gh0strat | 03a109a2f0aa33b78c4b37cb9c7696d76739de81d88e7192f3b88c07a01c74db

Analysis

max time kernel
150s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 13:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
Size

1.8MB
MD5

bbfbed6628ef8c7aee1dc3575e807000
SHA1

e77c0e1a22c82781795e2fd2209774d3137f1617
SHA256

03a109a2f0aa33b78c4b37cb9c7696d76739de81d88e7192f3b88c07a01c74db
SHA512

17a7ae660f584c5db0646de802dfd68f71eac4c08402531e81e104ce21466d75d5bbd1a52120842490bb6bffc529ecd3c58c7ce09056099a8837e62badcf1310
SSDEEP

49152:rWIGAqQ6x8sqK6cKv+Am/jYOU4H7x+jWttcES:rBHWx8TajYOFwj/

Score

10^/10

gh0strat bootkit discovery persistence rat upx

Malware Config

Signatures

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/files/0x000700000002270e-64.dat	family_gh0strat
behavioral2/memory/2672-66-0x0000000010000000-0x0000000010028000-memory.dmp	family_gh0strat
behavioral2/memory/512-67-0x0000000000400000-0x0000000000430000-memory.dmp	family_gh0strat
behavioral2/memory/2672-86-0x0000000010000000-0x0000000010028000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\fastuserswitchingcompatibility\parameters\servicedll = "C:\\PROGRA~3\\APPLIC~1\\Storm\\update\\nmnpy.dll"	svchost.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\fastuserswitchingcompatibility\ImagePath = "%SystemRoot%\\System32\\svchost.exe -k netsvcs"	svchost.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00070000000234d6-46.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
512	ls.exe

Loads dropped DLL 12 IoCs

pid	Process
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
2672	svchost.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1908-0-0x0000000000400000-0x00000000005ED000-memory.dmp	upx
behavioral2/memory/1908-1-0x0000000000400000-0x00000000005ED000-memory.dmp	upx
behavioral2/files/0x00070000000234d6-46.dat	upx
behavioral2/memory/1908-56-0x0000000002C50000-0x0000000002C8D000-memory.dmp	upx
behavioral2/memory/1908-55-0x0000000002C50000-0x0000000002C8D000-memory.dmp	upx
behavioral2/memory/1908-53-0x0000000002C50000-0x0000000002C8D000-memory.dmp	upx
behavioral2/memory/1908-51-0x0000000002C50000-0x0000000002C8D000-memory.dmp	upx
behavioral2/memory/1908-50-0x0000000002C50000-0x0000000002C8D000-memory.dmp	upx
behavioral2/memory/1908-68-0x0000000000400000-0x00000000005ED000-memory.dmp	upx
behavioral2/memory/1908-69-0x0000000002C50000-0x0000000002C8D000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\superec0d9yw.sys	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\d2f5ca0e.del	ls.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~3\APPLIC~1\Storm\update\nmnpy.dll	ls.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\WINDOWS\ls.exe	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ls.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
512	ls.exe
512	ls.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeBackupPrivilege	512	ls.exe
Token: SeRestorePrivilege	512	ls.exe
Token: SeBackupPrivilege	2672	svchost.exe
Token: SeSecurityPrivilege	2672	svchost.exe
Token: SeSecurityPrivilege	2672	svchost.exe
Token: SeBackupPrivilege	2672	svchost.exe
Token: SeSecurityPrivilege	2672	svchost.exe
Token: SeBackupPrivilege	2672	svchost.exe
Token: SeSecurityPrivilege	2672	svchost.exe

Suspicious use of SetWindowsHookEx 59 IoCs

pid	Process
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 512	1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe	86
PID 1908 wrote to memory of 512	1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe	86
PID 1908 wrote to memory of 512	1908	bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bbfbed6628ef8c7aee1dc3575e807000_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1908
- C:\WINDOWS\ls.exe
  C:\WINDOWS\ls.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:512

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s fastuserswitchingcompatibility
1⤵
- Server Software Component: Terminal Services DLL
- Sets service image path in registry
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E_N4\ESpeechEngine.fne

Filesize
176KB

MD5
60187d963dbd1066fbdab69c18043712

SHA1
0e37b2f54c48a9559358587fbdd909c76c1ed1cb

SHA256
379e6233c6d6f07b70b8d6c89037822b0521e260c94fe9f041af6424540308bc

SHA512
faa405283152bfd78db0aec5938370e40f1265704f0090f669c2e595a96f4e108045ee572c3c1d300a0476dc3d8a28d5131be032b41845ac31a516b4af38116c

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\PBShell.fne

Filesize
36KB

MD5
ae663d23828e2c0873fb294a8a2a21d1

SHA1
2edd95515215170f2e5dc2428ac631b5aa2ab681

SHA256
21970bccf9c8dd23cbf36b5f5bca9e6bc32335bcfb5e19d2f97a1b2ee2eefa96

SHA512
70225619899266d7a307f6eeab2f4c709f48b66c57a2266143c787b984209d454634daaaf9165025e850fc3de8e10a968b900c80d89389ef848551b0701ef311

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\eNetIntercept.fne

Filesize
156KB

MD5
ca08022deda03a89eb0f3232b265bca6

SHA1
29a3585b6c524a28fd272214691b65a48b7027b1

SHA256
00a98605d8ee60639c8de56862a50f1adf3f83e265ab636f98c017b719b013bf

SHA512
65587c3c0a3d0feaf1aa7c676626ae0a8bd158595af4e855cf7588ef8a831903350a756dd2f8010dda10173abdb1418751e92c509c6b74a3b829465ab5030c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\iext.fnr

Filesize
216KB

MD5
cba933625bfa502fc4a1d9f34e1e4473

SHA1
5319194388c0e53321f99f1541b97af191999a09

SHA256
25549c7781b3f1b92e73b0ea721d177207cce914a66f3229a71291f2eb160013

SHA512
f5fb4b97c4f68a20e0847e6528740ce659c4501726f3b2dff1ac83e88a3b7198099da03edb0f069cd4af7ed568a2373597b235cd239895addfa5226d3a444142

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
1.1MB

MD5
638e737b2293cf7b1f14c0b4fb1f3289

SHA1
f8e2223348433b992a8c42c4a7a9fb4b5c1158bc

SHA256
baad4798c3ab24dec8f0ac3cde48e2fee2e2dffa60d2b2497cd295cd6319fd5b

SHA512
4d714a0980238c49af10376ff26ec9e6415e7057925b32ec1c24780c3671047ac5b5670e46c1c6cf9f160519be8f37e1e57f05c30c6c4bda3b275b143aa0bf12

Download Submit
C:\Users\Admin\AppData\Local\Temp\SkinH_EL.dll

Filesize
86KB

MD5
147127382e001f495d1842ee7a9e7912

SHA1
92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b

SHA256
edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc

SHA512
97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d

Download Submit
C:\WINDOWS\ls.exe

Filesize
188KB

MD5
07bb3f83b423098af18b278fb27e30e8

SHA1
342c16f8fb15ab08b81caae45bb07a2c2e46df9c

SHA256
e34e2e66ad58085be12331af700e233529048a3698a0f9a4d4ca3c0a3ae61222

SHA512
19839f9c41edd667c397b2983939086ac85957ca12afd08c8a3b06797dcc19dc86d6c4df3acb33b17a199ee4a1e48d44311c81e8e31222158964009299b0df68

Download Submit
\??\c:\progra~3\applic~1\storm\update\nmnpy.dll

Filesize
152KB

MD5
c9aceea91f08cf0c3f5a176b3a28bd3d

SHA1
c6c648ebd2f84a62fca6250b6e700fde0e436d4b

SHA256
6e06cc0b8151b8e253ebd4b6d87b59395ba5251f18cd61180578a592cbabf606

SHA512
d6b7043054eac45e622f465a7ea60d51a5ebd63321f68bd6e83b191f364ba8767c0bfd614fb2b99cdee8411b4595940fef947a02c3b71c1f8814b588d6c7e165

Download Submit
memory/512-67-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/512-61-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1908-53-0x0000000002C50000-0x0000000002C8D000-memory.dmp

Filesize
244KB

Download
memory/1908-25-0x0000000002800000-0x000000000282F000-memory.dmp

Filesize
188KB

Download
memory/1908-56-0x0000000002C50000-0x0000000002C8D000-memory.dmp

Filesize
244KB

Download
memory/1908-55-0x0000000002C50000-0x0000000002C8D000-memory.dmp

Filesize
244KB

Download
memory/1908-0-0x0000000000400000-0x00000000005ED000-memory.dmp

Filesize
1.9MB

Download
memory/1908-52-0x0000000002C59000-0x0000000002C5A000-memory.dmp

Filesize
4KB

Download
memory/1908-51-0x0000000002C50000-0x0000000002C8D000-memory.dmp

Filesize
244KB

Download
memory/1908-50-0x0000000002C50000-0x0000000002C8D000-memory.dmp

Filesize
244KB

Download
memory/1908-32-0x0000000002A90000-0x0000000002AD4000-memory.dmp

Filesize
272KB

Download
memory/1908-39-0x0000000002B00000-0x0000000002B0C000-memory.dmp

Filesize
48KB

Download
memory/1908-18-0x00000000025A0000-0x00000000025CA000-memory.dmp

Filesize
168KB

Download
memory/1908-97-0x0000000002B00000-0x0000000002B0C000-memory.dmp

Filesize
48KB

Download
memory/1908-1-0x0000000000400000-0x00000000005ED000-memory.dmp

Filesize
1.9MB

Download
memory/1908-68-0x0000000000400000-0x00000000005ED000-memory.dmp

Filesize
1.9MB

Download
memory/1908-69-0x0000000002C50000-0x0000000002C8D000-memory.dmp

Filesize
244KB

Download
memory/1908-70-0x0000000002B00000-0x0000000002B0C000-memory.dmp

Filesize
48KB

Download
memory/1908-74-0x0000000002B00000-0x0000000002B0C000-memory.dmp

Filesize
48KB

Download
memory/2672-86-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download
memory/2672-66-0x0000000010000000-0x0000000010028000-memory.dmp

Filesize
160KB

Download