gh0strat | 55250ffcf517527e1a9da7a2ddc48587bc58d15cbcae1b9869a8a880288ceb13

Analysis

max time kernel
147s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/02/2025, 04:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_31842d7013c9d89f72389ebd80f8eb6a.exe
Size

235KB
MD5

31842d7013c9d89f72389ebd80f8eb6a
SHA1

a0d19957dd904abed634377a790942a7c334dbfa
SHA256

55250ffcf517527e1a9da7a2ddc48587bc58d15cbcae1b9869a8a880288ceb13
SHA512

628d665017c36d5d3eb9a4dfa62a321a00ba71846a7f45a42be7a381fc8e64e863db71048ffce662cf73b6d8f53c9b80aa211aab86cf290bd500f08c749638a1
SSDEEP

6144:SlnRhs9jerKEL4yDT06AoKSGm1egyzZa7kLJJMGB/rr:Su4KIU65L1egy1LJJMi

Score

10^/10

gh0strat bootkit defense_evasion discovery persistence rat

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000600000001942f-26.dat	family_gh0strat
behavioral1/memory/2672-77-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat
behavioral1/memory/2672-94-0x0000000020000000-0x0000000020027000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\fjGleqI9\Parameters\ServiceDll = "C:\\Windows\\system32\\6oVUDN.dll"	ki1FA18.tmp

Deletes itself 1 IoCs

pid	Process
2644	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2772	ki1FA18.tmp
2836	inl2D0.tmp

Loads dropped DLL 7 IoCs

pid	Process
2684	cmd.exe
2684	cmd.exe
708	MsiExec.exe
2672	svchost.exe
708	MsiExec.exe
1528	cmd.exe
1528	cmd.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\6oVUDN.dll	ki1FA18.tmp
File created	C:\Windows\SysWOW64\noqhlpiuxu	svchost.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI955.tmp	msiexec.exe
File created	C:\Windows\Win.ini	ki1FA18.tmp
File created	C:\Windows\Installer\f77035b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f77035b.msi	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\Installer\MSI780.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_31842d7013c9d89f72389ebd80f8eb6a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inl2D0.tmp

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	svchost.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2772	ki1FA18.tmp
2772	ki1FA18.tmp
2772	ki1FA18.tmp
2772	ki1FA18.tmp
2772	ki1FA18.tmp
2656	JaffaCakes118_31842d7013c9d89f72389ebd80f8eb6a.exe
2772	ki1FA18.tmp
2672	svchost.exe
2672	svchost.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeBackupPrivilege	2772	ki1FA18.tmp
Token: SeRestorePrivilege	2772	ki1FA18.tmp
Token: SeShutdownPrivilege	2716	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2716	msiexec.exe
Token: SeRestorePrivilege	2548	msiexec.exe
Token: SeTakeOwnershipPrivilege	2548	msiexec.exe
Token: SeSecurityPrivilege	2548	msiexec.exe
Token: SeCreateTokenPrivilege	2716	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2716	msiexec.exe
Token: SeLockMemoryPrivilege	2716	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2716	msiexec.exe
Token: SeMachineAccountPrivilege	2716	msiexec.exe
Token: SeTcbPrivilege	2716	msiexec.exe
Token: SeSecurityPrivilege	2716	msiexec.exe
Token: SeTakeOwnershipPrivilege	2716	msiexec.exe
Token: SeLoadDriverPrivilege	2716	msiexec.exe
Token: SeSystemProfilePrivilege	2716	msiexec.exe
Token: SeSystemtimePrivilege	2716	msiexec.exe
Token: SeProfSingleProcessPrivilege	2716	msiexec.exe
Token: SeIncBasePriorityPrivilege	2716	msiexec.exe
Token: SeCreatePagefilePrivilege	2716	msiexec.exe
Token: SeCreatePermanentPrivilege	2716	msiexec.exe
Token: SeBackupPrivilege	2716	msiexec.exe
Token: SeRestorePrivilege	2716	msiexec.exe
Token: SeShutdownPrivilege	2716	msiexec.exe
Token: SeDebugPrivilege	2716	msiexec.exe
Token: SeAuditPrivilege	2716	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2716	msiexec.exe
Token: SeChangeNotifyPrivilege	2716	msiexec.exe
Token: SeRemoteShutdownPrivilege	2716	msiexec.exe
Token: SeUndockPrivilege	2716	msiexec.exe
Token: SeSyncAgentPrivilege	2716	msiexec.exe
Token: SeEnableDelegationPrivilege	2716	msiexec.exe
Token: SeManageVolumePrivilege	2716	msiexec.exe
Token: SeImpersonatePrivilege	2716	msiexec.exe
Token: SeCreateGlobalPrivilege	2716	msiexec.exe
Token: SeRestorePrivilege	2548	msiexec.exe
Token: SeTakeOwnershipPrivilege	2548	msiexec.exe
Token: SeIncBasePriorityPrivilege	2656	JaffaCakes118_31842d7013c9d89f72389ebd80f8eb6a.exe
Token: SeRestorePrivilege	2548	msiexec.exe
Token: SeTakeOwnershipPrivilege	2548	msiexec.exe
Token: SeRestorePrivilege	2548	msiexec.exe
Token: SeTakeOwnershipPrivilege	2548	msiexec.exe
Token: SeBackupPrivilege	2672	svchost.exe
Token: SeRestorePrivilege	2672	svchost.exe
Token: SeIncBasePriorityPrivilege	2836	inl2D0.tmp

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2684	2656	JaffaCakes118_31842d7013c9d89f72389ebd80f8eb6a.exe	30
PID 2656 wrote to memory of 2684	2656	JaffaCakes118_31842d7013c9d89f72389ebd80f8eb6a.exe	30
PID 2656 wrote to memory of 2684	2656	JaffaCakes118_31842d7013c9d89f72389ebd80f8eb6a.exe	30
PID 2656 wrote to memory of 2684	2656	JaffaCakes118_31842d7013c9d89f72389ebd80f8eb6a.exe	30
PID 2684 wrote to memory of 2772	2684	cmd.exe	32
PID 2684 wrote to memory of 2772	2684	cmd.exe	32
PID 2684 wrote to memory of 2772	2684	cmd.exe	32
PID 2684 wrote to memory of 2772	2684	cmd.exe	32
PID 2656 wrote to memory of 2716	2656	JaffaCakes118_31842d7013c9d89f72389ebd80f8eb6a.exe	33
PID 2656 wrote to memory of 2716	2656	JaffaCakes118_31842d7013c9d89f72389ebd80f8eb6a.exe	33
PID 2656 wrote to memory of 2716	2656	JaffaCakes118_31842d7013c9d89f72389ebd80f8eb6a.exe	33
PID 2656 wrote to memory of 2716	2656	JaffaCakes118_31842d7013c9d89f72389ebd80f8eb6a.exe	33
PID 2656 wrote to memory of 2716	2656	JaffaCakes118_31842d7013c9d89f72389ebd80f8eb6a.exe	33
PID 2656 wrote to memory of 2716	2656	JaffaCakes118_31842d7013c9d89f72389ebd80f8eb6a.exe	33
PID 2656 wrote to memory of 2716	2656	JaffaCakes118_31842d7013c9d89f72389ebd80f8eb6a.exe	33
PID 2656 wrote to memory of 1528	2656	JaffaCakes118_31842d7013c9d89f72389ebd80f8eb6a.exe	36
PID 2656 wrote to memory of 1528	2656	JaffaCakes118_31842d7013c9d89f72389ebd80f8eb6a.exe	36
PID 2656 wrote to memory of 1528	2656	JaffaCakes118_31842d7013c9d89f72389ebd80f8eb6a.exe	36
PID 2656 wrote to memory of 1528	2656	JaffaCakes118_31842d7013c9d89f72389ebd80f8eb6a.exe	36
PID 2656 wrote to memory of 1692	2656	JaffaCakes118_31842d7013c9d89f72389ebd80f8eb6a.exe	38
PID 2656 wrote to memory of 1692	2656	JaffaCakes118_31842d7013c9d89f72389ebd80f8eb6a.exe	38
PID 2656 wrote to memory of 1692	2656	JaffaCakes118_31842d7013c9d89f72389ebd80f8eb6a.exe	38
PID 2656 wrote to memory of 1692	2656	JaffaCakes118_31842d7013c9d89f72389ebd80f8eb6a.exe	38
PID 2656 wrote to memory of 2644	2656	JaffaCakes118_31842d7013c9d89f72389ebd80f8eb6a.exe	40
PID 2656 wrote to memory of 2644	2656	JaffaCakes118_31842d7013c9d89f72389ebd80f8eb6a.exe	40
PID 2656 wrote to memory of 2644	2656	JaffaCakes118_31842d7013c9d89f72389ebd80f8eb6a.exe	40
PID 2656 wrote to memory of 2644	2656	JaffaCakes118_31842d7013c9d89f72389ebd80f8eb6a.exe	40
PID 1692 wrote to memory of 2608	1692	cmd.exe	42
PID 1692 wrote to memory of 2608	1692	cmd.exe	42
PID 1692 wrote to memory of 2608	1692	cmd.exe	42
PID 1692 wrote to memory of 2608	1692	cmd.exe	42
PID 2548 wrote to memory of 708	2548	msiexec.exe	43
PID 2548 wrote to memory of 708	2548	msiexec.exe	43
PID 2548 wrote to memory of 708	2548	msiexec.exe	43
PID 2548 wrote to memory of 708	2548	msiexec.exe	43
PID 2548 wrote to memory of 708	2548	msiexec.exe	43
PID 2548 wrote to memory of 708	2548	msiexec.exe	43
PID 2548 wrote to memory of 708	2548	msiexec.exe	43
PID 1528 wrote to memory of 2836	1528	cmd.exe	44
PID 1528 wrote to memory of 2836	1528	cmd.exe	44
PID 1528 wrote to memory of 2836	1528	cmd.exe	44
PID 1528 wrote to memory of 2836	1528	cmd.exe	44
PID 2836 wrote to memory of 2236	2836	inl2D0.tmp	46
PID 2836 wrote to memory of 2236	2836	inl2D0.tmp	46
PID 2836 wrote to memory of 2236	2836	inl2D0.tmp	46
PID 2836 wrote to memory of 2236	2836	inl2D0.tmp	46

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_31842d7013c9d89f72389ebd80f8eb6a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_31842d7013c9d89f72389ebd80f8eb6a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\run_kl_file.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Users\Admin\AppData\Local\Temp\ki1FA18.tmp
    C:\Users\Admin\AppData\Local\Temp\ki1FA18.tmp
    3⤵
    - Server Software Component: Terminal Services DLL
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2772
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\insFF75.tmp.msi" /quiet
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2716
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Users\Admin\AppData\Local\Temp\inl2D0.tmp
    C:\Users\Admin\AppData\Local\Temp\inl2D0.tmp cdf1912.tmp
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl2D0.tmp > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\SysWOW64\expand.exe
    expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2608
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2644

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DCA55EA452853C4EC08627055E5313B2
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:708

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k imgsvc
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp

Filesize
768B

MD5
d20d9eda31a2d0300e4589df7f352370

SHA1
79b46d2dbb489914cfedafdbc90e62951471b48e

SHA256
d7a1d6a8cf5c3fbb85cd06147a599f5274630b86b1c89721f10a60c1bbe994d8

SHA512
d28c5b69325a9833776ea362445b77b231a0ec9b9b8b4a2ad37a434ee8b2b0c1903d6ade1e372f73ac8ada951e0a24076cf23d9307d27fed5927f4bf8b0d0a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat

Filesize
56B

MD5
af3aaf96cd6aff70451d192cf3188e02

SHA1
4f532c4d297d305773bd5c914bb786a68b7d6fb7

SHA256
ac8445aff52ab8e9817308a52b2248b5e4533449ae9165abad0128635942b683

SHA512
7ac786b8d4d46eb86770c14a4f9980eaafb6fd97fab7489f6c273c556d2d0cb4ffd02edd2683df64e70d9619d3a572876c83fdd102b3fbecb3934b27cab6bbd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\run_kl_file.bat

Filesize
45B

MD5
ecbe9e5ec81c2d6249527df653eddbdf

SHA1
e91bb244293b31b79bcda781500865b9921fdcaa

SHA256
3290caef6c9ae261806b832d2fb5ea8078227eaca908d95276e57479ac7c363a

SHA512
c0471deeb29a7871c9fa47719ad714cd6b4520f9016eee6d168a15e4321f9c948a673ca869eb653072c887ffe79998f4301474c371921488a87839d7b9c576e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat

Filesize
98B

MD5
8663de6fce9208b795dc913d1a6a3f5b

SHA1
882193f208cf012eaf22eeaa4fef3b67e7c67c15

SHA256
2909ea8555f2fc19097c1070a1da8fcfd6dc6886aa1d99d7e0c05e53feeb5b61

SHA512
9381063e0f85e874be54ae22675393b82c6ab54b223090148e4acbeff6f22393c96c90b83d6538461b695528af01d1f1231cf5dc719f07d6168386974b490688

Download Submit
C:\Windows\Installer\MSI780.tmp

Filesize
48KB

MD5
9067aad412defc0d2888479609041392

SHA1
36cfffc3bafeb24f88ad5886ca5787ca008b6ba9

SHA256
99f4e00b6908057a2fe5067ff6c8b6e32b5c07558ab79139dc4b998f1da4b517

SHA512
e69f259d78b02e6c1a5d9c45898b59372329a5288fff655dd741353f112b2b8eed18b01caa2bf312a91f5e314e1c0b036321b37c8efbebdcf3650ba6b12dee6a

Download Submit
\??\c:\users\admin\appdata\local\temp\favorites_url.cab

Filesize
425B

MD5
da68bc3b7c3525670a04366bc55629f5

SHA1
15fda47ecfead7db8f7aee6ca7570138ba7f1b71

SHA256
73f3605192b676c92649034768378909a19d13883a7ea6f8ba1b096c78ffadb5

SHA512
6fee416affcb6a74621479697bca6f14f5429b00de3aa595abe3c60c6b2e094877b59f8783bbe7bdd567fa565d0630bb02def5603f8f0ea92fe8f2c3ac5383c0

Download Submit
\??\c:\windows\SysWOW64\6ovudn.dll

Filesize
48.1MB

MD5
34942deabb7861d45cc3496063c557d1

SHA1
fa2c44fbdedb0aa260a246120b2fb685ae3e9d46

SHA256
0ad1a88747358972043d14383b6203992afee52b5646be3a2d791cd820790c1c

SHA512
0f12e80c3981c526f1de24f2d20e4c9058d3fc2be84ea12ddc65821565ad79b9dede56185818346e584c235fa6424b0c33a8585c2059f02cd3903cb3e5d1f1cd

Download Submit
memory/2656-0-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2656-10-0x0000000000850000-0x0000000000860000-memory.dmp

Filesize
64KB

Download
memory/2656-1-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2656-51-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2656-50-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2672-94-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2672-90-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2672-77-0x0000000020000000-0x0000000020027000-memory.dmp

Filesize
156KB

Download
memory/2684-18-0x0000000023560000-0x0000000023596000-memory.dmp

Filesize
216KB

Download
memory/2684-20-0x0000000023560000-0x0000000023596000-memory.dmp

Filesize
216KB

Download
memory/2772-55-0x0000000023560000-0x0000000023595BE0-memory.dmp

Filesize
214KB

Download
memory/2772-21-0x0000000023560000-0x0000000023595BE0-memory.dmp

Filesize
214KB

Download
memory/2836-92-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download