zgrat | 21015dd4a12034f48c1432acbf1149131a3dd1412f4b8426ec7273d95dc19da6

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ce10fcd4e165a82a76f77d1f661fa36.exe
Size

2.3MB
MD5

2ce10fcd4e165a82a76f77d1f661fa36
SHA1

a3ffe8a330d9e2128172b74dd76f0a31060c0e1e
SHA256

21015dd4a12034f48c1432acbf1149131a3dd1412f4b8426ec7273d95dc19da6
SHA512

f2ed5af0ba9173d483943d7a3761ae2419232ec52980597dfc7ef9c79516297fd2df63970528faeed14f642fb1dbc00114d659068c33cc619ff70583da0bc818
SSDEEP

49152:eOtTYNB84W4Vjms6VSSiht/zAKq4uhL61/I+C62w3/MLfQyTIUhlLY/EDZ50R:eOtTYzfVv6VSSEt/z7qfL6e+HaIez0Ee

Score

10^/10

zgrat rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\tzidRecG.exe	family_zgrat_v1
C:\comDriverinto\HyperPortsavesmonitor.exe	family_zgrat_v1
behavioral2/memory/1212-40-0x0000000000170000-0x0000000000378000-memory.dmp	family_zgrat_v1

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4280	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3908	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3628	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4108	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4532	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4376	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	400	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	3788	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3792	3788	schtasks.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeHyperPortsavesmonitor.exe2ce10fcd4e165a82a76f77d1f661fa36.exetzidRecG.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	HyperPortsavesmonitor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	2ce10fcd4e165a82a76f77d1f661fa36.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	tzidRecG.exe

Executes dropped EXE 4 IoCs

Processes:

Cheat.sfx.exetzidRecG.exeHyperPortsavesmonitor.exeSystem.exe

pid process

1304 Cheat.sfx.exe
4932 tzidRecG.exe
1212 HyperPortsavesmonitor.exe
4008 System.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1304	Cheat.sfx.exe
4932	tzidRecG.exe
1212	HyperPortsavesmonitor.exe
4008	System.exe

Drops file in Program Files directory 7 IoCs

Processes:

HyperPortsavesmonitor.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe	HyperPortsavesmonitor.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\5940a34987c991	HyperPortsavesmonitor.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\sppsvc.exe	HyperPortsavesmonitor.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\sppsvc.exe	HyperPortsavesmonitor.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\0a1fd5f707cd16	HyperPortsavesmonitor.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\winlogon.exe	HyperPortsavesmonitor.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\cc11b995f2a76d	HyperPortsavesmonitor.exe

Drops file in Windows directory 2 IoCs

Processes:

HyperPortsavesmonitor.exe

description	ioc	process
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.exe	HyperPortsavesmonitor.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\27d1bcfc3c54e0	HyperPortsavesmonitor.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4736 1304 WerFault.exe Cheat.sfx.exe

pid	pid_target	process	target process
4736	1304	WerFault.exe	Cheat.sfx.exe

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

pid	process
4532	schtasks.exe
4540	schtasks.exe
632	schtasks.exe
4376	schtasks.exe
4900	schtasks.exe
1604	schtasks.exe
3792	schtasks.exe
2720	schtasks.exe
3628	schtasks.exe
3064	schtasks.exe
3908	schtasks.exe
4108	schtasks.exe
220	schtasks.exe
400	schtasks.exe
4280	schtasks.exe
2248	schtasks.exe
4392	schtasks.exe
3164	schtasks.exe

Modifies registry class 2 IoCs

Processes:

tzidRecG.exeHyperPortsavesmonitor.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	tzidRecG.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	HyperPortsavesmonitor.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4664 PING.EXE

pid	process
4664	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

HyperPortsavesmonitor.exe

pid	process
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe
1212	HyperPortsavesmonitor.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

HyperPortsavesmonitor.exeSystem.exe

description pid process

Token: SeDebugPrivilege 1212 HyperPortsavesmonitor.exe
Token: SeDebugPrivilege 4008 System.exe

description	pid	process
Token: SeDebugPrivilege	1212	HyperPortsavesmonitor.exe
Token: SeDebugPrivilege	4008	System.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

2ce10fcd4e165a82a76f77d1f661fa36.exetzidRecG.exeWScript.execmd.exeHyperPortsavesmonitor.execmd.exe

description	pid	process	target process
PID 748 wrote to memory of 1304	748	2ce10fcd4e165a82a76f77d1f661fa36.exe	Cheat.sfx.exe
PID 748 wrote to memory of 1304	748	2ce10fcd4e165a82a76f77d1f661fa36.exe	Cheat.sfx.exe
PID 748 wrote to memory of 1304	748	2ce10fcd4e165a82a76f77d1f661fa36.exe	Cheat.sfx.exe
PID 748 wrote to memory of 4932	748	2ce10fcd4e165a82a76f77d1f661fa36.exe	tzidRecG.exe
PID 748 wrote to memory of 4932	748	2ce10fcd4e165a82a76f77d1f661fa36.exe	tzidRecG.exe
PID 748 wrote to memory of 4932	748	2ce10fcd4e165a82a76f77d1f661fa36.exe	tzidRecG.exe
PID 4932 wrote to memory of 2456	4932	tzidRecG.exe	WScript.exe
PID 4932 wrote to memory of 2456	4932	tzidRecG.exe	WScript.exe
PID 4932 wrote to memory of 2456	4932	tzidRecG.exe	WScript.exe
PID 2456 wrote to memory of 1608	2456	WScript.exe	cmd.exe
PID 2456 wrote to memory of 1608	2456	WScript.exe	cmd.exe
PID 2456 wrote to memory of 1608	2456	WScript.exe	cmd.exe
PID 1608 wrote to memory of 1212	1608	cmd.exe	HyperPortsavesmonitor.exe
PID 1608 wrote to memory of 1212	1608	cmd.exe	HyperPortsavesmonitor.exe
PID 1212 wrote to memory of 4204	1212	HyperPortsavesmonitor.exe	cmd.exe
PID 1212 wrote to memory of 4204	1212	HyperPortsavesmonitor.exe	cmd.exe
PID 4204 wrote to memory of 864	4204	cmd.exe	chcp.com
PID 4204 wrote to memory of 864	4204	cmd.exe	chcp.com
PID 4204 wrote to memory of 4664	4204	cmd.exe	PING.EXE
PID 4204 wrote to memory of 4664	4204	cmd.exe	PING.EXE
PID 4204 wrote to memory of 4008	4204	cmd.exe	System.exe
PID 4204 wrote to memory of 4008	4204	cmd.exe	System.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2ce10fcd4e165a82a76f77d1f661fa36.exe
"C:\Users\Admin\AppData\Local\Temp\2ce10fcd4e165a82a76f77d1f661fa36.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:748

C:\Users\Admin\AppData\Local\Temp\Cheat.sfx.exe
"C:\Users\Admin\AppData\Local\Temp\Cheat.sfx.exe"
2⤵
- Executes dropped EXE
PID:1304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 988
3⤵
- Program crash
PID:4736

C:\Users\Admin\AppData\Local\Temp\tzidRecG.exe
"C:\Users\Admin\AppData\Local\Temp\tzidRecG.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4932

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\comDriverinto\yqpI0X0JgApYgtlSsocRWTSVHRK.vbe"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\comDriverinto\ucUiAXPN2zx9bZrTcu4WHQVTQZueYbZneVkQGpMslSdQ.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:1608

C:\comDriverinto\HyperPortsavesmonitor.exe
"C:\comDriverinto/HyperPortsavesmonitor.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ReXi8YFQXF.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:4204

C:\Windows\system32\chcp.com
chcp 65001
7⤵
PID:864

C:\Windows\system32\PING.EXE
ping -n 10 localhost
7⤵
- Runs ping.exe
PID:4664

C:\Windows\assembly\NativeImages_v2.0.50727_32\System.exe
"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.exe"
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1304 -ip 1304
1⤵
PID:3380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_32\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_32\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_32\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\SoftwareDistribution\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\SoftwareDistribution\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\SoftwareDistribution\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HyperPortsavesmonitorH" /sc MINUTE /mo 11 /tr "'C:\comDriverinto\HyperPortsavesmonitor.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HyperPortsavesmonitor" /sc ONLOGON /tr "'C:\comDriverinto\HyperPortsavesmonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "HyperPortsavesmonitorH" /sc MINUTE /mo 14 /tr "'C:\comDriverinto\HyperPortsavesmonitor.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3792

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cheat.sfx.exe
Filesize
368KB

MD5
e56343f2eb88fef62d4cf5df0a2c7734

SHA1
21f1b3a3dcbc29388bb72bc7aa7fc4ce654c6135

SHA256
d3e4275fe34ac20bb9d3c53e9971d2a21ba8f7ec5dc8b943c1a52edb2aa0f1ea

SHA512
b56053c8f0f86ee235cce13601000ed31622b87a5b5b6ed7e723b94bc4a9281918feccbab1f99d827187982ad4d5de2eafb02dd8d6dd179b49e2e029eeef4f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\ReXi8YFQXF.bat
Filesize
185B

MD5
fdc7ea9bc7767087bfa15a1c12b2a7ea

SHA1
4a805efb0a154dd5b8a0ab7c339b4f3254538409

SHA256
1ba2b5158add31c8099def39972afbb145d18d6de34822055c62c26c9fafb9cc

SHA512
a338ae77d3063957c0858374c42d6da2249932a8efc582fbecef5257591d0799197b1ddb1c85cff224f43a816f2e39c40e2cae2c9756fb2346373fecaa92a689

Download Submit
C:\Users\Admin\AppData\Local\Temp\tzidRecG.exe
Filesize
2.3MB

MD5
92a0909017b45d6498197b1b817e9303

SHA1
bc8a0aad4e4f3e6ddbd816a98873b24ba22bf502

SHA256
71fcb54017a98fe981d8b725891371518878e684acc63ca9c81f284f5e4b6e23

SHA512
b59ae5bd68f1ef934dbba306312c288f1e81b744cf717cff4a529f7b2ed779cd4f85d85e77b0589d1971d42896b8523b495ae1d81921d75cb7df43308940a021

Download Submit
C:\comDriverinto\HyperPortsavesmonitor.exe
Filesize
2.0MB

MD5
75da1def0cb2b50f387441c2ebed4120

SHA1
7eca930b9afe2bf57ab9a3e546cc9969d4e5dce7

SHA256
2edf5f9fc75dc5cc293db94f337b66524386b0a4d1fd6e56f3d7ad30963cc790

SHA512
adc14364c6e6d614f2a92b7094cced4ca247f96a27844c6601b3f2519de72d3215bb3335eae095363dd82edc2a3ff31b631c61df272c8cf023f72f8bcce737e1

Download Submit
C:\comDriverinto\ucUiAXPN2zx9bZrTcu4WHQVTQZueYbZneVkQGpMslSdQ.bat
Filesize
85B

MD5
97f25de6d41811f5f69377a04cfa76c7

SHA1
e1ff3b69aa65bbf38b49bf3972f739c0af5f6805

SHA256
caf5baa2d2e1705ecae3aa9e95212d2cde2141161defa5e19b7aa9fda05575f4

SHA512
d4af223a7e438d596655cdb1e4189792cf685b9c02f8e5ae0290eabbe29972d1182daaa98d39abf803d1e41b6eefa671d2ae3f051568cfba6adaaa77b8ad74eb

Download Submit
C:\comDriverinto\yqpI0X0JgApYgtlSsocRWTSVHRK.vbe
Filesize
236B

MD5
4ef5f91cd4fabd32da27992dacfc6ad6

SHA1
e6aae689706c107b9b6ff58e474df1d3fe1f16ff

SHA256
fc9b4a6b7b877ee52d56c5b1440de893d1b2bce5fbdf96c6233274af24a2cea7

SHA512
bc1698dc036031250e9dcb9c0d7b87271b1dc15fdaf63ef991aab195cdf9fe4056b2a4a164f46346cb9bfe63aa6c458555de43c9c96945f0f5752d983b1536b6

Download Submit
memory/1212-49-0x000000001AEF0000-0x000000001AF08000-memory.dmp

Filesize
96KB

Download
memory/1212-45-0x000000001B460000-0x000000001B4B0000-memory.dmp

Filesize
320KB

Download
memory/1212-55-0x000000001AEA0000-0x000000001AEAC000-memory.dmp

Filesize
48KB

Download
memory/1212-53-0x000000001AF10000-0x000000001AF28000-memory.dmp

Filesize
96KB

Download
memory/1212-40-0x0000000000170000-0x0000000000378000-memory.dmp

Filesize
2.0MB

Download
memory/1212-42-0x0000000002620000-0x000000000262E000-memory.dmp

Filesize
56KB

Download
memory/1212-44-0x000000001AED0000-0x000000001AEEC000-memory.dmp

Filesize
112KB

Download
memory/1212-51-0x000000001AE90000-0x000000001AE9E000-memory.dmp

Filesize
56KB

Download
memory/1212-47-0x0000000002630000-0x0000000002640000-memory.dmp

Filesize
64KB

Download
memory/1304-30-0x00000000006E0000-0x0000000000742000-memory.dmp

Filesize
392KB

Download
memory/1304-35-0x00000000050C0000-0x0000000005126000-memory.dmp

Filesize
408KB

Download
memory/1304-33-0x00000000055D0000-0x0000000005B74000-memory.dmp

Filesize
5.6MB

Download
memory/1304-34-0x0000000005020000-0x00000000050B2000-memory.dmp

Filesize
584KB

Download
memory/1304-23-0x00000000729AE000-0x00000000729AF000-memory.dmp

Filesize
4KB

Download