zgrat | 252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c

Analysis

max time kernel
281s
max time network
303s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01-01-2024 04:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
Size

1.7MB
MD5

e3b4b83722d659d4c00b2ee746dbea0d
SHA1

a97e44f8c4f7ce19ef5a08b865e03da5f6c9b50d
SHA256

252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c
SHA512

46d6a70276db93a3c7e97379e2f43681e5e909d136432de76ced035e22d0fca95c0e3e3a6423734a123ad270a27f84cc550e9415d20a69992cfe13719026b334
SSDEEP

24576:rQa+rRep38knZGbO4oFya8ZbRxaiXvnEc3Suvb7sNPwEFfTPCRi4Vz:rZ+rRe3zn4ioa8ZbRMiXO07sNPwERWV

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 5 IoCs

resource	yara_rule
behavioral1/memory/2416-0-0x00000000010A0000-0x0000000001260000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0009000000015da6-26.dat	family_zgrat_v1
behavioral1/files/0x0009000000015da6-79.dat	family_zgrat_v1
behavioral1/memory/2876-80-0x0000000000E50000-0x0000000001010000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0009000000015da6-78.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 1 IoCs

pid	Process
2876	wininit.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\fr-FR\lsass.exe	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
File created	C:\Program Files\Internet Explorer\fr-FR\6203df4a6bafc7	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\winlogon.exe	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\cc11b995f2a76d	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Web\Wallpaper\wininit.exe	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
File opened for modification	C:\Windows\Web\Wallpaper\wininit.exe	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
File created	C:\Windows\Web\Wallpaper\56085415360792	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	wininit.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	wininit.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2988	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
2832	powershell.exe
2712	powershell.exe
2796	powershell.exe
2776	powershell.exe
2840	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2876	wininit.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	2876	wininit.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2796	2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe	28
PID 2416 wrote to memory of 2796	2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe	28
PID 2416 wrote to memory of 2796	2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe	28
PID 2416 wrote to memory of 2832	2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe	29
PID 2416 wrote to memory of 2832	2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe	29
PID 2416 wrote to memory of 2832	2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe	29
PID 2416 wrote to memory of 2840	2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe	30
PID 2416 wrote to memory of 2840	2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe	30
PID 2416 wrote to memory of 2840	2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe	30
PID 2416 wrote to memory of 2776	2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe	31
PID 2416 wrote to memory of 2776	2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe	31
PID 2416 wrote to memory of 2776	2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe	31
PID 2416 wrote to memory of 2712	2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe	32
PID 2416 wrote to memory of 2712	2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe	32
PID 2416 wrote to memory of 2712	2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe	32
PID 2416 wrote to memory of 2968	2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe	38
PID 2416 wrote to memory of 2968	2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe	38
PID 2416 wrote to memory of 2968	2416	252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe	38
PID 2968 wrote to memory of 2932	2968	cmd.exe	40
PID 2968 wrote to memory of 2932	2968	cmd.exe	40
PID 2968 wrote to memory of 2932	2968	cmd.exe	40
PID 2968 wrote to memory of 2988	2968	cmd.exe	41
PID 2968 wrote to memory of 2988	2968	cmd.exe	41
PID 2968 wrote to memory of 2988	2968	cmd.exe	41
PID 2968 wrote to memory of 2876	2968	cmd.exe	42
PID 2968 wrote to memory of 2876	2968	cmd.exe	42
PID 2968 wrote to memory of 2876	2968	cmd.exe	42

C:\Users\Admin\AppData\Local\Temp\252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe
"C:\Users\Admin\AppData\Local\Temp\252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Wallpaper\wininit.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\fr-FR\lsass.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\winlogon.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\add7a402-9b9f-11ee-a130-ac12cddc57f5\wininit.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\add7a402-9b9f-11ee-a130-ac12cddc57f5\wininit.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4aHiaViwNS.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2932
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:2988
- - C:\Recovery\add7a402-9b9f-11ee-a130-ac12cddc57f5\wininit.exe
    "C:\Recovery\add7a402-9b9f-11ee-a130-ac12cddc57f5\wininit.exe"
    3⤵
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\add7a402-9b9f-11ee-a130-ac12cddc57f5\wininit.exe

Filesize
1.7MB

MD5
e3b4b83722d659d4c00b2ee746dbea0d

SHA1
a97e44f8c4f7ce19ef5a08b865e03da5f6c9b50d

SHA256
252128128e81ecb5cf4c79eb8fef31fa773994df2a13a626f4c1bc33e991c33c

SHA512
46d6a70276db93a3c7e97379e2f43681e5e909d136432de76ced035e22d0fca95c0e3e3a6423734a123ad270a27f84cc550e9415d20a69992cfe13719026b334

Download Submit
C:\Recovery\add7a402-9b9f-11ee-a130-ac12cddc57f5\wininit.exe

Filesize
337KB

MD5
36c7506325206437b2de4041ecf56290

SHA1
9d4652b45086b57c1a0640b6c1d47d9bd739ae04

SHA256
149d9feb93458fac5f7eaabb289cfde17f48017689a240f8b03091abca65d2fb

SHA512
c7bc1201c384d7a1a928d722ace17020dc7fb171a4d4146d1afa0304000288cb18e16f7884c80938526215631a16e88d4f0f00f7bb1a7bfae8b88a1b3ffb6037

Download Submit
C:\Recovery\add7a402-9b9f-11ee-a130-ac12cddc57f5\wininit.exe

Filesize
483KB

MD5
6d9e7ae99b80b2a04c309444aac8a69b

SHA1
fb373ce335ef3a6189ada254dae94171f9425550

SHA256
d919573c0f7c33f352dac6b7bf18da3c64f36db7cdf9dd3893185c8cf1d3fc7d

SHA512
c252b8d8ed8d4b34089bd68a83042d63b858bb9aea44cb99ecf70534502b4af87fd8944d2d511a80d671c54c9673dae9dcd204df7d7341111d9a8353ec76cf83

Download Submit
C:\Users\Admin\AppData\Local\Temp\4aHiaViwNS.bat

Filesize
188B

MD5
0c61289d79d316856fa3866e9db3b4c8

SHA1
fa9f0a3460cb7f1d81cc8beb84e45d0c1059d839

SHA256
b60a61822defbb4803936f6df15165d42b86badcaf81a443815876241f08b4e8

SHA512
b5695e4edbe503bf9f403a70948cbcf5fb11e6ffed501e3cf9b55b2fcf3a61f2219c99e4b2d27683cccaaea797a57308d1abe0ca996e55b6b6182843d60b11d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
95e8e2e15a79f3711dcc9a25935ef26a

SHA1
099c2a4bf5644002bc4a4f9e2c463916941a0968

SHA256
c54ac46f7c219394d4837904145de0e80b7e7195ebb9c74443bd15917d59f4ce

SHA512
8428f26c8187fb64a999359a3adda3d3515a12c23c514f39f0c32f50cd8202cc6edbfccb340b21f7eeef05612168f3d8cfcd9b3845425484fdb7ceeab75fbf19

Download Submit
memory/2416-14-0x0000000076C60000-0x0000000076C61000-memory.dmp

Filesize
4KB

Download
memory/2416-17-0x0000000076C50000-0x0000000076C51000-memory.dmp

Filesize
4KB

Download
memory/2416-7-0x00000000004F0000-0x00000000004FE000-memory.dmp

Filesize
56KB

Download
memory/2416-11-0x0000000000500000-0x000000000050E000-memory.dmp

Filesize
56KB

Download
memory/2416-10-0x0000000076C70000-0x0000000076C71000-memory.dmp

Filesize
4KB

Download
memory/2416-13-0x0000000000510000-0x000000000051C000-memory.dmp

Filesize
48KB

Download
memory/2416-5-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/2416-8-0x0000000076C80000-0x0000000076C81000-memory.dmp

Filesize
4KB

Download
memory/2416-16-0x0000000000520000-0x000000000052C000-memory.dmp

Filesize
48KB

Download
memory/2416-4-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/2416-3-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2416-32-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp

Filesize
9.9MB

Download
memory/2416-2-0x000000001B2B0000-0x000000001B330000-memory.dmp

Filesize
512KB

Download
memory/2416-1-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp

Filesize
9.9MB

Download
memory/2416-0-0x00000000010A0000-0x0000000001260000-memory.dmp

Filesize
1.8MB

Download
memory/2712-72-0x0000000002510000-0x0000000002590000-memory.dmp

Filesize
512KB

Download
memory/2712-69-0x0000000002510000-0x0000000002590000-memory.dmp

Filesize
512KB

Download
memory/2712-77-0x000000000251B000-0x0000000002582000-memory.dmp

Filesize
412KB

Download
memory/2712-66-0x000007FEF5250000-0x000007FEF5BED000-memory.dmp

Filesize
9.6MB

Download
memory/2712-47-0x000000001B1F0000-0x000000001B4D2000-memory.dmp

Filesize
2.9MB

Download
memory/2712-73-0x0000000002510000-0x0000000002590000-memory.dmp

Filesize
512KB

Download
memory/2776-60-0x000007FEF5250000-0x000007FEF5BED000-memory.dmp

Filesize
9.6MB

Download
memory/2776-68-0x000000000288B000-0x00000000028F2000-memory.dmp

Filesize
412KB

Download
memory/2776-65-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download
memory/2796-75-0x000000000253B000-0x00000000025A2000-memory.dmp

Filesize
412KB

Download
memory/2796-64-0x0000000002534000-0x0000000002537000-memory.dmp

Filesize
12KB

Download
memory/2796-63-0x000007FEF5250000-0x000007FEF5BED000-memory.dmp

Filesize
9.6MB

Download
memory/2796-62-0x000007FEF5250000-0x000007FEF5BED000-memory.dmp

Filesize
9.6MB

Download
memory/2832-49-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/2832-67-0x0000000002934000-0x0000000002937000-memory.dmp

Filesize
12KB

Download
memory/2832-61-0x000007FEF5250000-0x000007FEF5BED000-memory.dmp

Filesize
9.6MB

Download
memory/2832-70-0x000000000293B000-0x00000000029A2000-memory.dmp

Filesize
412KB

Download
memory/2840-71-0x000007FEF5250000-0x000007FEF5BED000-memory.dmp

Filesize
9.6MB

Download
memory/2840-74-0x0000000002854000-0x0000000002857000-memory.dmp

Filesize
12KB

Download
memory/2840-76-0x000000000285B000-0x00000000028C2000-memory.dmp

Filesize
412KB

Download
memory/2876-82-0x000000001B5A0000-0x000000001B620000-memory.dmp

Filesize
512KB

Download
memory/2876-90-0x0000000076C70000-0x0000000076C71000-memory.dmp

Filesize
4KB

Download
memory/2876-80-0x0000000000E50000-0x0000000001010000-memory.dmp

Filesize
1.8MB

Download
memory/2876-83-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2876-84-0x000000001B5A0000-0x000000001B620000-memory.dmp

Filesize
512KB

Download
memory/2876-87-0x0000000076C80000-0x0000000076C81000-memory.dmp

Filesize
4KB

Download
memory/2876-85-0x000000001B5A0000-0x000000001B620000-memory.dmp

Filesize
512KB

Download
memory/2876-81-0x000007FEF4810000-0x000007FEF51FC000-memory.dmp

Filesize
9.9MB

Download
memory/2876-93-0x0000000076C50000-0x0000000076C51000-memory.dmp

Filesize
4KB

Download
memory/2876-92-0x0000000076C60000-0x0000000076C61000-memory.dmp

Filesize
4KB

Download
memory/2876-94-0x000007FEF4810000-0x000007FEF51FC000-memory.dmp

Filesize
9.9MB

Download
memory/2876-95-0x000000001B5A0000-0x000000001B620000-memory.dmp

Filesize
512KB

Download
memory/2876-96-0x000000001B5A0000-0x000000001B620000-memory.dmp

Filesize
512KB

Download
memory/2876-97-0x000000001B5A0000-0x000000001B620000-memory.dmp

Filesize
512KB

Download