dcrat | aeb0677958be57d2f11478ee5ee9f71340bd2e9622fbcc594415b60f931285a1

Analysis

max time kernel
1041s
max time network
1049s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
23-11-2024 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FizzyCheat (1).rar
Size

37.6MB
MD5

70f8f6d8896058fca67f20fb924c820b
SHA1

ecded00cb4b778f2a65f4946cf7b4820709e8514
SHA256

aeb0677958be57d2f11478ee5ee9f71340bd2e9622fbcc594415b60f931285a1
SHA512

b50f829eccc7c8609b212995e435cb949a75f8a61166613b456a6763635b95bc4d401c00d090a36e88a08064f18c80f16202670233d5da93d8b594e75d4eb9a4
SSDEEP

786432:grBrEaDuM6HEBkdsGDpjKCAJDgmtbuHrWs73CeEEsNbH1COpVyHPoXSet8fa:+NEx7HaOsGD5KCfmtMrT/EEs9H1COTMa

Score

10^/10

dcrat discovery execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\OEM\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\System.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\SIHClient.exe\", \"C:\\Windows\\INF\\WmiApRpl\\0009\\WmiPrvSE.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\blockcomIntoruntimenet\\Defender.exe\""	Defender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\OEM\\RuntimeBroker.exe\""	Defender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\OEM\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\System.exe\""	Defender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\OEM\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\System.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\SIHClient.exe\""	Defender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\OEM\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\System.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\SIHClient.exe\", \"C:\\Windows\\INF\\WmiApRpl\\0009\\WmiPrvSE.exe\""	Defender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\OEM\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\System.exe\", \"C:\\Program Files (x86)\\Windows Multimedia Platform\\SIHClient.exe\", \"C:\\Windows\\INF\\WmiApRpl\\0009\\WmiPrvSE.exe\", \"C:\\Recovery\\WindowsRE\\services.exe\""	Defender.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2344	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4852	2344	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	2344	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2344	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	2344	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	2344	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4172	2344	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	2344	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	2344	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	2344	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3560	2344	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	2344	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	2344	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3240	2344	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2344	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4668	2344	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	2344	schtasks.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2344	schtasks.exe	85

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4228	powershell.exe
4152	powershell.exe
3288	powershell.exe
4704	powershell.exe
4208	powershell.exe
3820	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	FizzyLoader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	Defender.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	Defender.exe

Executes dropped EXE 11 IoCs

pid	Process
1704	FizzyLoader.exe
3368	FizzyLoader.exe
3856	Defender.exe
2736	Defender.exe
3296	Defender.exe
4964	services.exe
4840	Defender.exe
3872	System.exe
2456	SIHClient.exe
3332	RuntimeBroker.exe
1016	WmiPrvSE.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\INF\\WmiApRpl\\0009\\WmiPrvSE.exe\""	Defender.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\WindowsRE\\services.exe\""	Defender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\WindowsRE\\services.exe\""	Defender.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Defender = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\blockcomIntoruntimenet\\Defender.exe\""	Defender.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\OEM\\RuntimeBroker.exe\""	Defender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\OEM\\RuntimeBroker.exe\""	Defender.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SIHClient = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\SIHClient.exe\""	Defender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\INF\\WmiApRpl\\0009\\WmiPrvSE.exe\""	Defender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Defender = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\blockcomIntoruntimenet\\Defender.exe\""	Defender.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\7-Zip\\Lang\\System.exe\""	Defender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\7-Zip\\Lang\\System.exe\""	Defender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SIHClient = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\SIHClient.exe\""	Defender.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
38	ipinfo.io
39	ipinfo.io
50	ipinfo.io

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC5A741F4D1814EE6906FA4D7FBD4FDE.TMP	csc.exe
File created	\??\c:\Windows\System32\npvh5b.exe	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\27d1bcfc3c54e0	Defender.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\SIHClient.exe	Defender.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\7b3bf1de107bcf	Defender.exe
File created	C:\Program Files\7-Zip\Lang\System.exe	Defender.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\INF\WmiApRpl\0009\WmiPrvSE.exe	Defender.exe
File created	C:\Windows\INF\WmiApRpl\0009\24dbde2999530e	Defender.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FizzyLoader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Defender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings	Defender.exe
Key created	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000_Classes\Local Settings	Defender.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
544	schtasks.exe
2720	schtasks.exe
4488	schtasks.exe
5068	schtasks.exe
3560	schtasks.exe
2296	schtasks.exe
1652	schtasks.exe
656	schtasks.exe
4172	schtasks.exe
4900	schtasks.exe
4700	schtasks.exe
3240	schtasks.exe
4364	schtasks.exe
4852	schtasks.exe
1692	schtasks.exe
4548	schtasks.exe
5036	schtasks.exe
4668	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe
2736	Defender.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3672	7zFM.exe
3296	Defender.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3672	7zFM.exe
Token: 35	3672	7zFM.exe
Token: SeSecurityPrivilege	3672	7zFM.exe
Token: SeDebugPrivilege	2736	Defender.exe
Token: SeDebugPrivilege	4228	powershell.exe
Token: SeDebugPrivilege	3288	powershell.exe
Token: SeDebugPrivilege	4704	powershell.exe
Token: SeDebugPrivilege	4208	powershell.exe
Token: SeDebugPrivilege	4152	powershell.exe
Token: SeDebugPrivilege	3820	powershell.exe
Token: SeIncreaseQuotaPrivilege	3288	powershell.exe
Token: SeSecurityPrivilege	3288	powershell.exe
Token: SeTakeOwnershipPrivilege	3288	powershell.exe
Token: SeLoadDriverPrivilege	3288	powershell.exe
Token: SeSystemProfilePrivilege	3288	powershell.exe
Token: SeSystemtimePrivilege	3288	powershell.exe
Token: SeProfSingleProcessPrivilege	3288	powershell.exe
Token: SeIncBasePriorityPrivilege	3288	powershell.exe
Token: SeCreatePagefilePrivilege	3288	powershell.exe
Token: SeBackupPrivilege	3288	powershell.exe
Token: SeRestorePrivilege	3288	powershell.exe
Token: SeShutdownPrivilege	3288	powershell.exe
Token: SeDebugPrivilege	3288	powershell.exe
Token: SeSystemEnvironmentPrivilege	3288	powershell.exe
Token: SeRemoteShutdownPrivilege	3288	powershell.exe
Token: SeUndockPrivilege	3288	powershell.exe
Token: SeManageVolumePrivilege	3288	powershell.exe
Token: 33	3288	powershell.exe
Token: 34	3288	powershell.exe
Token: 35	3288	powershell.exe
Token: 36	3288	powershell.exe
Token: SeIncreaseQuotaPrivilege	3820	powershell.exe
Token: SeSecurityPrivilege	3820	powershell.exe
Token: SeTakeOwnershipPrivilege	3820	powershell.exe
Token: SeLoadDriverPrivilege	3820	powershell.exe
Token: SeSystemProfilePrivilege	3820	powershell.exe
Token: SeSystemtimePrivilege	3820	powershell.exe
Token: SeProfSingleProcessPrivilege	3820	powershell.exe
Token: SeIncBasePriorityPrivilege	3820	powershell.exe
Token: SeCreatePagefilePrivilege	3820	powershell.exe
Token: SeBackupPrivilege	3820	powershell.exe
Token: SeRestorePrivilege	3820	powershell.exe
Token: SeShutdownPrivilege	3820	powershell.exe
Token: SeDebugPrivilege	3820	powershell.exe
Token: SeSystemEnvironmentPrivilege	3820	powershell.exe
Token: SeRemoteShutdownPrivilege	3820	powershell.exe
Token: SeUndockPrivilege	3820	powershell.exe
Token: SeManageVolumePrivilege	3820	powershell.exe
Token: 33	3820	powershell.exe
Token: 34	3820	powershell.exe
Token: 35	3820	powershell.exe
Token: 36	3820	powershell.exe
Token: SeIncreaseQuotaPrivilege	4228	powershell.exe
Token: SeSecurityPrivilege	4228	powershell.exe
Token: SeTakeOwnershipPrivilege	4228	powershell.exe
Token: SeLoadDriverPrivilege	4228	powershell.exe
Token: SeSystemProfilePrivilege	4228	powershell.exe
Token: SeSystemtimePrivilege	4228	powershell.exe
Token: SeProfSingleProcessPrivilege	4228	powershell.exe
Token: SeIncBasePriorityPrivilege	4228	powershell.exe
Token: SeCreatePagefilePrivilege	4228	powershell.exe
Token: SeBackupPrivilege	4228	powershell.exe
Token: SeRestorePrivilege	4228	powershell.exe
Token: SeShutdownPrivilege	4228	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3672	7zFM.exe
3672	7zFM.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1424	javaw.exe
1424	javaw.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 3368	1704	FizzyLoader.exe	93
PID 1704 wrote to memory of 3368	1704	FizzyLoader.exe	93
PID 1704 wrote to memory of 3368	1704	FizzyLoader.exe	93
PID 1704 wrote to memory of 3856	1704	FizzyLoader.exe	94
PID 1704 wrote to memory of 3856	1704	FizzyLoader.exe	94
PID 1704 wrote to memory of 3856	1704	FizzyLoader.exe	94
PID 3368 wrote to memory of 1424	3368	FizzyLoader.exe	95
PID 3368 wrote to memory of 1424	3368	FizzyLoader.exe	95
PID 3856 wrote to memory of 4148	3856	Defender.exe	96
PID 3856 wrote to memory of 4148	3856	Defender.exe	96
PID 3856 wrote to memory of 4148	3856	Defender.exe	96
PID 4148 wrote to memory of 3944	4148	WScript.exe	97
PID 4148 wrote to memory of 3944	4148	WScript.exe	97
PID 4148 wrote to memory of 3944	4148	WScript.exe	97
PID 3944 wrote to memory of 2736	3944	cmd.exe	99
PID 3944 wrote to memory of 2736	3944	cmd.exe	99
PID 2736 wrote to memory of 4760	2736	Defender.exe	104
PID 2736 wrote to memory of 4760	2736	Defender.exe	104
PID 4760 wrote to memory of 3780	4760	csc.exe	106
PID 4760 wrote to memory of 3780	4760	csc.exe	106
PID 2736 wrote to memory of 3820	2736	Defender.exe	122
PID 2736 wrote to memory of 3820	2736	Defender.exe	122
PID 2736 wrote to memory of 4208	2736	Defender.exe	123
PID 2736 wrote to memory of 4208	2736	Defender.exe	123
PID 2736 wrote to memory of 4704	2736	Defender.exe	124
PID 2736 wrote to memory of 4704	2736	Defender.exe	124
PID 2736 wrote to memory of 3288	2736	Defender.exe	125
PID 2736 wrote to memory of 3288	2736	Defender.exe	125
PID 2736 wrote to memory of 4152	2736	Defender.exe	126
PID 2736 wrote to memory of 4152	2736	Defender.exe	126
PID 2736 wrote to memory of 4228	2736	Defender.exe	127
PID 2736 wrote to memory of 4228	2736	Defender.exe	127
PID 2736 wrote to memory of 1264	2736	Defender.exe	134
PID 2736 wrote to memory of 1264	2736	Defender.exe	134
PID 1264 wrote to memory of 2720	1264	cmd.exe	136
PID 1264 wrote to memory of 2720	1264	cmd.exe	136
PID 1264 wrote to memory of 3040	1264	cmd.exe	137
PID 1264 wrote to memory of 3040	1264	cmd.exe	137
PID 1264 wrote to memory of 3296	1264	cmd.exe	139
PID 1264 wrote to memory of 3296	1264	cmd.exe	139

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\FizzyCheat (1).rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3672

C:\Users\Admin\Desktop\FizzyLoader.exe
"C:\Users\Admin\Desktop\FizzyLoader.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Users\Admin\AppData\Local\Temp\FizzyLoader.exe
  "C:\Users\Admin\AppData\Local\Temp\FizzyLoader.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3368
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "C:\Users\Admin\AppData\Local\Temp\FizzyLoader.exe" org.develnext.jphp.ext.javafx.FXLauncher
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1424
- C:\Users\Admin\AppData\Local\Temp\Defender.exe
  "C:\Users\Admin\AppData\Local\Temp\Defender.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3856
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\blockcomIntoruntimenet\2hbBFPDTsbLvI9WSxpz8v92GutXIS0hCELr6ZyO8V1wYE4.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4148
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\blockcomIntoruntimenet\bd1AhTNNxrGV66tYOy2ZEUHGPs8VQbhmwUrnlWI0Sb7UU5ZCLEb9CdUjuon9.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3944
    - - C:\Users\Admin\AppData\Local\Temp\blockcomIntoruntimenet\Defender.exe
        
        "C:\Users\Admin\AppData\Local\Temp\blockcomIntoruntimenet/Defender.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\os04tr55\os04tr55.cmdline"
        6⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1373.tmp" "c:\Windows\System32\CSC5A741F4D1814EE6906FA4D7FBD4FDE.TMP"
        7⤵
        
        PID:3780
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\OEM\RuntimeBroker.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3820
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\System.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4208
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\SIHClient.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4704
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\INF\WmiApRpl\0009\WmiPrvSE.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3288
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4152
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\blockcomIntoruntimenet\Defender.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4228
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b6MHcTztGt.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2720
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\blockcomIntoruntimenet\Defender.exe
        
        "C:\Users\Admin\AppData\Local\Temp\blockcomIntoruntimenet\Defender.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:3296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\OEM\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\OEM\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\OEM\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SIHClientS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SIHClient.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SIHClient" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SIHClient.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SIHClientS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\SIHClient.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\INF\WmiApRpl\0009\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\INF\WmiApRpl\0009\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\INF\WmiApRpl\0009\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DefenderD" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\blockcomIntoruntimenet\Defender.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Defender" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\blockcomIntoruntimenet\Defender.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DefenderD" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\blockcomIntoruntimenet\Defender.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Recovery\WindowsRE\services.exe
"C:\Recovery\WindowsRE\services.exe"
1⤵
- Executes dropped EXE
PID:4964

C:\Users\Admin\AppData\Local\Temp\blockcomIntoruntimenet\Defender.exe
"C:\Users\Admin\AppData\Local\Temp\blockcomIntoruntimenet\Defender.exe"
1⤵
- Executes dropped EXE
PID:4840

C:\Program Files\7-Zip\Lang\System.exe
"C:\Program Files\7-Zip\Lang\System.exe"
1⤵
- Executes dropped EXE
PID:3872

C:\Program Files (x86)\Windows Multimedia Platform\SIHClient.exe
"C:\Program Files (x86)\Windows Multimedia Platform\SIHClient.exe"
1⤵
- Executes dropped EXE
PID:2456

C:\Recovery\OEM\RuntimeBroker.exe
"C:\Recovery\OEM\RuntimeBroker.exe"
1⤵
- Executes dropped EXE
PID:3332

C:\Windows\INF\WmiApRpl\0009\WmiPrvSE.exe
"C:\Windows\INF\WmiApRpl\0009\WmiPrvSE.exe"
1⤵
- Executes dropped EXE
PID:1016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Defender.exe.log

Filesize
1KB

MD5
0c7b881614350595ad003cb71967c2a8

SHA1
bbdb28ba7631368066ff2dc1b37db8c702f5c89c

SHA256
8b1e9bc02eea5727bd85036aebe7e03a66c2ed866311cd4758b8257f89c64fb6

SHA512
5fa4980fa6fe979d2ccc70f2e6294d6aed1f987ee6f97a774ae41d2fad8e37735fd0c48f8dde00ce39b4ca38fc9806a5184df219a4acd22ab09249129e900bc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WmiPrvSE.exe.log

Filesize
847B

MD5
37544b654facecb83555afec67d08b33

SHA1
4dc0f5db034801784b01befef5c1d3304145e1dc

SHA256
ec084a6c6ecd7d31f1927b0cd926ec03ce346a469f24e5a860e05f2241bd7bf4

SHA512
4af827ead52c8769672f58a69fca18484aeba1e59b7ec0527e200f8e3d893bcbc1063ea820260fc0b922985ee3b26c3a6f79b4044fb34f1b58f2e3379971b5f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d6d1b8bb34838ccf42d5f69e919b1612

SHA1
20e9df1f5dd5908ce1b537d158961e0b1674949e

SHA256
8a4e7eae00df2e789c958a38e78ac0b53f439afe2d5bfe8a81fb8c6e232b6491

SHA512
ff3ba5dc3cb548018747a315f098e01c5a6f8aee029223ef4080b3db76b0ecaa6a01a1c79e1434bdf2aa5b2ae66ec85d33e760064282411c7712fba890a0309d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
83d94e8aa23c7ad2db6f972739506306

SHA1
bd6d73d0417971c0077f772352d2f538a6201024

SHA256
dfa5cbd243b304f47196c492bc2d8b29941a550c2f076ef8bdfca72755e71881

SHA512
4224625e8ef8dadc72f1e1a1edfe2079656b14f2af94ce6128316481d96e9d0b6edf4de13fcdcc182038a2b29eb562b9246f944aecebfcb7c5ee8d7936b6287e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6a807b1c91ac66f33f88a787d64904c1

SHA1
83c554c7de04a8115c9005709e5cd01fca82c5d3

SHA256
155314c1c86d8d4e5b802f1eef603c5dd4a2f7c949f069a38af5ba4959bd8256

SHA512
29f2d9f30fc081e7fe6e9fb772c810c9be0422afdc6aff5a286f49a990ededebcf0d083798c2d9f41ad8434393c6d0f5fa6df31226d9c3511ba2a41eb4a65200

Download Submit
C:\Users\Admin\AppData\Local\Temp\Defender.exe

Filesize
2.2MB

MD5
d61d8298f6aa1267808836fdcffbb1dc

SHA1
c2c63a6365e86f2116594743a9e276f4f21870a2

SHA256
06b0c863373d212c1552d6e4e4dc862acd4bf90af49ea1854813e1029a8a7f0e

SHA512
a9e568ac3d23a3a279a69ecfd54816bcb1e35cf4020d21ea9a4b08472078c1aeefde0d2cdb730c69d753130c6837c5cf713c23aa54b2cec405d0eda597156c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FizzyLoader.exe

Filesize
36.1MB

MD5
0a34590d79e33bf17020fdccfb228522

SHA1
a8af8d2b0b6976c009e049d911663bc4193a89e6

SHA256
0af4b4ed4028bd1fd629d2d9696761a9ca05ce515be44a4bcf9edacbf96a67db

SHA512
3296d5db04fe3de85d7ca8c1dd3a888e3c7da41beade04091e98b06acfed0e7cc440afd376701c55c23d4e51e77f32198fe3c474055f57a4490c9bbb39a5c0b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1373.tmp

Filesize
1KB

MD5
e0cc219098c4943bb960969b788e72bc

SHA1
38a0e3bd8c1bf44aa7680612bcd2125b13a08709

SHA256
1da5fb09f9c0a64eef01a46e838de017e9e4adb7391c9bcedf7fb70aa2895675

SHA512
d1f98c33964eef186a3d24fb83afe2660a8f203ef6668ad3ad193cafef4c67adb8e13bc9f7f47bdd5280648a4e45fff333115822756b3f2c300f4790e8e6a825

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n3cuigkh.3ba.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b6MHcTztGt.bat

Filesize
245B

MD5
9911bf6bb5255c3885d30d5598dd0756

SHA1
0d0324ec6356f84be4d41c15661f30d07c50ca68

SHA256
6dbaf11d3ef0fad627cd7394eacfbd1cd09e44b430fe69c57e6c15d875296ec4

SHA512
5f1eb49985e3bb7aa8205d4bd622d582b6944267a7873e66c95df4aeaf6f5fcf86842741929a009ce82fb0dc63a0d5c53cefe0d510d4b16d9b3dc83c709096c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\blockcomIntoruntimenet\2hbBFPDTsbLvI9WSxpz8v92GutXIS0hCELr6ZyO8V1wYE4.vbe

Filesize
261B

MD5
372354b108c9afb589b208050aadf9bb

SHA1
c20ca72d4102051782565e1ed80f3382960865d3

SHA256
05c95cf50041da7e8f07daeab8ff6251b31f674f22dd933358c90e755732d0ba

SHA512
e46b3ffd0d880e872396a416d14a976e8cc9407c7013c6063d9e5fc4c96ff32524393d6c5d95bed8e360a6846b23e0b0c81d4c9cd56f955f4747600a50f43978

Download Submit
C:\Users\Admin\AppData\Local\Temp\blockcomIntoruntimenet\Defender.exe

Filesize
1.9MB

MD5
6cb50c9d25ef98e252246ee613f7c095

SHA1
227f13557df1edb63ef16009c46b5969ff69e361

SHA256
ea1a703b08ef3ad027b94818ba906972ea1f21786f8ec0a25cbd3ae360c795be

SHA512
5b58ce8c882b739ad86eb93097803dbcc20be9adceb305ffa1f739633bfc424ba1788c439f099b9613c1c59caf77a674568c8c14905f557b3d36545c3d397c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\blockcomIntoruntimenet\bd1AhTNNxrGV66tYOy2ZEUHGPs8VQbhmwUrnlWI0Sb7UU5ZCLEb9CdUjuon9.bat

Filesize
98B

MD5
f830748023d1ce6570aecadcec9962f7

SHA1
13f52d0fb2babc3f3ced3d391841b7f54081da3c

SHA256
e5205d2d31a15deb389cdfeef8b1f0da25b29105a3d9c7d1ca0a012e6816e8be

SHA512
970cde745cb1484d546088fc86f332709af534a8a99abba4e3e6b32138ed08b049fe9895c1066c6da55d8449937af201bb09dae297dd153c62a8ce25a2d3df88

Download Submit
C:\Users\Admin\Desktop\FizzyLoader.exe

Filesize
37.5MB

MD5
adb2660da94ed2b2b4efcf0a5fdba55f

SHA1
839295fdbff243d8bc61a4d317dfe124729251b4

SHA256
cb471b3ebce3dbbd57ca427c7828c53c2b4e5dc2a09433f225527fb092422a31

SHA512
e6930f6c9c413e7b92e3871444009b21a81787897b673ce8d95bf0a78bbe1b6165b7243b5887f959ac41666c38034d28f75650a3b9e86a9ea8eb6f16583e8a98

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\os04tr55\os04tr55.0.cs

Filesize
365B

MD5
dc6cb39dacbaf874c76a6c4ed2bec7d5

SHA1
5eed2044a5ac71ab3b497b61ea10f08e0f993f43

SHA256
d54411a243b817bfebb91ba8125139e05216d4b624f52f92c68aa050b374ea19

SHA512
5b564d07c0ee71e0ba90900886658478d283d3a61d22b63aecf36339007256b1318870bac9cbf2c90248a6c017d39b50f73edaeea15ee8f304e98dca55fd25ac

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\os04tr55\os04tr55.cmdline

Filesize
235B

MD5
dc091b5c8957a02570c4352bd0d71ad5

SHA1
7bd58490bf6fcc1c3840dd91d264276c2f868b83

SHA256
912aa15305a1120863ad6025f873680df3c63d670d814e07eff9b730cd499689

SHA512
012047592777f9ed630deecfd4ef46c495d25256aff66aa852fd7143530cda231b9d4a4936cae2c7f47e570291a52ac0d701d443518ecbc8a3b365ee3a68a5f7

Download Submit
\??\c:\Windows\System32\CSC5A741F4D1814EE6906FA4D7FBD4FDE.TMP

Filesize
1KB

MD5
19e1421a54f1523ab11614835b872fb8

SHA1
d2de7ead70215a7063c9598e4b22e2ddb2d8698b

SHA256
1cac65243c3e3a5b909055f131d60f31713dac08a3252319eb2740f39925aa29

SHA512
250bd7f0546d3ae68be7de5657666a0f4460ca6948e02d36d2e7a5a24b209682fb29126adbae5f8a94ba0d6903dcce0f07b71db6e18b69ed4cd31ea110f4798a

Download Submit
memory/1424-184-0x000001FBA12C0000-0x000001FBA12C1000-memory.dmp

Filesize
4KB

Download
memory/1424-321-0x000001FBB9A00000-0x000001FBB9A42000-memory.dmp

Filesize
264KB

Download
memory/1424-291-0x000001FBB9A00000-0x000001FBB9A42000-memory.dmp

Filesize
264KB

Download
memory/1424-292-0x000001FBB9AE0000-0x000001FBB9AF4000-memory.dmp

Filesize
80KB

Download
memory/1424-53-0x000001FBA12C0000-0x000001FBA12C1000-memory.dmp

Filesize
4KB

Download
memory/1424-111-0x000001FBA12C0000-0x000001FBA12C1000-memory.dmp

Filesize
4KB

Download
memory/1424-197-0x000001FBA12C0000-0x000001FBA12C1000-memory.dmp

Filesize
4KB

Download
memory/1424-189-0x000001FBA12C0000-0x000001FBA12C1000-memory.dmp

Filesize
4KB

Download
memory/1424-142-0x000001FBA12C0000-0x000001FBA12C1000-memory.dmp

Filesize
4KB

Download
memory/1704-6-0x00007FFF25930000-0x00007FFF263F2000-memory.dmp

Filesize
10.8MB

Download
memory/1704-33-0x00007FFF25930000-0x00007FFF263F2000-memory.dmp

Filesize
10.8MB

Download
memory/1704-4-0x00007FFF25933000-0x00007FFF25935000-memory.dmp

Filesize
8KB

Download
memory/1704-5-0x00000000007C0000-0x0000000002D48000-memory.dmp

Filesize
37.5MB

Download
memory/2736-60-0x0000000000A80000-0x0000000000C72000-memory.dmp

Filesize
1.9MB

Download
memory/2736-90-0x0000000002DB0000-0x0000000002DCC000-memory.dmp

Filesize
112KB

Download
memory/2736-222-0x000000001C140000-0x000000001C1AB000-memory.dmp

Filesize
428KB

Download
memory/2736-106-0x0000000002E10000-0x0000000002E1C000-memory.dmp

Filesize
48KB

Download
memory/2736-94-0x0000000002DD0000-0x0000000002DE8000-memory.dmp

Filesize
96KB

Download
memory/2736-101-0x0000000002DF0000-0x0000000002DF8000-memory.dmp

Filesize
32KB

Download
memory/2736-99-0x0000000002D90000-0x0000000002D9E000-memory.dmp

Filesize
56KB

Download
memory/2736-87-0x0000000002D30000-0x0000000002D3E000-memory.dmp

Filesize
56KB

Download
memory/2736-97-0x0000000002D80000-0x0000000002D8E000-memory.dmp

Filesize
56KB

Download
memory/2736-92-0x000000001B880000-0x000000001B8D0000-memory.dmp

Filesize
320KB

Download
memory/3296-328-0x000000001BD60000-0x000000001BDCB000-memory.dmp

Filesize
428KB

Download
memory/3368-30-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4228-221-0x0000024AEDE10000-0x0000024AEDE32000-memory.dmp

Filesize
136KB

Download