Overview

overview

10

Static

static

10

1D61E62339...89.exe

windows7-x64

10

1D61E62339...89.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 11:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1D61E62339D38CA2A129710265C26A89.exe

  • Size

    1.9MB

  • MD5

    1d61e62339d38ca2a129710265c26a89

  • SHA1

    185c34e0d555ac3fdf7fefd1732409e65b6aedaf

  • SHA256

    d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a

  • SHA512

    0b8a081cadf7f8edb64ef2293a0f6df02526904082ae282888dbec5497874ed1e4435f8e61751720345d155a452ba0d55fdd3b1dac66ed8e6e6887e2e6a62f9b

  • SSDEEP

    49152:RSRQ8nF3T6S2cvvSiHWxuvF3VPL5/zKAG:RS+AlTK/G9VPBe

Score
10/10
zgratexecutionpersistenceratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 2 IoCs
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe
    "C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3192
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4teyiwdn\4teyiwdn.cmdline"
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4560
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3EBE.tmp" "c:\Windows\System32\CSC244E8E2C8ED347779993E9DAD0E29C26.TMP"
        3⤵
          PID:4808
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3152
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2132
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4292
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:5040
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2916
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4376
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2056
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3804
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2700
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4968
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3180
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\sysmon.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4240
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4052
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\csrss.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4004
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\sihost.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:4588
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\smss.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:3236
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe'
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious use of AdjustPrivilegeToken
        PID:2424
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rxl6rc7r3I.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4828
        • C:\Windows\system32\chcp.com
          chcp 65001
          3⤵
            PID:6000
          • C:\Windows\system32\w32tm.exe
            w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
            3⤵
              PID:5220
            • C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\sihost.exe
              "C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\sihost.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:6016
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\sysmon.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1628
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\sysmon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4172
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\sysmon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2140
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:944
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4028
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3412
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\csrss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3640
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3568
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\csrss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3644
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\sihost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3572
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\sihost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2680
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\microsoft shared\MSInfo\uk-UA\sihost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3308
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\smss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1056
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1084
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:4944
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "1D61E62339D38CA2A129710265C26A891" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3120
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "1D61E62339D38CA2A129710265C26A89" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:436
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "1D61E62339D38CA2A129710265C26A891" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\1D61E62339D38CA2A129710265C26A89.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:5000

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Windows Mail\sysmon.exe
          Filesize

          1.9MB

          MD5

          1d61e62339d38ca2a129710265c26a89

          SHA1

          185c34e0d555ac3fdf7fefd1732409e65b6aedaf

          SHA256

          d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a

          SHA512

          0b8a081cadf7f8edb64ef2293a0f6df02526904082ae282888dbec5497874ed1e4435f8e61751720345d155a452ba0d55fdd3b1dac66ed8e6e6887e2e6a62f9b

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
          Filesize

          2KB

          MD5

          d85ba6ff808d9e5444a4b369f5bc2730

          SHA1

          31aa9d96590fff6981b315e0b391b575e4c0804a

          SHA256

          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

          SHA512

          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          d28a889fd956d5cb3accfbaf1143eb6f

          SHA1

          157ba54b365341f8ff06707d996b3635da8446f7

          SHA256

          21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

          SHA512

          0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          6c47b3f4e68eebd47e9332eebfd2dd4e

          SHA1

          67f0b143336d7db7b281ed3de5e877fa87261834

          SHA256

          8c48b1f2338e5b24094821f41121d2221f1cb3200338f46df49f64d1c4bc3e0c

          SHA512

          0acf302a9fc971ef9df65ed42c47ea17828e54dff685f4434f360556fd27cdc26a75069f00dcdc14ba174893c6fd7a2cfd8c6c07be3ce35dafee0a006914eaca

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          28d4235aa2e6d782751f980ceb6e5021

          SHA1

          f5d82d56acd642b9fc4b963f684fd6b78f25a140

          SHA256

          8c66720f953e82cfbd8f00543c42c0cf77c3d97787ec09cb3e1e2ba5819bd638

          SHA512

          dba1bd6600f5affcfdc33a59e7ac853ee5fdfafb8d1407a1768728bd4f66ef6b49437214716b7e33e3de91d7ce95709050a3dab4354dd62acaf1de28107017a2

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          e243a38635ff9a06c87c2a61a2200656

          SHA1

          ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

          SHA256

          af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

          SHA512

          4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          e448fe0d240184c6597a31d3be2ced58

          SHA1

          372b8d8c19246d3e38cd3ba123cc0f56070f03cd

          SHA256

          c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

          SHA512

          0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          aaaac7c68d2b7997ed502c26fd9f65c2

          SHA1

          7c5a3731300d672bf53c43e2f9e951c745f7fbdf

          SHA256

          8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

          SHA512

          c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          5f0ddc7f3691c81ee14d17b419ba220d

          SHA1

          f0ef5fde8bab9d17c0b47137e014c91be888ee53

          SHA256

          a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

          SHA512

          2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          Filesize

          944B

          MD5

          e8ce785f8ccc6d202d56fefc59764945

          SHA1

          ca032c62ddc5e0f26d84eff9895eb87f14e15960

          SHA256

          d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

          SHA512

          66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RES3EBE.tmp
          Filesize

          1KB

          MD5

          f9ad91cad5e216a7066406f2f0184326

          SHA1

          9ea17f3d52943ae098e45cb88918901f000d3bce

          SHA256

          e7ce531dcc62d9ce391a78d9fc67a7a438132481989b668b5a9936f263d57db8

          SHA512

          686fa3cd107c1d14a9f7feb129cee2d422490f42bc84f52c8a751f8ae016ae6e73cf77a2dbd79485d3a4660ec63024c9b0aa50b0a2e8026c1145eebd8e0f880c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qmse2ayc.5ns.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\rxl6rc7r3I.bat
          Filesize

          246B

          MD5

          00f77851b39ca6f946191532cdfca479

          SHA1

          1bfd82378ac76e7bb79e102c63d18ca61b61aac7

          SHA256

          d2db49d4b726bfba693cecea24cd79cf7fb5ac6867aa14278c0b10671500ba0b

          SHA512

          534bd5f6203ca10c8925100ad5655567927a949dd2bff4b5c78baf5471e08fc69e8d55788ac5755af59ed1fcb1548d72490093000d440f90c1739ec22a24d895

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\4teyiwdn\4teyiwdn.0.cs
          Filesize

          378B

          MD5

          834ce75afb92b61b41a55c9a78d6593d

          SHA1

          8a896ca8410431715180439c80c79da16565c7e9

          SHA256

          10a5a6bec248364bd975db43b8c7d9718e07922f9357ebd43e8cec6214c51294

          SHA512

          c4206b1a33d8475f7fc25e5afabd6c24c64e757597efec75aa32b5d29914b7eecd19ca401d3b999574820a63dfdd2d6a098051b0fa420b2fffcf4e5cd674d31d

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\4teyiwdn\4teyiwdn.cmdline
          Filesize

          235B

          MD5

          be9074070df4b2f40a7bdff3c2adc7fc

          SHA1

          845890f030fa71144ba22fa037c22e75a0bbfdca

          SHA256

          ce3b84a3a680ca3fb0f08188e588e470513563ca0020ac65e8d7dc59e1d2b12a

          SHA512

          e4cbb3f6409c8e4430593e1f78a15046108c4f5ca2db6f548d225807fa8624e017e0478b51c527ac69092e69d7624949d249fcfce528607094745c05f4135a9e

          Download Submit

        • \??\c:\Windows\System32\CSC244E8E2C8ED347779993E9DAD0E29C26.TMP
          Filesize

          1KB

          MD5

          1698af2b79b4ffd499309c965169ae30

          SHA1

          e54beb6e91f1272ec2989800895d6e1d8a6332b4

          SHA256

          98b74452ccce9477030c647d3a662619a85f9160e1a2b35e7ad9c08021035d9e

          SHA512

          b52057d6526f676e61ab07f7c25d2ff4fe969e7462d037fdc757a62ac6e91ed55df485cc28c135799378c90f257aec1767b43e3bf328a0340c63e678d781a8f0

          Download Submit

        • memory/2424-58-0x0000019E80030000-0x0000019E80052000-memory.dmp

          Filesize

          136KB

          Download

        • memory/3192-28-0x00007FFB5AE70000-0x00007FFB5B931000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3192-8-0x000000001B590000-0x000000001B5AC000-memory.dmp

          Filesize

          112KB

          Download

        • memory/3192-32-0x00007FFB5AE70000-0x00007FFB5B931000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3192-31-0x00007FFB5AE70000-0x00007FFB5B931000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3192-37-0x00007FFB5AE70000-0x00007FFB5B931000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3192-33-0x00007FFB5AE70000-0x00007FFB5B931000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3192-15-0x00007FFB5AE70000-0x00007FFB5B931000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3192-12-0x000000001B9C0000-0x000000001B9D8000-memory.dmp

          Filesize

          96KB

          Download

        • memory/3192-10-0x000000001BA10000-0x000000001BA60000-memory.dmp

          Filesize

          320KB

          Download

        • memory/3192-52-0x00007FFB5AE70000-0x00007FFB5B931000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3192-6-0x0000000001250000-0x000000000125E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/3192-1-0x0000000000770000-0x0000000000956000-memory.dmp

          Filesize

          1.9MB

          Download

        • memory/3192-18-0x00007FFB5AE70000-0x00007FFB5B931000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3192-17-0x000000001B580000-0x000000001B58C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/3192-14-0x000000001B570000-0x000000001B57E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/3192-9-0x00007FFB5AE70000-0x00007FFB5B931000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3192-4-0x00007FFB5AE70000-0x00007FFB5B931000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3192-3-0x00007FFB5AE70000-0x00007FFB5B931000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3192-2-0x00007FFB5AE70000-0x00007FFB5B931000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3192-0-0x00007FFB5AE73000-0x00007FFB5AE75000-memory.dmp

          Filesize

          8KB

          Download