gh0strat | 696ca83e5c5eb35a2485c607b01add0cc050b8920b48aadb9163450547fe1bc5

Analysis

max time kernel
149s
max time network
157s
platform
windows10-1703_x64
resource
win10-20231025-en
resource tags

arch:x64arch:x86image:win10-20231025-enlocale:en-usos:windows10-1703-x64system
submitted
31-10-2023 15:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sdffgevy.exe
Size

488KB
MD5

13377617ad84d99f894db1495e699192
SHA1

b1e03eb8aefa1aff7ccc713cded0026829cc3a2c
SHA256

696ca83e5c5eb35a2485c607b01add0cc050b8920b48aadb9163450547fe1bc5
SHA512

fc32d77d21da3d9045de3375d2469bd98968cc24946248e995ae6d1eb82c724b02ee3b34141ee3b53782e6a440542b1b95de35f3a1672da22fd475694348bfaf
SSDEEP

6144:gMrKvJ4ixnC0+HUcm2l97nDpJ5qpoDiZeA9SckRCA/TKJp6Fs/Yopa4TiRkdZp7P:z5ixnC07cN7nDv5qDU8A/k6FKY89lNx

Score

10^/10

gh0strat purplefox rat rootkit trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 7 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral2/memory/3212-115-0x00000000035B0000-0x0000000003758000-memory.dmp	purplefox_rootkit
behavioral2/memory/3212-116-0x0000000003470000-0x00000000035AB000-memory.dmp	purplefox_rootkit
behavioral2/memory/3212-117-0x00000000035B0000-0x0000000003758000-memory.dmp	purplefox_rootkit
behavioral2/memory/3212-127-0x00000000035B0000-0x0000000003758000-memory.dmp	purplefox_rootkit
behavioral2/memory/3212-139-0x00000000035B0000-0x0000000003758000-memory.dmp	purplefox_rootkit
behavioral2/memory/3212-142-0x00000000035B0000-0x0000000003758000-memory.dmp	purplefox_rootkit
behavioral2/memory/3212-146-0x00000000035B0000-0x0000000003758000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3212-115-0x00000000035B0000-0x0000000003758000-memory.dmp	family_gh0strat
behavioral2/memory/3212-116-0x0000000003470000-0x00000000035AB000-memory.dmp	family_gh0strat
behavioral2/memory/3212-117-0x00000000035B0000-0x0000000003758000-memory.dmp	family_gh0strat
behavioral2/memory/3212-127-0x00000000035B0000-0x0000000003758000-memory.dmp	family_gh0strat
behavioral2/memory/3212-139-0x00000000035B0000-0x0000000003758000-memory.dmp	family_gh0strat
behavioral2/memory/3212-142-0x00000000035B0000-0x0000000003758000-memory.dmp	family_gh0strat
behavioral2/memory/3212-146-0x00000000035B0000-0x0000000003758000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Drops startup file 2 IoCs

Processes:

gWQJ.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\Embarcaderophi.lnk	gWQJ.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\Embarcaderophi.lnk	gWQJ.exe

Executes dropped EXE 2 IoCs

Processes:

gWQJ.exeOK4K4Ky.exe

pid process

2652 gWQJ.exe
3212 OK4K4Ky.exe
Loads dropped DLL 1 IoCs

Processes:

OK4K4Ky.exe

pid process

3212 OK4K4Ky.exe

pid	process
2652	gWQJ.exe
3212	OK4K4Ky.exe

pid	process
3212	OK4K4Ky.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

OK4K4Ky.exe

description	ioc	process
File opened (read-only)	\??\S:	OK4K4Ky.exe
File opened (read-only)	\??\K:	OK4K4Ky.exe
File opened (read-only)	\??\P:	OK4K4Ky.exe
File opened (read-only)	\??\Q:	OK4K4Ky.exe
File opened (read-only)	\??\T:	OK4K4Ky.exe
File opened (read-only)	\??\U:	OK4K4Ky.exe
File opened (read-only)	\??\W:	OK4K4Ky.exe
File opened (read-only)	\??\B:	OK4K4Ky.exe
File opened (read-only)	\??\G:	OK4K4Ky.exe
File opened (read-only)	\??\I:	OK4K4Ky.exe
File opened (read-only)	\??\N:	OK4K4Ky.exe
File opened (read-only)	\??\O:	OK4K4Ky.exe
File opened (read-only)	\??\X:	OK4K4Ky.exe
File opened (read-only)	\??\Y:	OK4K4Ky.exe
File opened (read-only)	\??\E:	OK4K4Ky.exe
File opened (read-only)	\??\H:	OK4K4Ky.exe
File opened (read-only)	\??\M:	OK4K4Ky.exe
File opened (read-only)	\??\R:	OK4K4Ky.exe
File opened (read-only)	\??\V:	OK4K4Ky.exe
File opened (read-only)	\??\Z:	OK4K4Ky.exe
File opened (read-only)	\??\J:	OK4K4Ky.exe
File opened (read-only)	\??\L:	OK4K4Ky.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

OK4K4Ky.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	OK4K4Ky.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OK4K4Ky.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies registry class 32 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 7800310000000000595776621100557365727300640009000400efbe724a0b5d595776622e000000320500000000010000000000000000003a0000000000523b110155007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Music"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 7c003100000000005f573c7911005075626c69630000660009000400efbe724a6fa85f573c792e000000630500000000010000000000000000003c00000000009a111c015000750062006c0069006300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003600000016000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 78003100000000005f573d7911004d7573696300640009000400efbe724a6fa85f573d792e000000680500000000010000000000000000003a0000000000f6638f004d007500730069006300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380030003300000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 54003100000000005f573d791000534c43766c6600003e0009000400efbe5f573d795f573d792e000000c6ab0100000008000000000000000000000000000000f6638f0053004c00430076006c006600000016000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

explorer.exe

pid process

1648 explorer.exe

pid	process
1648	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sdffgevy.exeOK4K4Ky.exe

pid	process
2488	sdffgevy.exe
2488	sdffgevy.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe
3212	OK4K4Ky.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

OK4K4Ky.exe

description pid process

Token: 33 3212 OK4K4Ky.exe
Token: SeIncBasePriorityPrivilege 3212 OK4K4Ky.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

sdffgevy.exe

pid process

2488 sdffgevy.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

explorer.exeOK4K4Ky.exe

pid process

1648 explorer.exe
1648 explorer.exe
3212 OK4K4Ky.exe

description	pid	process
Token: 33	3212	OK4K4Ky.exe
Token: SeIncBasePriorityPrivilege	3212	OK4K4Ky.exe

pid	process
1648	explorer.exe
1648	explorer.exe
3212	OK4K4Ky.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

sdffgevy.exeexplorer.exe

description	pid	process	target process
PID 2488 wrote to memory of 3152	2488	sdffgevy.exe	explorer.exe
PID 2488 wrote to memory of 3152	2488	sdffgevy.exe	explorer.exe
PID 1648 wrote to memory of 2652	1648	explorer.exe	gWQJ.exe
PID 1648 wrote to memory of 2652	1648	explorer.exe	gWQJ.exe
PID 1648 wrote to memory of 2652	1648	explorer.exe	gWQJ.exe
PID 1648 wrote to memory of 3212	1648	explorer.exe	OK4K4Ky.exe
PID 1648 wrote to memory of 3212	1648	explorer.exe	OK4K4Ky.exe
PID 1648 wrote to memory of 3212	1648	explorer.exe	OK4K4Ky.exe

C:\Users\Admin\AppData\Local\Temp\sdffgevy.exe
"C:\Users\Admin\AppData\Local\Temp\sdffgevy.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2488

C:\Windows\explorer.exe
C:\Windows\explorer.exe C:\Users\Public\Music\SLCvlf
2⤵
PID:3152

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1648

C:\Users\Admin\AppData\Roaming\5O5O4\gWQJ.exe
"C:\Users\Admin\AppData\Roaming\5O5O4\gWQJ.exe" -n C:\Users\Admin\AppData\Roaming\5O5O4\SS8.zip -d C:\Users\Admin\AppData\Roaming
2⤵
- Drops startup file
- Executes dropped EXE
PID:2652

C:\ProgramData\_J_I2I\OK4K4Ky.exe
"C:\ProgramData\_J_I2I\OK4K4Ky.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3212

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SHELL.TXT

Filesize
1.2MB

MD5
a70e878d33aedb2062dd6dd99e340ff3

SHA1
a46b786c73f1751c998f00a4c41c0ea75f5e88e5

SHA256
a822a24f5987587a129a46e15dd905b2d09e605116689197e9222ea811a4e962

SHA512
78e196bd3dcbbcc43eedfb3c2cc2532537090c8b755eeeeafeb2a555f8035c14feedcddcfe991ad4c01f99889ca3dcd7e43652a1bf9a36e93400bedd363e6530

Download Submit
C:\ProgramData\SHELL.ini

Filesize
92B

MD5
1213b2902b1c8b54868828c5a532811c

SHA1
ffe38a207b31fac5797c86e43ca3ed5667e96d0e

SHA256
67c9bbef4f0e63c67f09b7519f3178a820a0fcfdda5b84998dd8078c3fbd9d08

SHA512
3ffa49c5f45c0f2baedc5cd9c326b289b6dd608aea036235040e2f35479d62dfab6a7ecc7d66e1deac67834babee4b7272e7b7e7a0a9a4dff35fb76804c9f193

Download Submit
C:\ProgramData\SHELL.ini

Filesize
102B

MD5
2e3c18cf89e3995c1caad22622a8633a

SHA1
1f5b89c2368f2e3974fe951fa087a3a2cd36146d

SHA256
0f371f46af350a287c34e785aec5b3d0a52d97e0aeabf548e612b6c3f51f5e79

SHA512
e349cd0e0908c7f6ca61402aebe674a34342add6dfd4a7ca03d708746d0d2039bb08aec03f3029a2180cf03ab8cdacfc3ea9bbe42dcfa6f0a70ae12a92b0575c

Download Submit
C:\ProgramData\_J_I2I\OK4K4Ky.exe

Filesize
2.2MB

MD5
afd1c09b13ac9d85781c6e4fe07457c7

SHA1
bb559602478c9b2e96da8eaa77f0536577aca1df

SHA256
9a50ab40120b76695c78d45c64a97f7179033a2a05f5a2e97db36c2a81021806

SHA512
1f48829faef6f22836e8946fb610c73b4134f0efa6c5ce0ece6c19606506c6d7fc4db4852b06b38183b1ad58c7775ffba5f0c69f93ce57532d29bff1d88226c4

Download Submit
C:\ProgramData\_J_I2I\OK4K4Ky.exe

Filesize
2.2MB

MD5
afd1c09b13ac9d85781c6e4fe07457c7

SHA1
bb559602478c9b2e96da8eaa77f0536577aca1df

SHA256
9a50ab40120b76695c78d45c64a97f7179033a2a05f5a2e97db36c2a81021806

SHA512
1f48829faef6f22836e8946fb610c73b4134f0efa6c5ce0ece6c19606506c6d7fc4db4852b06b38183b1ad58c7775ffba5f0c69f93ce57532d29bff1d88226c4

Download Submit
C:\ProgramData\_J_I2I\OK4K4Ky.exe

Filesize
2.2MB

MD5
afd1c09b13ac9d85781c6e4fe07457c7

SHA1
bb559602478c9b2e96da8eaa77f0536577aca1df

SHA256
9a50ab40120b76695c78d45c64a97f7179033a2a05f5a2e97db36c2a81021806

SHA512
1f48829faef6f22836e8946fb610c73b4134f0efa6c5ce0ece6c19606506c6d7fc4db4852b06b38183b1ad58c7775ffba5f0c69f93ce57532d29bff1d88226c4

Download Submit
C:\ProgramData\_J_I2I\info.txt

Filesize
119KB

MD5
e47ce3af60628f795b86b3c3aff8b88f

SHA1
88051cfdd8fbd780888aba557a35cba97635694e

SHA256
40e00f085b691bbf8adbef2adb0ec55d5c6dee808605be4e4fd8ccad65f59c4b

SHA512
7ba0870dd4817e24f13a513a3ebd1196b0994f4a54574ac44b8791c52c9cd98260c96ab8368d04889472f4cb0bf08e2affe81f9593f80af43f57762d5f4cf1db

Download Submit
C:\ProgramData\_J_I2I\qqffoBase.dll

Filesize
484KB

MD5
9f06ceef05be654f331d8771c74b25f0

SHA1
656829c09c9b3341afc371932e53271e76f09c23

SHA256
6417309e97acc09cbd18f919cd7b767584649ad2867abf613a47cf502da81507

SHA512
ca68a814ca42f8d7ffe35e78bbaa40d3d3d49cbc3c46832719d2b4d6566d8eee031f568fbdbc0d872fd5b84bea4f21ba4633baff3513b919789790b3516af5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
714f6f7e298e50f2cfc90b1ff9d5ef40

SHA1
13524bb65b2c9dcccaa7bbefd9e93f0dd5cc06b3

SHA256
1c0b085fe2c9a475a8acdb5b042863cac309afbcc60ab0fb2385372fffe0120b

SHA512
084742703d73cf7ddc8cb4fa3cbf6bee52aebc042c86a727806a0aac958d37e6999be21bd9347246711ea848966a8c2eec5672ebcbca6b6aa53f88593bbcff4a

Download Submit
C:\Users\Admin\AppData\Roaming\5O5O4\Embarcaderophi.lnk

Filesize
797B

MD5
1386620c327d529bee02880fdff989f9

SHA1
84b18c70729a7e3ab05761700fc1ccaaf9822cb9

SHA256
3149095cedff315191a3aa25dba589e4edb1cc7c9fdb891181d353caddf32290

SHA512
6ba4cd686e136e63a2107af119be128eb6f4be33c5c2571e2ee4ed099826b102ba57a99fbfe443895820fba137dfa8e7aba315151a186326acf3bbd293066e86

Download Submit
C:\Users\Admin\AppData\Roaming\5O5O4\SS8.zip

Filesize
1KB

MD5
3fb083901b2bb66d5791016e4e354b21

SHA1
cf2621f58ca18ade05a56653d6df7329b7683c7a

SHA256
4efb9a47f9649e0f9c7680cfacef541b5c813cc92053fb974c5e6ede97fe5646

SHA512
25329aa4955d849b08e5f90bb9a7cd5eef4ae1e86575db3b3722029473c63ffbe88eb99e7f5676d298c6718d9b2dd2049b14cf2e05098506b49b13d15d1ebce2

Download Submit
C:\Users\Admin\AppData\Roaming\5O5O4\gWQJ.exe

Filesize
152KB

MD5
6ffd7c733dde81f2b6b8782e690b044d

SHA1
19163bb2a519b23757061333da30c734cee7e32e

SHA256
cafde9e7d48e330f8edb552e2c026d11a318b8c9ee49bbd1a3dc9af1436e2fbc

SHA512
d9a42c9b1953a607f5c65e93bcd9d263ce5bf37f5bad57517848d0e6d7ea601f3378c48b143920fde8cab8626d5abfd97c2500f21bb981441aa0ab555dd1fda3

Download Submit
C:\Users\Admin\AppData\Roaming\5O5O4\gWQJ.exe

Filesize
152KB

MD5
6ffd7c733dde81f2b6b8782e690b044d

SHA1
19163bb2a519b23757061333da30c734cee7e32e

SHA256
cafde9e7d48e330f8edb552e2c026d11a318b8c9ee49bbd1a3dc9af1436e2fbc

SHA512
d9a42c9b1953a607f5c65e93bcd9d263ce5bf37f5bad57517848d0e6d7ea601f3378c48b143920fde8cab8626d5abfd97c2500f21bb981441aa0ab555dd1fda3

Download Submit
C:\Users\Admin\AppData\Roaming\5O5O4\gWQJ.exe

Filesize
152KB

MD5
6ffd7c733dde81f2b6b8782e690b044d

SHA1
19163bb2a519b23757061333da30c734cee7e32e

SHA256
cafde9e7d48e330f8edb552e2c026d11a318b8c9ee49bbd1a3dc9af1436e2fbc

SHA512
d9a42c9b1953a607f5c65e93bcd9d263ce5bf37f5bad57517848d0e6d7ea601f3378c48b143920fde8cab8626d5abfd97c2500f21bb981441aa0ab555dd1fda3

Download Submit
C:\Users\Public\IYI1I1

Filesize
2.8MB

MD5
a4545f9052e0f25d388fd08d1f8dc918

SHA1
14427a5dee047507d72cd4654ccc60db88fc4aae

SHA256
37e849c75b1904a47549335a3b72d458c9e28617f18502bdd4860365442f5f86

SHA512
102f3ff5784c9b0e65ba708962da79e04a77007d16e00fc67d3496b56c83fca83af65a70cba8bba84e4953659b133e51d484f9b0255205cdb080070c665599a8

Download Submit
C:\Users\Public\Music\SLCvlf\2JCsmf.lnk

Filesize
1006B

MD5
d3c4290376b93c016999dac0a330e937

SHA1
0c27060d12ee4918b9d69bc8fa04c91d5ff17797

SHA256
7136ea8e803c71e1f7de4cb0fec9db78d92a26b601b198dc4093817ec03a8879

SHA512
42843c92a166a0f3cf1fff5ea9ed260f47f3b63979e001c87df92d2a30fc5308787060cc4dc4d21fb7291c3009bdbab5f6c2b25d26b0727df7a51c321f2a2944

Download Submit
C:\Users\Public\Music\SLCvlf\Brle4Y.url

Filesize
67B

MD5
d2281912693b613e1f1ede12a7982c51

SHA1
cceeb5b53c09a9fa7cc55c43c3af55fc4e04002c

SHA256
dd401c31ba374f3a41bbae969e7fb3670236f5d7607a5e8baa0210fc3334bc21

SHA512
1b37693d5d4b86d943abf9831fc9d933e1ca8d67f626961e018185fe10283549cc3183fa611396761c97a7882f9809e250ce1448f2788476baa2549d2314ac07

Download Submit
C:\Users\Public\Music\SLCvlf\Mwmg6_.lnk

Filesize
1006B

MD5
d3c4290376b93c016999dac0a330e937

SHA1
0c27060d12ee4918b9d69bc8fa04c91d5ff17797

SHA256
7136ea8e803c71e1f7de4cb0fec9db78d92a26b601b198dc4093817ec03a8879

SHA512
42843c92a166a0f3cf1fff5ea9ed260f47f3b63979e001c87df92d2a30fc5308787060cc4dc4d21fb7291c3009bdbab5f6c2b25d26b0727df7a51c321f2a2944

Download Submit
C:\Users\Public\Music\SLCvlf\OHBr71.url

Filesize
67B

MD5
d2281912693b613e1f1ede12a7982c51

SHA1
cceeb5b53c09a9fa7cc55c43c3af55fc4e04002c

SHA256
dd401c31ba374f3a41bbae969e7fb3670236f5d7607a5e8baa0210fc3334bc21

SHA512
1b37693d5d4b86d943abf9831fc9d933e1ca8d67f626961e018185fe10283549cc3183fa611396761c97a7882f9809e250ce1448f2788476baa2549d2314ac07

Download Submit
C:\Users\Public\Music\SLCvlf\Pvc5VP.lnk

Filesize
1006B

MD5
d3c4290376b93c016999dac0a330e937

SHA1
0c27060d12ee4918b9d69bc8fa04c91d5ff17797

SHA256
7136ea8e803c71e1f7de4cb0fec9db78d92a26b601b198dc4093817ec03a8879

SHA512
42843c92a166a0f3cf1fff5ea9ed260f47f3b63979e001c87df92d2a30fc5308787060cc4dc4d21fb7291c3009bdbab5f6c2b25d26b0727df7a51c321f2a2944

Download Submit
C:\Users\Public\Music\SLCvlf\UKEunh.url

Filesize
67B

MD5
d2281912693b613e1f1ede12a7982c51

SHA1
cceeb5b53c09a9fa7cc55c43c3af55fc4e04002c

SHA256
dd401c31ba374f3a41bbae969e7fb3670236f5d7607a5e8baa0210fc3334bc21

SHA512
1b37693d5d4b86d943abf9831fc9d933e1ca8d67f626961e018185fe10283549cc3183fa611396761c97a7882f9809e250ce1448f2788476baa2549d2314ac07

Download Submit
C:\Users\Public\Music\SLCvlf\WQJqga.lnk

Filesize
1006B

MD5
d3c4290376b93c016999dac0a330e937

SHA1
0c27060d12ee4918b9d69bc8fa04c91d5ff17797

SHA256
7136ea8e803c71e1f7de4cb0fec9db78d92a26b601b198dc4093817ec03a8879

SHA512
42843c92a166a0f3cf1fff5ea9ed260f47f3b63979e001c87df92d2a30fc5308787060cc4dc4d21fb7291c3009bdbab5f6c2b25d26b0727df7a51c321f2a2944

Download Submit
C:\Users\Public\Music\SLCvlf\WQJqga.lnk

Filesize
1006B

MD5
d3c4290376b93c016999dac0a330e937

SHA1
0c27060d12ee4918b9d69bc8fa04c91d5ff17797

SHA256
7136ea8e803c71e1f7de4cb0fec9db78d92a26b601b198dc4093817ec03a8879

SHA512
42843c92a166a0f3cf1fff5ea9ed260f47f3b63979e001c87df92d2a30fc5308787060cc4dc4d21fb7291c3009bdbab5f6c2b25d26b0727df7a51c321f2a2944

Download Submit
C:\Users\Public\Music\SLCvlf\XNHAqk.url

Filesize
67B

MD5
d2281912693b613e1f1ede12a7982c51

SHA1
cceeb5b53c09a9fa7cc55c43c3af55fc4e04002c

SHA256
dd401c31ba374f3a41bbae969e7fb3670236f5d7607a5e8baa0210fc3334bc21

SHA512
1b37693d5d4b86d943abf9831fc9d933e1ca8d67f626961e018185fe10283549cc3183fa611396761c97a7882f9809e250ce1448f2788476baa2549d2314ac07

Download Submit
C:\Users\Public\Music\SLCvlf\d6WQGA.lnk

Filesize
1006B

MD5
d3c4290376b93c016999dac0a330e937

SHA1
0c27060d12ee4918b9d69bc8fa04c91d5ff17797

SHA256
7136ea8e803c71e1f7de4cb0fec9db78d92a26b601b198dc4093817ec03a8879

SHA512
42843c92a166a0f3cf1fff5ea9ed260f47f3b63979e001c87df92d2a30fc5308787060cc4dc4d21fb7291c3009bdbab5f6c2b25d26b0727df7a51c321f2a2944

Download Submit
C:\Users\Public\Music\SLCvlf\oi82SL.url

Filesize
67B

MD5
d2281912693b613e1f1ede12a7982c51

SHA1
cceeb5b53c09a9fa7cc55c43c3af55fc4e04002c

SHA256
dd401c31ba374f3a41bbae969e7fb3670236f5d7607a5e8baa0210fc3334bc21

SHA512
1b37693d5d4b86d943abf9831fc9d933e1ca8d67f626961e018185fe10283549cc3183fa611396761c97a7882f9809e250ce1448f2788476baa2549d2314ac07

Download Submit
C:\Users\Public\Music\SLCvlf\rlb5YO.url

Filesize
67B

MD5
d2281912693b613e1f1ede12a7982c51

SHA1
cceeb5b53c09a9fa7cc55c43c3af55fc4e04002c

SHA256
dd401c31ba374f3a41bbae969e7fb3670236f5d7607a5e8baa0210fc3334bc21

SHA512
1b37693d5d4b86d943abf9831fc9d933e1ca8d67f626961e018185fe10283549cc3183fa611396761c97a7882f9809e250ce1448f2788476baa2549d2314ac07

Download Submit
C:\Users\Public\Music\SLCvlf\uoh81V.url

Filesize
67B

MD5
d2281912693b613e1f1ede12a7982c51

SHA1
cceeb5b53c09a9fa7cc55c43c3af55fc4e04002c

SHA256
dd401c31ba374f3a41bbae969e7fb3670236f5d7607a5e8baa0210fc3334bc21

SHA512
1b37693d5d4b86d943abf9831fc9d933e1ca8d67f626961e018185fe10283549cc3183fa611396761c97a7882f9809e250ce1448f2788476baa2549d2314ac07

Download Submit
C:\Users\Public\Music\SLCvlf\uoh81V.url

Filesize
67B

MD5
d2281912693b613e1f1ede12a7982c51

SHA1
cceeb5b53c09a9fa7cc55c43c3af55fc4e04002c

SHA256
dd401c31ba374f3a41bbae969e7fb3670236f5d7607a5e8baa0210fc3334bc21

SHA512
1b37693d5d4b86d943abf9831fc9d933e1ca8d67f626961e018185fe10283549cc3183fa611396761c97a7882f9809e250ce1448f2788476baa2549d2314ac07

Download Submit
C:\Users\Public\Music\SLCvlf\xqka3U.lnk

Filesize
1006B

MD5
d3c4290376b93c016999dac0a330e937

SHA1
0c27060d12ee4918b9d69bc8fa04c91d5ff17797

SHA256
7136ea8e803c71e1f7de4cb0fec9db78d92a26b601b198dc4093817ec03a8879

SHA512
42843c92a166a0f3cf1fff5ea9ed260f47f3b63979e001c87df92d2a30fc5308787060cc4dc4d21fb7291c3009bdbab5f6c2b25d26b0727df7a51c321f2a2944

Download Submit
C:\Users\Public\Music\SLCvlf\yi82VL.lnk

Filesize
1006B

MD5
ca1b405336a2a3928f81a72d2222e4b5

SHA1
87b51ae4700f025f9c7dfddb5dc360a6353021a7

SHA256
3199cae7855312b97b22e315f56d712d2aec5a5b22f475122bd4488736be5b84

SHA512
3bdc71014645c32c8d08720b743bfc760fd372027ae691d981b9a09977a2ccc4d3df739fcf97af45cf179ed2f5eec67e30ee15b0ff5ccce305c4821c7aabade6

Download Submit
\ProgramData\_J_I2I\qqffoBase.dll

Filesize
484KB

MD5
9f06ceef05be654f331d8771c74b25f0

SHA1
656829c09c9b3341afc371932e53271e76f09c23

SHA256
6417309e97acc09cbd18f919cd7b767584649ad2867abf613a47cf502da81507

SHA512
ca68a814ca42f8d7ffe35e78bbaa40d3d3d49cbc3c46832719d2b4d6566d8eee031f568fbdbc0d872fd5b84bea4f21ba4633baff3513b919789790b3516af5b3

Download Submit
memory/2488-1-0x0000000010000000-0x00000000100C1000-memory.dmp

Filesize
772KB

Download
memory/2488-10-0x00000000032B0000-0x00000000032F6000-memory.dmp

Filesize
280KB

Download
memory/3212-116-0x0000000003470000-0x00000000035AB000-memory.dmp

Filesize
1.2MB

Download
memory/3212-104-0x0000000000400000-0x0000000000CD0000-memory.dmp

Filesize
8.8MB

Download
memory/3212-117-0x00000000035B0000-0x0000000003758000-memory.dmp

Filesize
1.7MB

Download
memory/3212-115-0x00000000035B0000-0x0000000003758000-memory.dmp

Filesize
1.7MB

Download
memory/3212-127-0x00000000035B0000-0x0000000003758000-memory.dmp

Filesize
1.7MB

Download
memory/3212-138-0x0000000000400000-0x0000000000CD0000-memory.dmp

Filesize
8.8MB

Download
memory/3212-139-0x00000000035B0000-0x0000000003758000-memory.dmp

Filesize
1.7MB

Download
memory/3212-142-0x00000000035B0000-0x0000000003758000-memory.dmp

Filesize
1.7MB

Download
memory/3212-146-0x00000000035B0000-0x0000000003758000-memory.dmp

Filesize
1.7MB

Download
memory/3212-105-0x0000000002AB0000-0x0000000002ABA000-memory.dmp

Filesize
40KB

Download