Analysis
- max time kernel: 147s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 04/03/2025, 13:07
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_4d8741d0d693d12776df6f016fed1e2c.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_4d8741d0d693d12776df6f016fed1e2c.exe
- Resource: win10v2004-20250217-en
General
- Target: JaffaCakes118_4d8741d0d693d12776df6f016fed1e2c.exe
- Size: 235KB
- MD5: 4d8741d0d693d12776df6f016fed1e2c
- SHA1: 6c1c6390058026edc33b7d697e6c42dcfac38ab0
- SHA256: 1af33e2306b5a289bf96deea6551f1aacce51ef83b5817e8453927549fcee616
- SHA512: f9e3f7adcab76e8c694d5ecdd0aa61df3347a41019a64934b74f16b2cef02f93ca72690f77c72d5ca58637916174ddace89ed3161f07e0ec09cec6164a09bd20
- SSDEEP: 6144:SlnRhs9jerKEL4yDT06AoKSGm1egyzZa7kLJJMGB/rN:Su4KIU65L1egy1LJJMo
Malware Config
Signatures
Gh0st RAT payload 3 IoCs
resource | yara_rule
behavioral1/files/0x000600000001878d-26.dat | family_gh0strat
behavioral1/memory/3044-64-0x0000000020000000-0x0000000020027000-memory.dmp | family_gh0strat
behavioral1/memory/3044-95-0x0000000020000000-0x0000000020027000-memory.dmp | family_gh0strat
Gh0strat family
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\V1Tb9s3y\Parameters\ServiceDll = "C:\\Windows\\system32\\6oVUDN.dll" | ki1CCA2.tmp
Deletes itself 1 IoCs
pid | Process
2292 | cmd.exe
Executes dropped EXE 2 IoCs
pid | Process
2384 | ki1CCA2.tmp
2948 | inlD4AF.tmp
Loads dropped DLL 7 IoCs
pid | Process
3016 | cmd.exe
3016 | cmd.exe
2392 | MsiExec.exe
3044 | svchost.exe
2392 | MsiExec.exe
1700 | cmd.exe
1700 | cmd.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | svchost.exe
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\6oVUDN.dll | ki1CCA2.tmp
File created | C:\Windows\SysWOW64\emdnavdwtp | svchost.exe
Drops file in Windows directory 7 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Logs\DPX\setupact.log | expand.exe
File opened for modification | C:\Windows\Logs\DPX\setuperr.log | expand.exe
File created | C:\Windows\Win.ini | ki1CCA2.tmp
File created | C:\Windows\Installer\f76d614.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\f76d614.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSID8E1.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSID9CC.tmp | msiexec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | expand.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | inlD4AF.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_4d8741d0d693d12776df6f016fed1e2c.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | svchost.exe
Modifies data under HKEY_USERS 6 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7" | svchost.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid | Process
2384 | ki1CCA2.tmp
2384 | ki1CCA2.tmp
2384 | ki1CCA2.tmp
2384 | ki1CCA2.tmp
2384 | ki1CCA2.tmp
2204 | JaffaCakes118_4d8741d0d693d12776df6f016fed1e2c.exe
2384 | ki1CCA2.tmp
3044 | svchost.exe
3044 | svchost.exe
Suspicious use of AdjustPrivilegeToken 46 IoCs
Suspicious use of WriteProcessMemory 46 IoCs
Processes
Image: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4d8741d0d693d12776df6f016fed1e2c.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4d8741d0d693d12776df6f016fed1e2c.exe"
PID: 2204
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\run_kl_file.bat" "
  PID: 3016
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    Image: C:\Users\Admin\AppData\Local\Temp\ki1CCA2.tmp
    Command line: C:\Users\Admin\AppData\Local\Temp\ki1CCA2.tmp
    PID: 2384
    - Server Software Component: Terminal Services DLL
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  Image: C:\Windows\SysWOW64\msiexec.exe
  Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\insD1E0.tmp.msi" /quiet
  PID: 2808
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken

  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\run_dws_file.bat" "
  PID: 1700
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    Image: C:\Users\Admin\AppData\Local\Temp\inlD4AF.tmp
    Command line: C:\Users\Admin\AppData\Local\Temp\inlD4AF.tmp cdf1912.tmp
    PID: 2948
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

      Image: C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlD4AF.tmp > nul
      PID: 2664
      - System Location Discovery: System Language Discovery

  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp_ext_favurl_cab.bat" "
  PID: 2632
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    Image: C:\Windows\SysWOW64\expand.exe
    Command line: expand.exe "C:\Users\Admin\AppData\Local\Temp\favorites_url.cab" -F:*.* "C:\Users\Admin\Favorites"
    PID: 2960
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery

  Image: C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE > nul
  PID: 2292
  - Deletes itself
  - System Location Discovery: System Language Discovery

Image: C:\Windows\SysWOW64\svchost.exe
Command line: C:\Windows\SysWOW64\svchost.exe -k imgsvc
PID: 3044
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken

Image: C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
PID: 2860
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  Image: C:\Windows\syswow64\MsiExec.exe
  Command line: C:\Windows\syswow64\MsiExec.exe -Embedding C7C0A3DB8E8122E151D0864381A5A452
  PID: 2392
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery

Network
MITRE ATT&CK Enterprise v15
Persistence
- Pre-OS Boot (1)
  - Bootkit (1)
- Server Software Component (1)
  - Terminal Services DLL (1)
Defense Evasion
- Indicator Removal (1)
  - File Deletion (1)
- Pre-OS Boot (1)
  - Bootkit (1)
Downloads