xmrig | fbfa20ca6337fbe8f71ebab5e3328af667b9e9f4ad56ec7669e502f19e4f6905

Resubmissions

14-05-2024 11:56

240514-n323naef94 3

14-05-2024 11:35

240514-nqfc5adg51 10

Analysis

max time kernel
146s
max time network
146s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
14-05-2024 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

353KB
MD5

da4a981460566d93b7c25f1527c5d321
SHA1

ad0dc4e6192057d2f80b080741cdfea83c399a0b
SHA256

fbfa20ca6337fbe8f71ebab5e3328af667b9e9f4ad56ec7669e502f19e4f6905
SHA512

06d57ca29fb36c3c17f275485a69e58d3bb51a543f7dc96945122ad2108967a7995373ead8ce86eb9efc8131e1ae41dd2ac62cd02acb1933eac494e1ba1c6c93
SSDEEP

6144:ujwCtJxxb+fFgfWNIQudUChHCDomqrnBTcqRVhh69NhSzN+9Im:ujwC/xxpONIFFHCDVqpcqpc9zZO

Score

10^/10

xmrig zgrat evasion execution miner persistence rat spyware stealer upx

Malware Config

Signatures

Detect ZGRat V1 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Checker.exe	family_zgrat_v1
C:\blockcontainerWincrtdll\Sessionperf.exe	family_zgrat_v1
behavioral2/memory/2332-32-0x00000000012C0000-0x0000000001662000-memory.dmp	family_zgrat_v1
behavioral2/memory/2264-136-0x0000000001200000-0x00000000015A2000-memory.dmp	family_zgrat_v1

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Sessionperf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\csrss.exe\", \"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\Sessionperf.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\csrss.exe\", \"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\Sessionperf.exe\", \"C:\\MSOCache\\All Users\\sppsvc.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\csrss.exe\", \"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Idle.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\Sessionperf.exe\", \"C:\\MSOCache\\All Users\\sppsvc.exe\", \"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\winlogon.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\csrss.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\csrss.exe\", \"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Idle.exe\""	Sessionperf.exe

Process spawned unexpected child process 13 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2148	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2148	schtasks.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2996-192-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2996-195-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2996-194-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2996-196-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2996-193-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2996-190-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2996-189-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2996-197-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/2996-198-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

2876 powershell.exe
836 powershell.exe
1188 powershell.exe
2280 powershell.exe
1868 powershell.exe
1864 powershell.exe
2328 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 6 IoCs

Processes:

Checker.exeUtility.exeSessionperf.exesppsvc.exelhhsgwktkatl.exe

pid process

3040 Checker.exe
2580 Utility.exe
2332 Sessionperf.exe
2264 sppsvc.exe
484
2672 lhhsgwktkatl.exe
Loads dropped DLL 5 IoCs

Processes:

Loader.execmd.exe

pid process

2836 Loader.exe
2836 Loader.exe
2500 cmd.exe
2500 cmd.exe
484
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2876	powershell.exe
836	powershell.exe
1188	powershell.exe
2280	powershell.exe
1868	powershell.exe
1864	powershell.exe
2328	powershell.exe

pid	process
3040	Checker.exe
2580	Utility.exe
2332	Sessionperf.exe
2264	sppsvc.exe
484
2672	lhhsgwktkatl.exe

pid	process
2836	Loader.exe
2836	Loader.exe
2500	cmd.exe
2500	cmd.exe
484

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2996-186-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2996-188-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2996-184-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2996-192-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2996-185-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2996-195-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2996-194-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2996-196-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2996-193-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2996-190-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2996-189-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2996-187-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2996-197-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/2996-198-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Sessionperf.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\winlogon.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\csrss.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Windows Photo Viewer\\ja-JP\\csrss.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sessionperf = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\Sessionperf.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\sppsvc.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\sppsvc.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\3e6c2342-cc12-11ee-878b-7662d560f583\\winlogon.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Idle.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Admin\\AppData\\LocalLow\\Sun\\Idle.exe\""	Sessionperf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sessionperf = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\Sessionperf.exe\""	Sessionperf.exe

Drops file in System32 directory 6 IoCs

Processes:

lhhsgwktkatl.execsc.exepowershell.exeUtility.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MRT.exe	lhhsgwktkatl.exe
File created	\??\c:\Windows\System32\CSC790CB13E2FDD44DCBBF44A39CFA75D73.TMP	csc.exe
File created	\??\c:\Windows\System32\oin92z.exe	csc.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Utility.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

lhhsgwktkatl.exe

description	pid	process	target process
PID 2672 set thread context of 2204	2672	lhhsgwktkatl.exe	conhost.exe
PID 2672 set thread context of 2996	2672	lhhsgwktkatl.exe	conhost.exe

Drops file in Program Files directory 3 IoCs

Processes:

Sessionperf.exe

description	ioc	process
File created	C:\Program Files\Windows Photo Viewer\ja-JP\csrss.exe	Sessionperf.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\csrss.exe	Sessionperf.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\886983d96e3d3e	Sessionperf.exe

Drops file in Windows directory 2 IoCs

Processes:

wusa.exewusa.exe

description ioc process

File created C:\Windows\wusa.lock wusa.exe
File created C:\Windows\wusa.lock wusa.exe
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

2684 sc.exe
1568 sc.exe
1716 sc.exe
1752 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

pid	process
2684	sc.exe
1568	sc.exe
1716	sc.exe
1752	sc.exe

Creates scheduled task(s) 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
908	schtasks.exe
2012	schtasks.exe
576	schtasks.exe
2504	schtasks.exe
2044	schtasks.exe
528	schtasks.exe
2312	schtasks.exe
536	schtasks.exe
2892	schtasks.exe
3024	schtasks.exe
1508	schtasks.exe
1264	schtasks.exe
1804	schtasks.exe
1732	schtasks.exe
2300	schtasks.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = d0d10df4f2a5da01	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2380 reg.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

sppsvc.exe

pid process

2264 sppsvc.exe

pid	process
2380	reg.exe

pid	process
2264	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Sessionperf.exe

pid	process
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe
2332	Sessionperf.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

sppsvc.exe

pid process

2264 sppsvc.exe

pid	process
2264	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

Loader.exeSessionperf.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesppsvc.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.execonhost.exe

description	pid	process
Token: SeDebugPrivilege	2836	Loader.exe
Token: SeDebugPrivilege	2332	Sessionperf.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	1188	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	2264	sppsvc.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeShutdownPrivilege	2668	powercfg.exe
Token: SeShutdownPrivilege	2704	powercfg.exe
Token: SeShutdownPrivilege	2632	powercfg.exe
Token: SeShutdownPrivilege	2708	powercfg.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeShutdownPrivilege	2212	powercfg.exe
Token: SeShutdownPrivilege	1740	powercfg.exe
Token: SeShutdownPrivilege	1260	powercfg.exe
Token: SeShutdownPrivilege	3000	powercfg.exe
Token: SeLockMemoryPrivilege	2996	conhost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

sppsvc.exe

pid process

2264 sppsvc.exe

pid	process
2264	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Loader.exeChecker.exeWScript.execmd.exeSessionperf.execsc.execmd.execmd.exelhhsgwktkatl.exe

description	pid	process	target process
PID 2836 wrote to memory of 3040	2836	Loader.exe	Checker.exe
PID 2836 wrote to memory of 3040	2836	Loader.exe	Checker.exe
PID 2836 wrote to memory of 3040	2836	Loader.exe	Checker.exe
PID 2836 wrote to memory of 3040	2836	Loader.exe	Checker.exe
PID 3040 wrote to memory of 2596	3040	Checker.exe	WScript.exe
PID 3040 wrote to memory of 2596	3040	Checker.exe	WScript.exe
PID 3040 wrote to memory of 2596	3040	Checker.exe	WScript.exe
PID 3040 wrote to memory of 2596	3040	Checker.exe	WScript.exe
PID 2836 wrote to memory of 2580	2836	Loader.exe	Utility.exe
PID 2836 wrote to memory of 2580	2836	Loader.exe	Utility.exe
PID 2836 wrote to memory of 2580	2836	Loader.exe	Utility.exe
PID 2596 wrote to memory of 2500	2596	WScript.exe	cmd.exe
PID 2596 wrote to memory of 2500	2596	WScript.exe	cmd.exe
PID 2596 wrote to memory of 2500	2596	WScript.exe	cmd.exe
PID 2596 wrote to memory of 2500	2596	WScript.exe	cmd.exe
PID 2500 wrote to memory of 2380	2500	cmd.exe	reg.exe
PID 2500 wrote to memory of 2380	2500	cmd.exe	reg.exe
PID 2500 wrote to memory of 2380	2500	cmd.exe	reg.exe
PID 2500 wrote to memory of 2380	2500	cmd.exe	reg.exe
PID 2500 wrote to memory of 2332	2500	cmd.exe	Sessionperf.exe
PID 2500 wrote to memory of 2332	2500	cmd.exe	Sessionperf.exe
PID 2500 wrote to memory of 2332	2500	cmd.exe	Sessionperf.exe
PID 2500 wrote to memory of 2332	2500	cmd.exe	Sessionperf.exe
PID 2332 wrote to memory of 2612	2332	Sessionperf.exe	csc.exe
PID 2332 wrote to memory of 2612	2332	Sessionperf.exe	csc.exe
PID 2332 wrote to memory of 2612	2332	Sessionperf.exe	csc.exe
PID 2612 wrote to memory of 1452	2612	csc.exe	cvtres.exe
PID 2612 wrote to memory of 1452	2612	csc.exe	cvtres.exe
PID 2612 wrote to memory of 1452	2612	csc.exe	cvtres.exe
PID 2332 wrote to memory of 1864	2332	Sessionperf.exe	powershell.exe
PID 2332 wrote to memory of 1864	2332	Sessionperf.exe	powershell.exe
PID 2332 wrote to memory of 1864	2332	Sessionperf.exe	powershell.exe
PID 2332 wrote to memory of 836	2332	Sessionperf.exe	powershell.exe
PID 2332 wrote to memory of 836	2332	Sessionperf.exe	powershell.exe
PID 2332 wrote to memory of 836	2332	Sessionperf.exe	powershell.exe
PID 2332 wrote to memory of 1868	2332	Sessionperf.exe	powershell.exe
PID 2332 wrote to memory of 1868	2332	Sessionperf.exe	powershell.exe
PID 2332 wrote to memory of 1868	2332	Sessionperf.exe	powershell.exe
PID 2332 wrote to memory of 2280	2332	Sessionperf.exe	powershell.exe
PID 2332 wrote to memory of 2280	2332	Sessionperf.exe	powershell.exe
PID 2332 wrote to memory of 2280	2332	Sessionperf.exe	powershell.exe
PID 2332 wrote to memory of 1188	2332	Sessionperf.exe	powershell.exe
PID 2332 wrote to memory of 1188	2332	Sessionperf.exe	powershell.exe
PID 2332 wrote to memory of 1188	2332	Sessionperf.exe	powershell.exe
PID 2332 wrote to memory of 1544	2332	Sessionperf.exe	cmd.exe
PID 2332 wrote to memory of 1544	2332	Sessionperf.exe	cmd.exe
PID 2332 wrote to memory of 1544	2332	Sessionperf.exe	cmd.exe
PID 1544 wrote to memory of 1952	1544	cmd.exe	chcp.com
PID 1544 wrote to memory of 1952	1544	cmd.exe	chcp.com
PID 1544 wrote to memory of 1952	1544	cmd.exe	chcp.com
PID 1544 wrote to memory of 2788	1544	cmd.exe	w32tm.exe
PID 1544 wrote to memory of 2788	1544	cmd.exe	w32tm.exe
PID 1544 wrote to memory of 2788	1544	cmd.exe	w32tm.exe
PID 1544 wrote to memory of 2264	1544	cmd.exe	sppsvc.exe
PID 1544 wrote to memory of 2264	1544	cmd.exe	sppsvc.exe
PID 1544 wrote to memory of 2264	1544	cmd.exe	sppsvc.exe
PID 1544 wrote to memory of 2264	1544	cmd.exe	sppsvc.exe
PID 1544 wrote to memory of 2264	1544	cmd.exe	sppsvc.exe
PID 2660 wrote to memory of 2880	2660	cmd.exe	wusa.exe
PID 2660 wrote to memory of 2880	2660	cmd.exe	wusa.exe
PID 2660 wrote to memory of 2880	2660	cmd.exe	wusa.exe
PID 2672 wrote to memory of 2204	2672	lhhsgwktkatl.exe	conhost.exe
PID 2672 wrote to memory of 2204	2672	lhhsgwktkatl.exe	conhost.exe
PID 2672 wrote to memory of 2204	2672	lhhsgwktkatl.exe	conhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2836

C:\Users\Admin\AppData\Local\Temp\Checker.exe
"C:\Users\Admin\AppData\Local\Temp\Checker.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3040

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\blockcontainerWincrtdll\SFUqxLlNpV20NJ9uCnUYCbrkrl1WOe98n.vbe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2596

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\blockcontainerWincrtdll\TudTneFnbF0PE5UTQ8BUoLqStO6.bat" "
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
5⤵
- Modifies registry key
PID:2380

C:\blockcontainerWincrtdll\Sessionperf.exe
"C:\blockcontainerWincrtdll/Sessionperf.exe"
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2332

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zsdpzco1\zsdpzco1.cmdline"
6⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3F90.tmp" "c:\Windows\System32\CSC790CB13E2FDD44DCBBF44A39CFA75D73.TMP"
7⤵
PID:1452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\ja-JP\csrss.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\LocalLow\Sun\Idle.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Sessionperf.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\sppsvc.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\winlogon.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1188

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2I5Rqlqdos.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\system32\chcp.com
chcp 65001
7⤵
PID:1952

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:2788

C:\MSOCache\All Users\sppsvc.exe
"C:\MSOCache\All Users\sppsvc.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2264

C:\Users\Admin\AppData\Local\Temp\Utility.exe
"C:\Users\Admin\AppData\Local\Temp\Utility.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2580

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
3⤵
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
4⤵
- Drops file in Windows directory
PID:2880

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2704

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "QHRAJGDI"
3⤵
- Launches sc.exe
PID:2684

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "QHRAJGDI" binpath= "C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe" start= "auto"
3⤵
- Launches sc.exe
PID:1568

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:1716

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "QHRAJGDI"
3⤵
- Launches sc.exe
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\csrss.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\LocalLow\Sun\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\AppData\LocalLow\Sun\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\LocalLow\Sun\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SessionperfS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Sessionperf.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Sessionperf" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Sessionperf.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SessionperfS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Sessionperf.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2312

C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe
C:\ProgramData\nalfdgwigwyg\lhhsgwktkatl.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2672

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
PID:1712

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
- Drops file in Windows directory
PID:1628

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:2204

C:\Windows\system32\conhost.exe
conhost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2996

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2I5Rqlqdos.bat
Filesize
208B

MD5
6275c3c3b7e84e0b6705168f3087ecc4

SHA1
b786ae47a8c492b80c9545520090464b6ca1fec3

SHA256
32533ed0f9fe1e44814c958f068998744d0a459ba0ace8dbff2f5e3038173dd2

SHA512
dc3d3ed71671befff05c026f7b45f2f86b1700a09478901bff0cbe9f05552d57bb05b377c26238fed15477ac2446ee249e0823356c5e29246c8b8dfc89d1b93f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Checker.exe
Filesize
3.9MB

MD5
1003b37d9d942d41a38a83670eaa285c

SHA1
a4ee7ef69fc681caf1116d59578667abb9080ad6

SHA256
d822b616ee7e10b00fead9be9eb0cf9780fdb0b3fec3001ff31c9ce0cb7255ae

SHA512
0c6f4e063cc22ee3c076c95bf5ea1cb593e5b6f40e4f2b8d3723a5c18c14eeecf568dad2a16599967c56588f4918cecd996e475fd20615b07c99de4800309f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3F90.tmp
Filesize
1KB

MD5
5341dd35e10a3bea45a5c99015077030

SHA1
232cdacbd3d201f1b204b0e960d3968142128902

SHA256
0b573525f38fc343f6f5df6d7df7415362380d62fb48158e6b1b71290ce16fcd

SHA512
d47a13fc05edf14aad5719c09080a26633270d80973b4137aad3c8a9d00690072bdbf0f2fc103cd9b2f78b8444e6b4a8d189f33baab0255b10b8da29cbb63226

Download Submit
C:\Users\Admin\AppData\Local\Temp\Utility.exe
Filesize
5.0MB

MD5
b1ac2ea973651a70ea72597e13a10f0a

SHA1
07e7cdedc54067a46b1d42cdf8a2c9050c3d3419

SHA256
e2cb500c902da55ac07cbfbe30b8d1cef8781e55f0439ed601672636c3ab8c47

SHA512
02b0dbc8a31ca440027a6c07d618a92bb520567ccd338c28dfcb86faa5b56c866564cf1a05b1754dcfeb252d12d76da57fd2de87804454f0ef1097431764c1f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
047a318715969a67640389a2ac4865b3

SHA1
e943f2991c9a354d206f79969edaf671e936480b

SHA256
bcacc19efd87a3c914f3fb3ed3b3960e2025911f8f65f68fd0427862366d93e4

SHA512
d8f0bfa9a43167edec6d86be839b9a100242331dd0ca0836cf2144762cb6d324ba554bbd6004072a9727df5cd8d0607fdf47f097f8ded5526117ca4271339a9d

Download Submit
C:\blockcontainerWincrtdll\SFUqxLlNpV20NJ9uCnUYCbrkrl1WOe98n.vbe
Filesize
228B

MD5
4f702b152f4098393712e3fe99b04fbd

SHA1
fec2f913e1fac5053127e175f1ba048c9d8dd25c

SHA256
f0e2bfb22d22aed8ac10eff5a010fad081a5798706b3a6fd7764798cab716eb2

SHA512
7c0844d6591b694d77ecf3d070eb3f70fd99427e41d62167aa58c98c1966a8065d90beb82ab0aa0a42bb80edb3c205dd07bb1d4fc03d989a0cb4df8993635fbf

Download Submit
C:\blockcontainerWincrtdll\Sessionperf.exe
Filesize
3.6MB

MD5
bf0f63bb48eb95aaec6fc6a001c974ce

SHA1
19baab2b0c129ecbd6a1aa21bada3e2e5cdd1136

SHA256
bbb080aed81b8f4d0f5d590c7cb0e56e68da5a27d32d964c32e50e1cb2015edc

SHA512
130f08a7c4901ef47e7d21effe83c19fa442f2ade97967c11e646f949a9e8c2c46e8272a31a5b75f6c279009530cd101a562f1ab31a28fe410273cd69bf6c28c

Download Submit
C:\blockcontainerWincrtdll\TudTneFnbF0PE5UTQ8BUoLqStO6.bat
Filesize
201B

MD5
159297f9e35114bf97d74622097780d8

SHA1
2aaaf993b9ecb9bae43ccd41585734512ff08355

SHA256
650c37c1afde471e40f77d7aec8603382214e9ec318b7f08ab7653f9c4e87f81

SHA512
a82faa2f64caf669d44eac03705e34bea213c9a74ed73950bd8d2158d1c256ca290b7ffece866c3a03c36a091be70d92157353782061e184e5d44ac937949f69

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zsdpzco1\zsdpzco1.0.cs
Filesize
385B

MD5
08fc57d31514ba3975b30cf2a60d16c3

SHA1
44d1fc6cbf6654345c254ad3c96651c85bf03923

SHA256
582fa4802e33141ae82d9831e2059c4c6d2a30e767a341dbbbdfccd204240db0

SHA512
dbb90ee79fa5a69d23d2e627baddbcbb2e44cac066d1b0f3f3e95b2a1dcf8e8bf5667c9a5642ee3790fe46c338d397b6112ac34baa6f8fa250da37ce6c411fce

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zsdpzco1\zsdpzco1.cmdline
Filesize
235B

MD5
51e10e4d0b59484b543ac7cb72531d5c

SHA1
d0c488be9ea22099eb249b8720a0acd30d4200e1

SHA256
7f6a9340b014d6da83c7a835070dbacad3757461fc2f5db97b7cb6ebe50caa3d

SHA512
4d3e61e1cd97b3d07b48adb5ac6018aee02ea067e4ddb8358ff4989a154affa0e063acc4627bb27720fe00bfc16e5bb07a424056238e79abf49b6e22cd4cac11

Download Submit
\??\c:\Windows\System32\CSC790CB13E2FDD44DCBBF44A39CFA75D73.TMP
Filesize
1KB

MD5
1c0f7844f7e250162f11df610012cc1f

SHA1
2ee0b2ac51be783b0d196868edc6a1fe7a0af068

SHA256
988d255e5988f6b4de58f1eb852279c5974974d18d47af4dccb89cacff4cc020

SHA512
3b323f3a51f44e5dc73f7f54cecb39de91fdb6ea64965fb2e84764297e2856e86c9751c71bb5d549f322547c9b383a13f16775d32e8c9333a66a11739d5e3f6d

Download Submit
memory/836-110-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/836-112-0x00000000023A0000-0x00000000023A8000-memory.dmp

Filesize
32KB

Download
memory/2204-182-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2204-179-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2204-178-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2204-177-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2204-176-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2204-175-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2264-136-0x0000000001200000-0x00000000015A2000-memory.dmp

Filesize
3.6MB

Download
memory/2328-167-0x000000001B300000-0x000000001B5E2000-memory.dmp

Filesize
2.9MB

Download
memory/2328-168-0x00000000026E0000-0x00000000026E8000-memory.dmp

Filesize
32KB

Download
memory/2332-48-0x0000000000AD0000-0x0000000000ADE000-memory.dmp

Filesize
56KB

Download
memory/2332-36-0x0000000000590000-0x000000000059E000-memory.dmp

Filesize
56KB

Download
memory/2332-62-0x0000000000BB0000-0x0000000000BBE000-memory.dmp

Filesize
56KB

Download
memory/2332-66-0x0000000000BF0000-0x0000000000C00000-memory.dmp

Filesize
64KB

Download
memory/2332-68-0x000000001B770000-0x000000001B7CA000-memory.dmp

Filesize
360KB

Download
memory/2332-64-0x0000000000BE0000-0x0000000000BF0000-memory.dmp

Filesize
64KB

Download
memory/2332-70-0x00000000012B0000-0x00000000012BE000-memory.dmp

Filesize
56KB

Download
memory/2332-72-0x000000001AA90000-0x000000001AAA0000-memory.dmp

Filesize
64KB

Download
memory/2332-74-0x000000001AAA0000-0x000000001AAAE000-memory.dmp

Filesize
56KB

Download
memory/2332-76-0x000000001AAD0000-0x000000001AAE8000-memory.dmp

Filesize
96KB

Download
memory/2332-80-0x000000001BB60000-0x000000001BBAE000-memory.dmp

Filesize
312KB

Download
memory/2332-78-0x000000001AAB0000-0x000000001AABC000-memory.dmp

Filesize
48KB

Download
memory/2332-58-0x0000000001190000-0x00000000011A6000-memory.dmp

Filesize
88KB

Download
memory/2332-60-0x000000001AA70000-0x000000001AA82000-memory.dmp

Filesize
72KB

Download
memory/2332-56-0x0000000000BA0000-0x0000000000BB0000-memory.dmp

Filesize
64KB

Download
memory/2332-44-0x00000000005B0000-0x00000000005C0000-memory.dmp

Filesize
64KB

Download
memory/2332-52-0x0000000000BC0000-0x0000000000BD2000-memory.dmp

Filesize
72KB

Download
memory/2332-50-0x0000000000B60000-0x0000000000B6E000-memory.dmp

Filesize
56KB

Download
memory/2332-32-0x00000000012C0000-0x0000000001662000-memory.dmp

Filesize
3.6MB

Download
memory/2332-46-0x0000000000820000-0x0000000000830000-memory.dmp

Filesize
64KB

Download
memory/2332-40-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/2332-42-0x0000000000B80000-0x0000000000B98000-memory.dmp

Filesize
96KB

Download
memory/2332-38-0x0000000000800000-0x000000000081C000-memory.dmp

Filesize
112KB

Download
memory/2332-54-0x0000000000B70000-0x0000000000B7C000-memory.dmp

Filesize
48KB

Download
memory/2332-34-0x00000000007D0000-0x00000000007F6000-memory.dmp

Filesize
152KB

Download
memory/2836-0-0x000007FEF5F43000-0x000007FEF5F44000-memory.dmp

Filesize
4KB

Download
memory/2836-26-0x000007FEF5F40000-0x000007FEF692C000-memory.dmp

Filesize
9.9MB

Download
memory/2836-3-0x000007FEF5F40000-0x000007FEF692C000-memory.dmp

Filesize
9.9MB

Download
memory/2836-2-0x000007FEF5F40000-0x000007FEF692C000-memory.dmp

Filesize
9.9MB

Download
memory/2836-1-0x00000000002E0000-0x000000000033E000-memory.dmp

Filesize
376KB

Download
memory/2876-174-0x0000000000950000-0x0000000000958000-memory.dmp

Filesize
32KB

Download
memory/2996-185-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2996-194-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2996-184-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2996-192-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2996-186-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2996-191-0x00000000000F0000-0x0000000000110000-memory.dmp

Filesize
128KB

Download
memory/2996-195-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2996-188-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2996-196-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2996-193-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2996-190-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2996-189-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2996-187-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2996-197-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2996-198-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download