zgrat | 217fbf967c95d1359314fcd53ae8d04489eb3c7bdc1f22110d5a8a476d1fc92e

Analysis

max time kernel
147s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01-03-2024 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

native.exe
Size

2.1MB
MD5

1a917a85dcbb1d3df5f4dd02e3a62873
SHA1

567f528fec8e7a4787f8c253446d8f1b620dc9d6
SHA256

217fbf967c95d1359314fcd53ae8d04489eb3c7bdc1f22110d5a8a476d1fc92e
SHA512

341acbd43efac1718c7f3e3795549acf29237a2675bdadcb7e52ce18aac6dcc6ae628e1b6edfa2338ed6d9923c148cb4322c75fad86d5c0e6f2327c2270563ec
SSDEEP

49152:/WlrvpDXJLRxe123BMGwxB19y0IEjaV/EC5O7pD:/apzJy1kMxt2R/ET

Score

10^/10

zgrat rat

Malware Config

Signatures

Detect ZGRat V1 37 IoCs

resource	yara_rule
behavioral1/memory/2136-2-0x0000000004BB0000-0x0000000004DB8000-memory.dmp	family_zgrat_v1
behavioral1/memory/2136-3-0x0000000004BB0000-0x0000000004DB3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2136-4-0x0000000004BB0000-0x0000000004DB3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2136-6-0x0000000004BB0000-0x0000000004DB3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2136-8-0x0000000004BB0000-0x0000000004DB3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2136-10-0x0000000004BB0000-0x0000000004DB3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2136-12-0x0000000004BB0000-0x0000000004DB3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2136-14-0x0000000004BB0000-0x0000000004DB3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2136-16-0x0000000004BB0000-0x0000000004DB3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2136-18-0x0000000004BB0000-0x0000000004DB3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2136-20-0x0000000004BB0000-0x0000000004DB3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2136-22-0x0000000004BB0000-0x0000000004DB3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2136-24-0x0000000004BB0000-0x0000000004DB3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2136-26-0x0000000004BB0000-0x0000000004DB3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2136-28-0x0000000004BB0000-0x0000000004DB3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2136-30-0x0000000004BB0000-0x0000000004DB3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2136-32-0x0000000004BB0000-0x0000000004DB3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2136-34-0x0000000004BB0000-0x0000000004DB3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2136-36-0x0000000004BB0000-0x0000000004DB3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2136-38-0x0000000004BB0000-0x0000000004DB3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2136-40-0x0000000004BB0000-0x0000000004DB3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2136-42-0x0000000004BB0000-0x0000000004DB3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2136-44-0x0000000004BB0000-0x0000000004DB3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2136-46-0x0000000004BB0000-0x0000000004DB3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2136-48-0x0000000004BB0000-0x0000000004DB3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2136-50-0x0000000004BB0000-0x0000000004DB3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2136-52-0x0000000004BB0000-0x0000000004DB3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2136-54-0x0000000004BB0000-0x0000000004DB3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2136-56-0x0000000004BB0000-0x0000000004DB3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2136-58-0x0000000004BB0000-0x0000000004DB3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2136-60-0x0000000004BB0000-0x0000000004DB3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2136-62-0x0000000004BB0000-0x0000000004DB3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2136-64-0x0000000004BB0000-0x0000000004DB3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2136-66-0x0000000004BB0000-0x0000000004DB3000-memory.dmp	family_zgrat_v1
behavioral1/memory/2760-951-0x0000000004D50000-0x0000000004E7A000-memory.dmp	family_zgrat_v1
behavioral1/memory/812-1925-0x00000000011B0000-0x0000000001298000-memory.dmp	family_zgrat_v1
behavioral1/memory/2808-8140-0x0000000001760000-0x00000000017E0000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 10 IoCs

pid	Process
2760	BBLb.exe
812	BBLb.exe
2164	AttributeString.exe
2388	AttributeString.exe
2432	AttributeString.exe
2032	AttributeString.exe
2420	AttributeString.exe
2916	AttributeString.exe
1744	AttributeString.exe
3048	AttributeString.exe

Loads dropped DLL 2 IoCs

pid	Process
2136	native.exe
2760	BBLb.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2136 set thread context of 1736	2136	native.exe	29
PID 2760 set thread context of 812	2760	BBLb.exe	30
PID 2164 set thread context of 1744	2164	AttributeString.exe	46
PID 1744 set thread context of 2352	1744	AttributeString.exe	47
PID 2352 set thread context of 928	2352	MSBuild.exe	50

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2408	powershell.exe
2164	AttributeString.exe
2164	AttributeString.exe
2164	AttributeString.exe
2164	AttributeString.exe
2164	AttributeString.exe
2164	AttributeString.exe
2164	AttributeString.exe
2164	AttributeString.exe
2164	AttributeString.exe
2164	AttributeString.exe
2164	AttributeString.exe
2164	AttributeString.exe
1744	AttributeString.exe
1744	AttributeString.exe
2808	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2136	native.exe
Token: SeDebugPrivilege	2760	BBLb.exe
Token: SeDebugPrivilege	812	BBLb.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	2164	AttributeString.exe
Token: SeDebugPrivilege	1744	AttributeString.exe
Token: SeDebugPrivilege	2352	MSBuild.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	928	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2760	2136	native.exe	28
PID 2136 wrote to memory of 2760	2136	native.exe	28
PID 2136 wrote to memory of 2760	2136	native.exe	28
PID 2136 wrote to memory of 2760	2136	native.exe	28
PID 2136 wrote to memory of 1736	2136	native.exe	29
PID 2136 wrote to memory of 1736	2136	native.exe	29
PID 2136 wrote to memory of 1736	2136	native.exe	29
PID 2136 wrote to memory of 1736	2136	native.exe	29
PID 2136 wrote to memory of 1736	2136	native.exe	29
PID 2136 wrote to memory of 1736	2136	native.exe	29
PID 2136 wrote to memory of 1736	2136	native.exe	29
PID 2136 wrote to memory of 1736	2136	native.exe	29
PID 2136 wrote to memory of 1736	2136	native.exe	29
PID 2136 wrote to memory of 1736	2136	native.exe	29
PID 2136 wrote to memory of 1736	2136	native.exe	29
PID 2760 wrote to memory of 812	2760	BBLb.exe	30
PID 2760 wrote to memory of 812	2760	BBLb.exe	30
PID 2760 wrote to memory of 812	2760	BBLb.exe	30
PID 2760 wrote to memory of 812	2760	BBLb.exe	30
PID 2760 wrote to memory of 812	2760	BBLb.exe	30
PID 2760 wrote to memory of 812	2760	BBLb.exe	30
PID 2760 wrote to memory of 812	2760	BBLb.exe	30
PID 2760 wrote to memory of 812	2760	BBLb.exe	30
PID 2760 wrote to memory of 812	2760	BBLb.exe	30
PID 840 wrote to memory of 2408	840	taskeng.exe	36
PID 840 wrote to memory of 2408	840	taskeng.exe	36
PID 840 wrote to memory of 2408	840	taskeng.exe	36
PID 2072 wrote to memory of 2164	2072	taskeng.exe	39
PID 2072 wrote to memory of 2164	2072	taskeng.exe	39
PID 2072 wrote to memory of 2164	2072	taskeng.exe	39
PID 2072 wrote to memory of 2164	2072	taskeng.exe	39
PID 2164 wrote to memory of 2388	2164	AttributeString.exe	40
PID 2164 wrote to memory of 2388	2164	AttributeString.exe	40
PID 2164 wrote to memory of 2388	2164	AttributeString.exe	40
PID 2164 wrote to memory of 2388	2164	AttributeString.exe	40
PID 2164 wrote to memory of 2432	2164	AttributeString.exe	41
PID 2164 wrote to memory of 2432	2164	AttributeString.exe	41
PID 2164 wrote to memory of 2432	2164	AttributeString.exe	41
PID 2164 wrote to memory of 2432	2164	AttributeString.exe	41
PID 2164 wrote to memory of 2032	2164	AttributeString.exe	42
PID 2164 wrote to memory of 2032	2164	AttributeString.exe	42
PID 2164 wrote to memory of 2032	2164	AttributeString.exe	42
PID 2164 wrote to memory of 2032	2164	AttributeString.exe	42
PID 2164 wrote to memory of 2916	2164	AttributeString.exe	43
PID 2164 wrote to memory of 2916	2164	AttributeString.exe	43
PID 2164 wrote to memory of 2916	2164	AttributeString.exe	43
PID 2164 wrote to memory of 2916	2164	AttributeString.exe	43
PID 2164 wrote to memory of 2420	2164	AttributeString.exe	44
PID 2164 wrote to memory of 2420	2164	AttributeString.exe	44
PID 2164 wrote to memory of 2420	2164	AttributeString.exe	44
PID 2164 wrote to memory of 2420	2164	AttributeString.exe	44
PID 2164 wrote to memory of 3048	2164	AttributeString.exe	45
PID 2164 wrote to memory of 3048	2164	AttributeString.exe	45
PID 2164 wrote to memory of 3048	2164	AttributeString.exe	45
PID 2164 wrote to memory of 3048	2164	AttributeString.exe	45
PID 2164 wrote to memory of 1744	2164	AttributeString.exe	46
PID 2164 wrote to memory of 1744	2164	AttributeString.exe	46
PID 2164 wrote to memory of 1744	2164	AttributeString.exe	46
PID 2164 wrote to memory of 1744	2164	AttributeString.exe	46
PID 2164 wrote to memory of 1744	2164	AttributeString.exe	46
PID 2164 wrote to memory of 1744	2164	AttributeString.exe	46
PID 2164 wrote to memory of 1744	2164	AttributeString.exe	46
PID 2164 wrote to memory of 1744	2164	AttributeString.exe	46
PID 2164 wrote to memory of 1744	2164	AttributeString.exe	46

C:\Users\Admin\AppData\Local\Temp\native.exe
"C:\Users\Admin\AppData\Local\Temp\native.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\BBLb.exe
  "C:\Users\Admin\AppData\Local\Temp\BBLb.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Users\Admin\AppData\Local\Temp\BBLb.exe
    C:\Users\Admin\AppData\Local\Temp\BBLb.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:812
- C:\Users\Admin\AppData\Local\Temp\native.exe
  C:\Users\Admin\AppData\Local\Temp\native.exe
  2⤵
  PID:1736

C:\Windows\system32\taskeng.exe
taskeng.exe {2E3F7352-05EC-42E6-B66B-19EF4E2F5D26} S-1-5-21-1650401615-1019878084-3673944445-1000:UADPPTXT\Admin:S4U:
1⤵
- Suspicious use of WriteProcessMemory
PID:840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABBAHQAdAByAGkAYgB1AHQAZQBTAHQAcgBpAG4AZwAuAGUAeABlADsA
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABBAHQAdAByAGkAYgB1AHQAZQBTAHQAcgBpAG4AZwAuAGUAeABlADsA
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2808

C:\Windows\system32\taskeng.exe
taskeng.exe {2E2CE141-7637-478B-9EDD-A9668864FD35} S-1-5-21-1650401615-1019878084-3673944445-1000:UADPPTXT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\TypeId\rgsyr\AttributeString.exe
  C:\Users\Admin\AppData\Local\TypeId\rgsyr\AttributeString.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Users\Admin\AppData\Local\TypeId\rgsyr\AttributeString.exe
    C:\Users\Admin\AppData\Local\TypeId\rgsyr\AttributeString.exe
    3⤵
    - Executes dropped EXE
    PID:2388
- - C:\Users\Admin\AppData\Local\TypeId\rgsyr\AttributeString.exe
    C:\Users\Admin\AppData\Local\TypeId\rgsyr\AttributeString.exe
    3⤵
    - Executes dropped EXE
    PID:2432
- - C:\Users\Admin\AppData\Local\TypeId\rgsyr\AttributeString.exe
    C:\Users\Admin\AppData\Local\TypeId\rgsyr\AttributeString.exe
    3⤵
    - Executes dropped EXE
    PID:2032
- - C:\Users\Admin\AppData\Local\TypeId\rgsyr\AttributeString.exe
    C:\Users\Admin\AppData\Local\TypeId\rgsyr\AttributeString.exe
    3⤵
    - Executes dropped EXE
    PID:2916
- - C:\Users\Admin\AppData\Local\TypeId\rgsyr\AttributeString.exe
    C:\Users\Admin\AppData\Local\TypeId\rgsyr\AttributeString.exe
    3⤵
    - Executes dropped EXE
    PID:2420
- - C:\Users\Admin\AppData\Local\TypeId\rgsyr\AttributeString.exe
    C:\Users\Admin\AppData\Local\TypeId\rgsyr\AttributeString.exe
    3⤵
    - Executes dropped EXE
    PID:3048
- - C:\Users\Admin\AppData\Local\TypeId\rgsyr\AttributeString.exe
    C:\Users\Admin\AppData\Local\TypeId\rgsyr\AttributeString.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1744
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      4⤵
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:2352
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BBLb.exe

Filesize
960KB

MD5
7d39ed562f31bc9ec78b6351d1f4bfcc

SHA1
ddbc9603f16b789162384c39beb2ba8d96add42f

SHA256
d48db5906b8ecebd49e5ce98c5bf5343932667dfc9f283a6baae721d753a75b9

SHA512
09f7b3b086add2d5537dac652abdd9df9bfc49308fd71a2ac59ffca6f8d8a7c4436c526c0c8f62f41dcec347609e91f1feb4422802f9c6a13aabfc43e6438645

Download Submit
C:\Users\Admin\AppData\Local\TypeId\rgsyr\AttributeString.exe

Filesize
1.2MB

MD5
852359f21734789508b5e453d1baef18

SHA1
6ca0af51f51ce280322b57e89dc69d712054246c

SHA256
797e3af2149d46f62d949ac28be06e63a8f971114f3bfd8d8db3f0da85244c5c

SHA512
4bfa18f3a732b52e1ea7a624786d169a862bcac512413a65925075b4870a8303486a71677de8eab95a99d8bd4b768e3a50c1ebcbde5bff9f719849ca55882d75

Download Submit
C:\Users\Admin\AppData\Local\TypeId\rgsyr\AttributeString.exe

Filesize
1.1MB

MD5
c43f9e71adc553cfd066fff8faa951fc

SHA1
b42ed3117d59c78a9aae1f3808239c8396478cd7

SHA256
067522f8c4d0832c9c7495fb46638aa41e0387994284fab89e0ac6885f6a76a8

SHA512
d1822bc87a5bbbd34e2c374cd4eb384f5b965671215e6e70a6f59b07b5fcacbcfcfcd678d8894ffe818861a6694a32b9414d57d45143a5a6908431b77f4b2748

Download Submit
C:\Users\Admin\AppData\Local\TypeId\rgsyr\AttributeString.exe

Filesize
896KB

MD5
5c63556492a51966ce4b579921036096

SHA1
569dfe00f01ef7d5e6f5e866fccb1cf970d1ef2c

SHA256
2a7a91637a26c351ef8f8e6d5033bb667c82208c602731c1dda70a5e6436a837

SHA512
48a00f6343475398ab3478e19dfa279b8cb3e39f436713c5ec0ae9eb03a3960c2152b675212690d3cfb62049d5dbe569a9a30411fc4c983abebf1289dd622b89

Download Submit
C:\Users\Admin\AppData\Local\TypeId\rgsyr\AttributeString.exe

Filesize
230KB

MD5
87562c705053a6b70bfa990c2e82d14d

SHA1
911bc4bc8d9f4be5e7113497e76bfbfc08709bb9

SHA256
3cbe270387b4648efcf8818bc11c5085e43b11f40d3773704b70903179bb8f4d

SHA512
b3e2c5d00e303ee2d89e34bc8dcc5105f3677b3e493d4ccf02d12e67917d8279716010684897f848fdad711e82ce868be0f029dadd5f2f06c035dd6f2bb950b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
713fbf1c04f0bdfde1e550df75625815

SHA1
253f48068fb71b230158fc57e01e9ff2bdc55a9d

SHA256
2e2e80fe9160b794d30361246044712fde8b90fbb6b7dfe3931cb1e6a24870aa

SHA512
06a59f5611e6ab0cdc85e3c1e788c545c312cd186780d171d1721d27234732bd14c67cc83c9fbe2c6d20c7609c9a0ac31098b11df5deced3c1c3d029fb554498

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\USA9CE9BMQ3QZGC7IDBD.temp

Filesize
7KB

MD5
5ae0c4b4d2b092c59f4169fe00aa6e6e

SHA1
5175cc8d6cc983bf6d61a18e14dea0767f0dabdd

SHA256
afe16931ad73242b4ec053d1fc131f3e3b8ff9a45845cbdc580f5a4f2fa957b4

SHA512
7bf4efe1171ea3b9f8cc6f4f46d57720145ce15ffbfb83340a6a1ffab8165756de5d00b05bdc1c5f200d0f4ece2a11cc4dbf28505cb01da5ff39349edc6dfc3a

Download Submit
\Users\Admin\AppData\Local\Temp\BBLb.exe

Filesize
1.2MB

MD5
71eb1bc6e6da380c1cb552d78b391b2a

SHA1
df3278e6e26d8c0bc878fe0a8c8a91b28c5a652d

SHA256
cefa92ee6cc2fad86c49dd37d57ff8afcb9b9abef0a110689e6d771394256bd6

SHA512
d6fab2c469924b8202f7964e864f66d6b6151937c8d134fb40e1f1d3787cf22328892c3f7209786e0b42e1abd5ca71a61f40538ef1e93534d2a98bf6d4448e90

Download Submit
memory/812-1925-0x00000000011B0000-0x0000000001298000-memory.dmp

Filesize
928KB

Download
memory/812-1923-0x0000000074C70000-0x000000007535E000-memory.dmp

Filesize
6.9MB

Download
memory/812-1922-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/812-1924-0x0000000000DA0000-0x0000000000DE0000-memory.dmp

Filesize
256KB

Download
memory/812-4126-0x0000000000CF0000-0x0000000000D46000-memory.dmp

Filesize
344KB

Download
memory/812-4127-0x0000000000F00000-0x0000000000F54000-memory.dmp

Filesize
336KB

Download
memory/812-4129-0x0000000074C70000-0x000000007535E000-memory.dmp

Filesize
6.9MB

Download
memory/928-8285-0x0000000074CA0000-0x000000007538E000-memory.dmp

Filesize
6.9MB

Download
memory/928-10488-0x0000000074CA0000-0x000000007538E000-memory.dmp

Filesize
6.9MB

Download
memory/928-10489-0x0000000004A10000-0x0000000004A50000-memory.dmp

Filesize
256KB

Download
memory/1736-1097-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1736-986-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1744-7319-0x0000000074CA0000-0x000000007538E000-memory.dmp

Filesize
6.9MB

Download
memory/1744-7304-0x0000000004970000-0x00000000049C4000-memory.dmp

Filesize
336KB

Download
memory/1744-5100-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/1744-5101-0x0000000074CA0000-0x000000007538E000-memory.dmp

Filesize
6.9MB

Download
memory/1744-5102-0x00000000049C0000-0x0000000004A00000-memory.dmp

Filesize
256KB

Download
memory/2136-46-0x0000000004BB0000-0x0000000004DB3000-memory.dmp

Filesize
2.0MB

Download
memory/2136-4-0x0000000004BB0000-0x0000000004DB3000-memory.dmp

Filesize
2.0MB

Download
memory/2136-50-0x0000000004BB0000-0x0000000004DB3000-memory.dmp

Filesize
2.0MB

Download
memory/2136-52-0x0000000004BB0000-0x0000000004DB3000-memory.dmp

Filesize
2.0MB

Download
memory/2136-54-0x0000000004BB0000-0x0000000004DB3000-memory.dmp

Filesize
2.0MB

Download
memory/2136-56-0x0000000004BB0000-0x0000000004DB3000-memory.dmp

Filesize
2.0MB

Download
memory/2136-58-0x0000000004BB0000-0x0000000004DB3000-memory.dmp

Filesize
2.0MB

Download
memory/2136-60-0x0000000004BB0000-0x0000000004DB3000-memory.dmp

Filesize
2.0MB

Download
memory/2136-62-0x0000000004BB0000-0x0000000004DB3000-memory.dmp

Filesize
2.0MB

Download
memory/2136-64-0x0000000004BB0000-0x0000000004DB3000-memory.dmp

Filesize
2.0MB

Download
memory/2136-66-0x0000000004BB0000-0x0000000004DB3000-memory.dmp

Filesize
2.0MB

Download
memory/2136-935-0x0000000004B70000-0x0000000004BB0000-memory.dmp

Filesize
256KB

Download
memory/2136-936-0x0000000000430000-0x0000000000431000-memory.dmp

Filesize
4KB

Download
memory/2136-937-0x0000000005130000-0x00000000052D0000-memory.dmp

Filesize
1.6MB

Download
memory/2136-938-0x0000000002020000-0x000000000206C000-memory.dmp

Filesize
304KB

Download
memory/2136-0-0x00000000000B0000-0x00000000002D8000-memory.dmp

Filesize
2.2MB

Download
memory/2136-44-0x0000000004BB0000-0x0000000004DB3000-memory.dmp

Filesize
2.0MB

Download
memory/2136-1-0x0000000074CF0000-0x00000000753DE000-memory.dmp

Filesize
6.9MB

Download
memory/2136-2-0x0000000004BB0000-0x0000000004DB8000-memory.dmp

Filesize
2.0MB

Download
memory/2136-3-0x0000000004BB0000-0x0000000004DB3000-memory.dmp

Filesize
2.0MB

Download
memory/2136-18-0x0000000004BB0000-0x0000000004DB3000-memory.dmp

Filesize
2.0MB

Download
memory/2136-20-0x0000000004BB0000-0x0000000004DB3000-memory.dmp

Filesize
2.0MB

Download
memory/2136-42-0x0000000004BB0000-0x0000000004DB3000-memory.dmp

Filesize
2.0MB

Download
memory/2136-984-0x0000000074CF0000-0x00000000753DE000-memory.dmp

Filesize
6.9MB

Download
memory/2136-40-0x0000000004BB0000-0x0000000004DB3000-memory.dmp

Filesize
2.0MB

Download
memory/2136-16-0x0000000004BB0000-0x0000000004DB3000-memory.dmp

Filesize
2.0MB

Download
memory/2136-6-0x0000000004BB0000-0x0000000004DB3000-memory.dmp

Filesize
2.0MB

Download
memory/2136-22-0x0000000004BB0000-0x0000000004DB3000-memory.dmp

Filesize
2.0MB

Download
memory/2136-38-0x0000000004BB0000-0x0000000004DB3000-memory.dmp

Filesize
2.0MB

Download
memory/2136-36-0x0000000004BB0000-0x0000000004DB3000-memory.dmp

Filesize
2.0MB

Download
memory/2136-34-0x0000000004BB0000-0x0000000004DB3000-memory.dmp

Filesize
2.0MB

Download
memory/2136-32-0x0000000004BB0000-0x0000000004DB3000-memory.dmp

Filesize
2.0MB

Download
memory/2136-30-0x0000000004BB0000-0x0000000004DB3000-memory.dmp

Filesize
2.0MB

Download
memory/2136-28-0x0000000004BB0000-0x0000000004DB3000-memory.dmp

Filesize
2.0MB

Download
memory/2136-26-0x0000000004BB0000-0x0000000004DB3000-memory.dmp

Filesize
2.0MB

Download
memory/2136-24-0x0000000004BB0000-0x0000000004DB3000-memory.dmp

Filesize
2.0MB

Download
memory/2136-14-0x0000000004BB0000-0x0000000004DB3000-memory.dmp

Filesize
2.0MB

Download
memory/2136-48-0x0000000004BB0000-0x0000000004DB3000-memory.dmp

Filesize
2.0MB

Download
memory/2136-8-0x0000000004BB0000-0x0000000004DB3000-memory.dmp

Filesize
2.0MB

Download
memory/2136-10-0x0000000004BB0000-0x0000000004DB3000-memory.dmp

Filesize
2.0MB

Download
memory/2136-12-0x0000000004BB0000-0x0000000004DB3000-memory.dmp

Filesize
2.0MB

Download
memory/2164-4143-0x00000000001D0000-0x0000000000310000-memory.dmp

Filesize
1.2MB

Download
memory/2164-4144-0x0000000074CA0000-0x000000007538E000-memory.dmp

Filesize
6.9MB

Download
memory/2164-4145-0x0000000004A80000-0x0000000004AC0000-memory.dmp

Filesize
256KB

Download
memory/2164-5078-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/2164-5099-0x0000000074CA0000-0x000000007538E000-memory.dmp

Filesize
6.9MB

Download
memory/2352-7320-0x0000000000400000-0x0000000000540000-memory.dmp

Filesize
1.2MB

Download
memory/2352-7340-0x0000000074CA0000-0x000000007538E000-memory.dmp

Filesize
6.9MB

Download
memory/2352-7344-0x00000000003B0000-0x00000000003F0000-memory.dmp

Filesize
256KB

Download
memory/2352-8267-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2352-8281-0x0000000074CA0000-0x000000007538E000-memory.dmp

Filesize
6.9MB

Download
memory/2408-4136-0x0000000001430000-0x00000000014B0000-memory.dmp

Filesize
512KB

Download
memory/2408-4140-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp

Filesize
9.6MB

Download
memory/2408-4139-0x0000000001430000-0x00000000014B0000-memory.dmp

Filesize
512KB

Download
memory/2408-4138-0x00000000010F0000-0x00000000010F8000-memory.dmp

Filesize
32KB

Download
memory/2408-4137-0x0000000019FB0000-0x000000001A292000-memory.dmp

Filesize
2.9MB

Download
memory/2408-4135-0x0000000001430000-0x00000000014B0000-memory.dmp

Filesize
512KB

Download
memory/2408-4134-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp

Filesize
9.6MB

Download
memory/2760-949-0x0000000004800000-0x0000000004928000-memory.dmp

Filesize
1.2MB

Download
memory/2760-951-0x0000000004D50000-0x0000000004E7A000-memory.dmp

Filesize
1.2MB

Download
memory/2760-1903-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2760-946-0x00000000012C0000-0x0000000001400000-memory.dmp

Filesize
1.2MB

Download
memory/2760-947-0x0000000074CF0000-0x00000000753DE000-memory.dmp

Filesize
6.9MB

Download
memory/2760-1904-0x00000000051B0000-0x0000000005270000-memory.dmp

Filesize
768KB

Download
memory/2760-948-0x0000000000C10000-0x0000000000C50000-memory.dmp

Filesize
256KB

Download
memory/2760-1918-0x0000000074CF0000-0x00000000753DE000-memory.dmp

Filesize
6.9MB

Download
memory/2808-8140-0x0000000001760000-0x00000000017E0000-memory.dmp

Filesize
512KB

Download
memory/2808-8266-0x0000000000F80000-0x0000000000F88000-memory.dmp

Filesize
32KB

Download
memory/2808-8260-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/2808-8271-0x0000000001760000-0x00000000017E0000-memory.dmp

Filesize
512KB

Download
memory/2808-8202-0x0000000001760000-0x00000000017E0000-memory.dmp

Filesize
512KB

Download
memory/2808-8141-0x0000000001760000-0x00000000017E0000-memory.dmp

Filesize
512KB

Download
memory/2808-10219-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/2808-10487-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download
memory/2808-8138-0x0000000019EB0000-0x000000001A192000-memory.dmp

Filesize
2.9MB

Download
memory/2808-8139-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp

Filesize
9.6MB

Download