zgrat | 975033d24044a83505ee98f9f3b857e114ccb5f6179db6dce90804af911eea8f

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
27-01-2024 06:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c124f00908309cd17feca68030e5d58e.exe
Size

3.6MB
MD5

c124f00908309cd17feca68030e5d58e
SHA1

7b3b43803a22887c780e545d1b480d56c573819d
SHA256

975033d24044a83505ee98f9f3b857e114ccb5f6179db6dce90804af911eea8f
SHA512

8df041a00ae350f74e12e91a6b6050ab0b64a45c3606b483fe2f43a4c9a2ad35e09a6aab9da4a73fb70bf21c84d4e3dc230aa52cfeff884eabd8ff5434356e05
SSDEEP

98304:CQAY9x3ZQXzWyzoYqxL24dUVOOFHxKf0/0sa:CQAYvpQXr8Yqx3dunqcs

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 6 IoCs

resource	yara_rule
behavioral1/memory/1972-0-0x00000000009F0000-0x0000000000D88000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0007000000016608-81.dat	family_zgrat_v1
behavioral1/files/0x0032000000015c41-89.dat	family_zgrat_v1
behavioral1/files/0x0032000000015c41-90.dat	family_zgrat_v1
behavioral1/memory/2940-91-0x0000000000E80000-0x0000000001218000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0032000000015c41-535.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 10 IoCs

pid	Process
2940	smss.exe
2248	smss.exe
572	smss.exe
2836	smss.exe
1976	smss.exe
1028	smss.exe
668	smss.exe
1988	smss.exe
1072	smss.exe
1584	smss.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\smss.exe	c124f00908309cd17feca68030e5d58e.exe
File created	C:\Program Files\Microsoft Office\69ddcba757bf72	c124f00908309cd17feca68030e5d58e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
2016	PING.EXE
2968	PING.EXE
2796	PING.EXE
680	PING.EXE
2340	PING.EXE
2108	PING.EXE
1124	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe
1972	c124f00908309cd17feca68030e5d58e.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	1972	c124f00908309cd17feca68030e5d58e.exe
Token: SeDebugPrivilege	2940	smss.exe
Token: SeDebugPrivilege	2248	smss.exe
Token: SeDebugPrivilege	572	smss.exe
Token: SeDebugPrivilege	2836	smss.exe
Token: SeDebugPrivilege	1976	smss.exe
Token: SeDebugPrivilege	1028	smss.exe
Token: SeDebugPrivilege	668	smss.exe
Token: SeDebugPrivilege	1988	smss.exe
Token: SeDebugPrivilege	1072	smss.exe
Token: SeDebugPrivilege	1584	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2556	1972	c124f00908309cd17feca68030e5d58e.exe	28
PID 1972 wrote to memory of 2556	1972	c124f00908309cd17feca68030e5d58e.exe	28
PID 1972 wrote to memory of 2556	1972	c124f00908309cd17feca68030e5d58e.exe	28
PID 2556 wrote to memory of 2644	2556	cmd.exe	30
PID 2556 wrote to memory of 2644	2556	cmd.exe	30
PID 2556 wrote to memory of 2644	2556	cmd.exe	30
PID 2556 wrote to memory of 2780	2556	cmd.exe	31
PID 2556 wrote to memory of 2780	2556	cmd.exe	31
PID 2556 wrote to memory of 2780	2556	cmd.exe	31
PID 2556 wrote to memory of 2940	2556	cmd.exe	32
PID 2556 wrote to memory of 2940	2556	cmd.exe	32
PID 2556 wrote to memory of 2940	2556	cmd.exe	32
PID 2940 wrote to memory of 2100	2940	smss.exe	34
PID 2940 wrote to memory of 2100	2940	smss.exe	34
PID 2940 wrote to memory of 2100	2940	smss.exe	34
PID 2100 wrote to memory of 1716	2100	cmd.exe	36
PID 2100 wrote to memory of 1716	2100	cmd.exe	36
PID 2100 wrote to memory of 1716	2100	cmd.exe	36
PID 2100 wrote to memory of 2968	2100	cmd.exe	37
PID 2100 wrote to memory of 2968	2100	cmd.exe	37
PID 2100 wrote to memory of 2968	2100	cmd.exe	37
PID 2100 wrote to memory of 2248	2100	cmd.exe	38
PID 2100 wrote to memory of 2248	2100	cmd.exe	38
PID 2100 wrote to memory of 2248	2100	cmd.exe	38
PID 2248 wrote to memory of 2520	2248	smss.exe	39
PID 2248 wrote to memory of 2520	2248	smss.exe	39
PID 2248 wrote to memory of 2520	2248	smss.exe	39
PID 2520 wrote to memory of 2480	2520	cmd.exe	41
PID 2520 wrote to memory of 2480	2520	cmd.exe	41
PID 2520 wrote to memory of 2480	2520	cmd.exe	41
PID 2520 wrote to memory of 1836	2520	cmd.exe	42
PID 2520 wrote to memory of 1836	2520	cmd.exe	42
PID 2520 wrote to memory of 1836	2520	cmd.exe	42
PID 2520 wrote to memory of 572	2520	cmd.exe	45
PID 2520 wrote to memory of 572	2520	cmd.exe	45
PID 2520 wrote to memory of 572	2520	cmd.exe	45
PID 572 wrote to memory of 2804	572	smss.exe	46
PID 572 wrote to memory of 2804	572	smss.exe	46
PID 572 wrote to memory of 2804	572	smss.exe	46
PID 2804 wrote to memory of 668	2804	cmd.exe	48
PID 2804 wrote to memory of 668	2804	cmd.exe	48
PID 2804 wrote to memory of 668	2804	cmd.exe	48
PID 2804 wrote to memory of 2796	2804	cmd.exe	49
PID 2804 wrote to memory of 2796	2804	cmd.exe	49
PID 2804 wrote to memory of 2796	2804	cmd.exe	49
PID 2804 wrote to memory of 2836	2804	cmd.exe	50
PID 2804 wrote to memory of 2836	2804	cmd.exe	50
PID 2804 wrote to memory of 2836	2804	cmd.exe	50
PID 2836 wrote to memory of 1108	2836	smss.exe	52
PID 2836 wrote to memory of 1108	2836	smss.exe	52
PID 2836 wrote to memory of 1108	2836	smss.exe	52
PID 1108 wrote to memory of 592	1108	cmd.exe	53
PID 1108 wrote to memory of 592	1108	cmd.exe	53
PID 1108 wrote to memory of 592	1108	cmd.exe	53
PID 1108 wrote to memory of 680	1108	cmd.exe	54
PID 1108 wrote to memory of 680	1108	cmd.exe	54
PID 1108 wrote to memory of 680	1108	cmd.exe	54
PID 1108 wrote to memory of 1976	1108	cmd.exe	55
PID 1108 wrote to memory of 1976	1108	cmd.exe	55
PID 1108 wrote to memory of 1976	1108	cmd.exe	55
PID 1976 wrote to memory of 2328	1976	smss.exe	56
PID 1976 wrote to memory of 2328	1976	smss.exe	56
PID 1976 wrote to memory of 2328	1976	smss.exe	56
PID 2328 wrote to memory of 556	2328	cmd.exe	58

C:\Users\Admin\AppData\Local\Temp\c124f00908309cd17feca68030e5d58e.exe
"C:\Users\Admin\AppData\Local\Temp\c124f00908309cd17feca68030e5d58e.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LvvGXiBfBL.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2644
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2780
- - C:\Program Files\Microsoft Office\smss.exe
    "C:\Program Files\Microsoft Office\smss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iWyGsAOhHU.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2100
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1716
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        Runs ping.exe
        
        PID:2968
    - - C:\Program Files\Microsoft Office\smss.exe
        
        "C:\Program Files\Microsoft Office\smss.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2248
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MRBwkdmBhu.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2480
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1836
        
        C:\Program Files\Microsoft Office\smss.exe
        
        "C:\Program Files\Microsoft Office\smss.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pH8mwRqDTK.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:668
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        Runs ping.exe
        
        PID:2796
        
        C:\Program Files\Microsoft Office\smss.exe
        
        "C:\Program Files\Microsoft Office\smss.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XaDMK3wxoK.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:592
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        Runs ping.exe
        
        PID:680
        
        C:\Program Files\Microsoft Office\smss.exe
        
        "C:\Program Files\Microsoft Office\smss.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fhkx1dF1Mw.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:556
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        Runs ping.exe
        
        PID:2340
        
        C:\Program Files\Microsoft Office\smss.exe
        
        "C:\Program Files\Microsoft Office\smss.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U5BoPe2aCH.bat"
        14⤵
        
        PID:2716
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2972
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        Runs ping.exe
        
        PID:2108
        
        C:\Program Files\Microsoft Office\smss.exe
        
        "C:\Program Files\Microsoft Office\smss.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:668
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wr1mxRbh1u.bat"
        16⤵
        
        PID:2792
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        Runs ping.exe
        
        PID:1124
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2376
        
        C:\Program Files\Microsoft Office\smss.exe
        
        "C:\Program Files\Microsoft Office\smss.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c209FVriWl.bat"
        18⤵
        
        PID:916
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:1108
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        Runs ping.exe
        
        PID:2016
        
        C:\Program Files\Microsoft Office\smss.exe
        
        "C:\Program Files\Microsoft Office\smss.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NnkzcdwAFb.bat"
        20⤵
        
        PID:836
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:1564
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2160
        
        C:\Program Files\Microsoft Office\smss.exe
        
        "C:\Program Files\Microsoft Office\smss.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\smss.exe

Filesize
2.8MB

MD5
ee6ddea10a6e83038d59ab888c50c666

SHA1
a083d89f3153dee1c15492858d54be528b9e342f

SHA256
b32e3143dc66b8f2ab26593b8949285c373e5c75076630dbff3618a4a7516f13

SHA512
3462a7fabd2d3beaba46fa52ad29bc5774fc9e752d4c5719edbb47f089c83e4e5d0202efafac19120f6fc86c806e276bcd89b2301130ec7c2ff509274859cc24

Download Submit
C:\Program Files\Microsoft Office\smss.exe

Filesize
2.3MB

MD5
33cb374c578bd9cd27688c5e314b3206

SHA1
e10ac3cc687369818c1ef3e6b2e48b74b01964c9

SHA256
4f7982da8cf758652d56cc06449882f0f08be05a964efd73c9ad414727288b03

SHA512
3027843627a8d9a4eefc045e23b5dbcdf43bf77f40764f6ab5be6c49285439d3f5a0d3efb43d1bf47417fddaa944f548cb6b093728e5e4ce157f5e8c40166f3c

Download Submit
C:\Program Files\Microsoft Office\smss.exe

Filesize
1.3MB

MD5
55a18a2cacd016fd133c8e574aab5905

SHA1
212e075e38356f1a8c3c8e5af38f37c307785133

SHA256
5808ebfcae3538a96686df6ff9f32e185a3a53a7bc44cae103b996da2d97e1e8

SHA512
fbb89aedaa1901344aeebcf43534f562d131c3821347bbd5d058dcfe2785d923f888f0f5a3ae15ff6ba5f21674075c2b37be42930f66e4d78dbc502c76d6c560

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\wininit.exe

Filesize
3.6MB

MD5
c124f00908309cd17feca68030e5d58e

SHA1
7b3b43803a22887c780e545d1b480d56c573819d

SHA256
975033d24044a83505ee98f9f3b857e114ccb5f6179db6dce90804af911eea8f

SHA512
8df041a00ae350f74e12e91a6b6050ab0b64a45c3606b483fe2f43a4c9a2ad35e09a6aab9da4a73fb70bf21c84d4e3dc230aa52cfeff884eabd8ff5434356e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\LvvGXiBfBL.bat

Filesize
218B

MD5
9898650fe6d1191364c62bcff4180cd0

SHA1
da26d833fd675dd7d82140c22c496f7f9d6196ae

SHA256
d7f34c9f761d92029d5f265085fc1ff66e3bb58bc6ffc89a5df86a2e81e78794

SHA512
cb91cae8398866b6a1e33dae6bae00774bbed0bccc32fa9799db58594048024d3d938a1a87e8c11f348d50cae707167c61aa0aca80b0e07c0f01f75ccb9c4643

Download Submit
C:\Users\Admin\AppData\Local\Temp\MRBwkdmBhu.bat

Filesize
218B

MD5
20a08320d3c4ee387db3cf15a76fced9

SHA1
3e19e0d3182880d18453a7f09f8153081f22d0d8

SHA256
ace804d24102743c3c68c34607045aac61f5711f3e5b021975d037e75c44deb3

SHA512
034fba90c0e8d10739653dd2baaf2d30225923da344f240b7b86096d79aa9f9b2912457fd81dc7ec18f6f2f202570dc2ed32de30d2cd2b1458d8b23065342669

Download Submit
C:\Users\Admin\AppData\Local\Temp\NnkzcdwAFb.bat

Filesize
218B

MD5
85e2b24b760d9100220606b8b76c5750

SHA1
49222809d8ccccf798c4954054b47f268ca7b353

SHA256
088dbfa01a4d5ee642dbb96a0b0cba22c5da144264dd2a7f6fab0efc7474f639

SHA512
2b6c8a02336a6e25149c0ea9bd370636e352e5a1f38db48e763b87a201b5229db82a0a17fd3517806892e0c79380f971ac7cd5c457e5329580550717ff831c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\U5BoPe2aCH.bat

Filesize
170B

MD5
aa4299fabe3ad6b73fb2a8e1b22d7d0b

SHA1
69fc7ae60a36c4b186b69b88687de9c81fe0ea12

SHA256
eb1c463cbe31afac8427b32eba1d1519f64c49aeffc77a9c8fe71cd29814357a

SHA512
ebed82d757325208bd3409c731cd501005fe1e679c90f7b0c5c75f18eedcb5b3c668d288b67c79ffbafee99436419be7d3af66e159013884cb98310de7bfe2d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\XaDMK3wxoK.bat

Filesize
170B

MD5
3e5ce1f3edfd409f2990566dd1e8b868

SHA1
350ead429b46291eb7d2316a8a64a015886e9c4d

SHA256
c8e4ffe769896ec30da11c96da1354cbce8ac5d8f33af62f9585c80f68606a37

SHA512
0e76fe58df85f44bf4ab69b0f23c59e6e5315ecc40b1a128ea9118c780ef1b17cd5e92f34e3216ef5f6a6717809a284c099e62a193a303c07c1cb2b52728e734

Download Submit
C:\Users\Admin\AppData\Local\Temp\c209FVriWl.bat

Filesize
170B

MD5
48c448b936d6915cce1cadbeac3ad753

SHA1
e557637333dfc3b3af0f949e0a1ea7f68a833a2b

SHA256
e12fb81df20ac67926bfd49800a5add6b33eab9b7e97d493a42c41e55677360d

SHA512
16bb53d1ba42ba84ae406dc4be3e8a8701c1441ef09de5abeb3bf9133aa28c3a42bb738cf7aba9c2903f4949918e2350323f73b256929089232cd8f2eb765f7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fhkx1dF1Mw.bat

Filesize
170B

MD5
b707294115e0d9549f66a10bc9cf3c59

SHA1
cd1c6e376592beb362f67b5591dc4f4f8a1fad95

SHA256
c2b5a59958b8eac1a92efc500f6348d24354d2dd5649c5e2f1fd6e1d5eefc692

SHA512
076bd718fe1bb5b27b1d91bda89a84c5df531aaca37886cade2ef16a699f6918bcdb51a2ae9e2cfc15ed0d92bd64b691415a25b464411effe266e4c7a6836b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\iWyGsAOhHU.bat

Filesize
170B

MD5
5b114ea3a371e5fcadc7a038d7746a6c

SHA1
10d61a47c85f7152a7d38575eafbd8957d0c9620

SHA256
ed7c46321b3cbb9984acacf2773ac6ba13c932827257a240644b3e9b67ec0354

SHA512
81b3feeadd0dd4e82b04a3656d0cd04652b95a4a3653b690ec6249e39e405e95bcfc75699bf5a536d4c44d00b8e8545b35a5c865951c15a10afc6b3e80ef7eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\pH8mwRqDTK.bat

Filesize
170B

MD5
293cfbb0805ae48c1e7d4c2ff137fbf7

SHA1
3349ea7b972bbc00a9bc71a2e8c453978b455ffc

SHA256
8a5bad3150ec277ca2a8eaf6c7606edb7e6b2e27901e3d4227dd393795bbb1c6

SHA512
9c8863b75a9426fa970906352d9f49c21e91b49bd0455d6a3a421f431181bd9474416fd218012b6981ed10960b206bd8b6a58d5b1282c6419a08aeb16124a91a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wr1mxRbh1u.bat

Filesize
170B

MD5
63468727b498df1f682878b3f5b6716e

SHA1
b446e0e8b9bdfd1b42601b387c4b712cc89228a2

SHA256
3f276d66a72e06ce36583e46e3a98e5428ba69bd7d7d267dd2c2cd43ac989269

SHA512
8e66393bcc1dc5bca6ddd587ba646501ec142807b9244ac8448d1470825ff0a2d2f64f45e146a4ab28264bd8c5653f58e9d769ad03eb1ebd3285957928a1994a

Download Submit
memory/1972-45-0x0000000077490000-0x0000000077491000-memory.dmp

Filesize
4KB

Download
memory/1972-56-0x0000000077450000-0x0000000077451000-memory.dmp

Filesize
4KB

Download
memory/1972-16-0x0000000000390000-0x00000000003A0000-memory.dmp

Filesize
64KB

Download
memory/1972-17-0x0000000077510000-0x0000000077511000-memory.dmp

Filesize
4KB

Download
memory/1972-19-0x0000000000720000-0x0000000000738000-memory.dmp

Filesize
96KB

Download
memory/1972-20-0x0000000077500000-0x0000000077501000-memory.dmp

Filesize
4KB

Download
memory/1972-21-0x00000000774F0000-0x00000000774F1000-memory.dmp

Filesize
4KB

Download
memory/1972-23-0x00000000003A0000-0x00000000003B0000-memory.dmp

Filesize
64KB

Download
memory/1972-25-0x00000000003B0000-0x00000000003C0000-memory.dmp

Filesize
64KB

Download
memory/1972-28-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/1972-29-0x00000000774E0000-0x00000000774E1000-memory.dmp

Filesize
4KB

Download
memory/1972-27-0x0000000000570000-0x000000000057E000-memory.dmp

Filesize
56KB

Download
memory/1972-31-0x000000001B610000-0x000000001B690000-memory.dmp

Filesize
512KB

Download
memory/1972-32-0x00000000774C0000-0x00000000774C1000-memory.dmp

Filesize
4KB

Download
memory/1972-30-0x00000000774D0000-0x00000000774D1000-memory.dmp

Filesize
4KB

Download
memory/1972-34-0x0000000000910000-0x0000000000922000-memory.dmp

Filesize
72KB

Download
memory/1972-37-0x000000001B610000-0x000000001B690000-memory.dmp

Filesize
512KB

Download
memory/1972-38-0x00000000774B0000-0x00000000774B1000-memory.dmp

Filesize
4KB

Download
memory/1972-36-0x0000000000740000-0x000000000074C000-memory.dmp

Filesize
48KB

Download
memory/1972-39-0x000000001B610000-0x000000001B690000-memory.dmp

Filesize
512KB

Download
memory/1972-40-0x00000000774A0000-0x00000000774A1000-memory.dmp

Filesize
4KB

Download
memory/1972-42-0x00000000008F0000-0x0000000000900000-memory.dmp

Filesize
64KB

Download
memory/1972-44-0x00000000009D0000-0x00000000009E6000-memory.dmp

Filesize
88KB

Download
memory/1972-12-0x0000000077520000-0x0000000077521000-memory.dmp

Filesize
4KB

Download
memory/1972-47-0x0000000002430000-0x0000000002442000-memory.dmp

Filesize
72KB

Download
memory/1972-48-0x0000000077480000-0x0000000077481000-memory.dmp

Filesize
4KB

Download
memory/1972-50-0x0000000000900000-0x000000000090E000-memory.dmp

Filesize
56KB

Download
memory/1972-51-0x0000000077470000-0x0000000077471000-memory.dmp

Filesize
4KB

Download
memory/1972-52-0x0000000077460000-0x0000000077461000-memory.dmp

Filesize
4KB

Download
memory/1972-54-0x0000000000930000-0x0000000000940000-memory.dmp

Filesize
64KB

Download
memory/1972-57-0x0000000000940000-0x0000000000950000-memory.dmp

Filesize
64KB

Download
memory/1972-14-0x0000000000700000-0x000000000071C000-memory.dmp

Filesize
112KB

Download
memory/1972-58-0x0000000077440000-0x0000000077441000-memory.dmp

Filesize
4KB

Download
memory/1972-60-0x000000001AA30000-0x000000001AA8A000-memory.dmp

Filesize
360KB

Download
memory/1972-62-0x0000000002450000-0x000000000245E000-memory.dmp

Filesize
56KB

Download
memory/1972-64-0x0000000002460000-0x0000000002470000-memory.dmp

Filesize
64KB

Download
memory/1972-66-0x0000000002470000-0x000000000247E000-memory.dmp

Filesize
56KB

Download
memory/1972-68-0x00000000024A0000-0x00000000024B8000-memory.dmp

Filesize
96KB

Download
memory/1972-70-0x0000000002480000-0x000000000248C000-memory.dmp

Filesize
48KB

Download
memory/1972-72-0x000000001AAE0000-0x000000001AB2E000-memory.dmp

Filesize
312KB

Download
memory/1972-88-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/1972-0-0x00000000009F0000-0x0000000000D88000-memory.dmp

Filesize
3.6MB

Download
memory/1972-1-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/1972-2-0x000000001B610000-0x000000001B690000-memory.dmp

Filesize
512KB

Download
memory/1972-3-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1972-4-0x000000001B610000-0x000000001B690000-memory.dmp

Filesize
512KB

Download
memory/1972-5-0x0000000077540000-0x0000000077541000-memory.dmp

Filesize
4KB

Download
memory/1972-6-0x000000001B610000-0x000000001B690000-memory.dmp

Filesize
512KB

Download
memory/1972-8-0x0000000000540000-0x0000000000566000-memory.dmp

Filesize
152KB

Download
memory/1972-10-0x0000000000380000-0x000000000038E000-memory.dmp

Filesize
56KB

Download
memory/1972-11-0x0000000077530000-0x0000000077531000-memory.dmp

Filesize
4KB

Download
memory/2940-97-0x0000000077540000-0x0000000077541000-memory.dmp

Filesize
4KB

Download
memory/2940-108-0x00000000774F0000-0x00000000774F1000-memory.dmp

Filesize
4KB

Download
memory/2940-103-0x0000000077510000-0x0000000077511000-memory.dmp

Filesize
4KB

Download
memory/2940-102-0x0000000077520000-0x0000000077521000-memory.dmp

Filesize
4KB

Download
memory/2940-99-0x0000000077530000-0x0000000077531000-memory.dmp

Filesize
4KB

Download
memory/2940-98-0x000000001B460000-0x000000001B4E0000-memory.dmp

Filesize
512KB

Download
memory/2940-106-0x0000000077500000-0x0000000077501000-memory.dmp

Filesize
4KB

Download
memory/2940-95-0x000000001B460000-0x000000001B4E0000-memory.dmp

Filesize
512KB

Download
memory/2940-94-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2940-93-0x000000001B460000-0x000000001B4E0000-memory.dmp

Filesize
512KB

Download
memory/2940-92-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download
memory/2940-91-0x0000000000E80000-0x0000000001218000-memory.dmp

Filesize
3.6MB

Download
memory/2940-111-0x000007FEF5140000-0x000007FEF5B2C000-memory.dmp

Filesize
9.9MB

Download