ea8779bb436427af92289d75ee7510e1784bf6772729091abcc350cdf773058c

Resubmissions

22/09/2024, 09:23

240922-lcmh6ssclm 9

21/09/2024, 08:10

21/09/2024, 07:38

28/07/2024, 17:11

18/06/2024, 14:08

Analysis

max time kernel
148s
max time network
135s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WZAgent.exe
Size

26.2MB
MD5

4cf978f2749291d8d9a722cf8bd9d9ea
SHA1

2580a9be8bc6994987cc4951a4690efd7077ea92
SHA256

ea8779bb436427af92289d75ee7510e1784bf6772729091abcc350cdf773058c
SHA512

d1ba2ea6a06cf5241bd26319b7bd2da7cb3ca0453496703fa66413cc56edf9893414a970dfb67451cfb85ef735305986958ba852287b3dc63b7cf28ab351d61d
SSDEEP

786432:Ov1EWULlsocwpd3XHEquH6rdEePFG/7vG43EY6:Ov1EWusor8j6r714

Score

9^/10

agilenet discovery evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WZAgent.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	WZAgent.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WZAgent.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WZAgent.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WZAgent.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WZAgent.exe

Executes dropped EXE 2 IoCs

pid	Process
2560	ZipExtractor.exe
588	WZAgent.exe

Loads dropped DLL 3 IoCs

pid	Process
2288	WZAgent.exe
2560	ZipExtractor.exe
588	WZAgent.exe

Obfuscated with Agile.Net obfuscator 5 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/2288-5-0x0000000000400000-0x0000000002606000-memory.dmp	agile_net
behavioral1/memory/2288-6-0x0000000000400000-0x0000000002606000-memory.dmp	agile_net
behavioral1/memory/2288-45-0x0000000000400000-0x0000000002606000-memory.dmp	agile_net
behavioral1/memory/588-58-0x0000000000400000-0x00000000027EC000-memory.dmp	agile_net
behavioral1/memory/588-59-0x0000000000400000-0x00000000027EC000-memory.dmp	agile_net

Themida packer 18 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2288-5-0x0000000000400000-0x0000000002606000-memory.dmp	themida
behavioral1/memory/2288-6-0x0000000000400000-0x0000000002606000-memory.dmp	themida
behavioral1/files/0x0035000000016c3d-13.dat	themida
behavioral1/memory/2288-14-0x000007FEEDF50000-0x000007FEEEA79000-memory.dmp	themida
behavioral1/memory/2288-17-0x000007FEEDF50000-0x000007FEEEA79000-memory.dmp	themida
behavioral1/memory/2288-43-0x000007FEEDF50000-0x000007FEEEA79000-memory.dmp	themida
behavioral1/memory/2288-45-0x0000000000400000-0x0000000002606000-memory.dmp	themida
behavioral1/files/0x000c000000016c4e-50.dat	themida
behavioral1/memory/588-58-0x0000000000400000-0x00000000027EC000-memory.dmp	themida
behavioral1/memory/588-59-0x0000000000400000-0x00000000027EC000-memory.dmp	themida
behavioral1/memory/588-67-0x000007FEEDF50000-0x000007FEEEA79000-memory.dmp	themida
behavioral1/memory/588-80-0x000007FEEDF50000-0x000007FEEEA79000-memory.dmp	themida
behavioral1/memory/588-84-0x000007FEEDF50000-0x000007FEEEA79000-memory.dmp	themida
behavioral1/memory/588-86-0x000007FEEDF50000-0x000007FEEEA79000-memory.dmp	themida
behavioral1/memory/588-94-0x000007FEEDF50000-0x000007FEEEA79000-memory.dmp	themida
behavioral1/memory/588-98-0x000007FEEDF50000-0x000007FEEEA79000-memory.dmp	themida
behavioral1/memory/588-100-0x000007FEEDF50000-0x000007FEEEA79000-memory.dmp	themida
behavioral1/memory/588-239-0x000007FEEDF50000-0x000007FEEEA79000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WZAgent.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WZAgent.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2288	WZAgent.exe
2288	WZAgent.exe
588	WZAgent.exe
588	WZAgent.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2288	WZAgent.exe
2288	WZAgent.exe
2560	ZipExtractor.exe
2088	chrome.exe
2088	chrome.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2288	WZAgent.exe
Token: SeDebugPrivilege	2560	ZipExtractor.exe
Token: SeDebugPrivilege	588	WZAgent.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2560	2288	WZAgent.exe	30
PID 2288 wrote to memory of 2560	2288	WZAgent.exe	30
PID 2288 wrote to memory of 2560	2288	WZAgent.exe	30
PID 2560 wrote to memory of 588	2560	ZipExtractor.exe	31
PID 2560 wrote to memory of 588	2560	ZipExtractor.exe	31
PID 2560 wrote to memory of 588	2560	ZipExtractor.exe	31
PID 2088 wrote to memory of 1204	2088	chrome.exe	34
PID 2088 wrote to memory of 1204	2088	chrome.exe	34
PID 2088 wrote to memory of 1204	2088	chrome.exe	34
PID 2088 wrote to memory of 1784	2088	chrome.exe	36
PID 2088 wrote to memory of 1784	2088	chrome.exe	36
PID 2088 wrote to memory of 1784	2088	chrome.exe	36
PID 2088 wrote to memory of 1784	2088	chrome.exe	36
PID 2088 wrote to memory of 1784	2088	chrome.exe	36
PID 2088 wrote to memory of 1784	2088	chrome.exe	36
PID 2088 wrote to memory of 1784	2088	chrome.exe	36
PID 2088 wrote to memory of 1784	2088	chrome.exe	36
PID 2088 wrote to memory of 1784	2088	chrome.exe	36
PID 2088 wrote to memory of 1784	2088	chrome.exe	36
PID 2088 wrote to memory of 1784	2088	chrome.exe	36
PID 2088 wrote to memory of 1784	2088	chrome.exe	36
PID 2088 wrote to memory of 1784	2088	chrome.exe	36
PID 2088 wrote to memory of 1784	2088	chrome.exe	36
PID 2088 wrote to memory of 1784	2088	chrome.exe	36
PID 2088 wrote to memory of 1784	2088	chrome.exe	36
PID 2088 wrote to memory of 1784	2088	chrome.exe	36
PID 2088 wrote to memory of 1784	2088	chrome.exe	36
PID 2088 wrote to memory of 1784	2088	chrome.exe	36
PID 2088 wrote to memory of 1784	2088	chrome.exe	36
PID 2088 wrote to memory of 1784	2088	chrome.exe	36
PID 2088 wrote to memory of 1784	2088	chrome.exe	36
PID 2088 wrote to memory of 1784	2088	chrome.exe	36
PID 2088 wrote to memory of 1784	2088	chrome.exe	36
PID 2088 wrote to memory of 1784	2088	chrome.exe	36
PID 2088 wrote to memory of 1784	2088	chrome.exe	36
PID 2088 wrote to memory of 1784	2088	chrome.exe	36
PID 2088 wrote to memory of 1784	2088	chrome.exe	36
PID 2088 wrote to memory of 1784	2088	chrome.exe	36
PID 2088 wrote to memory of 1784	2088	chrome.exe	36
PID 2088 wrote to memory of 1784	2088	chrome.exe	36
PID 2088 wrote to memory of 1784	2088	chrome.exe	36
PID 2088 wrote to memory of 1784	2088	chrome.exe	36
PID 2088 wrote to memory of 1784	2088	chrome.exe	36
PID 2088 wrote to memory of 1784	2088	chrome.exe	36
PID 2088 wrote to memory of 1784	2088	chrome.exe	36
PID 2088 wrote to memory of 1784	2088	chrome.exe	36
PID 2088 wrote to memory of 1784	2088	chrome.exe	36
PID 2088 wrote to memory of 1784	2088	chrome.exe	36
PID 2088 wrote to memory of 448	2088	chrome.exe	37
PID 2088 wrote to memory of 448	2088	chrome.exe	37
PID 2088 wrote to memory of 448	2088	chrome.exe	37
PID 2088 wrote to memory of 1892	2088	chrome.exe	38
PID 2088 wrote to memory of 1892	2088	chrome.exe	38
PID 2088 wrote to memory of 1892	2088	chrome.exe	38
PID 2088 wrote to memory of 1892	2088	chrome.exe	38
PID 2088 wrote to memory of 1892	2088	chrome.exe	38
PID 2088 wrote to memory of 1892	2088	chrome.exe	38
PID 2088 wrote to memory of 1892	2088	chrome.exe	38
PID 2088 wrote to memory of 1892	2088	chrome.exe	38
PID 2088 wrote to memory of 1892	2088	chrome.exe	38
PID 2088 wrote to memory of 1892	2088	chrome.exe	38
PID 2088 wrote to memory of 1892	2088	chrome.exe	38
PID 2088 wrote to memory of 1892	2088	chrome.exe	38
PID 2088 wrote to memory of 1892	2088	chrome.exe	38

C:\Users\Admin\AppData\Local\Temp\WZAgent.exe
"C:\Users\Admin\AppData\Local\Temp\WZAgent.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Users\Admin\AppData\Local\Temp\ZipExtractor.exe
  "C:\Users\Admin\AppData\Local\Temp\ZipExtractor.exe" --input C:\Users\Admin\AppData\Local\Temp\WZAgent.zip --output C:\Users\Admin\AppData\Local\Temp --current-exe C:\Users\Admin\AppData\Local\Temp\WZAgent.exe --updated-exe WZAgent.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2560
- - C:\Users\Admin\AppData\Local\Temp\WZAgent.exe
    "C:\Users\Admin\AppData\Local\Temp\WZAgent.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    PID:588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef57e9758,0x7fef57e9768,0x7fef57e9778
  2⤵
  PID:1204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=1288,i,6514054172490452407,2683596228284745400,131072 /prefetch:2
  2⤵
  PID:1784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1288,i,6514054172490452407,2683596228284745400,131072 /prefetch:8
  2⤵
  PID:448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1612 --field-trial-handle=1288,i,6514054172490452407,2683596228284745400,131072 /prefetch:8
  2⤵
  PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1608 --field-trial-handle=1288,i,6514054172490452407,2683596228284745400,131072 /prefetch:1
  2⤵
  PID:1236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2284 --field-trial-handle=1288,i,6514054172490452407,2683596228284745400,131072 /prefetch:1
  2⤵
  PID:660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1316 --field-trial-handle=1288,i,6514054172490452407,2683596228284745400,131072 /prefetch:2
  2⤵
  PID:2736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3228 --field-trial-handle=1288,i,6514054172490452407,2683596228284745400,131072 /prefetch:1
  2⤵
  PID:2688

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba8be3fca96a397a34c9f9b2bbb623ac

SHA1
cdd9969a42782a0d0631c3beb2bab57b88fa2a23

SHA256
97cda5f7b181d4c377ae36d12e011db6415ca0545c6ce7b9ba3a4eb51fd717ec

SHA512
ca6fdb58dfb7706e5510311748f4c7e5d2558d80444edc8b95ff208f178716a57b2474494f6975f4c2791cd9a3b67fa091810380adc733fc80fc964093c46103

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\3dd37ba0-8bcc-4b4c-a868-641dc9b0dac6.tmp

Filesize
341KB

MD5
5e5677e4906e1159d6473f3257e38542

SHA1
87c6761c4687a878c1f923efc5291e137468bf32

SHA256
8daeaf6b08c590b6f43efb399b1443b7cafbd6607e52d9840fa5a694fb531e05

SHA512
1ac276652e8744ed196590b4f2f68c6b478cc0dec7076e8b28a5e03bd92ad13f16453869f23bffa0473b738f170cc2aa07b77fb7e71a28c739db4287bcf1a52e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\883e7960-a7ed-4b7f-b414-8446eabbb7d5\AgileDotNetRT64.dll

Filesize
4.0MB

MD5
8e839b26c5efed6f41d6e854e5e97f5b

SHA1
5cb71374f72bf6a63ff65a6cda57ff66c3e54836

SHA256
1f2489fcd11f85db723f977f068988e81ed28581a4aec352ba4a2dc31419a011

SHA512
92446d7c2ccf41408d0a6be604b9aba3050192b40be887c2cee8f9aea0bd855503d6b827a8bdd554addd8d7c8ec947033f49060db493f756c3b2b70c04a17093

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7F8C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZAgent.zip

Filesize
28.1MB

MD5
7908d2ae983310b8d30bd332c00189b4

SHA1
874b30d386ba1f6644ff1287e2eeb782d9a9e759

SHA256
15d8b52eb4181b1c4ab1b2ba78898f9eb50de78d1c22d5d6281cb07e6f6f91b8

SHA512
a6f9d4dd82c97afc6238c9408fa9c27dcaffca36f5dbf60efd8a32918a0e2ff42eb21fe0feb2c5de480bd8a9996d4ba21a9e47643faea0c41de3277a4d8d4b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZipExtractor.exe

Filesize
99KB

MD5
6c8a405b8243837682378cfbefa92001

SHA1
21a120c6fcca8aff536cb896586131376497bc86

SHA256
a76c4d20c78a6b0e563567a215e14a05525c316bf4eb92e7d11de7e24ae0b7c2

SHA512
12a75d7c4f9af4209a673c994609a15f464368e24eb61e8251a3f8c32a371825809f8197ea47428a150bc0c8ca7b5278c88c63cf9c20a7e60a95f4f98eea3de7

Download Submit
\Users\Admin\AppData\Local\Temp\WZAgent.exe

Filesize
28.3MB

MD5
1b31864d1dd63f9ebb768da2cd340e9c

SHA1
2d56fff3f73bc880e614467341fdeab9474ffae7

SHA256
4b91eb1c4d27fee6d634c73e0d550024c144ca8eff9f64d03f87011fe35cd3eb

SHA512
4c9423460476835d15ec57d0571e35ad7551f11181063b1730d5f0ad88c841ad22aeda1f1311089335892e52456f322cf0ac5d1df86209cd9e6b6f004fe9b856

Download Submit
memory/588-80-0x000007FEEDF50000-0x000007FEEEA79000-memory.dmp

Filesize
11.2MB

Download
memory/588-86-0x000007FEEDF50000-0x000007FEEEA79000-memory.dmp

Filesize
11.2MB

Download
memory/588-239-0x000007FEEDF50000-0x000007FEEEA79000-memory.dmp

Filesize
11.2MB

Download
memory/588-100-0x000007FEEDF50000-0x000007FEEEA79000-memory.dmp

Filesize
11.2MB

Download
memory/588-98-0x000007FEEDF50000-0x000007FEEEA79000-memory.dmp

Filesize
11.2MB

Download
memory/588-94-0x000007FEEDF50000-0x000007FEEEA79000-memory.dmp

Filesize
11.2MB

Download
memory/588-84-0x000007FEEDF50000-0x000007FEEEA79000-memory.dmp

Filesize
11.2MB

Download
memory/588-78-0x0000000004A50000-0x0000000004AC6000-memory.dmp

Filesize
472KB

Download
memory/588-77-0x0000000020080000-0x00000000210E0000-memory.dmp

Filesize
16.4MB

Download
memory/588-76-0x000007FEF5E90000-0x000007FEF5FBC000-memory.dmp

Filesize
1.2MB

Download
memory/588-67-0x000007FEEDF50000-0x000007FEEEA79000-memory.dmp

Filesize
11.2MB

Download
memory/588-59-0x0000000000400000-0x00000000027EC000-memory.dmp

Filesize
35.9MB

Download
memory/588-58-0x0000000000400000-0x00000000027EC000-memory.dmp

Filesize
35.9MB

Download
memory/2288-0-0x0000000000400000-0x0000000002606000-memory.dmp

Filesize
34.0MB

Download
memory/2288-27-0x000007FEF63B0000-0x000007FEF64DC000-memory.dmp

Filesize
1.2MB

Download
memory/2288-17-0x000007FEEDF50000-0x000007FEEEA79000-memory.dmp

Filesize
11.2MB

Download
memory/2288-45-0x0000000000400000-0x0000000002606000-memory.dmp

Filesize
34.0MB

Download
memory/2288-41-0x000007FEFD1C0000-0x000007FEFD22C000-memory.dmp

Filesize
432KB

Download
memory/2288-15-0x000007FEFD1C0000-0x000007FEFD22C000-memory.dmp

Filesize
432KB

Download
memory/2288-7-0x000007FEFD1C0000-0x000007FEFD22C000-memory.dmp

Filesize
432KB

Download
memory/2288-43-0x000007FEEDF50000-0x000007FEEEA79000-memory.dmp

Filesize
11.2MB

Download
memory/2288-44-0x000007FEFD1C0000-0x000007FEFD22C000-memory.dmp

Filesize
432KB

Download
memory/2288-29-0x0000000002D20000-0x0000000002D96000-memory.dmp

Filesize
472KB

Download
memory/2288-1-0x000007FEFD1D3000-0x000007FEFD1D4000-memory.dmp

Filesize
4KB

Download
memory/2288-28-0x000000001FDE0000-0x0000000020C38000-memory.dmp

Filesize
14.3MB

Download
memory/2288-14-0x000007FEEDF50000-0x000007FEEEA79000-memory.dmp

Filesize
11.2MB

Download
memory/2288-32-0x0000000000400000-0x0000000002606000-memory.dmp

Filesize
34.0MB

Download
memory/2288-31-0x000007FEFD1C0000-0x000007FEFD22C000-memory.dmp

Filesize
432KB

Download
memory/2288-30-0x0000000020C40000-0x0000000020E32000-memory.dmp

Filesize
1.9MB

Download
memory/2288-6-0x0000000000400000-0x0000000002606000-memory.dmp

Filesize
34.0MB

Download
memory/2288-5-0x0000000000400000-0x0000000002606000-memory.dmp

Filesize
34.0MB

Download
memory/2288-2-0x000007FEFD1C0000-0x000007FEFD22C000-memory.dmp

Filesize
432KB

Download
memory/2560-54-0x000000001CEC0000-0x000000001F2AC000-memory.dmp

Filesize
35.9MB

Download
memory/2560-40-0x0000000000130000-0x000000000014E000-memory.dmp

Filesize
120KB

Download