c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8

Analysis

max time kernel
154s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 23:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8.exe
Size

260KB
MD5

dc756c26d4d10afa30f0c2aff839292b
SHA1

320a1590a31154b4dd7b789f1f4103fa8a77f68a
SHA256

c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8
SHA512

44379f788b7866cf79ed573dbfb7eeb983941c318947c3d44c0bbff01f76f34a554039aac7f0595fa6760a92d40484b98f7c68f7dedbb0a15eacb1a948d3de87
SSDEEP

6144:DYeCn05o6nhAIiN7yW2O3t5DZYWQUWrjbY06ZBmWU/950iT41+Cgs1G85:G8hn6B9t5D3QUc/Y06tU/b0FgRs1G0

Score

10^/10

evasion

Malware Config

Signatures

Modifies security service 2 TTPs 22 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe

Executes dropped EXE 20 IoCs

pid	Process
1848	rundll32dll.exe
3280	rundll32dll.exe
1864	rundll32dll.exe
212	rundll32dll.exe
1668	rundll32dll.exe
5036	rundll32dll.exe
2444	rundll32dll.exe
3632	rundll32dll.exe
3424	rundll32dll.exe
3444	rundll32dll.exe
4228	rundll32dll.exe
1140	rundll32dll.exe
2180	rundll32dll.exe
4376	rundll32dll.exe
2012	rundll32dll.exe
2500	rundll32dll.exe
2084	rundll32dll.exe
260	rundll32dll.exe
2096	rundll32dll.exe
224	rundll32dll.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\rundll32dll.exe	rundll32dll.exe
File opened for modification	C:\Windows\SysWOW64\rundll32dll.exe	rundll32dll.exe
File created	C:\Windows\SysWOW64\rundll32dll.exe	rundll32dll.exe
File opened for modification	C:\Windows\SysWOW64\rundll32dll.exe	rundll32dll.exe
File created	C:\Windows\SysWOW64\rundll32dll.exe	rundll32dll.exe
File opened for modification	C:\Windows\SysWOW64\rundll32dll.exe	rundll32dll.exe
File created	C:\Windows\SysWOW64\rundll32dll.exe	c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8.exe
File opened for modification	C:\Windows\SysWOW64\rundll32dll.exe	c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8.exe
File created	C:\Windows\SysWOW64\rundll32dll.exe	rundll32dll.exe
File created	C:\Windows\SysWOW64\rundll32dll.exe	rundll32dll.exe
File opened for modification	C:\Windows\SysWOW64\rundll32dll.exe	rundll32dll.exe
File opened for modification	C:\Windows\SysWOW64\rundll32dll.exe	rundll32dll.exe
File created	C:\Windows\SysWOW64\rundll32dll.exe	rundll32dll.exe
File created	C:\Windows\SysWOW64\rundll32dll.exe	rundll32dll.exe
File opened for modification	C:\Windows\SysWOW64\rundll32dll.exe	rundll32dll.exe
File created	C:\Windows\SysWOW64\rundll32dll.exe	rundll32dll.exe
File opened for modification	C:\Windows\SysWOW64\rundll32dll.exe	rundll32dll.exe
File created	C:\Windows\SysWOW64\rundll32dll.exe	rundll32dll.exe
File opened for modification	C:\Windows\SysWOW64\rundll32dll.exe	rundll32dll.exe
File created	C:\Windows\SysWOW64\rundll32dll.exe	rundll32dll.exe
File created	C:\Windows\SysWOW64\rundll32dll.exe	rundll32dll.exe
File opened for modification	C:\Windows\SysWOW64\rundll32dll.exe	rundll32dll.exe

Suspicious use of SetThreadContext 11 IoCs

description	pid	Process	procid_target
PID 1812 set thread context of 3544	1812	c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8.exe	79
PID 1848 set thread context of 3280	1848	rundll32dll.exe	83
PID 1864 set thread context of 212	1864	rundll32dll.exe	87
PID 1668 set thread context of 5036	1668	rundll32dll.exe	93
PID 2444 set thread context of 3632	2444	rundll32dll.exe	97
PID 3424 set thread context of 3444	3424	rundll32dll.exe	101
PID 4228 set thread context of 1140	4228	rundll32dll.exe	105
PID 2180 set thread context of 4376	2180	rundll32dll.exe	109
PID 2012 set thread context of 2500	2012	rundll32dll.exe	119
PID 2084 set thread context of 260	2084	rundll32dll.exe	123
PID 2096 set thread context of 224	2096	rundll32dll.exe	127

Runs .reg file with regedit 11 IoCs

pid	Process
800	regedit.exe
3348	regedit.exe
3068	regedit.exe
5100	regedit.exe
4996	regedit.exe
3016	regedit.exe
2292	regedit.exe
4144	regedit.exe
3756	regedit.exe
3800	regedit.exe
3604	regedit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 3544	1812	c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8.exe	79
PID 1812 wrote to memory of 3544	1812	c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8.exe	79
PID 1812 wrote to memory of 3544	1812	c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8.exe	79
PID 1812 wrote to memory of 3544	1812	c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8.exe	79
PID 1812 wrote to memory of 3544	1812	c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8.exe	79
PID 3544 wrote to memory of 4140	3544	c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8.exe	80
PID 3544 wrote to memory of 4140	3544	c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8.exe	80
PID 3544 wrote to memory of 4140	3544	c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8.exe	80
PID 4140 wrote to memory of 3756	4140	cmd.exe	81
PID 4140 wrote to memory of 3756	4140	cmd.exe	81
PID 4140 wrote to memory of 3756	4140	cmd.exe	81
PID 3544 wrote to memory of 1848	3544	c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8.exe	82
PID 3544 wrote to memory of 1848	3544	c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8.exe	82
PID 3544 wrote to memory of 1848	3544	c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8.exe	82
PID 1848 wrote to memory of 3280	1848	rundll32dll.exe	83
PID 1848 wrote to memory of 3280	1848	rundll32dll.exe	83
PID 1848 wrote to memory of 3280	1848	rundll32dll.exe	83
PID 1848 wrote to memory of 3280	1848	rundll32dll.exe	83
PID 1848 wrote to memory of 3280	1848	rundll32dll.exe	83
PID 3280 wrote to memory of 4004	3280	rundll32dll.exe	84
PID 3280 wrote to memory of 4004	3280	rundll32dll.exe	84
PID 3280 wrote to memory of 4004	3280	rundll32dll.exe	84
PID 4004 wrote to memory of 3068	4004	cmd.exe	85
PID 4004 wrote to memory of 3068	4004	cmd.exe	85
PID 4004 wrote to memory of 3068	4004	cmd.exe	85
PID 3280 wrote to memory of 1864	3280	rundll32dll.exe	86
PID 3280 wrote to memory of 1864	3280	rundll32dll.exe	86
PID 3280 wrote to memory of 1864	3280	rundll32dll.exe	86
PID 1864 wrote to memory of 212	1864	rundll32dll.exe	87
PID 1864 wrote to memory of 212	1864	rundll32dll.exe	87
PID 1864 wrote to memory of 212	1864	rundll32dll.exe	87
PID 1864 wrote to memory of 212	1864	rundll32dll.exe	87
PID 1864 wrote to memory of 212	1864	rundll32dll.exe	87
PID 212 wrote to memory of 3836	212	rundll32dll.exe	88
PID 212 wrote to memory of 3836	212	rundll32dll.exe	88
PID 212 wrote to memory of 3836	212	rundll32dll.exe	88
PID 3836 wrote to memory of 5100	3836	cmd.exe	89
PID 3836 wrote to memory of 5100	3836	cmd.exe	89
PID 3836 wrote to memory of 5100	3836	cmd.exe	89
PID 212 wrote to memory of 1668	212	rundll32dll.exe	92
PID 212 wrote to memory of 1668	212	rundll32dll.exe	92
PID 212 wrote to memory of 1668	212	rundll32dll.exe	92
PID 1668 wrote to memory of 5036	1668	rundll32dll.exe	93
PID 1668 wrote to memory of 5036	1668	rundll32dll.exe	93
PID 1668 wrote to memory of 5036	1668	rundll32dll.exe	93
PID 1668 wrote to memory of 5036	1668	rundll32dll.exe	93
PID 1668 wrote to memory of 5036	1668	rundll32dll.exe	93
PID 5036 wrote to memory of 1312	5036	rundll32dll.exe	94
PID 5036 wrote to memory of 1312	5036	rundll32dll.exe	94
PID 5036 wrote to memory of 1312	5036	rundll32dll.exe	94
PID 1312 wrote to memory of 4996	1312	cmd.exe	95
PID 1312 wrote to memory of 4996	1312	cmd.exe	95
PID 1312 wrote to memory of 4996	1312	cmd.exe	95
PID 5036 wrote to memory of 2444	5036	rundll32dll.exe	96
PID 5036 wrote to memory of 2444	5036	rundll32dll.exe	96
PID 5036 wrote to memory of 2444	5036	rundll32dll.exe	96
PID 2444 wrote to memory of 3632	2444	rundll32dll.exe	97
PID 2444 wrote to memory of 3632	2444	rundll32dll.exe	97
PID 2444 wrote to memory of 3632	2444	rundll32dll.exe	97
PID 2444 wrote to memory of 3632	2444	rundll32dll.exe	97
PID 2444 wrote to memory of 3632	2444	rundll32dll.exe	97
PID 3632 wrote to memory of 1500	3632	rundll32dll.exe	98
PID 3632 wrote to memory of 1500	3632	rundll32dll.exe	98
PID 3632 wrote to memory of 1500	3632	rundll32dll.exe	98

C:\Users\Admin\AppData\Local\Temp\c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8.exe
"C:\Users\Admin\AppData\Local\Temp\c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Users\Admin\AppData\Local\Temp\c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8.exe
  C:\Users\Admin\AppData\Local\Temp\c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8.exe
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\a.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4140
  - - C:\Windows\SysWOW64\regedit.exe
      REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
      4⤵
      Modifies security service
      Runs .reg file with regedit
      PID:3756
- - C:\Windows\SysWOW64\rundll32dll.exe
    C:\Windows\system32\rundll32dll.exe 1144 "C:\Users\Admin\AppData\Local\Temp\c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1848
  - - C:\Windows\SysWOW64\rundll32dll.exe
      C:\Windows\SysWOW64\rundll32dll.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3280
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4004
      - C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        6⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:3068
    - - C:\Windows\SysWOW64\rundll32dll.exe
        
        C:\Windows\system32\rundll32dll.exe 1164 "C:\Windows\SysWOW64\rundll32dll.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1864
      - C:\Windows\SysWOW64\rundll32dll.exe
        
        C:\Windows\SysWOW64\rundll32dll.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3836
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        8⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:5100
        
        C:\Windows\SysWOW64\rundll32dll.exe
        
        C:\Windows\system32\rundll32dll.exe 1136 "C:\Windows\SysWOW64\rundll32dll.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\rundll32dll.exe
        
        C:\Windows\SysWOW64\rundll32dll.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1312
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        10⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:4996
        
        C:\Windows\SysWOW64\rundll32dll.exe
        
        C:\Windows\system32\rundll32dll.exe 1128 "C:\Windows\SysWOW64\rundll32dll.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\rundll32dll.exe
        
        C:\Windows\SysWOW64\rundll32dll.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        11⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        12⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:3800
        
        C:\Windows\SysWOW64\rundll32dll.exe
        
        C:\Windows\system32\rundll32dll.exe 1136 "C:\Windows\SysWOW64\rundll32dll.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3424
        
        C:\Windows\SysWOW64\rundll32dll.exe
        
        C:\Windows\SysWOW64\rundll32dll.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        13⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        14⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:3016
        
        C:\Windows\SysWOW64\rundll32dll.exe
        
        C:\Windows\system32\rundll32dll.exe 1140 "C:\Windows\SysWOW64\rundll32dll.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4228
        
        C:\Windows\SysWOW64\rundll32dll.exe
        
        C:\Windows\SysWOW64\rundll32dll.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        15⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        16⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2292
        
        C:\Windows\SysWOW64\rundll32dll.exe
        
        C:\Windows\system32\rundll32dll.exe 1136 "C:\Windows\SysWOW64\rundll32dll.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2180
        
        C:\Windows\SysWOW64\rundll32dll.exe
        
        C:\Windows\SysWOW64\rundll32dll.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        17⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        18⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:3604
        
        C:\Windows\SysWOW64\rundll32dll.exe
        
        C:\Windows\system32\rundll32dll.exe 1140 "C:\Windows\SysWOW64\rundll32dll.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2012
        
        C:\Windows\SysWOW64\rundll32dll.exe
        
        C:\Windows\SysWOW64\rundll32dll.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        19⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        20⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:4144
        
        C:\Windows\SysWOW64\rundll32dll.exe
        
        C:\Windows\system32\rundll32dll.exe 1136 "C:\Windows\SysWOW64\rundll32dll.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2084
        
        C:\Windows\SysWOW64\rundll32dll.exe
        
        C:\Windows\SysWOW64\rundll32dll.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        21⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        22⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:800
        
        C:\Windows\SysWOW64\rundll32dll.exe
        
        C:\Windows\system32\rundll32dll.exe 1136 "C:\Windows\SysWOW64\rundll32dll.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2096
        
        C:\Windows\SysWOW64\rundll32dll.exe
        
        C:\Windows\SysWOW64\rundll32dll.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        23⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        24⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:3348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
9e5db93bd3302c217b15561d8f1e299d

SHA1
95a5579b336d16213909beda75589fd0a2091f30

SHA256
f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

SHA512
b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
9e5db93bd3302c217b15561d8f1e299d

SHA1
95a5579b336d16213909beda75589fd0a2091f30

SHA256
f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

SHA512
b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
9e5db93bd3302c217b15561d8f1e299d

SHA1
95a5579b336d16213909beda75589fd0a2091f30

SHA256
f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

SHA512
b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
9e5db93bd3302c217b15561d8f1e299d

SHA1
95a5579b336d16213909beda75589fd0a2091f30

SHA256
f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

SHA512
b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
9e5db93bd3302c217b15561d8f1e299d

SHA1
95a5579b336d16213909beda75589fd0a2091f30

SHA256
f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

SHA512
b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
9e5db93bd3302c217b15561d8f1e299d

SHA1
95a5579b336d16213909beda75589fd0a2091f30

SHA256
f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

SHA512
b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
9e5db93bd3302c217b15561d8f1e299d

SHA1
95a5579b336d16213909beda75589fd0a2091f30

SHA256
f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

SHA512
b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
9e5db93bd3302c217b15561d8f1e299d

SHA1
95a5579b336d16213909beda75589fd0a2091f30

SHA256
f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

SHA512
b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
9e5db93bd3302c217b15561d8f1e299d

SHA1
95a5579b336d16213909beda75589fd0a2091f30

SHA256
f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

SHA512
b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
9e5db93bd3302c217b15561d8f1e299d

SHA1
95a5579b336d16213909beda75589fd0a2091f30

SHA256
f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

SHA512
b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
9e5db93bd3302c217b15561d8f1e299d

SHA1
95a5579b336d16213909beda75589fd0a2091f30

SHA256
f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

SHA512
b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Download Submit
C:\Windows\SysWOW64\rundll32dll.exe

Filesize
260KB

MD5
dc756c26d4d10afa30f0c2aff839292b

SHA1
320a1590a31154b4dd7b789f1f4103fa8a77f68a

SHA256
c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8

SHA512
44379f788b7866cf79ed573dbfb7eeb983941c318947c3d44c0bbff01f76f34a554039aac7f0595fa6760a92d40484b98f7c68f7dedbb0a15eacb1a948d3de87

Download Submit
C:\Windows\SysWOW64\rundll32dll.exe

Filesize
260KB

MD5
dc756c26d4d10afa30f0c2aff839292b

SHA1
320a1590a31154b4dd7b789f1f4103fa8a77f68a

SHA256
c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8

SHA512
44379f788b7866cf79ed573dbfb7eeb983941c318947c3d44c0bbff01f76f34a554039aac7f0595fa6760a92d40484b98f7c68f7dedbb0a15eacb1a948d3de87

Download Submit
C:\Windows\SysWOW64\rundll32dll.exe

Filesize
260KB

MD5
dc756c26d4d10afa30f0c2aff839292b

SHA1
320a1590a31154b4dd7b789f1f4103fa8a77f68a

SHA256
c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8

SHA512
44379f788b7866cf79ed573dbfb7eeb983941c318947c3d44c0bbff01f76f34a554039aac7f0595fa6760a92d40484b98f7c68f7dedbb0a15eacb1a948d3de87

Download Submit
C:\Windows\SysWOW64\rundll32dll.exe

Filesize
260KB

MD5
dc756c26d4d10afa30f0c2aff839292b

SHA1
320a1590a31154b4dd7b789f1f4103fa8a77f68a

SHA256
c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8

SHA512
44379f788b7866cf79ed573dbfb7eeb983941c318947c3d44c0bbff01f76f34a554039aac7f0595fa6760a92d40484b98f7c68f7dedbb0a15eacb1a948d3de87

Download Submit
C:\Windows\SysWOW64\rundll32dll.exe

Filesize
260KB

MD5
dc756c26d4d10afa30f0c2aff839292b

SHA1
320a1590a31154b4dd7b789f1f4103fa8a77f68a

SHA256
c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8

SHA512
44379f788b7866cf79ed573dbfb7eeb983941c318947c3d44c0bbff01f76f34a554039aac7f0595fa6760a92d40484b98f7c68f7dedbb0a15eacb1a948d3de87

Download Submit
C:\Windows\SysWOW64\rundll32dll.exe

Filesize
260KB

MD5
dc756c26d4d10afa30f0c2aff839292b

SHA1
320a1590a31154b4dd7b789f1f4103fa8a77f68a

SHA256
c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8

SHA512
44379f788b7866cf79ed573dbfb7eeb983941c318947c3d44c0bbff01f76f34a554039aac7f0595fa6760a92d40484b98f7c68f7dedbb0a15eacb1a948d3de87

Download Submit
C:\Windows\SysWOW64\rundll32dll.exe

Filesize
260KB

MD5
dc756c26d4d10afa30f0c2aff839292b

SHA1
320a1590a31154b4dd7b789f1f4103fa8a77f68a

SHA256
c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8

SHA512
44379f788b7866cf79ed573dbfb7eeb983941c318947c3d44c0bbff01f76f34a554039aac7f0595fa6760a92d40484b98f7c68f7dedbb0a15eacb1a948d3de87

Download Submit
C:\Windows\SysWOW64\rundll32dll.exe

Filesize
260KB

MD5
dc756c26d4d10afa30f0c2aff839292b

SHA1
320a1590a31154b4dd7b789f1f4103fa8a77f68a

SHA256
c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8

SHA512
44379f788b7866cf79ed573dbfb7eeb983941c318947c3d44c0bbff01f76f34a554039aac7f0595fa6760a92d40484b98f7c68f7dedbb0a15eacb1a948d3de87

Download Submit
C:\Windows\SysWOW64\rundll32dll.exe

Filesize
260KB

MD5
dc756c26d4d10afa30f0c2aff839292b

SHA1
320a1590a31154b4dd7b789f1f4103fa8a77f68a

SHA256
c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8

SHA512
44379f788b7866cf79ed573dbfb7eeb983941c318947c3d44c0bbff01f76f34a554039aac7f0595fa6760a92d40484b98f7c68f7dedbb0a15eacb1a948d3de87

Download Submit
C:\Windows\SysWOW64\rundll32dll.exe

Filesize
260KB

MD5
dc756c26d4d10afa30f0c2aff839292b

SHA1
320a1590a31154b4dd7b789f1f4103fa8a77f68a

SHA256
c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8

SHA512
44379f788b7866cf79ed573dbfb7eeb983941c318947c3d44c0bbff01f76f34a554039aac7f0595fa6760a92d40484b98f7c68f7dedbb0a15eacb1a948d3de87

Download Submit
C:\Windows\SysWOW64\rundll32dll.exe

Filesize
260KB

MD5
dc756c26d4d10afa30f0c2aff839292b

SHA1
320a1590a31154b4dd7b789f1f4103fa8a77f68a

SHA256
c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8

SHA512
44379f788b7866cf79ed573dbfb7eeb983941c318947c3d44c0bbff01f76f34a554039aac7f0595fa6760a92d40484b98f7c68f7dedbb0a15eacb1a948d3de87

Download Submit
C:\Windows\SysWOW64\rundll32dll.exe

Filesize
260KB

MD5
dc756c26d4d10afa30f0c2aff839292b

SHA1
320a1590a31154b4dd7b789f1f4103fa8a77f68a

SHA256
c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8

SHA512
44379f788b7866cf79ed573dbfb7eeb983941c318947c3d44c0bbff01f76f34a554039aac7f0595fa6760a92d40484b98f7c68f7dedbb0a15eacb1a948d3de87

Download Submit
C:\Windows\SysWOW64\rundll32dll.exe

Filesize
260KB

MD5
dc756c26d4d10afa30f0c2aff839292b

SHA1
320a1590a31154b4dd7b789f1f4103fa8a77f68a

SHA256
c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8

SHA512
44379f788b7866cf79ed573dbfb7eeb983941c318947c3d44c0bbff01f76f34a554039aac7f0595fa6760a92d40484b98f7c68f7dedbb0a15eacb1a948d3de87

Download Submit
C:\Windows\SysWOW64\rundll32dll.exe

Filesize
260KB

MD5
dc756c26d4d10afa30f0c2aff839292b

SHA1
320a1590a31154b4dd7b789f1f4103fa8a77f68a

SHA256
c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8

SHA512
44379f788b7866cf79ed573dbfb7eeb983941c318947c3d44c0bbff01f76f34a554039aac7f0595fa6760a92d40484b98f7c68f7dedbb0a15eacb1a948d3de87

Download Submit
C:\Windows\SysWOW64\rundll32dll.exe

Filesize
260KB

MD5
dc756c26d4d10afa30f0c2aff839292b

SHA1
320a1590a31154b4dd7b789f1f4103fa8a77f68a

SHA256
c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8

SHA512
44379f788b7866cf79ed573dbfb7eeb983941c318947c3d44c0bbff01f76f34a554039aac7f0595fa6760a92d40484b98f7c68f7dedbb0a15eacb1a948d3de87

Download Submit
C:\Windows\SysWOW64\rundll32dll.exe

Filesize
260KB

MD5
dc756c26d4d10afa30f0c2aff839292b

SHA1
320a1590a31154b4dd7b789f1f4103fa8a77f68a

SHA256
c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8

SHA512
44379f788b7866cf79ed573dbfb7eeb983941c318947c3d44c0bbff01f76f34a554039aac7f0595fa6760a92d40484b98f7c68f7dedbb0a15eacb1a948d3de87

Download Submit
C:\Windows\SysWOW64\rundll32dll.exe

Filesize
260KB

MD5
dc756c26d4d10afa30f0c2aff839292b

SHA1
320a1590a31154b4dd7b789f1f4103fa8a77f68a

SHA256
c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8

SHA512
44379f788b7866cf79ed573dbfb7eeb983941c318947c3d44c0bbff01f76f34a554039aac7f0595fa6760a92d40484b98f7c68f7dedbb0a15eacb1a948d3de87

Download Submit
C:\Windows\SysWOW64\rundll32dll.exe

Filesize
260KB

MD5
dc756c26d4d10afa30f0c2aff839292b

SHA1
320a1590a31154b4dd7b789f1f4103fa8a77f68a

SHA256
c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8

SHA512
44379f788b7866cf79ed573dbfb7eeb983941c318947c3d44c0bbff01f76f34a554039aac7f0595fa6760a92d40484b98f7c68f7dedbb0a15eacb1a948d3de87

Download Submit
C:\Windows\SysWOW64\rundll32dll.exe

Filesize
260KB

MD5
dc756c26d4d10afa30f0c2aff839292b

SHA1
320a1590a31154b4dd7b789f1f4103fa8a77f68a

SHA256
c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8

SHA512
44379f788b7866cf79ed573dbfb7eeb983941c318947c3d44c0bbff01f76f34a554039aac7f0595fa6760a92d40484b98f7c68f7dedbb0a15eacb1a948d3de87

Download Submit
C:\Windows\SysWOW64\rundll32dll.exe

Filesize
260KB

MD5
dc756c26d4d10afa30f0c2aff839292b

SHA1
320a1590a31154b4dd7b789f1f4103fa8a77f68a

SHA256
c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8

SHA512
44379f788b7866cf79ed573dbfb7eeb983941c318947c3d44c0bbff01f76f34a554039aac7f0595fa6760a92d40484b98f7c68f7dedbb0a15eacb1a948d3de87

Download Submit
C:\Windows\SysWOW64\rundll32dll.exe

Filesize
260KB

MD5
dc756c26d4d10afa30f0c2aff839292b

SHA1
320a1590a31154b4dd7b789f1f4103fa8a77f68a

SHA256
c12dfde7d3d9c43ea6f853ac14d82c3fdf18c86f05f57672c3cddd6a379a12d8

SHA512
44379f788b7866cf79ed573dbfb7eeb983941c318947c3d44c0bbff01f76f34a554039aac7f0595fa6760a92d40484b98f7c68f7dedbb0a15eacb1a948d3de87

Download Submit
\??\c:\a.bat

Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit
\??\c:\a.bat

Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit
\??\c:\a.bat

Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit
\??\c:\a.bat

Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit
\??\c:\a.bat

Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit
\??\c:\a.bat

Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit
\??\c:\a.bat

Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit
\??\c:\a.bat

Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit
\??\c:\a.bat

Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit
\??\c:\a.bat

Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit
\??\c:\a.bat

Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit
memory/212-167-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/212-162-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/224-260-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/260-252-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1140-216-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2500-240-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3280-154-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3444-204-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3544-135-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3544-133-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3544-149-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3544-136-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3632-192-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/3632-187-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/4376-228-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/5036-177-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download