dcrat | aeb0677958be57d2f11478ee5ee9f71340bd2e9622fbcc594415b60f931285a1

Analysis

max time kernel
112s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-11-2024 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FizzyCheat.rar
Size

37.6MB
MD5

70f8f6d8896058fca67f20fb924c820b
SHA1

ecded00cb4b778f2a65f4946cf7b4820709e8514
SHA256

aeb0677958be57d2f11478ee5ee9f71340bd2e9622fbcc594415b60f931285a1
SHA512

b50f829eccc7c8609b212995e435cb949a75f8a61166613b456a6763635b95bc4d401c00d090a36e88a08064f18c80f16202670233d5da93d8b594e75d4eb9a4
SSDEEP

786432:grBrEaDuM6HEBkdsGDpjKCAJDgmtbuHrWs73CeEEsNbH1COpVyHPoXSet8fa:+NEx7HaOsGD5KCfmtMrT/EEs9H1COTMa

Score

10^/10

dcrat discovery execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Games\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\Defender.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\csrss.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\csrss.exe\""	Defender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Games\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\Defender.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\csrss.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\csrss.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\conhost.exe\""	Defender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Games\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\Defender.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\csrss.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\csrss.exe\", \"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\conhost.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\blockcomIntoruntimenet\\Defender.exe\""	Defender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Games\\dllhost.exe\""	Defender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Games\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\Defender.exe\""	Defender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Games\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\Defender.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\csrss.exe\""	Defender.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2896	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2896	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	520	2896	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	2896	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	2896	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	2896	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2896	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2896	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2896	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2896	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2896	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2896	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2896	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2896	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2896	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	712	2896	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2896	schtasks.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	2896	schtasks.exe	38

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2684	powershell.exe
2100	powershell.exe
2108	powershell.exe
2784	powershell.exe
2216	powershell.exe
848	powershell.exe

Executes dropped EXE 5 IoCs

pid	Process
1952	FizzyLoader.exe
2236	FizzyLoader.exe
2632	Defender.exe
2656	Defender.exe
2072	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2768	cmd.exe
2768	cmd.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Microsoft Games\\dllhost.exe\""	Defender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Microsoft Games\\dllhost.exe\""	Defender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\conhost.exe\""	Defender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Defender = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\blockcomIntoruntimenet\\Defender.exe\""	Defender.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Defender = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\blockcomIntoruntimenet\\Defender.exe\""	Defender.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Defender = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\Defender.exe\""	Defender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Defender = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\Defender.exe\""	Defender.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\csrss.exe\""	Defender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\csrss.exe\""	Defender.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\All Users\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\conhost.exe\""	Defender.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ipinfo.io
10	ipinfo.io
163	ipinfo.io
164	ipinfo.io

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\3kmwe8.exe	csc.exe
File created	\??\c:\Windows\System32\CSC42DCE5A8A711473DB07E70255C31FB85.TMP	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\dllhost.exe	Defender.exe
File created	C:\Program Files\Microsoft Games\5940a34987c991	Defender.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FizzyLoader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Defender.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1912	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 54 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "276"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "224"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "42"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "276"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{83820CB1-AC1D-11EF-9C86-EA7747D117E6} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "122"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "224"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "209"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "229"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "209"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "122"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "229"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "209"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "42"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com\ = "42"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.java.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "229"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "224"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "276"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DOMStorage\java.com\Total = "122"	IEXPLORE.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Defender.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Defender.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1912	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
520	schtasks.exe
2992	schtasks.exe
1092	schtasks.exe
712	schtasks.exe
644	schtasks.exe
1752	schtasks.exe
2268	schtasks.exe
2416	schtasks.exe
1336	schtasks.exe
2264	schtasks.exe
2316	schtasks.exe
2516	schtasks.exe
3024	schtasks.exe
2932	schtasks.exe
1140	schtasks.exe
924	schtasks.exe
1312	schtasks.exe
2136	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe
2656	Defender.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2436	7zFM.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeRestorePrivilege	2436	7zFM.exe
Token: 35	2436	7zFM.exe
Token: SeSecurityPrivilege	2436	7zFM.exe
Token: SeSecurityPrivilege	2436	7zFM.exe
Token: SeSecurityPrivilege	2436	7zFM.exe
Token: SeDebugPrivilege	2656	Defender.exe
Token: SeDebugPrivilege	848	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	2072	conhost.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe
Token: SeShutdownPrivilege	440	chrome.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
2436	7zFM.exe
2436	7zFM.exe
2436	7zFM.exe
2436	7zFM.exe
1296	iexplore.exe
1296	iexplore.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe
440	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1296	iexplore.exe
1296	iexplore.exe
2144	IEXPLORE.EXE
2144	IEXPLORE.EXE
2144	IEXPLORE.EXE
2144	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 1952	2436	7zFM.exe	31
PID 2436 wrote to memory of 1952	2436	7zFM.exe	31
PID 2436 wrote to memory of 1952	2436	7zFM.exe	31
PID 1952 wrote to memory of 2236	1952	FizzyLoader.exe	32
PID 1952 wrote to memory of 2236	1952	FizzyLoader.exe	32
PID 1952 wrote to memory of 2236	1952	FizzyLoader.exe	32
PID 1952 wrote to memory of 2236	1952	FizzyLoader.exe	32
PID 1952 wrote to memory of 2632	1952	FizzyLoader.exe	33
PID 1952 wrote to memory of 2632	1952	FizzyLoader.exe	33
PID 1952 wrote to memory of 2632	1952	FizzyLoader.exe	33
PID 1952 wrote to memory of 2632	1952	FizzyLoader.exe	33
PID 2632 wrote to memory of 2600	2632	Defender.exe	34
PID 2632 wrote to memory of 2600	2632	Defender.exe	34
PID 2632 wrote to memory of 2600	2632	Defender.exe	34
PID 2632 wrote to memory of 2600	2632	Defender.exe	34
PID 2600 wrote to memory of 2768	2600	WScript.exe	35
PID 2600 wrote to memory of 2768	2600	WScript.exe	35
PID 2600 wrote to memory of 2768	2600	WScript.exe	35
PID 2600 wrote to memory of 2768	2600	WScript.exe	35
PID 2768 wrote to memory of 2656	2768	cmd.exe	37
PID 2768 wrote to memory of 2656	2768	cmd.exe	37
PID 2768 wrote to memory of 2656	2768	cmd.exe	37
PID 2768 wrote to memory of 2656	2768	cmd.exe	37
PID 2236 wrote to memory of 1296	2236	FizzyLoader.exe	42
PID 2236 wrote to memory of 1296	2236	FizzyLoader.exe	42
PID 2236 wrote to memory of 1296	2236	FizzyLoader.exe	42
PID 2236 wrote to memory of 1296	2236	FizzyLoader.exe	42
PID 2656 wrote to memory of 860	2656	Defender.exe	43
PID 2656 wrote to memory of 860	2656	Defender.exe	43
PID 2656 wrote to memory of 860	2656	Defender.exe	43
PID 1296 wrote to memory of 2144	1296	iexplore.exe	45
PID 1296 wrote to memory of 2144	1296	iexplore.exe	45
PID 1296 wrote to memory of 2144	1296	iexplore.exe	45
PID 1296 wrote to memory of 2144	1296	iexplore.exe	45
PID 860 wrote to memory of 2072	860	csc.exe	79
PID 860 wrote to memory of 2072	860	csc.exe	79
PID 860 wrote to memory of 2072	860	csc.exe	79
PID 2656 wrote to memory of 2784	2656	Defender.exe	63
PID 2656 wrote to memory of 2784	2656	Defender.exe	63
PID 2656 wrote to memory of 2784	2656	Defender.exe	63
PID 2656 wrote to memory of 2108	2656	Defender.exe	64
PID 2656 wrote to memory of 2108	2656	Defender.exe	64
PID 2656 wrote to memory of 2108	2656	Defender.exe	64
PID 2656 wrote to memory of 2100	2656	Defender.exe	65
PID 2656 wrote to memory of 2100	2656	Defender.exe	65
PID 2656 wrote to memory of 2100	2656	Defender.exe	65
PID 2656 wrote to memory of 2684	2656	Defender.exe	66
PID 2656 wrote to memory of 2684	2656	Defender.exe	66
PID 2656 wrote to memory of 2684	2656	Defender.exe	66
PID 2656 wrote to memory of 848	2656	Defender.exe	68
PID 2656 wrote to memory of 848	2656	Defender.exe	68
PID 2656 wrote to memory of 848	2656	Defender.exe	68
PID 2656 wrote to memory of 2216	2656	Defender.exe	69
PID 2656 wrote to memory of 2216	2656	Defender.exe	69
PID 2656 wrote to memory of 2216	2656	Defender.exe	69
PID 2656 wrote to memory of 932	2656	Defender.exe	75
PID 2656 wrote to memory of 932	2656	Defender.exe	75
PID 2656 wrote to memory of 932	2656	Defender.exe	75
PID 932 wrote to memory of 2644	932	cmd.exe	77
PID 932 wrote to memory of 2644	932	cmd.exe	77
PID 932 wrote to memory of 2644	932	cmd.exe	77
PID 932 wrote to memory of 1912	932	cmd.exe	78
PID 932 wrote to memory of 1912	932	cmd.exe	78
PID 932 wrote to memory of 1912	932	cmd.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\FizzyCheat.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Users\Admin\AppData\Local\Temp\7zO48971F87\FizzyLoader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO48971F87\FizzyLoader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Users\Admin\AppData\Local\Temp\FizzyLoader.exe
    "C:\Users\Admin\AppData\Local\Temp\FizzyLoader.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2236
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://java.com/download
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1296
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1296 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2144
- - C:\Users\Admin\AppData\Local\Temp\Defender.exe
    "C:\Users\Admin\AppData\Local\Temp\Defender.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\blockcomIntoruntimenet\2hbBFPDTsbLvI9WSxpz8v92GutXIS0hCELr6ZyO8V1wYE4.vbe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\blockcomIntoruntimenet\bd1AhTNNxrGV66tYOy2ZEUHGPs8VQbhmwUrnlWI0Sb7UU5ZCLEb9CdUjuon9.bat" "
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2768
      - C:\Users\Admin\AppData\Local\Temp\blockcomIntoruntimenet\Defender.exe
        
        "C:\Users\Admin\AppData\Local\Temp\blockcomIntoruntimenet/Defender.exe"
        6⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in Program Files directory
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oyk12byj\oyk12byj.cmdline"
        7⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD7C9.tmp" "c:\Windows\System32\CSC42DCE5A8A711473DB07E70255C31FB85.TMP"
        8⤵
        
        PID:2072
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\dllhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Defender.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\conhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\blockcomIntoruntimenet\Defender.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ETFuAMQ1Th.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2644
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1912
        
        C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\conhost.exe
        
        "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\conhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Games\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Games\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DefenderD" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Defender.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Defender" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Defender.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DefenderD" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Defender.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DefenderD" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\blockcomIntoruntimenet\Defender.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Defender" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\blockcomIntoruntimenet\Defender.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DefenderD" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\blockcomIntoruntimenet\Defender.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7feef3f9758,0x7feef3f9768,0x7feef3f9778
  2⤵
  PID:532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1152 --field-trial-handle=1680,i,9119160107277805729,4489523056196291301,131072 /prefetch:2
  2⤵
  PID:2136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1380 --field-trial-handle=1680,i,9119160107277805729,4489523056196291301,131072 /prefetch:8
  2⤵
  PID:1312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1460 --field-trial-handle=1680,i,9119160107277805729,4489523056196291301,131072 /prefetch:8
  2⤵
  PID:1056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2260 --field-trial-handle=1680,i,9119160107277805729,4489523056196291301,131072 /prefetch:1
  2⤵
  PID:488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2268 --field-trial-handle=1680,i,9119160107277805729,4489523056196291301,131072 /prefetch:1
  2⤵
  PID:852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=3216 --field-trial-handle=1680,i,9119160107277805729,4489523056196291301,131072 /prefetch:2
  2⤵
  PID:1040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1308 --field-trial-handle=1680,i,9119160107277805729,4489523056196291301,131072 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3452 --field-trial-handle=1680,i,9119160107277805729,4489523056196291301,131072 /prefetch:1
  2⤵
  PID:2932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=2752 --field-trial-handle=1680,i,9119160107277805729,4489523056196291301,131072 /prefetch:1
  2⤵
  PID:2680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3844 --field-trial-handle=1680,i,9119160107277805729,4489523056196291301,131072 /prefetch:1
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3908 --field-trial-handle=1680,i,9119160107277805729,4489523056196291301,131072 /prefetch:8
  2⤵
  PID:2624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4040 --field-trial-handle=1680,i,9119160107277805729,4489523056196291301,131072 /prefetch:1
  2⤵
  PID:1960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2368 --field-trial-handle=1680,i,9119160107277805729,4489523056196291301,131072 /prefetch:8
  2⤵
  PID:1912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2548 --field-trial-handle=1680,i,9119160107277805729,4489523056196291301,131072 /prefetch:8
  2⤵
  PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3976 --field-trial-handle=1680,i,9119160107277805729,4489523056196291301,131072 /prefetch:8
  2⤵
  PID:2384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3352 --field-trial-handle=1680,i,9119160107277805729,4489523056196291301,131072 /prefetch:8
  2⤵
  PID:2108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3360 --field-trial-handle=1680,i,9119160107277805729,4489523056196291301,131072 /prefetch:8
  2⤵
  PID:2976

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_A30EA9B4E1BC5DBF09A8EF399E086D27

Filesize
471B

MD5
e25e20936ce2f438efc05657849cd4b0

SHA1
563fbb8e945ec4854fb5c5233f101ef63eb1509c

SHA256
264b5c938d6529d4e0475168ad5f7fb23960683be21279c46175477ed8aaf1fb

SHA512
58e6b0d1495f13f9f8ccbd0ce28a37d44fe17ae9df94a30ca6ab67e6f4ebbca67c936903fb9fcb36d983d819dacfd7a62f6ce8043708e1797a15a60779209bb0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
4fa32206cba80761aee26409c2cf88fd

SHA1
8ab4d2131c11b539825db486aad8a23bf72553e0

SHA256
c1153698091a8bf20bc0ef353cc36add48dbac4d29aa0d1c462b7bde42fb4a25

SHA512
fb30c96cd85ebdf424bcb5c2e3f87c5285627437b65e3e92187ff8ab7ba2114be256bbc6dc117102f4801f41a0c643099cec7fd6b1cabd9c2805dd5033f0bb4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
7e164b7e82e52cf158621c773c737ca8

SHA1
1c4a70a22b990419b95e74f10ccb78ea69efe1ce

SHA256
aba281d052ef2eed9269fa2b9cd20f299a341a7110821eaf7be3a0d1806ab3a3

SHA512
dd81986d906d537f21e28cb001aa01084283b8ae785441f1d3da7176dbf076d39f23e0515cd8acffe37b5ce7f6c73f2364708ad988842f750027b2a7f1430dc0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_A30EA9B4E1BC5DBF09A8EF399E086D27

Filesize
404B

MD5
7932109d688e2c1e144a619951e548d7

SHA1
6ffa7f1b8c701af9d7470d6a4c1378c70ea75150

SHA256
bde66a2b034979d66b81decf0eb874fce747236e2a039fdc92bd1d64575cc1fc

SHA512
ed26d8ca7cad83e070603f2b08f62ba891468eed36cad80bf85f4f57f3793da35ea44d3955cad5ae4e29edc15a21c794dcb59c40c1d0d9167bff387468c542c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5db5dcba72e0e51282a13cf84a17017a

SHA1
4a7924ad49a2f5eb6b998b8de8ea1ec0cddf9f28

SHA256
c32a08994ee60abb4146b43b4b61a80368bda8c1767a6e07be91c0b5036cffa6

SHA512
8ebbd25cd046455a78536a7a2c276b5dab4de9791f965ef50c4802cf11fb6e1ef21adb48741e520990f4c544bf98571a65a965c24dbcf61b710a85a4dde4ac06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
71fe3ba9b45e01ec8dd0c8feaa66ddc0

SHA1
0cd652f94e65b5f2aaf8db7154e595912cec9d5c

SHA256
7a3a303f638823179cd151626c2125435e95020489117951290128c6a5f12a80

SHA512
21f2e57952f1e3043362f25ff3524cd5c9a8244237c67c92565906c6a651800160836312abbb900950a10aadeeaebd54af6afa9486610f4084caa8808850ff7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27343c25a5b7a4602f4b32e75c1b6f10

SHA1
a801b22d38be327868cfc1fd2852d3ca5d0171ca

SHA256
5f2270ef7480b31b1262f081bbd8b697f6739ea147be2d2acea327362fb262ab

SHA512
f906b0e998b5c2a17d2c5b985bc18aa72486f6f4007a6268cc76b6201894e70b21e5fc0e6b72cda55f135d1eafa2cc4b45fa128ffa7bfce735304b5d10824697

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
becfe7817bbe2cdd9a84dc364bc7274d

SHA1
4bd8b097be94a9d7d2dbc359fd8d834a04c99ac0

SHA256
24cd3166df41bbe58b0ad12cf0baf2a8ebf6437789a9da5f260eeb83ae42765d

SHA512
b0c2c9c7d0f5495dca35363faa6a9e828e0f8bbb26347fc4070d02b89dbd8f6a8bb09a98a4d47446c86534769ea40e2505db8c23ccba3ac45cd42ac3137f5ee1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
92592a50dadfa21a90d702d3719ec94d

SHA1
778feab796184e29483e48bb4245467642127388

SHA256
8bc5a8d5e18a71dcbe8d5bb5524fb5225d04ffbef4c84688ecff2854da1959f8

SHA512
4599e7147a5019bb64157a0901357c7023b865cc43f6b4c865214e09fc2db9006e25dfdbbf42c3ded3b79b60a3be72d345a0bda1c7a808a07898b6974e8aadac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2b55fcad956309cb799915b5b5e54a51

SHA1
a5a3e9568ba6dbd29e5d4ec3501eb14d6ddcbbdd

SHA256
31ff0cda0d50d9935292034fa6b780fb6eadf4090516dc5b054c4b273d3845b4

SHA512
7df3118f3135c214caf10c4b9ae4b4934352a7be002e4a34196bed2d8475642668bfc3a70895c5fb74e257af03c7e94626723bacc136e09a122f85537873fa39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48dc8512864edcf9cce8f9f39054a366

SHA1
583d79c72bb9a41afbab08eb30bf440df36d4b2d

SHA256
55900dae5ca5eb8b5f68f518744a70d9fae14ae88188d18718e2a4c123ec8325

SHA512
4f6e11a12a7ca2074f9c34cc81bf077fa3b7907dc8ed1ca788bf951e400c8254052e3947bcae6828b43b9aaacc8c75ba5a75e1ed402c5f57031bcb0e048dd694

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
20c147b97ae3dee8660add762fa18ca5

SHA1
5c51a10f54706565c96433e31305ba80a9dab064

SHA256
dcbd8560ae42b20f4c87ff585d4e5ea70507238edbd26e0e3705058496dd3c8d

SHA512
2f16e75b7c2d280dccf7d8c367e80e9ee0e0aee244575b41e03bb21cbad7520f8d553e76fd6e3abfd3ac0b264d0a945173e955f3679396a4a1bcbd8421d57b1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05afa5d03e7b0b80d7bf546b4f8e2393

SHA1
c1383f74a1ee8f825d68eb613acbc2344b9a0bb9

SHA256
7003636d84185ee4f582c9eb9f10f4e7e7a1e6033af3da442ac7bdf4c574b14c

SHA512
30c6f9ee5cb55962927392222589695d8193588b7bb5807bf6c6b4974ae4bc05adc62d8571a6fa488092749a829e87819d2b093fc9129e9b1fab0f44a7eff1c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3d3070f4f918f4b394914afa5a1035f

SHA1
3ebed92bb99b6ae6f1849b7595b61859cb06fb6d

SHA256
ae4697feecf601d54b2157b40fbb4178d3761fdf4142bbc21baf38bff9797384

SHA512
924cccd0c2171cdf9270840787db73b0ed8fbf10d96493c65bfcd6c67affffbaa946ea2ddcd6ca2a81a59dd60106e943dea1aadff7f1a2610130178e6a5f3e66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b5123a6dc5966e2943bb4ed6edbd4fb

SHA1
cb9a29b9aeabfc09ea48f3ff87941d22febdfc1b

SHA256
b0ea23f854067adbf9a744fff1100572e60ad12c1d0531e49ef7eafbf0301331

SHA512
7d298ca1ce12e0346fb4a3fe55c00b8ded376b2e054aaaaf72bf369e65a09293833589452f132d8b863bd679550cf50738704adb986cffae796604a543986649

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc299fcaa243e50e723ca72813402b79

SHA1
6aac8c889d3dbb47bea27ae0382aeea0e2d7d608

SHA256
d253568ae95c4cb8cefef11716613a4fcf14118762c003b94c848aab9fa86d50

SHA512
aa84124c2e41c0ad84616e145124ea9469b075d4831111396600902e21475a77964625b473bedfd20bcbf40d08f611f8d0980a09b3feebdcdb8d7454c8a3ed06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e41428b6e3f827849b251ffd52678f4

SHA1
af94af22d34a78bdedf96a7a7e713760d9bc6148

SHA256
3d480f6ae3e87eb8248d1a9a9f9de11725f0a046bc0118a667bc9a63710d97a0

SHA512
dd6f1ba3b3fdbce3b0833c0fd070a14121e9b77ba238e0387ac7d70d290d665c87ade31e1367d0c961930116c6dd66a9594b59503ec91a6ced4e490b4924268d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0e2e206a2b15d76ffecf39bc10bf3a6

SHA1
85d16841aec6c609d7786866ca98b7a5428f313c

SHA256
6ae8a2dc51c64bee7a14eafa3320920dd2a8069bd200449d6bac8c32664b6e6b

SHA512
6efc0dd2e6c91cf1207ba88e74c35d8db1d16cca4e5d812a40a474d86739380ab55ae08132e5747e9d1334b861453fc5e33d6cffc5184dc864b041c3c5033e44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f523b7c7a9615fdaee9d5a32b50e205

SHA1
3797e24ec85999d82cd2444b34efec6e0e309059

SHA256
aff190b5685885e16f3874ecd9b2a2fb33328cca42a9290b2973caf07bd50252

SHA512
f7bb81a94d1041b43e1f3e89b84ea0cb765871dcc4e8193a512b7dfb7cd30a2a697b9d39214d887fa0e2ebbcad9da170c2d1edb5f058680de0f1d3ed0e1fde32

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4205b1b5cad67564027ade7418bbb6da

SHA1
867664f320e5a980d1052bf1a5e944b0ef63c59f

SHA256
91d457ba42c930f26aa8b0b9bca051d94288c3a24772ea3bc2978796cf40b143

SHA512
3282c4f949c98178995930f5f23aed0e1c63a7304d82e1f70c2335042e373b873ee86df462fff4800163c684a97252f0f9dbd255676e924c685ff667e567b9ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58d8579e24738cb6f243b5117e79b8bd

SHA1
0786c2b2bf40cc784bda1426a95a7735d93379c1

SHA256
baa7e4ac65e60f61cb0f7f0278a45789d5ea4938c1f8759a00b110de6aca3d9e

SHA512
c0498e643316efe7160e1d2352517335924ed9eaad4ace793419e4453dd139b4a3aba5746cec658d8dac1ba3f1d7317e4c3a8794f502b26c14ecc99c17726e9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b471d3e413534dcedfe33cd7fbf4f03b

SHA1
e10909f48569c3e7cacf59076e8382c18b4324c1

SHA256
1db797b8ee327e216f16164afc7ec13cd2509d19ae18c2d5a84300844b1c4500

SHA512
89ee52e19bcb64e03900b8e12158d4718387cb7f5164ee4a9452fe86d131cf4800e86099ff8c736a2266524c864227f610de7201a875163101d68a39ed93e416

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dfea0346b3864369f607dd3a6daab49c

SHA1
b83aa3d553dc0426367ffac00e2caca91c995653

SHA256
0d86220f7df2b098a9349fc85ddcc140c0c271503eef32b860b0c037244df706

SHA512
5f467f6394b4001c38959a8fc2c9545cbc6fecbf0715f871f871df3f6e4280ba784a0a47d1e16126f03a66d1b711c8824c0846d16ee7e17ca018b423beaa4f06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d328e7a376fc5900dd031edbf9e48a0

SHA1
f492271264e19dcdfb507e82f3c248a5487cd379

SHA256
7429e813deff437ac6bf8f4cd7802ee3fa9f57941727915a53b2b6a2b1fce437

SHA512
d1da78136cb644f5f0a8e0863c5e1d3b1827f8a592c01a5f0433fd476cefa16407f60ce473fdd951cac9eb44b2608dfb4024ac7db3949a0f7ed436e74428aa31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3e378284519f68ad14ccc5d7b7f6f78

SHA1
cbac18c931137a1b2d533d28da1a675e098dab17

SHA256
955b9f509be6b100822511bd1172560542355e2fda5e8806adfc0b12ffad97fd

SHA512
f338aa2830d05b86f7acad57d24fe00a15aa0d94562285c9e808da025b5a72f28caa308c33e721fafc5227ae4ace778491405ec46a831a1a62cfc0621b6d18aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0bdc943042625c7a2a70f263afd10226

SHA1
9c8eb9f8506d6ae915bacf9c9f02940cd53e69bf

SHA256
4cad1f3389fdacf077c15afd833a16e70c9652676a75976a63b78da86b70049d

SHA512
bfce6b00aff98659ce6751dd420c3fcdf301a60ebf4f40d881bd2dc4ddd5a7fde564de12dce21f767fe74b40a7c454341287e7a1ffb27f448382f7ec03a625c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
06515d94969f2d3b3f07447947f4f497

SHA1
ed94e6f9b7b8e2ad446f99b284a05b8e24521ed3

SHA256
129ec176bfa1ff7163cade44663a1b7bed2b482ca49fc53985a3d73cb3bf6c20

SHA512
42ceeeb33d2e7169b8780355a2a5370910c5d685d2d614cec791286832ba6e971ed28175a934714a7a72031e2598415a2ae09edc26986d7fed9132a5e777c274

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e7f2e0fa4c6287d93424caf01a570a0

SHA1
8fd35647e44e43644096b750b164b1ba14e8b1e4

SHA256
161d47a1972c7aada0341090e72e348afcf48efa8dc376c60976c1f53339b8d8

SHA512
f05886274c0285c0b6b660c7a700357d3d82fa193a5811209d2a77c309bb44b746fc03467a1b3310e396a3f9cc5ac69b9c0d7c92268279e28f860df097f570a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
0b6655ef8f0a9dc861e97c52f7276bb5

SHA1
42e90a8483e4847700f65b06cf7d9b496c1c51f7

SHA256
51a709eb92321816e4d858d39aa27172045831a177e19d807cb9da4fbbf5470e

SHA512
cc7d88dc98df80ac939cff311fc29adcfd6ebed35fe09a451a0f3147f5e3f95d7f2d7b60afb571f1bf18587ac9a32161d3c1e9db356a0b10a45f9d6cfd54a6af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
03464ab060fa1f2bb0d2ef42e2c672ae

SHA1
90e337db99f15eecbf51621ab31890779f4444af

SHA256
0d378085a96dfedf23c276009b81aa65688bf743f7c5b5245f4c6613ae5b43ca

SHA512
c4aa03862cdc4bbdaff67baab8bf4a2900133126e20ff296e37b5f2151e1968527fdc0dd6b692bdcc93bfeb7374a28fa599c7ec7bff86688e81f2d4a918ac778

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b2f3b53a131b7ec43fc5487ee1f48732

SHA1
2af6b18ad54a004b808279929ce16503bab741c0

SHA256
1af1d87480c88430538705539ef4c2e8deec53283a12fbcdccbddb66ad4b84ce

SHA512
1993ffdf50bdd4b7ebe174362b13f86d19d2edb11eb53e0d2230e843c62201bc692107aab1ab394c427cd4c7eeb5d74062b94718c357ee83f83b8a5a8e5ba3a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
689B

MD5
b9515a721bea37485ad406c0d9e27549

SHA1
491ee5a6e173f48d94481708dd10ba49d21f939b

SHA256
ad6bf7afec56c8d0b38d0549cf35fed41e4f5b068d9273eb5d2b97d5a507914b

SHA512
65cff8f67a09378a42d6552d04a29de8bf66e9e789ca2b30dae727d050093bcd4404f67b7c8a078a9888e4e010373f322bc5cd2ee9f2afea9e580a9c2b2adb6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data

Filesize
92KB

MD5
7add1c824997f97426ac4a0ccdf5e5a5

SHA1
ad3e62c830285c473a119853c817e945c72d9a6c

SHA256
5c3edabc12228b3a6c41eba7a6211bff83801998f73b13855cba2edcd6a85f5f

SHA512
cef7528e27dd0b788adc14f4f8820694b0d6b08311f20ff1da2f489cffdda774e91a46f3bf4443e18083868616358e9e482351452e82c825ad3f13457e679934

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\c524058e-fe3a-4d6a-9d1c-54b87b8881d4.tmp

Filesize
6KB

MD5
fbf61f9efd43391c949867e7215f199a

SHA1
94ebb0798c675abb6ef14902d4dea27ed906ad3f

SHA256
94ac79206d09c593811f61e1c6c4b821352c2d589382fdcc2a5c887e94d2943c

SHA512
ac5ad27241b3ee3f66c6ac5129038578e8513d90a9e3cbc6d6e6f96da821116704e5f86fe70da54b175e66545735a4bbf70762041c964c2342327166b6befee4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
347KB

MD5
7b0eb788437e9d308591031145a33ae5

SHA1
31de8fa8f97b6b43b93386b56b541fac2d5c462a

SHA256
b2bcf5c4ddb3d21d81dc6ee3cfc2ef7d477336461f869fa146749d7f59e308d1

SHA512
d8ca5eb35c43c496edfaa8e7771e2a1e27fca484a028e8e5ce4457bbf19171e5d7f1afb1ad946ff95ef115dbf44a47e178eeecc6a5333c6f866646e70af737a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\HU4SL1MK\www.java[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\HU4SL1MK\www.java[1].xml

Filesize
216B

MD5
69689af81786716e4bc3993ec589b3db

SHA1
20155a73261405d64b7b90f500d68df5dcd2fbbb

SHA256
068617bdb97a3d7def29b6e7cc15aa45f9d2ecb80a442f450b13233aa2e5471f

SHA512
41788122aa50ab720710c9d4006e45d4002a0118286fc8e4da38ba47185e426072e33a7ca642e6e8561700ac37286fff2aa4e900e0b3db5656e9ed7818c6692e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\anyweax\imagestore.dat

Filesize
1KB

MD5
8f8ac4999af92690580232c08638b110

SHA1
911a1dcc952f870bd1617caef1f84b2895c0839f

SHA256
ddc28f4e3f272212980a74ef8b9952d5fdfb252230e017b66f8d860d8c237277

SHA512
b33064d40e1e98bd09d0318f72c82c594e3490260b314faa383b72cf5ae66607ebe4a333c12c1da429b2e7e6921d3240edabe9c682f660983e713cebc47912bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q4648X1K\favicon[1].ico

Filesize
1KB

MD5
8e39f067cc4f41898ef342843171d58a

SHA1
ab19e81ce8ccb35b81bf2600d85c659e78e5c880

SHA256
872bad18b566b0833d6b496477daab46763cf8bdec342d34ac310c3ac045cefd

SHA512
47cd7f4ce8fcf0fc56b6ffe50450c8c5f71e3c379ecfcfd488d904d85ed90b4a8dafa335d0e9ca92e85b02b7111c9d75205d12073253eed681868e2a46c64890

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO48971F87\FizzyLoader.exe

Filesize
37.5MB

MD5
adb2660da94ed2b2b4efcf0a5fdba55f

SHA1
839295fdbff243d8bc61a4d317dfe124729251b4

SHA256
cb471b3ebce3dbbd57ca427c7828c53c2b4e5dc2a09433f225527fb092422a31

SHA512
e6930f6c9c413e7b92e3871444009b21a81787897b673ce8d95bf0a78bbe1b6165b7243b5887f959ac41666c38034d28f75650a3b9e86a9ea8eb6f16583e8a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabED.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Defender.exe

Filesize
2.2MB

MD5
d61d8298f6aa1267808836fdcffbb1dc

SHA1
c2c63a6365e86f2116594743a9e276f4f21870a2

SHA256
06b0c863373d212c1552d6e4e4dc862acd4bf90af49ea1854813e1029a8a7f0e

SHA512
a9e568ac3d23a3a279a69ecfd54816bcb1e35cf4020d21ea9a4b08472078c1aeefde0d2cdb730c69d753130c6837c5cf713c23aa54b2cec405d0eda597156c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ETFuAMQ1Th.bat

Filesize
228B

MD5
3761f774392f16b180c37db71e00db07

SHA1
2246a0d41beadb2076892093eb982f13a1921f93

SHA256
c17f1151c40dec0ff2a4b1582438186f4af95036cfbe1976b02172ba274d9f67

SHA512
c1688918a04b3d50c7f5130001ef37e2c45bb6089ab0d5b5e55e73541ce057b6c7e8cf7dd4dd8bb9b4ea582004bb8d276b44c1f6aa36e3e20b8c41135cdba4d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\FizzyLoader.exe

Filesize
36.1MB

MD5
0a34590d79e33bf17020fdccfb228522

SHA1
a8af8d2b0b6976c009e049d911663bc4193a89e6

SHA256
0af4b4ed4028bd1fd629d2d9696761a9ca05ce515be44a4bcf9edacbf96a67db

SHA512
3296d5db04fe3de85d7ca8c1dd3a888e3c7da41beade04091e98b06acfed0e7cc440afd376701c55c23d4e51e77f32198fe3c474055f57a4490c9bbb39a5c0b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD7C9.tmp

Filesize
1KB

MD5
bd1e04b6b71150554892d52ebe2d5a4f

SHA1
cc55d1ae9df29d8575a9ba20343cb5e3f7398550

SHA256
5f8891cfcc6cae900ab9dee6a8a06bbef432bca4d02f016625fab6af8b2735a1

SHA512
4ec38d924cc6948bac8a54a6dda061c3a28a5ed3504bbd10ca01e7e5ca62b8203e61a30b1efee5b99da85a01fb016086d6720719a2e6ffaee474e18336acb424

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\blockcomIntoruntimenet\2hbBFPDTsbLvI9WSxpz8v92GutXIS0hCELr6ZyO8V1wYE4.vbe

Filesize
261B

MD5
372354b108c9afb589b208050aadf9bb

SHA1
c20ca72d4102051782565e1ed80f3382960865d3

SHA256
05c95cf50041da7e8f07daeab8ff6251b31f674f22dd933358c90e755732d0ba

SHA512
e46b3ffd0d880e872396a416d14a976e8cc9407c7013c6063d9e5fc4c96ff32524393d6c5d95bed8e360a6846b23e0b0c81d4c9cd56f955f4747600a50f43978

Download Submit
C:\Users\Admin\AppData\Local\Temp\blockcomIntoruntimenet\Defender.exe

Filesize
1.9MB

MD5
6cb50c9d25ef98e252246ee613f7c095

SHA1
227f13557df1edb63ef16009c46b5969ff69e361

SHA256
ea1a703b08ef3ad027b94818ba906972ea1f21786f8ec0a25cbd3ae360c795be

SHA512
5b58ce8c882b739ad86eb93097803dbcc20be9adceb305ffa1f739633bfc424ba1788c439f099b9613c1c59caf77a674568c8c14905f557b3d36545c3d397c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\blockcomIntoruntimenet\bd1AhTNNxrGV66tYOy2ZEUHGPs8VQbhmwUrnlWI0Sb7UU5ZCLEb9CdUjuon9.bat

Filesize
98B

MD5
f830748023d1ce6570aecadcec9962f7

SHA1
13f52d0fb2babc3f3ced3d391841b7f54081da3c

SHA256
e5205d2d31a15deb389cdfeef8b1f0da25b29105a3d9c7d1ca0a012e6816e8be

SHA512
970cde745cb1484d546088fc86f332709af534a8a99abba4e3e6b32138ed08b049fe9895c1066c6da55d8449937af201bb09dae297dd153c62a8ce25a2d3df88

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
920ff70a522b66ed64764ef2964cb722

SHA1
5ad4be794d2aab79dd52732dafae53b866c35d85

SHA256
7b9bf0856095327273b853c7525acdc9c52c42662226700aaaa35b0784f8bd57

SHA512
8ea55cba4bef1346904020626662498dfd2105329adc35695eb295245402489b059c5430b1fca32b335d28be1545f7fe9ebd6c688a2c1c63d360c400955e35dd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oyk12byj\oyk12byj.0.cs

Filesize
376B

MD5
1da2915423adf48f94b479f9e36cc1b6

SHA1
e6a62dcb68ab67acb7fedabaeb7868401fcf113c

SHA256
66fe8bf6ee5c079ea066a5942189427782e1061946c7183565d514e68b4eac9f

SHA512
4a6de6342fbe7614dcf443c0daa0d201b03a4812561e1275c9a5c5a892f6b0a863c1f4b3a8a7a80fa3fe7843b52249e7638bcee2697393c3859cb8ed2f8c0e57

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\oyk12byj\oyk12byj.cmdline

Filesize
235B

MD5
efd66397f640fef46dd6cbd71dd238ae

SHA1
3c1746548f50713dbbba8d45078545015ef02432

SHA256
b55b82a3d143a3dc3f8823b88b17499476411115ebcfe8b870d1d26ac21c3dfd

SHA512
c4066ced3c23fdfedb99717c939c5a4a2304900c94e322977734d0b889d4f8ac9f9b814c0542fc34cd621755612455813936be694050ef770e5c3ac3b0314130

Download Submit
\??\c:\Windows\System32\CSC42DCE5A8A711473DB07E70255C31FB85.TMP

Filesize
1KB

MD5
8c85ef91c6071d33745325a8fa351c3e

SHA1
e3311ceef28823eec99699cc35be27c94eca52d2

SHA256
8db3e3a5515da1933036688a9b1918cfc3339fc687008c5325461271904b2d41

SHA512
2bb89b07fe46b1c406ed6a560e88cb2b8402b1d61bb71e10887bad661751f64f1e5317fd6c1b301ea4766785b915da31b64e0475cfe36c1f950b32915b5dab7d

Download Submit
memory/848-131-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/1952-14-0x0000000001120000-0x00000000036A8000-memory.dmp

Filesize
37.5MB

Download
memory/2072-670-0x0000000000FF0000-0x00000000011E2000-memory.dmp

Filesize
1.9MB

Download
memory/2236-70-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2656-46-0x00000000002C0000-0x00000000002DC000-memory.dmp

Filesize
112KB

Download
memory/2656-48-0x0000000000460000-0x0000000000478000-memory.dmp

Filesize
96KB

Download
memory/2656-42-0x0000000000F10000-0x0000000001102000-memory.dmp

Filesize
1.9MB

Download
memory/2656-44-0x0000000000290000-0x000000000029E000-memory.dmp

Filesize
56KB

Download
memory/2656-54-0x0000000000480000-0x0000000000488000-memory.dmp

Filesize
32KB

Download
memory/2656-56-0x0000000000490000-0x000000000049C000-memory.dmp

Filesize
48KB

Download
memory/2656-52-0x00000000002B0000-0x00000000002BE000-memory.dmp

Filesize
56KB

Download
memory/2656-50-0x00000000002A0000-0x00000000002AE000-memory.dmp

Filesize
56KB

Download
memory/2784-119-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download