hxxps://cronusmax[.]com/files/ZenStudio_Setup_v1[.]5[.]0_Build_76[.]exe

Analysis

max time kernel
167s
max time network
169s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
14-07-2024 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cronusmax.com/files/ZenStudio_Setup_v1.5.0_Build_76.exe

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3184	ZenStudio_Setup_v1.5.0_Build_76.exe
1296	ZenStudio_Setup_v1.5.0_Build_76.exe
3032	ZenStudio.exe

Loads dropped DLL 11 IoCs

pid	Process
3184	ZenStudio_Setup_v1.5.0_Build_76.exe
3184	ZenStudio_Setup_v1.5.0_Build_76.exe
3184	ZenStudio_Setup_v1.5.0_Build_76.exe
3184	ZenStudio_Setup_v1.5.0_Build_76.exe
3184	ZenStudio_Setup_v1.5.0_Build_76.exe
1296	ZenStudio_Setup_v1.5.0_Build_76.exe
1296	ZenStudio_Setup_v1.5.0_Build_76.exe
1296	ZenStudio_Setup_v1.5.0_Build_76.exe
1296	ZenStudio_Setup_v1.5.0_Build_76.exe
1296	ZenStudio_Setup_v1.5.0_Build_76.exe
1296	ZenStudio_Setup_v1.5.0_Build_76.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ZenStudio\ZenStudio.exe	ZenStudio_Setup_v1.5.0_Build_76.exe
File opened for modification	C:\Program Files (x86)\ZenStudio\ZenStudio.exe	ZenStudio_Setup_v1.5.0_Build_76.exe
File created	C:\Program Files (x86)\ZenStudio\uninst.exe	ZenStudio_Setup_v1.5.0_Build_76.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2560	3184	WerFault.exe	93
3964	3184	WerFault.exe	93

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133654697072547976"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZenStudio\URL Protocol	ZenStudio_Setup_v1.5.0_Build_76.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZenStudio\shell	ZenStudio_Setup_v1.5.0_Build_76.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZenStudio\shell\open	ZenStudio_Setup_v1.5.0_Build_76.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZenStudio\shell\open\command	ZenStudio_Setup_v1.5.0_Build_76.exe
Key created	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\Local Settings	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZenStudio\ = "URL: ZenStudio Protocol"	ZenStudio_Setup_v1.5.0_Build_76.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZenStudio\shell\open\	ZenStudio_Setup_v1.5.0_Build_76.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZenStudio\shell\open\command\ = "C:\\Program Files (x86)\\ZenStudio\\ZenStudio.exe \"%1\""	ZenStudio_Setup_v1.5.0_Build_76.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZenStudio	ZenStudio_Setup_v1.5.0_Build_76.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZenStudio\shell\	ZenStudio_Setup_v1.5.0_Build_76.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\ZenStudio_Setup_v1.5.0_Build_76.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3908	chrome.exe
3908	chrome.exe
3032	ZenStudio.exe
3032	ZenStudio.exe
3032	ZenStudio.exe
3032	ZenStudio.exe
3032	ZenStudio.exe
3032	ZenStudio.exe
3032	ZenStudio.exe
3032	ZenStudio.exe
3032	ZenStudio.exe
3032	ZenStudio.exe
3032	ZenStudio.exe
3032	ZenStudio.exe
3032	ZenStudio.exe
3032	ZenStudio.exe
3032	ZenStudio.exe
3032	ZenStudio.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3908	chrome.exe
3908	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3184	ZenStudio_Setup_v1.5.0_Build_76.exe
1296	ZenStudio_Setup_v1.5.0_Build_76.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3908 wrote to memory of 1536	3908	chrome.exe	79
PID 3908 wrote to memory of 1536	3908	chrome.exe	79
PID 3908 wrote to memory of 1176	3908	chrome.exe	80
PID 3908 wrote to memory of 1176	3908	chrome.exe	80
PID 3908 wrote to memory of 1176	3908	chrome.exe	80
PID 3908 wrote to memory of 1176	3908	chrome.exe	80
PID 3908 wrote to memory of 1176	3908	chrome.exe	80
PID 3908 wrote to memory of 1176	3908	chrome.exe	80
PID 3908 wrote to memory of 1176	3908	chrome.exe	80
PID 3908 wrote to memory of 1176	3908	chrome.exe	80
PID 3908 wrote to memory of 1176	3908	chrome.exe	80
PID 3908 wrote to memory of 1176	3908	chrome.exe	80
PID 3908 wrote to memory of 1176	3908	chrome.exe	80
PID 3908 wrote to memory of 1176	3908	chrome.exe	80
PID 3908 wrote to memory of 1176	3908	chrome.exe	80
PID 3908 wrote to memory of 1176	3908	chrome.exe	80
PID 3908 wrote to memory of 1176	3908	chrome.exe	80
PID 3908 wrote to memory of 1176	3908	chrome.exe	80
PID 3908 wrote to memory of 1176	3908	chrome.exe	80
PID 3908 wrote to memory of 1176	3908	chrome.exe	80
PID 3908 wrote to memory of 1176	3908	chrome.exe	80
PID 3908 wrote to memory of 1176	3908	chrome.exe	80
PID 3908 wrote to memory of 1176	3908	chrome.exe	80
PID 3908 wrote to memory of 1176	3908	chrome.exe	80
PID 3908 wrote to memory of 1176	3908	chrome.exe	80
PID 3908 wrote to memory of 1176	3908	chrome.exe	80
PID 3908 wrote to memory of 1176	3908	chrome.exe	80
PID 3908 wrote to memory of 1176	3908	chrome.exe	80
PID 3908 wrote to memory of 1176	3908	chrome.exe	80
PID 3908 wrote to memory of 1176	3908	chrome.exe	80
PID 3908 wrote to memory of 1176	3908	chrome.exe	80
PID 3908 wrote to memory of 1176	3908	chrome.exe	80
PID 3908 wrote to memory of 4892	3908	chrome.exe	81
PID 3908 wrote to memory of 4892	3908	chrome.exe	81
PID 3908 wrote to memory of 4848	3908	chrome.exe	82
PID 3908 wrote to memory of 4848	3908	chrome.exe	82
PID 3908 wrote to memory of 4848	3908	chrome.exe	82
PID 3908 wrote to memory of 4848	3908	chrome.exe	82
PID 3908 wrote to memory of 4848	3908	chrome.exe	82
PID 3908 wrote to memory of 4848	3908	chrome.exe	82
PID 3908 wrote to memory of 4848	3908	chrome.exe	82
PID 3908 wrote to memory of 4848	3908	chrome.exe	82
PID 3908 wrote to memory of 4848	3908	chrome.exe	82
PID 3908 wrote to memory of 4848	3908	chrome.exe	82
PID 3908 wrote to memory of 4848	3908	chrome.exe	82
PID 3908 wrote to memory of 4848	3908	chrome.exe	82
PID 3908 wrote to memory of 4848	3908	chrome.exe	82
PID 3908 wrote to memory of 4848	3908	chrome.exe	82
PID 3908 wrote to memory of 4848	3908	chrome.exe	82
PID 3908 wrote to memory of 4848	3908	chrome.exe	82
PID 3908 wrote to memory of 4848	3908	chrome.exe	82
PID 3908 wrote to memory of 4848	3908	chrome.exe	82
PID 3908 wrote to memory of 4848	3908	chrome.exe	82
PID 3908 wrote to memory of 4848	3908	chrome.exe	82
PID 3908 wrote to memory of 4848	3908	chrome.exe	82
PID 3908 wrote to memory of 4848	3908	chrome.exe	82
PID 3908 wrote to memory of 4848	3908	chrome.exe	82
PID 3908 wrote to memory of 4848	3908	chrome.exe	82
PID 3908 wrote to memory of 4848	3908	chrome.exe	82
PID 3908 wrote to memory of 4848	3908	chrome.exe	82
PID 3908 wrote to memory of 4848	3908	chrome.exe	82
PID 3908 wrote to memory of 4848	3908	chrome.exe	82
PID 3908 wrote to memory of 4848	3908	chrome.exe	82
PID 3908 wrote to memory of 4848	3908	chrome.exe	82

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cronusmax.com/files/ZenStudio_Setup_v1.5.0_Build_76.exe
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffb2a6cc40,0x7fffb2a6cc4c,0x7fffb2a6cc58
  2⤵
  PID:1536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1772,i,6506933931913447992,10138811070215482534,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1548 /prefetch:2
  2⤵
  PID:1176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2068,i,6506933931913447992,10138811070215482534,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2092 /prefetch:3
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2160,i,6506933931913447992,10138811070215482534,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2240 /prefetch:8
  2⤵
  PID:4848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3040,i,6506933931913447992,10138811070215482534,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3096 /prefetch:1
  2⤵
  PID:4584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3064,i,6506933931913447992,10138811070215482534,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:4036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4708,i,6506933931913447992,10138811070215482534,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4700 /prefetch:8
  2⤵
  PID:3740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4848,i,6506933931913447992,10138811070215482534,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  PID:4480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4860,i,6506933931913447992,10138811070215482534,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5008 /prefetch:8
  2⤵
  PID:3700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5160,i,6506933931913447992,10138811070215482534,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5064 /prefetch:8
  2⤵
  - NTFS ADS
  PID:2544

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:4280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3588

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4672

C:\Users\Admin\Downloads\ZenStudio_Setup_v1.5.0_Build_76.exe
"C:\Users\Admin\Downloads\ZenStudio_Setup_v1.5.0_Build_76.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
PID:3184
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 1148
  2⤵
  - Program crash
  PID:2560
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 1128
  2⤵
  - Program crash
  PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3184 -ip 3184
1⤵
PID:2136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3184 -ip 3184
1⤵
PID:4020

C:\Users\Admin\Downloads\ZenStudio_Setup_v1.5.0_Build_76.exe
"C:\Users\Admin\Downloads\ZenStudio_Setup_v1.5.0_Build_76.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1296

C:\Program Files (x86)\ZenStudio\ZenStudio.exe
"C:\Program Files (x86)\ZenStudio\ZenStudio.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ZenStudio\ZenStudio.exe

Filesize
19.6MB

MD5
1fae469528fcc28ec48eb939b39f8a69

SHA1
21f3642dbc8a5b7bd60cd285490f119aacdaa1a8

SHA256
49e2e48406ae2b43df1e04c20c2fd13b9b25d7d16eb07bfe268f471ee755208c

SHA512
16eb03db6c71770be6b142949f1eaee6ffd5839543d781b8870455cde089db643538c3ed12c2e03da43ec1e4a71ed0454343e23915a2ead9dcb0ff09432f17c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\1983d2ae-bff4-49e2-998d-1fc139dbb5b9.tmp

Filesize
8KB

MD5
0e07ad0a1b409122b0ed6b98700daeb7

SHA1
b7ac5dffdb4d3f6c4577377d614da57e3363acc4

SHA256
f267f4b1e20bcb1604a5839e95e04563238aa961c4bcaba4c22842ddf40c6c8b

SHA512
c7d664a8fea52e85523e089f46f408e3d949c23cf880bd85d9271e312f2451fbaf2e53ae6cf6f07bd4ad307f952bf661ea66c2c3040b47dcf6e86137cdb4d313

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
4296838d788869c1f69e655b085b6157

SHA1
7f06c5f278c50a91870e0a2a977a7b5c761db8b1

SHA256
6dccab50120d78e96c1bee8802b5081de46e298b2edce03063cc0a54ded35075

SHA512
7707bab93315bf8cd4b9573c1a19717c87de3effd340918cb7422e6e2d2056f742ed05f13050081db5f39ebbda2d93c6adafcedb58209ccd8ce338e5cdf21d56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
167393508dcb55ab74fda626ef243c38

SHA1
5b9a7bf1f53968d1c8b3b789a0693978b3c769c0

SHA256
ef01a314483d23e72b3d95992401a35b60505af22eb0b99a7f8a1f195e7b50dd

SHA512
d28137479b0398fe3b3a3300ded68a8605d8347dc12cccacdd1110d1e4f818164a3f38d148af1caac6eab065ca314e953ebedc27cc3c92617b97f715e8a44ae2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f8149a72ac6486b80b38daca0d0bf319

SHA1
6e3f1dd2ac984261a8dc7892e72e5fb4c33d95cf

SHA256
981d1038792203ea1ead522744fe110078706021b64262f465149f7c3d04a2c5

SHA512
b267f335855bc162a60fe79aaafbb0dc8c8905593df765c552fc942d637f938cbc485edf6535bb2ed16ac248ea45b8d9e81412bf8b443606319509ddcd099917

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
2e8262705dffe5d0e07d0dc776a9ae21

SHA1
c5324c7e0dd287e8794bf6a9f52edf1f522a8cfc

SHA256
4e37b36d7f3776554e915e73a4e998a9783e4e4a511fdbbfad65c8411dc64f73

SHA512
f031c488e9978122b01b19cf183fec5fc4e4f422ab6d1764901a55e0e847988a7aadf7351c95c790aab7b79f340d827be9713c349480b202d11185eef20fb08f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1b242465881286af16cd015e41e18c0a

SHA1
6576e5814927cd9dd242cfb89aaf45f3aa4d594d

SHA256
f83a2039ce5bf9bd8c53d8851dfce3f1b3a31d34b4e4cd55f9d09be4d0debcd6

SHA512
2148b0e66150e19565dcf5c5c617dd3993fe55d264631d284589bdb2ca0f48784d675ebd2bd79484b52e71aca7a9aa970d8c1c73b19f650c0135d9f6e3ec7c25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_1

Filesize
264KB

MD5
c89dbcb9b91cc09e3f4c26987898f88e

SHA1
64104053ca0ea87dad0d3146f881ff138c1224a0

SHA256
dd0e53da79a966da7477f921ef781e3ccee14a5153314ed211f497eca6c7561b

SHA512
d0413f597dee5e4f059e7ec65e48c965f5b200d8eb0256015be89118db52bc475229cef1318c462c4fc2db0d66e127842e89373381071941f4d1b4111bf69e6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
93KB

MD5
e50731bd806391770390dea982fc9911

SHA1
e1da756eeee53bed30240a0a79fac74500b344fb

SHA256
d81276d933c6633da6d729ee655f8ca7f96dd1adff115c0ccca19678282f455b

SHA512
2c5972c91b5c94f1741aa1b2215f97360de595830d7badab5e9d4169786d51536c489283ee951fec208371918fa2dfa177eccc98e67306ae50e00d31c362c524

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
93KB

MD5
2df8e626782d502dc40c234ce874cedd

SHA1
d22b8bf17df73c4f3cc38069f0fa6dfff5e65bd0

SHA256
779476fa4ddcccc6e6ad5e565dff7db3001a2bfc30033f78f003703b1673daf4

SHA512
21377884ae2d0313016a7abe9fbe93a1942c5dda955425266cef0ac91530f755aebc8255eeec4ce6c2fa7ea0c701eec8c87c713d65170c365ccb2600d9982299

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
93KB

MD5
ae7376322814da10ba3e47fb5d2e7306

SHA1
89719e8d02f2775ed69aa744aadc35819214eefc

SHA256
02c8c93ae81d9d7b48b0caa49a3d7f61d840613b67e27f276fca43a5c2abb093

SHA512
47385caab7e910b2bade8325efb3a1519f2136b4b46e7f86b8f66aa6be6f0e756d02dcac28a3f8652912091026b3b6eef1d97b17c7303a9cb8ca5c99b56a5563

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuA91D.tmp\System.dll

Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuA91D.tmp\ioSpecial.ini

Filesize
1KB

MD5
8c17ab42fab54d41100ec53d75f062fe

SHA1
6fb2ea06348a806d39cef16cbcdef09b48b27fd4

SHA256
3ca8aa36dca56f26461f7ea5eedcc37120d103bc88736ae836b2b26ffb824a04

SHA512
d755999248a28bb6532114a6526b099545233df4a2fe95add2271901b9c214e600b193c61bb8f64b7ee8776e847d8f02c5083f452b8e2ffc07fb0046a5225be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuA91D.tmp\ioSpecial.ini

Filesize
1KB

MD5
609b6927312917a5a53ec648bacd3dc4

SHA1
fbcdb4578f10bcb3cce17d39acbfab5aa4c1e509

SHA256
e2c79e9faad1f5de2c6465454cfefbc48024d56231fd5d4a6898fc7e9e8333d0

SHA512
db4c4e6e1743cd3196f6085d804da017b91507ef57a559903dacfce68f4a4b9f7b80de13a77f407866d4dec330d67d239e17ba2cb81af705e8d11a9a6252183f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuA91D.tmp\modern-wizard.bmp

Filesize
25KB

MD5
cbe40fd2b1ec96daedc65da172d90022

SHA1
366c216220aa4329dff6c485fd0e9b0f4f0a7944

SHA256
3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

SHA512
62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyCE5D.tmp\DotNetChecker.dll

Filesize
95KB

MD5
90707abc35ad1a925b128527ac974989

SHA1
47d0d433e513f0cceccb23b2522c7bc82d634691

SHA256
8c1879e3e0855e6c22134b8cbb0986b97eb270fdddf8536be2afa18aa9344a4d

SHA512
7cb2cce6c63210fe9abb2ba5d4e0e2a130f2c3c69ab02502d68e427a3d02b8822dbfbdc132899806f31740f44023922d3815629ab051aa01b5d829a419dd7f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyCE5D.tmp\InstallOptions.dll

Filesize
15KB

MD5
d095b082b7c5ba4665d40d9c5042af6d

SHA1
2220277304af105ca6c56219f56f04e894b28d27

SHA256
b2091205e225fc07daf1101218c64ce62a4690cacac9c3d0644d12e93e4c213c

SHA512
61fb5cf84028437d8a63d0fda53d9fe0f521d8fe04e96853a5b7a22050c4c4fb5528ff0cdbb3ae6bc74a5033563fc417fc7537e4778227c9fd6633ae844c47d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyCE5D.tmp\StartMenu.dll

Filesize
7KB

MD5
a8c86996c4230c2209f5927f21321377

SHA1
45ce0ab93cb6a3a594e54878cce05df724024393

SHA256
110545415a59402635e1c9439acba15b44bab268ed02ad2a262ce12604a47855

SHA512
69ee73496b916777936b0dddd2cc4a4f916e393f7d0b167cba77a4a239ee1e3f645d9b90dee1627c42a23eb6c3403e4d086546b9f78b3a2e4999c8f92f6a3bc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyCE5D.tmp\ioSpecial.ini

Filesize
1KB

MD5
c6dc98f7ec3908fb386cea953bbd3c84

SHA1
067e048d7a4e176ec0c4d638259671fdd8dae62b

SHA256
7ece16747d33606a3022cc74f76f2df4a893d48306e7b2c2219f0f770e1083db

SHA512
d1729a2b8f86c400ead990caf3d89e5695216bff69dd1b9c479acfb03a7c1408e1da3b275c56f30a098364840dea23230274d3f438c6dbcccdae2e64c6140e38

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyCE5D.tmp\nsisdl.dll

Filesize
15KB

MD5
05f72d6a944e701217ef2eb2cc13e0ee

SHA1
fac99c39150ae484e4b3e0af2f4be86bb1835dde

SHA256
aab28914794a1cdda4561e9f2af3e006dbed220d9d6bfe049b56d0cb9b783648

SHA512
c87e783fc169ef01ac0d3ce29fbfbf349a2e22329df9203a1443cc2caebbe7f8282c0754740289ecca534951cb7e574bafef9ccbaa0da7c287109920ec9573eb

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 382417.crdownload

Filesize
17.2MB

MD5
2b8322f747ed7623d698c524ccf2ea16

SHA1
fae3a00cd6334cee7e793aa6bb56bffc45c0bca0

SHA256
1f1ad9c1f639326946f39129cb9ff5015669a0a3dd9e21db07163fb48cb6b709

SHA512
e1a3070b760cd7999339a21e72618b7614c1b26bf5b2acbbdfd45c27eb115d0d566fa5d835cf505d274025366a2a474450bd49b3607340cf52731c7f26e784e4

Download Submit
C:\Users\Admin\Downloads\ZenStudio_Setup_v1.5.0_Build_76.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/3032-493-0x0000000009B10000-0x0000000009B1E000-memory.dmp

Filesize
56KB

Download
memory/3032-497-0x000000000A010000-0x000000000A020000-memory.dmp

Filesize
64KB

Download
memory/3032-483-0x0000000008310000-0x0000000008422000-memory.dmp

Filesize
1.1MB

Download
memory/3032-484-0x0000000006CC0000-0x0000000006D26000-memory.dmp

Filesize
408KB

Download
memory/3032-485-0x0000000008AC0000-0x0000000008B16000-memory.dmp

Filesize
344KB

Download
memory/3032-486-0x0000000009400000-0x000000000941C000-memory.dmp

Filesize
112KB

Download
memory/3032-487-0x0000000009420000-0x000000000944A000-memory.dmp

Filesize
168KB

Download
memory/3032-481-0x0000000000B70000-0x0000000001F06000-memory.dmp

Filesize
19.6MB

Download
memory/3032-496-0x0000000009C80000-0x0000000009CB2000-memory.dmp

Filesize
200KB

Download
memory/3032-482-0x000000000E0D0000-0x000000000F268000-memory.dmp

Filesize
17.6MB

Download
memory/3032-498-0x000000000A0C0000-0x000000000A0C8000-memory.dmp

Filesize
32KB

Download
memory/3032-499-0x000000000F6F0000-0x000000000F728000-memory.dmp

Filesize
224KB

Download
memory/3032-500-0x000000000F6C0000-0x000000000F6CE000-memory.dmp

Filesize
56KB

Download
memory/3032-501-0x0000000007460000-0x0000000007A06000-memory.dmp

Filesize
5.6MB

Download
memory/3032-502-0x0000000006F90000-0x0000000007022000-memory.dmp

Filesize
584KB

Download
memory/3032-503-0x0000000007030000-0x0000000007390000-memory.dmp

Filesize
3.4MB

Download
memory/3032-504-0x0000000007A10000-0x0000000007D0E000-memory.dmp

Filesize
3.0MB

Download
memory/3032-505-0x0000000007390000-0x0000000007398000-memory.dmp

Filesize
32KB

Download
memory/3032-506-0x00000000073C0000-0x0000000007436000-memory.dmp

Filesize
472KB

Download
memory/3032-507-0x000000000DE90000-0x000000000DE98000-memory.dmp

Filesize
32KB

Download