arrowrat | 98c70efff4675dd2ef3f9a90afb155c4fdbee2aa1f0f2e1641f9c0b8f432407a

Analysis

max time kernel
1s
max time network
40s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/12/2024, 09:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

T.T_Copy.12.18.2024.exe
Size

1.2MB
MD5

4542c9e57e9d955244262c035aaffe94
SHA1

3dfade02ec7892ebdfa977c25354a352e0c55f56
SHA256

98c70efff4675dd2ef3f9a90afb155c4fdbee2aa1f0f2e1641f9c0b8f432407a
SHA512

ac1a22980f414a1b81700c88cd298ad039fd66e563067d14f5a8ea979e0cb2004d63b1246d1a0378ec883d9c3432789b2e3bcff963358e81010c55ee562e2ad9
SSDEEP

24576:INA3R5drXPU/S9abXnZZKBlxr89Wvz4csbmDEbOBVXLzR6t2oE+Lyjx:h52LGBlxRJsiDV7V60onud

Score

10^/10

arrowrat client01 discovery rat

Malware Config

Extracted

Family

arrowrat

Botnet

Client01

127.0.0.1:1338

Mutex

OSHPAW

Signatures

ArrowRat
Remote access tool with various capabilities first seen in late 2021.
rat arrowrat
Arrowrat family
arrowrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	dfbzdfb.sfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	T.T_Copy.12.18.2024.exe

Executes dropped EXE 2 IoCs

pid	Process
3692	dfbzdfb.sfx.exe
440	dfbzdfb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4936	4856	WerFault.exe	93

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfbzdfb.sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfbzdfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	T.T_Copy.12.18.2024.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 3084	1560	T.T_Copy.12.18.2024.exe	83
PID 1560 wrote to memory of 3084	1560	T.T_Copy.12.18.2024.exe	83
PID 1560 wrote to memory of 3084	1560	T.T_Copy.12.18.2024.exe	83
PID 3084 wrote to memory of 3692	3084	cmd.exe	86
PID 3084 wrote to memory of 3692	3084	cmd.exe	86
PID 3084 wrote to memory of 3692	3084	cmd.exe	86
PID 3692 wrote to memory of 440	3692	dfbzdfb.sfx.exe	129
PID 3692 wrote to memory of 440	3692	dfbzdfb.sfx.exe	129
PID 3692 wrote to memory of 440	3692	dfbzdfb.sfx.exe	129

C:\Users\Admin\AppData\Local\Temp\T.T_Copy.12.18.2024.exe
"C:\Users\Admin\AppData\Local\Temp\T.T_Copy.12.18.2024.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oxfhxtr.cmd" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3084
- - C:\Users\Admin\AppData\Local\Temp\dfbzdfb.sfx.exe
    dfbzdfb.sfx.exe -dC:\Users\Admin\AppData\Local\Temp -pepouidalfszfugyRhvqxsdfHbgnmeUtyadfhmxvfofnglfyjfodyehal
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3692
  - - C:\Users\Admin\AppData\Local\Temp\dfbzdfb.exe
      "C:\Users\Admin\AppData\Local\Temp\dfbzdfb.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:440
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\zdsthsxu.bat" "
        5⤵
        
        PID:816
      - C:\Users\Admin\AppData\Roaming\zdfhrgzd.sfx.exe
        
        zdfhrgzd.sfx.exe -dC:\Users\Admin\AppData\Roaming -pesgujhbotoqxqegtpsadelifsujhmwxgthutjkdewsqwngjMiczafugybsbBbsdhdqbqeku
        6⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Roaming\zdfhrgzd.exe
        
        "C:\Users\Admin\AppData\Roaming\zdfhrgzd.exe"
        7⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Roaming\zdfhrgzd.exe
        
        C:\Users\Admin\AppData\Roaming\zdfhrgzd.exe
        8⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 80
        9⤵
        Program crash
        
        PID:4936
        
        C:\Users\Admin\AppData\Roaming\zdfhrgzd.exe
        
        C:\Users\Admin\AppData\Roaming\zdfhrgzd.exe
        8⤵
        
        PID:4348
        
        C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        9⤵
        
        PID:1320
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" Client01 127.0.0.1 1338 OSHPAW
        9⤵
        
        PID:2060
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\mts103wift.pdf"
        5⤵
        
        PID:2456
      - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
        6⤵
        
        PID:4804
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4FAE37C3798C1FF3D58811FCD0F33DA1 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        7⤵
        
        PID:1720
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=3DEA5ED784D3C9CD8A2B43D31502A0A4 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=3DEA5ED784D3C9CD8A2B43D31502A0A4 --renderer-client-id=2 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job /prefetch:1
        7⤵
        
        PID:552
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6FE4501DDE1D7EC95394AA3CC3D5B775 --mojo-platform-channel-handle=2312 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        7⤵
        
        PID:5032
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=142EE232BC9410F3FB0C821495BC8A07 --mojo-platform-channel-handle=1980 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        7⤵
        
        PID:4796
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CE27E7DC7458C701DCD7E2A4D7F5C5F1 --mojo-platform-channel-handle=2360 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        7⤵
        
        PID:2292
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E144DBAF2C5062C942AB34689272E41E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E144DBAF2C5062C942AB34689272E41E --renderer-client-id=8 --mojo-platform-channel-handle=2332 --allow-no-sandbox-job /prefetch:1
        7⤵
        
        PID:688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4856 -ip 4856
1⤵
PID:1400

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3672

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2984

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4428

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
e74f6c668bd67fb238e56f4773cd6bb8

SHA1
839112027fc2050471f5d5a550ab6ae843fe5329

SHA256
f63065c8046fac88dd6e67c5668d8c6c8e0640bd59c38fe0e0accb8a66bf628c

SHA512
67c2f8ef575413a7d38fc6dfcfb595f9681c86a897adbf394ba551ce6f7119f84e826be9a71d88a7889e3d75a65d9c0058279eb02f958e0dee1e6b34caafcc63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\zdfhrgzd.exe.log

Filesize
522B

MD5
0f39d6b9afc039d81ff31f65cbf76826

SHA1
8356d04fe7bba2695d59b6caf5c59f58f3e1a6d8

SHA256
ea16b63ffd431ebf658b903710b6b3a9b8a2eb6814eee3a53b707a342780315d

SHA512
5bad54adb2e32717ef6275f49e2f101dd7e2011c9be14a32e5c29051e8a3f608cbd0b44ac4855ab21e790cb7a5d84c5f69de087074fd01b35259d34d07f5aaf9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133790728198550352.txt

Filesize
75KB

MD5
d77bd544e3a1f2abb093fa891a504415

SHA1
10b9984ae21a93d9f43af349f3f3f21aa35a995c

SHA256
3b647cf8fd072f97397af9d2352a139e8304734e57634149700e3f303879952d

SHA512
17c35a4800e6985e5dde0217bfa51c4148ba46fe79b6aa32722fde4a040830c28a3cffb6659268150a245db6ae644210e0bf714fe6a36f733257c5d49fc9e8a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfbzdfb.exe

Filesize
778KB

MD5
06eb0777fca570612c196d90f0499213

SHA1
047a0a9434594cf652559d0813c5f5c93b58240f

SHA256
4802023516756de90b9bf7cf9987eb139bde5a6fa74197096261781584927caf

SHA512
43ae3398acdb406102b0f8178fb4eccbe48938601657da626bb89db5a4406c76a2269bd48121b0983e4e0c3e7aa9ca6d87621e7a508a16ace10781e4e2bee155

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfbzdfb.sfx.exe

Filesize
923KB

MD5
3181c79bfcb07a0b43a020f22641f2b2

SHA1
a68ad92a42a1ccd8fd48737050a3e5fd459ccd08

SHA256
b932bc36f90d2fba9841cdb8bcaff7a0b7ccfecfe41f1d13ac5bfb6dbd241a04

SHA512
3ef8c85f12815523dabb865e32ea493f57d5e227aaabcccf96ca1c54eaf09e5bb81fafd18daa9d54121cf7ee20f6f5604e7ecf623c42f3c48df27e60cebe4bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\oxfhxtr.cmd

Filesize
18KB

MD5
dabe7144df4dfbd438fc298b12fe4c36

SHA1
317542f096111dade642f3037cc315f156502b6c

SHA256
341d002e13527d35797fb578b00f936c0dc7160c42bab945d0c8a26ee769f0d3

SHA512
f402f5ad42034a9fe8cf846ceb7c0b254b73408d3fb3b54358d37a2591b0ab1be5f236856518e74370ef623eac08f36636253334724b3fa34282f18109c6ac1a

Download Submit
C:\Users\Admin\AppData\Roaming\mts103wift.pdf

Filesize
43KB

MD5
f10334c1dc5e4aec8fffd10387397af2

SHA1
a520e2e581be33181af241dab80799813bda5785

SHA256
307dd5cbcabfcbfd86b65b45f70fb5fc349b861593b74f36ff6416dd5aa44d1e

SHA512
2da918d25e6c50ac2423951b161b9c84833e1d06a978043c7a2ca88952ee625e4a0d3886135d112c846159c80e4ab59862ed95e14d8de9dd3930c6232bd6aecc

Download Submit
C:\Users\Admin\AppData\Roaming\zdfhrgzd.exe

Filesize
503KB

MD5
ec0967a3e53d490e8e1ce811ce53d003

SHA1
8330c2aad5c238a5bdfd07a63349f071d9117e41

SHA256
af31317870dc15d70a14de5a05ad945b4b0920738c0c00e9b3d0c06d2b808275

SHA512
2d663cab58b3adb893514cec91862f7819390f79e3c83e2a194c0ac7a28fd72efcfe6afe81aad88734180119550128888e918ac5e0290d460f06771fde909a51

Download Submit
C:\Users\Admin\AppData\Roaming\zdfhrgzd.sfx.exe

Filesize
609KB

MD5
f59872e2fcc71ef9eb742e3792c37a76

SHA1
8d1fc98643fae35a3f81a18e20fbfa708f04eca4

SHA256
f483a26d822aa187a37651ceb7ac83cb87ae827501add4cb43001a6b84538380

SHA512
156c64dcadc098902c0bb238a5f969aec9110ec1f83f6677204e49172461ab1f1fbd57e3b5b19b2f53ed4fd3c9e7568d7dd15dbb961b6c6f5f62b6b16d47eae2

Download Submit
C:\Users\Admin\AppData\Roaming\zdsthsxu.bat

Filesize
16KB

MD5
8fc1f8bb8306146a314528098c110ee3

SHA1
2330121e717650009b311a2605c68d62e39ca1e2

SHA256
ae520ec2cf0a324d9b23b14a9c8c6cc28348f8edd17d7b515d5ee07fea0237f9

SHA512
8f233fff9b11738e10dfffd87d1de5905b4c7f4ddf04f8ae5e28d1d6f6265be6898ef31a7ef94f42a38974d4add496dfeb8e0920597140fe0886f5e95fdb6e13

Download Submit
memory/1320-90-0x0000000003550000-0x0000000003551000-memory.dmp

Filesize
4KB

Download
memory/1620-45-0x0000000000140000-0x00000000001C4000-memory.dmp

Filesize
528KB

Download
memory/1620-46-0x0000000004BC0000-0x0000000004C5C000-memory.dmp

Filesize
624KB

Download
memory/2060-56-0x00000000053E0000-0x0000000005472000-memory.dmp

Filesize
584KB

Download
memory/2060-60-0x0000000006430000-0x0000000006480000-memory.dmp

Filesize
320KB

Download
memory/2060-57-0x0000000005B40000-0x0000000005BA6000-memory.dmp

Filesize
408KB

Download
memory/2060-53-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4348-52-0x0000000005BC0000-0x0000000006164000-memory.dmp

Filesize
5.6MB

Download
memory/4348-49-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4428-96-0x0000025485540000-0x0000025485560000-memory.dmp

Filesize
128KB

Download
memory/4428-91-0x0000025484620000-0x0000025484720000-memory.dmp

Filesize
1024KB

Download
memory/4428-105-0x0000025485500000-0x0000025485520000-memory.dmp

Filesize
128KB

Download
memory/4428-127-0x0000025485910000-0x0000025485930000-memory.dmp

Filesize
128KB

Download