flawedammyy | 43834f452190b6f36ce8bb603b76e44feb45761eb70eae5dee2ac8db17d560ee

Analysis

max time kernel
109s
max time network
132s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1813cdbea071efd7e0b261e0b1f47635.exe
Size

7.6MB
MD5

1813cdbea071efd7e0b261e0b1f47635
SHA1

cb7bfedfa84c2de310fdf36b6fac39c6d8a6c971
SHA256

43834f452190b6f36ce8bb603b76e44feb45761eb70eae5dee2ac8db17d560ee
SHA512

a5ac24cff7a276acc8d629dcb170c51ee8c1d65960f0fbf105a775264a63264bfb126008e5ea4daba812ef1d79881bda3e077bb1349166d474a609dd06e65b77
SSDEEP

196608:4AId0+vNSQpice0XxZcTjfKYQGj8jFDO/3V1hoGv:4zm+v9eeQjCBnjNO/FTXv

Score

10^/10

flawedammyy discovery evasion persistence trojan upx

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
672	1813cdbea071efd7e0b261e0b1f47635.tmp
1788	SuporteZeus.exe

Modifies Windows Firewall 1 TTPs 7 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1820	NETSH.exe
1744	NETSH.exe
1984	NETSH.exe
1376	NETSH.exe
1852	NETSH.exe
1604	NETSH.exe
1268	NETSH.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000001429e-65.dat	upx
behavioral1/files/0x000600000001429e-66.dat	upx
behavioral1/files/0x000600000001429e-67.dat	upx
behavioral1/files/0x000600000001429e-69.dat	upx
behavioral1/files/0x000600000001429e-71.dat	upx
behavioral1/memory/1788-75-0x0000000000FD0000-0x000000000112E000-memory.dmp	upx
behavioral1/memory/1788-144-0x0000000000FD0000-0x000000000112E000-memory.dmp	upx

Loads dropped DLL 5 IoCs

pid	Process
1348	1813cdbea071efd7e0b261e0b1f47635.exe
672	1813cdbea071efd7e0b261e0b1f47635.tmp
672	1813cdbea071efd7e0b261e0b1f47635.tmp
672	1813cdbea071efd7e0b261e0b1f47635.tmp
672	1813cdbea071efd7e0b261e0b1f47635.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/1788-75-0x0000000000FD0000-0x000000000112E000-memory.dmp	autoit_exe
behavioral1/memory/1788-144-0x0000000000FD0000-0x000000000112E000-memory.dmp	autoit_exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\VncZeusTecnologia.exe	1813cdbea071efd7e0b261e0b1f47635.tmp
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\GerenciadorZeus.exe	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\unins000.dat	1813cdbea071efd7e0b261e0b1f47635.tmp
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\unins000.dat	1813cdbea071efd7e0b261e0b1f47635.tmp
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\WinNT:\ztadmin, user	SuporteZeus.exe
File created	C:\Program Files (x86)\Zeus Tecnologia STI\curl\is-2OL1I.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\winmgmts:\ORXGKKZC\root\cimv2	SuporteZeus.exe
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\WinNT:\admin, user	SuporteZeus.exe
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\AtualizadorZeus.exe	1813cdbea071efd7e0b261e0b1f47635.tmp
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\curl\libcurl.dll	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\is-KPHH4.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\curl\is-END0N.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\curl\is-5OSKA.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\DOWNLOADS\1429.tmp	SuporteZeus.exe
File created	C:\Program Files (x86)\Zeus Tecnologia STI\is-U1J5D.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\is-VJGRC.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\is-U078A.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\debugZT_SuporteZeus.exe.log	SuporteZeus.exe
File created	C:\Program Files (x86)\Zeus Tecnologia STI\is-1H8MR.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\curl\is-E4ARV.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\AnyDesk.exe	1813cdbea071efd7e0b261e0b1f47635.tmp
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\SuporteZeus.exe	1813cdbea071efd7e0b261e0b1f47635.tmp
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\curl\curl.exe	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\is-T9AP1.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\is-19NF8.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp

Launches sc.exe 6 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1544	SC.exe
1628	SC.exe
1012	SC.exe
1096	SC.exe
1364	SC.exe
1580	SC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1544	SCHTASKS.exe
1628	SCHTASKS.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
528	taskkill.exe
1180	taskkill.exe
1944	taskkill.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	SuporteZeus.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	SuporteZeus.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	SuporteZeus.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	SuporteZeus.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	SuporteZeus.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\WinNT:\admin, user	SuporteZeus.exe
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\winmgmts:\ORXGKKZC\root\cimv2	SuporteZeus.exe
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\WinNT:\ztadmin, user	SuporteZeus.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
672	1813cdbea071efd7e0b261e0b1f47635.tmp
672	1813cdbea071efd7e0b261e0b1f47635.tmp
1788	SuporteZeus.exe
1788	SuporteZeus.exe
1788	SuporteZeus.exe
1788	SuporteZeus.exe
1788	SuporteZeus.exe
1788	SuporteZeus.exe
1788	SuporteZeus.exe
1788	SuporteZeus.exe
1788	SuporteZeus.exe
1788	SuporteZeus.exe
1788	SuporteZeus.exe
1788	SuporteZeus.exe
1788	SuporteZeus.exe
1788	SuporteZeus.exe
1788	SuporteZeus.exe
1788	SuporteZeus.exe
1788	SuporteZeus.exe
1788	SuporteZeus.exe
1788	SuporteZeus.exe
1788	SuporteZeus.exe
1788	SuporteZeus.exe
1788	SuporteZeus.exe
1788	SuporteZeus.exe
1788	SuporteZeus.exe
1788	SuporteZeus.exe
1788	SuporteZeus.exe
1788	SuporteZeus.exe
1788	SuporteZeus.exe
1788	SuporteZeus.exe
1788	SuporteZeus.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	528	taskkill.exe
Token: SeDebugPrivilege	1180	taskkill.exe
Token: SeDebugPrivilege	1944	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1780	WMIC.exe
Token: SeSecurityPrivilege	1780	WMIC.exe
Token: SeTakeOwnershipPrivilege	1780	WMIC.exe
Token: SeLoadDriverPrivilege	1780	WMIC.exe
Token: SeSystemProfilePrivilege	1780	WMIC.exe
Token: SeSystemtimePrivilege	1780	WMIC.exe
Token: SeProfSingleProcessPrivilege	1780	WMIC.exe
Token: SeIncBasePriorityPrivilege	1780	WMIC.exe
Token: SeCreatePagefilePrivilege	1780	WMIC.exe
Token: SeBackupPrivilege	1780	WMIC.exe
Token: SeRestorePrivilege	1780	WMIC.exe
Token: SeShutdownPrivilege	1780	WMIC.exe
Token: SeDebugPrivilege	1780	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1780	WMIC.exe
Token: SeRemoteShutdownPrivilege	1780	WMIC.exe
Token: SeUndockPrivilege	1780	WMIC.exe
Token: SeManageVolumePrivilege	1780	WMIC.exe
Token: 33	1780	WMIC.exe
Token: 34	1780	WMIC.exe
Token: 35	1780	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1780	WMIC.exe
Token: SeSecurityPrivilege	1780	WMIC.exe
Token: SeTakeOwnershipPrivilege	1780	WMIC.exe
Token: SeLoadDriverPrivilege	1780	WMIC.exe
Token: SeSystemProfilePrivilege	1780	WMIC.exe
Token: SeSystemtimePrivilege	1780	WMIC.exe
Token: SeProfSingleProcessPrivilege	1780	WMIC.exe
Token: SeIncBasePriorityPrivilege	1780	WMIC.exe
Token: SeCreatePagefilePrivilege	1780	WMIC.exe
Token: SeBackupPrivilege	1780	WMIC.exe
Token: SeRestorePrivilege	1780	WMIC.exe
Token: SeShutdownPrivilege	1780	WMIC.exe
Token: SeDebugPrivilege	1780	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1780	WMIC.exe
Token: SeRemoteShutdownPrivilege	1780	WMIC.exe
Token: SeUndockPrivilege	1780	WMIC.exe
Token: SeManageVolumePrivilege	1780	WMIC.exe
Token: 33	1780	WMIC.exe
Token: 34	1780	WMIC.exe
Token: 35	1780	WMIC.exe
Token: SeIncreaseQuotaPrivilege	844	wmic.exe
Token: SeSecurityPrivilege	844	wmic.exe
Token: SeTakeOwnershipPrivilege	844	wmic.exe
Token: SeLoadDriverPrivilege	844	wmic.exe
Token: SeSystemProfilePrivilege	844	wmic.exe
Token: SeSystemtimePrivilege	844	wmic.exe
Token: SeProfSingleProcessPrivilege	844	wmic.exe
Token: SeIncBasePriorityPrivilege	844	wmic.exe
Token: SeCreatePagefilePrivilege	844	wmic.exe
Token: SeBackupPrivilege	844	wmic.exe
Token: SeRestorePrivilege	844	wmic.exe
Token: SeShutdownPrivilege	844	wmic.exe
Token: SeDebugPrivilege	844	wmic.exe
Token: SeSystemEnvironmentPrivilege	844	wmic.exe
Token: SeRemoteShutdownPrivilege	844	wmic.exe
Token: SeUndockPrivilege	844	wmic.exe
Token: SeManageVolumePrivilege	844	wmic.exe
Token: 33	844	wmic.exe
Token: 34	844	wmic.exe
Token: 35	844	wmic.exe
Token: SeIncreaseQuotaPrivilege	844	wmic.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
672	1813cdbea071efd7e0b261e0b1f47635.tmp
672	1813cdbea071efd7e0b261e0b1f47635.tmp

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
672	1813cdbea071efd7e0b261e0b1f47635.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 672	1348	1813cdbea071efd7e0b261e0b1f47635.exe	26
PID 1348 wrote to memory of 672	1348	1813cdbea071efd7e0b261e0b1f47635.exe	26
PID 1348 wrote to memory of 672	1348	1813cdbea071efd7e0b261e0b1f47635.exe	26
PID 1348 wrote to memory of 672	1348	1813cdbea071efd7e0b261e0b1f47635.exe	26
PID 1348 wrote to memory of 672	1348	1813cdbea071efd7e0b261e0b1f47635.exe	26
PID 1348 wrote to memory of 672	1348	1813cdbea071efd7e0b261e0b1f47635.exe	26
PID 1348 wrote to memory of 672	1348	1813cdbea071efd7e0b261e0b1f47635.exe	26
PID 672 wrote to memory of 1788	672	1813cdbea071efd7e0b261e0b1f47635.tmp	27
PID 672 wrote to memory of 1788	672	1813cdbea071efd7e0b261e0b1f47635.tmp	27
PID 672 wrote to memory of 1788	672	1813cdbea071efd7e0b261e0b1f47635.tmp	27
PID 672 wrote to memory of 1788	672	1813cdbea071efd7e0b261e0b1f47635.tmp	27
PID 1788 wrote to memory of 1012	1788	SuporteZeus.exe	31
PID 1788 wrote to memory of 1012	1788	SuporteZeus.exe	31
PID 1788 wrote to memory of 1012	1788	SuporteZeus.exe	31
PID 1788 wrote to memory of 1012	1788	SuporteZeus.exe	31
PID 1788 wrote to memory of 1040	1788	SuporteZeus.exe	33
PID 1788 wrote to memory of 1040	1788	SuporteZeus.exe	33
PID 1788 wrote to memory of 1040	1788	SuporteZeus.exe	33
PID 1788 wrote to memory of 1040	1788	SuporteZeus.exe	33
PID 1788 wrote to memory of 1180	1788	SuporteZeus.exe	35
PID 1788 wrote to memory of 1180	1788	SuporteZeus.exe	35
PID 1788 wrote to memory of 1180	1788	SuporteZeus.exe	35
PID 1788 wrote to memory of 1180	1788	SuporteZeus.exe	35
PID 1788 wrote to memory of 1560	1788	SuporteZeus.exe	37
PID 1788 wrote to memory of 1560	1788	SuporteZeus.exe	37
PID 1788 wrote to memory of 1560	1788	SuporteZeus.exe	37
PID 1788 wrote to memory of 1560	1788	SuporteZeus.exe	37
PID 1788 wrote to memory of 1240	1788	SuporteZeus.exe	39
PID 1788 wrote to memory of 1240	1788	SuporteZeus.exe	39
PID 1788 wrote to memory of 1240	1788	SuporteZeus.exe	39
PID 1788 wrote to memory of 1240	1788	SuporteZeus.exe	39
PID 1788 wrote to memory of 780	1788	SuporteZeus.exe	41
PID 1788 wrote to memory of 780	1788	SuporteZeus.exe	41
PID 1788 wrote to memory of 780	1788	SuporteZeus.exe	41
PID 1788 wrote to memory of 780	1788	SuporteZeus.exe	41
PID 1788 wrote to memory of 1124	1788	SuporteZeus.exe	43
PID 1788 wrote to memory of 1124	1788	SuporteZeus.exe	43
PID 1788 wrote to memory of 1124	1788	SuporteZeus.exe	43
PID 1788 wrote to memory of 1124	1788	SuporteZeus.exe	43
PID 1788 wrote to memory of 1800	1788	SuporteZeus.exe	45
PID 1788 wrote to memory of 1800	1788	SuporteZeus.exe	45
PID 1788 wrote to memory of 1800	1788	SuporteZeus.exe	45
PID 1788 wrote to memory of 1800	1788	SuporteZeus.exe	45
PID 1788 wrote to memory of 1680	1788	SuporteZeus.exe	47
PID 1788 wrote to memory of 1680	1788	SuporteZeus.exe	47
PID 1788 wrote to memory of 1680	1788	SuporteZeus.exe	47
PID 1788 wrote to memory of 1680	1788	SuporteZeus.exe	47
PID 1788 wrote to memory of 1852	1788	SuporteZeus.exe	49
PID 1788 wrote to memory of 1852	1788	SuporteZeus.exe	49
PID 1788 wrote to memory of 1852	1788	SuporteZeus.exe	49
PID 1788 wrote to memory of 1852	1788	SuporteZeus.exe	49
PID 1788 wrote to memory of 1604	1788	SuporteZeus.exe	51
PID 1788 wrote to memory of 1604	1788	SuporteZeus.exe	51
PID 1788 wrote to memory of 1604	1788	SuporteZeus.exe	51
PID 1788 wrote to memory of 1604	1788	SuporteZeus.exe	51
PID 1788 wrote to memory of 528	1788	SuporteZeus.exe	53
PID 1788 wrote to memory of 528	1788	SuporteZeus.exe	53
PID 1788 wrote to memory of 528	1788	SuporteZeus.exe	53
PID 1788 wrote to memory of 528	1788	SuporteZeus.exe	53
PID 1788 wrote to memory of 1180	1788	SuporteZeus.exe	56
PID 1788 wrote to memory of 1180	1788	SuporteZeus.exe	56
PID 1788 wrote to memory of 1180	1788	SuporteZeus.exe	56
PID 1788 wrote to memory of 1180	1788	SuporteZeus.exe	56
PID 1788 wrote to memory of 1944	1788	SuporteZeus.exe	58

C:\Users\Admin\AppData\Local\Temp\1813cdbea071efd7e0b261e0b1f47635.exe
"C:\Users\Admin\AppData\Local\Temp\1813cdbea071efd7e0b261e0b1f47635.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Users\Admin\AppData\Local\Temp\is-6SLD0.tmp\1813cdbea071efd7e0b261e0b1f47635.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-6SLD0.tmp\1813cdbea071efd7e0b261e0b1f47635.tmp" /SL5="$90120,7763926,67584,C:\Users\Admin\AppData\Local\Temp\1813cdbea071efd7e0b261e0b1f47635.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:672
- - C:\Program Files (x86)\Zeus Tecnologia STI\SuporteZeus.exe
    "C:\Program Files (x86)\Zeus Tecnologia STI\SuporteZeus.exe" -STIconfig
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Modifies system certificate store
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1788
  - - C:\Windows\SysWOW64\SC.exe
      SC stop "AmmyyAdmin"
      4⤵
      Launches sc.exe
      PID:1012
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /End /TN ZeusTecSTI
      4⤵
      PID:1040
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /End /TN ZeusTecSTI
      4⤵
      PID:1180
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /End /TN ZeusTecnologia\ZeusTecSTI
      4⤵
      PID:1560
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /End /TN ZeusTecnologia\ZeusTecINV
      4⤵
      PID:1240
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /delete /F /TN "Zeus Tecnologia STI"
      4⤵
      PID:780
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /delete /F /TN ZeusTecSTI
      4⤵
      PID:1124
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /delete /F /TN ZeusTecnologia\ZeusTecINV
      4⤵
      PID:1800
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /delete /F /TN ZeusTecnologia\ZeusTecSTI
      4⤵
      PID:1680
  - - C:\Windows\SysWOW64\NETSH.exe
      NETSH advfirewall firewall delete rule name="ZeusAtualiza"
      4⤵
      Modifies Windows Firewall
      PID:1852
  - - C:\Windows\SysWOW64\NETSH.exe
      NETSH advfirewall firewall delete rule name="ZeusAmmyyAdm"
      4⤵
      Modifies Windows Firewall
      PID:1604
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill -f -im AmmyyAdmin.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:528
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill -f -im AtualizadorZeus.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1180
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill -f -im gerenciadorZeus.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1944
  - - C:\Windows\SysWOW64\SC.exe
      SC delete "AmmyyAdmin"
      4⤵
      Launches sc.exe
      PID:1096
  - - C:\Windows\SysWOW64\NET.exe
      NET USER "zeustec" /ADD
      4⤵
      PID:468
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 USER "zeustec" /ADD
        5⤵
        
        PID:1856
  - - C:\Windows\SysWOW64\NET.exe
      NET USER "zeustec" "Zeus!2125"
      4⤵
      PID:1800
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 USER "zeustec" "Zeus!2125"
        5⤵
        
        PID:996
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC USERACCOUNT WHERE "Name='zeustec' and Domain='ORXGKKZC'" SET PasswordExpires=FALSE
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1780
  - - C:\Windows\SysWOW64\net.exe
      net users zeustec /fullname:"ZeusTecnologia"
      4⤵
      PID:980
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 users zeustec /fullname:"ZeusTecnologia"
        5⤵
        
        PID:1984
  - - C:\Windows\SysWOW64\NET.exe
      NET LOCALGROUP "Administrators" "zeustec" /ADD
      4⤵
      PID:1184
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 LOCALGROUP "Administrators" "zeustec" /ADD
        5⤵
        
        PID:804
  - - C:\Windows\SysWOW64\NET.exe
      NET LOCALGROUP "Remote Desktop Users" "zeustec" /ADD
      4⤵
      PID:1084
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" "zeustec" /ADD
        5⤵
        
        PID:336
  - - C:\Windows\SysWOW64\Wbem\wmic.exe
      wmic useraccount where name="admin" call rename "ZTadmin"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:844
  - - C:\Windows\SysWOW64\NET.exe
      NET USER "ztadmin" /ADD
      4⤵
      PID:1928
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 USER "ztadmin" /ADD
        5⤵
        
        PID:1268
  - - C:\Windows\SysWOW64\NET.exe
      NET USER "ztadmin" "Cliente@3456"
      4⤵
      PID:1608
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 USER "ztadmin" "Cliente@3456"
        5⤵
        
        PID:2008
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      WMIC USERACCOUNT WHERE "Name='ztadmin' and Domain='ORXGKKZC'" SET PasswordExpires=FALSE
      4⤵
      PID:752
  - - C:\Windows\SysWOW64\net.exe
      net users ztadmin /fullname:"ZTAdmin"
      4⤵
      PID:1800
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 users ztadmin /fullname:"ZTAdmin"
        5⤵
        
        PID:820
  - - C:\Windows\SysWOW64\NET.exe
      NET LOCALGROUP "Administrators" "ztadmin" /ADD
      4⤵
      PID:1520
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 LOCALGROUP "Administrators" "ztadmin" /ADD
        5⤵
        
        PID:1592
  - - C:\Windows\SysWOW64\cacls.exe
      cacls "C:\Program Files (x86)\Zeus Tecnologia STI\DOWNLOADS" /T /E /C /P Users:F
      4⤵
      PID:980
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg -x -monitor-timeout-ac 15
      4⤵
      PID:2040
  - - C:\Windows\SysWOW64\powercfg.exe
      powercfg -x -standby-timeout-ac 0
      4⤵
      PID:528
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /ru system /create /sc daily /st 12:30 /RI 10 /DU 00:18 /K /tn ZeusTecnologia\ZeusTecSTI /tr "'C:\Program Files (x86)\Zeus Tecnologia STI\atualizadorZeus.exe' -STI" /f /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:1544
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /ru system /create /sc daily /st 12:50 /tn ZeusTecnologia\ZeusTecINV /tr "'C:\Program Files (x86)\Zeus Tecnologia STI\SuporteZeus.exe' -INV" /f /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:1628
  - - C:\Windows\SysWOW64\NETSH.exe
      NETSH advfirewall firewall add rule name="ZeusAtualiza" dir=IN action=ALLOW program="C:\Program Files (x86)\Zeus Tecnologia STI\atualizadorZeus.exe" enable=YES profile=ANY description="Atualizador - Zeus Tecnologia"
      4⤵
      Modifies Windows Firewall
      PID:1268
  - - C:\Windows\SysWOW64\NETSH.exe
      NETSH advfirewall firewall add rule name="ZeusAmmyyAdm" dir=IN action=ALLOW program="C:\Program Files (x86)\Zeus Tecnologia STI\AmmyyAdmin.exe" enable=YES profile=ANY description="Ammyy Admin - Zeus Tecnologia"
      4⤵
      Modifies Windows Firewall
      PID:1820
  - - C:\Windows\SysWOW64\NETSH.exe
      NETSH advfirewall firewall set rule GROUP="Descoberta de Rede" NEW enable=YES
      4⤵
      Modifies Windows Firewall
      PID:1744
  - - C:\Windows\SysWOW64\NETSH.exe
      NETSH advfirewall firewall set rule GROUP="Network Discovery" NEW enable=YES
      4⤵
      Modifies Windows Firewall
      PID:1984
  - - C:\Windows\SysWOW64\NETSH.exe
      NETSH advfirewall firewall set rule GROUP="Área de Trabalho Remota" NEW enable=YES
      4⤵
      Modifies Windows Firewall
      PID:1376
  - - C:\Windows\SysWOW64\SC.exe
      SC create "AmmyyAdmin" binPath= "\"C:\Program Files (x86)\Zeus Tecnologia STI\AmmyyAdmin.exe\" -service" DisplayName= "Ammyy Admin" start= auto
      4⤵
      Launches sc.exe
      PID:1364
  - - C:\Windows\SysWOW64\SC.exe
      SC description "AmmyyAdmin" "Sistema de suporte remoto utilizado pela www.ZeusTecnologia.com.br"
      4⤵
      Launches sc.exe
      PID:1580
  - - C:\Windows\SysWOW64\SC.exe
      SC failure "AmmyyAdmin" reset=60 actions=restart/60000
      4⤵
      Launches sc.exe
      PID:1544
  - - C:\Windows\SysWOW64\SC.exe
      SC start "AmmyyAdmin" | findstr "RUNNING START_PENDING"
      4⤵
      Launches sc.exe
      PID:1628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Account Manipulation

T1098

Modify Existing Service

T1031

New Service

T1050

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Account Manipulation

T1098

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Zeus Tecnologia STI\SuporteZeus.exe

Filesize
610KB

MD5
f07db1e2a512171311f40d080034ba01

SHA1
2296ad3bc8807dfa775d43d58c8d3b52d19dd7e2

SHA256
f3e997e126aaec0734a6f2a5d68e3d3ec58cc863705cc3991989cc8183af283e

SHA512
a8e4e28ff8332bc84471f1dfd02a9c519eda796196d4ce143bd3a7f94d91c2dab1a591996ece81de3f0e2fff2491efc66be611bd802857bb56b024240ad4026b

Download Submit
C:\Program Files (x86)\Zeus Tecnologia STI\SuporteZeus.exe

Filesize
610KB

MD5
f07db1e2a512171311f40d080034ba01

SHA1
2296ad3bc8807dfa775d43d58c8d3b52d19dd7e2

SHA256
f3e997e126aaec0734a6f2a5d68e3d3ec58cc863705cc3991989cc8183af283e

SHA512
a8e4e28ff8332bc84471f1dfd02a9c519eda796196d4ce143bd3a7f94d91c2dab1a591996ece81de3f0e2fff2491efc66be611bd802857bb56b024240ad4026b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6SLD0.tmp\1813cdbea071efd7e0b261e0b1f47635.tmp

Filesize
711KB

MD5
478fbeed5ddcc14317065fafc3c19928

SHA1
8a680ce343453e2407444894055e9630f0c36017

SHA256
20d3b66b3d08b16204a6471c1eba6e682765a5397f33a1f4607725db3ea6cd2d

SHA512
6165a7f11184fc8cc52dbe4ed1f412895f5abc308c1b1f9c793d465ddbae4406a656127b40a15591b26fa737e5d7015c9e927fbfadb095e462d2a1cba1fa417d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6SLD0.tmp\1813cdbea071efd7e0b261e0b1f47635.tmp

Filesize
711KB

MD5
478fbeed5ddcc14317065fafc3c19928

SHA1
8a680ce343453e2407444894055e9630f0c36017

SHA256
20d3b66b3d08b16204a6471c1eba6e682765a5397f33a1f4607725db3ea6cd2d

SHA512
6165a7f11184fc8cc52dbe4ed1f412895f5abc308c1b1f9c793d465ddbae4406a656127b40a15591b26fa737e5d7015c9e927fbfadb095e462d2a1cba1fa417d

Download Submit
\Program Files (x86)\Zeus Tecnologia STI\GerenciadorZeus.exe

Filesize
1.1MB

MD5
8d79a74e9577d4d1a42e9a0e76033e4c

SHA1
795b91dafd2b16847cb393d98f419bdd9e48fdf3

SHA256
1ad012e6a910a80338958b2ad90d1cbd2ca1355f15021b205be23715474530d0

SHA512
e411eef003131660b87b978bbd778b9e3dc86537b4d0c2f529ec9e5e26c8bb7760dd62352ca55d9fbf874718cedcb7c7726f11e0b26a31ab5698e5fba051be2b

Download Submit
\Program Files (x86)\Zeus Tecnologia STI\SuporteZeus.exe

Filesize
610KB

MD5
f07db1e2a512171311f40d080034ba01

SHA1
2296ad3bc8807dfa775d43d58c8d3b52d19dd7e2

SHA256
f3e997e126aaec0734a6f2a5d68e3d3ec58cc863705cc3991989cc8183af283e

SHA512
a8e4e28ff8332bc84471f1dfd02a9c519eda796196d4ce143bd3a7f94d91c2dab1a591996ece81de3f0e2fff2491efc66be611bd802857bb56b024240ad4026b

Download Submit
\Program Files (x86)\Zeus Tecnologia STI\SuporteZeus.exe

Filesize
610KB

MD5
f07db1e2a512171311f40d080034ba01

SHA1
2296ad3bc8807dfa775d43d58c8d3b52d19dd7e2

SHA256
f3e997e126aaec0734a6f2a5d68e3d3ec58cc863705cc3991989cc8183af283e

SHA512
a8e4e28ff8332bc84471f1dfd02a9c519eda796196d4ce143bd3a7f94d91c2dab1a591996ece81de3f0e2fff2491efc66be611bd802857bb56b024240ad4026b

Download Submit
\Program Files (x86)\Zeus Tecnologia STI\SuporteZeus.exe

Filesize
610KB

MD5
f07db1e2a512171311f40d080034ba01

SHA1
2296ad3bc8807dfa775d43d58c8d3b52d19dd7e2

SHA256
f3e997e126aaec0734a6f2a5d68e3d3ec58cc863705cc3991989cc8183af283e

SHA512
a8e4e28ff8332bc84471f1dfd02a9c519eda796196d4ce143bd3a7f94d91c2dab1a591996ece81de3f0e2fff2491efc66be611bd802857bb56b024240ad4026b

Download Submit
\Users\Admin\AppData\Local\Temp\is-6SLD0.tmp\1813cdbea071efd7e0b261e0b1f47635.tmp

Filesize
711KB

MD5
478fbeed5ddcc14317065fafc3c19928

SHA1
8a680ce343453e2407444894055e9630f0c36017

SHA256
20d3b66b3d08b16204a6471c1eba6e682765a5397f33a1f4607725db3ea6cd2d

SHA512
6165a7f11184fc8cc52dbe4ed1f412895f5abc308c1b1f9c793d465ddbae4406a656127b40a15591b26fa737e5d7015c9e927fbfadb095e462d2a1cba1fa417d

Download Submit
memory/672-74-0x0000000003AD0000-0x0000000003C2E000-memory.dmp

Filesize
1.4MB

Download
memory/672-73-0x0000000001FE0000-0x0000000001FF0000-memory.dmp

Filesize
64KB

Download
memory/672-77-0x0000000001FE0000-0x0000000001FF0000-memory.dmp

Filesize
64KB

Download
memory/672-78-0x0000000001FE0000-0x0000000001FF0000-memory.dmp

Filesize
64KB

Download
memory/672-79-0x0000000003AD0000-0x0000000003C2E000-memory.dmp

Filesize
1.4MB

Download
memory/672-72-0x0000000001FE0000-0x0000000001FF0000-memory.dmp

Filesize
64KB

Download
memory/672-62-0x0000000074711000-0x0000000074713000-memory.dmp

Filesize
8KB

Download
memory/1348-61-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1348-55-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1348-54-0x0000000074F41000-0x0000000074F43000-memory.dmp

Filesize
8KB

Download
memory/1348-76-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1348-145-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1788-144-0x0000000000FD0000-0x000000000112E000-memory.dmp

Filesize
1.4MB

Download
memory/1788-75-0x0000000000FD0000-0x000000000112E000-memory.dmp

Filesize
1.4MB

Download