dcrat | hxxps://disk[.]yandex[.]ru/d/3aGfXahbd5j1Dw

Analysis

max time kernel
269s
max time network
275s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 23:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://disk.yandex.ru/d/3aGfXahbd5j1Dw

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Checks computer location settings 2 TTPs 38 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Reviewdhcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Reviewdhcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Reviewdhcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Reviewdhcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Reviewdhcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Reviewdhcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Reviewdhcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Reviewdhcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Reviewdhcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Reviewdhcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Reviewdhcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Reviewdhcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Reviewdhcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Reviewdhcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Reviewdhcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Reviewdhcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Reviewdhcp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Loader.exe

Executes dropped EXE 37 IoCs

pid	Process
756	Loader.exe
1604	Loader.exe
5012	Loader.exe
1812	Loader.exe
2472	Loader.exe
5688	Loader.exe
5700	Loader.exe
1452	Reviewdhcp.exe
5288	wscript.exe
3148	Reviewdhcp.exe
960	Reviewdhcp.exe
4500	Reviewdhcp.exe
1184	Reviewdhcp.exe
3164	Reviewdhcp.exe
5252	Reviewdhcp.exe
2020	wscript.exe
3140	Loader.exe
3352	Loader.exe
4696	Loader.exe
5832	Reviewdhcp.exe
4700	Reviewdhcp.exe
4612	Reviewdhcp.exe
3996	Reviewdhcp.exe
2596	Reviewdhcp.exe
1396	Reviewdhcp.exe
872	Reviewdhcp.exe
5536	Reviewdhcp.exe
4184	Reviewdhcp.exe
3488	Reviewdhcp.exe
4836	Reviewdhcp.exe
1564	Reviewdhcp.exe
508	Reviewdhcp.exe
1416	Reviewdhcp.exe
2040	Reviewdhcp.exe
884	Reviewdhcp.exe
1832	Reviewdhcp.exe
2016	Reviewdhcp.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\817c8c8ec737a7	Reviewdhcp.exe
File created	C:\Program Files\Common Files\microsoft shared\csrss.exe	Reviewdhcp.exe
File created	C:\Program Files\Common Files\microsoft shared\886983d96e3d3e	Reviewdhcp.exe
File created	C:\Program Files\Windows Media Player\wscript.exe	Reviewdhcp.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Speech_OneCore\Engines\SR\en-US-N\Idle.exe	Reviewdhcp.exe
File created	C:\Windows\Speech_OneCore\Engines\SR\en-US-N\6ccacd8608530f	Reviewdhcp.exe
File created	C:\Windows\SKB\csrss.exe	Reviewdhcp.exe
File created	C:\Windows\SKB\886983d96e3d3e	Reviewdhcp.exe
File created	C:\Windows\Speech_OneCore\Engines\SR\en-US-N\Idle.exe	Reviewdhcp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5132	PING.EXE
5744	PING.EXE
436	PING.EXE
3828	PING.EXE
1100	PING.EXE
1272	PING.EXE
5232	PING.EXE

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Modifies registry class 29 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	Loader.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	Loader.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	Reviewdhcp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	Reviewdhcp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	Reviewdhcp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	Reviewdhcp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	Reviewdhcp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	Loader.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	Reviewdhcp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	Reviewdhcp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	Reviewdhcp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	Reviewdhcp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	Loader.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	Loader.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	Reviewdhcp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	Reviewdhcp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	Reviewdhcp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	Loader.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	Reviewdhcp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	Reviewdhcp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	Reviewdhcp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	Loader.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	Reviewdhcp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	Reviewdhcp.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	Loader.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	Loader.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	Loader.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Loader.rar:Zone.Identifier	firefox.exe

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
3828	PING.EXE
1100	PING.EXE
1272	PING.EXE
5232	PING.EXE
5132	PING.EXE
5744	PING.EXE
436	PING.EXE

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1452	Reviewdhcp.exe
1452	Reviewdhcp.exe
1452	Reviewdhcp.exe
1452	Reviewdhcp.exe
1452	Reviewdhcp.exe
1452	Reviewdhcp.exe
1452	Reviewdhcp.exe
1452	Reviewdhcp.exe
1452	Reviewdhcp.exe
1452	Reviewdhcp.exe
1452	Reviewdhcp.exe
1452	Reviewdhcp.exe
1452	Reviewdhcp.exe
1452	Reviewdhcp.exe
1452	Reviewdhcp.exe
1452	Reviewdhcp.exe
1452	Reviewdhcp.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	3596	firefox.exe
Token: SeDebugPrivilege	3596	firefox.exe
Token: SeDebugPrivilege	3596	firefox.exe
Token: SeRestorePrivilege	5740	7zFM.exe
Token: 35	5740	7zFM.exe
Token: SeSecurityPrivilege	5740	7zFM.exe
Token: SeDebugPrivilege	1452	Reviewdhcp.exe
Token: SeDebugPrivilege	5288	wscript.exe
Token: SeDebugPrivilege	3148	Reviewdhcp.exe
Token: SeDebugPrivilege	960	Reviewdhcp.exe
Token: SeDebugPrivilege	4500	Reviewdhcp.exe
Token: SeDebugPrivilege	1184	Reviewdhcp.exe
Token: SeDebugPrivilege	3164	Reviewdhcp.exe
Token: SeDebugPrivilege	5252	Reviewdhcp.exe
Token: SeDebugPrivilege	2020	wscript.exe
Token: SeDebugPrivilege	5832	Reviewdhcp.exe
Token: SeDebugPrivilege	4700	Reviewdhcp.exe
Token: SeDebugPrivilege	4612	Reviewdhcp.exe
Token: SeDebugPrivilege	3996	Reviewdhcp.exe
Token: SeDebugPrivilege	2596	Reviewdhcp.exe
Token: SeDebugPrivilege	1396	Reviewdhcp.exe
Token: SeDebugPrivilege	872	Reviewdhcp.exe
Token: SeDebugPrivilege	5536	Reviewdhcp.exe
Token: SeDebugPrivilege	4184	Reviewdhcp.exe
Token: SeDebugPrivilege	3488	Reviewdhcp.exe
Token: SeDebugPrivilege	4836	Reviewdhcp.exe
Token: SeDebugPrivilege	1564	Reviewdhcp.exe
Token: SeDebugPrivilege	508	Reviewdhcp.exe
Token: SeDebugPrivilege	1416	Reviewdhcp.exe
Token: SeDebugPrivilege	2040	Reviewdhcp.exe
Token: SeDebugPrivilege	884	Reviewdhcp.exe
Token: SeDebugPrivilege	1832	Reviewdhcp.exe
Token: SeDebugPrivilege	2016	Reviewdhcp.exe

Suspicious use of FindShellTrayWindow 23 IoCs

pid	Process
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
5740	7zFM.exe
5740	7zFM.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe
3596	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 3596	2476	firefox.exe	83
PID 2476 wrote to memory of 3596	2476	firefox.exe	83
PID 2476 wrote to memory of 3596	2476	firefox.exe	83
PID 2476 wrote to memory of 3596	2476	firefox.exe	83
PID 2476 wrote to memory of 3596	2476	firefox.exe	83
PID 2476 wrote to memory of 3596	2476	firefox.exe	83
PID 2476 wrote to memory of 3596	2476	firefox.exe	83
PID 2476 wrote to memory of 3596	2476	firefox.exe	83
PID 2476 wrote to memory of 3596	2476	firefox.exe	83
PID 2476 wrote to memory of 3596	2476	firefox.exe	83
PID 2476 wrote to memory of 3596	2476	firefox.exe	83
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 2996	3596	firefox.exe	86
PID 3596 wrote to memory of 1396	3596	firefox.exe	88
PID 3596 wrote to memory of 1396	3596	firefox.exe	88
PID 3596 wrote to memory of 1396	3596	firefox.exe	88
PID 3596 wrote to memory of 1396	3596	firefox.exe	88
PID 3596 wrote to memory of 1396	3596	firefox.exe	88
PID 3596 wrote to memory of 1396	3596	firefox.exe	88
PID 3596 wrote to memory of 1396	3596	firefox.exe	88
PID 3596 wrote to memory of 1396	3596	firefox.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://disk.yandex.ru/d/3aGfXahbd5j1Dw"
1⤵
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://disk.yandex.ru/d/3aGfXahbd5j1Dw
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1952 -parentBuildID 20240401114208 -prefsHandle 1868 -prefMapHandle 1860 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {152dfdd9-ef54-4fe2-9b27-cbffdee750b7} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" gpu
    3⤵
    PID:2996
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2388 -parentBuildID 20240401114208 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d389406-2882-47a0-924a-5fd3e5828213} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" socket
    3⤵
    - Checks processor information in registry
    PID:1396
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3472 -childID 1 -isForBrowser -prefsHandle 3048 -prefMapHandle 2652 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3166c1db-4ab6-483d-8dc7-21187febb77f} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" tab
    3⤵
    PID:3028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4312 -childID 2 -isForBrowser -prefsHandle 4304 -prefMapHandle 4300 -prefsLen 29144 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07232878-4689-419b-be7e-b16405f7bc0e} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" tab
    3⤵
    PID:2248
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2776 -childID 3 -isForBrowser -prefsHandle 4612 -prefMapHandle 4620 -prefsLen 27174 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe03f07d-b4a6-4bdb-b3f4-433041c83736} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" tab
    3⤵
    PID:3512
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5104 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5052 -prefMapHandle 1524 -prefsLen 29320 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e033ba19-821a-416f-a571-66debc17ad75} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" utility
    3⤵
    - Checks processor information in registry
    PID:5544
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5436 -childID 4 -isForBrowser -prefsHandle 5404 -prefMapHandle 4008 -prefsLen 27174 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa635e85-cb10-4ec3-9b84-51a994824a75} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" tab
    3⤵
    PID:5764
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5444 -childID 5 -isForBrowser -prefsHandle 5416 -prefMapHandle 5412 -prefsLen 27174 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {796fd09c-0996-4829-9e22-ab19fdadd5df} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" tab
    3⤵
    PID:5772
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5452 -childID 6 -isForBrowser -prefsHandle 5428 -prefMapHandle 5424 -prefsLen 27174 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d14eb6a-0b17-4dda-8e7c-b423601fafc8} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" tab
    3⤵
    PID:5792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6104 -childID 7 -isForBrowser -prefsHandle 6096 -prefMapHandle 6092 -prefsLen 27364 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {196093e7-a524-4283-ad77-c0e9a94592c6} 3596 "\\.\pipe\gecko-crash-server-pipe.3596" tab
    3⤵
    PID:6088

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5532

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Loader.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5740

C:\Users\Admin\Desktop\Loader.exe
"C:\Users\Admin\Desktop\Loader.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:756
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Blocksurrogatereviewsvc\sTyNZguGi7DTKy1fzyDYyDk.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Blocksurrogatereviewsvc\cFWrXa8iq0OGUc0ZjCtbFYej8WOT6SV7ENbsVPxY0hCxjO.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3996
  - - C:\Blocksurrogatereviewsvc\Reviewdhcp.exe
      "C:\Blocksurrogatereviewsvc/Reviewdhcp.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1452
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gKb56fXXEK.bat"
        5⤵
        
        PID:4000
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:5176
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5132
      - C:\Program Files\Windows Media Player\wscript.exe
        
        "C:\Program Files\Windows Media Player\wscript.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DABqzejj4v.bat"
        7⤵
        
        PID:2668
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:972
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2456
        
        C:\Program Files\Windows Media Player\wscript.exe
        
        "C:\Program Files\Windows Media Player\wscript.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020

C:\Users\Admin\Desktop\Loader.exe
"C:\Users\Admin\Desktop\Loader.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1604
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Blocksurrogatereviewsvc\sTyNZguGi7DTKy1fzyDYyDk.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:6132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Blocksurrogatereviewsvc\cFWrXa8iq0OGUc0ZjCtbFYej8WOT6SV7ENbsVPxY0hCxjO.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2704
  - - C:\Blocksurrogatereviewsvc\Reviewdhcp.exe
      "C:\Blocksurrogatereviewsvc/Reviewdhcp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3148

C:\Users\Admin\Desktop\Loader.exe
"C:\Users\Admin\Desktop\Loader.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5012
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Blocksurrogatereviewsvc\sTyNZguGi7DTKy1fzyDYyDk.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Blocksurrogatereviewsvc\cFWrXa8iq0OGUc0ZjCtbFYej8WOT6SV7ENbsVPxY0hCxjO.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3684
  - - C:\Blocksurrogatereviewsvc\Reviewdhcp.exe
      "C:\Blocksurrogatereviewsvc/Reviewdhcp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:960

C:\Users\Admin\Desktop\Loader.exe
"C:\Users\Admin\Desktop\Loader.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1812
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Blocksurrogatereviewsvc\sTyNZguGi7DTKy1fzyDYyDk.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Blocksurrogatereviewsvc\cFWrXa8iq0OGUc0ZjCtbFYej8WOT6SV7ENbsVPxY0hCxjO.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1992
  - - C:\Blocksurrogatereviewsvc\Reviewdhcp.exe
      "C:\Blocksurrogatereviewsvc/Reviewdhcp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5252

C:\Users\Admin\Desktop\Loader.exe
"C:\Users\Admin\Desktop\Loader.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2472
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Blocksurrogatereviewsvc\sTyNZguGi7DTKy1fzyDYyDk.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Blocksurrogatereviewsvc\cFWrXa8iq0OGUc0ZjCtbFYej8WOT6SV7ENbsVPxY0hCxjO.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2296
  - - C:\Blocksurrogatereviewsvc\Reviewdhcp.exe
      "C:\Blocksurrogatereviewsvc/Reviewdhcp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4500

C:\Users\Admin\Desktop\Loader.exe
"C:\Users\Admin\Desktop\Loader.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5688
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Blocksurrogatereviewsvc\sTyNZguGi7DTKy1fzyDYyDk.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Blocksurrogatereviewsvc\cFWrXa8iq0OGUc0ZjCtbFYej8WOT6SV7ENbsVPxY0hCxjO.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5868
  - - C:\Blocksurrogatereviewsvc\Reviewdhcp.exe
      "C:\Blocksurrogatereviewsvc/Reviewdhcp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1184

C:\Users\Admin\Desktop\Loader.exe
"C:\Users\Admin\Desktop\Loader.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5700
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Blocksurrogatereviewsvc\sTyNZguGi7DTKy1fzyDYyDk.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Blocksurrogatereviewsvc\cFWrXa8iq0OGUc0ZjCtbFYej8WOT6SV7ENbsVPxY0hCxjO.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8
  - - C:\Blocksurrogatereviewsvc\Reviewdhcp.exe
      "C:\Blocksurrogatereviewsvc/Reviewdhcp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DABqzejj4v.bat" "
1⤵
PID:5888
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:3364
- C:\Windows\system32\w32tm.exe
  w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  2⤵
  PID:1840

C:\Users\Admin\Desktop\Loader.exe
"C:\Users\Admin\Desktop\Loader.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3140
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Blocksurrogatereviewsvc\sTyNZguGi7DTKy1fzyDYyDk.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Blocksurrogatereviewsvc\cFWrXa8iq0OGUc0ZjCtbFYej8WOT6SV7ENbsVPxY0hCxjO.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3512
  - - C:\Blocksurrogatereviewsvc\Reviewdhcp.exe
      "C:\Blocksurrogatereviewsvc/Reviewdhcp.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      PID:5832
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZAbXgo5nXx.bat"
        5⤵
        
        PID:5692
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3652
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5744
      - C:\Blocksurrogatereviewsvc\Reviewdhcp.exe
        
        "C:\Blocksurrogatereviewsvc\Reviewdhcp.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3996

C:\Users\Admin\Desktop\Loader.exe
"C:\Users\Admin\Desktop\Loader.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3352
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Blocksurrogatereviewsvc\sTyNZguGi7DTKy1fzyDYyDk.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Blocksurrogatereviewsvc\cFWrXa8iq0OGUc0ZjCtbFYej8WOT6SV7ENbsVPxY0hCxjO.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4176
  - - C:\Blocksurrogatereviewsvc\Reviewdhcp.exe
      "C:\Blocksurrogatereviewsvc/Reviewdhcp.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      PID:4700
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EHU1Lrqt50.bat"
        5⤵
        
        PID:5332
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2680
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:436
      - C:\Blocksurrogatereviewsvc\Reviewdhcp.exe
        
        "C:\Blocksurrogatereviewsvc\Reviewdhcp.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8JExSyzmRo.bat"
        7⤵
        
        PID:2104
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:5308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1580
        
        C:\Blocksurrogatereviewsvc\Reviewdhcp.exe
        
        "C:\Blocksurrogatereviewsvc\Reviewdhcp.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\285J1A1WUD.bat"
        9⤵
        
        PID:5972
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:5780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:4972
        
        C:\Blocksurrogatereviewsvc\Reviewdhcp.exe
        
        "C:\Blocksurrogatereviewsvc\Reviewdhcp.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lxRC8VlBb2.bat"
        11⤵
        
        PID:5892
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:5152
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:5504
        
        C:\Blocksurrogatereviewsvc\Reviewdhcp.exe
        
        "C:\Blocksurrogatereviewsvc\Reviewdhcp.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wWOI1HKPNj.bat"
        13⤵
        
        PID:5852
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:5644
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:3956
        
        C:\Blocksurrogatereviewsvc\Reviewdhcp.exe
        
        "C:\Blocksurrogatereviewsvc\Reviewdhcp.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4184
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IzyQn8pRfl.bat"
        15⤵
        
        PID:3148
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4228
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:4724
        
        C:\Blocksurrogatereviewsvc\Reviewdhcp.exe
        
        "C:\Blocksurrogatereviewsvc\Reviewdhcp.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3488
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2hXwS5IfKK.bat"
        17⤵
        
        PID:112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:5968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:5732
        
        C:\Blocksurrogatereviewsvc\Reviewdhcp.exe
        
        "C:\Blocksurrogatereviewsvc\Reviewdhcp.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hFxofDmc2H.bat"
        19⤵
        
        PID:3808
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:5988
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3828
        
        C:\Blocksurrogatereviewsvc\Reviewdhcp.exe
        
        "C:\Blocksurrogatereviewsvc\Reviewdhcp.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YvmOC36wL2.bat"
        21⤵
        
        PID:3196
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1468
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1100
        
        C:\Blocksurrogatereviewsvc\Reviewdhcp.exe
        
        "C:\Blocksurrogatereviewsvc\Reviewdhcp.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YvmOC36wL2.bat"
        23⤵
        
        PID:2380
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2020
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1272
        
        C:\Blocksurrogatereviewsvc\Reviewdhcp.exe
        
        "C:\Blocksurrogatereviewsvc\Reviewdhcp.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1416
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JDnYIupIqg.bat"
        25⤵
        
        PID:3120
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:5212
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:4668
        
        C:\Blocksurrogatereviewsvc\Reviewdhcp.exe
        
        "C:\Blocksurrogatereviewsvc\Reviewdhcp.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\285J1A1WUD.bat"
        27⤵
        
        PID:5136
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2504
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:5912
        
        C:\Blocksurrogatereviewsvc\Reviewdhcp.exe
        
        "C:\Blocksurrogatereviewsvc\Reviewdhcp.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z03YznJ6kZ.bat"
        29⤵
        
        PID:6108
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:2660
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5232
        
        C:\Blocksurrogatereviewsvc\Reviewdhcp.exe
        
        "C:\Blocksurrogatereviewsvc\Reviewdhcp.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wWOI1HKPNj.bat"
        31⤵
        
        PID:5920
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:5140
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:2216
        
        C:\Blocksurrogatereviewsvc\Reviewdhcp.exe
        
        "C:\Blocksurrogatereviewsvc\Reviewdhcp.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0EsgTYIxwU.bat"
        33⤵
        
        PID:5124
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:4348
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        34⤵
        
        PID:4828

C:\Users\Admin\Desktop\Loader.exe
"C:\Users\Admin\Desktop\Loader.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4696
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Blocksurrogatereviewsvc\sTyNZguGi7DTKy1fzyDYyDk.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:5012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Blocksurrogatereviewsvc\cFWrXa8iq0OGUc0ZjCtbFYej8WOT6SV7ENbsVPxY0hCxjO.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1984
  - - C:\Blocksurrogatereviewsvc\Reviewdhcp.exe
      "C:\Blocksurrogatereviewsvc/Reviewdhcp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Blocksurrogatereviewsvc\Reviewdhcp.exe

Filesize
1.6MB

MD5
2fda7a178135afb898f96997a9a03fec

SHA1
be098aac5d23492c3606ff8e7d5e67af728d425c

SHA256
4a230a867ee79ebe85e27dce94561680d4cc972c0cd24f1a8f9d179393781fd6

SHA512
0fc7d9d7425216cb8ad4c4b175b3c00da9b726bd976df0b1edb00d09da2e997694001beffe06dda68f0c9ec3d01ad365a36139772f295bb06c27985a48fddba2

Download Submit
C:\Blocksurrogatereviewsvc\cFWrXa8iq0OGUc0ZjCtbFYej8WOT6SV7ENbsVPxY0hCxjO.bat

Filesize
83B

MD5
906a9e1fa7e63c285723ea9188c1c6a1

SHA1
b726993fabad82f99db42bf23b357b14208f63c5

SHA256
8fac22a523b3c3b65bb16974153324438e4356f73741b39bd7cba3e28e3547ed

SHA512
c47a6f1c9ac9b53f7208539c08c9d0f011982c4fe0a666393cc2997663e00a3feacba88efdc07fa4462c4f2b1b0967f66d8179625501d710cd2019d2dc7b8cd4

Download Submit
C:\Blocksurrogatereviewsvc\sTyNZguGi7DTKy1fzyDYyDk.vbe

Filesize
248B

MD5
46b92f5d22b94fc2a867645538595d1c

SHA1
84731beb1f182b9a6ca7f09dbc3d9e6638af5349

SHA256
590ad3571a667b0da5200adc6949f1dbf1308d17501d7b6665d126ee3c323a96

SHA512
9ef2776c75c4095bdc4c0fdae0f73a5062158b84d93d6fac80c70cf9b7823507a0139e1abe6e29c9132e4b5f8b788f48683b3444a43a64dc25147a9a3fb63b07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Reviewdhcp.exe.log

Filesize
1KB

MD5
47ab59baf4dcc4e17b4ceb468e55d551

SHA1
d026131c94cb679cb244c4e860f43591b539e2a2

SHA256
3eb7725a57375437481e559b2286b9d6745378a370a38d93d2d5bb90e786bfea

SHA512
3e1bd72f400439b189b9ed2821c4c868210f77bdd5ea8dac58b5c4fcc81c4fa7f7ee520812b5868327000a0cb723a637f5756d5eae054bcfb70674d409426604

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wscript.exe.log

Filesize
1KB

MD5
11aa02596ceccef38b448c52a899f470

SHA1
6da94dc9579e969d39d5e65c066af3a5251e39b4

SHA256
e778ec777a79a1a9c9a3b605ab9681558395d2f3ef46f6c34dca1e00dcd771fd

SHA512
5de4fd51ae76cce8de25c5257ee873a71668acdf407bc3351410f9f840a9b074099d4c018657d2cc8f33273e6fd03e4365165e4834ba12c052d735212bf5d0d3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85mw8mk9.default-release\activity-stream.discovery_stream.json.tmp

Filesize
19KB

MD5
55f967bda1a86a8edea81d555c5065c9

SHA1
2f3a29125b02384cb3499b1068cf27172ff2dfc9

SHA256
d882c9d86a5b061e5c25ec127d1403353222e4ed5115b3f8eb04a5abae9fcfb2

SHA512
ff44c8eca01000bd870e31e3b5dc1f80d204fb7a44180a354bac37e0c5eed1e8deae0b89eb0fa9199204818c7c8765c3ff1ac6ae2edec48b362080b2d1f49aa6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85mw8mk9.default-release\cache2\entries\3BFB4E43684790939B567D661AD64D209E1A7A2D

Filesize
122KB

MD5
6ec6e03b898c075c4b4dc4ecfb444f44

SHA1
c6ec21ca80dc6a9f6f7c6f92ca4b35cb5ede7f70

SHA256
d9e9c5e26f7b45d08c35a12d4541297dd6f138b755a2e2489374e635509dcd78

SHA512
5d404e53fa15e4150bfdb6ca824d3174964830d06cce8bd077667e55614b65498bfcdab1c3a7f1c260baff3bd8665757b8a597fd870c2fddb140c599ca497e1f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85mw8mk9.default-release\cache2\entries\5FFA366587C2007401ED90846380BEE340DF03F4

Filesize
18KB

MD5
c50336dbbf42cf66cd39d744a1616b0c

SHA1
0ce40ed2a3f623a863d19aab9541646f994eb87d

SHA256
174ed7b1dd1fceea326b0f46ac02dcccdc11cf1e4a77a0e0088b045553ba04c2

SHA512
fbbd306aa930d1a4e67da992ca472f69cb29ad2bbd00a04a9718bd282c5d5f7e3ea5a1959d87992d8d7deb498ad51f6e256e8bd8e4057d84c5743077a3c0736d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85mw8mk9.default-release\cache2\entries\AABE96BA22787782BA41B959C8ABDFBC6E46DFA2

Filesize
32KB

MD5
a6095db2a28a186f07ac820f706c61a0

SHA1
27b63512c79053e5349ac2943212fb62c17420d4

SHA256
6cf440dcaa78391a3cd97139cbf0b44ddc7ae1fd1ed45233478f6c8a2a782439

SHA512
ab0d0457a5383b9ca7e5ebbbf3ded93b65ba3820f7b77cee1b768e2e003c163173c81b9f46fa77e350afce69ba5c6c2f64d65520cfb111202d10d68dda7b9665

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85mw8mk9.default-release\cache2\entries\CDB24F4E8748C130FF0F0B8441F52A104142FB0D

Filesize
17KB

MD5
957e870193f9aaa2c5d621a01704f9f7

SHA1
5674b76ca16212a81be378c701d856c935e61e3f

SHA256
edfc5a12177220b69258bc848973c11e0e26335b750a646415e0ca7a86b2df48

SHA512
c3daab20d2212da47286edfb597d8d9bcb9752ec412e4d7061db2c00f91a3850ddbfaaf1beaa514f89cedbf9dff7158b343da7d968176817335e5d799d7c5c2d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85mw8mk9.default-release\cache2\entries\F10744C7CA592971724ABF51AAA27CFD2D19D557

Filesize
16KB

MD5
2d9c9198b9f5eb3318c02fc965aace43

SHA1
c37970262e77914fc24da5fb75d95461127260bd

SHA256
23096991bca76fe6141a3a7c190951eb53fa8c3cc5f3fc7a1c69ac9de12b0cd9

SHA512
36e01ff10f16f9486d877469b68bfea516038582930469dc4711149633563ab991a1ff8b167869841ea647d65c7dd0a5441ae5146422498fd0d50dfae373f875

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85mw8mk9.default-release\startupCache\webext.sc.lz4

Filesize
107KB

MD5
3ae0f73ed0847101b8bffb5351004895

SHA1
18b49c428cb019c639a2451d0016152f1f96e059

SHA256
811b544b18f43af671399dad5e19f4d70c0a2d8343ccfa1c7c949e18a8cb1bcf

SHA512
a161976484f2acddb907fad8cf545f5bb880986a019485548bbf1812d2337d8b58b6129a84ae7f9f76a28b3b267df37ce9d3a694975a89d39a89298e070aeab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\0EsgTYIxwU.bat

Filesize
217B

MD5
766657ea0ba9ce436a493546bf72a579

SHA1
045918ff52e366bcd0c297d55b12d4ccf295a02a

SHA256
a1d47bcf5919b29428070536e6648d44ef2814187a8ba9fedb950f3ca9376733

SHA512
d1771d58f869e80b654589646b62b92db0c6b53f2496d7135640c612ddfc9e2093ce9dcdeac82082689635c11ea36e78aefd8cba5585041e3046132248819803

Download Submit
C:\Users\Admin\AppData\Local\Temp\285J1A1WUD.bat

Filesize
217B

MD5
9a613dd24ddd9d31fcd022b41fa3a4cb

SHA1
6a024da71b9566f9c56693a39a823ced4f64c0dc

SHA256
56e125c9a200ba32c3c8312cff190c71eb3ca887e6b9aa50b3ce2d1b5eb87aa6

SHA512
1d4507147cb20bebf4e2511bfc27d00a8e036127169e764d0f1afd7eb20d7180813d2040ea463a76a409319331e956024eabbcd933ec9d213f9e0b33f74dbf05

Download Submit
C:\Users\Admin\AppData\Local\Temp\2hXwS5IfKK.bat

Filesize
217B

MD5
b3ac6a7613070b1da0beb9cce61387f3

SHA1
9243282cd105743b76c6a57c9b3dee4b1321a80f

SHA256
ed0149cbbc588deee110c24eb2e51c5f3565dd137137ae93f88ffa6f9b985235

SHA512
a40f8348363e728f81a2e1fad5e2a5ae97dadeeaf66c8aae76dc15919155a2a04590a1aed02bbc0b453d06ba6706e278eacb867020135f5dabeb6afddfa6040b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8JExSyzmRo.bat

Filesize
217B

MD5
8ec959a0077a6982136d778eeec5e111

SHA1
3d0788b5c2a4733c639479153cf6056510196b02

SHA256
b9b41aa8b16c14893169a5dbec28a73d4723c911bd2475d929b912537aacee42

SHA512
1b46757f6f6c6a83022511ca4d177ec50998757d5b4bb187ea79041ab0576217c35d37e3959778b6823e8069806857e0b30f973071f6dc404ac4f9300a9f6508

Download Submit
C:\Users\Admin\AppData\Local\Temp\DABqzejj4v.bat

Filesize
225B

MD5
0f04c7d00c13742b9b38c48132cdc1a2

SHA1
d4626d1d5776d5743f3c815cd227c8a68d1cca7d

SHA256
c9e7a480a27a4af5ae053d2141b805d2443e30bdc6568bf685d70325c51415d1

SHA512
78ffb7eed61176bd163e8cc915c780f8ab22c7fd022714d70140e0052bf14d401e364c78f517bd5f83fb12852eb0600a863772175be6313c95fb96db28d6b318

Download Submit
C:\Users\Admin\AppData\Local\Temp\EHU1Lrqt50.bat

Filesize
169B

MD5
044b5f4c844a431b18f270c0225b32eb

SHA1
f935fcde54a75244bc59c65e5083c5c3491676a9

SHA256
3b9570208c5d14dd6cb898665960ce29483cf464626603aed4528d2426c0c6ad

SHA512
ab08fb37595481abe294134e45767fb248bd6bb51a8ce1588802ffb6d152777bfd3885559444d047a99bf5651aabe2ed6f345a6bb448cd81a8f0900c2c850417

Download Submit
C:\Users\Admin\AppData\Local\Temp\IzyQn8pRfl.bat

Filesize
217B

MD5
b9b71860382f3374d79f8eb4b3a4d187

SHA1
10e46c5812bc28690b87b39fda1e064d95c0eb88

SHA256
d9b6cb21a5a0b40ecb01bf4c9228870e7235733895a57d91827a5110224901e3

SHA512
9c996960a1899a37ca0571606ccbbe595dca05c50081fe640a9a871a9c07068d09c6e318964a03403811cdc7d38c7373e90ac1e8be02add26050975ed4af353a

Download Submit
C:\Users\Admin\AppData\Local\Temp\JDnYIupIqg.bat

Filesize
217B

MD5
1288c702dc6cae27582c948ff7ff366e

SHA1
1ff57f1e9158b188ae3c7695b0b035211c724587

SHA256
3f869b593778f93dc73da47ed99ce8dd7fb6da3eede8c1c4043d62628f4799e7

SHA512
c6330c1ff1276d94231c39e4dcfd83751d12797fabb0cc0580712bb60e4d8574520d1532ffff9a23e1ef4ec0294a0bacfdd49d698e88dd2716f6e78ce6765e7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YvmOC36wL2.bat

Filesize
169B

MD5
6376e4fdeb3a286de13307ad111cefe2

SHA1
79d2935fe0cf57a92526e14801e47b0735cac991

SHA256
f2f2d47bc674c32ec4593a76f0e1f1a48b754a35929efe38393c3d2c54337ccd

SHA512
0969c9c3811dadaacf7e838a8956105a96d453e5e3c39c709dbbef3c5afde9603cd7bbcdadf72384f31f2305b061729362af442d914b40fb6badb533e4c645e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZAbXgo5nXx.bat

Filesize
169B

MD5
ff795d2f883b6aeadffe529f5a052754

SHA1
86c0333071d99f901feab97a3eae4470b44e3686

SHA256
8fbf49aafed3c8229c6e5c6c2cac19369c1751bbdb358a87d48def1e90c07f66

SHA512
df77d6b804fa1d78f3a6d8ac75090c9dba0899d4b3e14890f9f519ae82aae2659aaf027024ccfaebe9aaf04915fc70e4658193960ca093f1e7f6352ab947b96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gKb56fXXEK.bat

Filesize
177B

MD5
b84697c5e79851151275aeeb95d18115

SHA1
c3dfb93f6b5e3b1c11fa3bc8282281241d9f56b0

SHA256
d2190e80b8f9bdf410ea2d53585d38efd2d45c1c686ed63c8c40133abe970779

SHA512
a8f4f3e67de2404e293f8125c86ace9b5e97069ebe01093fbb1bddb18c22130201444538ec20b3157ba768e34209ce2d19c2ded3abf521c595436e059eea92b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\hFxofDmc2H.bat

Filesize
169B

MD5
e478ba5956f5c95a405a7ac8ab6d4e5d

SHA1
760a89e8aa3f4d4e1db5554c9cfc5f8bc073d0a9

SHA256
66893f0c1dca49b3eb2cae2e2c2e0568b715134e1741f8a547f7cec10b26ba1c

SHA512
a0df37eccc9deb295d909c78431198e5ce30b6174faee4d4e20b23e63db8dded90eca43ca6416a11c7c5653b535a09edc4ae3bc0e4f695c24241a6e3eb6ad799

Download Submit
C:\Users\Admin\AppData\Local\Temp\lxRC8VlBb2.bat

Filesize
217B

MD5
ecd299f00ef422d4220c2ed39215de6d

SHA1
d620c79c53568215bbc16d5c56b28d9298b05593

SHA256
6edd651ee658f5a72b950d88ae6a608d0343be986c0c34e2b9ea6763f8a01386

SHA512
c7f339ec63c243fe582989651b380e3eff83708b4ed7a58c7039e81e14596a2a493b57563a4de446084c662914d090a97d8f8cc1bed5ce7f1404a376eea6371c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wWOI1HKPNj.bat

Filesize
217B

MD5
f3e7070cdea0b0eadfbce20395887e87

SHA1
6af2a9a7e4d88a8f59e94b880428f686d670c9e5

SHA256
93da3addc34b92dc2b88511e1a48575b2dcf70835dee215191e9eac966d53f3c

SHA512
c867c839567629e7084fc5f3bc5a4d7a505caa01a329480e0ef2368b87b9acc0c8f7dc03a20606aa6ffc9b084496859a7738600f12e788abf728eacdd2edc8a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\z03YznJ6kZ.bat

Filesize
169B

MD5
3dd886aee773823e4b8dc522bba86692

SHA1
65699c44f2c2e3193ef5a167d4de1465cf80a4a4

SHA256
47c51baa726ffb5de351de08aaf6137cd9bd63fb3364403000ab6ef876c442e5

SHA512
cdc4432c56d3b2f20a966ddec2378e77d2c379dd27dec2a48b333960b9ff50784e82250c1e7b4b6295146af9694333aa00975023061c7a048c58586891f21c81

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\AlternateServices.bin

Filesize
6KB

MD5
31ed4c32840f764354e6452257e1220f

SHA1
17d6a4440f7260db99039b88464e19a782ead504

SHA256
33d9f1a8d9f50b798c5ca3ad3c40f74a32f85a49566b568d451c94cb7ec95a62

SHA512
e5a8091d4aa22dd54bd91a77589ccdad4ce8e181663b4f18186401fa31cabf472dc037ff593c068352f6863358b235360f6e2bce30738b06492f44d04fbe5180

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
7b6479eb299404f139da796ce688914c

SHA1
2942c7ada75eddb27960c1da88d6ad6e49ce6ca6

SHA256
56f6a70863441926d21ee65fe553d556008e5f70a452bcf160b206c6d168380d

SHA512
5b6856656e01cee009838b6f821edb4bb48e61add716e6b76aafeec8a19570affffff97cc00ef8f536fcaaa41e72e49761f56b9f8aadee0878690879d97652bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
af9eaf38b88c7345017183e0701da7e6

SHA1
4d2cc9ccd72b5066fd1da4653e51b49c3f739bd2

SHA256
35db68fcccde4b7360787b4817042a007cba868a13ddb986bbb6b06d193b2243

SHA512
3f9f604fd68f016faf4b76a67449dceb52ee8b6b895bfa36f59942bf8cfc8f44229ee28c36302bdeed24f2398a16335bc1880700cd72a79120912dc8b8715647

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\pending_pings\23005ed0-b225-4901-9572-dffdf6ef656d

Filesize
716B

MD5
c880e888fd92e71da2577a066bb57c0c

SHA1
eea64e7ed3b4604cca7f2876288827894b6568dc

SHA256
5017266114cea4055b9133c75095378c2d079bf45afcb877e9bbd4656064762f

SHA512
a2475f76208f749778c07d0cae5ac55113e957d0c223994dd41b16107310cf170670eb3966fb142db592eb734f93197e9b42f85ecf32c6d106de691e1629810e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\pending_pings\44274d5f-d20d-46d1-bdea-9987a4733f73

Filesize
982B

MD5
44f6a53ce69892c46f70bccacee795c3

SHA1
03c4674c36fd3a052f90517d97365c02874cf33e

SHA256
25a8ba621c4a962923c311dd8f1d944fe69949b970df8755dcc5e2493d534ad1

SHA512
6e32cd434958759ad52f1c1e283a4744e90b644e08fe0cfd829ff5e98ce374d86fb62f99fb4ea1d75356ea84d3359f8d2e799018e94935ef1945d1a4cf7dcce9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\datareporting\glean\pending_pings\c6674870-ff94-4184-97dd-fc5fa1a33fc5

Filesize
24KB

MD5
f8d68b2a58a2b30bc761972a268c60e0

SHA1
aba685f8ca607ec833170c1b4e867270c2dd2b74

SHA256
8d3874d4923e491f56096cd6648f4372e155d12327c5f12b7c0d72e80fb914fb

SHA512
6f1a14461743071b6009744383e513967f040124118288a9815cde3e77d10717503ba0e945d75f7e0920658b529a8de39ffa9d4226979fd2599c0192e09921d1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\prefs-1.js

Filesize
10KB

MD5
cd129ea586ff693ed06a9c4c15f6baf5

SHA1
f706df73846c95ba16d4cdb863a0ebd1c9b491ba

SHA256
160e68f72aaac5b7d39ad2e1aaaf6f1bd00ff05bfb3a9b338e33c16060d84d61

SHA512
d84621e2143ef535cca06429d465fb12e52fdbc7bd2f9d6e357e1d4a332fafaa331f325a3f2e61c672a078dce14288fab6995b434bcfdfdd7d1ad17f02400549

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\prefs-1.js

Filesize
11KB

MD5
8f54af119be4bd639a466faa31ec6c3c

SHA1
e3ebd2080e003d7e162195457f4f1425eb0fc9d9

SHA256
4300cbdacf1c89b6add8ad9ad927d881f448afe370dae12c0b1774fe7d84c480

SHA512
c6e3a79067a7b0ca60560ed503cac5d6459d7338cf4a670731976cef27c37f38d231cd12968b5bf19a5bdeb7abb14cc4c1bc1be801461ca1299235107b8f4ffe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\prefs.js

Filesize
11KB

MD5
8e1e3f1082fcf7c1db11f69d7efdc14f

SHA1
fb78dc20bbe543c1c5c23db33c9b6bc09ef21ee4

SHA256
3f21da2d0bcf1109180bf1d87deb8f918433fac47463389e79657e85bd506c98

SHA512
906355065bc434a08bfa5bf7482128c2194f3e057355be8cd2e80b58ba1cf29cf15d81a6715205d9ba3be33733caa4712829b8b8b24b3e2bcb04dbb73f3461ff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85mw8mk9.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
60630f1bd606b15197c6668469bc551e

SHA1
9100a10c9773527277e3d47c3b8e4ed4654338e7

SHA256
347be32b15c6ddae08f9779d7a16a2e601beeac1e3ab625d89eaed200cda40b7

SHA512
7078df879c482570713bc7beaaf2fd96e6a928bca667b6625bc01b6d0634a71bf03295b14be5d3b81eafeb62f64f8aeebbd8a8d1fe046f0287f0a594d26c8897

Download Submit
C:\Users\Admin\Desktop\Loader.exe

Filesize
1.4MB

MD5
1e7a149a4995ba4c2a34041989ce4158

SHA1
099c80e3162c5817827a4cb789ad11d129fda3fe

SHA256
1b816f6b718264d9323d2c47c53b187d5eb885d1c56bb3a4259e1028c3ba9159

SHA512
6993b5f8dae40fb83ed5ce3229fc8ea4353895122898824b4442c22b2a1dfabc1a5551583c55b84bf55eac294f02131657a1d7ad05ea64c0bde07c868015d4fc

Download Submit
C:\Users\Admin\Downloads\Loader.DR7lwAjW.rar.part

Filesize
1.3MB

MD5
6017324282d78c9b7f4ddb9f70b74823

SHA1
0b9f0274006e4e14a756e902511b31b20e641967

SHA256
2588687a50074efa3142b249355cd0c408aee80ae49360c99a95313aa307160f

SHA512
3076cf51f0774cfc5e091122da5f6f18c8670602cdce82037765dd104d796baa72beafcaeff9225bc9ede3b8bac2d61776bdfea4d6bc88fd11d5247b1bf844ef

Download Submit
memory/1452-768-0x0000000000580000-0x0000000000718000-memory.dmp

Filesize
1.6MB

Download