gh0strat | b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
Size

3.5MB
MD5

8e1d90f09e0627a3b6225ae5be6ce80d
SHA1

578fd8c25ce5ef60dd5786940e90a44f3ff420cc
SHA256

b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e
SHA512

9ae682cf05c361e49778f5fb589c5da00997919ce72ea56a7cf588560557b77e9b93e4ea450ee2dce972c41216a9c51e0b4ba2ffecfde60f00ca579f7939a65d
SSDEEP

98304:A1VVv28GMAMV4nsmtk2aSrJpmPhekGZvQYocMRMh6:ytGLLpt6

Score

10^/10

gh0strat aspackv2 persistence rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

Processes:

resource	yara_rule
C:\Windows\SysWOW64\240595921.bat	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

GLk.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svchist\Parameters\ServiceDll = "C:\\Windows\\system32\\240595921.bat"	GLk.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exeSynaptics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 6 IoCs

Processes:

GLk.exeHD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exeSynaptics.exe._cache_Synaptics.exesvchist.exe

pid	process
1448	GLk.exe
1464	HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
4084	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
2748	Synaptics.exe
64	._cache_Synaptics.exe
20624	svchist.exe

Loads dropped DLL 5 IoCs

Processes:

GLk.exesvchost.exeSynaptics.exesvchist.exe

pid process

1448 GLk.exe
440 svchost.exe
2748 Synaptics.exe
2748 Synaptics.exe
20624 svchist.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe

Drops file in System32 directory 26 IoCs

Processes:

._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe._cache_Synaptics.exeGLk.exesvchost.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WINABC.HLP	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
File created	C:\Windows\SysWOW64\WINABC.IME	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
File opened for modification	C:\Windows\system32\WINABC.HLP	._cache_Synaptics.exe
File opened for modification	C:\Windows\SysWOW64\WINABC.OVL	._cache_Synaptics.exe
File created	C:\Windows\system32\WINABC.CNT	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
File opened for modification	C:\Windows\system32\WINABC.CNT	._cache_Synaptics.exe
File created	C:\Windows\system32\WINABC.OVL	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
File opened for modification	C:\Windows\SysWOW64\WINABC.CWD	._cache_Synaptics.exe
File created	C:\Windows\system32\WINABC.IME	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
File opened for modification	C:\Windows\SysWOW64\WINABC.HLP	._cache_Synaptics.exe
File opened for modification	C:\Windows\SysWOW64\ini.ini	GLk.exe
File opened for modification	C:\Windows\SysWOW64\svchist.exe	svchost.exe
File created	C:\Windows\SysWOW64\WINABC.CWD	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
File created	C:\Windows\system32\WINABC.HLP	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
File created	C:\Windows\SysWOW64\WINABC.CNT	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
File opened for modification	C:\WINDOWS\SysWOW64\WINABC.IME	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
File opened for modification	C:\Windows\SysWOW64\WINABC.IME	._cache_Synaptics.exe
File created	C:\Windows\SysWOW64\240595921.bat	GLk.exe
File created	C:\Windows\SysWOW64\svchist.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\WINABC.CNT	._cache_Synaptics.exe
File opened for modification	C:\WINDOWS\SysWOW64\WINABC.IME	._cache_Synaptics.exe
File opened for modification	C:\Windows\system32\WINABC.OVL	._cache_Synaptics.exe
File created	C:\Windows\system32\WINABC.CWD	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
File created	C:\Windows\SysWOW64\WINABC.OVL	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
File opened for modification	C:\Windows\system32\WINABC.CWD	._cache_Synaptics.exe
File opened for modification	C:\Windows\system32\WINABC.IME	._cache_Synaptics.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 35 IoCs

Processes:

._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe._cache_Synaptics.exe

pid	process
4084	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
4084	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
4084	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
4084	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
4084	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
4084	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
4084	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
4084	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
4084	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
4084	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
4084	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
4084	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
4084	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
4084	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
4084	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
4084	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
4084	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
64	._cache_Synaptics.exe
64	._cache_Synaptics.exe
64	._cache_Synaptics.exe
64	._cache_Synaptics.exe
64	._cache_Synaptics.exe
64	._cache_Synaptics.exe
64	._cache_Synaptics.exe
64	._cache_Synaptics.exe
64	._cache_Synaptics.exe
4084	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
4084	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
4084	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
4084	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
4084	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
4084	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
4084	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
4084	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
4084	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe._cache_Synaptics.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_Synaptics.exe

Modifies registry class 2 IoCs

Processes:

HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exeSynaptics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe

pid	process
3224	b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
3224	b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe._cache_Synaptics.exe

pid	process
3224	b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
3224	b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
4084	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
4084	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
64	._cache_Synaptics.exe
64	._cache_Synaptics.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exeHD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exeSynaptics.exesvchost.exe

description	pid	process	target process
PID 3224 wrote to memory of 1448	3224	b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe	GLk.exe
PID 3224 wrote to memory of 1448	3224	b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe	GLk.exe
PID 3224 wrote to memory of 1448	3224	b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe	GLk.exe
PID 3224 wrote to memory of 1464	3224	b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe	HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
PID 3224 wrote to memory of 1464	3224	b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe	HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
PID 3224 wrote to memory of 1464	3224	b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe	HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
PID 1464 wrote to memory of 4084	1464	HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
PID 1464 wrote to memory of 4084	1464	HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
PID 1464 wrote to memory of 4084	1464	HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe	._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
PID 1464 wrote to memory of 2748	1464	HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe	Synaptics.exe
PID 1464 wrote to memory of 2748	1464	HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe	Synaptics.exe
PID 1464 wrote to memory of 2748	1464	HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe	Synaptics.exe
PID 2748 wrote to memory of 64	2748	Synaptics.exe	._cache_Synaptics.exe
PID 2748 wrote to memory of 64	2748	Synaptics.exe	._cache_Synaptics.exe
PID 2748 wrote to memory of 64	2748	Synaptics.exe	._cache_Synaptics.exe
PID 440 wrote to memory of 20624	440	svchost.exe	svchist.exe
PID 440 wrote to memory of 20624	440	svchost.exe	svchist.exe
PID 440 wrote to memory of 20624	440	svchost.exe	svchist.exe

C:\Users\Admin\AppData\Local\Temp\b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
"C:\Users\Admin\AppData\Local\Temp\b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3224

C:\Users\Admin\AppData\Local\Temp\GLk.exe
C:\Users\Admin\AppData\Local\Temp\\GLk.exe
2⤵
- Sets DLL path for service in the registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1448

C:\Users\Admin\AppData\Local\Temp\HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
C:\Users\Admin\AppData\Local\Temp\\HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1464

C:\Users\Admin\AppData\Local\Temp\._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:4084

C:\ProgramData\Synaptics\Synaptics.exe
"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2748

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:64

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchist"
1⤵
PID:1632

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "svchist"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:440

C:\Windows\SysWOW64\svchist.exe
C:\Windows\system32\svchist.exe "c:\windows\system32\240595921.bat",MainThread
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:20624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\._cache_HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
Filesize
1.6MB

MD5
2b3251d0bebf9f9def96ef04b4069322

SHA1
44d9979dd657ac7038f98cb68e4a68f95190d1d8

SHA256
cdd6df5224a715af8fbcd8fa573ac7957c2632c6eccf1cc2278a08eba450360e

SHA512
f382c2de2c43187c417fbb20238d82fc893592c55c9c1a7883905f5274399457e7d50d491ce07b446bf2b4aa2dacabd39cf15f833fc9d8cc675963c2b3b9dd1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLk.exe
Filesize
337KB

MD5
b8e58a96761799f4ad0548dba39d650c

SHA1
c00032d40cfbe4ccfd3ce3e4c8defb2a2ef9fc1f

SHA256
334e8e7c65b087985766d652f70b710bdba6aea55a2fa17b97ba2961e8eee9df

SHA512
1cd94994ed3f6594e37e6cd1d266ff96bb37c5e99d9ce6fd4637ed615ee8c6496b54a025fdccced6fca200f8f2da8011177c67c943676b30bfb0655393765fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_X.dat
Filesize
1.2MB

MD5
6bc158e1e67fa0f6930651506d553118

SHA1
64418a0c8751adcf869bad8c5ba7314ba9d1e8b6

SHA256
3d97e9c9f64f303878cfa188d5dcf47ce75b5de30e94b02ccffa83ebb4f6908c

SHA512
6338408f2658eb9df8897c94de2a2ac73ed8fa8c3e6484d8d06b17cb24fdf262490db741df8ec7705eb5871663b63257909431fb7224da8a9324216019e96970

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD_b2b932bd02b0f2511db8b5c3b5759dc901ed4ca6446948170ad573fe7df58e9e.exe
Filesize
2.3MB

MD5
5e5b275c606e3c1f6aba6ef699721459

SHA1
36a5222fc094e4b5132c389632d3253fd01f1130

SHA256
0df9cda418c04e4bbbf8efb50fa2be7b02ae72408559b1dfe0efe8c9d08c4b72

SHA512
4be9825d6a7a40e9bb0c7e275b15005c87f4bc54a8c08ad17c73cd2141d505329d2500dface014879f0af0213088aecf73fddf4cd24829b43fe8a809b2838835

Download Submit
C:\Users\Admin\Desktop\MoveStart.exe
Filesize
2.3MB

MD5
8f2942ce1f9c43bb6a24f3b33314331e

SHA1
33163441259c8e9952d121b12f84bd8536cb7f21

SHA256
4bad7215f93256edec2029c3af000fb2461a461a22dddc21ba357dd49d405dea

SHA512
c98c4d09523502692f579f6c7685e7179bd00e25896e4617b1a3d0000febec1f4827e3ad935eac03b6d522cd193577da263f9537c6ab00fa9f8edc7c366ae861

Download Submit
C:\Users\Admin\Desktop\MoveStart.exe
Filesize
3.5MB

MD5
18bbca0158da93a099d8482ab38514b2

SHA1
588d6557bb7c63b7ad6340904dbe970f716dc1a8

SHA256
1c386dcf7684da0a2deb45ad659dff73d74472321acb89a708e80881d17f775b

SHA512
9ca1cd37480c0ee61e319c44b5666471955537fe0a5c1932f045bd85cba0e7e277fedff4b6d64cd7180962b0981ad7bca1b3a3fa14f885bdc65e42e4a34c6779

Download Submit
C:\Windows\SysWOW64\240595921.bat
Filesize
51KB

MD5
f46ddfd4cbcd2928b8c7e63987eefae9

SHA1
381fe18f20fa7b91d68a04c06853621f9d710248

SHA256
c1f507c1534f54270750a1c0cc9309343da9699bb450d13bca2278155fcd02bb

SHA512
de2ab922354047dc2b96decd2d310c6926170821164b3fb027295e5715c082e3c31fd0153988a4b1070a9550b004c078046fde2e1f8ebe53ea52c57e431c026c

Download Submit
C:\Windows\SysWOW64\WINABC.CNT
Filesize
1KB

MD5
6dda1f4625d8d54da52938bc14723347

SHA1
634b03f556b05c7863b64e8bf9964de9ffaa3cd3

SHA256
4ea278e7d4ff35fa9023196f18432ab1451be0d45156ab098e3884a523c0b15b

SHA512
e522c307ef6be163bd8b49ca02e6fe181b340d5f1262acb8e4ce9e7da20d6f88deaa75bbb552e2c239d7c7b366cf4d0757494bd34e231a0467799b3c8edd2970

Download Submit
C:\Windows\SysWOW64\WINABC.CWD
Filesize
279KB

MD5
bbfc567b238c2a1a49e76f3183be2e5f

SHA1
d46f9bcfdcf2be0f2b75e3e591852c07c0f966a8

SHA256
dfc43d699cfd0b7afb3432b77b93bb46fdcb60a9fb519f23f34d72f533a7e947

SHA512
c045dfd061b9ca7b93a209eae2f03c2485dd275ac3cca93c18df5cf292989d57b7b7a62f7abf898c5aa979ac0d6726a139866e4350a811e37e74d25ddb4d05ab

Download Submit
C:\Windows\SysWOW64\WINABC.HLP
Filesize
338KB

MD5
37fb0e0c62ecdf058f6d368cdb70c1ea

SHA1
77b25681c22e0399bb0d7f8c21927966b5a80c96

SHA256
8864f200c309a9fafd3bc3878be7a8581e3379225bfbccba121c986b07338fd6

SHA512
f31f52fac14ee0fef21cbb90df63cd27cef1f8c9fa48ff3faa013c5bc57fc5a2ccada48b9895b0cd2e9da8e66f36b0d69da80d948b1ffbf2f2f8502c15a9eae0

Download Submit
C:\Windows\SysWOW64\WINABC.IME
Filesize
96KB

MD5
34b248ee78201f3f72a648527e2bf945

SHA1
c5e2e01a69981d7084b23959b397f716641eaeb8

SHA256
36589d83c62074584a27c19759d86b4576450141afca34c1f5cb19016c6e7042

SHA512
acf3b6b15b254e9070efbbe66d1293659fb3feb58b9a7fb5ddd9a784e4d43d869cf1e1a40359c580331fd3a0f1254159ede106258af155fe4ba3495712408e74

Download Submit
C:\Windows\SysWOW64\WINABC.OVL
Filesize
75KB

MD5
56e55a412a19397e8e3709fc343ad787

SHA1
138e1707a795fe1e46cb14bf4861902e743e28ef

SHA256
79b3e83313f757245436d8b6d13ac717955c554c46af486167ce3b662e92cd8b

SHA512
16b997bb44324bdb5e5d859acfdf8e8bfa1ce6bd0f3f8dd294e24f4913c1de3d3e0e7224597cabf3e59edd3ee77dc268aa79f117abc8ce7ff892eabbf3c29c2b

Download Submit
C:\Windows\SysWOW64\svchist.exe
Filesize
60KB

MD5
889b99c52a60dd49227c5e485a016679

SHA1
8fa889e456aa646a4d0a4349977430ce5fa5e2d7

SHA256
6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910

SHA512
08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

Download Submit
memory/64-26343-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/64-172-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/64-19158-0x0000000076210000-0x000000007628A000-memory.dmp

Filesize
488KB

Download
memory/64-173-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/64-26372-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/64-26344-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/64-174-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/64-13275-0x0000000077340000-0x0000000077555000-memory.dmp

Filesize
2.1MB

Download
memory/64-17149-0x0000000075BA0000-0x0000000075D40000-memory.dmp

Filesize
1.6MB

Download
memory/1464-18-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/1464-125-0x0000000000400000-0x000000000064F000-memory.dmp

Filesize
2.3MB

Download
memory/2748-26374-0x0000000000400000-0x000000000064F000-memory.dmp

Filesize
2.3MB

Download
memory/2748-26408-0x0000000000400000-0x000000000064F000-memory.dmp

Filesize
2.3MB

Download
memory/2748-26415-0x0000000000400000-0x000000000064F000-memory.dmp

Filesize
2.3MB

Download
memory/4084-6068-0x0000000076210000-0x000000007628A000-memory.dmp

Filesize
488KB

Download
memory/4084-71-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4084-70-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4084-26373-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4084-13253-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4084-64-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4084-13254-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/4084-4059-0x0000000075BA0000-0x0000000075D40000-memory.dmp

Filesize
1.6MB

Download
memory/4084-185-0x0000000077340000-0x0000000077555000-memory.dmp

Filesize
2.1MB

Download