Overview

overview

10

Static

static

10

d5d17c328f...8a.exe

windows7-x64

10

d5d17c328f...8a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    129s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-05-2024 08:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe

  • Size

    1.9MB

  • MD5

    1d61e62339d38ca2a129710265c26a89

  • SHA1

    185c34e0d555ac3fdf7fefd1732409e65b6aedaf

  • SHA256

    d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a

  • SHA512

    0b8a081cadf7f8edb64ef2293a0f6df02526904082ae282888dbec5497874ed1e4435f8e61751720345d155a452ba0d55fdd3b1dac66ed8e6e6887e2e6a62f9b

  • SSDEEP

    49152:RSRQ8nF3T6S2cvvSiHWxuvF3VPL5/zKAG:RS+AlTK/G9VPBe

Score
10/10
zgratexecutionpersistenceratspywarestealer

Malware Config

Signatures

  • Detect ZGRat V1 2 IoCs
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
    persistence
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 9 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
    "C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks computer location settings
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4924
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\utdo2mok\utdo2mok.cmdline"
      2⤵
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:1200
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF09A.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC21A2CD3B4268444EAE253384FE9B0E7.TMP"
        3⤵
          PID:2632
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ouu42bpv\ouu42bpv.cmdline"
        2⤵
        • Drops file in System32 directory
        • Suspicious use of WriteProcessMemory
        PID:4404
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF107.tmp" "c:\Windows\System32\CSCA09DAC8CC6AA49DDA5763341A02982CF.TMP"
          3⤵
            PID:4588
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:2888
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:4816
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:1064
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:3024
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:1576
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:4856
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:4844
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:3668
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:3948
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:4840
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:4684
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\backgroundTaskHost.exe'
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:2768
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\dwm.exe'
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:920
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe'
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:1248
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellExperiences\services.exe'
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:4028
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\Registry.exe'
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:4244
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe'
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of AdjustPrivilegeToken
          PID:4460
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\A0BkazGqVh.bat"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4716
          • C:\Windows\system32\chcp.com
            chcp 65001
            3⤵
              PID:6068
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              3⤵
                PID:5616
              • C:\Program Files\7-Zip\Lang\dwm.exe
                "C:\Program Files\7-Zip\Lang\dwm.exe"
                3⤵
                • Executes dropped EXE
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                PID:6080
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\backgroundTaskHost.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4636
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\backgroundTaskHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4860
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\backgroundTaskHost.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4068
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:5068
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2900
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4248
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8ad" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:396
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:2156
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8ad" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3728
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\ShellExperiences\services.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3460
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\services.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3624
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\ShellExperiences\services.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3652
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\Registry.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3516
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\Registry.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1936
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\Registry.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:1796
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8ad" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe'" /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:3408
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:636
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8ad" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe'" /rl HIGHEST /f
            1⤵
            • Process spawned unexpected child process
            • Creates scheduled task(s)
            PID:4400
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4016,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=4456 /prefetch:8
            1⤵
            • Executes dropped EXE
            PID:5372

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Filesize

            4KB

            MD5

            1bd78f0a0af82769f6fc1c996573538f

            SHA1

            639f1d920d25381f5f230f50c8f73e918ab6bb6a

            SHA256

            e11149b8c7f71fbea49edde0d7ab6900b5e1db6a3250748cdd9b13200b88794b

            SHA512

            5fbba7e148730ac2bd63a086f167f93f246ccddbfdd03269182eb5e20b1494fe266fb2a84a3d40d19913242ffacace8ed7979f207b49ee09be265d42caa27424

            Download Submit

          • C:\Program Files\Windows NT\Accessories\backgroundTaskHost.exe
            Filesize

            1.9MB

            MD5

            1d61e62339d38ca2a129710265c26a89

            SHA1

            185c34e0d555ac3fdf7fefd1732409e65b6aedaf

            SHA256

            d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a

            SHA512

            0b8a081cadf7f8edb64ef2293a0f6df02526904082ae282888dbec5497874ed1e4435f8e61751720345d155a452ba0d55fdd3b1dac66ed8e6e6887e2e6a62f9b

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
            Filesize

            2KB

            MD5

            d85ba6ff808d9e5444a4b369f5bc2730

            SHA1

            31aa9d96590fff6981b315e0b391b575e4c0804a

            SHA256

            84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

            SHA512

            8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            d28a889fd956d5cb3accfbaf1143eb6f

            SHA1

            157ba54b365341f8ff06707d996b3635da8446f7

            SHA256

            21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

            SHA512

            0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            6c47b3f4e68eebd47e9332eebfd2dd4e

            SHA1

            67f0b143336d7db7b281ed3de5e877fa87261834

            SHA256

            8c48b1f2338e5b24094821f41121d2221f1cb3200338f46df49f64d1c4bc3e0c

            SHA512

            0acf302a9fc971ef9df65ed42c47ea17828e54dff685f4434f360556fd27cdc26a75069f00dcdc14ba174893c6fd7a2cfd8c6c07be3ce35dafee0a006914eaca

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            bd5940f08d0be56e65e5f2aaf47c538e

            SHA1

            d7e31b87866e5e383ab5499da64aba50f03e8443

            SHA256

            2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

            SHA512

            c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            cadef9abd087803c630df65264a6c81c

            SHA1

            babbf3636c347c8727c35f3eef2ee643dbcc4bd2

            SHA256

            cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

            SHA512

            7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            59d97011e091004eaffb9816aa0b9abd

            SHA1

            1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

            SHA256

            18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

            SHA512

            d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            3a6bad9528f8e23fb5c77fbd81fa28e8

            SHA1

            f127317c3bc6407f536c0f0600dcbcf1aabfba36

            SHA256

            986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

            SHA512

            846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\A0BkazGqVh.bat
            Filesize

            211B

            MD5

            d8ffe0dfa9a1e2c7b24afc89dcdbfc42

            SHA1

            c43d2c8bf4fc94b48df4d846ee4017b4274fdab6

            SHA256

            91a0204666218de7c3a9391927cc45f64e1fbec86f9b0919bf339ec5091e4faa

            SHA512

            72a5b3ac0bf13ad43f182049e18ea797c1d4bdfe6ec257e4746eb43725af91c96b6e0de42cca944b90f10433d537a6d98ba53cbef4c3041baf1ab38ffc2d1a60

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\RESF09A.tmp
            Filesize

            1KB

            MD5

            5f0a4d757269048af60bdb7054568d5e

            SHA1

            0e8f815bde12d82528c3aa35fcb195eace4a395e

            SHA256

            0e7104239bea483b76e44a9f9b3f50cab920ac777e248ae68056f6a6452e8b62

            SHA512

            8426bc715ae4be121044cda5cb9c41406167fc850066e6e57f8ca39cb27b792588d7c9b842acbcce75a34416ae20bcb6f0ba465f53f561a7d52f89c18033ab11

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\RESF107.tmp
            Filesize

            1KB

            MD5

            ed70c8b4e225b3da41f58fc37c256c1c

            SHA1

            2df462f4482ae45f9d2f13ffe1e8563634c333ce

            SHA256

            9907cac8700cc60788493241fcc72f0754860372396c69ccf97b872754d20a16

            SHA512

            edeca50d97791acbe28fe069c086c2e35dd52d19203e00bfc5ebc36ed4607f52f314fc27c7d5100f4ebc1de569a61e30c711bcc274620d836888af858eea5114

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eym1l5c4.xwf.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • \??\c:\Program Files (x86)\Microsoft\Edge\Application\CSC21A2CD3B4268444EAE253384FE9B0E7.TMP
            Filesize

            1KB

            MD5

            b5189fb271be514bec128e0d0809c04e

            SHA1

            5dd625d27ed30fca234ec097ad66f6c13a7edcbe

            SHA256

            e1984ba1e3ff8b071f7a320a6f1f18e1d5f4f337d31dc30d5bdfb021df39060f

            SHA512

            f0fcb8f97279579beb59f58ea89527ee0d86a64c9de28300f14460bec6c32dda72f0e6466573b6654a1e992421d6fe81ae7cce50f27059f54cf9fdca6953602e

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\ouu42bpv\ouu42bpv.0.cs
            Filesize

            394B

            MD5

            5006f84a007ef910f7b177140b92c459

            SHA1

            e7c759424f8136b134119eb816e024db63b1e61b

            SHA256

            6860aa6d2a222628b151063a1d860653c9946a9181ee9bbd0429425e538a13ce

            SHA512

            0e512b523e3844a455f966f561475a3453da33ebf8f4da2bd55b17db25a5561248e5344f9f50ff178a8a8ceeb15627934e9b47bc2f36d575ef15481da76fc602

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\ouu42bpv\ouu42bpv.cmdline
            Filesize

            235B

            MD5

            e0d2da3193f1192fd7ae3859651856bb

            SHA1

            227e0f13d1e9537008f1b3b7bff861ab924f7a1c

            SHA256

            7682c5908781a4d0df630ccf37e55b74ece21bc8e52432d62040b8de431f89f8

            SHA512

            bbbc9942be77a540e8c0bd710e6e92ae8ab14b8bafc74c612a9b58606e5739f78ba3e86a100a98514718da50c8b5428239f680a3001c3735d709e747569d3950

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\utdo2mok\utdo2mok.0.cs
            Filesize

            424B

            MD5

            26288caec42fbc99b21b59b0ee75a248

            SHA1

            5c4eb0b637933643e4cf7658fa432bd54f8405fd

            SHA256

            3046aa03c92c5e6f30ebb2c65c81178f66ee3b22d6584c99dc0cee22d20b5969

            SHA512

            2766d63710e714b0cc31d0b93b8ae97fa4adc43900bc56a99fbdcf14a09b08fdccd694580845f1fedd526d4f5627dd169f08fb9795292ecadaa02dfdeb2bc1d4

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\utdo2mok\utdo2mok.cmdline
            Filesize

            265B

            MD5

            0fc1ec48c35d83c61aa2bee098da0a1c

            SHA1

            bc9de30af0cd1f95fb2a4494559fac30a081cae3

            SHA256

            c8897fb9080489767559aeb96ab43858971fe8b641369f5a6542670a56065721

            SHA512

            741ff9194570bf1477916e00b8bd3a04639ecd63dcf92a78e6ff98fb72277ab93e2673884779e34c780d567484cec77d055d0341e6bdc4945316dc9266b27f5e

            Download Submit

          • \??\c:\Windows\System32\CSCA09DAC8CC6AA49DDA5763341A02982CF.TMP
            Filesize

            1KB

            MD5

            01dc60b32f9121b11b30ff8d8e3ed9bd

            SHA1

            d4c7beabbb4b96239ff85348a9cd1957a10c27ab

            SHA256

            bbedf7b9680a97b0ebd09540310951791296334e7d8a3056b73ad564c55556ea

            SHA512

            0bc2dfe0549f8f0fc70c68df1fc61abf21f0c05954220ab1df7375d15f9a4d332cdccb5aefdef705a88f801c9e5e792815287f27674263db7dcb6a2f086429be

            Download Submit

          • memory/4856-61-0x000001666C700000-0x000001666C722000-memory.dmp

            Filesize

            136KB

            Download

          • memory/4924-60-0x00007FF8AE5C0000-0x00007FF8AF081000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4924-13-0x000000001B230000-0x000000001B23E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/4924-0-0x00007FF8AE5C3000-0x00007FF8AE5C5000-memory.dmp

            Filesize

            8KB

            Download

          • memory/4924-15-0x000000001B240000-0x000000001B24C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/4924-19-0x00007FF8AE5C0000-0x00007FF8AF081000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4924-30-0x00007FF8AE5C0000-0x00007FF8AF081000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4924-16-0x00007FF8AE5C0000-0x00007FF8AF081000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4924-17-0x00007FF8AE5C0000-0x00007FF8AF081000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4924-11-0x000000001B3D0000-0x000000001B3E8000-memory.dmp

            Filesize

            96KB

            Download

          • memory/4924-9-0x000000001B760000-0x000000001B7B0000-memory.dmp

            Filesize

            320KB

            Download

          • memory/4924-8-0x000000001B3B0000-0x000000001B3CC000-memory.dmp

            Filesize

            112KB

            Download

          • memory/4924-6-0x00007FF8AE5C0000-0x00007FF8AF081000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4924-5-0x000000001B220000-0x000000001B22E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/4924-3-0x00007FF8AE5C0000-0x00007FF8AF081000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4924-2-0x00007FF8AE5C0000-0x00007FF8AF081000-memory.dmp

            Filesize

            10.8MB

            Download

          • memory/4924-1-0x0000000000580000-0x0000000000766000-memory.dmp

            Filesize

            1.9MB

            Download