gh0strat | 448a9d8451178d090723b249ba1b3514539b14bfb14a7b2141dd492f296d1f53

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
01-11-2023 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

y.exe
Size

516KB
MD5

672c56bcaeedb4f630cda204ed5ef32d
SHA1

df8868926293efb2e13339a020a0eefee128d9d7
SHA256

448a9d8451178d090723b249ba1b3514539b14bfb14a7b2141dd492f296d1f53
SHA512

38f69f8199a664edb278aeb63d33a50d19fa843e1331ba3870f3038cd2620cd41979c02287dfe154031c1d5ea32be70d9f775ae2e2f8c4f8e7fbef36154b21a4
SSDEEP

6144:J0aJ41z7pmJyseEgKgPObyIozhRjcerTn:J0aqz79QmI4T

Score

10^/10

gh0strat purplefox rat rootkit trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 7 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral1/memory/1996-122-0x0000000003110000-0x000000000324B000-memory.dmp	purplefox_rootkit
behavioral1/memory/1996-123-0x0000000003410000-0x00000000035B8000-memory.dmp	purplefox_rootkit
behavioral1/memory/1996-124-0x0000000003410000-0x00000000035B8000-memory.dmp	purplefox_rootkit
behavioral1/memory/1996-132-0x0000000003410000-0x00000000035B8000-memory.dmp	purplefox_rootkit
behavioral1/memory/1996-146-0x0000000003410000-0x00000000035B8000-memory.dmp	purplefox_rootkit
behavioral1/memory/1996-148-0x0000000003410000-0x00000000035B8000-memory.dmp	purplefox_rootkit
behavioral1/memory/1996-150-0x0000000003410000-0x00000000035B8000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1996-122-0x0000000003110000-0x000000000324B000-memory.dmp	family_gh0strat
behavioral1/memory/1996-123-0x0000000003410000-0x00000000035B8000-memory.dmp	family_gh0strat
behavioral1/memory/1996-124-0x0000000003410000-0x00000000035B8000-memory.dmp	family_gh0strat
behavioral1/memory/1996-132-0x0000000003410000-0x00000000035B8000-memory.dmp	family_gh0strat
behavioral1/memory/1996-146-0x0000000003410000-0x00000000035B8000-memory.dmp	family_gh0strat
behavioral1/memory/1996-148-0x0000000003410000-0x00000000035B8000-memory.dmp	family_gh0strat
behavioral1/memory/1996-150-0x0000000003410000-0x00000000035B8000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Drops startup file 2 IoCs

Processes:

1VOE.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\Embarcaderophi.lnk	1VOE.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\Embarcaderophi.lnk	1VOE.exe

Executes dropped EXE 2 IoCs

Processes:

1VOE.exeWFWF_Fy.exe

pid process

796 1VOE.exe
1996 WFWF_Fy.exe
Loads dropped DLL 9 IoCs

Processes:

y.exeWFWF_Fy.exe

pid process

2876 y.exe
2876 y.exe
2876 y.exe
2876 y.exe
2876 y.exe
2876 y.exe
2876 y.exe
2876 y.exe
1996 WFWF_Fy.exe

pid	process
796	1VOE.exe
1996	WFWF_Fy.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

WFWF_Fy.exe

description	ioc	process
File opened (read-only)	\??\G:	WFWF_Fy.exe
File opened (read-only)	\??\H:	WFWF_Fy.exe
File opened (read-only)	\??\O:	WFWF_Fy.exe
File opened (read-only)	\??\U:	WFWF_Fy.exe
File opened (read-only)	\??\V:	WFWF_Fy.exe
File opened (read-only)	\??\E:	WFWF_Fy.exe
File opened (read-only)	\??\J:	WFWF_Fy.exe
File opened (read-only)	\??\K:	WFWF_Fy.exe
File opened (read-only)	\??\P:	WFWF_Fy.exe
File opened (read-only)	\??\W:	WFWF_Fy.exe
File opened (read-only)	\??\B:	WFWF_Fy.exe
File opened (read-only)	\??\L:	WFWF_Fy.exe
File opened (read-only)	\??\M:	WFWF_Fy.exe
File opened (read-only)	\??\Y:	WFWF_Fy.exe
File opened (read-only)	\??\Z:	WFWF_Fy.exe
File opened (read-only)	\??\I:	WFWF_Fy.exe
File opened (read-only)	\??\N:	WFWF_Fy.exe
File opened (read-only)	\??\Q:	WFWF_Fy.exe
File opened (read-only)	\??\R:	WFWF_Fy.exe
File opened (read-only)	\??\S:	WFWF_Fy.exe
File opened (read-only)	\??\T:	WFWF_Fy.exe
File opened (read-only)	\??\X:	WFWF_Fy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WFWF_Fy.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	WFWF_Fy.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WFWF_Fy.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 30 IoCs

Processes:

explorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 78003100000000006157132011005075626c69630000620008000400efbeee3a851a615713202a0000007c0200000000010000000000000000003800000000005000750062006c0069006300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003600000016000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 74003100000000006157152011004d7573696300600008000400efbeee3a851a615715202a000000820200000000010000000000000000003600000000004d007500730069006300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380030003300000014000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 740031000000000057570e911100557365727300600008000400efbeee3a851a57570e912a000000e601000000000100000000000000000036000000000055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Music"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 50003100000000006157152010004778716b613400003a0008000400efbe61571520615715202a000000726301000000080000000000000000000000000000004700780071006b0061003400000016000000	explorer.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

y.exeWFWF_Fy.exe

pid	process
2876	y.exe
1996	WFWF_Fy.exe
1996	WFWF_Fy.exe
1996	WFWF_Fy.exe
1996	WFWF_Fy.exe
1996	WFWF_Fy.exe
1996	WFWF_Fy.exe
1996	WFWF_Fy.exe
1996	WFWF_Fy.exe
1996	WFWF_Fy.exe
1996	WFWF_Fy.exe
1996	WFWF_Fy.exe
1996	WFWF_Fy.exe
1996	WFWF_Fy.exe
1996	WFWF_Fy.exe
1996	WFWF_Fy.exe
1996	WFWF_Fy.exe
1996	WFWF_Fy.exe
1996	WFWF_Fy.exe
1996	WFWF_Fy.exe
1996	WFWF_Fy.exe
1996	WFWF_Fy.exe
1996	WFWF_Fy.exe
1996	WFWF_Fy.exe
1996	WFWF_Fy.exe
1996	WFWF_Fy.exe
1996	WFWF_Fy.exe
1996	WFWF_Fy.exe
1996	WFWF_Fy.exe
1996	WFWF_Fy.exe
1996	WFWF_Fy.exe
1996	WFWF_Fy.exe
1996	WFWF_Fy.exe
1996	WFWF_Fy.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

WFWF_Fy.exe

description pid process

Token: 33 1996 WFWF_Fy.exe
Token: SeIncBasePriorityPrivilege 1996 WFWF_Fy.exe

description	pid	process
Token: 33	1996	WFWF_Fy.exe
Token: SeIncBasePriorityPrivilege	1996	WFWF_Fy.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

y.exeexplorer.exe

description	pid	process	target process
PID 2876 wrote to memory of 2520	2876	y.exe	explorer.exe
PID 2876 wrote to memory of 2520	2876	y.exe	explorer.exe
PID 2876 wrote to memory of 2520	2876	y.exe	explorer.exe
PID 2876 wrote to memory of 2520	2876	y.exe	explorer.exe
PID 2608 wrote to memory of 796	2608	explorer.exe	1VOE.exe
PID 2608 wrote to memory of 796	2608	explorer.exe	1VOE.exe
PID 2608 wrote to memory of 796	2608	explorer.exe	1VOE.exe
PID 2608 wrote to memory of 796	2608	explorer.exe	1VOE.exe
PID 2608 wrote to memory of 1996	2608	explorer.exe	WFWF_Fy.exe
PID 2608 wrote to memory of 1996	2608	explorer.exe	WFWF_Fy.exe
PID 2608 wrote to memory of 1996	2608	explorer.exe	WFWF_Fy.exe
PID 2608 wrote to memory of 1996	2608	explorer.exe	WFWF_Fy.exe
PID 2608 wrote to memory of 1996	2608	explorer.exe	WFWF_Fy.exe
PID 2608 wrote to memory of 1996	2608	explorer.exe	WFWF_Fy.exe
PID 2608 wrote to memory of 1996	2608	explorer.exe	WFWF_Fy.exe

C:\Users\Admin\AppData\Local\Temp\y.exe
"C:\Users\Admin\AppData\Local\Temp\y.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\explorer.exe
C:\Windows\explorer.exe C:\Users\Public\Music\Gxqka4
2⤵
PID:2520

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2608

C:\Users\Admin\AppData\Roaming\0J0J_\1VOE.exe
"C:\Users\Admin\AppData\Roaming\0J0J_\1VOE.exe" -n C:\Users\Admin\AppData\Roaming\0J0J_\IYH.zip -d C:\Users\Admin\AppData\Roaming
2⤵
- Drops startup file
- Executes dropped EXE
PID:796

C:\ProgramData\5P5P5O\WFWF_Fy.exe
"C:\ProgramData\5P5P5O\WFWF_Fy.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\5P5P5O\WFWF_Fy.exe

Filesize
2.2MB

MD5
afd1c09b13ac9d85781c6e4fe07457c7

SHA1
bb559602478c9b2e96da8eaa77f0536577aca1df

SHA256
9a50ab40120b76695c78d45c64a97f7179033a2a05f5a2e97db36c2a81021806

SHA512
1f48829faef6f22836e8946fb610c73b4134f0efa6c5ce0ece6c19606506c6d7fc4db4852b06b38183b1ad58c7775ffba5f0c69f93ce57532d29bff1d88226c4

Download Submit
C:\ProgramData\5P5P5O\WFWF_Fy.exe

Filesize
2.2MB

MD5
afd1c09b13ac9d85781c6e4fe07457c7

SHA1
bb559602478c9b2e96da8eaa77f0536577aca1df

SHA256
9a50ab40120b76695c78d45c64a97f7179033a2a05f5a2e97db36c2a81021806

SHA512
1f48829faef6f22836e8946fb610c73b4134f0efa6c5ce0ece6c19606506c6d7fc4db4852b06b38183b1ad58c7775ffba5f0c69f93ce57532d29bff1d88226c4

Download Submit
C:\ProgramData\5P5P5O\WFWF_Fy.exe

Filesize
2.2MB

MD5
afd1c09b13ac9d85781c6e4fe07457c7

SHA1
bb559602478c9b2e96da8eaa77f0536577aca1df

SHA256
9a50ab40120b76695c78d45c64a97f7179033a2a05f5a2e97db36c2a81021806

SHA512
1f48829faef6f22836e8946fb610c73b4134f0efa6c5ce0ece6c19606506c6d7fc4db4852b06b38183b1ad58c7775ffba5f0c69f93ce57532d29bff1d88226c4

Download Submit
C:\ProgramData\5P5P5O\info.txt

Filesize
119KB

MD5
e47ce3af60628f795b86b3c3aff8b88f

SHA1
88051cfdd8fbd780888aba557a35cba97635694e

SHA256
40e00f085b691bbf8adbef2adb0ec55d5c6dee808605be4e4fd8ccad65f59c4b

SHA512
7ba0870dd4817e24f13a513a3ebd1196b0994f4a54574ac44b8791c52c9cd98260c96ab8368d04889472f4cb0bf08e2affe81f9593f80af43f57762d5f4cf1db

Download Submit
C:\ProgramData\5P5P5O\qqffoBase.dll

Filesize
484KB

MD5
9f06ceef05be654f331d8771c74b25f0

SHA1
656829c09c9b3341afc371932e53271e76f09c23

SHA256
6417309e97acc09cbd18f919cd7b767584649ad2867abf613a47cf502da81507

SHA512
ca68a814ca42f8d7ffe35e78bbaa40d3d3d49cbc3c46832719d2b4d6566d8eee031f568fbdbc0d872fd5b84bea4f21ba4633baff3513b919789790b3516af5b3

Download Submit
C:\ProgramData\SHELL.TXT

Filesize
1.2MB

MD5
a70e878d33aedb2062dd6dd99e340ff3

SHA1
a46b786c73f1751c998f00a4c41c0ea75f5e88e5

SHA256
a822a24f5987587a129a46e15dd905b2d09e605116689197e9222ea811a4e962

SHA512
78e196bd3dcbbcc43eedfb3c2cc2532537090c8b755eeeeafeb2a555f8035c14feedcddcfe991ad4c01f99889ca3dcd7e43652a1bf9a36e93400bedd363e6530

Download Submit
C:\ProgramData\SHELL.ini

Filesize
102B

MD5
2e3c18cf89e3995c1caad22622a8633a

SHA1
1f5b89c2368f2e3974fe951fa087a3a2cd36146d

SHA256
0f371f46af350a287c34e785aec5b3d0a52d97e0aeabf548e612b6c3f51f5e79

SHA512
e349cd0e0908c7f6ca61402aebe674a34342add6dfd4a7ca03d708746d0d2039bb08aec03f3029a2180cf03ab8cdacfc3ea9bbe42dcfa6f0a70ae12a92b0575c

Download Submit
C:\Users\Admin\AppData\Roaming\0J0J_\1VOE.exe

Filesize
152KB

MD5
6ffd7c733dde81f2b6b8782e690b044d

SHA1
19163bb2a519b23757061333da30c734cee7e32e

SHA256
cafde9e7d48e330f8edb552e2c026d11a318b8c9ee49bbd1a3dc9af1436e2fbc

SHA512
d9a42c9b1953a607f5c65e93bcd9d263ce5bf37f5bad57517848d0e6d7ea601f3378c48b143920fde8cab8626d5abfd97c2500f21bb981441aa0ab555dd1fda3

Download Submit
C:\Users\Admin\AppData\Roaming\0J0J_\1VOE.exe

Filesize
152KB

MD5
6ffd7c733dde81f2b6b8782e690b044d

SHA1
19163bb2a519b23757061333da30c734cee7e32e

SHA256
cafde9e7d48e330f8edb552e2c026d11a318b8c9ee49bbd1a3dc9af1436e2fbc

SHA512
d9a42c9b1953a607f5c65e93bcd9d263ce5bf37f5bad57517848d0e6d7ea601f3378c48b143920fde8cab8626d5abfd97c2500f21bb981441aa0ab555dd1fda3

Download Submit
C:\Users\Admin\AppData\Roaming\0J0J_\1VOE.exe

Filesize
152KB

MD5
6ffd7c733dde81f2b6b8782e690b044d

SHA1
19163bb2a519b23757061333da30c734cee7e32e

SHA256
cafde9e7d48e330f8edb552e2c026d11a318b8c9ee49bbd1a3dc9af1436e2fbc

SHA512
d9a42c9b1953a607f5c65e93bcd9d263ce5bf37f5bad57517848d0e6d7ea601f3378c48b143920fde8cab8626d5abfd97c2500f21bb981441aa0ab555dd1fda3

Download Submit
C:\Users\Admin\AppData\Roaming\0J0J_\IYH.zip

Filesize
1KB

MD5
1c402f917280442c4f6425168490472c

SHA1
5acd64031947b44a8da5b95ea706f929adbee318

SHA256
c3e803b49103bc474726b143d39d09e88a94fc5aa79145348d977e27cef5f760

SHA512
23563a109619708a547c5006f415a2b1aba3c91f20ecca8934dbfcf9c72eab5c59b50c4ef1dc250b24d13bf418b50242620c9281b48c0383ccccacf761c02db3

Download Submit
C:\Users\Admin\AppData\Roaming\0J0J_\Microsoft\Windows\Start Menu\Programs\startup\Embarcaderophi.lnk

Filesize
756B

MD5
1a63bb3575512a28da5fe1bf79dc56c4

SHA1
f660e90459df419486644cc78893e942d5fcbf8a

SHA256
431e40c3bdf11a833e4a02cd6c327ae4afaece2fa9ba71b90fab4ebd370bf4cc

SHA512
fa9ce136346249e561cff3657f4647938b17e13492e66c85f4d7b683fcc84b2bc4bf36c5d474f36e74589653c67d10fc929209c4cc028d13d240d387befeca25

Download Submit
C:\Users\Public\Music\Gxqka4\2WMFwp.url

Filesize
67B

MD5
b4e7fb525847c6f4497229142c6453d0

SHA1
7e1ddef82c92dbc9eaee7dd60751343e54df7970

SHA256
e93d57ee6244f19f9b5cfd4f0f588b9f4cb05ad27989ae2eccdfee1293252d17

SHA512
2ef22946d6c5b34d1a01b31bf4079c3a33bf49d233ba50312a6ebb5d6b097a7ef4db920ba895b1310299f33dbe31a75fef19c5273de9f0dbfc6bf3ddade89691

Download Submit
C:\Users\Public\Music\Gxqka4\4YRHBr.lnk

Filesize
923B

MD5
51212e292425673fe2bd5bdf06ef017b

SHA1
77ba6d2e98d48706f8d9bcdd4dd311c6cbd7a999

SHA256
854a67b0daae6dea5d5319be790e905e8820e2e92fdc6028b7e0812576d940c8

SHA512
a60395959f34cc4cd840cf9a1ada255a50d283374938ac96cd2c10564f05f57676060bdbc454ebdac2f07e46d1e6cb582084c138688a4c1ced05ff7073e64d5b

Download Submit
C:\Users\Public\Music\Gxqka4\5_SICs.url

Filesize
67B

MD5
b4e7fb525847c6f4497229142c6453d0

SHA1
7e1ddef82c92dbc9eaee7dd60751343e54df7970

SHA256
e93d57ee6244f19f9b5cfd4f0f588b9f4cb05ad27989ae2eccdfee1293252d17

SHA512
2ef22946d6c5b34d1a01b31bf4079c3a33bf49d233ba50312a6ebb5d6b097a7ef4db920ba895b1310299f33dbe31a75fef19c5273de9f0dbfc6bf3ddade89691

Download Submit
C:\Users\Public\Music\Gxqka4\Dwqg90.url

Filesize
67B

MD5
b4e7fb525847c6f4497229142c6453d0

SHA1
7e1ddef82c92dbc9eaee7dd60751343e54df7970

SHA256
e93d57ee6244f19f9b5cfd4f0f588b9f4cb05ad27989ae2eccdfee1293252d17

SHA512
2ef22946d6c5b34d1a01b31bf4079c3a33bf49d233ba50312a6ebb5d6b097a7ef4db920ba895b1310299f33dbe31a75fef19c5273de9f0dbfc6bf3ddade89691

Download Submit
C:\Users\Public\Music\Gxqka4\Dxqha0.lnk

Filesize
923B

MD5
51212e292425673fe2bd5bdf06ef017b

SHA1
77ba6d2e98d48706f8d9bcdd4dd311c6cbd7a999

SHA256
854a67b0daae6dea5d5319be790e905e8820e2e92fdc6028b7e0812576d940c8

SHA512
a60395959f34cc4cd840cf9a1ada255a50d283374938ac96cd2c10564f05f57676060bdbc454ebdac2f07e46d1e6cb582084c138688a4c1ced05ff7073e64d5b

Download Submit
C:\Users\Public\Music\Gxqka4\Eyoib1.lnk

Filesize
923B

MD5
51212e292425673fe2bd5bdf06ef017b

SHA1
77ba6d2e98d48706f8d9bcdd4dd311c6cbd7a999

SHA256
854a67b0daae6dea5d5319be790e905e8820e2e92fdc6028b7e0812576d940c8

SHA512
a60395959f34cc4cd840cf9a1ada255a50d283374938ac96cd2c10564f05f57676060bdbc454ebdac2f07e46d1e6cb582084c138688a4c1ced05ff7073e64d5b

Download Submit
C:\Users\Public\Music\Gxqka4\TMCwpg.url

Filesize
67B

MD5
b4e7fb525847c6f4497229142c6453d0

SHA1
7e1ddef82c92dbc9eaee7dd60751343e54df7970

SHA256
e93d57ee6244f19f9b5cfd4f0f588b9f4cb05ad27989ae2eccdfee1293252d17

SHA512
2ef22946d6c5b34d1a01b31bf4079c3a33bf49d233ba50312a6ebb5d6b097a7ef4db920ba895b1310299f33dbe31a75fef19c5273de9f0dbfc6bf3ddade89691

Download Submit
C:\Users\Public\Music\Gxqka4\TNDxqg.lnk

Filesize
923B

MD5
51212e292425673fe2bd5bdf06ef017b

SHA1
77ba6d2e98d48706f8d9bcdd4dd311c6cbd7a999

SHA256
854a67b0daae6dea5d5319be790e905e8820e2e92fdc6028b7e0812576d940c8

SHA512
a60395959f34cc4cd840cf9a1ada255a50d283374938ac96cd2c10564f05f57676060bdbc454ebdac2f07e46d1e6cb582084c138688a4c1ced05ff7073e64d5b

Download Submit
C:\Users\Public\Music\Gxqka4\_PJztm.url

Filesize
67B

MD5
b4e7fb525847c6f4497229142c6453d0

SHA1
7e1ddef82c92dbc9eaee7dd60751343e54df7970

SHA256
e93d57ee6244f19f9b5cfd4f0f588b9f4cb05ad27989ae2eccdfee1293252d17

SHA512
2ef22946d6c5b34d1a01b31bf4079c3a33bf49d233ba50312a6ebb5d6b097a7ef4db920ba895b1310299f33dbe31a75fef19c5273de9f0dbfc6bf3ddade89691

Download Submit
C:\Users\Public\Music\Gxqka4\_PJztm.url

Filesize
67B

MD5
b4e7fb525847c6f4497229142c6453d0

SHA1
7e1ddef82c92dbc9eaee7dd60751343e54df7970

SHA256
e93d57ee6244f19f9b5cfd4f0f588b9f4cb05ad27989ae2eccdfee1293252d17

SHA512
2ef22946d6c5b34d1a01b31bf4079c3a33bf49d233ba50312a6ebb5d6b097a7ef4db920ba895b1310299f33dbe31a75fef19c5273de9f0dbfc6bf3ddade89691

Download Submit
C:\Users\Public\Music\Gxqka4\b2VPFy.url

Filesize
67B

MD5
b4e7fb525847c6f4497229142c6453d0

SHA1
7e1ddef82c92dbc9eaee7dd60751343e54df7970

SHA256
e93d57ee6244f19f9b5cfd4f0f588b9f4cb05ad27989ae2eccdfee1293252d17

SHA512
2ef22946d6c5b34d1a01b31bf4079c3a33bf49d233ba50312a6ebb5d6b097a7ef4db920ba895b1310299f33dbe31a75fef19c5273de9f0dbfc6bf3ddade89691

Download Submit
C:\Users\Public\Music\Gxqka4\e8YSLB.url

Filesize
67B

MD5
b4e7fb525847c6f4497229142c6453d0

SHA1
7e1ddef82c92dbc9eaee7dd60751343e54df7970

SHA256
e93d57ee6244f19f9b5cfd4f0f588b9f4cb05ad27989ae2eccdfee1293252d17

SHA512
2ef22946d6c5b34d1a01b31bf4079c3a33bf49d233ba50312a6ebb5d6b097a7ef4db920ba895b1310299f33dbe31a75fef19c5273de9f0dbfc6bf3ddade89691

Download Submit
C:\Users\Public\Music\Gxqka4\ke4XRH.lnk

Filesize
923B

MD5
51212e292425673fe2bd5bdf06ef017b

SHA1
77ba6d2e98d48706f8d9bcdd4dd311c6cbd7a999

SHA256
854a67b0daae6dea5d5319be790e905e8820e2e92fdc6028b7e0812576d940c8

SHA512
a60395959f34cc4cd840cf9a1ada255a50d283374938ac96cd2c10564f05f57676060bdbc454ebdac2f07e46d1e6cb582084c138688a4c1ced05ff7073e64d5b

Download Submit
C:\Users\Public\Music\Gxqka4\ke4XRH.lnk

Filesize
923B

MD5
51212e292425673fe2bd5bdf06ef017b

SHA1
77ba6d2e98d48706f8d9bcdd4dd311c6cbd7a999

SHA256
854a67b0daae6dea5d5319be790e905e8820e2e92fdc6028b7e0812576d940c8

SHA512
a60395959f34cc4cd840cf9a1ada255a50d283374938ac96cd2c10564f05f57676060bdbc454ebdac2f07e46d1e6cb582084c138688a4c1ced05ff7073e64d5b

Download Submit
C:\Users\Public\Music\Gxqka4\pg93TM.lnk

Filesize
923B

MD5
51212e292425673fe2bd5bdf06ef017b

SHA1
77ba6d2e98d48706f8d9bcdd4dd311c6cbd7a999

SHA256
854a67b0daae6dea5d5319be790e905e8820e2e92fdc6028b7e0812576d940c8

SHA512
a60395959f34cc4cd840cf9a1ada255a50d283374938ac96cd2c10564f05f57676060bdbc454ebdac2f07e46d1e6cb582084c138688a4c1ced05ff7073e64d5b

Download Submit
C:\Users\Public\Music\Gxqka4\qha1UO.lnk

Filesize
923B

MD5
51212e292425673fe2bd5bdf06ef017b

SHA1
77ba6d2e98d48706f8d9bcdd4dd311c6cbd7a999

SHA256
854a67b0daae6dea5d5319be790e905e8820e2e92fdc6028b7e0812576d940c8

SHA512
a60395959f34cc4cd840cf9a1ada255a50d283374938ac96cd2c10564f05f57676060bdbc454ebdac2f07e46d1e6cb582084c138688a4c1ced05ff7073e64d5b

Download Submit
C:\Users\Public\O5O4O7

Filesize
2.8MB

MD5
a4545f9052e0f25d388fd08d1f8dc918

SHA1
14427a5dee047507d72cd4654ccc60db88fc4aae

SHA256
37e849c75b1904a47549335a3b72d458c9e28617f18502bdd4860365442f5f86

SHA512
102f3ff5784c9b0e65ba708962da79e04a77007d16e00fc67d3496b56c83fca83af65a70cba8bba84e4953659b133e51d484f9b0255205cdb080070c665599a8

Download Submit
\ProgramData\5P5P5O\WFWF_Fy.exe

Filesize
2.2MB

MD5
afd1c09b13ac9d85781c6e4fe07457c7

SHA1
bb559602478c9b2e96da8eaa77f0536577aca1df

SHA256
9a50ab40120b76695c78d45c64a97f7179033a2a05f5a2e97db36c2a81021806

SHA512
1f48829faef6f22836e8946fb610c73b4134f0efa6c5ce0ece6c19606506c6d7fc4db4852b06b38183b1ad58c7775ffba5f0c69f93ce57532d29bff1d88226c4

Download Submit
\ProgramData\5P5P5O\qqffoBase.dll

Filesize
484KB

MD5
9f06ceef05be654f331d8771c74b25f0

SHA1
656829c09c9b3341afc371932e53271e76f09c23

SHA256
6417309e97acc09cbd18f919cd7b767584649ad2867abf613a47cf502da81507

SHA512
ca68a814ca42f8d7ffe35e78bbaa40d3d3d49cbc3c46832719d2b4d6566d8eee031f568fbdbc0d872fd5b84bea4f21ba4633baff3513b919789790b3516af5b3

Download Submit
\Users\Admin\AppData\Roaming\0J0J_\1VOE.exe

Filesize
152KB

MD5
6ffd7c733dde81f2b6b8782e690b044d

SHA1
19163bb2a519b23757061333da30c734cee7e32e

SHA256
cafde9e7d48e330f8edb552e2c026d11a318b8c9ee49bbd1a3dc9af1436e2fbc

SHA512
d9a42c9b1953a607f5c65e93bcd9d263ce5bf37f5bad57517848d0e6d7ea601f3378c48b143920fde8cab8626d5abfd97c2500f21bb981441aa0ab555dd1fda3

Download Submit
\Users\Admin\AppData\Roaming\0J0J_\1VOE.exe

Filesize
152KB

MD5
6ffd7c733dde81f2b6b8782e690b044d

SHA1
19163bb2a519b23757061333da30c734cee7e32e

SHA256
cafde9e7d48e330f8edb552e2c026d11a318b8c9ee49bbd1a3dc9af1436e2fbc

SHA512
d9a42c9b1953a607f5c65e93bcd9d263ce5bf37f5bad57517848d0e6d7ea601f3378c48b143920fde8cab8626d5abfd97c2500f21bb981441aa0ab555dd1fda3

Download Submit
\Users\Admin\AppData\Roaming\0J0J_\1VOE.exe

Filesize
152KB

MD5
6ffd7c733dde81f2b6b8782e690b044d

SHA1
19163bb2a519b23757061333da30c734cee7e32e

SHA256
cafde9e7d48e330f8edb552e2c026d11a318b8c9ee49bbd1a3dc9af1436e2fbc

SHA512
d9a42c9b1953a607f5c65e93bcd9d263ce5bf37f5bad57517848d0e6d7ea601f3378c48b143920fde8cab8626d5abfd97c2500f21bb981441aa0ab555dd1fda3

Download Submit
\Users\Admin\AppData\Roaming\0J0J_\1VOE.exe

Filesize
152KB

MD5
6ffd7c733dde81f2b6b8782e690b044d

SHA1
19163bb2a519b23757061333da30c734cee7e32e

SHA256
cafde9e7d48e330f8edb552e2c026d11a318b8c9ee49bbd1a3dc9af1436e2fbc

SHA512
d9a42c9b1953a607f5c65e93bcd9d263ce5bf37f5bad57517848d0e6d7ea601f3378c48b143920fde8cab8626d5abfd97c2500f21bb981441aa0ab555dd1fda3

Download Submit
\Users\Admin\AppData\Roaming\0J0J_\1VOE.exe

Filesize
152KB

MD5
6ffd7c733dde81f2b6b8782e690b044d

SHA1
19163bb2a519b23757061333da30c734cee7e32e

SHA256
cafde9e7d48e330f8edb552e2c026d11a318b8c9ee49bbd1a3dc9af1436e2fbc

SHA512
d9a42c9b1953a607f5c65e93bcd9d263ce5bf37f5bad57517848d0e6d7ea601f3378c48b143920fde8cab8626d5abfd97c2500f21bb981441aa0ab555dd1fda3

Download Submit
\Users\Admin\AppData\Roaming\0J0J_\1VOE.exe

Filesize
152KB

MD5
6ffd7c733dde81f2b6b8782e690b044d

SHA1
19163bb2a519b23757061333da30c734cee7e32e

SHA256
cafde9e7d48e330f8edb552e2c026d11a318b8c9ee49bbd1a3dc9af1436e2fbc

SHA512
d9a42c9b1953a607f5c65e93bcd9d263ce5bf37f5bad57517848d0e6d7ea601f3378c48b143920fde8cab8626d5abfd97c2500f21bb981441aa0ab555dd1fda3

Download Submit
\Users\Admin\AppData\Roaming\0J0J_\1VOE.exe

Filesize
152KB

MD5
6ffd7c733dde81f2b6b8782e690b044d

SHA1
19163bb2a519b23757061333da30c734cee7e32e

SHA256
cafde9e7d48e330f8edb552e2c026d11a318b8c9ee49bbd1a3dc9af1436e2fbc

SHA512
d9a42c9b1953a607f5c65e93bcd9d263ce5bf37f5bad57517848d0e6d7ea601f3378c48b143920fde8cab8626d5abfd97c2500f21bb981441aa0ab555dd1fda3

Download Submit
memory/1996-124-0x0000000003410000-0x00000000035B8000-memory.dmp

Filesize
1.7MB

Download
memory/1996-145-0x0000000000400000-0x0000000000CD0000-memory.dmp

Filesize
8.8MB

Download
memory/1996-150-0x0000000003410000-0x00000000035B8000-memory.dmp

Filesize
1.7MB

Download
memory/1996-148-0x0000000003410000-0x00000000035B8000-memory.dmp

Filesize
1.7MB

Download
memory/1996-111-0x0000000000400000-0x0000000000CD0000-memory.dmp

Filesize
8.8MB

Download
memory/1996-146-0x0000000003410000-0x00000000035B8000-memory.dmp

Filesize
1.7MB

Download
memory/1996-112-0x0000000000250000-0x000000000025A000-memory.dmp

Filesize
40KB

Download
memory/1996-132-0x0000000003410000-0x00000000035B8000-memory.dmp

Filesize
1.7MB

Download
memory/1996-122-0x0000000003110000-0x000000000324B000-memory.dmp

Filesize
1.2MB

Download
memory/1996-123-0x0000000003410000-0x00000000035B8000-memory.dmp

Filesize
1.7MB

Download
memory/2608-105-0x0000000003730000-0x0000000003731000-memory.dmp

Filesize
4KB

Download
memory/2608-46-0x0000000003740000-0x0000000003750000-memory.dmp

Filesize
64KB

Download
memory/2608-45-0x0000000003730000-0x0000000003731000-memory.dmp

Filesize
4KB

Download
memory/2876-83-0x0000000001E50000-0x0000000001E60000-memory.dmp

Filesize
64KB

Download
memory/2876-11-0x0000000002940000-0x0000000002986000-memory.dmp

Filesize
280KB

Download
memory/2876-30-0x0000000001E50000-0x0000000001E60000-memory.dmp

Filesize
64KB

Download
memory/2876-2-0x0000000010000000-0x00000000100C1000-memory.dmp

Filesize
772KB

Download