Analysis

  • max time kernel
    149s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    19-12-2024 07:47

General

  • Target

    T.T_Copy.12.18.2024.exe

  • Size

    1.2MB

  • MD5

    4542c9e57e9d955244262c035aaffe94

  • SHA1

    3dfade02ec7892ebdfa977c25354a352e0c55f56

  • SHA256

    98c70efff4675dd2ef3f9a90afb155c4fdbee2aa1f0f2e1641f9c0b8f432407a

  • SHA512

    ac1a22980f414a1b81700c88cd298ad039fd66e563067d14f5a8ea979e0cb2004d63b1246d1a0378ec883d9c3432789b2e3bcff963358e81010c55ee562e2ad9

  • SSDEEP

    24576:INA3R5drXPU/S9abXnZZKBlxr89Wvz4csbmDEbOBVXLzR6t2oE+Lyjx:h52LGBlxRJsiDV7V60onud

Malware Config

Extracted

Family

arrowrat

Botnet

Client01

C2

127.0.0.1:1338

Mutex

OSHPAW

Signatures

  • ArrowRat

    Remote access tool with various capabilities first seen in late 2021.

  • Arrowrat family
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 22 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 7 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 31 IoCs
  • Suspicious use of FindShellTrayWindow 50 IoCs
  • Suspicious use of SendNotifyMessage 21 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\T.T_Copy.12.18.2024.exe
    "C:\Users\Admin\AppData\Local\Temp\T.T_Copy.12.18.2024.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:916
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oxfhxtr.cmd" "
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4332
      • C:\Users\Admin\AppData\Local\Temp\dfbzdfb.sfx.exe
        dfbzdfb.sfx.exe -dC:\Users\Admin\AppData\Local\Temp -pepouidalfszfugyRhvqxsdfHbgnmeUtyadfhmxvfofnglfyjfodyehal
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:404
        • C:\Users\Admin\AppData\Local\Temp\dfbzdfb.exe
          "C:\Users\Admin\AppData\Local\Temp\dfbzdfb.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:3092
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\zdsthsxu.bat" "
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4272
            • C:\Users\Admin\AppData\Roaming\zdfhrgzd.sfx.exe
              zdfhrgzd.sfx.exe -dC:\Users\Admin\AppData\Roaming -pesgujhbotoqxqegtpsadelifsujhmwxgthutjkdewsqwngjMiczafugybsbBbsdhdqbqeku
              6⤵
              • Checks computer location settings
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3420
              • C:\Users\Admin\AppData\Roaming\zdfhrgzd.exe
                "C:\Users\Admin\AppData\Roaming\zdfhrgzd.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4940
                • C:\Users\Admin\AppData\Roaming\zdfhrgzd.exe
                  C:\Users\Admin\AppData\Roaming\zdfhrgzd.exe
                  8⤵
                  • Modifies WinLogon for persistence
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2528
                  • C:\Windows\explorer.exe
                    "C:\Windows\explorer.exe"
                    9⤵
                    • Boot or Logon Autostart Execution: Active Setup
                    • Enumerates connected drives
                    • Checks SCSI registry key(s)
                    • Modifies Internet Explorer settings
                    • Modifies registry class
                    • Suspicious behavior: AddClipboardFormatListener
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SendNotifyMessage
                    • Suspicious use of SetWindowsHookEx
                    PID:3880
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client01 127.0.0.1 1338 OSHPAW
                    9⤵
                    PID:2616
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client01 127.0.0.1 1338 OSHPAW
                      9⤵
                      • System Location Discovery: System Language Discovery
                      PID:2312
                  • C:\Users\Admin\AppData\Roaming\zdfhrgzd.exe
                    C:\Users\Admin\AppData\Roaming\zdfhrgzd.exe
                    8⤵
                    • Modifies WinLogon for persistence
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:2608
                    • C:\Windows\explorer.exe
                      "C:\Windows\explorer.exe"
                      9⤵
                      PID:1140
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client01 127.0.0.1 1338 OSHPAW
                        9⤵
                        • System Location Discovery: System Language Discovery
                        PID:3256
              • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\mts103wift.pdf"
                5⤵
                • System Location Discovery: System Language Discovery
                • Checks processor information in registry
                • Modifies Internet Explorer settings
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:4236
                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
                  6⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:4012
                  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=671FA703AB917BD5CB6608AF4FCB0538 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                    7⤵
                    • System Location Discovery: System Language Discovery
                    PID:1464
                  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=1FFF7C2DD446CF72EB13EE58CD1ADE42 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=1FFF7C2DD446CF72EB13EE58CD1ADE42 --renderer-client-id=2 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job /prefetch:1
                    7⤵
                    • System Location Discovery: System Language Discovery
                    PID:4636
                  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=095E91E6A9AD4533DB2E1B28990B493A --mojo-platform-channel-handle=2284 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                    7⤵
                    • System Location Discovery: System Language Discovery
                    PID:548
                  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=52DF20546FD8AC2EBDED76F35947151B --mojo-platform-channel-handle=2404 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                    7⤵
                    • System Location Discovery: System Language Discovery
                    PID:2128
                  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=21A3EA0B75B42BC6CDED8CBDFFBA6F42 --mojo-platform-channel-handle=1716 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                    7⤵
                    • System Location Discovery: System Language Discovery
                    PID:3080
                  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=7CCCE0DD5F1A66C60B997434921198D5 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=7CCCE0DD5F1A66C60B997434921198D5 --renderer-client-id=7 --mojo-platform-channel-handle=2284 --allow-no-sandbox-job /prefetch:1
                    7⤵
                    • System Location Discovery: System Language Discovery
                    PID:1772
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
        • Suspicious use of SetWindowsHookEx
        PID:5052
      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:4820
      • C:\Windows\System32\mobsync.exe
        C:\Windows\System32\mobsync.exe -Embedding
        1⤵
        PID:3080

Network

MITRE ATT&CK Enterprise v15


Downloads

        • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

          Filesize

          36KB

          MD5

          b30d3becc8731792523d599d949e63f5

          SHA1

          19350257e42d7aee17fb3bf139a9d3adb330fad4

          SHA256

          b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

          SHA512

          523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

        • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

          Filesize

          56KB

          MD5

          752a1f26b18748311b691c7d8fc20633

          SHA1

          c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

          SHA256

          111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

          SHA512

          a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

        • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

          Filesize

          64KB

          MD5

          dff7b55e02975ecaa0773ec84bb84524

          SHA1

          4fa4fc8874cab86907f0a97da1eaacb8339d4c3f

          SHA256

          ac65164eb5c86bd36dd8223fcb71fae009118f31822717b96287abdc824d30df

          SHA512

          a42601f670633ff9dabac4175849ccdafd8b24364087ca94d9859025081e1b43df641f7ebbbb9fad0db13e34de2f54d4ffc8baa4741b6f5ab85a223f9798f7f4

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\zdfhrgzd.exe.log

          Filesize

          522B

          MD5

          0f39d6b9afc039d81ff31f65cbf76826

          SHA1

          8356d04fe7bba2695d59b6caf5c59f58f3e1a6d8

          SHA256

          ea16b63ffd431ebf658b903710b6b3a9b8a2eb6814eee3a53b707a342780315d

          SHA512

          5bad54adb2e32717ef6275f49e2f101dd7e2011c9be14a32e5c29051e8a3f608cbd0b44ac4855ab21e790cb7a5d84c5f69de087074fd01b35259d34d07f5aaf9

        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133790680406609211.txt

          Filesize

          75KB

          MD5

          cfb4800efae80dbc0a5cde817503639a

          SHA1

          0e64d179a428d2e79e2f5c0f0220909d8a32b35e

          SHA256

          54b48a91cb505e7d1fddd115028cf1a3b3b080acbf826c5101cb21dc0ebf899d

          SHA512

          061206775e3dc09592957160284e69663ad98982c8b35bed275ba553e7884a0ab2bbf906bda5d61c96371eb7bf6dbd1a3c644cd3f6ccbeed652f25b40f31d471

        • C:\Users\Admin\AppData\Local\Temp\TMP_pass

          Filesize

          40KB

          MD5

          a182561a527f929489bf4b8f74f65cd7

          SHA1

          8cd6866594759711ea1836e86a5b7ca64ee8911f

          SHA256

          42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

          SHA512

          9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

        • C:\Users\Admin\AppData\Local\Temp\dfbzdfb.exe

          Filesize

          778KB

          MD5

          06eb0777fca570612c196d90f0499213

          SHA1

          047a0a9434594cf652559d0813c5f5c93b58240f

          SHA256

          4802023516756de90b9bf7cf9987eb139bde5a6fa74197096261781584927caf

          SHA512

          43ae3398acdb406102b0f8178fb4eccbe48938601657da626bb89db5a4406c76a2269bd48121b0983e4e0c3e7aa9ca6d87621e7a508a16ace10781e4e2bee155

        • C:\Users\Admin\AppData\Local\Temp\dfbzdfb.sfx.exe

          Filesize

          923KB

          MD5

          3181c79bfcb07a0b43a020f22641f2b2

          SHA1

          a68ad92a42a1ccd8fd48737050a3e5fd459ccd08

          SHA256

          b932bc36f90d2fba9841cdb8bcaff7a0b7ccfecfe41f1d13ac5bfb6dbd241a04

          SHA512

          3ef8c85f12815523dabb865e32ea493f57d5e227aaabcccf96ca1c54eaf09e5bb81fafd18daa9d54121cf7ee20f6f5604e7ecf623c42f3c48df27e60cebe4bc8

        • C:\Users\Admin\AppData\Local\Temp\oxfhxtr.cmd

          Filesize

          18KB

          MD5

          dabe7144df4dfbd438fc298b12fe4c36

          SHA1

          317542f096111dade642f3037cc315f156502b6c

          SHA256

          341d002e13527d35797fb578b00f936c0dc7160c42bab945d0c8a26ee769f0d3

          SHA512

          f402f5ad42034a9fe8cf846ceb7c0b254b73408d3fb3b54358d37a2591b0ab1be5f236856518e74370ef623eac08f36636253334724b3fa34282f18109c6ac1a

        • C:\Users\Admin\AppData\Roaming\mts103wift.pdf

          Filesize

          43KB

          MD5

          f10334c1dc5e4aec8fffd10387397af2

          SHA1

          a520e2e581be33181af241dab80799813bda5785

          SHA256

          307dd5cbcabfcbfd86b65b45f70fb5fc349b861593b74f36ff6416dd5aa44d1e

          SHA512

          2da918d25e6c50ac2423951b161b9c84833e1d06a978043c7a2ca88952ee625e4a0d3886135d112c846159c80e4ab59862ed95e14d8de9dd3930c6232bd6aecc

        • C:\Users\Admin\AppData\Roaming\zdfhrgzd.exe

          Filesize

          503KB

          MD5

          ec0967a3e53d490e8e1ce811ce53d003

          SHA1

          8330c2aad5c238a5bdfd07a63349f071d9117e41

          SHA256

          af31317870dc15d70a14de5a05ad945b4b0920738c0c00e9b3d0c06d2b808275

          SHA512

          2d663cab58b3adb893514cec91862f7819390f79e3c83e2a194c0ac7a28fd72efcfe6afe81aad88734180119550128888e918ac5e0290d460f06771fde909a51

        • C:\Users\Admin\AppData\Roaming\zdfhrgzd.sfx.exe

          Filesize

          609KB

          MD5

          f59872e2fcc71ef9eb742e3792c37a76

          SHA1

          8d1fc98643fae35a3f81a18e20fbfa708f04eca4

          SHA256

          f483a26d822aa187a37651ceb7ac83cb87ae827501add4cb43001a6b84538380

          SHA512

          156c64dcadc098902c0bb238a5f969aec9110ec1f83f6677204e49172461ab1f1fbd57e3b5b19b2f53ed4fd3c9e7568d7dd15dbb961b6c6f5f62b6b16d47eae2

        • C:\Users\Admin\AppData\Roaming\zdsthsxu.bat

          Filesize

          16KB

          MD5

          8fc1f8bb8306146a314528098c110ee3

          SHA1

          2330121e717650009b311a2605c68d62e39ca1e2

          SHA256

          ae520ec2cf0a324d9b23b14a9c8c6cc28348f8edd17d7b515d5ee07fea0237f9

          SHA512

          8f233fff9b11738e10dfffd87d1de5905b4c7f4ddf04f8ae5e28d1d6f6265be6898ef31a7ef94f42a38974d4add496dfeb8e0920597140fe0886f5e95fdb6e13

        • memory/2312-60-0x0000000005560000-0x00000000055F2000-memory.dmp

          Filesize

          584KB

        • memory/2528-52-0x0000000005B70000-0x0000000006114000-memory.dmp

          Filesize

          5.6MB

        • memory/2528-49-0x0000000000400000-0x0000000000428000-memory.dmp

          Filesize

          160KB

        • memory/3256-64-0x0000000006020000-0x0000000006070000-memory.dmp

          Filesize

          320KB

        • memory/3256-61-0x0000000005E60000-0x0000000005EC6000-memory.dmp

          Filesize

          408KB

        • memory/3256-54-0x0000000000400000-0x0000000000416000-memory.dmp

          Filesize

          88KB

        • memory/3880-94-0x0000000002C20000-0x0000000002C21000-memory.dmp

          Filesize

          4KB

        • memory/4820-130-0x00000178B8360000-0x00000178B8380000-memory.dmp

          Filesize

          128KB

        • memory/4820-127-0x00000178B7DD0000-0x00000178B7DF0000-memory.dmp

          Filesize

          128KB

        • memory/4820-100-0x00000178B8020000-0x00000178B8040000-memory.dmp

          Filesize

          128KB

        • memory/4820-95-0x00000178B6DF0000-0x00000178B6EF0000-memory.dmp

          Filesize

          1024KB

        • memory/4940-46-0x0000000004B60000-0x0000000004BFC000-memory.dmp

          Filesize

          624KB

        • memory/4940-45-0x0000000000040000-0x00000000000C4000-memory.dmp

          Filesize

          528KB