zgrat | 22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06-05-2024 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
Size

1.9MB
MD5

17eb4c4e58353a5db52602d0ae321fbd
SHA1

791e65e864b8831b86149c079b09d04cac894e59
SHA256

22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1
SHA512

a93540c9b59a5000ef53834ff920d8fafa3e1d25da92ead4d523dc684d3824a6e3ccefda736194c0ec1a2e27229ea4096afd65be3ff462fd2e4f22c6058d8d14
SSDEEP

24576:kGcK2o1bNcsQSVR7z/7VlQR/Ys6Yy0RbZEd3oJ30mJrqTgOEOkm6GNBO0mQP:7l777HagqbZoaEoki5m6G/FmQ

Score

10^/10

zgrat execution persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

resource	yara_rule
behavioral2/memory/4948-1-0x0000000000860000-0x0000000000A4A000-memory.dmp	family_zgrat_v1
behavioral2/files/0x000700000002323e-33.dat	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\msedge.exe\""	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Default\\Cookies\\sihost.exe\""	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Default\\Cookies\\sihost.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\winlogon.exe\""	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Default\\Cookies\\sihost.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\winlogon.exe\", \"C:\\Windows\\ShellComponents\\StartMenuExperienceHost.exe\""	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Default\\Cookies\\sihost.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\winlogon.exe\", \"C:\\Windows\\ShellComponents\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\""	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Default\\Cookies\\sihost.exe\", \"C:\\Program Files (x86)\\Common Files\\System\\winlogon.exe\", \"C:\\Windows\\ShellComponents\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\msedge.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe\""	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3628	powershell.exe
4212	powershell.exe
4964	powershell.exe
2460	powershell.exe
3308	powershell.exe
4820	powershell.exe
2488	powershell.exe
2644	powershell.exe
1248	powershell.exe
1988	powershell.exe
1928	powershell.exe
3972	powershell.exe
1920	powershell.exe
748	powershell.exe
5068	powershell.exe
2288	powershell.exe
2164	powershell.exe
2604	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe

Executes dropped EXE 1 IoCs

pid	Process
4144	msedge.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Recovery\\WindowsRE\\msedge.exe\""	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Recovery\\WindowsRE\\msedge.exe\""	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Users\\Default\\Cookies\\sihost.exe\""	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Common Files\\System\\winlogon.exe\""	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Common Files\\System\\winlogon.exe\""	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\ShellComponents\\StartMenuExperienceHost.exe\""	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Windows\\ShellComponents\\StartMenuExperienceHost.exe\""	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe\""	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe\""	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Users\\Default\\Cookies\\sihost.exe\""	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
44	ipinfo.io
45	ipinfo.io

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC815DFC59BD1C40B38645E35E3AB7544F.TMP	csc.exe
File created	\??\c:\Windows\System32\_iyiwy.exe	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\System\winlogon.exe	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
File created	C:\Program Files (x86)\Common Files\System\cc11b995f2a76d	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSC28667D592A054CAB95A6A8605178985C.TMP	csc.exe
File created	\??\c:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	csc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\ShellComponents\55b276f4edf653	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
File created	C:\Windows\WaaS\services\sppsvc.exe	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
File created	C:\Windows\ShellComponents\StartMenuExperienceHost.exe	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5676	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2468	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
Token: SeDebugPrivilege	4820	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	4212	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	4964	powershell.exe
Token: SeDebugPrivilege	3972	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	748	powershell.exe
Token: SeDebugPrivilege	3628	powershell.exe
Token: SeDebugPrivilege	5068	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	3308	powershell.exe
Token: SeDebugPrivilege	2468	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 4948 wrote to memory of 2912	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	90
PID 4948 wrote to memory of 2912	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	90
PID 2912 wrote to memory of 1256	2912	csc.exe	92
PID 2912 wrote to memory of 1256	2912	csc.exe	92
PID 4948 wrote to memory of 4828	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	93
PID 4948 wrote to memory of 4828	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	93
PID 4828 wrote to memory of 4472	4828	csc.exe	95
PID 4828 wrote to memory of 4472	4828	csc.exe	95
PID 4948 wrote to memory of 3308	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	96
PID 4948 wrote to memory of 3308	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	96
PID 4948 wrote to memory of 4820	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	97
PID 4948 wrote to memory of 4820	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	97
PID 4948 wrote to memory of 4212	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	98
PID 4948 wrote to memory of 4212	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	98
PID 4948 wrote to memory of 2288	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	99
PID 4948 wrote to memory of 2288	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	99
PID 4948 wrote to memory of 5068	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	100
PID 4948 wrote to memory of 5068	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	100
PID 4948 wrote to memory of 1988	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	101
PID 4948 wrote to memory of 1988	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	101
PID 4948 wrote to memory of 1248	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	102
PID 4948 wrote to memory of 1248	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	102
PID 4948 wrote to memory of 2644	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	103
PID 4948 wrote to memory of 2644	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	103
PID 4948 wrote to memory of 3972	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	105
PID 4948 wrote to memory of 3972	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	105
PID 4948 wrote to memory of 3628	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	106
PID 4948 wrote to memory of 3628	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	106
PID 4948 wrote to memory of 1928	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	108
PID 4948 wrote to memory of 1928	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	108
PID 4948 wrote to memory of 2488	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	110
PID 4948 wrote to memory of 2488	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	110
PID 4948 wrote to memory of 748	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	113
PID 4948 wrote to memory of 748	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	113
PID 4948 wrote to memory of 4964	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	114
PID 4948 wrote to memory of 4964	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	114
PID 4948 wrote to memory of 2604	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	115
PID 4948 wrote to memory of 2604	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	115
PID 4948 wrote to memory of 2460	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	116
PID 4948 wrote to memory of 2460	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	116
PID 4948 wrote to memory of 1920	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	117
PID 4948 wrote to memory of 1920	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	117
PID 4948 wrote to memory of 2164	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	118
PID 4948 wrote to memory of 2164	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	118
PID 4948 wrote to memory of 4492	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	132
PID 4948 wrote to memory of 4492	4948	22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe	132
PID 4492 wrote to memory of 5964	4492	cmd.exe	134
PID 4492 wrote to memory of 5964	4492	cmd.exe	134
PID 4492 wrote to memory of 5676	4492	cmd.exe	135
PID 4492 wrote to memory of 5676	4492	cmd.exe	135
PID 4492 wrote to memory of 2468	4492	cmd.exe	136
PID 4492 wrote to memory of 2468	4492	cmd.exe	136

C:\Users\Admin\AppData\Local\Temp\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
"C:\Users\Admin\AppData\Local\Temp\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dzkfqrrj\dzkfqrrj.cmdline"
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES460.tmp" "c:\Program Files (x86)\Microsoft\Edge\Application\CSC28667D592A054CAB95A6A8605178985C.TMP"
    3⤵
    PID:1256
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\czv4yvkh\czv4yvkh.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES80A.tmp" "c:\Windows\System32\CSC815DFC59BD1C40B38645E35E3AB7544F.TMP"
    3⤵
    PID:4472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\msedge.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Cookies\sihost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\System\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellComponents\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\msedge.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2164
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cmDFbQQIZ6.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4492
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:5964
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - Runs ping.exe
    PID:5676
- - C:\Users\Admin\AppData\Local\Temp\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe
    "C:\Users\Admin\AppData\Local\Temp\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5076 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
- Executes dropped EXE
PID:4144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Filesize
4KB

MD5
32ab4b601a2fb45b7ec5cd3d1229222c

SHA1
93687b9a64d5646c855d91cee43325f12684a179

SHA256
33ea2f46d2818cf6f3cf1d21007ea034cf26055a803a6e4c0efd19d96872c8dd

SHA512
7e2990227f829fba607ed2d2f925caf7c376fa75455f04e53a3043c87c503733f8e4e8d033a8f4223a6772c4837f39f91ecc31f9c5f848e226ec6895958a9c7d

Download Submit
C:\Recovery\WindowsRE\msedge.exe

Filesize
1.9MB

MD5
17eb4c4e58353a5db52602d0ae321fbd

SHA1
791e65e864b8831b86149c079b09d04cac894e59

SHA256
22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1

SHA512
a93540c9b59a5000ef53834ff920d8fafa3e1d25da92ead4d523dc684d3824a6e3ccefda736194c0ec1a2e27229ea4096afd65be3ff462fd2e4f22c6058d8d14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\22ed346e6e5849b9a4ddc0f372382b062fe50145a4425562976531eb2b0819e1.exe.log

Filesize
1KB

MD5
18da49c97c362515aa00f9d0b966f403

SHA1
1974d473a06114342e171ca707c86c8303ab168a

SHA256
1747424c1eba45d3539d08f84a8f02149ea969ef380a6c6d13a5cc3fe963e684

SHA512
d1ca8005f1f5ac652696ae1b03d5c27b243300525e2dbd6db89da1f1c43cc55553982f3edc5501261e461aa9e8063418c1760f070366d1dddec4e6dc159a6d87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
85502ce8813f7174d5989a982a473094

SHA1
767982aed807f5f28ad7037139db874adebae5ed

SHA256
df0b71db6a6f78fcea4a935928560506f0c099e75aba717fd04cc9226d720ec6

SHA512
224ba8f3fc1d9a04bceb006af989f2838f4253074ba58b9082c7761daa1067e9d742ae51212d9116c89bda346538e8806790121deacf67a1c7b4a81bc95e6f9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
293a5e452e148112857e22e746feff34

SHA1
7a5018bf98a3e38970809531288a7e3efb979532

SHA256
05e48657fb5340817f522c955b379cfb639977480af3ab1414682e9bf6616551

SHA512
7332f2b22f4ab64bb67c1a493f7cf2b378e311d5be6c6c99339210d4e9022c17f01a698333cd679a0776cca23460e28ec88c2ccfcf50c732ee218ef25ab19049

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES460.tmp

Filesize
1KB

MD5
d5e1713b21e9fc37c531178f2f15c2ce

SHA1
b63116cfcb57b92dd707d6cea0b8a63d22543019

SHA256
fbb1a873d289fad7318c2968d38ce9a045ac3880610c4914591481918af5e6c6

SHA512
7422a1589db44815709720fb22dc84562ac06910bc3e56496e54968115dc2b074ba454f4dc253f537a60588fdfd7ea7f220a016596932ac7d2ff0244a19c1856

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES80A.tmp

Filesize
1KB

MD5
7306f0b5a2ea81af0b184f74a810bb75

SHA1
7c2cd74b64565eec471f945038f253f5a69d607f

SHA256
a564a30e5a0fc59bb9e1ddab82364bfeae5814255e091cc53f4c4ea16a1ffb08

SHA512
acdd442e6c710bc7dfb40ec9722b7dc63bed14b52f7167eded25440a6c395e3192f40678dea883a9a2057e3383c9d40343bd384caed9ce2d3c43ba5f155ab98a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b3xb5cmi.14c.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmDFbQQIZ6.bat

Filesize
230B

MD5
b1fec322a8259ea4a70e623f2f4f5191

SHA1
c21f6c8f2152429535d1bbc20dde5e0e2366becc

SHA256
c738d0ae9d6364774b8e76326ea1416e087de7475b6b2f6b7a2155b714cba504

SHA512
a639013ed1fc68325c19253ac751e8516b986e93a25a09cfdf886373a640e91a91afb16a58e5233dbc8db6c17a444db045434f8cebc7aaf59e57f03c19aa96de

Download Submit
\??\c:\Program Files (x86)\Microsoft\Edge\Application\CSC28667D592A054CAB95A6A8605178985C.TMP

Filesize
1KB

MD5
b5189fb271be514bec128e0d0809c04e

SHA1
5dd625d27ed30fca234ec097ad66f6c13a7edcbe

SHA256
e1984ba1e3ff8b071f7a320a6f1f18e1d5f4f337d31dc30d5bdfb021df39060f

SHA512
f0fcb8f97279579beb59f58ea89527ee0d86a64c9de28300f14460bec6c32dda72f0e6466573b6654a1e992421d6fe81ae7cce50f27059f54cf9fdca6953602e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\czv4yvkh\czv4yvkh.0.cs

Filesize
364B

MD5
46f192a29fdc7e0c8415f3a3102dcce3

SHA1
de061e12b5a28225b609f9a9727a68d50b61ccbe

SHA256
9d96f00aad2b2aa6d6bf34283076520bb0ebd89167aea02dd11da7a264bcea89

SHA512
58b74b1f19acd899b2639d93c665b3894b9c4e820d10759968dda7fef161955d9889621050e2d228cddff74070d9984460431b0564a4a7a2ece6200578c97da6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\czv4yvkh\czv4yvkh.cmdline

Filesize
235B

MD5
05a219bfc9c35f0a6056549a2a02fd57

SHA1
5a3144d4d022048a39948a3a98bce1f49b3ad947

SHA256
4565687fdb5323b6254c13936918490267c6dc96ee508c4468ae71853dfaa038

SHA512
750e7cdbed90e9b578b0bf422c9cc0e864528d398b4fbea641e1e85031e4685ff928381cb656d416f646fe217cbbb949b69f70a0ec4306a997e8a62eba0ac092

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dzkfqrrj\dzkfqrrj.0.cs

Filesize
394B

MD5
fe67d87c95ccb9afd0640aeabb4bc6fe

SHA1
4073a215c74748778bbe22bd54e3deb2c0387c6d

SHA256
7b5878332ad2feb1321841cfacc09b631dcbb15fbde894f7d674b2e440b7f3ed

SHA512
35dcf55da34690a7696485607beb07ab7f31fb203c1ab57c401697706bbe7b55a9250d21ca5e85f14c22f4e4c95d9c2d930662c31163b490afd350ac0c3ab7ee

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dzkfqrrj\dzkfqrrj.cmdline

Filesize
265B

MD5
97402ed6270ba261838f351dba183971

SHA1
6955124ad03a9b0c7d24d8f339454798ee1f6eee

SHA256
c3da8fae61d044eed0542dce42be69a678a0c9e132a07a2d53919dd10909d1cc

SHA512
9de7f67f0a420da6f5e83ce1b70c9aba9352b3ad6c1103795160b5c1e892fc294ff6dfb8dce3a3ead6c7adf607613ad70fd9e841068e7d74076bdb2fadd1e44e

Download Submit
\??\c:\Windows\System32\CSC815DFC59BD1C40B38645E35E3AB7544F.TMP

Filesize
1KB

MD5
188249e3f31caa0264351fc374794895

SHA1
323a707d1a37ac8cbae6d6e502cc850f69ae2e15

SHA256
1bf68148c555d0e84720c497dcf3ad708da300ee7472df12c9307a3acd4abde1

SHA512
28a0d97e83b6b6d10c0114166e8f23845663a34c8f262aa5a31ffb885abe232badb6f95bba99b8688559cac81f8ff93c3609ac363d8903d35f535d7c5e1e02d5

Download Submit
memory/748-272-0x0000028ABEBB0000-0x0000028ABED1A000-memory.dmp

Filesize
1.4MB

Download
memory/1248-238-0x000001EEFBB60000-0x000001EEFBCCA000-memory.dmp

Filesize
1.4MB

Download
memory/1920-271-0x0000017ADCD20000-0x0000017ADCE8A000-memory.dmp

Filesize
1.4MB

Download
memory/1928-283-0x0000014D6F030000-0x0000014D6F19A000-memory.dmp

Filesize
1.4MB

Download
memory/1988-240-0x000002CCC74F0000-0x000002CCC765A000-memory.dmp

Filesize
1.4MB

Download
memory/2164-274-0x000002A2EDF50000-0x000002A2EE0BA000-memory.dmp

Filesize
1.4MB

Download
memory/2288-246-0x0000023640620000-0x000002364078A000-memory.dmp

Filesize
1.4MB

Download
memory/2460-251-0x0000019ED4A20000-0x0000019ED4B8A000-memory.dmp

Filesize
1.4MB

Download
memory/2488-259-0x00000201F2E50000-0x00000201F2FBA000-memory.dmp

Filesize
1.4MB

Download
memory/2604-261-0x0000026862440000-0x00000268625AA000-memory.dmp

Filesize
1.4MB

Download
memory/2644-245-0x0000024731DE0000-0x0000024731F4A000-memory.dmp

Filesize
1.4MB

Download
memory/3308-280-0x000001E9C26F0000-0x000001E9C285A000-memory.dmp

Filesize
1.4MB

Download
memory/3628-277-0x000001C6B4130000-0x000001C6B429A000-memory.dmp

Filesize
1.4MB

Download
memory/3972-256-0x0000025F56FF0000-0x0000025F5715A000-memory.dmp

Filesize
1.4MB

Download
memory/4212-260-0x0000026C46260000-0x0000026C463CA000-memory.dmp

Filesize
1.4MB

Download
memory/4820-76-0x0000014E9D6F0000-0x0000014E9D712000-memory.dmp

Filesize
136KB

Download
memory/4820-239-0x0000014E9D8B0000-0x0000014E9DA1A000-memory.dmp

Filesize
1.4MB

Download
memory/4948-12-0x000000001B680000-0x000000001B69C000-memory.dmp

Filesize
112KB

Download
memory/4948-1-0x0000000000860000-0x0000000000A4A000-memory.dmp

Filesize
1.9MB

Download
memory/4948-13-0x000000001BA30000-0x000000001BA80000-memory.dmp

Filesize
320KB

Download
memory/4948-35-0x00007FF9EA910000-0x00007FF9EB3D1000-memory.dmp

Filesize
10.8MB

Download
memory/4948-23-0x00007FF9EA910000-0x00007FF9EB3D1000-memory.dmp

Filesize
10.8MB

Download
memory/4948-22-0x00007FF9EA910000-0x00007FF9EB3D1000-memory.dmp

Filesize
10.8MB

Download
memory/4948-21-0x000000001B6C0000-0x000000001B6CC000-memory.dmp

Filesize
48KB

Download
memory/4948-19-0x0000000002B90000-0x0000000002B98000-memory.dmp

Filesize
32KB

Download
memory/4948-17-0x0000000002B80000-0x0000000002B8E000-memory.dmp

Filesize
56KB

Download
memory/4948-10-0x00007FF9EA910000-0x00007FF9EB3D1000-memory.dmp

Filesize
10.8MB

Download
memory/4948-36-0x00007FF9EA910000-0x00007FF9EB3D1000-memory.dmp

Filesize
10.8MB

Download
memory/4948-66-0x00007FF9EA910000-0x00007FF9EB3D1000-memory.dmp

Filesize
10.8MB

Download
memory/4948-15-0x000000001B6A0000-0x000000001B6B8000-memory.dmp

Filesize
96KB

Download
memory/4948-9-0x00007FF9EA910000-0x00007FF9EB3D1000-memory.dmp

Filesize
10.8MB

Download
memory/4948-0-0x00007FF9EA913000-0x00007FF9EA915000-memory.dmp

Filesize
8KB

Download
memory/4948-8-0x00007FF9EA910000-0x00007FF9EB3D1000-memory.dmp

Filesize
10.8MB

Download
memory/4948-2-0x00007FF9EA910000-0x00007FF9EB3D1000-memory.dmp

Filesize
10.8MB

Download
memory/4948-7-0x0000000002B70000-0x0000000002B7E000-memory.dmp

Filesize
56KB

Download
memory/4948-5-0x00007FF9EA910000-0x00007FF9EB3D1000-memory.dmp

Filesize
10.8MB

Download
memory/4948-4-0x00007FF9EA910000-0x00007FF9EB3D1000-memory.dmp

Filesize
10.8MB

Download
memory/4948-3-0x00007FF9EA910000-0x00007FF9EB3D1000-memory.dmp

Filesize
10.8MB

Download
memory/4964-273-0x000001E4FFAE0000-0x000001E4FFC4A000-memory.dmp

Filesize
1.4MB

Download
memory/5068-266-0x00000232E1760000-0x00000232E18CA000-memory.dmp

Filesize
1.4MB

Download