zgrat | 36216f13d2670aadc24589c4810c4ef62e9370a4e3cf05f8015b1beb5e0c4a63

Analysis

max time kernel
148s
max time network
139s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
21/11/2023, 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

506761d4ae9aa7134c001c7f0b7b4827.exe
Size

590KB
MD5

506761d4ae9aa7134c001c7f0b7b4827
SHA1

45b12d344817ca14e1f630da7f624b2093e7728d
SHA256

36216f13d2670aadc24589c4810c4ef62e9370a4e3cf05f8015b1beb5e0c4a63
SHA512

6989bed145db2b4397a3f6b76a5be58b102270ed94ac42c7914cfe17c916bd6779b8575f6a0e39d7f8a18343dcd5579f5f72a759b873c453e85d6314dd217d63
SSDEEP

12288:I2kEUbOlK2wyuxkVT0qIGk7TeO7Ii2amedllsEqUbBm+wsSqRhxMuTw1gk:I2QLyVwRGkf7Ii8eLuzekcGuTc

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 35 IoCs

resource	yara_rule
behavioral1/memory/2248-3-0x0000000000920000-0x0000000000A04000-memory.dmp	family_zgrat_v1
behavioral1/memory/2248-5-0x0000000000920000-0x00000000009FF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2248-7-0x0000000000920000-0x00000000009FF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2248-4-0x0000000000920000-0x00000000009FF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2248-9-0x0000000000920000-0x00000000009FF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2248-11-0x0000000000920000-0x00000000009FF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2248-13-0x0000000000920000-0x00000000009FF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2248-15-0x0000000000920000-0x00000000009FF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2248-17-0x0000000000920000-0x00000000009FF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2248-19-0x0000000000920000-0x00000000009FF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2248-21-0x0000000000920000-0x00000000009FF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2248-23-0x0000000000920000-0x00000000009FF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2248-25-0x0000000000920000-0x00000000009FF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2248-27-0x0000000000920000-0x00000000009FF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2248-31-0x0000000000920000-0x00000000009FF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2248-33-0x0000000000920000-0x00000000009FF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2248-29-0x0000000000920000-0x00000000009FF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2248-35-0x0000000000920000-0x00000000009FF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2248-37-0x0000000000920000-0x00000000009FF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2248-41-0x0000000000920000-0x00000000009FF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2248-45-0x0000000000920000-0x00000000009FF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2248-47-0x0000000000920000-0x00000000009FF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2248-51-0x0000000000920000-0x00000000009FF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2248-49-0x0000000000920000-0x00000000009FF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2248-43-0x0000000000920000-0x00000000009FF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2248-39-0x0000000000920000-0x00000000009FF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2248-53-0x0000000000920000-0x00000000009FF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2248-59-0x0000000000920000-0x00000000009FF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2248-61-0x0000000000920000-0x00000000009FF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2248-57-0x0000000000920000-0x00000000009FF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2248-55-0x0000000000920000-0x00000000009FF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2248-63-0x0000000000920000-0x00000000009FF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2248-67-0x0000000000920000-0x00000000009FF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2248-65-0x0000000000920000-0x00000000009FF000-memory.dmp	family_zgrat_v1
behavioral1/memory/2352-6603-0x000000001BA00000-0x000000001BB00000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
2304	Key.exe
2352	kwaddafc.exe
2748	Values.exe
3056	dsuob.exe

Loads dropped DLL 4 IoCs

pid	Process
1644	taskeng.exe
1644	taskeng.exe
1644	taskeng.exe
2756	aspnet_compiler.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2304 set thread context of 1372	2304	Key.exe	37
PID 2748 set thread context of 2756	2748	Values.exe	44

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3028	powershell.exe
2304	Key.exe
2304	Key.exe
1788	powershell.exe
1600	powershell.exe
2756	aspnet_compiler.exe
2756	aspnet_compiler.exe
2756	aspnet_compiler.exe
2756	aspnet_compiler.exe
2756	aspnet_compiler.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	2248	506761d4ae9aa7134c001c7f0b7b4827.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	2304	Key.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	1372	InstallUtil.exe
Token: SeDebugPrivilege	2352	kwaddafc.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	2748	Values.exe
Token: SeDebugPrivilege	2756	aspnet_compiler.exe
Token: SeDebugPrivilege	3056	dsuob.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 3028	2308	taskeng.exe	33
PID 2308 wrote to memory of 3028	2308	taskeng.exe	33
PID 2308 wrote to memory of 3028	2308	taskeng.exe	33
PID 1644 wrote to memory of 2304	1644	taskeng.exe	36
PID 1644 wrote to memory of 2304	1644	taskeng.exe	36
PID 1644 wrote to memory of 2304	1644	taskeng.exe	36
PID 2304 wrote to memory of 1372	2304	Key.exe	37
PID 2304 wrote to memory of 1372	2304	Key.exe	37
PID 2304 wrote to memory of 1372	2304	Key.exe	37
PID 2304 wrote to memory of 1372	2304	Key.exe	37
PID 2304 wrote to memory of 1372	2304	Key.exe	37
PID 2304 wrote to memory of 1372	2304	Key.exe	37
PID 2304 wrote to memory of 1372	2304	Key.exe	37
PID 2308 wrote to memory of 1788	2308	taskeng.exe	38
PID 2308 wrote to memory of 1788	2308	taskeng.exe	38
PID 2308 wrote to memory of 1788	2308	taskeng.exe	38
PID 1644 wrote to memory of 2352	1644	taskeng.exe	40
PID 1644 wrote to memory of 2352	1644	taskeng.exe	40
PID 1644 wrote to memory of 2352	1644	taskeng.exe	40
PID 2308 wrote to memory of 1600	2308	taskeng.exe	41
PID 2308 wrote to memory of 1600	2308	taskeng.exe	41
PID 2308 wrote to memory of 1600	2308	taskeng.exe	41
PID 1644 wrote to memory of 2748	1644	taskeng.exe	43
PID 1644 wrote to memory of 2748	1644	taskeng.exe	43
PID 1644 wrote to memory of 2748	1644	taskeng.exe	43
PID 2748 wrote to memory of 2756	2748	Values.exe	44
PID 2748 wrote to memory of 2756	2748	Values.exe	44
PID 2748 wrote to memory of 2756	2748	Values.exe	44
PID 2748 wrote to memory of 2756	2748	Values.exe	44
PID 2748 wrote to memory of 2756	2748	Values.exe	44
PID 2748 wrote to memory of 2756	2748	Values.exe	44
PID 2748 wrote to memory of 2756	2748	Values.exe	44
PID 2756 wrote to memory of 3056	2756	aspnet_compiler.exe	45
PID 2756 wrote to memory of 3056	2756	aspnet_compiler.exe	45
PID 2756 wrote to memory of 3056	2756	aspnet_compiler.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\506761d4ae9aa7134c001c7f0b7b4827.exe
"C:\Users\Admin\AppData\Local\Temp\506761d4ae9aa7134c001c7f0b7b4827.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\system32\taskeng.exe
taskeng.exe {626E197E-837C-4243-8DEF-AEDC50DB58B7} S-1-5-21-2085049433-1067986815-1244098655-1000:AHLBRYJO\Admin:S4U:
1⤵
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcACoALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACAALQBGAG8AcgBjAGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlAA==
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1600

C:\Windows\system32\taskeng.exe
taskeng.exe {8311B574-A50C-4E1D-89AC-16DEFE591732} S-1-5-21-2085049433-1067986815-1244098655-1000:AHLBRYJO\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Users\Admin\AppData\Local\IsInvalid\rekuk\Key.exe
  C:\Users\Admin\AppData\Local\IsInvalid\rekuk\Key.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1372
- C:\Users\Admin\AppData\Local\Temp\kwaddafc.exe
  C:\Users\Admin\AppData\Local\Temp\kwaddafc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2352
- C:\Users\Admin\AppData\Roaming\RevisionNumber\Values.exe
  C:\Users\Admin\AppData\Roaming\RevisionNumber\Values.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Users\Admin\AppData\Local\Temp\dsuob.exe
      "C:\Users\Admin\AppData\Local\Temp\dsuob.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\IsInvalid\rekuk\Key.exe

Filesize
590KB

MD5
506761d4ae9aa7134c001c7f0b7b4827

SHA1
45b12d344817ca14e1f630da7f624b2093e7728d

SHA256
36216f13d2670aadc24589c4810c4ef62e9370a4e3cf05f8015b1beb5e0c4a63

SHA512
6989bed145db2b4397a3f6b76a5be58b102270ed94ac42c7914cfe17c916bd6779b8575f6a0e39d7f8a18343dcd5579f5f72a759b873c453e85d6314dd217d63

Download Submit
C:\Users\Admin\AppData\Local\IsInvalid\rekuk\Key.exe

Filesize
590KB

MD5
506761d4ae9aa7134c001c7f0b7b4827

SHA1
45b12d344817ca14e1f630da7f624b2093e7728d

SHA256
36216f13d2670aadc24589c4810c4ef62e9370a4e3cf05f8015b1beb5e0c4a63

SHA512
6989bed145db2b4397a3f6b76a5be58b102270ed94ac42c7914cfe17c916bd6779b8575f6a0e39d7f8a18343dcd5579f5f72a759b873c453e85d6314dd217d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsuob.exe

Filesize
590KB

MD5
506761d4ae9aa7134c001c7f0b7b4827

SHA1
45b12d344817ca14e1f630da7f624b2093e7728d

SHA256
36216f13d2670aadc24589c4810c4ef62e9370a4e3cf05f8015b1beb5e0c4a63

SHA512
6989bed145db2b4397a3f6b76a5be58b102270ed94ac42c7914cfe17c916bd6779b8575f6a0e39d7f8a18343dcd5579f5f72a759b873c453e85d6314dd217d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\dsuob.exe

Filesize
590KB

MD5
506761d4ae9aa7134c001c7f0b7b4827

SHA1
45b12d344817ca14e1f630da7f624b2093e7728d

SHA256
36216f13d2670aadc24589c4810c4ef62e9370a4e3cf05f8015b1beb5e0c4a63

SHA512
6989bed145db2b4397a3f6b76a5be58b102270ed94ac42c7914cfe17c916bd6779b8575f6a0e39d7f8a18343dcd5579f5f72a759b873c453e85d6314dd217d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwaddafc.exe

Filesize
628KB

MD5
ff4a1fe6224d33770f881a7a96e33c3d

SHA1
640f780df5f878335f4f164d7c0fa584de7162f0

SHA256
bff608d07ccd836d3c076e9c34166867d9299e561edbc9d878e95776bb3ab630

SHA512
d34d269934f1f5b88432f562bc12f0f28e787fd67d8b7a61539152e02df65488c12cc90f82b1f05fe4784ab636b7c95d9f1ccb03b5d9025e194a3a4ba45dd223

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwaddafc.exe

Filesize
628KB

MD5
ff4a1fe6224d33770f881a7a96e33c3d

SHA1
640f780df5f878335f4f164d7c0fa584de7162f0

SHA256
bff608d07ccd836d3c076e9c34166867d9299e561edbc9d878e95776bb3ab630

SHA512
d34d269934f1f5b88432f562bc12f0f28e787fd67d8b7a61539152e02df65488c12cc90f82b1f05fe4784ab636b7c95d9f1ccb03b5d9025e194a3a4ba45dd223

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7c91760ad80f5d261abdb4e662a5c285

SHA1
32b43ae8b6c6ac36cf8ce84adbcf14bdb9344952

SHA256
f8271929879765df1fb802b5cd8bd97d374929a2bc3b5c5fb5a117d97297f4d3

SHA512
dd1276c5b67c434a9d9428fd3d5292d50b7d1d47ca29ccd4681fec8f88bb7256a8ffaa0afa7780987a7f558a18d986a474d4fe3892c0a7081b8a3cc82b603318

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
94f0563ddf1283759c38735ea1469a1d

SHA1
21892bee1e75a4a123943ec23b500e02ec2c9e36

SHA256
1774e86384c3a3e5ac5a44d190c6dc9efc3b097e06887c8e13b64f6c7f80d5a4

SHA512
93f5f428d40d888e099b91878e4d303a977300c4502f145a130a59e527a63ce5133adad6ec4f2c55a96246128ecae59b6242ba8d1cf23a0b6faa28d0476b8e54

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5FSD9VYBAY277VKFW09O.temp

Filesize
7KB

MD5
7c91760ad80f5d261abdb4e662a5c285

SHA1
32b43ae8b6c6ac36cf8ce84adbcf14bdb9344952

SHA256
f8271929879765df1fb802b5cd8bd97d374929a2bc3b5c5fb5a117d97297f4d3

SHA512
dd1276c5b67c434a9d9428fd3d5292d50b7d1d47ca29ccd4681fec8f88bb7256a8ffaa0afa7780987a7f558a18d986a474d4fe3892c0a7081b8a3cc82b603318

Download Submit
C:\Users\Admin\AppData\Roaming\RevisionNumber\Values.exe

Filesize
628KB

MD5
ff4a1fe6224d33770f881a7a96e33c3d

SHA1
640f780df5f878335f4f164d7c0fa584de7162f0

SHA256
bff608d07ccd836d3c076e9c34166867d9299e561edbc9d878e95776bb3ab630

SHA512
d34d269934f1f5b88432f562bc12f0f28e787fd67d8b7a61539152e02df65488c12cc90f82b1f05fe4784ab636b7c95d9f1ccb03b5d9025e194a3a4ba45dd223

Download Submit
C:\Users\Admin\AppData\Roaming\RevisionNumber\Values.exe

Filesize
628KB

MD5
ff4a1fe6224d33770f881a7a96e33c3d

SHA1
640f780df5f878335f4f164d7c0fa584de7162f0

SHA256
bff608d07ccd836d3c076e9c34166867d9299e561edbc9d878e95776bb3ab630

SHA512
d34d269934f1f5b88432f562bc12f0f28e787fd67d8b7a61539152e02df65488c12cc90f82b1f05fe4784ab636b7c95d9f1ccb03b5d9025e194a3a4ba45dd223

Download Submit
C:\Users\Admin\AppData\Roaming\RevisionNumber\Values.exe

Filesize
628KB

MD5
ff4a1fe6224d33770f881a7a96e33c3d

SHA1
640f780df5f878335f4f164d7c0fa584de7162f0

SHA256
bff608d07ccd836d3c076e9c34166867d9299e561edbc9d878e95776bb3ab630

SHA512
d34d269934f1f5b88432f562bc12f0f28e787fd67d8b7a61539152e02df65488c12cc90f82b1f05fe4784ab636b7c95d9f1ccb03b5d9025e194a3a4ba45dd223

Download Submit
\Users\Admin\AppData\Local\IsInvalid\rekuk\Key.exe

Filesize
590KB

MD5
506761d4ae9aa7134c001c7f0b7b4827

SHA1
45b12d344817ca14e1f630da7f624b2093e7728d

SHA256
36216f13d2670aadc24589c4810c4ef62e9370a4e3cf05f8015b1beb5e0c4a63

SHA512
6989bed145db2b4397a3f6b76a5be58b102270ed94ac42c7914cfe17c916bd6779b8575f6a0e39d7f8a18343dcd5579f5f72a759b873c453e85d6314dd217d63

Download Submit
\Users\Admin\AppData\Local\Temp\dsuob.exe

Filesize
590KB

MD5
506761d4ae9aa7134c001c7f0b7b4827

SHA1
45b12d344817ca14e1f630da7f624b2093e7728d

SHA256
36216f13d2670aadc24589c4810c4ef62e9370a4e3cf05f8015b1beb5e0c4a63

SHA512
6989bed145db2b4397a3f6b76a5be58b102270ed94ac42c7914cfe17c916bd6779b8575f6a0e39d7f8a18343dcd5579f5f72a759b873c453e85d6314dd217d63

Download Submit
\Users\Admin\AppData\Local\Temp\kwaddafc.exe

Filesize
628KB

MD5
ff4a1fe6224d33770f881a7a96e33c3d

SHA1
640f780df5f878335f4f164d7c0fa584de7162f0

SHA256
bff608d07ccd836d3c076e9c34166867d9299e561edbc9d878e95776bb3ab630

SHA512
d34d269934f1f5b88432f562bc12f0f28e787fd67d8b7a61539152e02df65488c12cc90f82b1f05fe4784ab636b7c95d9f1ccb03b5d9025e194a3a4ba45dd223

Download Submit
\Users\Admin\AppData\Roaming\RevisionNumber\Values.exe

Filesize
628KB

MD5
ff4a1fe6224d33770f881a7a96e33c3d

SHA1
640f780df5f878335f4f164d7c0fa584de7162f0

SHA256
bff608d07ccd836d3c076e9c34166867d9299e561edbc9d878e95776bb3ab630

SHA512
d34d269934f1f5b88432f562bc12f0f28e787fd67d8b7a61539152e02df65488c12cc90f82b1f05fe4784ab636b7c95d9f1ccb03b5d9025e194a3a4ba45dd223

Download Submit
memory/1372-6590-0x000007FEF5C60000-0x000007FEF664C000-memory.dmp

Filesize
9.9MB

Download
memory/1372-4448-0x000000001B700000-0x000000001B780000-memory.dmp

Filesize
512KB

Download
memory/1372-4396-0x000007FEF5C60000-0x000007FEF664C000-memory.dmp

Filesize
9.9MB

Download
memory/1372-6593-0x000000001B700000-0x000000001B780000-memory.dmp

Filesize
512KB

Download
memory/1372-6595-0x000000001B700000-0x000000001B780000-memory.dmp

Filesize
512KB

Download
memory/1372-4394-0x0000000140000000-0x0000000140098000-memory.dmp

Filesize
608KB

Download
memory/1372-6614-0x000000001B700000-0x000000001B780000-memory.dmp

Filesize
512KB

Download
memory/1600-6617-0x0000000000FC0000-0x0000000001040000-memory.dmp

Filesize
512KB

Download
memory/1600-6613-0x000007FEEE500000-0x000007FEEEE9D000-memory.dmp

Filesize
9.6MB

Download
memory/1600-6616-0x0000000000FC0000-0x0000000001040000-memory.dmp

Filesize
512KB

Download
memory/1600-6615-0x0000000000FC0000-0x0000000001040000-memory.dmp

Filesize
512KB

Download
memory/1600-6612-0x0000000000FC0000-0x0000000001040000-memory.dmp

Filesize
512KB

Download
memory/1600-6611-0x000007FEEE500000-0x000007FEEEE9D000-memory.dmp

Filesize
9.6MB

Download
memory/1600-6618-0x000007FEEE500000-0x000007FEEEE9D000-memory.dmp

Filesize
9.6MB

Download
memory/1788-6585-0x0000000000EF0000-0x0000000000EF8000-memory.dmp

Filesize
32KB

Download
memory/1788-6584-0x0000000019DA0000-0x000000001A082000-memory.dmp

Filesize
2.9MB

Download
memory/1788-6586-0x000007FEEFBA0000-0x000007FEF053D000-memory.dmp

Filesize
9.6MB

Download
memory/1788-6587-0x000007FEEFBA0000-0x000007FEF053D000-memory.dmp

Filesize
9.6MB

Download
memory/1788-6588-0x0000000000D90000-0x0000000000E10000-memory.dmp

Filesize
512KB

Download
memory/1788-6589-0x0000000000D90000-0x0000000000E10000-memory.dmp

Filesize
512KB

Download
memory/1788-6591-0x0000000000D90000-0x0000000000E10000-memory.dmp

Filesize
512KB

Download
memory/1788-6592-0x000007FEEFBA0000-0x000007FEF053D000-memory.dmp

Filesize
9.6MB

Download
memory/2248-29-0x0000000000920000-0x00000000009FF000-memory.dmp

Filesize
892KB

Download
memory/2248-37-0x0000000000920000-0x00000000009FF000-memory.dmp

Filesize
892KB

Download
memory/2248-2186-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2248-2183-0x00000000007C0000-0x000000000080C000-memory.dmp

Filesize
304KB

Download
memory/2248-2182-0x00000000021B0000-0x0000000002206000-memory.dmp

Filesize
344KB

Download
memory/2248-65-0x0000000000920000-0x00000000009FF000-memory.dmp

Filesize
892KB

Download
memory/2248-67-0x0000000000920000-0x00000000009FF000-memory.dmp

Filesize
892KB

Download
memory/2248-63-0x0000000000920000-0x00000000009FF000-memory.dmp

Filesize
892KB

Download
memory/2248-55-0x0000000000920000-0x00000000009FF000-memory.dmp

Filesize
892KB

Download
memory/2248-57-0x0000000000920000-0x00000000009FF000-memory.dmp

Filesize
892KB

Download
memory/2248-61-0x0000000000920000-0x00000000009FF000-memory.dmp

Filesize
892KB

Download
memory/2248-59-0x0000000000920000-0x00000000009FF000-memory.dmp

Filesize
892KB

Download
memory/2248-53-0x0000000000920000-0x00000000009FF000-memory.dmp

Filesize
892KB

Download
memory/2248-39-0x0000000000920000-0x00000000009FF000-memory.dmp

Filesize
892KB

Download
memory/2248-43-0x0000000000920000-0x00000000009FF000-memory.dmp

Filesize
892KB

Download
memory/2248-49-0x0000000000920000-0x00000000009FF000-memory.dmp

Filesize
892KB

Download
memory/2248-51-0x0000000000920000-0x00000000009FF000-memory.dmp

Filesize
892KB

Download
memory/2248-0-0x000000013F600000-0x000000013F698000-memory.dmp

Filesize
608KB

Download
memory/2248-47-0x0000000000920000-0x00000000009FF000-memory.dmp

Filesize
892KB

Download
memory/2248-45-0x0000000000920000-0x00000000009FF000-memory.dmp

Filesize
892KB

Download
memory/2248-41-0x0000000000920000-0x00000000009FF000-memory.dmp

Filesize
892KB

Download
memory/2248-2184-0x0000000002500000-0x0000000002554000-memory.dmp

Filesize
336KB

Download
memory/2248-35-0x0000000000920000-0x00000000009FF000-memory.dmp

Filesize
892KB

Download
memory/2248-33-0x0000000000920000-0x00000000009FF000-memory.dmp

Filesize
892KB

Download
memory/2248-31-0x0000000000920000-0x00000000009FF000-memory.dmp

Filesize
892KB

Download
memory/2248-27-0x0000000000920000-0x00000000009FF000-memory.dmp

Filesize
892KB

Download
memory/2248-25-0x0000000000920000-0x00000000009FF000-memory.dmp

Filesize
892KB

Download
memory/2248-23-0x0000000000920000-0x00000000009FF000-memory.dmp

Filesize
892KB

Download
memory/2248-21-0x0000000000920000-0x00000000009FF000-memory.dmp

Filesize
892KB

Download
memory/2248-19-0x0000000000920000-0x00000000009FF000-memory.dmp

Filesize
892KB

Download
memory/2248-17-0x0000000000920000-0x00000000009FF000-memory.dmp

Filesize
892KB

Download
memory/2248-15-0x0000000000920000-0x00000000009FF000-memory.dmp

Filesize
892KB

Download
memory/2248-13-0x0000000000920000-0x00000000009FF000-memory.dmp

Filesize
892KB

Download
memory/2248-11-0x0000000000920000-0x00000000009FF000-memory.dmp

Filesize
892KB

Download
memory/2248-9-0x0000000000920000-0x00000000009FF000-memory.dmp

Filesize
892KB

Download
memory/2248-4-0x0000000000920000-0x00000000009FF000-memory.dmp

Filesize
892KB

Download
memory/2248-7-0x0000000000920000-0x00000000009FF000-memory.dmp

Filesize
892KB

Download
memory/2248-5-0x0000000000920000-0x00000000009FF000-memory.dmp

Filesize
892KB

Download
memory/2248-3-0x0000000000920000-0x0000000000A04000-memory.dmp

Filesize
912KB

Download
memory/2248-2-0x000000001BBE0000-0x000000001BC60000-memory.dmp

Filesize
512KB

Download
memory/2248-1-0x000007FEF6060000-0x000007FEF6A4C000-memory.dmp

Filesize
9.9MB

Download
memory/2304-4384-0x000000001B4B0000-0x000000001B504000-memory.dmp

Filesize
336KB

Download
memory/2304-2205-0x000000001B5A0000-0x000000001B620000-memory.dmp

Filesize
512KB

Download
memory/2304-2203-0x000007FEF5C60000-0x000007FEF664C000-memory.dmp

Filesize
9.9MB

Download
memory/2304-2204-0x000000013F790000-0x000000013F828000-memory.dmp

Filesize
608KB

Download
memory/2304-4385-0x000000001B5A0000-0x000000001B620000-memory.dmp

Filesize
512KB

Download
memory/2304-4395-0x000007FEF5C60000-0x000007FEF664C000-memory.dmp

Filesize
9.9MB

Download
memory/2304-4498-0x000007FEF5C60000-0x000007FEF664C000-memory.dmp

Filesize
9.9MB

Download
memory/2304-4397-0x000000001B5A0000-0x000000001B620000-memory.dmp

Filesize
512KB

Download
memory/2304-4422-0x000000001B5A0000-0x000000001B620000-memory.dmp

Filesize
512KB

Download
memory/2352-6604-0x00000000008E0000-0x0000000000936000-memory.dmp

Filesize
344KB

Download
memory/2352-6605-0x000000001B250000-0x000000001B2D0000-memory.dmp

Filesize
512KB

Download
memory/2352-6603-0x000000001BA00000-0x000000001BB00000-memory.dmp

Filesize
1024KB

Download
memory/2352-6602-0x000000013F1A0000-0x000000013F242000-memory.dmp

Filesize
648KB

Download
memory/2352-6621-0x000007FEF5C60000-0x000007FEF664C000-memory.dmp

Filesize
9.9MB

Download
memory/2352-6601-0x000007FEF5C60000-0x000007FEF664C000-memory.dmp

Filesize
9.9MB

Download
memory/2748-6627-0x000000013FCB0000-0x000000013FD52000-memory.dmp

Filesize
648KB

Download
memory/2748-6642-0x000007FEF5C60000-0x000007FEF664C000-memory.dmp

Filesize
9.9MB

Download
memory/2748-6637-0x000000001B560000-0x000000001B5E0000-memory.dmp

Filesize
512KB

Download
memory/2748-6631-0x000000001B560000-0x000000001B5E0000-memory.dmp

Filesize
512KB

Download
memory/2748-6628-0x000000001B560000-0x000000001B5E0000-memory.dmp

Filesize
512KB

Download
memory/2748-6626-0x000007FEF5C60000-0x000007FEF664C000-memory.dmp

Filesize
9.9MB

Download
memory/2756-6639-0x0000000140000000-0x00000001400A2000-memory.dmp

Filesize
648KB

Download
memory/2756-6640-0x000000001B4D0000-0x000000001B550000-memory.dmp

Filesize
512KB

Download
memory/2756-6641-0x000007FEF5C60000-0x000007FEF664C000-memory.dmp

Filesize
9.9MB

Download
memory/2756-6643-0x000000001B4D0000-0x000000001B550000-memory.dmp

Filesize
512KB

Download
memory/2756-6644-0x000000001B4D0000-0x000000001B550000-memory.dmp

Filesize
512KB

Download
memory/3028-2194-0x0000000001160000-0x00000000011E0000-memory.dmp

Filesize
512KB

Download
memory/3028-2195-0x000007FEF5CB0000-0x000007FEF664D000-memory.dmp

Filesize
9.6MB

Download
memory/3028-2196-0x0000000001160000-0x00000000011E0000-memory.dmp

Filesize
512KB

Download
memory/3028-2197-0x0000000001160000-0x00000000011E0000-memory.dmp

Filesize
512KB

Download
memory/3028-2198-0x000007FEF5CB0000-0x000007FEF664D000-memory.dmp

Filesize
9.6MB

Download
memory/3028-2193-0x000007FEF5CB0000-0x000007FEF664D000-memory.dmp

Filesize
9.6MB

Download
memory/3028-2192-0x0000000000E00000-0x0000000000E08000-memory.dmp

Filesize
32KB

Download
memory/3028-2191-0x0000000019DA0000-0x000000001A082000-memory.dmp

Filesize
2.9MB

Download