Analysis of Ramsay components of Darkhotel's infiltration and isolation network

Archived: 2026-04-05 22:05:07 UTC

1 Overview

Antiy CERT discovered recent threat activity by the APT organization Darkhotel on April 20, 2020, and has continued to follow up on the analysis. The analysis of the Ramsay component used in this penetration of isolated networks, and of its association with the Darkhotel organization, is now published.

The Darkhotel organization is an actor with a national background and broad capabilities, also known as Dubnium, Nemim, Tapaoux, APT-C-06, T-APT-02 and other names. It was first disclosed by Kaspersky on August 10, 2015. Its active target countries so far have been China, North Korea, India, and Japan. In previous attacks it has used hijacked WiFi to deliver bait, spear phishing emails, 0day and nday exploits, abuse of digital signatures, abuse of legitimate ("white") programs, and infection of USB disk files to bridge physical isolation, among other techniques.

In this incident, the Darkhotel organization's strategy is to bundle malicious code with legitimate applications. Previous disclosures about the organization took this bundling to be a disguise for malicious code, belonging to the initial delivery stage of ATT&CK. In fact, judging from the recently captured Ramsay component sample, the malicious code bundled with the legitimate application is an infected file rather than a fake decoy. It belongs to the ATT&CK lateral movement stage inside the intranet and is mainly used to spread malicious code on the isolated network.
There are four reasons for concluding that this Darkhotel penetration activity targets an isolated network. First, assuming anti-virus software is deployed on the target terminal, the file infection method is easy to detect, yet hunting for active samples turned up no further samples, indicating that the Darkhotel activity is limited to specific targets. Second, most application installation packages in office scenarios come from shared-disk downloads or trusted sharing between colleagues; in an isolated network scenario in particular, downloading from the application's official website is impossible. Third, in earlier Darkhotel disclosures, missing components were downloaded through PowerShell, but the analysis of this Darkhotel activity shows no network requests or download behavior. Fourth, this Darkhotel activity is not based on a network-protocol C2 but on custom file-transfer control instructions: when Ramsay scans an infected document brought into the isolated network environment, it reads the embedded instruction and executes the corresponding payload object, which spreads on the isolated network as an attack weapon. Through correlation analysis, the payload of Darkhotel's initial delivery phase was also captured.

https://www.programmersought.com/article/62493896999/ Page 1 of 36

Figure 1-1 The ATT&CK mapping of the Darkhotel organization's Ramsay component penetration

The operation involves 28 technical points in 10 stages. The specific technical behaviors are described in the following table.

Table 1-1 Description of the specific technical behavior of the Darkhotel organization's Ramsay component penetration

2 Malicious code analysis

2.1 Analysis of infected software

The time stamp of the infected software is March 4, 2020. It is disguised as an installation package of the well-known compression software 7Zip.
Considering the Trojan's PE infection mechanism, this bait is most likely a normal 7Zip installation package from the victim's network that was infected by Ramsay v2, not the initial bait.

Figure 2-1 Infected software icon

The release principle of the Ramsay v2 Trojan is as follows. The Installer structure is responsible for locating the 4 special signs inside the bait itself, extracting the included normal 7Zip runner, the Dropper and the normal 7Zip installation package, releasing them to a temporary directory and running them:

Figure 2-2 Schematic diagram of the decoy installation package

The normal 7Zip runner is responsible for running the normal 7Zip installation package, so that an interactive installation interface pops up in the foreground.

Figure 2-3 The normal 7Zip installation interface pops up

The Dropper is responsible for releasing the subsequent series of functional components. After the Dropper runs, it checks whether the "%APPDATA%\Microsoft\UserSetting\" directory needs to be created, then checks whether its command-line parameter is "gQ9VOe5m8zP6", and only then starts to release the functional components. The Dropper's release method differs from that of the 7Zip decoy and is more direct: starting from a specified offset within the Dropper itself, it reads a specified number of bytes, changes the first two bytes back to the MZ header, and writes the result to the specified location. The included components are listed below; which ones are released depends on the system environment:

Table 2-1 Each functional component

The core functional components are described below.

"bindsvc.exe" component

This component is responsible for infecting EXE programs on non-system disks and on intranet network shares, waiting for the attack target to carry them into the isolated network.
The infection result has the same file structure as the 7Zip decoy above, but the normal software at the end is replaced with each infected program. The specific process is detailed in Chapter 3.

"msfte.dll" component

This component comes in 32-bit and 64-bit versions. The attacker named it internally "Ramsay".

Operation mode: "msfte.dll" hijacks the system service "WSearch" from the system32 directory, and is loaded and run with SYSTEM permission by the system program "SearchSystemHost.exe". Its main functions are divided by exported function into DllEntryPoint(), AccessDebugTracer() and AccessRetailTracer():

2.1.1 Export function: DllEntryPoint()

1. Obtain the local hardware GUID.

2. Release the script "%APPDATA%\Microsoft\Word\winword.vbs" to extract plain text from the user's recent Word documents.

Figure 2-4 Extracting text from the user's recent Word documents

3. Steal the user's recent documents: release the official WinRAR program and encrypt and package the shortcuts of the user's recent files, %APPDATA%\Microsoft\Windows\Recent\*.lnk (shortcuts for files recently accessed by the user). The packaging password is: PleaseTakeOut6031416!!@@##

4. Check whether it is running inside the process "HYON.exe", "BON.exe" or "Cover.exe"; which software these correspond to has not been determined. The attacker also gave the "msfte.dll" component the internal name "Ramsay", with internal version v8.

Figure 2-5 The internal name of the "msfte.dll" component

5. Command control based on custom file-transfer control instructions, see Chapter 3.

2.1.2 Export functions: AccessDebugTracer() and AccessRetailTracer()

1. Inject itself into the explorer.exe process.

2. Write its own version number to "%APPDATA%\Microsoft\UserSetting\version.ini"; in this case the version is 8.

3. Collect system information, including system version, process list, network connections, network configuration, routing information, ARP table, the process that loaded msfte.dll, network shares, the result of pinging the "server" host (which normally does not exist), and the result of calling the hfile.sys system service. This information is encrypted and saved to a .rtt file in the "%APPDATA%\Microsoft\UserSetting\MediaCache\" directory.

Figure 2-6 Collecting system information

4. Collect document files with the suffixes ".txt", ".doc" and ".xls" in the Internet cache directory of the IE browser: "%USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\"

5. Collect information about each disk, including directory and file lists, disk names, total space, and remaining space. Drive letters A to Z are enumerated to collect the information of existing disks. A window named "lua" is created, and its lpfnWndProc function collects information whenever an external removable storage device is connected:

Figure 2-7 Collecting information about external removable storage devices

6. Intranet CVE-2017-0147 vulnerability scan: CVE-2017-0147 is a Windows SMB information disclosure vulnerability from the well-known "Eternal" series. Here the attacker sends a specially crafted packet to Microsoft Server Message Block 1.0 (SMBv1) services on the intranet and only checks whether the vulnerability exists, without exploiting it:

Figure 2-8 Sending a vulnerability scan packet to determine whether the vulnerability is present

7. Intranet shared directory scanning. Information collection: collect sub-directory and file lists, disk names, total space and remaining space of intranet network shares. File collection: collect document files with the suffixes ".txt", ".doc" and ".xls" in the network shares.

8. Load the DLL named "netmgr_%d.dll" from the "%SystemRoot%\System32\Identities\" directory, where %d takes the values 1 to 9.
The DLL is released from hidden data delivered by the attacker (see Chapter 3, Ramsay's communication method based on file transfer); no instance of it has been obtained so far:

Figure 2-9 Loading netmgr_%d.dll

2.2 Analysis of vulnerability exploitation documents

The exploit document entered the target's internal network through spear phishing emails. It dropped VBS scripts in succession through the vulnerabilities CVE-2017-0199 and CVE-2017-8570, and added registry entries to establish persistence. The attacker concealed a PE file in a picture, loaded and ran it through the VBS script, and used an open source tool to bypass UAC. Its main function is to collect the victim's system information and information about external removable storage devices.

The Ramsay v1 sample does not have the function of infecting normal files, but it already implements the custom file-transfer control commands and exfiltration. Overall, the main purpose of this exploit document is to probe the target network environment.

The text of the decoy document "accept.docx" is blank, and its last save time is May 2, 2019, earlier than the infected software bait. The metadata includes the Korean word "제목", which means "title":

Figure 2-10 The metadata of the decoy document contains Korean

The document exploits the CVE-2017-0199 vulnerability; when triggered, it opens the embedded CVE-2017-8570 exploit document "afchunk.rtf". "afchunk.rtf" executes the released SCT script OfficeTemporary.sct. OfficeTemporary.sct is responsible for releasing and executing the VBS script %ALLUSERSPROFILE%\slmgr.vbs. slmgr.vbs first adds itself to the Run key of the registry to start at boot:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\slmgr, %ALLUSERSPROFILE%\slmgr.vbs

It then extracts the image file "image1.jpeg" contained in the document.
It locates the special marker in the picture data, decodes the steganographic PE data that follows it, releases a randomly named .exe in the %ALLUSERSPROFILE% directory and runs it.

Figure 2-11 Special marker and PE data attached to the picture

The complete process is as follows:

Figure 2-12 Document decoy execution process

In-depth analysis shows that the released randomly named .exe is an earlier version of the Dropper released by the software decoy above. The two share many important pieces of function code, for example:

· After running, it first checks whether its own parameter is "gQ9VOe5m8zP6".
· It runs a set of CMD commands to collect system information.
· It collects information on local and external removable storage devices.
· It loads the "netmgr_%d.dll" delivered by the attacker, where %d takes the values 1 to 9.
· It steals shortcuts to the user's recent files.
· It releases open source scripts to extract plain text from the user's recent Word documents.
· It uses the open source UACME component to bypass UAC.
· Command control is based on file transfer; the instructions and functions are the same.

The differences of this Dropper are as follows:

· It has fewer functional components:

Table 2-2 Functional components

· It captures the screen every 30 seconds.
· When an external removable storage device is connected, in addition to collecting information, it also captures the screen at that moment.
· The password for RAR packaging is PleaseTakeOut!@#
· Command control is based on custom file-transfer control instructions, see Chapter 3.

3 Conjecture on breaking through the isolated network

3.1 Conjecture on breaking through the isolated network

The conjecture about how the attacker breaks through the target's isolated network is based on the threat behavior of the malicious code's functions, rather than on temporal or spatial correlation of the malicious code.
Darkhotel's activities are limited to specific targets. From the USB data collected by the Ramsay v1 Trojan during its operation, the attacker found that the target has an isolated network. Because a C2 based on a network protocol cannot reach the isolated network, the attacker had to develop an infection program for it. On the other hand, since ordinary document files carried out of the isolated network on removable devices are not classified, the attacker chose to scan as many documents inside the isolated network as possible; attaching stolen data to ordinary infected documents greatly increases the chance that important information will be carried out on a mobile device. At the same time, the attacker kept the Ramsay v2 Trojan on the isolated network to keep scanning documents; once a document brought into the isolated network environment was found, it read the embedded instruction and executed the payload object corresponding to that instruction.

The complete process of the custom file-transfer control instructions:

The attacker's current position may be on the target's intranet, where a certain number of machines and files on shared directories can be controlled.

Step 1. Infect a normal EXE file and have it executed on a machine that the victim carries into the isolated network.

Step 2. Stolen data from the compromised machine in the isolated network is attached to the end of a normal Word document;
1) Word documents carrying stolen data are carried by victims out of the isolated network;
2) The attacker finds these Word documents and reads the attached stolen data;

Step 3. The attacker infects new Word documents, attaching commands and execution objects.
1) The Word document is carried by the victim into the isolated network;
2) The attached commands and execution objects are executed on the machine already compromised in the isolated network;
3) The log of the execution result is carried out of the isolated network as in Step 2.

Figure 3-1 Flowchart of the conjectured breakthrough

3.2 Code analysis of breaking through the isolated network

The attacker's means of breaking through the isolated network is to infect EXE files on local non-system disks and on intranet shared directories (especially on removable storage devices), forming a new bait with the same structure as the 7Zip software bait, in the hope that the attack target will carry it into the isolated network environment on the mobile storage device and run it.

Figure 3-2 Normal EXE file infection process

The structural template of a completed infection is shown in the figure below. The special sign "9J7uQTqgTxhqHaGUue5caaEr3KU" at the end of the file marks completion and avoids repeated infection.

Figure 3-3 Structure template after infection

Communication method: based on file-transfer control instructions

The attacker chose to transfer data through office files to break through network isolation. We suspect this is based on the office habits of the attack target, which frequently carries document files in and out of the isolated network. The specific implementation of the communication can be divided into the 2019 version and the 2020 version. Taking the 2019 version as an example:

Incoming instructions and execution objects: The attacker can infect .doc and .docx documents on the victim's hosts outside the isolated network, appending instructions and data to the tail to form the structure shown in the figure below.
Once the attack target carries the infected document to a compromised machine in the isolated network, the appended data is read and executed by the Ramsay component.

Figure 3-4 Structure of the appended instruction data

The custom file-transfer control instructions are as follows:

Table 3-1 Accepted commands and functions

After the instruction is completed, the appended data is deleted and the infected file is restored.

Exfiltration of stolen data: This stage takes place on infected machines in the isolated network. The steps are as follows:

Step 1: Search for local .doc and .docx documents that were created or last accessed within the last month.
Step 2: Encrypt and pack the folder storing the stolen data with RAR; the password is PleaseTakeOut!@#
Step 3: The RAR archive is subjected to another round of custom encryption.
Step 4: Append data to the end of the .doc or .docx document: the Magic marker, the local hardware GUID, and the encrypted packaged data. Since the same document may be infected multiple times, there may be several such appended blocks at the end.

Figure 3-5 Structure of the appended stolen data

Step 5 (conjecture): Wait for the victim to carry this batch of data-carrying documents from the isolated network to a host or shared directory that the attacker has already compromised.
Step 6 (conjecture): Based on the fixed Magic value, the attacker periodically searches for files on the compromised host or shared directory, finds this batch of documents, and extracts the victim host's GUID and the secret data attached to the tail, completing the exfiltration.
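The two file-level artifacts this chapter describes, the infection marker at the end of an EXE and the data block appended behind a .doc or .docx, are exactly what a defender can hunt for on a file share or a removable disk before it moves between networks. The scanner below is an added example written for this page, not code from the Antiy report or from Ramsay itself; the sample files it builds are constructed, the Magic value (shown in the report only as a figure) is a placeholder, and the OLE sector-size check for legacy .doc files is a heuristic assumption.

```python
import io
import struct
import zipfile

# Marker that, per the report, Ramsay v2 (bindsvc.exe) writes at the very end
# of an EXE it has infected so that the file is not infected a second time.
RAMSAY_INFECTION_MARKER = b"9J7uQTqgTxhqHaGUue5caaEr3KU"

ZIP_EOCD_SIG = b"PK\x05\x06"   # ZIP end-of-central-directory signature
ZIP_CD_SIG = b"PK\x01\x02"     # ZIP central-directory file header signature
ZIP_EOCD_LEN = 22              # fixed part of the EOCD record
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def pe_has_ramsay_marker(data: bytes) -> bool:
    """Infected-EXE check: a PE image whose last bytes are the Ramsay marker."""
    return data[:2] == b"MZ" and data.endswith(RAMSAY_INFECTION_MARKER)


def zip_trailing_bytes(data: bytes) -> int:
    """Bytes after the ZIP end-of-central-directory record (0 = clean).
    A .docx is a ZIP container, so an instruction block or a Magic + GUID +
    encrypted-RAR block appended by Ramsay shows up here; Word ignores it."""
    pos = len(data)
    while True:
        pos = data.rfind(ZIP_EOCD_SIG, 0, pos)
        if pos < 0:
            raise ValueError("no end-of-central-directory record: not a ZIP")
        if pos + ZIP_EOCD_LEN <= len(data):
            cd_size, cd_off, comment_len = struct.unpack_from("<IIH", data, pos + 12)
            # Trust the record only if it points back at a real central
            # directory: the signature bytes can also occur in appended data.
            if cd_off + cd_size == pos and data[cd_off:cd_off + 4] == ZIP_CD_SIG:
                return len(data) - (pos + ZIP_EOCD_LEN + comment_len)


def ole_trailing_bytes(data: bytes) -> int:
    """Heuristic for legacy .doc files (OLE compound files): header plus whole
    sectors, so a length that is not a multiple of the sector size means data
    was appended. Assumption: sector size comes from the header's sector-shift
    field at offset 30 (9 -> 512-byte sectors, as written by Word)."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    return len(data) % sector_size


def findings(name: str, data: bytes) -> list:
    """Indicators found in one file, chosen by extension (empty list = clean)."""
    hits, lower = [], name.lower()
    if lower.endswith(".exe") and pe_has_ramsay_marker(data):
        hits.append("Ramsay infection marker at end of file")
    elif lower.endswith(".docx") and (n := zip_trailing_bytes(data)):
        hits.append(f"{n} bytes appended after the ZIP end-of-central-directory")
    elif lower.endswith(".doc") and (n := ole_trailing_bytes(data)):
        hits.append(f"{n} bytes beyond the last OLE sector")
    return hits


def make_pe(infected: bool) -> bytes:
    """Constructed stub 'PE': MZ header plus padding, optionally with the marker."""
    return b"MZ" + b"\x00" * 126 + (RAMSAY_INFECTION_MARKER if infected else b"")


def make_docx(appended: bytes = b"") -> bytes:
    """Constructed minimal ZIP standing in for a .docx, plus an optional block."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue() + appended


def make_doc(appended: bytes = b"") -> bytes:
    """Constructed stub OLE file: 512-byte header (sector shift 9) + two sectors."""
    header = bytearray(512)
    header[:8] = OLE_MAGIC
    struct.pack_into("<H", header, 30, 9)
    return bytes(header) + b"\x00" * 1024 + appended


# Placeholder for the Magic value (the report shows it only in a figure), a
# GUID-sized field, and an "encrypted" blob that deliberately contains a ZIP
# EOCD signature to show the scanner is not fooled by it.
EXFIL_BLOCK = b"<MAGIC>" + b"G" * 16 + b"PK\x05\x06" + b"\x9f" * 300

if __name__ == "__main__":
    for name, data in {"setup.exe": make_pe(True), "memo.docx": make_docx(),
                       "memo-carried.docx": make_docx(EXFIL_BLOCK),
                       "report.doc": make_doc(EXFIL_BLOCK)}.items():
        print(f"{name}: {findings(name, data) or 'clean'}")
```

A trailing block on a .docx is not by itself proof of Ramsay (some tools append benign data), but on documents that travel in and out of an isolated network it is worth treating as an alert and inspecting the tail for a repeated marker and GUID.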
4 Analysis of sample association and organization attribution

4.1 Sample association

According to the metadata and exploit characteristics of the "afchunk.rtf" attack document contained in "accept.docx", another "afchunk.rtf" sample can be associated:

Figure 4-1 afchunk.rtf contained in "accept.docx"

Figure 4-2 The newly associated afchunk.rtf

The parent of the newly associated "afchunk.rtf" is the RAR archive "Technical Agreement.rar". The overall execution process is as follows:

Figure 4-3 Complete execution process of the associated samples

"Googleofficechk.sct" first builds the system's current process list into the following URL and sends it back to the C2:

http://find-image.com/img/image.php?K=F84hFhfeHUiFQE&test=<Base64-encoded process list>

Figure 4-4 Obtaining the process list and returning it to the C2

It then releases "svupdate32.exe" and "msrvc32.exe" into the system startup directory.
"Msrvc32.exe" is responsible for collecting system information, including the system version, architecture, region, language, and registrant, and constructs a URL to send this information back to C2: http://win-api-essentials[.]com/package/v2.php?im=000C29A414B2&fg=u&inf=Base64 encoded system information Re-construct the URL and download the file to the randomly named file in the "%LOCALAPPDATA%\Local\VirtualStore\" directory: http://win-api-essentials[.]com/package/v2.php?im=000C29A414B2&fg=d Alternate C2: http://service.email-126[.]net/box/open.php?se=000C29A414B2&fg=d Finally, according to the instructions and file names contained in the C2 return data, the next operation is performed on the randomly named files: Table 4-1 Acceptable commands and functions Related to the Samsay event and the DarkHotel historical Trojan: https://www.programmersought.com/article/62493896999/ Page 21 of 36 After comparison, the "svupdate32.exe" component and the Trojan of this Ramsay event, as well as the DropBox-based Trojan program of the DarkHotel organization that was exposed by Tencent Yujian in January 2019: eea409bbefee23eb475e4161f06d529a, each of which has a unique code shared: Figure 4-5 "svupdate32.exe" shared code https://www.programmersought.com/article/62493896999/ Page 22 of 36 Figure 4-6 DarkHotel's historical Trojan based on Dropbox https://www.programmersought.com/article/62493896999/ Page 23 of 36 Figure 4-7 netwiz.exe in Ramsay activity https://www.programmersought.com/article/62493896999/ Page 24 of 36 Figure 4-8 Sharing among the three 4.2 Organizational association After in-depth code comparison, we found many connections between Ramsay and Darkhotel: Algorithm overlap The custom encryption algorithm logic used by Ramsay before the data landed is the same as the algorithm that Chianxin previously disclosed [2] and used by the Darkhotel organization many times: Figure 4-9 Ramsay's sample algorithm https://www.programmersought.com/article/62493896999/ Page 25 
of 36 Figure 4-10 The algorithm disclosed by Chianxin earlier And the combination selection of the two algorithms, the second of which has only one more addition step than has been disclosed: Figure 4-11 Sample algorithm for this sample Figure 4-12 The algorithm disclosed by Chianxin 2. Function and technology overlap: There are many functions and technical overlaps between Ramsay and Darkhotel’s historical Trojans, such as: https://www.programmersought.com/article/62493896999/ Page 26 of 36 · Hijack the system's WSearch service to achieve persistence and obtain SYSTEM permissions. · Use WinRAR to encrypt and package the stolen files. · Create a window named "lua" to realize file stealing. · The current system information is collected through a set of CMD commands. Most of this set of commands overlap and are in the same order. 3. Special logo heads overlap: According to "bindsvc.exe" component used to locate the location of the data header: Figure 4-13 The logo head of the Ramsay Trojan The sample from June 2019 can be correlated. At this time, these three marker heads are still used as the location of the positioning data: Figure 4-14 The logo head of the Darkhotel special Trojan in the past https://www.programmersought.com/article/62493896999/ Page 27 of 36 During the analysis of this Darkhotel event, it was observed that there are different special signs for different sample loads, which have the role of locating the data location. These residual signs have also appeared in the previous activities of Darkhotel. From the time axis, the activities of this event overlap with the previous activities. It can be seen that Darkhotel has the ability to rapidly iterate according to changes in the target environment, and timely The ability to update optimized load codes. 
Figure 4-15 Darkhotel special marker evolution timeline

After detailed comparison, this old sample from 2019 is the Darkhotel special Trojan described in the Tencent Security Team's report "Darkhotel's Latest Attack on Chinese Foreign Trade Persons" of June 2019 [3]. Many pieces of code overlap with that Darkhotel special Trojan, for example the check on the beginning of the data returned by the C2:

Figure 4-16 Sample from 2019

Figure 4-17 Sample disclosed by the Tencent security team

The fields and values of the assembled C2 URL are also exactly the same:

C2 of the 2019 sample: http://service-security-manager[.]com/c50c9f6c-a306-41d0-8d24-bf0c3a5f4a0e/21270.php?vol=honeycomb&q=4znZCTTa2J24&guid=<local hardware GUID>

C2 of the sample in the Tencent Yujian report: http://game-service[.]org/584e3411-14a7-41f4-ba1d-e203609b0471/6126.php?vol=honeycomb&q=4znZCTTa2J24&guid=<local hardware GUID>

4. The metadata of some decoy documents includes the Korean words "제목" and "사용자", which mean "title" and "user" respectively:

Figure 4-18 The metadata of the decoy document contains Korean

When the author of the decoy document inserted the picture object, the default language of Office was also Korean; "그림 3" means "Picture 3":

Figure 4-19 The attacker inserts a picture through the Korean version of Office

5 Summary

In the analysis of Darkhotel's isolated-network penetration activities, document metadata, exploit characteristics, Ramsay's special infection markers and other features also relate this activity to Darkhotel's activities in recent years, indicating the continuity of Darkhotel's attack activities in cyberspace. After discovering a high-value target, it can deploy its attack strategy in time, upgrade its malicious code infection technology and improve the overall attack process, highlighting Darkhotel's advanced persistent threat attributes.

In 2019, Antiy released "Nine Years Resurgence and Reflections on the Stuxnet Incident" [4], stating that the traditional anti-virus engine and threat intelligence have become two complementary mechanisms. The traditional anti-virus engine provides detection and identification capabilities for large volumes of malicious code, and handles malicious code variants and transformations through deep pre-processing, virtual execution and other mechanisms, so in terms of payload detection it has unparalleled depth of recognition and analysis and also provides an accurate judgment mechanism for large numbers of payload objects. In the threat intelligence pyramid, "narrow-sense intelligence" such as hashes, IPs and domain names sits at the bottom layer, that is, it is low in acquisition difficulty and low in application cost. It can easily be extracted by the defender from the analyzed samples as an attack indicator, and can be fed into existing extension interfaces such as various security devices, management devices and protection software. If Darkhotel's isolated-network penetration activity is compared with the more complex and complete A2PT Stuxnet operation, Darkhotel's implementation cost is lower and its transmission, infection and exfiltration process depends more on personnel, but over a longer sustained attack cycle there is still the possibility of reaching the goal.
At the same time, in this analysis of Darkhotel's sample association and organizational attribution, by establishing reliable basic identification capabilities and response mechanisms, and by analyzing the TTP process and related intelligence of the Darkhotel organization's evolution, a typical case of combined analysis by detection engine and threat intelligence has been formed.

References

[1] Suspected Darkhotel APT organization targeted attacks against Chinese trade industry executives disclosed
[2] Sample analysis of recent activities of the Darkhotel APT gang, https://ti.qianxin.com/blog/articles/analysis-of-darkhotel/
[3] Darkhotel's latest attack on Chinese foreign traders disclosed
[4] Nine-year resurgence and reflection on the Stuxnet incident, https://www.antiy.com/response/20190930.html

Source: https://www.programmersought.com/article/62493896999/