zgrat | d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a

Analysis

max time kernel
132s
max time network
146s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
10-05-2024 01:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
Size

1.9MB
MD5

1d61e62339d38ca2a129710265c26a89
SHA1

185c34e0d555ac3fdf7fefd1732409e65b6aedaf
SHA256

d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a
SHA512

0b8a081cadf7f8edb64ef2293a0f6df02526904082ae282888dbec5497874ed1e4435f8e61751720345d155a452ba0d55fdd3b1dac66ed8e6e6887e2e6a62f9b
SSDEEP

49152:RSRQ8nF3T6S2cvvSiHWxuvF3VPL5/zKAG:RS+AlTK/G9VPBe

Score

10^/10

zgrat execution persistence rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral1/memory/1968-1-0x0000000000060000-0x0000000000246000-memory.dmp	family_zgrat_v1
behavioral1/files/0x0006000000016d79-30.dat	family_zgrat_v1
behavioral1/memory/1940-140-0x0000000001210000-0x00000000013F6000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Windows\\PolicyDefinitions\\es-ES\\services.exe\""	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Windows\\PolicyDefinitions\\es-ES\\services.exe\", \"C:\\Users\\Default User\\csrss.exe\""	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Windows\\PolicyDefinitions\\es-ES\\services.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\wininit.exe\""	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Windows\\PolicyDefinitions\\es-ES\\services.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\wininit.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe\""	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\audiodg.exe\""	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\""	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2504	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2504	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2504	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2504	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2504	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2504	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2504	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2504	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2504	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2504	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	2504	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2504	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2504	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	236	2504	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	2504	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	2504	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2504	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2504	schtasks.exe	28

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detects executables packed with unregistered version of .NET Reactor 3 IoCs

resource	yara_rule
behavioral1/memory/1968-1-0x0000000000060000-0x0000000000246000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/files/0x0006000000016d79-30.dat	INDICATOR_EXE_Packed_DotNetReactor
behavioral1/memory/1940-140-0x0000000001210000-0x00000000013F6000-memory.dmp	INDICATOR_EXE_Packed_DotNetReactor

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
536	powershell.exe
2888	powershell.exe
548	powershell.exe
2240	powershell.exe
1848	powershell.exe
2572	powershell.exe
2416	powershell.exe
1164	powershell.exe
576	powershell.exe
1328	powershell.exe
696	powershell.exe
2260	powershell.exe
2224	powershell.exe
2228	powershell.exe
680	powershell.exe
2232	powershell.exe
2448	powershell.exe
2812	powershell.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\audiodg.exe\""	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\""	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\""	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\PolicyDefinitions\\es-ES\\services.exe\""	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\""	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\""	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\wininit.exe\""	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe\""	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\audiodg.exe\""	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\PolicyDefinitions\\es-ES\\services.exe\""	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\07daf2c2-fe8f-11ee-804d-f636db4e28e7\\wininit.exe\""	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe\""	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC3A4523CDDC6E49DAB5EE2AF83EAF99D5.TMP	csc.exe
File created	\??\c:\Windows\System32\wx6deg.exe	csc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\diagnostics\index\dllhost.exe	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
File created	C:\Windows\PolicyDefinitions\es-ES\services.exe	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
File created	C:\Windows\PolicyDefinitions\es-ES\c5b4cb5e9653cc	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2720	schtasks.exe
1808	schtasks.exe
1528	schtasks.exe
2532	schtasks.exe
2776	schtasks.exe
1260	schtasks.exe
3028	schtasks.exe
2736	schtasks.exe
2512	schtasks.exe
236	schtasks.exe
1384	schtasks.exe
2784	schtasks.exe
2384	schtasks.exe
2392	schtasks.exe
2280	schtasks.exe
352	schtasks.exe
872	schtasks.exe
2800	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1940	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeDebugPrivilege	696	powershell.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	680	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	1940	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 2548	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	32
PID 1968 wrote to memory of 2548	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	32
PID 1968 wrote to memory of 2548	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	32
PID 2548 wrote to memory of 2928	2548	csc.exe	34
PID 2548 wrote to memory of 2928	2548	csc.exe	34
PID 2548 wrote to memory of 2928	2548	csc.exe	34
PID 1968 wrote to memory of 2888	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	50
PID 1968 wrote to memory of 2888	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	50
PID 1968 wrote to memory of 2888	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	50
PID 1968 wrote to memory of 2812	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	51
PID 1968 wrote to memory of 2812	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	51
PID 1968 wrote to memory of 2812	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	51
PID 1968 wrote to memory of 2228	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	52
PID 1968 wrote to memory of 2228	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	52
PID 1968 wrote to memory of 2228	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	52
PID 1968 wrote to memory of 2416	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	54
PID 1968 wrote to memory of 2416	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	54
PID 1968 wrote to memory of 2416	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	54
PID 1968 wrote to memory of 2224	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	55
PID 1968 wrote to memory of 2224	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	55
PID 1968 wrote to memory of 2224	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	55
PID 1968 wrote to memory of 2572	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	57
PID 1968 wrote to memory of 2572	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	57
PID 1968 wrote to memory of 2572	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	57
PID 1968 wrote to memory of 2448	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	58
PID 1968 wrote to memory of 2448	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	58
PID 1968 wrote to memory of 2448	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	58
PID 1968 wrote to memory of 1848	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	60
PID 1968 wrote to memory of 1848	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	60
PID 1968 wrote to memory of 1848	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	60
PID 1968 wrote to memory of 2240	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	61
PID 1968 wrote to memory of 2240	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	61
PID 1968 wrote to memory of 2240	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	61
PID 1968 wrote to memory of 2232	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	62
PID 1968 wrote to memory of 2232	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	62
PID 1968 wrote to memory of 2232	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	62
PID 1968 wrote to memory of 2260	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	63
PID 1968 wrote to memory of 2260	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	63
PID 1968 wrote to memory of 2260	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	63
PID 1968 wrote to memory of 536	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	64
PID 1968 wrote to memory of 536	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	64
PID 1968 wrote to memory of 536	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	64
PID 1968 wrote to memory of 696	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	65
PID 1968 wrote to memory of 696	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	65
PID 1968 wrote to memory of 696	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	65
PID 1968 wrote to memory of 680	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	66
PID 1968 wrote to memory of 680	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	66
PID 1968 wrote to memory of 680	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	66
PID 1968 wrote to memory of 548	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	67
PID 1968 wrote to memory of 548	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	67
PID 1968 wrote to memory of 548	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	67
PID 1968 wrote to memory of 1164	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	69
PID 1968 wrote to memory of 1164	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	69
PID 1968 wrote to memory of 1164	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	69
PID 1968 wrote to memory of 1328	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	70
PID 1968 wrote to memory of 1328	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	70
PID 1968 wrote to memory of 1328	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	70
PID 1968 wrote to memory of 576	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	72
PID 1968 wrote to memory of 576	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	72
PID 1968 wrote to memory of 576	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	72
PID 1968 wrote to memory of 292	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	86
PID 1968 wrote to memory of 292	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	86
PID 1968 wrote to memory of 292	1968	d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe	86
PID 292 wrote to memory of 920	292	cmd.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
"C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lovz1ym0\lovz1ym0.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2DB5.tmp" "c:\Windows\System32\CSC3A4523CDDC6E49DAB5EE2AF83EAF99D5.TMP"
    3⤵
    PID:2928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\es-ES\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:576
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6087CiVe2e.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:292
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:920
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2404
- - C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe
    "C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\PolicyDefinitions\es-ES\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\PolicyDefinitions\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8ad" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8ad" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\audiodg.exe

Filesize
1.9MB

MD5
1d61e62339d38ca2a129710265c26a89

SHA1
185c34e0d555ac3fdf7fefd1732409e65b6aedaf

SHA256
d5d17c328fca15ef8495872ec20670848ce876673630d286a436a589dcc36f8a

SHA512
0b8a081cadf7f8edb64ef2293a0f6df02526904082ae282888dbec5497874ed1e4435f8e61751720345d155a452ba0d55fdd3b1dac66ed8e6e6887e2e6a62f9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6087CiVe2e.bat

Filesize
278B

MD5
780f3edf0735b39f85e4c2cebb41a12f

SHA1
bbcd6be7cb25d9cb2fcc57750b03e246789b213e

SHA256
0bb71d85e16e12e24a793e9b230f32d4d415252c5569d30f56872fc9642c2cc3

SHA512
5648b59ca1f608ca40121b68c49255c7024f1112821973eadaf8b41f67c53705ec902c91d5c15f9ddb477d684fd53a7c8f2490e79ed24917bde440b64e166f5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2DB5.tmp

Filesize
1KB

MD5
3011b701b071d6e55e66c0a14d13170f

SHA1
5635d8816a93e5b404855c0592ac193530c7d479

SHA256
f856283ab4a7353a6dd47462d814ff3af08ab0d4abea5bd0cda6cdf7ffc65e21

SHA512
0a29bc21044b0111dd8ffe3473a4b460d89f4219048abb496756af6428ce9c1f67c7f866b98b75b9fb03efacbd670159e811bc2c3442295f1cae4c5a21e168a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4bd9a11ed88104f5c55f667bfd122b93

SHA1
eb4ce7a5ab1528e04e7ec9c40ace49e39415a3a5

SHA256
5dc9b85711134004772a24afebc4728ee722b577367ba0f87d1764a2064cc4bd

SHA512
5b8b72c7287dd385d166634801d67ac913bc64af2f19eea296c44c84171b610771e34131c718f6ceca4e1c9fc4db76eda1f27d03095727c8bc31bb65f32d2abb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lovz1ym0\lovz1ym0.0.cs

Filesize
365B

MD5
4bbbe4dd903f37f03cf1186c498ca3b4

SHA1
a020ee897d99166a9736b99df4c2cc07999d37bf

SHA256
53827b7e9a61c2bddb9e129241affefcbada0f1be6b8e7ae105b8e72f664d38c

SHA512
3f694464e12476fb35c932409a71293bf31fdb84a3e0a1b1004e6dca98ca418eefd84d3876297cbec9ecc6debc9caa506e4ed6781b5a76ae55d88651150ff921

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lovz1ym0\lovz1ym0.cmdline

Filesize
235B

MD5
9f5062b187f5493fb5de800882b5706e

SHA1
9e57ddb7478d2bd05e0f1ee9687fe7b59a18b292

SHA256
245888bea3c6ecc480641ce13cf250f8d3636d402b309e15f1812614308fdda5

SHA512
231283394f284dd8c43e4f7903b5d7685702f9fee55889a5367813e154e1632965d70ac9f8affd9ad878b59883f8fb84ab6cd18fafbb734c4a369b3e7108e8db

Download Submit
\??\c:\Windows\System32\CSC3A4523CDDC6E49DAB5EE2AF83EAF99D5.TMP

Filesize
1KB

MD5
81f176b5da6f2f0e6b33c353995a2d09

SHA1
50fd7cc1c2c859d60f71fc36b122f70509f735e8

SHA256
003098fe5fd83cb4346dded8d55b9b673e4238d8dc810b59e22bc14eb7238478

SHA512
f40f10fe04872ed873774be305461262ce4e6416ca38561c4d74efd2a8a3ebbc58e9529de22e3fccd7413531f34fa56dc1cc2a7412b349fb7917d499d63835d8

Download Submit
memory/1940-140-0x0000000001210000-0x00000000013F6000-memory.dmp

Filesize
1.9MB

Download
memory/1968-9-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/1968-8-0x0000000002070000-0x000000000208C000-memory.dmp

Filesize
112KB

Download
memory/1968-16-0x0000000002050000-0x000000000205C000-memory.dmp

Filesize
48KB

Download
memory/1968-14-0x0000000001FC0000-0x0000000001FCE000-memory.dmp

Filesize
56KB

Download
memory/1968-20-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/1968-19-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/1968-12-0x0000000002110000-0x0000000002128000-memory.dmp

Filesize
96KB

Download
memory/1968-10-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/1968-17-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/1968-18-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/1968-0-0x000007FEF5B33000-0x000007FEF5B34000-memory.dmp

Filesize
4KB

Download
memory/1968-6-0x00000000004F0000-0x00000000004FE000-memory.dmp

Filesize
56KB

Download
memory/1968-4-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/1968-3-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/1968-1-0x0000000000060000-0x0000000000246000-memory.dmp

Filesize
1.9MB

Download
memory/1968-2-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/1968-108-0x000007FEF5B30000-0x000007FEF651C000-memory.dmp

Filesize
9.9MB

Download
memory/2812-63-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2888-69-0x00000000028A0000-0x00000000028A8000-memory.dmp

Filesize
32KB

Download