zgrat | b4d51a794626e778a1c7364fd763f8136cfe93502fc04de96b76e4fe3af386ec

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
26/11/2023, 14:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8ee79ff487d9196d01d94f35a3bb420.exe
Size

3.7MB
MD5

a8ee79ff487d9196d01d94f35a3bb420
SHA1

19e2f9ef03baa9cdffc9f72aed2cb4bb7c13844a
SHA256

b4d51a794626e778a1c7364fd763f8136cfe93502fc04de96b76e4fe3af386ec
SHA512

abbc0d10f540ab76a6c61e8e9e7d76f625c168a8f3b4d1936f9eb3dafacf4d9e9e28daaabd08e130e1b626b43cb828ae2c6aea645a66f01d9bdc283bb8f33b80
SSDEEP

98304:0Pe6m3FEPSC/9VC2OKPOizhto9Lf8vhmlZu:0Pe6KF4S8fC2vO4tIfQ

Score

10^/10

zgrat persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 4 IoCs

resource	yara_rule
behavioral1/memory/2280-0-0x00000000010B0000-0x0000000001464000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0009000000016064-86.dat	family_zgrat_v1
behavioral1/files/0x002f000000015c74-257.dat	family_zgrat_v1
behavioral1/files/0x002f000000015c74-258.dat	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\csrss.exe\""	a8ee79ff487d9196d01d94f35a3bb420.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\wininit.exe\""	a8ee79ff487d9196d01d94f35a3bb420.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Program Files\\Internet Explorer\\fr-FR\\csrss.exe\""	a8ee79ff487d9196d01d94f35a3bb420.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Program Files\\Internet Explorer\\fr-FR\\csrss.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\explorer.exe\""	a8ee79ff487d9196d01d94f35a3bb420.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Portable Devices\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\wininit.exe\", \"C:\\Program Files\\Internet Explorer\\fr-FR\\csrss.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\""	a8ee79ff487d9196d01d94f35a3bb420.exe

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2400	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2400	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2400	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2400	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2400	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	2400	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	312	2400	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2400	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	2400	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2400	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2400	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2400	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	2400	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	272	2400	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2400	schtasks.exe	28

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Executes dropped EXE 1 IoCs

pid	Process
1948	wininit.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Portable Devices\\csrss.exe\""	a8ee79ff487d9196d01d94f35a3bb420.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Portable Devices\\csrss.exe\""	a8ee79ff487d9196d01d94f35a3bb420.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\wininit.exe\""	a8ee79ff487d9196d01d94f35a3bb420.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Internet Explorer\\fr-FR\\csrss.exe\""	a8ee79ff487d9196d01d94f35a3bb420.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\wininit.exe\""	a8ee79ff487d9196d01d94f35a3bb420.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Internet Explorer\\fr-FR\\csrss.exe\""	a8ee79ff487d9196d01d94f35a3bb420.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\explorer.exe\""	a8ee79ff487d9196d01d94f35a3bb420.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\explorer.exe\""	a8ee79ff487d9196d01d94f35a3bb420.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\""	a8ee79ff487d9196d01d94f35a3bb420.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\""	a8ee79ff487d9196d01d94f35a3bb420.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCCCF97DCCCD64E9098A2DA4FA324B6CF.TMP	csc.exe
File created	\??\c:\Windows\System32\gkfxbh.exe	csc.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Portable Devices\886983d96e3d3e	a8ee79ff487d9196d01d94f35a3bb420.exe
File created	C:\Program Files\Internet Explorer\fr-FR\csrss.exe	a8ee79ff487d9196d01d94f35a3bb420.exe
File created	C:\Program Files\Internet Explorer\fr-FR\886983d96e3d3e	a8ee79ff487d9196d01d94f35a3bb420.exe
File created	C:\Program Files\Windows Portable Devices\csrss.exe	a8ee79ff487d9196d01d94f35a3bb420.exe
File opened for modification	C:\Program Files\Windows Portable Devices\csrss.exe	a8ee79ff487d9196d01d94f35a3bb420.exe

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1212	schtasks.exe
1680	schtasks.exe
1428	schtasks.exe
1096	schtasks.exe
2756	schtasks.exe
1704	schtasks.exe
2292	schtasks.exe
1984	schtasks.exe
2784	schtasks.exe
2804	schtasks.exe
1424	schtasks.exe
572	schtasks.exe
312	schtasks.exe
1160	schtasks.exe
272	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1712	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe
2280	a8ee79ff487d9196d01d94f35a3bb420.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1948	wininit.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2280	a8ee79ff487d9196d01d94f35a3bb420.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeDebugPrivilege	340	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	832	powershell.exe
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	1948	wininit.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1948	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2932	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	32
PID 2280 wrote to memory of 2932	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	32
PID 2280 wrote to memory of 2932	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	32
PID 2932 wrote to memory of 580	2932	csc.exe	34
PID 2932 wrote to memory of 580	2932	csc.exe	34
PID 2932 wrote to memory of 580	2932	csc.exe	34
PID 2280 wrote to memory of 2564	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	50
PID 2280 wrote to memory of 2564	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	50
PID 2280 wrote to memory of 2564	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	50
PID 2280 wrote to memory of 2636	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	49
PID 2280 wrote to memory of 2636	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	49
PID 2280 wrote to memory of 2636	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	49
PID 2280 wrote to memory of 576	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	47
PID 2280 wrote to memory of 576	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	47
PID 2280 wrote to memory of 576	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	47
PID 2280 wrote to memory of 340	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	48
PID 2280 wrote to memory of 340	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	48
PID 2280 wrote to memory of 340	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	48
PID 2280 wrote to memory of 1556	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	51
PID 2280 wrote to memory of 1556	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	51
PID 2280 wrote to memory of 1556	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	51
PID 2280 wrote to memory of 1548	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	52
PID 2280 wrote to memory of 1548	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	52
PID 2280 wrote to memory of 1548	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	52
PID 2280 wrote to memory of 1568	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	53
PID 2280 wrote to memory of 1568	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	53
PID 2280 wrote to memory of 1568	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	53
PID 2280 wrote to memory of 1644	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	56
PID 2280 wrote to memory of 1644	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	56
PID 2280 wrote to memory of 1644	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	56
PID 2280 wrote to memory of 1552	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	55
PID 2280 wrote to memory of 1552	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	55
PID 2280 wrote to memory of 1552	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	55
PID 2280 wrote to memory of 1300	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	60
PID 2280 wrote to memory of 1300	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	60
PID 2280 wrote to memory of 1300	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	60
PID 2280 wrote to memory of 2100	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	61
PID 2280 wrote to memory of 2100	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	61
PID 2280 wrote to memory of 2100	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	61
PID 2280 wrote to memory of 2260	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	62
PID 2280 wrote to memory of 2260	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	62
PID 2280 wrote to memory of 2260	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	62
PID 2280 wrote to memory of 2384	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	63
PID 2280 wrote to memory of 2384	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	63
PID 2280 wrote to memory of 2384	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	63
PID 2280 wrote to memory of 2364	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	64
PID 2280 wrote to memory of 2364	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	64
PID 2280 wrote to memory of 2364	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	64
PID 2280 wrote to memory of 832	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	65
PID 2280 wrote to memory of 832	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	65
PID 2280 wrote to memory of 832	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	65
PID 2280 wrote to memory of 2984	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	66
PID 2280 wrote to memory of 2984	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	66
PID 2280 wrote to memory of 2984	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	66
PID 2280 wrote to memory of 3004	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	67
PID 2280 wrote to memory of 3004	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	67
PID 2280 wrote to memory of 3004	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	67
PID 2280 wrote to memory of 2268	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	74
PID 2280 wrote to memory of 2268	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	74
PID 2280 wrote to memory of 2268	2280	a8ee79ff487d9196d01d94f35a3bb420.exe	74
PID 2268 wrote to memory of 1764	2268	cmd.exe	83
PID 2268 wrote to memory of 1764	2268	cmd.exe	83
PID 2268 wrote to memory of 1764	2268	cmd.exe	83
PID 2268 wrote to memory of 1712	2268	cmd.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a8ee79ff487d9196d01d94f35a3bb420.exe
"C:\Users\Admin\AppData\Local\Temp\a8ee79ff487d9196d01d94f35a3bb420.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mdsinnbc\mdsinnbc.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES60F4.tmp" "c:\Windows\System32\CSCCCF97DCCCD64E9098A2DA4FA324B6CF.TMP"
    3⤵
    PID:580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\csrss.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\fr-FR\csrss.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZlQcSuu44V.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1764
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:1712
- - C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe
    "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\fr-FR\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Default\AppData\Roaming\Microsoft\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe

Filesize
3.7MB

MD5
a8ee79ff487d9196d01d94f35a3bb420

SHA1
19e2f9ef03baa9cdffc9f72aed2cb4bb7c13844a

SHA256
b4d51a794626e778a1c7364fd763f8136cfe93502fc04de96b76e4fe3af386ec

SHA512
abbc0d10f540ab76a6c61e8e9e7d76f625c168a8f3b4d1936f9eb3dafacf4d9e9e28daaabd08e130e1b626b43cb828ae2c6aea645a66f01d9bdc283bb8f33b80

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\wininit.exe

Filesize
3.7MB

MD5
a8ee79ff487d9196d01d94f35a3bb420

SHA1
19e2f9ef03baa9cdffc9f72aed2cb4bb7c13844a

SHA256
b4d51a794626e778a1c7364fd763f8136cfe93502fc04de96b76e4fe3af386ec

SHA512
abbc0d10f540ab76a6c61e8e9e7d76f625c168a8f3b4d1936f9eb3dafacf4d9e9e28daaabd08e130e1b626b43cb828ae2c6aea645a66f01d9bdc283bb8f33b80

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe

Filesize
3.7MB

MD5
a8ee79ff487d9196d01d94f35a3bb420

SHA1
19e2f9ef03baa9cdffc9f72aed2cb4bb7c13844a

SHA256
b4d51a794626e778a1c7364fd763f8136cfe93502fc04de96b76e4fe3af386ec

SHA512
abbc0d10f540ab76a6c61e8e9e7d76f625c168a8f3b4d1936f9eb3dafacf4d9e9e28daaabd08e130e1b626b43cb828ae2c6aea645a66f01d9bdc283bb8f33b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES60F4.tmp

Filesize
1KB

MD5
878fb0e05656f4564e2d8ed9fb91ba9b

SHA1
fc2b647de077fa29cc3f0f9a3b79772802bf9f9d

SHA256
29f101f38f31f788c04d62f80f498871dedc773f7e6cc902f95ffc5c7d92deb3

SHA512
0457b734fbbd3fefd363b9b3ed6ba4cc38636321276e745734faf6baedc85213bf737ed9705cc93e37006f10cc991ff65bc3f208b0ce2bba5564e4c36b61eed8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZlQcSuu44V.bat

Filesize
202B

MD5
c4d790db24d7321fe60b5d5ef2d41eae

SHA1
12f4139fe381befb600a0e199320cae78330ad01

SHA256
9eb267ca4fcc3c69f6714aff7206f66347b5e30111c9247897d7db83130c8168

SHA512
5aadba269dc0d30faf3c25180e4c496f354005b1b1651887a9fda77bba2f27a1f0c628278139bb2e516cc786157783b9f1bf574127cf827f4dc934e28780c7db

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a9d84632b16f291a44be05ad14650cd0

SHA1
2262f48746a5b8c33f7b486c89e5f7d2d196ccc5

SHA256
43076d027f152a79815769df3512c589145a502e47f33eaa7ea87fd23aa04d9a

SHA512
da3e302f203b5a3cc17b2b00a53f0f79dba1d9e5dcd70867cbec0783d4e93b5cc69aeea12d90eb6a40d53120a1e31c69180b4f32bd9866c05bb28dacab5fd302

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a9d84632b16f291a44be05ad14650cd0

SHA1
2262f48746a5b8c33f7b486c89e5f7d2d196ccc5

SHA256
43076d027f152a79815769df3512c589145a502e47f33eaa7ea87fd23aa04d9a

SHA512
da3e302f203b5a3cc17b2b00a53f0f79dba1d9e5dcd70867cbec0783d4e93b5cc69aeea12d90eb6a40d53120a1e31c69180b4f32bd9866c05bb28dacab5fd302

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a9d84632b16f291a44be05ad14650cd0

SHA1
2262f48746a5b8c33f7b486c89e5f7d2d196ccc5

SHA256
43076d027f152a79815769df3512c589145a502e47f33eaa7ea87fd23aa04d9a

SHA512
da3e302f203b5a3cc17b2b00a53f0f79dba1d9e5dcd70867cbec0783d4e93b5cc69aeea12d90eb6a40d53120a1e31c69180b4f32bd9866c05bb28dacab5fd302

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a9d84632b16f291a44be05ad14650cd0

SHA1
2262f48746a5b8c33f7b486c89e5f7d2d196ccc5

SHA256
43076d027f152a79815769df3512c589145a502e47f33eaa7ea87fd23aa04d9a

SHA512
da3e302f203b5a3cc17b2b00a53f0f79dba1d9e5dcd70867cbec0783d4e93b5cc69aeea12d90eb6a40d53120a1e31c69180b4f32bd9866c05bb28dacab5fd302

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a9d84632b16f291a44be05ad14650cd0

SHA1
2262f48746a5b8c33f7b486c89e5f7d2d196ccc5

SHA256
43076d027f152a79815769df3512c589145a502e47f33eaa7ea87fd23aa04d9a

SHA512
da3e302f203b5a3cc17b2b00a53f0f79dba1d9e5dcd70867cbec0783d4e93b5cc69aeea12d90eb6a40d53120a1e31c69180b4f32bd9866c05bb28dacab5fd302

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a9d84632b16f291a44be05ad14650cd0

SHA1
2262f48746a5b8c33f7b486c89e5f7d2d196ccc5

SHA256
43076d027f152a79815769df3512c589145a502e47f33eaa7ea87fd23aa04d9a

SHA512
da3e302f203b5a3cc17b2b00a53f0f79dba1d9e5dcd70867cbec0783d4e93b5cc69aeea12d90eb6a40d53120a1e31c69180b4f32bd9866c05bb28dacab5fd302

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a9d84632b16f291a44be05ad14650cd0

SHA1
2262f48746a5b8c33f7b486c89e5f7d2d196ccc5

SHA256
43076d027f152a79815769df3512c589145a502e47f33eaa7ea87fd23aa04d9a

SHA512
da3e302f203b5a3cc17b2b00a53f0f79dba1d9e5dcd70867cbec0783d4e93b5cc69aeea12d90eb6a40d53120a1e31c69180b4f32bd9866c05bb28dacab5fd302

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a9d84632b16f291a44be05ad14650cd0

SHA1
2262f48746a5b8c33f7b486c89e5f7d2d196ccc5

SHA256
43076d027f152a79815769df3512c589145a502e47f33eaa7ea87fd23aa04d9a

SHA512
da3e302f203b5a3cc17b2b00a53f0f79dba1d9e5dcd70867cbec0783d4e93b5cc69aeea12d90eb6a40d53120a1e31c69180b4f32bd9866c05bb28dacab5fd302

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a9d84632b16f291a44be05ad14650cd0

SHA1
2262f48746a5b8c33f7b486c89e5f7d2d196ccc5

SHA256
43076d027f152a79815769df3512c589145a502e47f33eaa7ea87fd23aa04d9a

SHA512
da3e302f203b5a3cc17b2b00a53f0f79dba1d9e5dcd70867cbec0783d4e93b5cc69aeea12d90eb6a40d53120a1e31c69180b4f32bd9866c05bb28dacab5fd302

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a9d84632b16f291a44be05ad14650cd0

SHA1
2262f48746a5b8c33f7b486c89e5f7d2d196ccc5

SHA256
43076d027f152a79815769df3512c589145a502e47f33eaa7ea87fd23aa04d9a

SHA512
da3e302f203b5a3cc17b2b00a53f0f79dba1d9e5dcd70867cbec0783d4e93b5cc69aeea12d90eb6a40d53120a1e31c69180b4f32bd9866c05bb28dacab5fd302

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a9d84632b16f291a44be05ad14650cd0

SHA1
2262f48746a5b8c33f7b486c89e5f7d2d196ccc5

SHA256
43076d027f152a79815769df3512c589145a502e47f33eaa7ea87fd23aa04d9a

SHA512
da3e302f203b5a3cc17b2b00a53f0f79dba1d9e5dcd70867cbec0783d4e93b5cc69aeea12d90eb6a40d53120a1e31c69180b4f32bd9866c05bb28dacab5fd302

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HMK686HFYVJGGFOP3KIA.temp

Filesize
7KB

MD5
a9d84632b16f291a44be05ad14650cd0

SHA1
2262f48746a5b8c33f7b486c89e5f7d2d196ccc5

SHA256
43076d027f152a79815769df3512c589145a502e47f33eaa7ea87fd23aa04d9a

SHA512
da3e302f203b5a3cc17b2b00a53f0f79dba1d9e5dcd70867cbec0783d4e93b5cc69aeea12d90eb6a40d53120a1e31c69180b4f32bd9866c05bb28dacab5fd302

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mdsinnbc\mdsinnbc.0.cs

Filesize
383B

MD5
97b8118d4816ad55a4815488459570df

SHA1
21eed580e947062f853ea6092a239fb4c880481a

SHA256
54b06ac82d0a4e72dd129dcb103194714ea48b46f18abb60be9b194c6634f603

SHA512
03bff9977d8ae59737ec0f4456d03154f0f76150c13880130f3f5b87691eab3a13f793a90902d96677b8532407e67ac644a11278e795eda1a3bb9f9a87e8adfe

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\mdsinnbc\mdsinnbc.cmdline

Filesize
235B

MD5
d0dd68c5eab26e5da7fb645a93be681b

SHA1
70ac642369102fb490a4d306e073bff4c7cf9ec1

SHA256
3e07efca34648708a42827a7238ab1f4169e2b1219f0494ed369340cedd82398

SHA512
e2f0b9548e22f99014f015184fe396850d72f248d6264658e900fcf0480998cd7502f205a39d952e9dbe98b25568a43398fba710e70fb7f0da108c25f9732058

Download Submit
\??\c:\Windows\System32\CSCCCF97DCCCD64E9098A2DA4FA324B6CF.TMP

Filesize
1KB

MD5
9117c8934ef04a26a825f6184bf1a6d7

SHA1
e84833b68b5eb9cd8a416a34fc9d97a12828f3f5

SHA256
2f3a83d43d550435a8b7dde8e9013b457814196259e8046e9f4e8dbb6c4ef0e6

SHA512
c99e90b4b86b68530a5e0e794ab07c506b0ff64fbb7bd416ba63ba4468fd575874cb60775f96864c31a80f7c1825faa4f50f1a2d0a64e7bbfa76fbdecba7af4f

Download Submit
memory/340-189-0x00000000023D4000-0x00000000023D7000-memory.dmp

Filesize
12KB

Download
memory/1552-188-0x000000000294B000-0x00000000029B2000-memory.dmp

Filesize
412KB

Download
memory/1552-187-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/1552-192-0x000007FEEBEC0000-0x000007FEEC85D000-memory.dmp

Filesize
9.6MB

Download
memory/1556-126-0x00000000024A0000-0x00000000024A8000-memory.dmp

Filesize
32KB

Download
memory/1556-185-0x00000000027D4000-0x00000000027D7000-memory.dmp

Filesize
12KB

Download
memory/1556-186-0x00000000027DB000-0x0000000002842000-memory.dmp

Filesize
412KB

Download
memory/1556-191-0x000007FEEBEC0000-0x000007FEEC85D000-memory.dmp

Filesize
9.6MB

Download
memory/1644-193-0x000007FEEBEC0000-0x000007FEEC85D000-memory.dmp

Filesize
9.6MB

Download
memory/2280-27-0x0000000000A60000-0x0000000000A6E000-memory.dmp

Filesize
56KB

Download
memory/2280-34-0x0000000000A70000-0x0000000000A7E000-memory.dmp

Filesize
56KB

Download
memory/2280-39-0x000000001B660000-0x000000001B6E0000-memory.dmp

Filesize
512KB

Download
memory/2280-43-0x00000000769F0000-0x00000000769F1000-memory.dmp

Filesize
4KB

Download
memory/2280-45-0x0000000000AC0000-0x0000000000AD2000-memory.dmp

Filesize
72KB

Download
memory/2280-46-0x00000000769E0000-0x00000000769E1000-memory.dmp

Filesize
4KB

Download
memory/2280-48-0x0000000000AA0000-0x0000000000AAC000-memory.dmp

Filesize
48KB

Download
memory/2280-50-0x0000000000AB0000-0x0000000000AC0000-memory.dmp

Filesize
64KB

Download
memory/2280-52-0x0000000000C90000-0x0000000000CA6000-memory.dmp

Filesize
88KB

Download
memory/2280-54-0x0000000000CB0000-0x0000000000CC2000-memory.dmp

Filesize
72KB

Download
memory/2280-55-0x00000000769A0000-0x00000000769A1000-memory.dmp

Filesize
4KB

Download
memory/2280-57-0x0000000000C70000-0x0000000000C7E000-memory.dmp

Filesize
56KB

Download
memory/2280-58-0x0000000076990000-0x0000000076991000-memory.dmp

Filesize
4KB

Download
memory/2280-60-0x0000000000C80000-0x0000000000C90000-memory.dmp

Filesize
64KB

Download
memory/2280-62-0x0000000000CD0000-0x0000000000CE0000-memory.dmp

Filesize
64KB

Download
memory/2280-64-0x0000000001000000-0x000000000105A000-memory.dmp

Filesize
360KB

Download
memory/2280-66-0x0000000000CE0000-0x0000000000CEE000-memory.dmp

Filesize
56KB

Download
memory/2280-67-0x0000000076950000-0x0000000076951000-memory.dmp

Filesize
4KB

Download
memory/2280-69-0x0000000000D70000-0x0000000000D80000-memory.dmp

Filesize
64KB

Download
memory/2280-71-0x0000000000E80000-0x0000000000E8E000-memory.dmp

Filesize
56KB

Download
memory/2280-73-0x0000000000FC0000-0x0000000000FD8000-memory.dmp

Filesize
96KB

Download
memory/2280-75-0x0000000000E90000-0x0000000000E9C000-memory.dmp

Filesize
48KB

Download
memory/2280-77-0x000000001ABF0000-0x000000001AC3E000-memory.dmp

Filesize
312KB

Download
memory/2280-42-0x0000000000A90000-0x0000000000A9E000-memory.dmp

Filesize
56KB

Download
memory/2280-38-0x0000000000A80000-0x0000000000A8C000-memory.dmp

Filesize
48KB

Download
memory/2280-36-0x0000000076A10000-0x0000000076A11000-memory.dmp

Filesize
4KB

Download
memory/2280-35-0x000000001B660000-0x000000001B6E0000-memory.dmp

Filesize
512KB

Download
memory/2280-40-0x0000000076A00000-0x0000000076A01000-memory.dmp

Filesize
4KB

Download
memory/2280-32-0x0000000076A20000-0x0000000076A21000-memory.dmp

Filesize
4KB

Download
memory/2280-31-0x000000001B660000-0x000000001B6E0000-memory.dmp

Filesize
512KB

Download
memory/2280-30-0x0000000076A30000-0x0000000076A31000-memory.dmp

Filesize
4KB

Download
memory/2280-124-0x000007FEF5000000-0x000007FEF59EC000-memory.dmp

Filesize
9.9MB

Download
memory/2280-1-0x000007FEF5000000-0x000007FEF59EC000-memory.dmp

Filesize
9.9MB

Download
memory/2280-0-0x00000000010B0000-0x0000000001464000-memory.dmp

Filesize
3.7MB

Download
memory/2280-29-0x0000000076A40000-0x0000000076A41000-memory.dmp

Filesize
4KB

Download
memory/2280-28-0x000007FEF5000000-0x000007FEF59EC000-memory.dmp

Filesize
9.9MB

Download
memory/2280-25-0x00000000004D0000-0x00000000004E0000-memory.dmp

Filesize
64KB

Download
memory/2280-23-0x0000000076A50000-0x0000000076A51000-memory.dmp

Filesize
4KB

Download
memory/2280-22-0x00000000004C0000-0x00000000004D0000-memory.dmp

Filesize
64KB

Download
memory/2280-20-0x0000000000610000-0x0000000000628000-memory.dmp

Filesize
96KB

Download
memory/2280-18-0x0000000076A60000-0x0000000076A61000-memory.dmp

Filesize
4KB

Download
memory/2280-16-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/2280-17-0x0000000076A70000-0x0000000076A71000-memory.dmp

Filesize
4KB

Download
memory/2280-13-0x00000000005F0000-0x000000000060C000-memory.dmp

Filesize
112KB

Download
memory/2280-14-0x0000000076A80000-0x0000000076A81000-memory.dmp

Filesize
4KB

Download
memory/2280-10-0x00000000002F0000-0x00000000002FE000-memory.dmp

Filesize
56KB

Download
memory/2280-11-0x0000000076A90000-0x0000000076A91000-memory.dmp

Filesize
4KB

Download
memory/2280-7-0x0000000000490000-0x00000000004B6000-memory.dmp

Filesize
152KB

Download
memory/2280-8-0x000000001B660000-0x000000001B6E0000-memory.dmp

Filesize
512KB

Download
memory/2280-2-0x000000001B660000-0x000000001B6E0000-memory.dmp

Filesize
512KB

Download
memory/2280-5-0x0000000076AA0000-0x0000000076AA1000-memory.dmp

Filesize
4KB

Download
memory/2280-4-0x000000001B660000-0x000000001B6E0000-memory.dmp

Filesize
512KB

Download
memory/2280-3-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2636-190-0x0000000002674000-0x0000000002677000-memory.dmp

Filesize
12KB

Download
memory/2636-125-0x000000001B130000-0x000000001B412000-memory.dmp

Filesize
2.9MB

Download