flawedammyy | 43834f452190b6f36ce8bb603b76e44feb45761eb70eae5dee2ac8db17d560ee

Analysis

max time kernel
69s
max time network
106s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
18/10/2022, 03:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1813cdbea071efd7e0b261e0b1f47635.exe
Size

7.6MB
MD5

1813cdbea071efd7e0b261e0b1f47635
SHA1

cb7bfedfa84c2de310fdf36b6fac39c6d8a6c971
SHA256

43834f452190b6f36ce8bb603b76e44feb45761eb70eae5dee2ac8db17d560ee
SHA512

a5ac24cff7a276acc8d629dcb170c51ee8c1d65960f0fbf105a775264a63264bfb126008e5ea4daba812ef1d79881bda3e077bb1349166d474a609dd06e65b77
SSDEEP

196608:4AId0+vNSQpice0XxZcTjfKYQGj8jFDO/3V1hoGv:4zm+v9eeQjCBnjNO/FTXv

Score

10^/10

flawedammyy discovery evasion persistence trojan upx

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
900	1813cdbea071efd7e0b261e0b1f47635.tmp
1696	SuporteZeus.exe

Modifies Windows Firewall 1 TTPs 7 IoCs

evasion

Modify Existing Service

T1031

pid	Process
2008	NETSH.exe
1660	NETSH.exe
1488	NETSH.exe
1672	NETSH.exe
880	NETSH.exe
1256	NETSH.exe
1956	NETSH.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000015473-64.dat	upx
behavioral1/files/0x0006000000015473-65.dat	upx
behavioral1/files/0x0006000000015473-69.dat	upx
behavioral1/files/0x0006000000015473-71.dat	upx
behavioral1/files/0x0006000000015473-73.dat	upx
behavioral1/memory/1696-75-0x00000000012E0000-0x000000000143E000-memory.dmp	upx
behavioral1/memory/1696-83-0x00000000012E0000-0x000000000143E000-memory.dmp	upx
behavioral1/memory/1696-141-0x00000000012E0000-0x000000000143E000-memory.dmp	upx

Loads dropped DLL 5 IoCs

pid	Process
1824	1813cdbea071efd7e0b261e0b1f47635.exe
900	1813cdbea071efd7e0b261e0b1f47635.tmp
900	1813cdbea071efd7e0b261e0b1f47635.tmp
900	1813cdbea071efd7e0b261e0b1f47635.tmp
900	1813cdbea071efd7e0b261e0b1f47635.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1696-75-0x00000000012E0000-0x000000000143E000-memory.dmp	autoit_exe
behavioral1/memory/1696-83-0x00000000012E0000-0x000000000143E000-memory.dmp	autoit_exe
behavioral1/memory/1696-141-0x00000000012E0000-0x000000000143E000-memory.dmp	autoit_exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Zeus Tecnologia STI\is-PDUEL.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\curl\is-N8NS7.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\curl\libcurl.dll	1813cdbea071efd7e0b261e0b1f47635.tmp
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\curl\curl.exe	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\unins000.dat	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\curl\is-3RAOJ.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\AtualizadorZeus.exe	1813cdbea071efd7e0b261e0b1f47635.tmp
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\VncZeusTecnologia.exe	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\is-DAO5D.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\is-9I67O.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\curl\is-URK2L.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\winmgmts:\GRXNNIIE\root\cimv2	SuporteZeus.exe
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\SuporteZeus.exe	1813cdbea071efd7e0b261e0b1f47635.tmp
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\GerenciadorZeus.exe	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\is-RKQT5.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\is-9KKF0.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\is-NCOPE.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\curl\is-OJT08.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\unins000.dat	1813cdbea071efd7e0b261e0b1f47635.tmp
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\debugZT_SuporteZeus.exe.log	SuporteZeus.exe
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\AnyDesk.exe	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\is-I868R.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\DOWNLOADS\367.tmp	SuporteZeus.exe
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\WinNT:\ztadmin, user	SuporteZeus.exe
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\WinNT:\admin, user	SuporteZeus.exe

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2032	SC.exe
1932	SC.exe
320	SC.exe
1768	SC.exe
544	SC.exe
1672	SC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1568	SCHTASKS.exe
1760	SCHTASKS.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
692	taskkill.exe
1532	taskkill.exe
1968	taskkill.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	SuporteZeus.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	SuporteZeus.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	SuporteZeus.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	SuporteZeus.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	SuporteZeus.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\WinNT:\ztadmin, user	SuporteZeus.exe
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\WinNT:\admin, user	SuporteZeus.exe
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\winmgmts:\GRXNNIIE\root\cimv2	SuporteZeus.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
900	1813cdbea071efd7e0b261e0b1f47635.tmp
900	1813cdbea071efd7e0b261e0b1f47635.tmp
1696	SuporteZeus.exe
1696	SuporteZeus.exe
1696	SuporteZeus.exe
1696	SuporteZeus.exe
1696	SuporteZeus.exe
1696	SuporteZeus.exe
1696	SuporteZeus.exe
1696	SuporteZeus.exe
1696	SuporteZeus.exe
1696	SuporteZeus.exe
1696	SuporteZeus.exe
1696	SuporteZeus.exe
1696	SuporteZeus.exe
1696	SuporteZeus.exe
1696	SuporteZeus.exe
1696	SuporteZeus.exe
1696	SuporteZeus.exe
1696	SuporteZeus.exe
1696	SuporteZeus.exe
1696	SuporteZeus.exe
1696	SuporteZeus.exe
1696	SuporteZeus.exe
1696	SuporteZeus.exe
1696	SuporteZeus.exe
1696	SuporteZeus.exe
1696	SuporteZeus.exe
1696	SuporteZeus.exe
1696	SuporteZeus.exe
1696	SuporteZeus.exe
1696	SuporteZeus.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	692	taskkill.exe
Token: SeDebugPrivilege	1532	taskkill.exe
Token: SeDebugPrivilege	1968	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1848	WMIC.exe
Token: SeSecurityPrivilege	1848	WMIC.exe
Token: SeTakeOwnershipPrivilege	1848	WMIC.exe
Token: SeLoadDriverPrivilege	1848	WMIC.exe
Token: SeSystemProfilePrivilege	1848	WMIC.exe
Token: SeSystemtimePrivilege	1848	WMIC.exe
Token: SeProfSingleProcessPrivilege	1848	WMIC.exe
Token: SeIncBasePriorityPrivilege	1848	WMIC.exe
Token: SeCreatePagefilePrivilege	1848	WMIC.exe
Token: SeBackupPrivilege	1848	WMIC.exe
Token: SeRestorePrivilege	1848	WMIC.exe
Token: SeShutdownPrivilege	1848	WMIC.exe
Token: SeDebugPrivilege	1848	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1848	WMIC.exe
Token: SeRemoteShutdownPrivilege	1848	WMIC.exe
Token: SeUndockPrivilege	1848	WMIC.exe
Token: SeManageVolumePrivilege	1848	WMIC.exe
Token: 33	1848	WMIC.exe
Token: 34	1848	WMIC.exe
Token: 35	1848	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1848	WMIC.exe
Token: SeSecurityPrivilege	1848	WMIC.exe
Token: SeTakeOwnershipPrivilege	1848	WMIC.exe
Token: SeLoadDriverPrivilege	1848	WMIC.exe
Token: SeSystemProfilePrivilege	1848	WMIC.exe
Token: SeSystemtimePrivilege	1848	WMIC.exe
Token: SeProfSingleProcessPrivilege	1848	WMIC.exe
Token: SeIncBasePriorityPrivilege	1848	WMIC.exe
Token: SeCreatePagefilePrivilege	1848	WMIC.exe
Token: SeBackupPrivilege	1848	WMIC.exe
Token: SeRestorePrivilege	1848	WMIC.exe
Token: SeShutdownPrivilege	1848	WMIC.exe
Token: SeDebugPrivilege	1848	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1848	WMIC.exe
Token: SeRemoteShutdownPrivilege	1848	WMIC.exe
Token: SeUndockPrivilege	1848	WMIC.exe
Token: SeManageVolumePrivilege	1848	WMIC.exe
Token: 33	1848	WMIC.exe
Token: 34	1848	WMIC.exe
Token: 35	1848	WMIC.exe
Token: SeIncreaseQuotaPrivilege	752	wmic.exe
Token: SeSecurityPrivilege	752	wmic.exe
Token: SeTakeOwnershipPrivilege	752	wmic.exe
Token: SeLoadDriverPrivilege	752	wmic.exe
Token: SeSystemProfilePrivilege	752	wmic.exe
Token: SeSystemtimePrivilege	752	wmic.exe
Token: SeProfSingleProcessPrivilege	752	wmic.exe
Token: SeIncBasePriorityPrivilege	752	wmic.exe
Token: SeCreatePagefilePrivilege	752	wmic.exe
Token: SeBackupPrivilege	752	wmic.exe
Token: SeRestorePrivilege	752	wmic.exe
Token: SeShutdownPrivilege	752	wmic.exe
Token: SeDebugPrivilege	752	wmic.exe
Token: SeSystemEnvironmentPrivilege	752	wmic.exe
Token: SeRemoteShutdownPrivilege	752	wmic.exe
Token: SeUndockPrivilege	752	wmic.exe
Token: SeManageVolumePrivilege	752	wmic.exe
Token: 33	752	wmic.exe
Token: 34	752	wmic.exe
Token: 35	752	wmic.exe
Token: SeIncreaseQuotaPrivilege	752	wmic.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
900	1813cdbea071efd7e0b261e0b1f47635.tmp
900	1813cdbea071efd7e0b261e0b1f47635.tmp

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
900	1813cdbea071efd7e0b261e0b1f47635.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 900	1824	1813cdbea071efd7e0b261e0b1f47635.exe	27
PID 1824 wrote to memory of 900	1824	1813cdbea071efd7e0b261e0b1f47635.exe	27
PID 1824 wrote to memory of 900	1824	1813cdbea071efd7e0b261e0b1f47635.exe	27
PID 1824 wrote to memory of 900	1824	1813cdbea071efd7e0b261e0b1f47635.exe	27
PID 1824 wrote to memory of 900	1824	1813cdbea071efd7e0b261e0b1f47635.exe	27
PID 1824 wrote to memory of 900	1824	1813cdbea071efd7e0b261e0b1f47635.exe	27
PID 1824 wrote to memory of 900	1824	1813cdbea071efd7e0b261e0b1f47635.exe	27
PID 900 wrote to memory of 1696	900	1813cdbea071efd7e0b261e0b1f47635.tmp	28
PID 900 wrote to memory of 1696	900	1813cdbea071efd7e0b261e0b1f47635.tmp	28
PID 900 wrote to memory of 1696	900	1813cdbea071efd7e0b261e0b1f47635.tmp	28
PID 900 wrote to memory of 1696	900	1813cdbea071efd7e0b261e0b1f47635.tmp	28
PID 1696 wrote to memory of 2032	1696	SuporteZeus.exe	32
PID 1696 wrote to memory of 2032	1696	SuporteZeus.exe	32
PID 1696 wrote to memory of 2032	1696	SuporteZeus.exe	32
PID 1696 wrote to memory of 2032	1696	SuporteZeus.exe	32
PID 1696 wrote to memory of 1712	1696	SuporteZeus.exe	34
PID 1696 wrote to memory of 1712	1696	SuporteZeus.exe	34
PID 1696 wrote to memory of 1712	1696	SuporteZeus.exe	34
PID 1696 wrote to memory of 1712	1696	SuporteZeus.exe	34
PID 1696 wrote to memory of 1864	1696	SuporteZeus.exe	36
PID 1696 wrote to memory of 1864	1696	SuporteZeus.exe	36
PID 1696 wrote to memory of 1864	1696	SuporteZeus.exe	36
PID 1696 wrote to memory of 1864	1696	SuporteZeus.exe	36
PID 1696 wrote to memory of 1564	1696	SuporteZeus.exe	38
PID 1696 wrote to memory of 1564	1696	SuporteZeus.exe	38
PID 1696 wrote to memory of 1564	1696	SuporteZeus.exe	38
PID 1696 wrote to memory of 1564	1696	SuporteZeus.exe	38
PID 1696 wrote to memory of 1168	1696	SuporteZeus.exe	40
PID 1696 wrote to memory of 1168	1696	SuporteZeus.exe	40
PID 1696 wrote to memory of 1168	1696	SuporteZeus.exe	40
PID 1696 wrote to memory of 1168	1696	SuporteZeus.exe	40
PID 1696 wrote to memory of 1540	1696	SuporteZeus.exe	42
PID 1696 wrote to memory of 1540	1696	SuporteZeus.exe	42
PID 1696 wrote to memory of 1540	1696	SuporteZeus.exe	42
PID 1696 wrote to memory of 1540	1696	SuporteZeus.exe	42
PID 1696 wrote to memory of 1920	1696	SuporteZeus.exe	44
PID 1696 wrote to memory of 1920	1696	SuporteZeus.exe	44
PID 1696 wrote to memory of 1920	1696	SuporteZeus.exe	44
PID 1696 wrote to memory of 1920	1696	SuporteZeus.exe	44
PID 1696 wrote to memory of 1944	1696	SuporteZeus.exe	46
PID 1696 wrote to memory of 1944	1696	SuporteZeus.exe	46
PID 1696 wrote to memory of 1944	1696	SuporteZeus.exe	46
PID 1696 wrote to memory of 1944	1696	SuporteZeus.exe	46
PID 1696 wrote to memory of 1916	1696	SuporteZeus.exe	48
PID 1696 wrote to memory of 1916	1696	SuporteZeus.exe	48
PID 1696 wrote to memory of 1916	1696	SuporteZeus.exe	48
PID 1696 wrote to memory of 1916	1696	SuporteZeus.exe	48
PID 1696 wrote to memory of 1660	1696	SuporteZeus.exe	50
PID 1696 wrote to memory of 1660	1696	SuporteZeus.exe	50
PID 1696 wrote to memory of 1660	1696	SuporteZeus.exe	50
PID 1696 wrote to memory of 1660	1696	SuporteZeus.exe	50
PID 1696 wrote to memory of 1488	1696	SuporteZeus.exe	52
PID 1696 wrote to memory of 1488	1696	SuporteZeus.exe	52
PID 1696 wrote to memory of 1488	1696	SuporteZeus.exe	52
PID 1696 wrote to memory of 1488	1696	SuporteZeus.exe	52
PID 1696 wrote to memory of 692	1696	SuporteZeus.exe	54
PID 1696 wrote to memory of 692	1696	SuporteZeus.exe	54
PID 1696 wrote to memory of 692	1696	SuporteZeus.exe	54
PID 1696 wrote to memory of 692	1696	SuporteZeus.exe	54
PID 1696 wrote to memory of 1532	1696	SuporteZeus.exe	57
PID 1696 wrote to memory of 1532	1696	SuporteZeus.exe	57
PID 1696 wrote to memory of 1532	1696	SuporteZeus.exe	57
PID 1696 wrote to memory of 1532	1696	SuporteZeus.exe	57
PID 1696 wrote to memory of 1968	1696	SuporteZeus.exe	59

C:\Users\Admin\AppData\Local\Temp\1813cdbea071efd7e0b261e0b1f47635.exe
"C:\Users\Admin\AppData\Local\Temp\1813cdbea071efd7e0b261e0b1f47635.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Users\Admin\AppData\Local\Temp\is-GBGOS.tmp\1813cdbea071efd7e0b261e0b1f47635.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-GBGOS.tmp\1813cdbea071efd7e0b261e0b1f47635.tmp" /SL5="$60122,7763926,67584,C:\Users\Admin\AppData\Local\Temp\1813cdbea071efd7e0b261e0b1f47635.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:900
- - C:\Program Files (x86)\Zeus Tecnologia STI\SuporteZeus.exe
    "C:\Program Files (x86)\Zeus Tecnologia STI\SuporteZeus.exe" -STIconfig
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Modifies system certificate store
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Windows\SysWOW64\SC.exe
      SC stop "AmmyyAdmin"
      4⤵
      Launches sc.exe
      PID:2032
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /End /TN ZeusTecSTI
      4⤵
      PID:1712
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /End /TN ZeusTecSTI
      4⤵
      PID:1864
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /End /TN ZeusTecnologia\ZeusTecSTI
      4⤵
      PID:1564
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /End /TN ZeusTecnologia\ZeusTecINV
      4⤵
      PID:1168
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /delete /F /TN "Zeus Tecnologia STI"
      4⤵
      PID:1540
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /delete /F /TN ZeusTecSTI
      4⤵
      PID:1920
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /delete /F /TN ZeusTecnologia\ZeusTecINV
      4⤵
      PID:1944
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /delete /F /TN ZeusTecnologia\ZeusTecSTI
      4⤵
      PID:1916
  - - C:\Windows\SysWOW64\NETSH.exe
      NETSH advfirewall firewall delete rule name="ZeusAtualiza"
      4⤵
      Modifies Windows Firewall
      PID:1660
  - - C:\Windows\SysWOW64\NETSH.exe
      NETSH advfirewall firewall delete rule name="ZeusAmmyyAdm"
      4⤵
      Modifies Windows Firewall
      PID:1488
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill -f -im AmmyyAdmin.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:692
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill -f -im AtualizadorZeus.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1532
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill -f -im gerenciadorZeus.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1968
  - - C:\Windows\SysWOW64\SC.exe
      SC delete "AmmyyAdmin"
      4⤵
      Launches sc.exe
      PID:1932
  - - C:\Windows\SysWOW64\NET.exe
      NET USER "zeustec" /ADD
      4⤵
      PID:640
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 USER "zeustec" /ADD
        5⤵
        
        PID:1912
  - - C:\Windows\SysWOW64\NET.exe
      NET USER "zeustec" "Zeus!2125"
      4⤵
      PID:1916
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 USER "zeustec" "Zeus!2125"
        5⤵
        
        PID:1148
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC USERACCOUNT WHERE "Name='zeustec' and Domain='GRXNNIIE'" SET PasswordExpires=FALSE
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1848
  - - C:\Windows\SysWOW64\net.exe
      net users zeustec /fullname:"ZeusTecnologia"
      4⤵
      PID:880
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 users zeustec /fullname:"ZeusTecnologia"
        5⤵
        
        PID:1488
  - - C:\Windows\SysWOW64\NET.exe
      NET LOCALGROUP "Administrators" "zeustec" /ADD
      4⤵
      PID:1500
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 LOCALGROUP "Administrators" "zeustec" /ADD
        5⤵
        
        PID:1820
  - - C:\Windows\SysWOW64\NET.exe
      NET LOCALGROUP "Remote Desktop Users" "zeustec" /ADD
      4⤵
      PID:1988
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" "zeustec" /ADD
        5⤵
        
        PID:1532
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic useraccount where name="admin" call rename "ZTadmin"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:752
  - - C:\Windows\SysWOW64\NET.exe
      NET USER "ztadmin" /ADD
      4⤵
      PID:1920
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 USER "ztadmin" /ADD
        5⤵
        
        PID:320
  - - C:\Windows\SysWOW64\NET.exe
      NET USER "ztadmin" "Cliente@3456"
      4⤵
      PID:840
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 USER "ztadmin" "Cliente@3456"
        5⤵
        
        PID:1252
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC USERACCOUNT WHERE "Name='ztadmin' and Domain='GRXNNIIE'" SET PasswordExpires=FALSE
      4⤵
      PID:1812
  - - C:\Windows\SysWOW64\net.exe
      net users ztadmin /fullname:"ZTAdmin"
      4⤵
      PID:1848
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 users ztadmin /fullname:"ZTAdmin"
        5⤵
        
        PID:1080
  - - C:\Windows\SysWOW64\NET.exe
      NET LOCALGROUP "Administrators" "ztadmin" /ADD
      4⤵
      PID:1468
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 LOCALGROUP "Administrators" "ztadmin" /ADD
        5⤵
        
        PID:1512
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Program Files (x86)\Zeus Tecnologia STI\DOWNLOADS" /T /E /C /P Users:F
      4⤵
      PID:1984
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg -x -monitor-timeout-ac 15
      4⤵
      PID:2028
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg -x -standby-timeout-ac 0
      4⤵
      PID:1308
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /ru system /create /sc daily /st 12:30 /RI 10 /DU 00:18 /K /tn ZeusTecnologia\ZeusTecSTI /tr "'C:\Program Files (x86)\Zeus Tecnologia STI\atualizadorZeus.exe' -STI" /f /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:1568
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /ru system /create /sc daily /st 12:50 /tn ZeusTecnologia\ZeusTecINV /tr "'C:\Program Files (x86)\Zeus Tecnologia STI\SuporteZeus.exe' -INV" /f /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:1760
  - - C:\Windows\SysWOW64\NETSH.exe
      NETSH advfirewall firewall add rule name="ZeusAtualiza" dir=IN action=ALLOW program="C:\Program Files (x86)\Zeus Tecnologia STI\atualizadorZeus.exe" enable=YES profile=ANY description="Atualizador - Zeus Tecnologia"
      4⤵
      Modifies Windows Firewall
      PID:1672
  - - C:\Windows\SysWOW64\NETSH.exe
      NETSH advfirewall firewall add rule name="ZeusAmmyyAdm" dir=IN action=ALLOW program="C:\Program Files (x86)\Zeus Tecnologia STI\AmmyyAdmin.exe" enable=YES profile=ANY description="Ammyy Admin - Zeus Tecnologia"
      4⤵
      Modifies Windows Firewall
      PID:880
  - - C:\Windows\SysWOW64\NETSH.exe
      NETSH advfirewall firewall set rule GROUP="Descoberta de Rede" NEW enable=YES
      4⤵
      Modifies Windows Firewall
      PID:1256
  - - C:\Windows\SysWOW64\NETSH.exe
      NETSH advfirewall firewall set rule GROUP="Network Discovery" NEW enable=YES
      4⤵
      Modifies Windows Firewall
      PID:1956
  - - C:\Windows\SysWOW64\NETSH.exe
      NETSH advfirewall firewall set rule GROUP="Área de Trabalho Remota" NEW enable=YES
      4⤵
      Modifies Windows Firewall
      PID:2008
  - - C:\Windows\SysWOW64\SC.exe
      SC create "AmmyyAdmin" binPath= "\"C:\Program Files (x86)\Zeus Tecnologia STI\AmmyyAdmin.exe\" -service" DisplayName= "Ammyy Admin" start= auto
      4⤵
      Launches sc.exe
      PID:320
  - - C:\Windows\SysWOW64\SC.exe
      SC description "AmmyyAdmin" "Sistema de suporte remoto utilizado pela www.ZeusTecnologia.com.br"
      4⤵
      Launches sc.exe
      PID:1768
  - - C:\Windows\SysWOW64\SC.exe
      SC failure "AmmyyAdmin" reset=60 actions=restart/60000
      4⤵
      Launches sc.exe
      PID:544
  - - C:\Windows\SysWOW64\SC.exe
      SC start "AmmyyAdmin" | findstr "RUNNING START_PENDING"
      4⤵
      Launches sc.exe
      PID:1672

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Account Manipulation

T1098

Modify Existing Service

T1031

New Service

T1050

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Zeus Tecnologia STI\SuporteZeus.exe

Filesize
610KB

MD5
f07db1e2a512171311f40d080034ba01

SHA1
2296ad3bc8807dfa775d43d58c8d3b52d19dd7e2

SHA256
f3e997e126aaec0734a6f2a5d68e3d3ec58cc863705cc3991989cc8183af283e

SHA512
a8e4e28ff8332bc84471f1dfd02a9c519eda796196d4ce143bd3a7f94d91c2dab1a591996ece81de3f0e2fff2491efc66be611bd802857bb56b024240ad4026b

Download Submit
C:\Program Files (x86)\Zeus Tecnologia STI\SuporteZeus.exe

Filesize
610KB

MD5
f07db1e2a512171311f40d080034ba01

SHA1
2296ad3bc8807dfa775d43d58c8d3b52d19dd7e2

SHA256
f3e997e126aaec0734a6f2a5d68e3d3ec58cc863705cc3991989cc8183af283e

SHA512
a8e4e28ff8332bc84471f1dfd02a9c519eda796196d4ce143bd3a7f94d91c2dab1a591996ece81de3f0e2fff2491efc66be611bd802857bb56b024240ad4026b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GBGOS.tmp\1813cdbea071efd7e0b261e0b1f47635.tmp

Filesize
711KB

MD5
478fbeed5ddcc14317065fafc3c19928

SHA1
8a680ce343453e2407444894055e9630f0c36017

SHA256
20d3b66b3d08b16204a6471c1eba6e682765a5397f33a1f4607725db3ea6cd2d

SHA512
6165a7f11184fc8cc52dbe4ed1f412895f5abc308c1b1f9c793d465ddbae4406a656127b40a15591b26fa737e5d7015c9e927fbfadb095e462d2a1cba1fa417d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GBGOS.tmp\1813cdbea071efd7e0b261e0b1f47635.tmp

Filesize
711KB

MD5
478fbeed5ddcc14317065fafc3c19928

SHA1
8a680ce343453e2407444894055e9630f0c36017

SHA256
20d3b66b3d08b16204a6471c1eba6e682765a5397f33a1f4607725db3ea6cd2d

SHA512
6165a7f11184fc8cc52dbe4ed1f412895f5abc308c1b1f9c793d465ddbae4406a656127b40a15591b26fa737e5d7015c9e927fbfadb095e462d2a1cba1fa417d

Download Submit
\Program Files (x86)\Zeus Tecnologia STI\GerenciadorZeus.exe

Filesize
1.1MB

MD5
8d79a74e9577d4d1a42e9a0e76033e4c

SHA1
795b91dafd2b16847cb393d98f419bdd9e48fdf3

SHA256
1ad012e6a910a80338958b2ad90d1cbd2ca1355f15021b205be23715474530d0

SHA512
e411eef003131660b87b978bbd778b9e3dc86537b4d0c2f529ec9e5e26c8bb7760dd62352ca55d9fbf874718cedcb7c7726f11e0b26a31ab5698e5fba051be2b

Download Submit
\Program Files (x86)\Zeus Tecnologia STI\SuporteZeus.exe

Filesize
610KB

MD5
f07db1e2a512171311f40d080034ba01

SHA1
2296ad3bc8807dfa775d43d58c8d3b52d19dd7e2

SHA256
f3e997e126aaec0734a6f2a5d68e3d3ec58cc863705cc3991989cc8183af283e

SHA512
a8e4e28ff8332bc84471f1dfd02a9c519eda796196d4ce143bd3a7f94d91c2dab1a591996ece81de3f0e2fff2491efc66be611bd802857bb56b024240ad4026b

Download Submit
\Program Files (x86)\Zeus Tecnologia STI\SuporteZeus.exe

Filesize
610KB

MD5
f07db1e2a512171311f40d080034ba01

SHA1
2296ad3bc8807dfa775d43d58c8d3b52d19dd7e2

SHA256
f3e997e126aaec0734a6f2a5d68e3d3ec58cc863705cc3991989cc8183af283e

SHA512
a8e4e28ff8332bc84471f1dfd02a9c519eda796196d4ce143bd3a7f94d91c2dab1a591996ece81de3f0e2fff2491efc66be611bd802857bb56b024240ad4026b

Download Submit
\Program Files (x86)\Zeus Tecnologia STI\SuporteZeus.exe

Filesize
610KB

MD5
f07db1e2a512171311f40d080034ba01

SHA1
2296ad3bc8807dfa775d43d58c8d3b52d19dd7e2

SHA256
f3e997e126aaec0734a6f2a5d68e3d3ec58cc863705cc3991989cc8183af283e

SHA512
a8e4e28ff8332bc84471f1dfd02a9c519eda796196d4ce143bd3a7f94d91c2dab1a591996ece81de3f0e2fff2491efc66be611bd802857bb56b024240ad4026b

Download Submit
\Users\Admin\AppData\Local\Temp\is-GBGOS.tmp\1813cdbea071efd7e0b261e0b1f47635.tmp

Filesize
711KB

MD5
478fbeed5ddcc14317065fafc3c19928

SHA1
8a680ce343453e2407444894055e9630f0c36017

SHA256
20d3b66b3d08b16204a6471c1eba6e682765a5397f33a1f4607725db3ea6cd2d

SHA512
6165a7f11184fc8cc52dbe4ed1f412895f5abc308c1b1f9c793d465ddbae4406a656127b40a15591b26fa737e5d7015c9e927fbfadb095e462d2a1cba1fa417d

Download Submit
memory/900-68-0x0000000001FA0000-0x0000000001FB0000-memory.dmp

Filesize
64KB

Download
memory/900-81-0x0000000001FA0000-0x0000000001FB0000-memory.dmp

Filesize
64KB

Download
memory/900-61-0x00000000741E1000-0x00000000741E3000-memory.dmp

Filesize
8KB

Download
memory/900-67-0x0000000001FA0000-0x0000000001FB0000-memory.dmp

Filesize
64KB

Download
memory/900-74-0x0000000003CC0000-0x0000000003E1E000-memory.dmp

Filesize
1.4MB

Download
memory/1696-75-0x00000000012E0000-0x000000000143E000-memory.dmp

Filesize
1.4MB

Download
memory/1696-83-0x00000000012E0000-0x000000000143E000-memory.dmp

Filesize
1.4MB

Download
memory/1696-141-0x00000000012E0000-0x000000000143E000-memory.dmp

Filesize
1.4MB

Download
memory/1824-142-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1824-55-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1824-66-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1824-54-0x0000000075571000-0x0000000075573000-memory.dmp

Filesize
8KB

Download