Overview

overview

10

Static

static

10

22ed346e6e...e1.exe

windows7-x64

10

22ed346e6e...e1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    131s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/05/2024, 01:06

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe

  • Size

    1.9MB

  • MD5

    17eb4c4e58353a5db52602d0ae321fbd

  • SHA1

    791e65e864b8831b86149c079b09d04cac894e59

  • SHA256

    22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1

  • SHA512

    a93540c9b59a5000ef53834ff920d8fafa3e1d25da92ead4d523dc684d3824a6e3ccefda736194c0ec1a2e27229ea4096afd65be3ff462fd2e4f22c6058d8d14

  • SSDEEP

    24576:kGcK2o1bNcsQSVR7z/7VlQR/Ys6Yy0RbZEd3oJ30mJrqTgOEOkm6GNBO0mQP:7l777HagqbZoaEoki5m6G/FmQ

Score
10/10
zgratexecutionpersistenceratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 2 IoCs
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Detects executables packed with unregistered version of .NET Reactor 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
    "C:\Users\Admin\AppData\Local\Temp\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4040
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\b4uevyzm\b4uevyzm.cmdline"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2424
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E4F.tmp" "c:\Windows\System32\CSCA820CBC9890146549C221424815EFE4D.TMP"
        3⤵
          PID:688
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4168
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4028
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4776
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3616
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4036
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2508
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4828
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3164
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3280
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1364
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3468
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\System.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:1196
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\SearchApp.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4316
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Containers\serviced\taskhostw.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3472
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2140
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\PrintHood\sppsvc.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4732
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:928
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9aRL5bnwi2.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2332
        • C:\Windows\system32\chcp.com
          chcp 65001
          3⤵
            PID:5976
          • C:\Windows\system32\PING.EXE
            ping -n 10 localhost
            3⤵
            • Runs ping.exe
            PID:5480
          • C:\Windows\debug\SearchApp.exe
            "C:\Windows\debug\SearchApp.exe"
            3⤵
            • Executes dropped EXE
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:5524
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\System.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3544
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\System.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:2404
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\System.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3556
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Windows\debug\SearchApp.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1116
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\debug\SearchApp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4468
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Windows\debug\SearchApp.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3596
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 14 /tr "'C:\Windows\Containers\serviced\taskhostw.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4172
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Windows\Containers\serviced\taskhostw.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3084
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Windows\Containers\serviced\taskhostw.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3512
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4532
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4524
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\StartMenuExperienceHost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:3684
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\PrintHood\sppsvc.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4896
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4148
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\PrintHood\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1216
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e12" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:728
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:1548
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e12" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Creates scheduled task(s)
        PID:4136

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\System.exe
        Filesize

        1.9MB

        MD5

        17eb4c4e58353a5db52602d0ae321fbd

        SHA1

        791e65e864b8831b86149c079b09d04cac894e59

        SHA256

        22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1

        SHA512

        a93540c9b59a5000ef53834ff920d8fafa3e1d25da92ead4d523dc684d3824a6e3ccefda736194c0ec1a2e27229ea4096afd65be3ff462fd2e4f22c6058d8d14

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
        Filesize

        2KB

        MD5

        a43e653ffb5ab07940f4bdd9cc8fade4

        SHA1

        af43d04e3427f111b22dc891c5c7ee8a10ac4123

        SHA256

        c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

        SHA512

        62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        6d3e9c29fe44e90aae6ed30ccf799ca8

        SHA1

        c7974ef72264bbdf13a2793ccf1aed11bc565dce

        SHA256

        2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

        SHA512

        60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        2e907f77659a6601fcc408274894da2e

        SHA1

        9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

        SHA256

        385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

        SHA512

        34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        cadef9abd087803c630df65264a6c81c

        SHA1

        babbf3636c347c8727c35f3eef2ee643dbcc4bd2

        SHA256

        cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

        SHA512

        7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
        Filesize

        944B

        MD5

        e243a38635ff9a06c87c2a61a2200656

        SHA1

        ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

        SHA256

        af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

        SHA512

        4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\9aRL5bnwi2.bat
        Filesize

        158B

        MD5

        44260f7dd5c1d8e316facdaeff272d13

        SHA1

        23543082eb9e13378cd11808bda2caa602199285

        SHA256

        61cda39455835d811f7e975f75ae87e46396de70d4331492d6ea4a3b445bf5a7

        SHA512

        9c9f6bd9a0139417d41d4cad0ce7894c8f0fa303e95c07f83ebf08d9443705f7cc9ffba174a186cb19fe75700beaeea7e9319e12a91ff2b2b8c8b12cd04daaa6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RES4E4F.tmp
        Filesize

        1KB

        MD5

        ae76b31102e7148b177832df3459c814

        SHA1

        d63a3563fe5699f4fcb4d93446f34734045268bc

        SHA256

        c3754e1ed858e926ffc71dcecc8be493d7286e3064429fe9e5c05ea9fedec1b1

        SHA512

        6aa01c7fa8aa816762b90c4b7b04c029ea8da082c5751e5fe888ec34ba15a87c6d6f9ba7b2372f0362bb3217901aa840a83a592e3f7e4cfb0a3c797b83c60f27

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oho444ji.q01.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\b4uevyzm\b4uevyzm.0.cs
        Filesize

        361B

        MD5

        52c0aa5ad85d3edf3af714ff92d77510

        SHA1

        006f533286e7d0abcef8cfe710f0daed448ed01f

        SHA256

        0914f78627eb9e2493f070293a79ea6db55e0172790b9f5c027f85170d513f1e

        SHA512

        b66039a48eabfb518178c347011b498fd9494adc7f1a743c84659ecbbfcacaa132fb979edfcae72a264e29a862a71713f4375ebddaaa92ad096acb60a1a92e2a

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\b4uevyzm\b4uevyzm.cmdline
        Filesize

        235B

        MD5

        0f4e1b72ff46c54ca8b95769a85b8631

        SHA1

        8f4b552cce1761dc5ea6670ddb3aad97ed947a86

        SHA256

        c51674bd3d1ccbc3b3cbd5a6258e1053a60df59f307f0226c04a169cb63c0e0f

        SHA512

        3652aafdcd3983f9294eef04daac15123569579ea8fab8546824f5b00e65e66e436dbdb2dc092352e3c4a543ae0a89f8ddcf584b4bc5b4e2c152a15fd3707aca

        Download Submit

      • \??\c:\Windows\System32\CSCA820CBC9890146549C221424815EFE4D.TMP
        Filesize

        1KB

        MD5

        c39f312a5cba8a420c1a93bbab328edc

        SHA1

        20dabcad44082ed54949c50dd2e8a4178a046340

        SHA256

        2077b880e475632b0638001558cbdff81982b820fcfd7bcde8d688730f432e9e

        SHA512

        8818d4fe55a0ee022100fa73b6a2248c35ab775cf14292353f3d1a0c3c3f91021b00c56c7787184373aaf595b4833b1963fe9814e85b65cba6c989bbe2d29038

        Download Submit

      • memory/4040-34-0x00007FF93B9E0000-0x00007FF93C4A1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4040-14-0x000000001B200000-0x000000001B20E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4040-21-0x00007FF93B9E0000-0x00007FF93C4A1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4040-23-0x00007FF93B9E0000-0x00007FF93C4A1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4040-17-0x000000001B210000-0x000000001B218000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4040-0-0x00007FF93B9E3000-0x00007FF93B9E5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4040-35-0x00007FF93B9E0000-0x00007FF93C4A1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4040-36-0x00007FF93B9E0000-0x00007FF93C4A1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4040-40-0x00007FF93B9E0000-0x00007FF93C4A1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4040-18-0x00007FF93B9E0000-0x00007FF93C4A1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4040-10-0x000000001B5D0000-0x000000001B620000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4040-20-0x000000001B260000-0x000000001B26C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/4040-15-0x00007FF93B9E0000-0x00007FF93C4A1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4040-55-0x00007FF93B9E0000-0x00007FF93C4A1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4040-1-0x0000000000400000-0x00000000005EA000-memory.dmp

        Filesize

        1.9MB

        Download

      • memory/4040-12-0x000000001B240000-0x000000001B258000-memory.dmp

        Filesize

        96KB

        Download

      • memory/4040-9-0x000000001B220000-0x000000001B23C000-memory.dmp

        Filesize

        112KB

        Download

      • memory/4040-7-0x00007FF93B9E0000-0x00007FF93C4A1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4040-6-0x000000001B060000-0x000000001B06E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4040-4-0x00007FF93B9E0000-0x00007FF93C4A1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4040-3-0x00007FF93B9E0000-0x00007FF93C4A1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4040-2-0x00007FF93B9E0000-0x00007FF93C4A1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4828-56-0x000001EEC42A0000-0x000001EEC42C2000-memory.dmp

        Filesize

        136KB

        Download