gh0strat | 15d485be47d58c6cb7fc0e9820c973557a062236d768626ef104afd58f9ce322

Analysis

max time kernel
109s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2024, 16:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4169c92c9103b8d09d41a30805790794.exe
Size

197KB
MD5

4169c92c9103b8d09d41a30805790794
SHA1

a2aa5561dc10b89f79a878627a6fdc17a5039be7
SHA256

15d485be47d58c6cb7fc0e9820c973557a062236d768626ef104afd58f9ce322
SHA512

fac6a571fccdcb98ddcbee296d23ebaa1da433c824c93865e7c5059847295dbbd530cd981192751e018efa0ee039f14816bef0115acea70735bc412c436d1398
SSDEEP

6144:nOVLnWFcgFtsFkVRTl0QdTmNPPYhoUeqP:n8LWFr+kV1KIo+GY

Score

10^/10

gh0strat rat

Malware Config

Signatures

Gh0st RAT payload 21 IoCs

resource	yara_rule
behavioral2/files/0x000d000000023161-2.dat	family_gh0strat
behavioral2/files/0x000d000000023161-3.dat	family_gh0strat
behavioral2/files/0x000d000000023161-4.dat	family_gh0strat
behavioral2/files/0x000d000000023161-5.dat	family_gh0strat
behavioral2/files/0x000d000000023161-6.dat	family_gh0strat
behavioral2/files/0x000d000000023161-7.dat	family_gh0strat
behavioral2/files/0x000d000000023161-8.dat	family_gh0strat
behavioral2/files/0x000d000000023161-9.dat	family_gh0strat
behavioral2/files/0x000d000000023161-10.dat	family_gh0strat
behavioral2/files/0x000d000000023161-11.dat	family_gh0strat
behavioral2/files/0x000d000000023161-12.dat	family_gh0strat
behavioral2/files/0x000d000000023161-13.dat	family_gh0strat
behavioral2/files/0x000d000000023161-14.dat	family_gh0strat
behavioral2/files/0x000d000000023161-15.dat	family_gh0strat
behavioral2/files/0x000d000000023161-16.dat	family_gh0strat
behavioral2/files/0x000d000000023161-17.dat	family_gh0strat
behavioral2/files/0x000d000000023161-18.dat	family_gh0strat
behavioral2/files/0x000d000000023161-19.dat	family_gh0strat
behavioral2/files/0x000d000000023161-20.dat	family_gh0strat
behavioral2/files/0x000d000000023161-21.dat	family_gh0strat
behavioral2/files/0x000d000000023161-22.dat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Loads dropped DLL 12 IoCs

pid	Process
3724	svchost.exe
4816	svchost.exe
1004	svchost.exe
1544	svchost.exe
1092	svchost.exe
4748	svchost.exe
3572	svchost.exe
4324	svchost.exe
4496	svchost.exe
3308	svchost.exe
3876	svchost.exe
3800	svchost.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\%SESSIONNAME%\goxsj.pic	4169c92c9103b8d09d41a30805790794.exe

Program crash 19 IoCs

pid	pid_target	Process	procid_target
3848	3724	WerFault.exe	91
3128	4816	WerFault.exe	100
3360	1004	WerFault.exe	106
4496	1544	WerFault.exe	109
5100	1092	WerFault.exe	112
4032	4748	WerFault.exe	115
2952	3572	WerFault.exe	120
4420	4324	WerFault.exe	123
4452	4496	WerFault.exe	126
4244	3308	WerFault.exe	129
500	3876	WerFault.exe	132
404	3800	WerFault.exe	134
4288	3132	WerFault.exe	141
4324	2768	WerFault.exe	144
1368	1956	WerFault.exe	147
1484	2432	WerFault.exe	150
3004	2724	WerFault.exe	153
2628	352	WerFault.exe	156
3580	4972	WerFault.exe	159

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2176	4169c92c9103b8d09d41a30805790794.exe
2176	4169c92c9103b8d09d41a30805790794.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeRestorePrivilege	2176	4169c92c9103b8d09d41a30805790794.exe
Token: SeBackupPrivilege	2176	4169c92c9103b8d09d41a30805790794.exe
Token: SeBackupPrivilege	2176	4169c92c9103b8d09d41a30805790794.exe
Token: SeRestorePrivilege	2176	4169c92c9103b8d09d41a30805790794.exe
Token: SeRestorePrivilege	2176	4169c92c9103b8d09d41a30805790794.exe
Token: SeBackupPrivilege	2176	4169c92c9103b8d09d41a30805790794.exe
Token: SeBackupPrivilege	2176	4169c92c9103b8d09d41a30805790794.exe
Token: SeRestorePrivilege	2176	4169c92c9103b8d09d41a30805790794.exe
Token: SeRestorePrivilege	2176	4169c92c9103b8d09d41a30805790794.exe
Token: SeBackupPrivilege	2176	4169c92c9103b8d09d41a30805790794.exe
Token: SeBackupPrivilege	2176	4169c92c9103b8d09d41a30805790794.exe
Token: SeRestorePrivilege	2176	4169c92c9103b8d09d41a30805790794.exe
Token: SeRestorePrivilege	2176	4169c92c9103b8d09d41a30805790794.exe
Token: SeBackupPrivilege	2176	4169c92c9103b8d09d41a30805790794.exe
Token: SeBackupPrivilege	2176	4169c92c9103b8d09d41a30805790794.exe
Token: SeRestorePrivilege	2176	4169c92c9103b8d09d41a30805790794.exe
Token: SeRestorePrivilege	2176	4169c92c9103b8d09d41a30805790794.exe
Token: SeBackupPrivilege	2176	4169c92c9103b8d09d41a30805790794.exe
Token: SeBackupPrivilege	2176	4169c92c9103b8d09d41a30805790794.exe
Token: SeRestorePrivilege	2176	4169c92c9103b8d09d41a30805790794.exe
Token: SeRestorePrivilege	2176	4169c92c9103b8d09d41a30805790794.exe
Token: SeBackupPrivilege	2176	4169c92c9103b8d09d41a30805790794.exe
Token: SeBackupPrivilege	2176	4169c92c9103b8d09d41a30805790794.exe
Token: SeRestorePrivilege	2176	4169c92c9103b8d09d41a30805790794.exe
Token: SeRestorePrivilege	2176	4169c92c9103b8d09d41a30805790794.exe
Token: SeBackupPrivilege	2176	4169c92c9103b8d09d41a30805790794.exe
Token: SeBackupPrivilege	2176	4169c92c9103b8d09d41a30805790794.exe
Token: SeRestorePrivilege	2176	4169c92c9103b8d09d41a30805790794.exe

C:\Users\Admin\AppData\Local\Temp\4169c92c9103b8d09d41a30805790794.exe
"C:\Users\Admin\AppData\Local\Temp\4169c92c9103b8d09d41a30805790794.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:3724
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 592
  2⤵
  - Program crash
  PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3724 -ip 3724
1⤵
PID:1980

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Loads dropped DLL
PID:4816
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 592
  2⤵
  - Program crash
  PID:3128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4816 -ip 4816
1⤵
PID:1576

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
PID:1004
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 592
  2⤵
  - Program crash
  PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1004 -ip 1004
1⤵
PID:2640

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
PID:1544
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 592
  2⤵
  - Program crash
  PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1544 -ip 1544
1⤵
PID:2544

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ias
1⤵
- Loads dropped DLL
PID:1092
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 592
  2⤵
  - Program crash
  PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1092 -ip 1092
1⤵
PID:4424

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s irmon
1⤵
- Loads dropped DLL
PID:4748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4748 -s 592
  2⤵
  - Program crash
  PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4748 -ip 4748
1⤵
PID:940

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
PID:3572
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 592
  2⤵
  - Program crash
  PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3572 -ip 3572
1⤵
PID:2616

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nla
1⤵
- Loads dropped DLL
PID:4324
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 592
  2⤵
  - Program crash
  PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 4324 -ip 4324
1⤵
PID:4036

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
PID:4496
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 592
  2⤵
  - Program crash
  PID:4452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4496 -ip 4496
1⤵
PID:3396

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
PID:3308
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3308 -s 600
  2⤵
  - Program crash
  PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3308 -ip 3308
1⤵
PID:5100

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s ntmssvc
1⤵
- Loads dropped DLL
PID:3876
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 592
  2⤵
  - Program crash
  PID:500

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s nwcworkstation
1⤵
- Loads dropped DLL
PID:3800
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 592
  2⤵
  - Program crash
  PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3876 -ip 3876
1⤵
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3800 -ip 3800
1⤵
PID:4316

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
PID:3132
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3132 -s 592
  2⤵
  - Program crash
  PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3132 -ip 3132
1⤵
PID:4984

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
PID:2768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 600
  2⤵
  - Program crash
  PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2768 -ip 2768
1⤵
PID:4420

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s srservice
1⤵
PID:1956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1956 -s 592
  2⤵
  - Program crash
  PID:1368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1956 -ip 1956
1⤵
PID:3792

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmi
1⤵
PID:2432
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 592
  2⤵
  - Program crash
  PID:1484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2432 -ip 2432
1⤵
PID:4296

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
PID:2724
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 592
  2⤵
  - Program crash
  PID:3004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2724 -ip 2724
1⤵
PID:1124

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
PID:352
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 352 -s 600
  2⤵
  - Program crash
  PID:2628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 352 -ip 352
1⤵
PID:2772

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s wmdmpmsp
1⤵
PID:4972
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 592
  2⤵
  - Program crash
  PID:3580

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s logonhours
1⤵
PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4972 -ip 4972
1⤵
PID:4612

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\%SESSIONNAME%\goxsj.pic

Filesize
38KB

MD5
a3e5c71f905c7c096d817f6af49a63f9

SHA1
7d36165c9e8e673e07743d3b05859bc32af768f5

SHA256
155fab38e213d6246cbc9eb1f42bb1430ee7643d0200502fbcaf33c6351f73b9

SHA512
7e6485feb1723881260c0413673914aafb5eab6b18d9316596316006e67751c9a80f770636f42267c703a10a5721db492855d0e97b936351f3819f7778ef06d5

Download Submit
C:\Program Files (x86)\%SESSIONNAME%\goxsj.pic

Filesize
52KB

MD5
039322fd2c5f175c2418d36b44ad8123

SHA1
a03ff1871cb1497703a874496e9d27a37a60b855

SHA256
2239ccf7bcac3bbe2ddadd794219754167c045b496ba653dd2d231f0fa3ceb84

SHA512
5e7fbf3060d6fd815fb87fd737c50d0cf52f700f1bea29121e1e3cf323e295fae46182454fe562fe85b329ae1fbe644c6eaa99c25fb119b946542ffc07a6d6c9

Download Submit
C:\Program Files (x86)\%SESSIONNAME%\goxsj.pic

Filesize
80KB

MD5
68f91c81f67e037f59fc616642cbeaf0

SHA1
844b8410f6c5a5d928a395d82ad5236bc4c40419

SHA256
422bbfe17c397e85093860902c8d9e8db4b32f87042aa6f29017dbf983a734b4

SHA512
fc24f348da327a88d9a7cf853d64563167c44299b05fe6e71e398fd0bcc96c9a5b63228785b6dd00e28f760f505177bbdb08d74e036f8b0d403e59efef394c80

Download Submit
C:\Program Files (x86)\%SESSIONNAME%\goxsj.pic

Filesize
205KB

MD5
e4097083f83958226e2ab61640674605

SHA1
979d45b76f70ceafb391a555ad3ef83cd3fb1a89

SHA256
b06710d7c062fd4aa665297acc5c540bc8c13d98a012d298fe340e137ce5ba4c

SHA512
fa9263bb99fe865ce319e1fb0d34987457c7afcabb24b8b8750a8656c1579880b22f2a273fff27c03bc78bab9955d2fce8e91ca685c2485fbda17dab60ed5ecb

Download Submit
C:\Program Files (x86)\%SESSIONNAME%\goxsj.pic

Filesize
541KB

MD5
acdcce236379a4f37398c1896b856192

SHA1
94ccb84630ab090816fda3b54aa6628479859998

SHA256
732bd40a822b52bbb00583815f3005f83b7e5e7001fd17825b37140e28f1a257

SHA512
aa6232fa9c821742d426d0dc3154c65d3b68be5e44dc6621f88f756fc23f4c5c14448c2d161434fa660620870a7d61d79af128f194aa43acff4a1a3ce682bf4d

Download Submit
C:\Program Files (x86)\%SESSIONNAME%\goxsj.pic

Filesize
184KB

MD5
1cd96cffd133c81893d72b6dfc9bbe97

SHA1
57dd9c646d921606690e5c729f31ce055676df58

SHA256
2e4101a3929495ed603b418430cfcc99f26c20e10ff95b2350eb51bc7c574d21

SHA512
4d23fecc45876537b55c4f0218d76c2ed68360157d834b1d79f00242bcc95b7bace37672d0eab5172bbf2aaa55a2eac9414d8661140c22b52cedd7aa5d26c036

Download Submit
C:\Program Files (x86)\%SESSIONNAME%\goxsj.pic

Filesize
172KB

MD5
665aa2e5a521c63325809b8fad9a8e15

SHA1
2df36cc24ee6c8e84da7ab930dc02531f2c63740

SHA256
7bb9c613292ee55320c6cdcce56bfa68f9e04659fb0b24c26401812615b7cec6

SHA512
753193b5583c9e963e510221ad1dc05fcc4eb667d598b17c6940625202d7fa158927656029659341662bc94e7a684c37e7fb378b0e648868732ca389860cbe09

Download Submit
C:\Program Files (x86)\%SESSIONNAME%\goxsj.pic

Filesize
17KB

MD5
5f376076ae441f5e4697f0c6a1298281

SHA1
b073d250cf342c03b6fab3da9306acf7d5495d07

SHA256
c0a616763b50eae62367883d5f40fe2578aaf5d49c454b742c3e4770a505ce49

SHA512
aad4c4dca25bfd9f34f2c612788501a00d02dc23bef09950434454e741f77aff86ed944891046f4c26f6bef74899b01f7655bc174682f4b4fb90e29e968f7146

Download Submit
C:\Program Files (x86)\%SESSIONNAME%\goxsj.pic

Filesize
298KB

MD5
65c0d61ed532edc1ae78b6d456ee7de2

SHA1
3cfed6228538f1cff5457cf5a58e45c03f39c01a

SHA256
4a7e7258cec5ed99f8e4a54fa0a7ddecccc324082eba55c7a864c1e4b8ecf7f1

SHA512
543b8f7509f6dbf5aeaf16918e8dbfff7aaee4a95987e2ca2e1ceab93696b95e30cb4397944854ee947117454e3bb297ea5359843e4f34ecd38e4ae1a48d5770

Download Submit
C:\Program Files (x86)\%SESSIONNAME%\goxsj.pic

Filesize
38KB

MD5
c2fa47b46da4b3beeb4d5f408ec5f32e

SHA1
9487cd3eecc73b1e2cf498af75a70635b668f696

SHA256
1dc66ce1ed62424f5cbb2861a5f488a42e04ec4f05483364b7f3f25fbd5f08da

SHA512
30e7bdfad8ad0b30aa73d834bd3bb460732662f2deef14909b856be0be1fde6fb2cacc8bd834619baa59a470f1ec63e92ac07f179395b36513b25e65113247f6

Download Submit
C:\Program Files (x86)\%SESSIONNAME%\goxsj.pic

Filesize
83KB

MD5
8ba68f6824859be96b4d7397a10a0a0c

SHA1
db86aa8debc30060f2427f61fb4e69f2737224c3

SHA256
91052413813ced0debe3e268f416ada2b090158d3e92ec849ecbe3e0e8acb69d

SHA512
d6894a001e0e856a3f4f87f73ced9bb878ff2edd04087d541de4b7daf314cccaeb9efbb8bcd1e1b94b7e4b0deb279c28000d1241eb52319780cfb174a70f3b92

Download Submit
C:\Program Files (x86)\%SESSIONNAME%\goxsj.pic

Filesize
134KB

MD5
9e5fbb367db9b151971e412ec64ac132

SHA1
1414b9d4ffe5fb893db0214b4b01984e341e87f8

SHA256
4aecccd62b47d2b818119c33b563042a76bc31bfd97e39750750fbbd67b008a3

SHA512
cef45d8cdce1165697c3b250d54c1f9651c0f384c4bd21625b8a21ad8f9c54ae919bed47a3faf340f753c4d7caf6a1c792f514b804610fc4823580ce59e9a40b

Download Submit
C:\Program Files (x86)\%SESSIONNAME%\goxsj.pic

Filesize
222KB

MD5
38d4d88edc6a445e8bba885095d18c9c

SHA1
ad6f1681eccb5563a6c5ee3ea39d5ee60eb1491b

SHA256
fc0c8fd6d63ab026311ea609e4ca2f8e384a4c973f96a40bcabb2fb6798f6ca7

SHA512
3661c8bb411b882d3ef6a514be229a3d5477ae5b81aa09f14ecb662bcc9070ed91b6c105cf085ecd3cabcf770c7378d2dd80bf50461d0fe3140dbb1b77ac5857

Download Submit
C:\Program Files (x86)\%SESSIONNAME%\goxsj.pic

Filesize
70KB

MD5
7e3ba48db8c6282aaa1bdc5353623c8d

SHA1
dda4e068b0e73aad6de3e0ba13fb441995712258

SHA256
33292a3e001ffc53b00e8737f204e863242d1c7fe070b7c1a99d68a751f59dbb

SHA512
1c6a73eb3fb4b102979202f88ead7d338c2f7eed47497551d139089d87418e1f92ad436c1c86d5b8aed56f8ea51aaad6232e0a933310f1b7a7123bfe1bc980af

Download Submit
C:\Program Files (x86)\%SESSIONNAME%\goxsj.pic

Filesize
28KB

MD5
83a55f1afd4176b777950758508c0dc0

SHA1
09971e24539f9669e230b9a081b414b1337b2586

SHA256
d3caeed0599328fb0a795654f2d910a0ecd332359ca7bfc044e75ec34c584db4

SHA512
b5618b3e0b4eee4137b6143d6e7e04df8ef55a2316504af4644829156b89420c14277d4914b4e53a8d36b90119e2c8c5beec375847f5509d9c8ade3f40e186e3

Download Submit
C:\Program Files (x86)\%SESSIONNAME%\goxsj.pic

Filesize
60KB

MD5
6d51b0d4ee1d373c864ef28c79ff2fa8

SHA1
eb3d05e07d4134ae758230522ba48332884382d1

SHA256
d50cf9f64f5301728f8dd4e25b9cb74f112a7dc1d95d44a6208ec2c1fd7138e2

SHA512
964f249ace09fb81c0b2d06a85f49fe39adf2d2b260e537c7c988d164d4d3b806d286fe686362dd39c6d4b49153825cd31de57fcb9d0841f5ec02cf78f1e44e1

Download Submit
C:\Program Files (x86)\%SESSIONNAME%\goxsj.pic

Filesize
1KB

MD5
2f158dc7cd04dc1b1bd5e3c40e53af5d

SHA1
401b1f9f072ced397f063dbfac68bd1140ab1821

SHA256
a08c3ff0c913c573892a672f8d6715a99a2dcff9f8758b1cb65539da265517de

SHA512
c54ae8b128f9ba27c49512f0300645252c828fc4c6697e20e0ebe646fb6aa711c84f02a0733e9579ca0c0a4e02f5132cf8f76ed279979083657f3d468a09bff7

Download Submit
C:\Program Files (x86)\%SESSIONNAME%\goxsj.pic

Filesize
202KB

MD5
a3e188d79dbaa0f582cb1f1e1ab95278

SHA1
b9683204505a5b8633d959e9df795a0b737c65c9

SHA256
ce9c3bb0e5e42fe2cf838ea13f6f34656c3586498a782720d2a6772c8d668fec

SHA512
0ebb0f64389859c6b5b873673aedcf3bdff3d695bceb6b0e0ed2d10570e7db82807bd009c199f86699061ecbb2fba23f4f55dd683f02fdd3430fc394bbfd1b0f

Download Submit
C:\Program Files (x86)\%SESSIONNAME%\goxsj.pic

Filesize
362KB

MD5
b715da22aec41270294c93226c97c5dd

SHA1
3392458246f1931768297d5c625cbf3f25e363fa

SHA256
40432758f3a2f8461338d589179d6dde7555082a054d805ba9f56fd3f0f3d065

SHA512
15b126b598d1d867506944b5b52e2b3832e1ab4c91ebe66238f0289f40acfc2b1918d9a0c4639351b8f81d4263ea44883dc895fad470db9d9fcbdad8d7ea959d

Download Submit
C:\Program Files (x86)\%SESSIONNAME%\goxsj.pic

Filesize
7.0MB

MD5
c88157a32563f63aeaf5579dc7f407c0

SHA1
2b9129f32087b1bc7e5baf4bd359e95ffc1475e1

SHA256
53f12cb8f43e2335036c78ddadcc5bba1bc6b34f170b4430f650c4b4f6c81c18

SHA512
9fd7e154dd8405bd12cff9d96652ab7a92784ff49890ebe0ddf1c0cab8d1e422fa81a05ef8a14a0c5ebeb52dd46071be896a97f357db53d8235a79f326075430

Download Submit
\??\c:\program files (x86)\%sessionname%\goxsj.pic

Filesize
28KB

MD5
c108a7adac32dbef3ce4760d64ea62a8

SHA1
d4619ce2775728f1520845ab972215fe0d68b960

SHA256
085e94c5c14bfabf557ec40d56f16b3e8319201aac55e24fa96f57d76bb80e0b

SHA512
b48d65e2cb7d1fd897a01e6e47072f22806abd63b31930cc4b3d0664f3d16e8683790fc4a0f41ada74a27d699c70478db38c069a30f7323cf54392c035a8e208

Download Submit