arrowrat | 98c70efff4675dd2ef3f9a90afb155c4fdbee2aa1f0f2e1641f9c0b8f432407a

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/12/2024, 07:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

T.T_Copy.12.18.2024.exe
Size

1.2MB
MD5

4542c9e57e9d955244262c035aaffe94
SHA1

3dfade02ec7892ebdfa977c25354a352e0c55f56
SHA256

98c70efff4675dd2ef3f9a90afb155c4fdbee2aa1f0f2e1641f9c0b8f432407a
SHA512

ac1a22980f414a1b81700c88cd298ad039fd66e563067d14f5a8ea979e0cb2004d63b1246d1a0378ec883d9c3432789b2e3bcff963358e81010c55ee562e2ad9
SSDEEP

24576:INA3R5drXPU/S9abXnZZKBlxr89Wvz4csbmDEbOBVXLzR6t2oE+Lyjx:h52LGBlxRJsiDV7V60onud

Score

10^/10

arrowrat client01 discovery persistence rat

Malware Config

Extracted

Family

arrowrat

Botnet

Client01

127.0.0.1:1338

Mutex

OSHPAW

Signatures

ArrowRat
Remote access tool with various capabilities first seen in late 2021.
rat arrowrat
Arrowrat family
arrowrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\AppData\\Roaming\\ZO5WB9\\I4R41F.exe"	zdfhrgzd.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Executes dropped EXE 6 IoCs

pid	Process
2764	dfbzdfb.sfx.exe
2452	dfbzdfb.exe
2284	zdfhrgzd.sfx.exe
2716	zdfhrgzd.exe
840	zdfhrgzd.exe
1656	zdfhrgzd.exe

Loads dropped DLL 9 IoCs

pid	Process
2056	cmd.exe
2764	dfbzdfb.sfx.exe
2764	dfbzdfb.sfx.exe
2764	dfbzdfb.sfx.exe
1252	cmd.exe
2284	zdfhrgzd.sfx.exe
2284	zdfhrgzd.sfx.exe
2284	zdfhrgzd.sfx.exe
2284	zdfhrgzd.sfx.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2716 set thread context of 840	2716	zdfhrgzd.exe	39
PID 2716 set thread context of 1656	2716	zdfhrgzd.exe	40
PID 1656 set thread context of 108	1656	zdfhrgzd.exe	44
PID 840 set thread context of 328	840	zdfhrgzd.exe	43

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zdfhrgzd.sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zdfhrgzd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zdfhrgzd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	T.T_Copy.12.18.2024.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfbzdfb.sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfbzdfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zdfhrgzd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
840	zdfhrgzd.exe
1656	zdfhrgzd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2320	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2716	zdfhrgzd.exe
Token: SeDebugPrivilege	840	zdfhrgzd.exe
Token: SeDebugPrivilege	1656	zdfhrgzd.exe
Token: SeShutdownPrivilege	1644	explorer.exe
Token: SeShutdownPrivilege	1644	explorer.exe
Token: SeShutdownPrivilege	1644	explorer.exe
Token: SeShutdownPrivilege	1644	explorer.exe
Token: SeShutdownPrivilege	1644	explorer.exe
Token: SeShutdownPrivilege	1644	explorer.exe
Token: SeShutdownPrivilege	1644	explorer.exe
Token: SeShutdownPrivilege	1644	explorer.exe
Token: SeShutdownPrivilege	1644	explorer.exe
Token: SeShutdownPrivilege	1644	explorer.exe
Token: SeShutdownPrivilege	1644	explorer.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe

Suspicious use of SendNotifyMessage 17 IoCs

pid	Process
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe
1644	explorer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2320	AcroRd32.exe
2320	AcroRd32.exe
2320	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2056	2336	T.T_Copy.12.18.2024.exe	30
PID 2336 wrote to memory of 2056	2336	T.T_Copy.12.18.2024.exe	30
PID 2336 wrote to memory of 2056	2336	T.T_Copy.12.18.2024.exe	30
PID 2336 wrote to memory of 2056	2336	T.T_Copy.12.18.2024.exe	30
PID 2056 wrote to memory of 2764	2056	cmd.exe	32
PID 2056 wrote to memory of 2764	2056	cmd.exe	32
PID 2056 wrote to memory of 2764	2056	cmd.exe	32
PID 2056 wrote to memory of 2764	2056	cmd.exe	32
PID 2764 wrote to memory of 2452	2764	dfbzdfb.sfx.exe	33
PID 2764 wrote to memory of 2452	2764	dfbzdfb.sfx.exe	33
PID 2764 wrote to memory of 2452	2764	dfbzdfb.sfx.exe	33
PID 2764 wrote to memory of 2452	2764	dfbzdfb.sfx.exe	33
PID 2452 wrote to memory of 1252	2452	dfbzdfb.exe	34
PID 2452 wrote to memory of 1252	2452	dfbzdfb.exe	34
PID 2452 wrote to memory of 1252	2452	dfbzdfb.exe	34
PID 2452 wrote to memory of 1252	2452	dfbzdfb.exe	34
PID 2452 wrote to memory of 2320	2452	dfbzdfb.exe	36
PID 2452 wrote to memory of 2320	2452	dfbzdfb.exe	36
PID 2452 wrote to memory of 2320	2452	dfbzdfb.exe	36
PID 2452 wrote to memory of 2320	2452	dfbzdfb.exe	36
PID 1252 wrote to memory of 2284	1252	cmd.exe	37
PID 1252 wrote to memory of 2284	1252	cmd.exe	37
PID 1252 wrote to memory of 2284	1252	cmd.exe	37
PID 1252 wrote to memory of 2284	1252	cmd.exe	37
PID 2284 wrote to memory of 2716	2284	zdfhrgzd.sfx.exe	38
PID 2284 wrote to memory of 2716	2284	zdfhrgzd.sfx.exe	38
PID 2284 wrote to memory of 2716	2284	zdfhrgzd.sfx.exe	38
PID 2284 wrote to memory of 2716	2284	zdfhrgzd.sfx.exe	38
PID 2716 wrote to memory of 840	2716	zdfhrgzd.exe	39
PID 2716 wrote to memory of 840	2716	zdfhrgzd.exe	39
PID 2716 wrote to memory of 840	2716	zdfhrgzd.exe	39
PID 2716 wrote to memory of 840	2716	zdfhrgzd.exe	39
PID 2716 wrote to memory of 840	2716	zdfhrgzd.exe	39
PID 2716 wrote to memory of 840	2716	zdfhrgzd.exe	39
PID 2716 wrote to memory of 840	2716	zdfhrgzd.exe	39
PID 2716 wrote to memory of 840	2716	zdfhrgzd.exe	39
PID 2716 wrote to memory of 840	2716	zdfhrgzd.exe	39
PID 2716 wrote to memory of 1656	2716	zdfhrgzd.exe	40
PID 2716 wrote to memory of 1656	2716	zdfhrgzd.exe	40
PID 2716 wrote to memory of 1656	2716	zdfhrgzd.exe	40
PID 2716 wrote to memory of 1656	2716	zdfhrgzd.exe	40
PID 2716 wrote to memory of 1656	2716	zdfhrgzd.exe	40
PID 2716 wrote to memory of 1656	2716	zdfhrgzd.exe	40
PID 2716 wrote to memory of 1656	2716	zdfhrgzd.exe	40
PID 2716 wrote to memory of 1656	2716	zdfhrgzd.exe	40
PID 2716 wrote to memory of 1656	2716	zdfhrgzd.exe	40
PID 1656 wrote to memory of 1644	1656	zdfhrgzd.exe	41
PID 1656 wrote to memory of 1644	1656	zdfhrgzd.exe	41
PID 1656 wrote to memory of 1644	1656	zdfhrgzd.exe	41
PID 1656 wrote to memory of 1644	1656	zdfhrgzd.exe	41
PID 840 wrote to memory of 2188	840	zdfhrgzd.exe	42
PID 840 wrote to memory of 2188	840	zdfhrgzd.exe	42
PID 840 wrote to memory of 2188	840	zdfhrgzd.exe	42
PID 840 wrote to memory of 2188	840	zdfhrgzd.exe	42
PID 1656 wrote to memory of 108	1656	zdfhrgzd.exe	44
PID 1656 wrote to memory of 108	1656	zdfhrgzd.exe	44
PID 1656 wrote to memory of 108	1656	zdfhrgzd.exe	44
PID 1656 wrote to memory of 108	1656	zdfhrgzd.exe	44
PID 1656 wrote to memory of 108	1656	zdfhrgzd.exe	44
PID 1656 wrote to memory of 108	1656	zdfhrgzd.exe	44
PID 1656 wrote to memory of 108	1656	zdfhrgzd.exe	44
PID 1656 wrote to memory of 108	1656	zdfhrgzd.exe	44
PID 1656 wrote to memory of 108	1656	zdfhrgzd.exe	44
PID 840 wrote to memory of 328	840	zdfhrgzd.exe	43

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\T.T_Copy.12.18.2024.exe
"C:\Users\Admin\AppData\Local\Temp\T.T_Copy.12.18.2024.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\oxfhxtr.cmd" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Users\Admin\AppData\Local\Temp\dfbzdfb.sfx.exe
    dfbzdfb.sfx.exe -dC:\Users\Admin\AppData\Local\Temp -pepouidalfszfugyRhvqxsdfHbgnmeUtyadfhmxvfofnglfyjfodyehal
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Users\Admin\AppData\Local\Temp\dfbzdfb.exe
      "C:\Users\Admin\AppData\Local\Temp\dfbzdfb.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2452
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\zdsthsxu.bat" "
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1252
      - C:\Users\Admin\AppData\Roaming\zdfhrgzd.sfx.exe
        
        zdfhrgzd.sfx.exe -dC:\Users\Admin\AppData\Roaming -pesgujhbotoqxqegtpsadelifsujhmwxgthutjkdewsqwngjMiczafugybsbBbsdhdqbqeku
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Users\Admin\AppData\Roaming\zdfhrgzd.exe
        
        "C:\Users\Admin\AppData\Roaming\zdfhrgzd.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Users\Admin\AppData\Roaming\zdfhrgzd.exe
        
        C:\Users\Admin\AppData\Roaming\zdfhrgzd.exe
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        9⤵
        
        PID:2188
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client01 127.0.0.1 1338 OSHPAW
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:328
        
        C:\Users\Admin\AppData\Roaming\zdfhrgzd.exe
        
        C:\Users\Admin\AppData\Roaming\zdfhrgzd.exe
        8⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1644
        
        C:\Windows\system32\ctfmon.exe
        
        ctfmon.exe
        10⤵
        
        PID:2224
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client01 127.0.0.1 1338 OSHPAW
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:108
    - - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\mts103wift.pdf"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dfbzdfb.exe

Filesize
778KB

MD5
06eb0777fca570612c196d90f0499213

SHA1
047a0a9434594cf652559d0813c5f5c93b58240f

SHA256
4802023516756de90b9bf7cf9987eb139bde5a6fa74197096261781584927caf

SHA512
43ae3398acdb406102b0f8178fb4eccbe48938601657da626bb89db5a4406c76a2269bd48121b0983e4e0c3e7aa9ca6d87621e7a508a16ace10781e4e2bee155

Download Submit
C:\Users\Admin\AppData\Local\Temp\oxfhxtr.cmd

Filesize
18KB

MD5
dabe7144df4dfbd438fc298b12fe4c36

SHA1
317542f096111dade642f3037cc315f156502b6c

SHA256
341d002e13527d35797fb578b00f936c0dc7160c42bab945d0c8a26ee769f0d3

SHA512
f402f5ad42034a9fe8cf846ceb7c0b254b73408d3fb3b54358d37a2591b0ab1be5f236856518e74370ef623eac08f36636253334724b3fa34282f18109c6ac1a

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
5af808f6b49df05bac8e525200076105

SHA1
6332b04902aa4806dd5e65c52f2595fee13ccb75

SHA256
1621ec06f35233d99f8f9bb39b8e7199489e750ff99a08fb61ba89525e44fd23

SHA512
a85bbda7004b3ff67fe3b36f96403265dea9490e27e4d29e289f2f71908236ee03fcf22643b83b6540bf9fb9cbc1fdd811da7ba971a1b284de2f39c6a83fc6e5

Download Submit
C:\Users\Admin\AppData\Roaming\mts103wift.pdf

Filesize
43KB

MD5
f10334c1dc5e4aec8fffd10387397af2

SHA1
a520e2e581be33181af241dab80799813bda5785

SHA256
307dd5cbcabfcbfd86b65b45f70fb5fc349b861593b74f36ff6416dd5aa44d1e

SHA512
2da918d25e6c50ac2423951b161b9c84833e1d06a978043c7a2ca88952ee625e4a0d3886135d112c846159c80e4ab59862ed95e14d8de9dd3930c6232bd6aecc

Download Submit
C:\Users\Admin\AppData\Roaming\zdfhrgzd.sfx.exe

Filesize
609KB

MD5
f59872e2fcc71ef9eb742e3792c37a76

SHA1
8d1fc98643fae35a3f81a18e20fbfa708f04eca4

SHA256
f483a26d822aa187a37651ceb7ac83cb87ae827501add4cb43001a6b84538380

SHA512
156c64dcadc098902c0bb238a5f969aec9110ec1f83f6677204e49172461ab1f1fbd57e3b5b19b2f53ed4fd3c9e7568d7dd15dbb961b6c6f5f62b6b16d47eae2

Download Submit
C:\Users\Admin\AppData\Roaming\zdsthsxu.bat

Filesize
16KB

MD5
8fc1f8bb8306146a314528098c110ee3

SHA1
2330121e717650009b311a2605c68d62e39ca1e2

SHA256
ae520ec2cf0a324d9b23b14a9c8c6cc28348f8edd17d7b515d5ee07fea0237f9

SHA512
8f233fff9b11738e10dfffd87d1de5905b4c7f4ddf04f8ae5e28d1d6f6265be6898ef31a7ef94f42a38974d4add496dfeb8e0920597140fe0886f5e95fdb6e13

Download Submit
\Users\Admin\AppData\Local\Temp\dfbzdfb.sfx.exe

Filesize
923KB

MD5
3181c79bfcb07a0b43a020f22641f2b2

SHA1
a68ad92a42a1ccd8fd48737050a3e5fd459ccd08

SHA256
b932bc36f90d2fba9841cdb8bcaff7a0b7ccfecfe41f1d13ac5bfb6dbd241a04

SHA512
3ef8c85f12815523dabb865e32ea493f57d5e227aaabcccf96ca1c54eaf09e5bb81fafd18daa9d54121cf7ee20f6f5604e7ecf623c42f3c48df27e60cebe4bc8

Download Submit
\Users\Admin\AppData\Roaming\zdfhrgzd.exe

Filesize
503KB

MD5
ec0967a3e53d490e8e1ce811ce53d003

SHA1
8330c2aad5c238a5bdfd07a63349f071d9117e41

SHA256
af31317870dc15d70a14de5a05ad945b4b0920738c0c00e9b3d0c06d2b808275

SHA512
2d663cab58b3adb893514cec91862f7819390f79e3c83e2a194c0ac7a28fd72efcfe6afe81aad88734180119550128888e918ac5e0290d460f06771fde909a51

Download Submit
memory/108-87-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/108-93-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/108-94-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/108-91-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/108-89-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/108-85-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/328-109-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/328-108-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/840-76-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/840-84-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1644-116-0x0000000004160000-0x0000000004170000-memory.dmp

Filesize
64KB

Download
memory/1656-82-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2716-75-0x0000000000B80000-0x0000000000C04000-memory.dmp

Filesize
528KB

Download