dcrat | e3b04ffe1c3222f16e71be15978a33b03fa6bdd92e276d7fa933f04e6929aed1

Analysis

max time kernel
66s
max time network
69s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
11-11-2024 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper.exe
Size

2.2MB
MD5

83539ba7c5103e90cf7230812873abb5
SHA1

aa84fc6f29b943e714f7be00e4cc7af957484381
SHA256

e3b04ffe1c3222f16e71be15978a33b03fa6bdd92e276d7fa933f04e6929aed1
SHA512

e8183cbd06ae2f1930cf7a2d417562d1c90cc1e5bbe580f0049d2b303ab4699f59981d6ab6a3f774c01dc014e9f1c7cc1933e1e6aeaea62404f42e1e07d27487
SSDEEP

24576:2TbBv5rUyXVijPqBdzumpuWIax7RAxXo6MA17qm8w4tBPP+3wVwLsvMlDF/3cWA3:IBJiSr41q9FtBPW3+elDNMWAgPrc7H

Score

10^/10

dcrat discovery execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Local Security Authority Process.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\sysmon.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\TrustedInstaller.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Local Security Authority Process.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\taskhostw.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Users\\Default User\\csrss.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\sysmon.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\sysmon.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\taskhostw.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\sysmon.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\TrustedInstaller.exe\""	Local Security Authority Process.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	4016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	4016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	4016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4952	4016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	4016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3276	4016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	4016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3704	4016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	4016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	4016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	4016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3192	4016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	4016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	4016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4288	4016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3824	4016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	4016	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	4016	schtasks.exe	86

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
5044	powershell.exe
964	powershell.exe
440	powershell.exe
4940	powershell.exe
4208	powershell.exe
1956	powershell.exe
3664	powershell.exe
1752	powershell.exe
3736	powershell.exe
1480	powershell.exe
4748	powershell.exe
3308	powershell.exe
3404	powershell.exe
3596	powershell.exe
4564	powershell.exe
4908	powershell.exe
228	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Bootstrapper.exeWScript.exeLocal Security Authority Process.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation	Local Security Authority Process.exe

Executes dropped EXE 2 IoCs

Processes:

Local Security Authority Process.exetaskhostw.exe

pid	Process
2524	Local Security Authority Process.exe
5596	taskhostw.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Local Security Authority Process.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\TrustedInstaller.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Recovery\\WindowsRE\\taskhostw.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\BitLockerDiscoveryVolumeContents\\sysmon.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Windows\\BitLockerDiscoveryVolumeContents\\sysmon.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Local Security Authority Process = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Local Security Authority Process.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Recovery\\WindowsRE\\taskhostw.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\TrustedInstaller.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Local Security Authority Process = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Local Security Authority Process.exe\""	Local Security Authority Process.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
20	ipinfo.io
21	ipinfo.io

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	Process
File created	\??\c:\Windows\System32\CSC9D57193CB80D4EC08E56A854DE17BA3.TMP	csc.exe
File created	\??\c:\Windows\System32\dnk2o1.exe	csc.exe

Drops file in Program Files directory 2 IoCs

Processes:

Local Security Authority Process.exe

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\TrustedInstaller.exe	Local Security Authority Process.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\04c1e7795967e4	Local Security Authority Process.exe

Drops file in Windows directory 2 IoCs

Processes:

Local Security Authority Process.exe

description	ioc	Process
File created	C:\Windows\BitLockerDiscoveryVolumeContents\sysmon.exe	Local Security Authority Process.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\121e5b5079f7c0	Local Security Authority Process.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

WScript.execmd.exeBootstrapper.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper.exe

Modifies registry class 2 IoCs

Processes:

Bootstrapper.exeLocal Security Authority Process.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings	Bootstrapper.exe
Key created	\REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings	Local Security Authority Process.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
2444	schtasks.exe
924	schtasks.exe
4952	schtasks.exe
1352	schtasks.exe
1624	schtasks.exe
4288	schtasks.exe
3824	schtasks.exe
2540	schtasks.exe
2884	schtasks.exe
2396	schtasks.exe
3276	schtasks.exe
3996	schtasks.exe
2948	schtasks.exe
3192	schtasks.exe
1500	schtasks.exe
2848	schtasks.exe
1212	schtasks.exe
3704	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Local Security Authority Process.exe

pid	Process
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe
2524	Local Security Authority Process.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Local Security Authority Process.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	2524	Local Security Authority Process.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	4564	powershell.exe
Token: SeDebugPrivilege	4908	powershell.exe
Token: SeDebugPrivilege	3404	powershell.exe
Token: SeDebugPrivilege	440	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	964	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	4208	powershell.exe
Token: SeDebugPrivilege	3664	powershell.exe
Token: SeDebugPrivilege	228	powershell.exe
Token: SeDebugPrivilege	5044	powershell.exe
Token: SeDebugPrivilege	3596	powershell.exe
Token: SeDebugPrivilege	3308	powershell.exe
Token: SeDebugPrivilege	4940	powershell.exe
Token: SeDebugPrivilege	3736	powershell.exe
Token: SeDebugPrivilege	4748	powershell.exe
Token: SeIncreaseQuotaPrivilege	1752	powershell.exe
Token: SeSecurityPrivilege	1752	powershell.exe
Token: SeTakeOwnershipPrivilege	1752	powershell.exe
Token: SeLoadDriverPrivilege	1752	powershell.exe
Token: SeSystemProfilePrivilege	1752	powershell.exe
Token: SeSystemtimePrivilege	1752	powershell.exe
Token: SeProfSingleProcessPrivilege	1752	powershell.exe
Token: SeIncBasePriorityPrivilege	1752	powershell.exe
Token: SeCreatePagefilePrivilege	1752	powershell.exe
Token: SeBackupPrivilege	1752	powershell.exe
Token: SeRestorePrivilege	1752	powershell.exe
Token: SeShutdownPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeSystemEnvironmentPrivilege	1752	powershell.exe
Token: SeRemoteShutdownPrivilege	1752	powershell.exe
Token: SeUndockPrivilege	1752	powershell.exe
Token: SeManageVolumePrivilege	1752	powershell.exe
Token: 33	1752	powershell.exe
Token: 34	1752	powershell.exe
Token: 35	1752	powershell.exe
Token: 36	1752	powershell.exe
Token: SeIncreaseQuotaPrivilege	964	powershell.exe
Token: SeSecurityPrivilege	964	powershell.exe
Token: SeTakeOwnershipPrivilege	964	powershell.exe
Token: SeLoadDriverPrivilege	964	powershell.exe
Token: SeSystemProfilePrivilege	964	powershell.exe
Token: SeSystemtimePrivilege	964	powershell.exe
Token: SeProfSingleProcessPrivilege	964	powershell.exe
Token: SeIncBasePriorityPrivilege	964	powershell.exe
Token: SeCreatePagefilePrivilege	964	powershell.exe
Token: SeBackupPrivilege	964	powershell.exe
Token: SeRestorePrivilege	964	powershell.exe
Token: SeShutdownPrivilege	964	powershell.exe
Token: SeDebugPrivilege	964	powershell.exe
Token: SeSystemEnvironmentPrivilege	964	powershell.exe
Token: SeRemoteShutdownPrivilege	964	powershell.exe
Token: SeUndockPrivilege	964	powershell.exe
Token: SeManageVolumePrivilege	964	powershell.exe
Token: 33	964	powershell.exe
Token: 34	964	powershell.exe
Token: 35	964	powershell.exe
Token: 36	964	powershell.exe
Token: SeIncreaseQuotaPrivilege	3664	powershell.exe
Token: SeSecurityPrivilege	3664	powershell.exe
Token: SeTakeOwnershipPrivilege	3664	powershell.exe
Token: SeLoadDriverPrivilege	3664	powershell.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

Bootstrapper.exeWScript.execmd.exeLocal Security Authority Process.execsc.execmd.exe

description	pid	Process	procid_target
PID 640 wrote to memory of 3632	640	Bootstrapper.exe	81
PID 640 wrote to memory of 3632	640	Bootstrapper.exe	81
PID 640 wrote to memory of 3632	640	Bootstrapper.exe	81
PID 3632 wrote to memory of 2960	3632	WScript.exe	90
PID 3632 wrote to memory of 2960	3632	WScript.exe	90
PID 3632 wrote to memory of 2960	3632	WScript.exe	90
PID 2960 wrote to memory of 2524	2960	cmd.exe	92
PID 2960 wrote to memory of 2524	2960	cmd.exe	92
PID 2524 wrote to memory of 2112	2524	Local Security Authority Process.exe	96
PID 2524 wrote to memory of 2112	2524	Local Security Authority Process.exe	96
PID 2112 wrote to memory of 64	2112	csc.exe	98
PID 2112 wrote to memory of 64	2112	csc.exe	98
PID 2524 wrote to memory of 964	2524	Local Security Authority Process.exe	114
PID 2524 wrote to memory of 964	2524	Local Security Authority Process.exe	114
PID 2524 wrote to memory of 4908	2524	Local Security Authority Process.exe	115
PID 2524 wrote to memory of 4908	2524	Local Security Authority Process.exe	115
PID 2524 wrote to memory of 4564	2524	Local Security Authority Process.exe	116
PID 2524 wrote to memory of 4564	2524	Local Security Authority Process.exe	116
PID 2524 wrote to memory of 4748	2524	Local Security Authority Process.exe	117
PID 2524 wrote to memory of 4748	2524	Local Security Authority Process.exe	117
PID 2524 wrote to memory of 1480	2524	Local Security Authority Process.exe	118
PID 2524 wrote to memory of 1480	2524	Local Security Authority Process.exe	118
PID 2524 wrote to memory of 3596	2524	Local Security Authority Process.exe	119
PID 2524 wrote to memory of 3596	2524	Local Security Authority Process.exe	119
PID 2524 wrote to memory of 1956	2524	Local Security Authority Process.exe	120
PID 2524 wrote to memory of 1956	2524	Local Security Authority Process.exe	120
PID 2524 wrote to memory of 3404	2524	Local Security Authority Process.exe	121
PID 2524 wrote to memory of 3404	2524	Local Security Authority Process.exe	121
PID 2524 wrote to memory of 228	2524	Local Security Authority Process.exe	122
PID 2524 wrote to memory of 228	2524	Local Security Authority Process.exe	122
PID 2524 wrote to memory of 3736	2524	Local Security Authority Process.exe	123
PID 2524 wrote to memory of 3736	2524	Local Security Authority Process.exe	123
PID 2524 wrote to memory of 5044	2524	Local Security Authority Process.exe	124
PID 2524 wrote to memory of 5044	2524	Local Security Authority Process.exe	124
PID 2524 wrote to memory of 4208	2524	Local Security Authority Process.exe	125
PID 2524 wrote to memory of 4208	2524	Local Security Authority Process.exe	125
PID 2524 wrote to memory of 1752	2524	Local Security Authority Process.exe	126
PID 2524 wrote to memory of 1752	2524	Local Security Authority Process.exe	126
PID 2524 wrote to memory of 4940	2524	Local Security Authority Process.exe	127
PID 2524 wrote to memory of 4940	2524	Local Security Authority Process.exe	127
PID 2524 wrote to memory of 440	2524	Local Security Authority Process.exe	128
PID 2524 wrote to memory of 440	2524	Local Security Authority Process.exe	128
PID 2524 wrote to memory of 3664	2524	Local Security Authority Process.exe	129
PID 2524 wrote to memory of 3664	2524	Local Security Authority Process.exe	129
PID 2524 wrote to memory of 3308	2524	Local Security Authority Process.exe	130
PID 2524 wrote to memory of 3308	2524	Local Security Authority Process.exe	130
PID 2524 wrote to memory of 2592	2524	Local Security Authority Process.exe	148
PID 2524 wrote to memory of 2592	2524	Local Security Authority Process.exe	148
PID 2592 wrote to memory of 5596	2592	cmd.exe	154
PID 2592 wrote to memory of 5596	2592	cmd.exe	154
PID 2592 wrote to memory of 4596	2592	cmd.exe	153
PID 2592 wrote to memory of 4596	2592	cmd.exe	153
PID 2592 wrote to memory of 5596	2592	cmd.exe	154
PID 2592 wrote to memory of 5596	2592	cmd.exe	154

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:640
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\qp9vGmuwSr0nkeo7qSVAnhO3kZyMkfu12RZ0OBiQNAI58E5ZggR.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Microsoft\ZkitL4SswB6Acn9KQ4n8phMXm8v73bXNMxhzpq69L79HkSe5Tb.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Local Security Authority Process.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft/Local Security Authority Process.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2524
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z5jjzmtn\z5jjzmtn.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2112
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC1A.tmp" "c:\Windows\System32\CSC9D57193CB80D4EC08E56A854DE17BA3.TMP"
        6⤵
        
        PID:64
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3404
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\sysmon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:440
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\TrustedInstaller.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Local Security Authority Process.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3308
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FakeaCZykR.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2592
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:5596
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4596
      - C:\Recovery\WindowsRE\taskhostw.exe
        
        "C:\Recovery\WindowsRE\taskhostw.exe"
        6⤵
        Executes dropped EXE
        
        PID:5596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\TrustedInstaller.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Local Security Authority ProcessL" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Local Security Authority Process.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Local Security Authority Process" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Local Security Authority Process.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Local Security Authority ProcessL" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Local Security Authority Process.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
60ba7ac90c0e466144b48a90919960b6

SHA1
fe7f5d9e1d317f9409d8daa35d9c890f7e222d6a

SHA256
43d3c3113c66141b3a1f1f1bbf2d32a80128d029903ca58db09e9c6a9410ef9e

SHA512
92a1d912fd7be06820ec97b192b965d04ff44ff6a1c76b55405ecf20ca995762d823f52f174d8f48feb1d454716ab244adb4945febbf4fe4a6f91dd9791f87f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
856B

MD5
07ae3b481c76113050c16ecf23424b78

SHA1
b934e824477a28bf3cc10fdd6e14706c3267ff56

SHA256
2f54825f302f3558b022a78b467bb9af45e8f1098bbddbbe6fad633c56f159ac

SHA512
f621b62ac04e3488725e93ee7bc40228250d7a8aee3d5a1910a746df6995f5958d8a42156bc7d4770c899c7eb0cb391b8c14c30486900e41292e53becc30ac99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6a807b1c91ac66f33f88a787d64904c1

SHA1
83c554c7de04a8115c9005709e5cd01fca82c5d3

SHA256
155314c1c86d8d4e5b802f1eef603c5dd4a2f7c949f069a38af5ba4959bd8256

SHA512
29f2d9f30fc081e7fe6e9fb772c810c9be0422afdc6aff5a286f49a990ededebcf0d083798c2d9f41ad8434393c6d0f5fa6df31226d9c3511ba2a41eb4a65200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
26c94c408a5a2e1e04f1191fc2902d3e

SHA1
ce50b153be03511bd62a477abf71a7e9f94e68a5

SHA256
86ad00a425874b935cc725f83780add09d08d7dc9cbfb705821955fe937c05ec

SHA512
70e7bc620b369d7d0fcf06f93da000819bf089a502f1014641ad14d56ead22f31c25b97363296fd3749c63bde6db3bf115b33504b160485d792e1331c337b586

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
af1cc13f412ef37a00e668df293b1584

SHA1
8973b3e622f187fcf484a0eb9fa692bf3e2103cb

SHA256
449c0c61734cf23f28ad05a7e528f55dd8a7c6ae7a723253707e5f73de187037

SHA512
75d954ec8b98f804d068635875fac06e9594874f0f5d6e2ad9d6267285d1d4a1de6309009de9e2956c6477a888db648396f77a1a49b58287d2683b8214e7a3d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\FakeaCZykR.bat

Filesize
211B

MD5
f1ac75776a82958536ec3dc1a6b17818

SHA1
d1d7c80ed8db254e8292be605a46c168703db7ab

SHA256
130fb6078ee14341759aa8c0ff6074bd03fc7efbe54878fd10f3d6a944d8d6a3

SHA512
2c81d8ef76902c3e33c0d96835af572ffa84580be011ea042483cc21be0aff3ae7e542630eaacb4836f42887dee7b203d2c1b6bd3a5b9d921bdd50dba941f945

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCC1A.tmp

Filesize
1KB

MD5
3e8ec6d2080df2806f4bfed2bdb25c31

SHA1
c6399f983324cab2fed11c2aabd87074f8a44332

SHA256
3f8a17a1ca055713fe54ac6753060d709ce8818b54c6e6dcd62d8aa580d14027

SHA512
c5aef9ec1bfcff4fffbd65f31daf185515dbef0eb332b9874498ad6801d0ec4834567573ca07539a5f0dc628ff1e7464d4d663c0dfbf9a81716f1fa03a40960e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q1iuhzjb.na2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Local Security Authority Process.exe

Filesize
1.9MB

MD5
4ba31fe7c90af2148e83fe198cf99d7b

SHA1
bd86eece0e892752950a13282cb323e0775ecae4

SHA256
196706cf85ccf38343444deecaeaced58faf7c22963fe45aaa8ea9938fe19a0e

SHA512
79991360ad8d5c8968f2aa4836b3b7b39074c99ad28aa25cc69931c4bdf2115921042d818d4cc319984cfa0ed8a9ee015506f3b4b8c026aeda82c5b03a5328f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\ZkitL4SswB6Acn9KQ4n8phMXm8v73bXNMxhzpq69L79HkSe5Tb.bat

Filesize
93B

MD5
fb55729d3f331e20fb5c1e5377634743

SHA1
ad5d1b461d7608598e2683d66eeee3c2a38c625f

SHA256
8603cadb532a5ab019b7f07a2c9652905a459f88c8cfe74d387f0d9594f323c9

SHA512
2ed609b4ad5d0d9da2d12c12947091e0ce2937a12856d95979a7d2c4248b1d5244e5fc3616d0be8a1fd8febc888eeb0bb6fe08fe38a359ceb2345510645d1870

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\qp9vGmuwSr0nkeo7qSVAnhO3kZyMkfu12RZ0OBiQNAI58E5ZggR.vbe

Filesize
245B

MD5
dde897c67a0ad3384e01f44658e986d0

SHA1
51e5a863d22d2305da3d6e82ed2da727a6db5ffa

SHA256
f3ea38d1aea5a693f1b87b3d1152f8a1de82391b34e2061ee0fbb29f2ec6dc57

SHA512
901990365c1539d432871ef01d36261f537e0928e3afbd93f0833d04355a55464dbe2ca07c59d7d495bb93ad0bf73ed33db748e5856d75941c18f232503c1892

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z5jjzmtn\z5jjzmtn.0.cs

Filesize
367B

MD5
d4441b688526b290b7bcccffbb00c280

SHA1
aa342a2d41021b3599287079abf6d2ce0d41ba19

SHA256
11824058b0d24cd2aa80c7d670107fdc5000957a964647658608356e14edbf4a

SHA512
afd62acae217c83d09106b026bcd5c5b73278ba7c2536b46a923fe11bd0dfa20ab6763b3eec49538b70901d0ec25a9b8fc4eded40c297dc7ecf4dc494ac1668b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\z5jjzmtn\z5jjzmtn.cmdline

Filesize
235B

MD5
bafbde2452403aa18df464b05418bae3

SHA1
1a7cfebd0631806c105de4c989bf90a316f80c05

SHA256
f10f12d43c4bb4fc94e36e377a12ba04978d087679dfb3dca94946e94367432e

SHA512
ab0fd81c3f4bad28a51d6eefec61e9e70fe89e9fe90a25da7b57f7317ac5a5baaf475c63cb6b18d0c03165922ecd5fd78fdedb0b2300e95752193411562bf472

Download Submit
\??\c:\Windows\System32\CSC9D57193CB80D4EC08E56A854DE17BA3.TMP

Filesize
1KB

MD5
775561cb0fd5f100b42ac5758ae200bb

SHA1
05987ff3a389d36f7cc66f0906afd470803520e2

SHA256
821d62917f13490566a3cff08a261328a0954dbb3d96cec18025763de74cb2d5

SHA512
6fc136ba28b0c822a00989a1df46c7629c7d1b820fee96fc2d24efe6d0ef2ee521f446637830978d9369d6d92ce11848170ac24a9e618aa5a78518cb011b27b9

Download Submit
memory/1480-76-0x000002C4A7E00000-0x000002C4A7E22000-memory.dmp

Filesize
136KB

Download
memory/2524-23-0x0000000002FB0000-0x0000000002FC8000-memory.dmp

Filesize
96KB

Download
memory/2524-57-0x0000000002FF0000-0x0000000002FF8000-memory.dmp

Filesize
32KB

Download
memory/2524-56-0x000000001C2A0000-0x000000001C30B000-memory.dmp

Filesize
428KB

Download
memory/2524-25-0x00000000013D0000-0x00000000013DE000-memory.dmp

Filesize
56KB

Download
memory/2524-27-0x0000000001570000-0x0000000001578000-memory.dmp

Filesize
32KB

Download
memory/2524-29-0x0000000001590000-0x000000000159C000-memory.dmp

Filesize
48KB

Download
memory/2524-21-0x000000001BD00000-0x000000001BD50000-memory.dmp

Filesize
320KB

Download
memory/2524-20-0x0000000002F90000-0x0000000002FAC000-memory.dmp

Filesize
112KB

Download
memory/2524-18-0x00000000013C0000-0x00000000013CE000-memory.dmp

Filesize
56KB

Download
memory/2524-16-0x0000000000B10000-0x0000000000CF8000-memory.dmp

Filesize
1.9MB

Download
memory/2524-15-0x00007FFEEA5D3000-0x00007FFEEA5D5000-memory.dmp

Filesize
8KB

Download
memory/5596-252-0x000000001B820000-0x000000001B828000-memory.dmp

Filesize
32KB

Download
memory/5596-251-0x000000001BC10000-0x000000001BC7B000-memory.dmp

Filesize
428KB

Download