gh0strat | d2a1eaedbaaa1d37a0cf6275ed1ba241437047ea206bf9f92043b31a9082972b

Analysis

max time kernel
124s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 12:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2a1eaedbaaa1d37a0cf6275ed1ba241437047ea206bf9f92043b31a9082972b.exe
Size

2.2MB
MD5

4b516af36eb352798108ae0318dc913a
SHA1

9eb738904e80784b59b0d12743348e45079853dd
SHA256

d2a1eaedbaaa1d37a0cf6275ed1ba241437047ea206bf9f92043b31a9082972b
SHA512

dfd0b23d26398d51af34da23be6bcf77013491a31876ca1bc0216510dd717b8bcaa7ed687aebb87fff04400265555adb3bad7a39f73d052007df14e37ed971b7
SSDEEP

24576:QOvfKVPgFtTRfUxgul41mMa3+O6D6z87l/G+:P3K2fRWOmMa3+O6D6o7l/G+

Score

10^/10

gh0strat discovery execution rat

Malware Config

Signatures

Gh0st RAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/4856-122-0x0000000003650000-0x00000000036CB000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3936	powershell.exe
3632	powershell.exe
2208	powershell.exe
208	powershell.exe
4372	powershell.exe
1112	powershell.exe
2164	powershell.exe
2132	powershell.exe
2344	powershell.exe
2744	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000\Control Panel\International\Geo\Nation	d2a1eaedbaaa1d37a0cf6275ed1ba241437047ea206bf9f92043b31a9082972b.exe

Executes dropped EXE 1 IoCs

pid	Process
4856	21EC2020.exe

Loads dropped DLL 25 IoCs

pid	Process
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	21EC2020.exe
File opened (read-only)	\??\K:	21EC2020.exe
File opened (read-only)	\??\M:	21EC2020.exe
File opened (read-only)	\??\N:	21EC2020.exe
File opened (read-only)	\??\P:	21EC2020.exe
File opened (read-only)	\??\T:	21EC2020.exe
File opened (read-only)	\??\U:	21EC2020.exe
File opened (read-only)	\??\V:	21EC2020.exe
File opened (read-only)	\??\B:	21EC2020.exe
File opened (read-only)	\??\J:	21EC2020.exe
File opened (read-only)	\??\O:	21EC2020.exe
File opened (read-only)	\??\R:	21EC2020.exe
File opened (read-only)	\??\S:	21EC2020.exe
File opened (read-only)	\??\W:	21EC2020.exe
File opened (read-only)	\??\Y:	21EC2020.exe
File opened (read-only)	\??\Z:	21EC2020.exe
File opened (read-only)	\??\H:	21EC2020.exe
File opened (read-only)	\??\I:	21EC2020.exe
File opened (read-only)	\??\L:	21EC2020.exe
File opened (read-only)	\??\Q:	21EC2020.exe
File opened (read-only)	\??\X:	21EC2020.exe
File opened (read-only)	\??\G:	21EC2020.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2a1eaedbaaa1d37a0cf6275ed1ba241437047ea206bf9f92043b31a9082972b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	21EC2020.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	21EC2020.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	21EC2020.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
2344	powershell.exe
2344	powershell.exe
1112	powershell.exe
1112	powershell.exe
2208	powershell.exe
2208	powershell.exe
2132	powershell.exe
2132	powershell.exe
2164	powershell.exe
2164	powershell.exe
3936	powershell.exe
3936	powershell.exe
2744	powershell.exe
2744	powershell.exe
4372	powershell.exe
4372	powershell.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe
4856	21EC2020.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	4372	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	3936	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	3632	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4856	21EC2020.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
444	d2a1eaedbaaa1d37a0cf6275ed1ba241437047ea206bf9f92043b31a9082972b.exe
444	d2a1eaedbaaa1d37a0cf6275ed1ba241437047ea206bf9f92043b31a9082972b.exe
4856	21EC2020.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 444 wrote to memory of 2164	444	d2a1eaedbaaa1d37a0cf6275ed1ba241437047ea206bf9f92043b31a9082972b.exe	108
PID 444 wrote to memory of 2164	444	d2a1eaedbaaa1d37a0cf6275ed1ba241437047ea206bf9f92043b31a9082972b.exe	108
PID 444 wrote to memory of 2164	444	d2a1eaedbaaa1d37a0cf6275ed1ba241437047ea206bf9f92043b31a9082972b.exe	108
PID 444 wrote to memory of 4372	444	d2a1eaedbaaa1d37a0cf6275ed1ba241437047ea206bf9f92043b31a9082972b.exe	110
PID 444 wrote to memory of 4372	444	d2a1eaedbaaa1d37a0cf6275ed1ba241437047ea206bf9f92043b31a9082972b.exe	110
PID 444 wrote to memory of 4372	444	d2a1eaedbaaa1d37a0cf6275ed1ba241437047ea206bf9f92043b31a9082972b.exe	110
PID 444 wrote to memory of 2132	444	d2a1eaedbaaa1d37a0cf6275ed1ba241437047ea206bf9f92043b31a9082972b.exe	112
PID 444 wrote to memory of 2132	444	d2a1eaedbaaa1d37a0cf6275ed1ba241437047ea206bf9f92043b31a9082972b.exe	112
PID 444 wrote to memory of 2132	444	d2a1eaedbaaa1d37a0cf6275ed1ba241437047ea206bf9f92043b31a9082972b.exe	112
PID 444 wrote to memory of 2344	444	d2a1eaedbaaa1d37a0cf6275ed1ba241437047ea206bf9f92043b31a9082972b.exe	114
PID 444 wrote to memory of 2344	444	d2a1eaedbaaa1d37a0cf6275ed1ba241437047ea206bf9f92043b31a9082972b.exe	114
PID 444 wrote to memory of 2344	444	d2a1eaedbaaa1d37a0cf6275ed1ba241437047ea206bf9f92043b31a9082972b.exe	114
PID 444 wrote to memory of 1112	444	d2a1eaedbaaa1d37a0cf6275ed1ba241437047ea206bf9f92043b31a9082972b.exe	115
PID 444 wrote to memory of 1112	444	d2a1eaedbaaa1d37a0cf6275ed1ba241437047ea206bf9f92043b31a9082972b.exe	115
PID 444 wrote to memory of 1112	444	d2a1eaedbaaa1d37a0cf6275ed1ba241437047ea206bf9f92043b31a9082972b.exe	115
PID 444 wrote to memory of 3936	444	d2a1eaedbaaa1d37a0cf6275ed1ba241437047ea206bf9f92043b31a9082972b.exe	118
PID 444 wrote to memory of 3936	444	d2a1eaedbaaa1d37a0cf6275ed1ba241437047ea206bf9f92043b31a9082972b.exe	118
PID 444 wrote to memory of 3936	444	d2a1eaedbaaa1d37a0cf6275ed1ba241437047ea206bf9f92043b31a9082972b.exe	118
PID 444 wrote to memory of 2208	444	d2a1eaedbaaa1d37a0cf6275ed1ba241437047ea206bf9f92043b31a9082972b.exe	119
PID 444 wrote to memory of 2208	444	d2a1eaedbaaa1d37a0cf6275ed1ba241437047ea206bf9f92043b31a9082972b.exe	119
PID 444 wrote to memory of 2208	444	d2a1eaedbaaa1d37a0cf6275ed1ba241437047ea206bf9f92043b31a9082972b.exe	119
PID 444 wrote to memory of 3632	444	d2a1eaedbaaa1d37a0cf6275ed1ba241437047ea206bf9f92043b31a9082972b.exe	120
PID 444 wrote to memory of 3632	444	d2a1eaedbaaa1d37a0cf6275ed1ba241437047ea206bf9f92043b31a9082972b.exe	120
PID 444 wrote to memory of 3632	444	d2a1eaedbaaa1d37a0cf6275ed1ba241437047ea206bf9f92043b31a9082972b.exe	120
PID 444 wrote to memory of 208	444	d2a1eaedbaaa1d37a0cf6275ed1ba241437047ea206bf9f92043b31a9082972b.exe	121
PID 444 wrote to memory of 208	444	d2a1eaedbaaa1d37a0cf6275ed1ba241437047ea206bf9f92043b31a9082972b.exe	121
PID 444 wrote to memory of 208	444	d2a1eaedbaaa1d37a0cf6275ed1ba241437047ea206bf9f92043b31a9082972b.exe	121
PID 444 wrote to memory of 2744	444	d2a1eaedbaaa1d37a0cf6275ed1ba241437047ea206bf9f92043b31a9082972b.exe	126
PID 444 wrote to memory of 2744	444	d2a1eaedbaaa1d37a0cf6275ed1ba241437047ea206bf9f92043b31a9082972b.exe	126
PID 444 wrote to memory of 2744	444	d2a1eaedbaaa1d37a0cf6275ed1ba241437047ea206bf9f92043b31a9082972b.exe	126
PID 444 wrote to memory of 4856	444	d2a1eaedbaaa1d37a0cf6275ed1ba241437047ea206bf9f92043b31a9082972b.exe	128
PID 444 wrote to memory of 4856	444	d2a1eaedbaaa1d37a0cf6275ed1ba241437047ea206bf9f92043b31a9082972b.exe	128
PID 444 wrote to memory of 4856	444	d2a1eaedbaaa1d37a0cf6275ed1ba241437047ea206bf9f92043b31a9082972b.exe	128

C:\Users\Admin\AppData\Local\Temp\d2a1eaedbaaa1d37a0cf6275ed1ba241437047ea206bf9f92043b31a9082972b.exe
"C:\Users\Admin\AppData\Local\Temp\d2a1eaedbaaa1d37a0cf6275ed1ba241437047ea206bf9f92043b31a9082972b.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:444
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-ExecutionPolicy Unrestricted
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2164
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4372
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2132
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1112
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisablePrivacyMode $true
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3936
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2208
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3632
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  PID:208
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Public\00C04FC964FF' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2744
- C:\Users\Public\08002B30309D\21EC2020.exe
  "C:\Users\Public\08002B30309D\21EC2020.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:4856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
e03d3a9e96ae6dbee071f3bbf77b4f98

SHA1
3b104c534a7666859ff786c1e29fd03f0dc9c100

SHA256
183fe219bc796c2f6e20829319934fa116724396b22e57b66a55b6688281cf89

SHA512
1b7aa7448c409502774aa7adf897b1149641afe34af5e4fe7ba0beeb0809620e63d2cb9aed4fd14c176dda64347e92d701b7eec1cb3ed78d17f3de7e79a0a0ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
faa525abd08920a37f326b01c321bce6

SHA1
f291d3887a23078d1fc9272fc5757aa0442959c6

SHA256
a51ba33a7f1e3a35f295c6d4328370235d4e666135e39ed0aab8fd7d2f628994

SHA512
df9f2f542962383e8ec7927b61af38c50e987a0c7f4d51f340e4f543bd4146d5208320478d5ca5c8220133b3d681739fa1c2868f6cea90b11023726c8a08bdda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c2a2ceaa876e9a85b545ff5683d6f198

SHA1
0fa20efc8cb64e1d05785439fa82a046e910a240

SHA256
32eacb773dbe2affbcc7da17e60becc788d14b62d12cdd79c776a65e96758d21

SHA512
a7573271f16472a54ac1c77413ed5f677905fcbcbe37e29b9a60669230b74d1585ac3bb3863a6e2da512209c96322bd8f1c456f657fc346fd4eeda2e8f502ebb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
4e4446c9648c016bbace7d0b7f12ad1f

SHA1
a8ce6ca56aa8560891f7c5cb2dbe8050714a7c37

SHA256
bdd93f6a14fb26d09d04201b673e414d890e54c580e464c3d80c53ab1f731f8f

SHA512
341d98fc5e0549fdc74cd3d202493a25368b38912df4b13701f84c7b6ad36181db410d2b0767e6bf2557fe6aa06258ff62f90a74ec4e44dc575fb3d2775d8a62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
8b610c5ffcb5d2a2c7cd5fd636f9d027

SHA1
e7ce58294135e6fe2c622eeec739b16715cefbbf

SHA256
70efd166e9901c4405765c447e792b233963a64f6e64878003d0e88b2ba086e8

SHA512
569e994fd63727c909041399eaedddfe02b8120a490580efad3a4bb41b1628e19cc4af80376fbdc43d08950354c151fd058186c113409fd51f174b37a131573e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_srkhsvxi.obe.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\08002B30309D\0f40fc17.ppf

Filesize
576KB

MD5
0b4cbc017dd8300e2369dd6d9fe08704

SHA1
8eb5932ecc95bfc931dc1b26c8a8b8c732205e9c

SHA256
bbe25c3ec119ab1101d696b1998ddcc9f6066cbbfa81e90973256c11ad53ebf5

SHA512
21a43095faadc882d8f7fe784532f13bc5e772c84ec2476022838d328b85a48bee3e0f273d25a4e174a77fed266efb44415db2c80cca179daabc4ea63a69d85f

Download Submit
C:\Users\Public\08002B30309D\21EC2020.dat

Filesize
61B

MD5
2205f6c03ab7539345665c7cac92c3a8

SHA1
8c99f860e1770609bfc45d5d2648dd84b864960f

SHA256
d85e6f8deac85918eb0fb59eaa9d27097cd0df6fa83e5b135d980b509d41dbe7

SHA512
f4037fbf56797eb03e403767ee3d033504138be77a06cd1cf6f3d0fb145be505655be49e96aac1c798bb558522e16228a983a58fd2ee0c4bdabd2f9ad0d354ff

Download Submit
C:\Users\Public\08002B30309D\21EC2020.exe

Filesize
346KB

MD5
b575cfefd5c7b14f4743ef2ad74b2736

SHA1
f433813501a7b5b96186bb02fe69ca01580627ed

SHA256
a38708da0db2003a1d14ed1e9d45a9ecb30a6294d472692f804ffb0cea70334b

SHA512
ea912b2589142f1a89ef84e503bf65999beb7aa76d2aa50e1e7edc178bf841debed906fc11da555a004fc715f52fa09baf3a3fe4b42c33e5c9cf811eba676e5e

Download Submit
C:\Users\Public\08002B30309D\Config.ini

Filesize
92B

MD5
e5182d72b06b42c5a104e4057965013f

SHA1
aa1f6a25b921a337fac11c233facc8ad36b755be

SHA256
c49387b35c8aa1e067eb02fa998db4ca13c9e7dde6a5267cb60ab68fb48ff8d3

SHA512
a08850f2b3db8425f4eed0202eb598f9f50dd41c77e444e3d08c009aef5e359ced27349eea63a302f6a3b2c13d27291d634a8b0bbd0b43cd696ce76fb609128a

Download Submit
C:\Users\Public\08002B30309D\DuiLib.dll

Filesize
1.5MB

MD5
a3b393d6604c40c51f9f28533161ab81

SHA1
19480433f1a094f135eff78e4b63c5b47411f333

SHA256
a830e40e43aef4d9d7b7eeb6d94c17cd2cb11be7f3ee8adce2399ec5c0a6049c

SHA512
12c460443ae98c0a57abe98e8d70802367d9fe2a14faf66164a094ffdb10ee6d8a6b41e4c96e58a423218f3653ea56d804ed15614ff6957948025f78389c3313

Download Submit
C:\Users\Public\08002B30309D\MSVCP140.dll

Filesize
438KB

MD5
1fb93933fd087215a3c7b0800e6bb703

SHA1
a78232c352ed06cedd7ca5cd5cb60e61ef8d86fb

SHA256
2db7fd3c9c3c4b67f2d50a5a50e8c69154dc859780dd487c28a4e6ed1af90d01

SHA512
79cd448e44b5607863b3cd0f9c8e1310f7e340559495589c428a24a4ac49beb06502d787824097bb959a1c9cb80672630dac19a405468a0b64db5ebd6493590e

Download Submit
C:\Users\Public\08002B30309D\Plugin.dll

Filesize
271KB

MD5
27378e77fed60b91b9eacef55b10d3a2

SHA1
603050de753ae268e09aca9e37b30ac4e647b6b7

SHA256
553920c1b7dbcabcd18e8a17a3f0b3bd91f3fd2a3375a6163c8e85d441cb8a18

SHA512
95be8277a4ceaf29a2c7bbba6f8e06fb894bb883ff457e08851352dd751375f94c551a78204fc30838aa2c4a6741f49e30bfa6f0b6a6f0287c5d77b0e9ed6c6d

Download Submit
C:\Users\Public\08002B30309D\QKGuide.dll

Filesize
893KB

MD5
057d333133ba16ad86fa644e8b28adf7

SHA1
7542ae74dbcaef4fd60e82937080efa1c2ac954f

SHA256
51d34fdf50a1542a86f2befa3e0f7615832558d29e41cf92c9206b44b67e1350

SHA512
83a61c8da999bdcc3bb47b47d8aeea3fb8605404cda949acb91bb0b7aaba7d1c854f7cf44d8d5ba81d5be5d2c3dfc5babf66f72bf1137c2786b34bd32b853e78

Download Submit
C:\Users\Public\08002B30309D\QKHook.dll

Filesize
24KB

MD5
32f12897dbfad3149821d503013c6a28

SHA1
52fc6755add14e6f6eb2b2f5a20d8022a32c8225

SHA256
93fcab146f4061b93e6566b1846cfefd05dae52afd763fdd261e6a0543436671

SHA512
c0547fb67c4d80e2d2744179c4b21d1e9b8694f53a6c843adc7e28df48b0e56c95c25b6cfc956f440d856add2bfc339b8178c820c28a09250854b5a57587db59

Download Submit
C:\Users\Public\08002B30309D\QKParameterMgr.dll

Filesize
35KB

MD5
1390bc15e3d2b403d962c6c6e9e77fee

SHA1
dab2a8a69cb014c682544c94efc2a9219fd603cc

SHA256
ae1cec46aaa7841b0d4e2dd719272821469be8121b32a60609b1bc3bfd5638d3

SHA512
e794d64bd63b8bbacdd59e8ad1b2b23011f07a8de70217082f56b710cadfec4f4579756eb693ceb9a223933366bb4058d26e7c5867d4c4e67988aa4532cbad5a

Download Submit
C:\Users\Public\08002B30309D\QKPhotoshopMgr.dll

Filesize
551KB

MD5
a1b899fd31bff8b4d87e2edd78006b31

SHA1
199280dabac2c32324c59ec8da76c0126e5710e7

SHA256
09c6a24b0714da6e4bef6ed8070f6986c005cd974c35a4f7a9f406b88ee038b3

SHA512
40d9466ee6ae644c19e9c2f505370ed647379c6d3389a908ad32f24ed0cf6ef95728192a443324fde3a312b1fd31a4eb3ea616881595dac6ee1b4a047b948a17

Download Submit
C:\Users\Public\08002B30309D\QKPlugin.dll

Filesize
307KB

MD5
216c638d1e32032145687d2e3851394a

SHA1
fdcb1cb31625a8023880a716205b29a1b7f71aa2

SHA256
965fd4c884b66a65c7b6800a43f1c6f9a0b5a5766606301494da227a8a80f35e

SHA512
5b50ad6f3a5aa25de08174df90db067676fb13991b93bcadba2698b0e69c096f46892467b1d6f75227825447b9eedbf40f6415d8804115fa3201a43bd7360bd0

Download Submit
C:\Users\Public\08002B30309D\QKRecord.dll

Filesize
353KB

MD5
428f062a15575599e0fcbef2374754a8

SHA1
5dacffd79a14ac1b3b0377885460cc1bf1023810

SHA256
0553c54a2082a89b04bfa0a8373185ffcfa202523e98159a5e20012df1ce99b5

SHA512
492d4c4e35b55abc2f0517aa4fc3235bb88b115d7dc2b666f847f2b100d84b011eb9540675b60d3d68da4de6e49bff7253cd5428c991ac7ae521b73e0eacba27

Download Submit
C:\Users\Public\08002B30309D\QKResource.dll

Filesize
616KB

MD5
e471a8665c05062f45e343b7f89ad319

SHA1
58a98da8295458c073d10622158a6a53a20be534

SHA256
1f75c77513b2554d94c692d6e7a00b674dcec354913159aea7f324062a4fa798

SHA512
f033a1e8044b070a8f2ad4fe97e06f810747988ce5bb269bd6a502b39c24158ce0a150305666b73de74252762371e5d091ed258fc11e94259c78bcaba04dfc46

Download Submit
C:\Users\Public\08002B30309D\alibabacloud-oss-cpp-sdk.dll

Filesize
1.0MB

MD5
0aaeb781e651be69f6d643a72b15c6cb

SHA1
8be4066c628629ffe77254c2cc452aecc1fee8dc

SHA256
e9359d5c42b6767d63525ae73eb194a88c3e68111cee4ec1a2bdbb8ecf530bb9

SHA512
c6f1af6bb30005f8b89951612961ef8db706d39ace2e674cf54a14445fdfcfe8cf8c5762fe04406b9d87154a919cc47e251eaefd9cbd15e00b2ecf471854e6f5

Download Submit
C:\Users\Public\08002B30309D\concrt140.dll

Filesize
243KB

MD5
8651e6272e310d5c64d0c91ca975b029

SHA1
0e2433c8771ac420b5684c79e96eb7e206350757

SHA256
b721897db5542d5b0c970ec624440442ed9ae781e55147feb9ff264f70f66cde

SHA512
d99d049b9ae9f7bcf9e6737b26a90f544a08ff49e06fdc39617b869eb97676024e18ba42e680db255a8a04f323de494dd8e7b706007e9b961c78a64cdf078ff6

Download Submit
C:\Users\Public\08002B30309D\libcurl.dll

Filesize
775KB

MD5
081162013cc03abf2ef0ed5f542242ff

SHA1
441c2805563a69dc3b9b56bf69990eedf103a591

SHA256
238d495fc4475f3850faae6c9d9803ec8bb7ecfc484453df0aeac13cc5ad74f0

SHA512
189cbc68b175e8a9a9a4878e5795690e169809d0a92c12a004fcec4c7186e8c08f9f653ba59667992d8efa05b88f53ba64d10772b90e97627767c74a688ff77a

Download Submit
C:\Users\Public\08002B30309D\libeay32.dll

Filesize
1.2MB

MD5
1707bc560de9c69ae7325b6f63c8ec96

SHA1
d15e908a921cd17fbcfe0000b264d52e8fd413e7

SHA256
648a673ec8504f8255de37996a21895279985e011124e8ff2c7249271d5890cb

SHA512
941b3a76d43626d3d8e369437b83e63689eb3f8ecf90737a2d2df8df1c38e19e02146938af12d0fa9850ba3154ad60d74c5e4b80cae4ff6e3bff9d2583538ad5

Download Submit
C:\Users\Public\08002B30309D\libmysql.dll

Filesize
3.5MB

MD5
fcd72aa6a80b75556057d77b729f17c5

SHA1
8689cd54043136e644c82cb8eae419a5d43289ca

SHA256
6a59443d3a5cf8572e2e80b5987040ddbf2630e14036204a3bf77ce27e02d918

SHA512
e2c7c02ec1b997c3888ce20e8a3ac4c84a4e36a6e1c37aaf1a65983096ba64e60fbe61ca988821a1807872e9bf284cc577938db5957abcb57555321a7e36c7ba

Download Submit
C:\Users\Public\08002B30309D\mfc140u.dll

Filesize
4.8MB

MD5
06f307b7ddb0994b448b9786cf5811b8

SHA1
4d70c5206e84b23916e4c686f430e5dcdc70dfc3

SHA256
dde3c8e9e7d414913a29979798311d095c1b8869ee405a1c3fcbba14da90446d

SHA512
b26bcfca4569ce9fb4b7196c952ce38b0e3a30aeff2e7ac4b2ea1c695c658c1d92029fb7e31ad231e62de8dff2a86ab3821aa1f9d5c944d88b263d88efeca16a

Download Submit
C:\Users\Public\08002B30309D\msc.dll

Filesize
1.7MB

MD5
18d35237d397e8396c30356ddb12dd9c

SHA1
8f86896fd6f884f05c48c3034b7b55b7d9e50a5a

SHA256
1c1f3b6df9347b864ac879ef841196b97ed02f5be941fd490817831889b97b84

SHA512
e2e1e1fdb6e161b28e90236edd0b35d3b91f507161b50615caaaa8f9484946c72ea35298838e1b538e4d2801aff9cece97b89447e78a3dc2ae4fdc962a26c5c3

Download Submit
C:\Users\Public\08002B30309D\opencv_core2413.dll

Filesize
1.9MB

MD5
b83a304b66f3c9799cae2be75bec361b

SHA1
d7ccc4067af699e62f9a7f9001589d3d8c7f4ac6

SHA256
b0f02252f1cee1826f3b193e682344a8d9785e424e8009b60a7700e5c88271c8

SHA512
dfa3dfa9faf6a85af25fa4f12726ec27075053112e9455461e435ff424bff0635bd624c39c2e15f962b4aab3a6374b23024e7d805e0e8f2d54df1f92e7edd6f2

Download Submit
C:\Users\Public\08002B30309D\opencv_highgui2413.dll

Filesize
1.9MB

MD5
f6a0b1bf98161f7231039f6ffceee155

SHA1
7f888d40d50ae85490e2126c9f9a14ce78d4c7d0

SHA256
1ad5b3f2447a6d48e3ade61cbdc4abb0f18f3dbc8b7dcd3b050d60c68197d0df

SHA512
69ea3f74d40a5aecedb5ea120e01a5cd348af9542f16124973b028a3e2965d3d63a804d0bab1bdd4b548e55f8bb21365605b241891993177cfc08608d895764b

Download Submit
C:\Users\Public\08002B30309D\opencv_imgproc2413.dll

Filesize
1.6MB

MD5
27e2d298d6905a73ea98b7a2c4c889c5

SHA1
600eb3e14e20f91c7e9788bf3cde864f9e1bc17c

SHA256
f67e68461b7fa1bdf83b00020affc17c203e5d5fb6d051c00d2654e181115f8f

SHA512
751cceddd052cb3a540b842ed9a69f0842f3c1a5d503555ba990838550b0e784dafc577e0070383af7cfe36bf51a4944b9a9fadfbcfdbcc92ba6deb52ff30f95

Download Submit
C:\Users\Public\08002B30309D\task.dat

Filesize
114B

MD5
1cada2504a645239f5eb4668bbdd9eb8

SHA1
2f5ad9b2a69a750275684327642a6bbb5b1cea51

SHA256
1f58b562491071aba811ef75491ab372d1b88632964d49f7b2281cb71dc5ee18

SHA512
25da333be20f0682efcfd324463441e4b367c20b3605ed5e24200be839415ba44bb1537aeb65a309494a13023921cc00547b43ec14d66ffb91a03ccc4d5bebcb

Download Submit
C:\Users\Public\08002B30309D\vcruntime140.dll

Filesize
78KB

MD5
1b171f9a428c44acf85f89989007c328

SHA1
6f25a874d6cbf8158cb7c491dcedaa81ceaebbae

SHA256
9d02e952396bdff3abfe5654e07b7a713c84268a225e11ed9a3bf338ed1e424c

SHA512
99a06770eea07f36abc4ae0cecb2ae13c3acb362b38b731c3baed045bf76ea6b61efe4089cd2efac27701e9443388322365bdb039cd388987b24d4a43c973bd1

Download Submit
memory/1112-245-0x000000006DCD0000-0x000000006DD1C000-memory.dmp

Filesize
304KB

Download
memory/1112-322-0x0000000007CF0000-0x0000000007CFE000-memory.dmp

Filesize
56KB

Download
memory/1112-319-0x0000000007CC0000-0x0000000007CD1000-memory.dmp

Filesize
68KB

Download
memory/1112-318-0x0000000007D40000-0x0000000007DD6000-memory.dmp

Filesize
600KB

Download
memory/2132-132-0x0000000006220000-0x0000000006286000-memory.dmp

Filesize
408KB

Download
memory/2132-317-0x0000000007C90000-0x0000000007C9A000-memory.dmp

Filesize
40KB

Download
memory/2132-133-0x0000000006290000-0x00000000062F6000-memory.dmp

Filesize
408KB

Download
memory/2132-134-0x0000000006300000-0x0000000006654000-memory.dmp

Filesize
3.3MB

Download
memory/2132-244-0x0000000007920000-0x00000000079C3000-memory.dmp

Filesize
652KB

Download
memory/2132-234-0x0000000006EB0000-0x0000000006ECE000-memory.dmp

Filesize
120KB

Download
memory/2132-223-0x000000006DCD0000-0x000000006DD1C000-memory.dmp

Filesize
304KB

Download
memory/2132-131-0x0000000006180000-0x00000000061A2000-memory.dmp

Filesize
136KB

Download
memory/2132-296-0x0000000008260000-0x00000000088DA000-memory.dmp

Filesize
6.5MB

Download
memory/2132-220-0x00000000068E0000-0x00000000068FE000-memory.dmp

Filesize
120KB

Download
memory/2132-221-0x0000000006900000-0x000000000694C000-memory.dmp

Filesize
304KB

Download
memory/2132-222-0x0000000006ED0000-0x0000000006F02000-memory.dmp

Filesize
200KB

Download
memory/2164-266-0x000000006DCD0000-0x000000006DD1C000-memory.dmp

Filesize
304KB

Download
memory/2208-265-0x000000006DCD0000-0x000000006DD1C000-memory.dmp

Filesize
304KB

Download
memory/2208-323-0x00000000071F0000-0x0000000007204000-memory.dmp

Filesize
80KB

Download
memory/2208-324-0x00000000072F0000-0x000000000730A000-memory.dmp

Filesize
104KB

Download
memory/2208-325-0x00000000072D0000-0x00000000072D8000-memory.dmp

Filesize
32KB

Download
memory/2344-70-0x00000000024B0000-0x00000000024E6000-memory.dmp

Filesize
216KB

Download
memory/2344-233-0x000000006DCD0000-0x000000006DD1C000-memory.dmp

Filesize
304KB

Download
memory/2344-116-0x0000000004FD0000-0x00000000055F8000-memory.dmp

Filesize
6.2MB

Download
memory/2744-295-0x0000000007550000-0x000000000756A000-memory.dmp

Filesize
104KB

Download
memory/2744-255-0x000000006DCD0000-0x000000006DD1C000-memory.dmp

Filesize
304KB

Download
memory/3632-307-0x000000006DCD0000-0x000000006DD1C000-memory.dmp

Filesize
304KB

Download
memory/3936-297-0x000000006DCD0000-0x000000006DD1C000-memory.dmp

Filesize
304KB

Download
memory/4372-285-0x000000006DCD0000-0x000000006DD1C000-memory.dmp

Filesize
304KB

Download
memory/4856-122-0x0000000003650000-0x00000000036CB000-memory.dmp

Filesize
492KB

Download