zgrat | d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11-03-2024 02:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
Size

3.5MB
MD5

1b386f1c6ccf7750b146172492951092
SHA1

fa4ebd833978504374bbf60ce568b5937ee60ed7
SHA256

d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca
SHA512

0ea7a2560ba07013f37230a35695eacb72dbdfc85fbcacfda49a6cd71e10e2835f2670f70017f00942f329f86ae5a17433b8d4ea51a94ae9cbc983eed7cc356d
SSDEEP

98304:g1tWjfqEY30GmmBJgTnOgXO3DxtRQUFwX:g1tWjyETaJgTnOgXIxtqQw

Score

10^/10

zgrat rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 5 IoCs

resource	yara_rule
behavioral1/memory/2940-0-0x00000000009F0000-0x0000000000D78000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0009000000014b41-77.dat	family_zgrat_v1
behavioral1/files/0x0009000000014b41-85.dat	family_zgrat_v1
behavioral1/files/0x0009000000014b41-86.dat	family_zgrat_v1
behavioral1/memory/1072-87-0x0000000000310000-0x0000000000698000-memory.dmp	family_zgrat_v1

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	2136	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2136	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2136	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2136	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2136	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2136	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2136	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2136	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2136	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2136	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2136	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2136	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2136	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	2136	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	2136	schtasks.exe	28

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables packed with unregistered version of .NET Reactor 5 IoCs

resource	yara_rule
behavioral1/memory/2940-0-0x00000000009F0000-0x0000000000D78000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x0009000000014b41-77.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x0009000000014b41-85.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x0009000000014b41-86.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1072-87-0x0000000000310000-0x0000000000698000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor

Executes dropped EXE 1 IoCs

pid	Process
1072	audiodg.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\System.exe	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\27d1bcfc3c54e0	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\inf\PNRPSvc\0000\audiodg.exe	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
File created	C:\Windows\inf\PNRPSvc\0000\42af1c969fbb7b	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
File created	C:\Windows\Offline Web Pages\winlogon.exe	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
File created	C:\Windows\Offline Web Pages\cc11b995f2a76d	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
856	schtasks.exe
1872	schtasks.exe
1620	schtasks.exe
1912	schtasks.exe
2628	schtasks.exe
1980	schtasks.exe
2816	schtasks.exe
2868	schtasks.exe
1092	schtasks.exe
2788	schtasks.exe
2844	schtasks.exe
2740	schtasks.exe
1612	schtasks.exe
528	schtasks.exe
624	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
Token: SeDebugPrivilege	1072	audiodg.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 2832	2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe	44
PID 2940 wrote to memory of 2832	2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe	44
PID 2940 wrote to memory of 2832	2940	d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe	44
PID 2832 wrote to memory of 1568	2832	cmd.exe	46
PID 2832 wrote to memory of 1568	2832	cmd.exe	46
PID 2832 wrote to memory of 1568	2832	cmd.exe	46
PID 2832 wrote to memory of 1464	2832	cmd.exe	47
PID 2832 wrote to memory of 1464	2832	cmd.exe	47
PID 2832 wrote to memory of 1464	2832	cmd.exe	47
PID 2832 wrote to memory of 1072	2832	cmd.exe	48
PID 2832 wrote to memory of 1072	2832	cmd.exe	48
PID 2832 wrote to memory of 1072	2832	cmd.exe	48

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe
"C:\Users\Admin\AppData\Local\Temp\d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U4A8JyyOcU.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1568
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1464
- - C:\Windows\inf\PNRPSvc\0000\audiodg.exe
    "C:\Windows\inf\PNRPSvc\0000\audiodg.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\05646982-d122-11ee-a512-f8024dee4092\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\05646982-d122-11ee-a512-f8024dee4092\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\05646982-d122-11ee-a512-f8024dee4092\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Local Settings\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Local Settings\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\Offline Web Pages\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\Offline Web Pages\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Windows\inf\PNRPSvc\0000\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\inf\PNRPSvc\0000\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Windows\inf\PNRPSvc\0000\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\U4A8JyyOcU.bat

Filesize
215B

MD5
dee90acaf0167f5996b666911edc93d6

SHA1
b13efa8d0ac427912c395642f1d623de460fbc10

SHA256
3228e7e8f553bd7dbb82962d64ef1209e671930cad3769142f6db82461bb5680

SHA512
83e240a838e5782d9f2e8fd28abaf9d7cfd4ed70c9a4e9f7bcd9f3856f38ebdec5d4f04ae41a5700f9411ba5ea9c5c231489194fc5593d8ba04c46ed84f572e0

Download Submit
C:\Windows\inf\PNRPSvc\0000\audiodg.exe

Filesize
3.5MB

MD5
1b386f1c6ccf7750b146172492951092

SHA1
fa4ebd833978504374bbf60ce568b5937ee60ed7

SHA256
d8a2d92eeedda7214767ae29df6fae9e8793f9207a26db3bd346af2d3d50cbca

SHA512
0ea7a2560ba07013f37230a35695eacb72dbdfc85fbcacfda49a6cd71e10e2835f2670f70017f00942f329f86ae5a17433b8d4ea51a94ae9cbc983eed7cc356d

Download Submit
C:\Windows\inf\PNRPSvc\0000\audiodg.exe

Filesize
1024KB

MD5
265a41e700a91e438b2cfa5a52bc5459

SHA1
52fd7028c17d228b936a8ddf068c82efe6f2da7b

SHA256
17d29a6cc9bf585a6996c40334416886ae3db6a5210d6022ea49f2e6f3702523

SHA512
9dfb89d82bf3889c1182049bc0cf817c85e1c36cf47339ea8eb5e0510b2040b45f6ae87bfede68a463bfed75a86e3d193de7ff870d412caa38da796c3cd1e483

Download Submit
C:\Windows\inf\PNRPSvc\0000\audiodg.exe

Filesize
1.9MB

MD5
5c79cad889f7b2f64c896447b5883fa5

SHA1
345fe1cb85e0fb2ed1bc0b33a6fe4f754a008745

SHA256
17b4c7482a60b6dc6b8c8415aa91c70b1ab53be3c74f600dc307c30706c089cf

SHA512
967df653232408ec057248b7ab481ee688c13aeadf8991e727042060755f91adee31c5b18740765d36a2cb7aa40bfb3ce038d653a7d27ab1668999f6c91ab916

Download Submit
memory/1072-97-0x0000000076BC0000-0x0000000076BC1000-memory.dmp

Filesize
4KB

Download
memory/1072-92-0x0000000076BE0000-0x0000000076BE1000-memory.dmp

Filesize
4KB

Download
memory/1072-100-0x0000000076BA0000-0x0000000076BA1000-memory.dmp

Filesize
4KB

Download
memory/1072-99-0x0000000076BB0000-0x0000000076BB1000-memory.dmp

Filesize
4KB

Download
memory/1072-106-0x000007FEF4A60000-0x000007FEF544C000-memory.dmp

Filesize
9.9MB

Download
memory/1072-95-0x0000000076BD0000-0x0000000076BD1000-memory.dmp

Filesize
4KB

Download
memory/1072-93-0x00000000024E0000-0x0000000002560000-memory.dmp

Filesize
512KB

Download
memory/1072-103-0x0000000076B90000-0x0000000076B91000-memory.dmp

Filesize
4KB

Download
memory/1072-90-0x00000000024E0000-0x0000000002560000-memory.dmp

Filesize
512KB

Download
memory/1072-89-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1072-88-0x000007FEF4A60000-0x000007FEF544C000-memory.dmp

Filesize
9.9MB

Download
memory/1072-87-0x0000000000310000-0x0000000000698000-memory.dmp

Filesize
3.5MB

Download
memory/1072-108-0x0000000076B80000-0x0000000076B81000-memory.dmp

Filesize
4KB

Download
memory/1072-109-0x0000000076B60000-0x0000000076B61000-memory.dmp

Filesize
4KB

Download
memory/1072-111-0x0000000076B70000-0x0000000076B71000-memory.dmp

Filesize
4KB

Download
memory/2940-23-0x0000000000450000-0x0000000000460000-memory.dmp

Filesize
64KB

Download
memory/2940-62-0x00000000022B0000-0x00000000022C0000-memory.dmp

Filesize
64KB

Download
memory/2940-31-0x000000001B4F0000-0x000000001B570000-memory.dmp

Filesize
512KB

Download
memory/2940-28-0x0000000076B70000-0x0000000076B71000-memory.dmp

Filesize
4KB

Download
memory/2940-27-0x0000000076B80000-0x0000000076B81000-memory.dmp

Filesize
4KB

Download
memory/2940-32-0x0000000076B60000-0x0000000076B61000-memory.dmp

Filesize
4KB

Download
memory/2940-34-0x0000000000990000-0x00000000009A2000-memory.dmp

Filesize
72KB

Download
memory/2940-35-0x000000001B4F0000-0x000000001B570000-memory.dmp

Filesize
512KB

Download
memory/2940-36-0x0000000076B50000-0x0000000076B51000-memory.dmp

Filesize
4KB

Download
memory/2940-38-0x0000000000970000-0x0000000000980000-memory.dmp

Filesize
64KB

Download
memory/2940-39-0x000000001B4F0000-0x000000001B570000-memory.dmp

Filesize
512KB

Download
memory/2940-40-0x0000000076B40000-0x0000000076B41000-memory.dmp

Filesize
4KB

Download
memory/2940-42-0x00000000009D0000-0x00000000009E6000-memory.dmp

Filesize
88KB

Download
memory/2940-43-0x0000000076B30000-0x0000000076B31000-memory.dmp

Filesize
4KB

Download
memory/2940-45-0x0000000002280000-0x0000000002292000-memory.dmp

Filesize
72KB

Download
memory/2940-46-0x0000000076B20000-0x0000000076B21000-memory.dmp

Filesize
4KB

Download
memory/2940-48-0x0000000000980000-0x000000000098E000-memory.dmp

Filesize
56KB

Download
memory/2940-49-0x0000000076B10000-0x0000000076B11000-memory.dmp

Filesize
4KB

Download
memory/2940-51-0x00000000009B0000-0x00000000009C0000-memory.dmp

Filesize
64KB

Download
memory/2940-54-0x00000000009C0000-0x00000000009D0000-memory.dmp

Filesize
64KB

Download
memory/2940-52-0x0000000076B00000-0x0000000076B01000-memory.dmp

Filesize
4KB

Download
memory/2940-55-0x0000000076AF0000-0x0000000076AF1000-memory.dmp

Filesize
4KB

Download
memory/2940-57-0x00000000024C0000-0x000000000251A000-memory.dmp

Filesize
360KB

Download
memory/2940-58-0x0000000076AE0000-0x0000000076AE1000-memory.dmp

Filesize
4KB

Download
memory/2940-60-0x00000000022A0000-0x00000000022AE000-memory.dmp

Filesize
56KB

Download
memory/2940-30-0x00000000004A0000-0x00000000004AE000-memory.dmp

Filesize
56KB

Download
memory/2940-64-0x00000000022C0000-0x00000000022CE000-memory.dmp

Filesize
56KB

Download
memory/2940-66-0x00000000022F0000-0x0000000002308000-memory.dmp

Filesize
96KB

Download
memory/2940-68-0x000000001AAB0000-0x000000001AAFE000-memory.dmp

Filesize
312KB

Download
memory/2940-26-0x000007FEF5450000-0x000007FEF5E3C000-memory.dmp

Filesize
9.9MB

Download
memory/2940-25-0x0000000000490000-0x00000000004A0000-memory.dmp

Filesize
64KB

Download
memory/2940-84-0x000007FEF5450000-0x000007FEF5E3C000-memory.dmp

Filesize
9.9MB

Download
memory/2940-0-0x00000000009F0000-0x0000000000D78000-memory.dmp

Filesize
3.5MB

Download
memory/2940-21-0x0000000076B90000-0x0000000076B91000-memory.dmp

Filesize
4KB

Download
memory/2940-20-0x00000000004B0000-0x00000000004C8000-memory.dmp

Filesize
96KB

Download
memory/2940-18-0x0000000076BA0000-0x0000000076BA1000-memory.dmp

Filesize
4KB

Download
memory/2940-17-0x0000000000410000-0x0000000000420000-memory.dmp

Filesize
64KB

Download
memory/2940-15-0x0000000076BB0000-0x0000000076BB1000-memory.dmp

Filesize
4KB

Download
memory/2940-14-0x0000000076BC0000-0x0000000076BC1000-memory.dmp

Filesize
4KB

Download
memory/2940-13-0x0000000000430000-0x000000000044C000-memory.dmp

Filesize
112KB

Download
memory/2940-11-0x0000000076BD0000-0x0000000076BD1000-memory.dmp

Filesize
4KB

Download
memory/2940-10-0x00000000001F0000-0x00000000001FE000-memory.dmp

Filesize
56KB

Download
memory/2940-8-0x0000000000460000-0x0000000000486000-memory.dmp

Filesize
152KB

Download
memory/2940-6-0x000000001B4F0000-0x000000001B570000-memory.dmp

Filesize
512KB

Download
memory/2940-5-0x0000000076BE0000-0x0000000076BE1000-memory.dmp

Filesize
4KB

Download
memory/2940-4-0x000000001B4F0000-0x000000001B570000-memory.dmp

Filesize
512KB

Download
memory/2940-3-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2940-2-0x000000001B4F0000-0x000000001B570000-memory.dmp

Filesize
512KB

Download
memory/2940-1-0x000007FEF5450000-0x000007FEF5E3C000-memory.dmp

Filesize
9.9MB

Download