zgrat | 22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2024 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

17eb4c4e58353a5db52602d0ae321fbd.exe
Size

1.9MB
MD5

17eb4c4e58353a5db52602d0ae321fbd
SHA1

791e65e864b8831b86149c079b09d04cac894e59
SHA256

22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1
SHA512

a93540c9b59a5000ef53834ff920d8fafa3e1d25da92ead4d523dc684d3824a6e3ccefda736194c0ec1a2e27229ea4096afd65be3ff462fd2e4f22c6058d8d14
SSDEEP

24576:kGcK2o1bNcsQSVR7z/7VlQR/Ys6Yy0RbZEd3oJ30mJrqTgOEOkm6GNBO0mQP:7l777HagqbZoaEoki5m6G/FmQ

Score

10^/10

zgrat execution persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral2/memory/3672-1-0x00000000007A0000-0x000000000098A000-memory.dmp	family_zgrat_v1
behavioral2/files/0x000a000000023bc4-31.dat	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\PackageManifests\\OfficeClickToRun.exe\", \"C:\\Program Files\\Crashpad\\csrss.exe\", \"C:\\Windows\\ShellExperiences\\17eb4c4e58353a5db52602d0ae321fbd.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\fr-FR\\dllhost.exe\""	17eb4c4e58353a5db52602d0ae321fbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\PackageManifests\\OfficeClickToRun.exe\", \"C:\\Program Files\\Crashpad\\csrss.exe\", \"C:\\Windows\\ShellExperiences\\17eb4c4e58353a5db52602d0ae321fbd.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\fr-FR\\dllhost.exe\", \"C:\\Program Files\\Windows Defender\\fontdrvhost.exe\""	17eb4c4e58353a5db52602d0ae321fbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\PackageManifests\\OfficeClickToRun.exe\", \"C:\\Program Files\\Crashpad\\csrss.exe\", \"C:\\Windows\\ShellExperiences\\17eb4c4e58353a5db52602d0ae321fbd.exe\", \"C:\\Program Files\\Windows NT\\Accessories\\fr-FR\\dllhost.exe\", \"C:\\Program Files\\Windows Defender\\fontdrvhost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\17eb4c4e58353a5db52602d0ae321fbd.exe\""	17eb4c4e58353a5db52602d0ae321fbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\PackageManifests\\OfficeClickToRun.exe\""	17eb4c4e58353a5db52602d0ae321fbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\PackageManifests\\OfficeClickToRun.exe\", \"C:\\Program Files\\Crashpad\\csrss.exe\""	17eb4c4e58353a5db52602d0ae321fbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\PackageManifests\\OfficeClickToRun.exe\", \"C:\\Program Files\\Crashpad\\csrss.exe\", \"C:\\Windows\\ShellExperiences\\17eb4c4e58353a5db52602d0ae321fbd.exe\""	17eb4c4e58353a5db52602d0ae321fbd.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	4140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	4140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	4140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	4140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	4140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4552	4140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3764	4140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	4140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4240	4140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	4140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	4140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	4140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	4140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	4140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	4140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	4140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3280	4140	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3548	4140	schtasks.exe	85

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1804	powershell.exe
740	powershell.exe
2476	powershell.exe
2312	powershell.exe
4020	powershell.exe
1588	powershell.exe
1816	powershell.exe
1984	powershell.exe
1208	powershell.exe
4572	powershell.exe
4832	powershell.exe
4656	powershell.exe
2404	powershell.exe
2340	powershell.exe
3856	powershell.exe
3880	powershell.exe
2172	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	17eb4c4e58353a5db52602d0ae321fbd.exe

Executes dropped EXE 1 IoCs

pid	Process
5612	dllhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\17eb4c4e58353a5db52602d0ae321fbd = "\"C:\\Windows\\ShellExperiences\\17eb4c4e58353a5db52602d0ae321fbd.exe\""	17eb4c4e58353a5db52602d0ae321fbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows NT\\Accessories\\fr-FR\\dllhost.exe\""	17eb4c4e58353a5db52602d0ae321fbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Windows Defender\\fontdrvhost.exe\""	17eb4c4e58353a5db52602d0ae321fbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\17eb4c4e58353a5db52602d0ae321fbd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\17eb4c4e58353a5db52602d0ae321fbd.exe\""	17eb4c4e58353a5db52602d0ae321fbd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Microsoft Office\\PackageManifests\\OfficeClickToRun.exe\""	17eb4c4e58353a5db52602d0ae321fbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Program Files\\Microsoft Office\\PackageManifests\\OfficeClickToRun.exe\""	17eb4c4e58353a5db52602d0ae321fbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\17eb4c4e58353a5db52602d0ae321fbd = "\"C:\\Windows\\ShellExperiences\\17eb4c4e58353a5db52602d0ae321fbd.exe\""	17eb4c4e58353a5db52602d0ae321fbd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows NT\\Accessories\\fr-FR\\dllhost.exe\""	17eb4c4e58353a5db52602d0ae321fbd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Windows Defender\\fontdrvhost.exe\""	17eb4c4e58353a5db52602d0ae321fbd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\17eb4c4e58353a5db52602d0ae321fbd = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\17eb4c4e58353a5db52602d0ae321fbd.exe\""	17eb4c4e58353a5db52602d0ae321fbd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Crashpad\\csrss.exe\""	17eb4c4e58353a5db52602d0ae321fbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Crashpad\\csrss.exe\""	17eb4c4e58353a5db52602d0ae321fbd.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
40	ipinfo.io
41	ipinfo.io

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCF144794B4A3484D808ACB696596FDCA.TMP	csc.exe
File created	\??\c:\Windows\System32\jku2h8.exe	csc.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\Accessories\fr-FR\dllhost.exe	17eb4c4e58353a5db52602d0ae321fbd.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\OfficeClickToRun.exe	17eb4c4e58353a5db52602d0ae321fbd.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\e6c9b481da804f	17eb4c4e58353a5db52602d0ae321fbd.exe
File created	C:\Program Files\Windows Defender\fontdrvhost.exe	17eb4c4e58353a5db52602d0ae321fbd.exe
File created	C:\Program Files\Windows Defender\5b884080fd4f94	17eb4c4e58353a5db52602d0ae321fbd.exe
File created	C:\Program Files\Crashpad\csrss.exe	17eb4c4e58353a5db52602d0ae321fbd.exe
File created	C:\Program Files\Crashpad\886983d96e3d3e	17eb4c4e58353a5db52602d0ae321fbd.exe
File opened for modification	C:\Program Files\Windows Defender\fontdrvhost.exe	17eb4c4e58353a5db52602d0ae321fbd.exe
File created	C:\Program Files\Windows NT\Accessories\fr-FR\5940a34987c991	17eb4c4e58353a5db52602d0ae321fbd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ShellExperiences\17eb4c4e58353a5db52602d0ae321fbd.exe	17eb4c4e58353a5db52602d0ae321fbd.exe
File created	C:\Windows\ShellExperiences\f478e8e30ee7e8	17eb4c4e58353a5db52602d0ae321fbd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4460	schtasks.exe
1132	schtasks.exe
4792	schtasks.exe
1252	schtasks.exe
4552	schtasks.exe
4240	schtasks.exe
4836	schtasks.exe
2376	schtasks.exe
3548	schtasks.exe
2136	schtasks.exe
4928	schtasks.exe
1812	schtasks.exe
1988	schtasks.exe
2132	schtasks.exe
2856	schtasks.exe
3764	schtasks.exe
532	schtasks.exe
3280	schtasks.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\Local Settings	17eb4c4e58353a5db52602d0ae321fbd.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5152	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe
3672	17eb4c4e58353a5db52602d0ae321fbd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5612	dllhost.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	3672	17eb4c4e58353a5db52602d0ae321fbd.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	3856	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	4020	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	3880	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	4832	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	740	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	5612	dllhost.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 332	3672	17eb4c4e58353a5db52602d0ae321fbd.exe	89
PID 3672 wrote to memory of 332	3672	17eb4c4e58353a5db52602d0ae321fbd.exe	89
PID 332 wrote to memory of 8	332	csc.exe	92
PID 332 wrote to memory of 8	332	csc.exe	92
PID 3672 wrote to memory of 2476	3672	17eb4c4e58353a5db52602d0ae321fbd.exe	108
PID 3672 wrote to memory of 2476	3672	17eb4c4e58353a5db52602d0ae321fbd.exe	108
PID 3672 wrote to memory of 3880	3672	17eb4c4e58353a5db52602d0ae321fbd.exe	109
PID 3672 wrote to memory of 3880	3672	17eb4c4e58353a5db52602d0ae321fbd.exe	109
PID 3672 wrote to memory of 740	3672	17eb4c4e58353a5db52602d0ae321fbd.exe	110
PID 3672 wrote to memory of 740	3672	17eb4c4e58353a5db52602d0ae321fbd.exe	110
PID 3672 wrote to memory of 4656	3672	17eb4c4e58353a5db52602d0ae321fbd.exe	111
PID 3672 wrote to memory of 4656	3672	17eb4c4e58353a5db52602d0ae321fbd.exe	111
PID 3672 wrote to memory of 3856	3672	17eb4c4e58353a5db52602d0ae321fbd.exe	112
PID 3672 wrote to memory of 3856	3672	17eb4c4e58353a5db52602d0ae321fbd.exe	112
PID 3672 wrote to memory of 4832	3672	17eb4c4e58353a5db52602d0ae321fbd.exe	113
PID 3672 wrote to memory of 4832	3672	17eb4c4e58353a5db52602d0ae321fbd.exe	113
PID 3672 wrote to memory of 2312	3672	17eb4c4e58353a5db52602d0ae321fbd.exe	114
PID 3672 wrote to memory of 2312	3672	17eb4c4e58353a5db52602d0ae321fbd.exe	114
PID 3672 wrote to memory of 2404	3672	17eb4c4e58353a5db52602d0ae321fbd.exe	115
PID 3672 wrote to memory of 2404	3672	17eb4c4e58353a5db52602d0ae321fbd.exe	115
PID 3672 wrote to memory of 4020	3672	17eb4c4e58353a5db52602d0ae321fbd.exe	116
PID 3672 wrote to memory of 4020	3672	17eb4c4e58353a5db52602d0ae321fbd.exe	116
PID 3672 wrote to memory of 1804	3672	17eb4c4e58353a5db52602d0ae321fbd.exe	117
PID 3672 wrote to memory of 1804	3672	17eb4c4e58353a5db52602d0ae321fbd.exe	117
PID 3672 wrote to memory of 1588	3672	17eb4c4e58353a5db52602d0ae321fbd.exe	118
PID 3672 wrote to memory of 1588	3672	17eb4c4e58353a5db52602d0ae321fbd.exe	118
PID 3672 wrote to memory of 2340	3672	17eb4c4e58353a5db52602d0ae321fbd.exe	119
PID 3672 wrote to memory of 2340	3672	17eb4c4e58353a5db52602d0ae321fbd.exe	119
PID 3672 wrote to memory of 1816	3672	17eb4c4e58353a5db52602d0ae321fbd.exe	120
PID 3672 wrote to memory of 1816	3672	17eb4c4e58353a5db52602d0ae321fbd.exe	120
PID 3672 wrote to memory of 1984	3672	17eb4c4e58353a5db52602d0ae321fbd.exe	121
PID 3672 wrote to memory of 1984	3672	17eb4c4e58353a5db52602d0ae321fbd.exe	121
PID 3672 wrote to memory of 1208	3672	17eb4c4e58353a5db52602d0ae321fbd.exe	122
PID 3672 wrote to memory of 1208	3672	17eb4c4e58353a5db52602d0ae321fbd.exe	122
PID 3672 wrote to memory of 4572	3672	17eb4c4e58353a5db52602d0ae321fbd.exe	123
PID 3672 wrote to memory of 4572	3672	17eb4c4e58353a5db52602d0ae321fbd.exe	123
PID 3672 wrote to memory of 2172	3672	17eb4c4e58353a5db52602d0ae321fbd.exe	124
PID 3672 wrote to memory of 2172	3672	17eb4c4e58353a5db52602d0ae321fbd.exe	124
PID 3672 wrote to memory of 1448	3672	17eb4c4e58353a5db52602d0ae321fbd.exe	141
PID 3672 wrote to memory of 1448	3672	17eb4c4e58353a5db52602d0ae321fbd.exe	141
PID 1448 wrote to memory of 5784	1448	cmd.exe	144
PID 1448 wrote to memory of 5784	1448	cmd.exe	144
PID 1448 wrote to memory of 5152	1448	cmd.exe	145
PID 1448 wrote to memory of 5152	1448	cmd.exe	145
PID 1448 wrote to memory of 5612	1448	cmd.exe	152
PID 1448 wrote to memory of 5612	1448	cmd.exe	152

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\17eb4c4e58353a5db52602d0ae321fbd.exe
"C:\Users\Admin\AppData\Local\Temp\17eb4c4e58353a5db52602d0ae321fbd.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yccodgqn\yccodgqn.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:332
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5EC9.tmp" "c:\Windows\System32\CSCF144794B4A3484D808ACB696596FDCA.TMP"
    3⤵
    PID:8
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2404
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\PackageManifests\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Crashpad\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellExperiences\17eb4c4e58353a5db52602d0ae321fbd.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\fr-FR\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\17eb4c4e58353a5db52602d0ae321fbd.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2172
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\awomzeslkW.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:5784
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:5152
- - C:\Program Files\Windows NT\Accessories\fr-FR\dllhost.exe
    "C:\Program Files\Windows NT\Accessories\fr-FR\dllhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:5612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\PackageManifests\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\PackageManifests\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\PackageManifests\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Crashpad\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Crashpad\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Crashpad\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "17eb4c4e58353a5db52602d0ae321fbd1" /sc MINUTE /mo 5 /tr "'C:\Windows\ShellExperiences\17eb4c4e58353a5db52602d0ae321fbd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "17eb4c4e58353a5db52602d0ae321fbd" /sc ONLOGON /tr "'C:\Windows\ShellExperiences\17eb4c4e58353a5db52602d0ae321fbd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "17eb4c4e58353a5db52602d0ae321fbd1" /sc MINUTE /mo 5 /tr "'C:\Windows\ShellExperiences\17eb4c4e58353a5db52602d0ae321fbd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "17eb4c4e58353a5db52602d0ae321fbd1" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\17eb4c4e58353a5db52602d0ae321fbd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "17eb4c4e58353a5db52602d0ae321fbd" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\17eb4c4e58353a5db52602d0ae321fbd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "17eb4c4e58353a5db52602d0ae321fbd1" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\17eb4c4e58353a5db52602d0ae321fbd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\PackageManifests\OfficeClickToRun.exe

Filesize
1.9MB

MD5
17eb4c4e58353a5db52602d0ae321fbd

SHA1
791e65e864b8831b86149c079b09d04cac894e59

SHA256
22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1

SHA512
a93540c9b59a5000ef53834ff920d8fafa3e1d25da92ead4d523dc684d3824a6e3ccefda736194c0ec1a2e27229ea4096afd65be3ff462fd2e4f22c6058d8d14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e448fe0d240184c6597a31d3be2ced58

SHA1
372b8d8c19246d3e38cd3ba123cc0f56070f03cd

SHA256
c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

SHA512
0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ecceac16628651c18879d836acfcb062

SHA1
420502b3e5220a01586c59504e94aa1ee11982c9

SHA256
58238de09a8817ed9f894ed8e5bf06a897fd08e0b0bd77e508d37b2598edd2a9

SHA512
be3c7cb529cafb00f58790a6f8b35c4ff6db9f7f43a507d2218fd80cebc88413e46f71b1bc35b8afcc36b68f9409c946470d1e74a4fe225400eeb6f3f898f5b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5EC9.tmp

Filesize
1KB

MD5
16601342c9a210227849c3fc96349e8c

SHA1
cb0afebee86d4478576e0df5011f04a02c326a21

SHA256
088c76ab29a6751ac4f22b80f208b8bb58888b24e75459dbc043b278ba5b677b

SHA512
95c8dc3ce9dc4d5564a6465616fbf799cd52733d3a08097e5bc5506b5fb2dac101fc70f685a1748c89458a591010a92a02ccb0babbd5be5d866724baab1fb0f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_medklcq1.mzw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\awomzeslkW.bat

Filesize
185B

MD5
d9518f9b19c265cd30a002e2fa2b9b18

SHA1
3bf045aa937a39845eed44ae6ca203ef4b0334e2

SHA256
e5d4c51b722be6bde22f409de9fbf7d286fdd058ed9b73fe1a34f5ed542fb287

SHA512
f99ece91554a2aa78455d27b1af1ebc892aba4d162b37344208159c87aae730913b2f6733b4802a3191150d00ed32c63a12aefc3759b70795d04b6cb9ccc6a1c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yccodgqn\yccodgqn.0.cs

Filesize
403B

MD5
9ebfacdb342e63962fc9ac91607e68c4

SHA1
0ca9d349d2fb73c9b43bbeaab44ec08dbfaa6e14

SHA256
bbce345e5e42388bce58e6eb43e24bd06f4edb2888584cf2c49f90697bab492e

SHA512
80f3f78b890bf00dcf27321371ed64adc3581c605415448130ab031914e545979b7f0a80fcf0170224097d41cc69fd612dfa3df83d0514b092d1ef3703a19975

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yccodgqn\yccodgqn.cmdline

Filesize
235B

MD5
d9f6b27c5ffdd4e3a9635c142a9fff30

SHA1
b1f0717c881daa61ccf4c1986d6ca23f946150b8

SHA256
ff8a9a6c0aa91bb2ea9ca1453e7cbd59e18dd3962794d5b24bf6ccb8efadaf9b

SHA512
36684a4d618f40f0168010c3e042c20f3c551865855403ec59b6c4505c0d307752506f0ff41d82151af547a1c41e00d0a7bd14a862449705119597ad6f602491

Download Submit
\??\c:\Windows\System32\CSCF144794B4A3484D808ACB696596FDCA.TMP

Filesize
1KB

MD5
82451524721c270dfa385539663feae2

SHA1
2ae2bdce06f36e04d2810210179b896ed7f36ad9

SHA256
97115a4ea82f33688590c4e34b81d4e693c9040bede50add193dfc981ad1aa2b

SHA512
04906bb948f633ac3f62dab73672edc87ca2696f8ed41487ade84e3d20c3c08a44281762b07becceb7673b5bad3e56ffceccb6c0f94a3d55d9431b51d72e97ce

Download Submit
memory/740-247-0x000001C07BA90000-0x000001C07BCAC000-memory.dmp

Filesize
2.1MB

Download
memory/1208-242-0x000001F2F9490000-0x000001F2F96AC000-memory.dmp

Filesize
2.1MB

Download
memory/1588-220-0x000001B12B2E0000-0x000001B12B4FC000-memory.dmp

Filesize
2.1MB

Download
memory/1804-244-0x000001B0E93C0000-0x000001B0E95DC000-memory.dmp

Filesize
2.1MB

Download
memory/1816-219-0x0000026749940000-0x0000026749B5C000-memory.dmp

Filesize
2.1MB

Download
memory/1984-226-0x00000226ABC90000-0x00000226ABEAC000-memory.dmp

Filesize
2.1MB

Download
memory/2172-235-0x0000029344A30000-0x0000029344C4C000-memory.dmp

Filesize
2.1MB

Download
memory/2312-243-0x000001D6B3CA0000-0x000001D6B3EBC000-memory.dmp

Filesize
2.1MB

Download
memory/2340-256-0x000001A87B840000-0x000001A87BA5C000-memory.dmp

Filesize
2.1MB

Download
memory/2404-225-0x000001102B4F0000-0x000001102B70C000-memory.dmp

Filesize
2.1MB

Download
memory/2476-252-0x00000243A7F10000-0x00000243A812C000-memory.dmp

Filesize
2.1MB

Download
memory/3672-9-0x00007FFFCCFE0000-0x00007FFFCDAA1000-memory.dmp

Filesize
10.8MB

Download
memory/3672-52-0x00007FFFCCFE0000-0x00007FFFCDAA1000-memory.dmp

Filesize
10.8MB

Download
memory/3672-23-0x00007FFFCCFE0000-0x00007FFFCDAA1000-memory.dmp

Filesize
10.8MB

Download
memory/3672-19-0x00007FFFCCFE0000-0x00007FFFCDAA1000-memory.dmp

Filesize
10.8MB

Download
memory/3672-1-0x00000000007A0000-0x000000000098A000-memory.dmp

Filesize
1.9MB

Download
memory/3672-18-0x000000001B4B0000-0x000000001B4BC000-memory.dmp

Filesize
48KB

Download
memory/3672-16-0x0000000002B80000-0x0000000002B88000-memory.dmp

Filesize
32KB

Download
memory/3672-2-0x00007FFFCCFE0000-0x00007FFFCDAA1000-memory.dmp

Filesize
10.8MB

Download
memory/3672-14-0x0000000002A60000-0x0000000002A6E000-memory.dmp

Filesize
56KB

Download
memory/3672-12-0x000000001B4F0000-0x000000001B508000-memory.dmp

Filesize
96KB

Download
memory/3672-36-0x00007FFFCCFE0000-0x00007FFFCDAA1000-memory.dmp

Filesize
10.8MB

Download
memory/3672-10-0x000000001B9B0000-0x000000001BA00000-memory.dmp

Filesize
320KB

Download
memory/3672-3-0x00007FFFCCFE0000-0x00007FFFCDAA1000-memory.dmp

Filesize
10.8MB

Download
memory/3672-8-0x000000001B4D0000-0x000000001B4EC000-memory.dmp

Filesize
112KB

Download
memory/3672-0-0x00007FFFCCFE3000-0x00007FFFCCFE5000-memory.dmp

Filesize
8KB

Download
memory/3672-4-0x00007FFFCCFE0000-0x00007FFFCDAA1000-memory.dmp

Filesize
10.8MB

Download
memory/3672-6-0x0000000002A50000-0x0000000002A5E000-memory.dmp

Filesize
56KB

Download
memory/3672-28-0x00007FFFCCFE0000-0x00007FFFCDAA1000-memory.dmp

Filesize
10.8MB

Download
memory/3672-37-0x00007FFFCCFE0000-0x00007FFFCDAA1000-memory.dmp

Filesize
10.8MB

Download
memory/3856-259-0x0000022FBB800000-0x0000022FBBA1C000-memory.dmp

Filesize
2.1MB

Download
memory/3880-253-0x000001C5B47F0000-0x000001C5B4A0C000-memory.dmp

Filesize
2.1MB

Download
memory/4020-213-0x000001C225B70000-0x000001C225D8C000-memory.dmp

Filesize
2.1MB

Download
memory/4572-62-0x000002503B520000-0x000002503B542000-memory.dmp

Filesize
136KB

Download
memory/4572-214-0x000002503B2D0000-0x000002503B4EC000-memory.dmp

Filesize
2.1MB

Download
memory/4656-232-0x000001BC635D0000-0x000001BC637EC000-memory.dmp

Filesize
2.1MB

Download
memory/4832-231-0x0000017D228A0000-0x0000017D22ABC000-memory.dmp

Filesize
2.1MB

Download
memory/5612-269-0x000000001D560000-0x000000001D675000-memory.dmp

Filesize
1.1MB

Download