zgrat | d19a0d180f6f962ea912480c752eafe875eb2d869bc4214e4304c6ea3c525ec3

Analysis

max time kernel
138s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
17-02-2024 14:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

C94596D2DD331B02A3BDF89A8A528880.exe
Size

3.1MB
MD5

c94596d2dd331b02a3bdf89a8a528880
SHA1

fa42da7569f0baf01185969915372c068f80d926
SHA256

d19a0d180f6f962ea912480c752eafe875eb2d869bc4214e4304c6ea3c525ec3
SHA512

68d9296bc3575da5ffb6c83e811ff7129d100d6aef767c1fd7998050cdcc9ce47f28a05cbb11b11473045144d95e1b02d16dc0879c31aa701ee1637fefaeb508
SSDEEP

49152:t/5oiXZgc3ZLp7PXi19L2xjNlQH/OaZc6mwkD75TwXNElsBLtRgJjOv+7p4:t/5jXZg49oLcN+Hm7AElMLJv

Score

10^/10

zgrat discovery rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\main\extracted\Installer.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\main\Installer.exe	family_zgrat_v1
behavioral2/memory/4572-62-0x0000000000060000-0x000000000018A000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Installer.exeC94596D2DD331B02A3BDF89A8A528880.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	Installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	C94596D2DD331B02A3BDF89A8A528880.exe

Drops startup file 1 IoCs

Processes:

Installer.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe Installer.exe
Executes dropped EXE 9 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exeInstaller.exeqemu-ga.exe

pid process

2272 7z.exe
3620 7z.exe
464 7z.exe
3160 7z.exe
3144 7z.exe
4888 7z.exe
1548 7z.exe
4572 Installer.exe
3148 qemu-ga.exe
Loads dropped DLL 7 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe

pid process

2272 7z.exe
3620 7z.exe
464 7z.exe
3160 7z.exe
3144 7z.exe
4888 7z.exe
1548 7z.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Installer.exe

pid process

4572 Installer.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Installer.exe

pid	process
2272	7z.exe
3620	7z.exe
464	7z.exe
3160	7z.exe
3144	7z.exe
4888	7z.exe
1548	7z.exe
4572	Installer.exe
3148	qemu-ga.exe

pid	process
2272	7z.exe
3620	7z.exe
464	7z.exe
3160	7z.exe
3144	7z.exe
4888	7z.exe
1548	7z.exe

pid	process
4572	Installer.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe7z.exe7z.exe7z.exeInstaller.exe

description	pid	process
Token: SeRestorePrivilege	2272	7z.exe
Token: 35	2272	7z.exe
Token: SeSecurityPrivilege	2272	7z.exe
Token: SeSecurityPrivilege	2272	7z.exe
Token: SeRestorePrivilege	3620	7z.exe
Token: 35	3620	7z.exe
Token: SeSecurityPrivilege	3620	7z.exe
Token: SeSecurityPrivilege	3620	7z.exe
Token: SeRestorePrivilege	464	7z.exe
Token: 35	464	7z.exe
Token: SeSecurityPrivilege	464	7z.exe
Token: SeSecurityPrivilege	464	7z.exe
Token: SeRestorePrivilege	3160	7z.exe
Token: 35	3160	7z.exe
Token: SeSecurityPrivilege	3160	7z.exe
Token: SeSecurityPrivilege	3160	7z.exe
Token: SeRestorePrivilege	3144	7z.exe
Token: 35	3144	7z.exe
Token: SeSecurityPrivilege	3144	7z.exe
Token: SeSecurityPrivilege	3144	7z.exe
Token: SeRestorePrivilege	4888	7z.exe
Token: 35	4888	7z.exe
Token: SeSecurityPrivilege	4888	7z.exe
Token: SeSecurityPrivilege	4888	7z.exe
Token: SeRestorePrivilege	1548	7z.exe
Token: 35	1548	7z.exe
Token: SeSecurityPrivilege	1548	7z.exe
Token: SeSecurityPrivilege	1548	7z.exe
Token: SeDebugPrivilege	4572	Installer.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

C94596D2DD331B02A3BDF89A8A528880.execmd.exeInstaller.exe

description	pid	process	target process
PID 2244 wrote to memory of 956	2244	C94596D2DD331B02A3BDF89A8A528880.exe	cmd.exe
PID 2244 wrote to memory of 956	2244	C94596D2DD331B02A3BDF89A8A528880.exe	cmd.exe
PID 956 wrote to memory of 2980	956	cmd.exe	mode.com
PID 956 wrote to memory of 2980	956	cmd.exe	mode.com
PID 956 wrote to memory of 2272	956	cmd.exe	7z.exe
PID 956 wrote to memory of 2272	956	cmd.exe	7z.exe
PID 956 wrote to memory of 3620	956	cmd.exe	7z.exe
PID 956 wrote to memory of 3620	956	cmd.exe	7z.exe
PID 956 wrote to memory of 464	956	cmd.exe	7z.exe
PID 956 wrote to memory of 464	956	cmd.exe	7z.exe
PID 956 wrote to memory of 3160	956	cmd.exe	7z.exe
PID 956 wrote to memory of 3160	956	cmd.exe	7z.exe
PID 956 wrote to memory of 3144	956	cmd.exe	7z.exe
PID 956 wrote to memory of 3144	956	cmd.exe	7z.exe
PID 956 wrote to memory of 4888	956	cmd.exe	7z.exe
PID 956 wrote to memory of 4888	956	cmd.exe	7z.exe
PID 956 wrote to memory of 1548	956	cmd.exe	7z.exe
PID 956 wrote to memory of 1548	956	cmd.exe	7z.exe
PID 956 wrote to memory of 2948	956	cmd.exe	attrib.exe
PID 956 wrote to memory of 2948	956	cmd.exe	attrib.exe
PID 956 wrote to memory of 4572	956	cmd.exe	Installer.exe
PID 956 wrote to memory of 4572	956	cmd.exe	Installer.exe
PID 956 wrote to memory of 4572	956	cmd.exe	Installer.exe
PID 4572 wrote to memory of 3148	4572	Installer.exe	qemu-ga.exe
PID 4572 wrote to memory of 3148	4572	Installer.exe	qemu-ga.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

2948 attrib.exe

pid	process
2948	attrib.exe

C:\Users\Admin\AppData\Local\Temp\C94596D2DD331B02A3BDF89A8A528880.exe
"C:\Users\Admin\AppData\Local\Temp\C94596D2DD331B02A3BDF89A8A528880.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
2⤵
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\system32\mode.com
mode 65,10
3⤵
PID:2980

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p7970281081126315687166120894 -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_6.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3620

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:464

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3160

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3144

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\system32\attrib.exe
attrib +H "Installer.exe"
3⤵
- Views/modifies file attributes
PID:2948

C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
"Installer.exe"
3⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4572

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
4⤵
- Executes dropped EXE
PID:3148

C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
756KB

MD5
f2376033ebedfce006d3fff185d3174c

SHA1
6b17ebb839ddae9788be7bdd7e298d82b11448a9

SHA256
7a225346ec6032d7104b3e7e68f9a97b16f656801ed97a817ca6bf1e6d7c77a0

SHA512
ef163404e4d60ba8a16960923933045f638fdbcbe4820aa32c5b19ecef7d04f34116d8669b304d37fae7f16e48a5264091dffd7f650a94743626af676475b36f

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
819KB

MD5
a71bfc1b1706c52d0a2a16c88a468324

SHA1
e327da5adea3b4289bf64db3bcf246abcba431c6

SHA256
b9cb95cffaebb4c1ea9218609b0a31580dbee387ce4bf158b09ad73633cb7fc2

SHA512
7f40255750381c0a202d0ed95be7d8bff69beea7f178a62b21f039dd407bb762c3132d5f270952861124ce5bf0a513e99620712d589c1a3053c3eef604f68174

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
660KB

MD5
e9154cf6d5bde86c3fe4994bd0b78b19

SHA1
e00fe893c55460be78ceec64c70b15dc73a92d56

SHA256
a0ae71c8146e1d5f3123d2fe5b084990ffe046251ce34e98bbd1d2315caf44c8

SHA512
e14cc7035b5ad6d1905a72929b8b2bb6f37f2516429c7fbbc10fae82e9ae30b24016e52c06d54928716a43db64e11fc77b725777f2cef946d1444a538246d39c

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
458KB

MD5
650962279084f68e7ee24cc095102b2d

SHA1
dd913b413a4bc27b892ad073ebeea82c4b5dd192

SHA256
7ceb46f151ffe81274354c5598a17a2ce0f417d5980335b99034ae1cd7f2321f

SHA512
767ee7be69f86b25b76a2a81cd349e5de43ce22ed9b9511bdf16db568b1bb7a6befa514124486b42b1ec06d9115df7b8a52721755b70fd5d9ad49d54e6f88167

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
142KB

MD5
63e1f7c959d60a043db40323d383c7c7

SHA1
b33dc97936e3f9bf47a499e708c3e45d687adfef

SHA256
f39d093845b7905259304d6481f4e71199f198579e89ff15527cefa9eff47aba

SHA512
d94e96b8fa9cddd07e089902791077dff5ac89ea79cb7eb478ad4da5718ce0082f7a6ecae9108d9d84d105200dc14b14974abf8a62dbe1f429c434b651931cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
37KB

MD5
be1a3dba3c19777e5469c3742f487774

SHA1
41e2864a9a32d1ee587b68f05bf63cf4a8d4fef9

SHA256
08cc90af5c3dd2fab6c12ef93d25721d8efaf1c729bc435a1efcb5904ea8ad21

SHA512
f1803a3dbe871eed1b54ba2e8f416bda91eb0ba4b46a87ffaf848811327743c3e147dfac9743a1bbb60a6d5e7f4607315ce27b550393fd7e449fcfd379937862

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
82KB

MD5
af371ac957382ad83cf6ad34737c38e3

SHA1
26ec9b6483bec34fd4a68ef293ebf4e090f0cb25

SHA256
5e9c9071e34a71c96b1bf9dde43ff50031a113e9378d40aff8cd20b396313645

SHA512
d2986db44c3b2721fd507761c15657621da8039902b532dd839c0b9d4e7916c00c65e341f4a04c7cc9b2cbe081a292e13d492b47152f617f19716e49f9515341

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
95KB

MD5
c13d75d89612b7e945c1870fdb027535

SHA1
705c0f01315493d0f3641a227c3eea0e4a5d4c7c

SHA256
a92390a05ba3e95ef8908c5d2b9b3193320539ac016866b14cbc07821010cb8f

SHA512
5f2861372be983d12cfc3dde4f9ce8ccde5f2e6969aadb595c97bc9d6794198714c78c59f7c6113a17a26b7cafc543e60039045e33b0d1692fca03405cb21ade

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
188KB

MD5
9254c6d3b333d1ba167205449f10b0d8

SHA1
c6e42d7d27049434435d7626821ef78db0a00707

SHA256
90eda5449bf0c41af1cb1041671a18c57da6bad468151865a77815e4f1d82f99

SHA512
9ee8efbe7ce00fbfbba91eaf8ba7ffcb0b67717605962cbe14687663196855d8ffd5c211954da98624723aedd9ce2236b0aa0b6dfc3cdb0bb5a1d5b871c4d7e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
360KB

MD5
d2f5633a74fb1360883226879e747375

SHA1
fe461be3088ff1a9cad746e7bffb859a5603e918

SHA256
c79cd2b1389ee4cea81aae7e1670630acbedb55d21da96af1c9688ace56ff15b

SHA512
689cafaf03edd70fd9dddb10dee96e409a296326a7b59f20b5f65f2e379f60eee48018181033c803799836f3396322dc640a7c0ea789ec13fc33d69c2eff0239

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
225KB

MD5
bdba759c0e19fb2033190422542555ce

SHA1
15f830c25d88c348c09623c87dfb3cfe84e16240

SHA256
3c928a6dc4bc8bdf2d96cac2ef4e81ce732c29f95a07e085c7efb7c53ad06e14

SHA512
1d50a165b3b4ef24b392a739ac21c58bf89c4dc873b6d0f8d188563a9c11e0fa9a4d40762a3c525873e55232d46734e5939c9ba84f8da5a5a4fb218c902e97ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
382KB

MD5
8f11a9c0a7b4ac835c2e08afb4033aef

SHA1
921977e827fdd79656ca464afabcae265b13aa47

SHA256
71c2fbbed000383950ab9c9d61ff528047470c57433ae6572c0af44bac607d95

SHA512
89abeab78e759aa491a4eb3e5869fe69c616af87627a3d72e99931e57e2d66400fe8ed7b9cf12e3bc525c2bcc6779fd7f5cc5e1a031a3eff4fe7dfafba54ca7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
303KB

MD5
7a7f39ee1470b773bf57a01f505cb86f

SHA1
67c20d913ab775ce6cae375fb01bfb8efc7cb476

SHA256
adfcf72704aafc5452711511fdc54e5a4a93141debd26de6ed885e9700e25211

SHA512
0d6d667e5ec3b67015ac1269e5dc3f7fcc35840de2791782ed262a2fe6d6f10dc6a8e738aeb6a929247f5c59249e270944f26cf9f9efe1060e48d6295229b530

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
38KB

MD5
deda63affa42037a83eb3fd5259fbeb0

SHA1
e7edd719f1c498a83135288dec6e9402d242bc49

SHA256
dee0cd4365ce491442be93f29013fc78833c1ce86bc1535b349877b738f58a4c

SHA512
8f20a3d54746747a47dfd4ec509d946cc40553d37b25dd4f6741023b2faf4435e76250ab033942e9d653911827f4e4c64c6ada316d874ab94f715476f4722f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\Installer.exe

Filesize
1KB

MD5
f1eb8b98fdbdb0bf4aea0e50bc6680d7

SHA1
6888d55f006b0f3f9e688953c9598127efe15081

SHA256
eeb19ad5a8c5a9267c7aa88b8cea1f909ccd42d662936b5d8822997c49597401

SHA512
e74d7db05280c9279c7ee85fc1866bb0b3fa2d265b3b5186dc85a2cb917b22d18b220d35dc9245010090f09a56a54c3056bdbbd683fe48337b68dca31a831099

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

Filesize
57KB

MD5
3979cd5758e8ad9f549f0f07ff38b4d9

SHA1
e227ede0cbf950bbea401da967e820fe47adc8b9

SHA256
e40ab8ee8773b2e289a876967e8ac06fd9ad929eda15ce438951071b3f136084

SHA512
9b87b3f7a66a29e791103e207650a911d0f502908d16267dae79e97318fbf814bf520d2268430f9adbd8a1a3aa29d1169037aaae6487ba17c3fa1a8fa747f18a

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\Installer.exe

Filesize
170KB

MD5
ff324139faf8f5ae3ca929bc2ac144f1

SHA1
ccd936dcbf348530122958afa74ce6627e713a96

SHA256
4001278e56b41926b64813ade0b0dc7fbd6203051126a13f34f191c432e429a7

SHA512
01dbbddd648df74648f33191cdc57dfc948ccce9df86e7da05f39a37decba489956e845528718fbdbb7cb51e92a3f8a15f135b21989d4c543f8adb85c7afbb59

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

Filesize
1KB

MD5
313e848e56d110bb56534adf841ea70a

SHA1
54a783b2f35b255992cba84e911800570976734e

SHA256
37725296400e4b646bb5f93d137059617a35c4841f7a3ea22f4b4b75e91ecfad

SHA512
45ee3228e22c0da8e3b96671c33c5e50a0247e61ae654c6ab3399b80309ace8337c07766f48924b142586b5d2ff4f9968a9825169f237bcbdf1af4d2d212f9d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

Filesize
159KB

MD5
fc91b6ee5c2ebe91da1ade60e138e605

SHA1
0eb7ad6db0f20e3c76b54f3e7c0e2d6ecf958fe4

SHA256
0ea3d2e85a6bdabe1222d67bc5fb34f2d75da80552b218a33f137c6b5c450704

SHA512
5938fc55b32f586510006a5d08bd0150a295fc05b107f522062271634438512868e405d8f23ebce0aa042892bf033100e70aab8e4bedf5961fb9afdbc780a6b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

Filesize
66KB

MD5
c249d3e1deaa0fada3a7639ccc0a9a1a

SHA1
d069eeb6c4d118499ad88fd29b58a323e6779890

SHA256
c8bf4464d07b0aee3baf435246fe88d2276071e3fef3859b9ca2fcb1226ba7a8

SHA512
9a56845477d1eafde38f75795912119810f440eb2e4feecb57a7fd2c084691061524aa397d37657ce24d68ec28bc577f9b18f872f62d2b7bffa437aee3e0fb3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

Filesize
220KB

MD5
fd60767931825f661f914a1566de6b15

SHA1
2d1ba400f36ecb4ff0a5c6ec6d608c0f059a9c66

SHA256
427ecdf5dae3bba40938e0c80f449194e68f747d619a2c4b994cadec621b7240

SHA512
11c81f6444c722971d2a5335b0aae2fc9d15dcd64a512d7add9e1df156edb75f8b9f73e06d8c6dd07a10cb620cb34cd5f71fbbf8501254b45c5b1a80d2fc56f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

Filesize
393KB

MD5
6b38d486f54ecf7d5559d1c83a6e5a0c

SHA1
be779aedea000a8796e76b7f873d47ac2fdf4cbb

SHA256
91c5fc21cd16690480793041b643585d54a254a422c67530d18b5f7015fbe338

SHA512
a4eadf579126a7364112fbfac2836dba5aa5a9df627c6f1378ab32212610db19e1d78fafa3cddf54750b4c692f53af880aeee9ece52247a8b6aacb3bdada56de

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip

Filesize
576KB

MD5
10070d7d30f0d374ac316ee8423f8df0

SHA1
09b0421e9d382a6ced24531b74256aab02b2f740

SHA256
5cc26759b0449cd766106671444b3ee1560ae0fca2acb5d03de9f98a70f436c2

SHA512
ce4d6e05499fdfcb4a4efcf236205275d81318bafc79823e5bc5fcd1d9fa7af45d8161f03bdc4b815a4ac6e39fbb3f05731b357aaf25c0c9c579afdede99fa63

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
2.2MB

MD5
7f73290548312b6be6f6b57e3f4731fd

SHA1
85d9a327430239308563a263bfdda50f0b4483cc

SHA256
b0440c0db22666e089579ba71e1167ea5a35d2768eaacccd65d18d04c3c13df2

SHA512
7afe3555ecc29b9bd2650c6864cc87d79fa6dfe978ed9d580bd96c52f604ff6edba341ed0871a33c6e50f7922d6ac7c0585a6a88aa63a315b33ce9516596ef2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
474B

MD5
eff7f771389f9f45dea4b3237e2b4edc

SHA1
b8f77db37dd2e395c4df239e904ba16b6ede5d10

SHA256
c01ec7124093a6708fc1b49264b8990a6b34bcca5120b464ef810d2ef38e588b

SHA512
98f4d39115ce2691bbee37114572b89ead766f24aa1817ec0bb64f3308a882bb343add378ae2bdeb8a6feb15e90f54574c136faf77de7e751d2f8ba09f7adc6e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

Filesize
4KB

MD5
a5ce3aba68bdb438e98b1d0c70a3d95c

SHA1
013f5aa9057bf0b3c0c24824de9d075434501354

SHA256
9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

SHA512
7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

Download Submit
memory/3148-93-0x00007FFAFE0D0000-0x00007FFAFEB91000-memory.dmp

Filesize
10.8MB

Download
memory/3148-92-0x00007FFAFE0D0000-0x00007FFAFEB91000-memory.dmp

Filesize
10.8MB

Download
memory/3148-90-0x0000000000E40000-0x0000000000E48000-memory.dmp

Filesize
32KB

Download
memory/4572-69-0x0000000004DA0000-0x0000000004DEC000-memory.dmp

Filesize
304KB

Download
memory/4572-74-0x0000000005D20000-0x0000000005D3E000-memory.dmp

Filesize
120KB

Download
memory/4572-67-0x0000000004E30000-0x0000000004F3A000-memory.dmp

Filesize
1.0MB

Download
memory/4572-68-0x0000000004D60000-0x0000000004D9C000-memory.dmp

Filesize
240KB

Download
memory/4572-65-0x0000000005340000-0x0000000005958000-memory.dmp

Filesize
6.1MB

Download
memory/4572-70-0x0000000005080000-0x00000000050E6000-memory.dmp

Filesize
408KB

Download
memory/4572-71-0x0000000006010000-0x00000000065B4000-memory.dmp

Filesize
5.6MB

Download
memory/4572-72-0x0000000005B60000-0x0000000005BF2000-memory.dmp

Filesize
584KB

Download
memory/4572-73-0x0000000005C80000-0x0000000005CF6000-memory.dmp

Filesize
472KB

Download
memory/4572-66-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

Filesize
72KB

Download
memory/4572-75-0x0000000006AC0000-0x0000000006B10000-memory.dmp

Filesize
320KB

Download
memory/4572-76-0x0000000007DF0000-0x0000000007FB2000-memory.dmp

Filesize
1.8MB

Download
memory/4572-77-0x00000000084F0000-0x0000000008A1C000-memory.dmp

Filesize
5.2MB

Download
memory/4572-63-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/4572-64-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/4572-91-0x0000000073DD0000-0x0000000074580000-memory.dmp

Filesize
7.7MB

Download
memory/4572-62-0x0000000000060000-0x000000000018A000-memory.dmp

Filesize
1.2MB

Download
memory/4572-61-0x0000000073DD0000-0x0000000074580000-memory.dmp

Filesize
7.7MB

Download