BUBUA\WQGz.exe" -n C:\Users\Admin\AppData\Roaming\BUBUA\6P9.zip -d C:\Users\Admin\AppData\Roaming
2⤵
- Drops startup file
- Executes dropped EXE
PID:1760

C:\ProgramData\XH0H0H\UAUATDy.exe
"C:\ProgramData\XH0H0H\UAUATDy.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SHELL.TXT

Filesize
1.2MB

MD5
a70e878d33aedb2062dd6dd99e340ff3

SHA1
a46b786c73f1751c998f00a4c41c0ea75f5e88e5

SHA256
a822a24f5987587a129a46e15dd905b2d09e605116689197e9222ea811a4e962

SHA512
78e196bd3dcbbcc43eedfb3c2cc2532537090c8b755eeeeafeb2a555f8035c14feedcddcfe991ad4c01f99889ca3dcd7e43652a1bf9a36e93400bedd363e6530

Download Submit
C:\ProgramData\SHELL.ini

Filesize
92B

MD5
1213b2902b1c8b54868828c5a532811c

SHA1
ffe38a207b31fac5797c86e43ca3ed5667e96d0e

SHA256
67c9bbef4f0e63c67f09b7519f3178a820a0fcfdda5b84998dd8078c3fbd9d08

SHA512
3ffa49c5f45c0f2baedc5cd9c326b289b6dd608aea036235040e2f35479d62dfab6a7ecc7d66e1deac67834babee4b7272e7b7e7a0a9a4dff35fb76804c9f193

Download Submit
C:\ProgramData\SHELL.ini

Filesize
102B

MD5
2e3c18cf89e3995c1caad22622a8633a

SHA1
1f5b89c2368f2e3974fe951fa087a3a2cd36146d

SHA256
0f371f46af350a287c34e785aec5b3d0a52d97e0aeabf548e612b6c3f51f5e79

SHA512
e349cd0e0908c7f6ca61402aebe674a34342add6dfd4a7ca03d708746d0d2039bb08aec03f3029a2180cf03ab8cdacfc3ea9bbe42dcfa6f0a70ae12a92b0575c

Download Submit
C:\ProgramData\XH0H0H\UAUATDy.exe

Filesize
2.2MB

MD5
afd1c09b13ac9d85781c6e4fe07457c7

SHA1
bb559602478c9b2e96da8eaa77f0536577aca1df

SHA256
9a50ab40120b76695c78d45c64a97f7179033a2a05f5a2e97db36c2a81021806

SHA512
1f48829faef6f22836e8946fb610c73b4134f0efa6c5ce0ece6c19606506c6d7fc4db4852b06b38183b1ad58c7775ffba5f0c69f93ce57532d29bff1d88226c4

Download Submit
C:\ProgramData\XH0H0H\UAUATDy.exe

Filesize
2.2MB

MD5
afd1c09b13ac9d85781c6e4fe07457c7

SHA1
bb559602478c9b2e96da8eaa77f0536577aca1df

SHA256
9a50ab40120b76695c78d45c64a97f7179033a2a05f5a2e97db36c2a81021806

SHA512
1f48829faef6f22836e8946fb610c73b4134f0efa6c5ce0ece6c19606506c6d7fc4db4852b06b38183b1ad58c7775ffba5f0c69f93ce57532d29bff1d88226c4

Download Submit
C:\ProgramData\XH0H0H\UAUATDy.exe

Filesize
2.2MB

MD5
afd1c09b13ac9d85781c6e4fe07457c7

SHA1
bb559602478c9b2e96da8eaa77f0536577aca1df

SHA256
9a50ab40120b76695c78d45c64a97f7179033a2a05f5a2e97db36c2a81021806

SHA512
1f48829faef6f22836e8946fb610c73b4134f0efa6c5ce0ece6c19606506c6d7fc4db4852b06b38183b1ad58c7775ffba5f0c69f93ce57532d29bff1d88226c4

Download Submit
C:\ProgramData\XH0H0H\info.txt

Filesize
119KB

MD5
e47ce3af60628f795b86b3c3aff8b88f

SHA1
88051cfdd8fbd780888aba557a35cba97635694e

SHA256
40e00f085b691bbf8adbef2adb0ec55d5c6dee808605be4e4fd8ccad65f59c4b

SHA512
7ba0870dd4817e24f13a513a3ebd1196b0994f4a54574ac44b8791c52c9cd98260c96ab8368d04889472f4cb0bf08e2affe81f9593f80af43f57762d5f4cf1db

Download Submit
C:\ProgramData\XH0H0H\qqffoBase.dll

Filesize
484KB

MD5
9f06ceef05be654f331d8771c74b25f0

SHA1
656829c09c9b3341afc371932e53271e76f09c23

SHA256
6417309e97acc09cbd18f919cd7b767584649ad2867abf613a47cf502da81507

SHA512
ca68a814ca42f8d7ffe35e78bbaa40d3d3d49cbc3c46832719d2b4d6566d8eee031f568fbdbc0d872fd5b84bea4f21ba4633baff3513b919789790b3516af5b3

Download Submit
C:\Users\Admin\AppData\Roaming\BUBUA\6P9.zip

Filesize
1KB

MD5
9a5c50fbc5f57373ce073a0db76865b9

SHA1
90e8bde4d52a25d529ee29ab8be2e0cf28f807f2

SHA256
ec777e8b3b02cd704f0a8d50e166a5fc637200c9a09bfce928b7600256a2d67a

SHA512
6e108e5f7824f3838f362987ca58d1497ae5be55caf6b3f63bd326b2f899d1cc5df9dd6cd31a01cc3fe28fe817d0b772e6b1cd019fd9ecaeee2c37ecb5c6f347

Download Submit
C:\Users\Admin\AppData\Roaming\BUBUA\Microsoft\Windows\Start Menu\Programs\startup\Embarcaderophi.lnk

Filesize
756B

MD5
bb32da1ecd7e9d3c3a371f0453278538

SHA1
9f4b147bf071c63c7379363a47953b8ce00e1308

SHA256
0487681cbf523164c9bfe3c8bc70a1e219809d266f625463e94f5b590abea26c

SHA512
4a1fdfe66eddb84449bd83c2890e51479963f32362ec914f3f6cbed018a14f0de9562ee9d82f0b0967a3f39056d8fce2dbb004c635a34e3af9787142f5cb8592

Download Submit
C:\Users\Admin\AppData\Roaming\BUBUA\WQGz.exe

Filesize
152KB

MD5
6ffd7c733dde81f2b6b8782e690b044d

SHA1
19163bb2a519b23757061333da30c734cee7e32e

SHA256
cafde9e7d48e330f8edb552e2c026d11a318b8c9ee49bbd1a3dc9af1436e2fbc

SHA512
d9a42c9b1953a607f5c65e93bcd9d263ce5bf37f5bad57517848d0e6d7ea601f3378c48b143920fde8cab8626d5abfd97c2500f21bb981441aa0ab555dd1fda3

Download Submit
C:\Users\Admin\AppData\Roaming\BUBUA\WQGz.exe

Filesize
152KB

MD5
6ffd7c733dde81f2b6b8782e690b044d

SHA1
19163bb2a519b23757061333da30c734cee7e32e

SHA256
cafde9e7d48e330f8edb552e2c026d11a318b8c9ee49bbd1a3dc9af1436e2fbc

SHA512
d9a42c9b1953a607f5c65e93bcd9d263ce5bf37f5bad57517848d0e6d7ea601f3378c48b143920fde8cab8626d5abfd97c2500f21bb981441aa0ab555dd1fda3

Download Submit
C:\Users\Admin\AppData\Roaming\BUBUA\WQGz.exe

Filesize
152KB

MD5
6ffd7c733dde81f2b6b8782e690b044d

SHA1
19163bb2a519b23757061333da30c734cee7e32e

SHA256
cafde9e7d48e330f8edb552e2c026d11a318b8c9ee49bbd1a3dc9af1436e2fbc

SHA512
d9a42c9b1953a607f5c65e93bcd9d263ce5bf37f5bad57517848d0e6d7ea601f3378c48b143920fde8cab8626d5abfd97c2500f21bb981441aa0ab555dd1fda3

Download Submit
C:\Users\Public\G0G0G_

Filesize
2.8MB

MD5
a4545f9052e0f25d388fd08d1f8dc918

SHA1
14427a5dee047507d72cd4654ccc60db88fc4aae

SHA256
37e849c75b1904a47549335a3b72d458c9e28617f18502bdd4860365442f5f86

SHA512
102f3ff5784c9b0e65ba708962da79e04a77007d16e00fc67d3496b56c83fca83af65a70cba8bba84e4953659b133e51d484f9b0255205cdb080070c665599a8

Download Submit
C:\Users\Public\Music\Cslc5_\1SLBvo.lnk

Filesize
923B

MD5
a7c3fde80ddbea88d1d7ff4a0139c86a

SHA1
41e7c8f9994ca508bfd0559933145c48f3ef6f35

SHA256
e368aabb22ca79eb75bc9c74cc0d0929ded2e59fcada928e9868915cde2c551c

SHA512
1e9ae3a2f1d2c473a562e88322ad6b30edc92d3ccc57d615c470b156d55956f3ea70b900a3e6e8bc6828561e7643e42de0efc9710d390ea71f14232718d5eede

Download Submit
C:\Users\Public\Music\Cslc5_\4UOExr.url

Filesize
67B

MD5
37c8c2923f34ab4a9fd3d1b98f629d4b

SHA1
f632e023d82902e50be0fcc30a42bf6d37516fa8

SHA256
30bb16dccd2eb0b132413f8970c5a867bdce00ce57aaab7d0b0aa23b09521079

SHA512
12f9b866304930f86dbf5fc0b4a00561b97b684818504e0b794020904031252aaf186c2716de45eba1a1dce526bb997d5e40a7e79c002b8ccd393cd86e958c9f

Download Submit
C:\Users\Public\Music\Cslc5_\4UOExr.url

Filesize
67B

MD5
37c8c2923f34ab4a9fd3d1b98f629d4b

SHA1
f632e023d82902e50be0fcc30a42bf6d37516fa8

SHA256
30bb16dccd2eb0b132413f8970c5a867bdce00ce57aaab7d0b0aa23b09521079

SHA512
12f9b866304930f86dbf5fc0b4a00561b97b684818504e0b794020904031252aaf186c2716de45eba1a1dce526bb997d5e40a7e79c002b8ccd393cd86e958c9f

Download Submit
C:\Users\Public\Music\Cslc5_\70RKAu.url

Filesize
67B

MD5
37c8c2923f34ab4a9fd3d1b98f629d4b

SHA1
f632e023d82902e50be0fcc30a42bf6d37516fa8

SHA256
30bb16dccd2eb0b132413f8970c5a867bdce00ce57aaab7d0b0aa23b09521079

SHA512
12f9b866304930f86dbf5fc0b4a00561b97b684818504e0b794020904031252aaf186c2716de45eba1a1dce526bb997d5e40a7e79c002b8ccd393cd86e958c9f

Download Submit
C:\Users\Public\Music\Cslc5_\Cwmf6_.lnk

Filesize
923B

MD5
a7c3fde80ddbea88d1d7ff4a0139c86a

SHA1
41e7c8f9994ca508bfd0559933145c48f3ef6f35

SHA256
e368aabb22ca79eb75bc9c74cc0d0929ded2e59fcada928e9868915cde2c551c

SHA512
1e9ae3a2f1d2c473a562e88322ad6b30edc92d3ccc57d615c470b156d55956f3ea70b900a3e6e8bc6828561e7643e42de0efc9710d390ea71f14232718d5eede

Download Submit
C:\Users\Public\Music\Cslc5_\Fzsic2.lnk

Filesize
923B

MD5
a7c3fde80ddbea88d1d7ff4a0139c86a

SHA1
41e7c8f9994ca508bfd0559933145c48f3ef6f35

SHA256
e368aabb22ca79eb75bc9c74cc0d0929ded2e59fcada928e9868915cde2c551c

SHA512
1e9ae3a2f1d2c473a562e88322ad6b30edc92d3ccc57d615c470b156d55956f3ea70b900a3e6e8bc6828561e7643e42de0efc9710d390ea71f14232718d5eede

Download Submit
C:\Users\Public\Music\Cslc5_\Fzsic2.lnk

Filesize
923B

MD5
a7c3fde80ddbea88d1d7ff4a0139c86a

SHA1
41e7c8f9994ca508bfd0559933145c48f3ef6f35

SHA256
e368aabb22ca79eb75bc9c74cc0d0929ded2e59fcada928e9868915cde2c551c

SHA512
1e9ae3a2f1d2c473a562e88322ad6b30edc92d3ccc57d615c470b156d55956f3ea70b900a3e6e8bc6828561e7643e42de0efc9710d390ea71f14232718d5eede

Download Submit
C:\Users\Public\Music\Cslc5_\GztNHx.url

Filesize
67B

MD5
37c8c2923f34ab4a9fd3d1b98f629d4b

SHA1
f632e023d82902e50be0fcc30a42bf6d37516fa8

SHA256
30bb16dccd2eb0b132413f8970c5a867bdce00ce57aaab7d0b0aa23b09521079

SHA512
12f9b866304930f86dbf5fc0b4a00561b97b684818504e0b794020904031252aaf186c2716de45eba1a1dce526bb997d5e40a7e79c002b8ccd393cd86e958c9f

Download Submit
C:\Users\Public\Music\Cslc5_\LCvpf8.lnk

Filesize
923B

MD5
a7c3fde80ddbea88d1d7ff4a0139c86a

SHA1
41e7c8f9994ca508bfd0559933145c48f3ef6f35

SHA256
e368aabb22ca79eb75bc9c74cc0d0929ded2e59fcada928e9868915cde2c551c

SHA512
1e9ae3a2f1d2c473a562e88322ad6b30edc92d3ccc57d615c470b156d55956f3ea70b900a3e6e8bc6828561e7643e42de0efc9710d390ea71f14232718d5eede

Download Submit
C:\Users\Public\Music\Cslc5_\MDwqg9.url

Filesize
67B

MD5
37c8c2923f34ab4a9fd3d1b98f629d4b

SHA1
f632e023d82902e50be0fcc30a42bf6d37516fa8

SHA256
30bb16dccd2eb0b132413f8970c5a867bdce00ce57aaab7d0b0aa23b09521079

SHA512
12f9b866304930f86dbf5fc0b4a00561b97b684818504e0b794020904031252aaf186c2716de45eba1a1dce526bb997d5e40a7e79c002b8ccd393cd86e958c9f

Download Submit
C:\Users\Public\Music\Cslc5_\PJztmc.url

Filesize
67B

MD5
37c8c2923f34ab4a9fd3d1b98f629d4b

SHA1
f632e023d82902e50be0fcc30a42bf6d37516fa8

SHA256
30bb16dccd2eb0b132413f8970c5a867bdce00ce57aaab7d0b0aa23b09521079

SHA512
12f9b866304930f86dbf5fc0b4a00561b97b684818504e0b794020904031252aaf186c2716de45eba1a1dce526bb997d5e40a7e79c002b8ccd393cd86e958c9f

Download Submit
C:\Users\Public\Music\Cslc5_\VLEyoi.url

Filesize
67B

MD5
37c8c2923f34ab4a9fd3d1b98f629d4b

SHA1
f632e023d82902e50be0fcc30a42bf6d37516fa8

SHA256
30bb16dccd2eb0b132413f8970c5a867bdce00ce57aaab7d0b0aa23b09521079

SHA512
12f9b866304930f86dbf5fc0b4a00561b97b684818504e0b794020904031252aaf186c2716de45eba1a1dce526bb997d5e40a7e79c002b8ccd393cd86e958c9f

Download Submit
C:\Users\Public\Music\Cslc5_\YRHBul.url

Filesize
67B

MD5
37c8c2923f34ab4a9fd3d1b98f629d4b

SHA1
f632e023d82902e50be0fcc30a42bf6d37516fa8

SHA256
30bb16dccd2eb0b132413f8970c5a867bdce00ce57aaab7d0b0aa23b09521079

SHA512
12f9b866304930f86dbf5fc0b4a00561b97b684818504e0b794020904031252aaf186c2716de45eba1a1dce526bb997d5e40a7e79c002b8ccd393cd86e958c9f

Download Submit
C:\Users\Public\Music\Cslc5_\e81RLB.lnk

Filesize
923B

MD5
a7c3fde80ddbea88d1d7ff4a0139c86a

SHA1
41e7c8f9994ca508bfd0559933145c48f3ef6f35

SHA256
e368aabb22ca79eb75bc9c74cc0d0929ded2e59fcada928e9868915cde2c551c

SHA512
1e9ae3a2f1d2c473a562e88322ad6b30edc92d3ccc57d615c470b156d55956f3ea70b900a3e6e8bc6828561e7643e42de0efc9710d390ea71f14232718d5eede

Download Submit
C:\Users\Public\Music\Cslc5_\oh71UL.lnk

Filesize
923B

MD5
a7c3fde80ddbea88d1d7ff4a0139c86a

SHA1
41e7c8f9994ca508bfd0559933145c48f3ef6f35

SHA256
e368aabb22ca79eb75bc9c74cc0d0929ded2e59fcada928e9868915cde2c551c

SHA512
1e9ae3a2f1d2c473a562e88322ad6b30edc92d3ccc57d615c470b156d55956f3ea70b900a3e6e8bc6828561e7643e42de0efc9710d390ea71f14232718d5eede

Download Submit
C:\Users\Public\Music\Cslc5_\zpj92W.lnk

Filesize
923B

MD5
a7c3fde80ddbea88d1d7ff4a0139c86a

SHA1
41e7c8f9994ca508bfd0559933145c48f3ef6f35

SHA256
e368aabb22ca79eb75bc9c74cc0d0929ded2e59fcada928e9868915cde2c551c

SHA512
1e9ae3a2f1d2c473a562e88322ad6b30edc92d3ccc57d615c470b156d55956f3ea70b900a3e6e8bc6828561e7643e42de0efc9710d390ea71f14232718d5eede

Download Submit
\ProgramData\XH0H0H\UAUATDy.exe

Filesize
2.2MB

MD5
afd1c09b13ac9d85781c6e4fe07457c7

SHA1
bb559602478c9b2e96da8eaa77f0536577aca1df

SHA256
9a50ab40120b76695c78d45c64a97f7179033a2a05f5a2e97db36c2a81021806

SHA512
1f48829faef6f22836e8946fb610c73b4134f0efa6c5ce0ece6c19606506c6d7fc4db4852b06b38183b1ad58c7775ffba5f0c69f93ce57532d29bff1d88226c4

Download Submit
\ProgramData\XH0H0H\qqffoBase.dll

Filesize
484KB

MD5
9f06ceef05be654f331d8771c74b25f0

SHA1
656829c09c9b3341afc371932e53271e76f09c23

SHA256
6417309e97acc09cbd18f919cd7b767584649ad2867abf613a47cf502da81507

SHA512
ca68a814ca42f8d7ffe35e78bbaa40d3d3d49cbc3c46832719d2b4d6566d8eee031f568fbdbc0d872fd5b84bea4f21ba4633baff3513b919789790b3516af5b3

Download Submit
\Users\Admin\AppData\Roaming\BUBUA\WQGz.exe

Filesize
152KB

MD5
6ffd7c733dde81f2b6b8782e690b044d

SHA1
19163bb2a519b23757061333da30c734cee7e32e

SHA256
cafde9e7d48e330f8edb552e2c026d11a318b8c9ee49bbd1a3dc9af1436e2fbc

SHA512
d9a42c9b1953a607f5c65e93bcd9d263ce5bf37f5bad57517848d0e6d7ea601f3378c48b143920fde8cab8626d5abfd97c2500f21bb981441aa0ab555dd1fda3

Download Submit
\Users\Admin\AppData\Roaming\BUBUA\WQGz.exe

Filesize
152KB

MD5
6ffd7c733dde81f2b6b8782e690b044d

SHA1
19163bb2a519b23757061333da30c734cee7e32e

SHA256
cafde9e7d48e330f8edb552e2c026d11a318b8c9ee49bbd1a3dc9af1436e2fbc

SHA512
d9a42c9b1953a607f5c65e93bcd9d263ce5bf37f5bad57517848d0e6d7ea601f3378c48b143920fde8cab8626d5abfd97c2500f21bb981441aa0ab555dd1fda3

Download Submit
\Users\Admin\AppData\Roaming\BUBUA\WQGz.exe

Filesize
152KB

MD5
6ffd7c733dde81f2b6b8782e690b044d

SHA1
19163bb2a519b23757061333da30c734cee7e32e

SHA256
cafde9e7d48e330f8edb552e2c026d11a318b8c9ee49bbd1a3dc9af1436e2fbc

SHA512
d9a42c9b1953a607f5c65e93bcd9d263ce5bf37f5bad57517848d0e6d7ea601f3378c48b143920fde8cab8626d5abfd97c2500f21bb981441aa0ab555dd1fda3

Download Submit
\Users\Admin\AppData\Roaming\BUBUA\WQGz.exe

Filesize
152KB

MD5
6ffd7c733dde81f2b6b8782e690b044d

SHA1
19163bb2a519b23757061333da30c734cee7e32e

SHA256
cafde9e7d48e330f8edb552e2c026d11a318b8c9ee49bbd1a3dc9af1436e2fbc

SHA512
d9a42c9b1953a607f5c65e93bcd9d263ce5bf37f5bad57517848d0e6d7ea601f3378c48b143920fde8cab8626d5abfd97c2500f21bb981441aa0ab555dd1fda3

Download Submit
\Users\Admin\AppData\Roaming\BUBUA\WQGz.exe

Filesize
152KB

MD5
6ffd7c733dde81f2b6b8782e690b044d

SHA1
19163bb2a519b23757061333da30c734cee7e32e

SHA256
cafde9e7d48e330f8edb552e2c026d11a318b8c9ee49bbd1a3dc9af1436e2fbc

SHA512
d9a42c9b1953a607f5c65e93bcd9d263ce5bf37f5bad57517848d0e6d7ea601f3378c48b143920fde8cab8626d5abfd97c2500f21bb981441aa0ab555dd1fda3

Download Submit
\Users\Admin\AppData\Roaming\BUBUA\WQGz.exe

Filesize
152KB

MD5
6ffd7c733dde81f2b6b8782e690b044d

SHA1
19163bb2a519b23757061333da30c734cee7e32e

SHA256
cafde9e7d48e330f8edb552e2c026d11a318b8c9ee49bbd1a3dc9af1436e2fbc

SHA512
d9a42c9b1953a607f5c65e93bcd9d263ce5bf37f5bad57517848d0e6d7ea601f3378c48b143920fde8cab8626d5abfd97c2500f21bb981441aa0ab555dd1fda3

Download Submit
\Users\Admin\AppData\Roaming\BUBUA\WQGz.exe

Filesize
152KB

MD5
6ffd7c733dde81f2b6b8782e690b044d

SHA1
19163bb2a519b23757061333da30c734cee7e32e

SHA256
cafde9e7d48e330f8edb552e2c026d11a318b8c9ee49bbd1a3dc9af1436e2fbc

SHA512
d9a42c9b1953a607f5c65e93bcd9d263ce5bf37f5bad57517848d0e6d7ea601f3378c48b143920fde8cab8626d5abfd97c2500f21bb981441aa0ab555dd1fda3

Download Submit
memory/1388-134-0x0000000003350000-0x00000000034F8000-memory.dmp

Filesize
1.7MB

Download
memory/1388-145-0x0000000003350000-0x00000000034F8000-memory.dmp

Filesize
1.7MB

Download
memory/1388-150-0x0000000003350000-0x00000000034F8000-memory.dmp

Filesize
1.7MB

Download
memory/1388-148-0x0000000003350000-0x00000000034F8000-memory.dmp

Filesize
1.7MB

Download
memory/1388-111-0x0000000000360000-0x000000000036A000-memory.dmp

Filesize
40KB

Download
memory/1388-146-0x0000000000400000-0x0000000000CD0000-memory.dmp

Filesize
8.8MB

Download
memory/1388-109-0x0000000000400000-0x0000000000CD0000-memory.dmp

Filesize
8.8MB

Download
memory/1388-126-0x0000000003350000-0x00000000034F8000-memory.dmp

Filesize
1.7MB

Download
memory/1388-121-0x0000000003210000-0x000000000334B000-memory.dmp

Filesize
1.2MB

Download
memory/1388-124-0x0000000003350000-0x00000000034F8000-memory.dmp

Filesize
1.7MB

Download
memory/2612-45-0x00000000039C0000-0x00000000039D0000-memory.dmp

Filesize
64KB

Download
memory/2612-44-0x00000000039B0000-0x00000000039B1000-memory.dmp

Filesize
4KB

Download
memory/2612-104-0x00000000039B0000-0x00000000039B1000-memory.dmp

Filesize
4KB

Download
memory/2616-29-0x00000000023E0000-0x00000000023F0000-memory.dmp

Filesize
64KB

Download
memory/2616-82-0x00000000023E0000-0x00000000023F0000-memory.dmp

Filesize
64KB

Download
memory/2616-10-0x0000000003600000-0x0000000003646000-memory.dmp

Filesize
280KB

Download
memory/2616-1-0x0000000010000000-0x00000000100C1000-memory.dmp

Filesize
772KB

Download