zgrat | 101331c13483b3530f33ff1d8983e5ad4b391b2bcb212143cb41e5095d0c5e19

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
13-02-2024 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BF73AF9BE79A72DF70F1DD89E86E37B6.exe
Size

8.2MB
MD5

bf73af9be79a72df70f1dd89e86e37b6
SHA1

088887c3bcffa084e35769a8a44cf027e56e5f67
SHA256

101331c13483b3530f33ff1d8983e5ad4b391b2bcb212143cb41e5095d0c5e19
SHA512

3b0c73699f4054a38a55cfcbf30bf100b4af233100756e523b7190a768d549d85d14c92430784010e16735cea902ace1bfeddc505d08f87f526ef60072545148
SSDEEP

49152:x3XGwQS8y7rtnzktV5RdWJx8cLFNE0R8a:NXXlStVIJxZFN5

Score

10^/10

zgrat rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/628-0-0x0000000000D40000-0x0000000000F42000-memory.dmp	family_zgrat_v1
C:\Users\Default\explorer.exe	family_zgrat_v1
behavioral1/memory/1664-98-0x0000000000030000-0x0000000000232000-memory.dmp	family_zgrat_v1
C:\Windows\Microsoft.NET\services.exe	family_zgrat_v1
C:\Windows\Microsoft.NET\services.exe	family_zgrat_v1

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	2580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2580	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2580	schtasks.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Executes dropped EXE 1 IoCs

Processes:

services.exe

pid process

1664 services.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1664	services.exe

Drops file in Windows directory 5 IoCs

Processes:

BF73AF9BE79A72DF70F1DD89E86E37B6.exe

description	ioc	process
File created	C:\Windows\PCHEALTH\ERRORREP\QHEADLES\BF73AF9BE79A72DF70F1DD89E86E37B6.exe	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
File created	C:\Windows\PCHEALTH\ERRORREP\QHEADLES\7cb0405e17053d	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
File created	C:\Windows\Microsoft.NET\services.exe	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
File opened for modification	C:\Windows\Microsoft.NET\services.exe	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
File created	C:\Windows\Microsoft.NET\c5b4cb5e9653cc	BF73AF9BE79A72DF70F1DD89E86E37B6.exe

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2480	schtasks.exe
2732	schtasks.exe
2668	schtasks.exe
2720	schtasks.exe
2848	schtasks.exe
2768	schtasks.exe
2472	schtasks.exe
2532	schtasks.exe
2572	schtasks.exe
2972	schtasks.exe
1940	schtasks.exe
1908	schtasks.exe
1948	schtasks.exe
1936	schtasks.exe
1896	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

BF73AF9BE79A72DF70F1DD89E86E37B6.exe

pid	process
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

services.exe

pid process

1664 services.exe

pid	process
1664	services.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

BF73AF9BE79A72DF70F1DD89E86E37B6.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeservices.exe

description	pid	process
Token: SeDebugPrivilege	628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	1172	powershell.exe
Token: SeDebugPrivilege	860	powershell.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	1664	services.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

BF73AF9BE79A72DF70F1DD89E86E37B6.execmd.exe

description	pid	process	target process
PID 628 wrote to memory of 2444	628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe	powershell.exe
PID 628 wrote to memory of 2444	628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe	powershell.exe
PID 628 wrote to memory of 2444	628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe	powershell.exe
PID 628 wrote to memory of 1172	628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe	powershell.exe
PID 628 wrote to memory of 1172	628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe	powershell.exe
PID 628 wrote to memory of 1172	628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe	powershell.exe
PID 628 wrote to memory of 1996	628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe	powershell.exe
PID 628 wrote to memory of 1996	628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe	powershell.exe
PID 628 wrote to memory of 1996	628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe	powershell.exe
PID 628 wrote to memory of 1788	628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe	powershell.exe
PID 628 wrote to memory of 1788	628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe	powershell.exe
PID 628 wrote to memory of 1788	628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe	powershell.exe
PID 628 wrote to memory of 860	628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe	powershell.exe
PID 628 wrote to memory of 860	628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe	powershell.exe
PID 628 wrote to memory of 860	628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe	powershell.exe
PID 628 wrote to memory of 2632	628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe	cmd.exe
PID 628 wrote to memory of 2632	628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe	cmd.exe
PID 628 wrote to memory of 2632	628	BF73AF9BE79A72DF70F1DD89E86E37B6.exe	cmd.exe
PID 2632 wrote to memory of 540	2632	cmd.exe	chcp.com
PID 2632 wrote to memory of 540	2632	cmd.exe	chcp.com
PID 2632 wrote to memory of 540	2632	cmd.exe	chcp.com
PID 2632 wrote to memory of 968	2632	cmd.exe	w32tm.exe
PID 2632 wrote to memory of 968	2632	cmd.exe	w32tm.exe
PID 2632 wrote to memory of 968	2632	cmd.exe	w32tm.exe
PID 2632 wrote to memory of 1664	2632	cmd.exe	services.exe
PID 2632 wrote to memory of 1664	2632	cmd.exe	services.exe
PID 2632 wrote to memory of 1664	2632	cmd.exe	services.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\BF73AF9BE79A72DF70F1DD89E86E37B6.exe
"C:\Users\Admin\AppData\Local\Temp\BF73AF9BE79A72DF70F1DD89E86E37B6.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\explorer.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\BF73AF9BE79A72DF70F1DD89E86E37B6.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Idle.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\services.exe'
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2444

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\i7Fq0MKgjk.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:540

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
3⤵
PID:968

C:\Windows\Microsoft.NET\services.exe
"C:\Windows\Microsoft.NET\services.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\Microsoft.NET\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\Microsoft.NET\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BF73AF9BE79A72DF70F1DD89E86E37B6" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\BF73AF9BE79A72DF70F1DD89E86E37B6.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BF73AF9BE79A72DF70F1DD89E86E37B6B" /sc MINUTE /mo 13 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\BF73AF9BE79A72DF70F1DD89E86E37B6.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BF73AF9BE79A72DF70F1DD89E86E37B6B" /sc MINUTE /mo 8 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\BF73AF9BE79A72DF70F1DD89E86E37B6.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\i7Fq0MKgjk.bat

Filesize
213B

MD5
9bb4d7f9272a6f827051a3788503147c

SHA1
65c6d76bf9733eed58c6d66b5d5d15a9a3b6ccfe

SHA256
f1507fc7c698d57f2a3ec2f4a02e723efd9926ecb363cf5ba8d6255aebf020b5

SHA512
abee8b10b1d81da0d6bc5033ae194299848eaefc1419694e7e7d0d4a94ea48547da84b99095281223f933b8044e91a2948512f17f3e09a2fee4ba868063805a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
2KB

MD5
c62c89664f8db3037b70836ffb9b1c77

SHA1
94e61a3e0bc56443e4ed5b75924cff4c4a3f9914

SHA256
3977fe1a6f07b5c47802cabfbed634b9d990b50c2ccca302640c2c1a1863c3b1

SHA512
c103f9467e5d9329e552fb63b6854e32d618a5a98089150e16c83335e31cdb05b4dd2c46915718fff4e847fb45b49e2bed3b950eccae2919d3597f534e833b7b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AAQ2PDOBL95YA65LX9BW.temp

Filesize
7KB

MD5
159388a3f6e5dd399aa7a0a8b7719547

SHA1
ae329f84ccb4bcbd09297ba1a127c179bfbf6e15

SHA256
344a882de69122e12607d3977dc44a885fae19132e97c67c18b2986bb6d856c2

SHA512
1accab029f719ccfda445b86999a0830f6d5ce20d8bbb543c463680f3965a538bc3724cd229644b790dcee9932d394a3414660fc50bf811c591d7fa06d2bb29b

Download Submit
C:\Users\Default\explorer.exe

Filesize
5.8MB

MD5
0190e39b7f131c14dcb4e0587175b96f

SHA1
d3aae304ed9f5730e6f66ac2912543a271a49783

SHA256
bd866589c2dadc0e02627aead966f389e7df129197f7b110c15764c83c410dce

SHA512
21d7d6b332ad1595dd0e2230138e5d9b99466ca6789c4d25e87117bc0c27e18eb439fb27c59bb763da15d1fb93e186345f60e4ee8d303b456931435ebf040e13

Download Submit
C:\Windows\Microsoft.NET\services.exe

Filesize
4.2MB

MD5
6a5deb797bf06e60fd35fd79fac0ebd2

SHA1
154d57f09ea6412bfa008eac02b73e5ab1c48ebb

SHA256
e275c2fa86630b322d2d1dcc61b7f97de22fb52e590a1af2c53c32f163d5c238

SHA512
eba878003665c1a7a13f660cd45a290a464f2b63c5aacb9918d6a5cf57d9b73bfa6bf9cf5984575458a2d80a89e07dd77e3c6352c05fc00f1ef84db99ef91f62

Download Submit
C:\Windows\Microsoft.NET\services.exe

Filesize
3.3MB

MD5
5ebf18b61c161711cd475d35cc7a051f

SHA1
df4019d39b1027a31edecd706d20691a901a0593

SHA256
972c98b6be83a5596f7906de76debb66cc89258d3c44b560813689e5c160b951

SHA512
a771ecf71ceef93071c092edb3eac6ab78c45ca24f52ccec86dafd81d77de6392759e0f1d0fbfa94140c33e8b739fa7e909be9ee50779fa8eae4ffb2a431fba5

Download Submit
memory/628-11-0x0000000076D90000-0x0000000076D91000-memory.dmp

Filesize
4KB

Download
memory/628-29-0x00000000004A0000-0x00000000004AC000-memory.dmp

Filesize
48KB

Download
memory/628-10-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/628-0-0x0000000000D40000-0x0000000000F42000-memory.dmp

Filesize
2.0MB

Download
memory/628-12-0x0000000076D80000-0x0000000076D81000-memory.dmp

Filesize
4KB

Download
memory/628-14-0x0000000000440000-0x0000000000458000-memory.dmp

Filesize
96KB

Download
memory/628-17-0x0000000076D70000-0x0000000076D71000-memory.dmp

Filesize
4KB

Download
memory/628-16-0x0000000000410000-0x000000000041E000-memory.dmp

Filesize
56KB

Download
memory/628-19-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/628-20-0x0000000076D60000-0x0000000076D61000-memory.dmp

Filesize
4KB

Download
memory/628-21-0x0000000076D50000-0x0000000076D51000-memory.dmp

Filesize
4KB

Download
memory/628-23-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/628-26-0x000007FEF5320000-0x000007FEF5D0C000-memory.dmp

Filesize
9.9MB

Download
memory/628-27-0x0000000076D40000-0x0000000076D41000-memory.dmp

Filesize
4KB

Download
memory/628-25-0x0000000000490000-0x000000000049E000-memory.dmp

Filesize
56KB

Download
memory/628-8-0x000000001B430000-0x000000001B4B0000-memory.dmp

Filesize
512KB

Download
memory/628-30-0x000000001B430000-0x000000001B4B0000-memory.dmp

Filesize
512KB

Download
memory/628-31-0x0000000076D30000-0x0000000076D31000-memory.dmp

Filesize
4KB

Download
memory/628-7-0x0000000076DA0000-0x0000000076DA1000-memory.dmp

Filesize
4KB

Download
memory/628-6-0x00000000003F0000-0x00000000003FE000-memory.dmp

Filesize
56KB

Download
memory/628-4-0x000000001B430000-0x000000001B4B0000-memory.dmp

Filesize
512KB

Download
memory/628-3-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/628-73-0x000007FEF5320000-0x000007FEF5D0C000-memory.dmp

Filesize
9.9MB

Download
memory/628-2-0x000000001B430000-0x000000001B4B0000-memory.dmp

Filesize
512KB

Download
memory/628-1-0x000007FEF5320000-0x000007FEF5D0C000-memory.dmp

Filesize
9.9MB

Download
memory/860-65-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/860-90-0x000007FEEEAA0000-0x000007FEEF43D000-memory.dmp

Filesize
9.6MB

Download
memory/860-92-0x00000000029A4000-0x00000000029A7000-memory.dmp

Filesize
12KB

Download
memory/860-88-0x000007FEEEAA0000-0x000007FEEF43D000-memory.dmp

Filesize
9.6MB

Download
memory/860-86-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/860-91-0x00000000029A0000-0x0000000002A20000-memory.dmp

Filesize
512KB

Download
memory/860-87-0x00000000029AB000-0x0000000002A12000-memory.dmp

Filesize
412KB

Download
memory/1172-94-0x0000000002CE0000-0x0000000002D60000-memory.dmp

Filesize
512KB

Download
memory/1172-93-0x000007FEEEAA0000-0x000007FEEF43D000-memory.dmp

Filesize
9.6MB

Download
memory/1172-116-0x0000000002CE0000-0x0000000002D60000-memory.dmp

Filesize
512KB

Download
memory/1172-89-0x0000000002CEB000-0x0000000002D52000-memory.dmp

Filesize
412KB

Download
memory/1172-95-0x0000000002CE0000-0x0000000002D60000-memory.dmp

Filesize
512KB

Download
memory/1664-104-0x0000000076DA0000-0x0000000076DA1000-memory.dmp

Filesize
4KB

Download
memory/1664-107-0x0000000076D90000-0x0000000076D91000-memory.dmp

Filesize
4KB

Download
memory/1664-112-0x0000000076D70000-0x0000000076D71000-memory.dmp

Filesize
4KB

Download
memory/1664-113-0x0000000076D60000-0x0000000076D61000-memory.dmp

Filesize
4KB

Download
memory/1664-117-0x0000000076D50000-0x0000000076D51000-memory.dmp

Filesize
4KB

Download
memory/1664-118-0x0000000076D40000-0x0000000076D41000-memory.dmp

Filesize
4KB

Download
memory/1664-119-0x0000000076D30000-0x0000000076D31000-memory.dmp

Filesize
4KB

Download
memory/1664-106-0x000000001B2C0000-0x000000001B340000-memory.dmp

Filesize
512KB

Download
memory/1664-108-0x0000000076D80000-0x0000000076D81000-memory.dmp

Filesize
4KB

Download
memory/1664-102-0x000000001B2C0000-0x000000001B340000-memory.dmp

Filesize
512KB

Download
memory/1664-98-0x0000000000030000-0x0000000000232000-memory.dmp

Filesize
2.0MB

Download
memory/1664-101-0x000000001B2C0000-0x000000001B340000-memory.dmp

Filesize
512KB

Download
memory/1664-100-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/1664-99-0x000007FEF4930000-0x000007FEF531C000-memory.dmp

Filesize
9.9MB

Download
memory/1788-75-0x000007FEEEAA0000-0x000007FEEF43D000-memory.dmp

Filesize
9.6MB

Download
memory/1788-74-0x0000000002CFB000-0x0000000002D62000-memory.dmp

Filesize
412KB

Download
memory/1788-78-0x0000000002CF4000-0x0000000002CF7000-memory.dmp

Filesize
12KB

Download
memory/1996-83-0x0000000002320000-0x00000000023A0000-memory.dmp

Filesize
512KB

Download
memory/1996-82-0x000007FEEEAA0000-0x000007FEEF43D000-memory.dmp

Filesize
9.6MB

Download
memory/1996-66-0x0000000002910000-0x0000000002918000-memory.dmp

Filesize
32KB

Download
memory/1996-85-0x0000000002324000-0x0000000002327000-memory.dmp

Filesize
12KB

Download
memory/1996-76-0x000007FEEEAA0000-0x000007FEEF43D000-memory.dmp

Filesize
9.6MB

Download
memory/1996-79-0x0000000002320000-0x00000000023A0000-memory.dmp

Filesize
512KB

Download
memory/1996-80-0x000000000232B000-0x0000000002392000-memory.dmp

Filesize
412KB

Download
memory/2444-84-0x0000000002DF4000-0x0000000002DF7000-memory.dmp

Filesize
12KB

Download
memory/2444-77-0x0000000002DFB000-0x0000000002E62000-memory.dmp

Filesize
412KB

Download
memory/2444-81-0x000007FEEEAA0000-0x000007FEEF43D000-memory.dmp

Filesize
9.6MB

Download