dcrat | e3b04ffe1c3222f16e71be15978a33b03fa6bdd92e276d7fa933f04e6929aed1

Analysis

max time kernel
65s
max time network
66s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
11-11-2024 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper.exe
Size

2.2MB
MD5

83539ba7c5103e90cf7230812873abb5
SHA1

aa84fc6f29b943e714f7be00e4cc7af957484381
SHA256

e3b04ffe1c3222f16e71be15978a33b03fa6bdd92e276d7fa933f04e6929aed1
SHA512

e8183cbd06ae2f1930cf7a2d417562d1c90cc1e5bbe580f0049d2b303ab4699f59981d6ab6a3f774c01dc014e9f1c7cc1933e1e6aeaea62404f42e1e07d27487
SSDEEP

24576:2TbBv5rUyXVijPqBdzumpuWIax7RAxXo6MA17qm8w4tBPP+3wVwLsvMlDF/3cWA3:IBJiSr41q9FtBPW3+elDNMWAgPrc7H

Score

10^/10

dcrat discovery execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Local Security Authority Process.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jre-1.8\\lib\\applet\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Defender\\de-DE\\spoolsv.exe\", \"C:\\Users\\Default\\Start Menu\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\lsass.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jre-1.8\\lib\\applet\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Defender\\de-DE\\spoolsv.exe\", \"C:\\Users\\Default\\Start Menu\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeCore\\90.0.818.66\\sysmon.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jre-1.8\\lib\\applet\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Defender\\de-DE\\spoolsv.exe\", \"C:\\Users\\Default\\Start Menu\\wininit.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\lsass.exe\", \"C:\\Program Files (x86)\\Microsoft\\EdgeCore\\90.0.818.66\\sysmon.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Local Security Authority Process.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jre-1.8\\lib\\applet\\fontdrvhost.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jre-1.8\\lib\\applet\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Defender\\de-DE\\spoolsv.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Java\\jre-1.8\\lib\\applet\\fontdrvhost.exe\", \"C:\\Program Files\\Windows Defender\\de-DE\\spoolsv.exe\", \"C:\\Users\\Default\\Start Menu\\wininit.exe\""	Local Security Authority Process.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3316	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3876	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3856	2420	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	2420	schtasks.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1696	powershell.exe
1972	powershell.exe
3324	powershell.exe
4060	powershell.exe
1888	powershell.exe
4204	powershell.exe
1868	powershell.exe
2424	powershell.exe
4508	powershell.exe
4712	powershell.exe
1484	powershell.exe
1760	powershell.exe
4900	powershell.exe
4396	powershell.exe
1944	powershell.exe
2516	powershell.exe
2128	powershell.exe

Executes dropped EXE 2 IoCs

Processes:

Local Security Authority Process.exefontdrvhost.exe

pid process

3448 Local Security Authority Process.exe
5296 fontdrvhost.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Local Security Authority Process.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files (x86)\\Microsoft\\EdgeCore\\90.0.818.66\\sysmon.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\Local Security Authority Process = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Local Security Authority Process.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Local Security Authority Process = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Local Security Authority Process.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Java\\jre-1.8\\lib\\applet\\fontdrvhost.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows Defender\\de-DE\\spoolsv.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Default\\Start Menu\\wininit.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\lsass.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\lsass.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\Program Files (x86)\\Microsoft\\EdgeCore\\90.0.818.66\\sysmon.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Java\\jre-1.8\\lib\\applet\\fontdrvhost.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files\\Windows Defender\\de-DE\\spoolsv.exe\""	Local Security Authority Process.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Default\\Start Menu\\wininit.exe\""	Local Security Authority Process.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ipinfo.io
2 ipinfo.io

flow	ioc
1	ipinfo.io
2	ipinfo.io

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	process
File created	\??\c:\Windows\System32\CSC5798B35B82024A78B85BB4885E54351.TMP	csc.exe
File created	\??\c:\Windows\System32\pf6bhg.exe	csc.exe

Drops file in Program Files directory 9 IoCs

Processes:

Local Security Authority Process.exe

description	ioc	process
File created	C:\Program Files\Java\jre-1.8\lib\applet\5b884080fd4f94	Local Security Authority Process.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\sysmon.exe	Local Security Authority Process.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\121e5b5079f7c0	Local Security Authority Process.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\lsass.exe	Local Security Authority Process.exe
File created	C:\Program Files\Windows Defender\de-DE\f3b6ecef712a24	Local Security Authority Process.exe
File created	C:\Program Files\Java\jre-1.8\lib\applet\fontdrvhost.exe	Local Security Authority Process.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\sysmon.exe	Local Security Authority Process.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\6203df4a6bafc7	Local Security Authority Process.exe
File created	C:\Program Files\Windows Defender\de-DE\spoolsv.exe	Local Security Authority Process.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Bootstrapper.exeWScript.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 2 IoCs

Processes:

Bootstrapper.exeLocal Security Authority Process.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	Bootstrapper.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	Local Security Authority Process.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
3316	schtasks.exe
1184	schtasks.exe
3876	schtasks.exe
4804	schtasks.exe
1628	schtasks.exe
3856	schtasks.exe
3664	schtasks.exe
2944	schtasks.exe
2404	schtasks.exe
1080	schtasks.exe
5020	schtasks.exe
1088	schtasks.exe
4612	schtasks.exe
2572	schtasks.exe
1976	schtasks.exe
4892	schtasks.exe
2432	schtasks.exe
4972	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Local Security Authority Process.exe

pid	process
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe
3448	Local Security Authority Process.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

Local Security Authority Process.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exefontdrvhost.exe

description	pid	process
Token: SeDebugPrivilege	3448	Local Security Authority Process.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	3324	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	4900	powershell.exe
Token: SeDebugPrivilege	4204	powershell.exe
Token: SeDebugPrivilege	4060	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	4508	powershell.exe
Token: SeDebugPrivilege	4396	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	4712	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	5296	fontdrvhost.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

Bootstrapper.exeWScript.execmd.exeLocal Security Authority Process.execsc.execmd.exe

description	pid	process	target process
PID 600 wrote to memory of 3884	600	Bootstrapper.exe	WScript.exe
PID 600 wrote to memory of 3884	600	Bootstrapper.exe	WScript.exe
PID 600 wrote to memory of 3884	600	Bootstrapper.exe	WScript.exe
PID 3884 wrote to memory of 4600	3884	WScript.exe	cmd.exe
PID 3884 wrote to memory of 4600	3884	WScript.exe	cmd.exe
PID 3884 wrote to memory of 4600	3884	WScript.exe	cmd.exe
PID 4600 wrote to memory of 3448	4600	cmd.exe	Local Security Authority Process.exe
PID 4600 wrote to memory of 3448	4600	cmd.exe	Local Security Authority Process.exe
PID 3448 wrote to memory of 72	3448	Local Security Authority Process.exe	csc.exe
PID 3448 wrote to memory of 72	3448	Local Security Authority Process.exe	csc.exe
PID 72 wrote to memory of 1952	72	csc.exe	cvtres.exe
PID 72 wrote to memory of 1952	72	csc.exe	cvtres.exe
PID 3448 wrote to memory of 2128	3448	Local Security Authority Process.exe	powershell.exe
PID 3448 wrote to memory of 2128	3448	Local Security Authority Process.exe	powershell.exe
PID 3448 wrote to memory of 2424	3448	Local Security Authority Process.exe	powershell.exe
PID 3448 wrote to memory of 2424	3448	Local Security Authority Process.exe	powershell.exe
PID 3448 wrote to memory of 1868	3448	Local Security Authority Process.exe	powershell.exe
PID 3448 wrote to memory of 1868	3448	Local Security Authority Process.exe	powershell.exe
PID 3448 wrote to memory of 1972	3448	Local Security Authority Process.exe	powershell.exe
PID 3448 wrote to memory of 1972	3448	Local Security Authority Process.exe	powershell.exe
PID 3448 wrote to memory of 1696	3448	Local Security Authority Process.exe	powershell.exe
PID 3448 wrote to memory of 1696	3448	Local Security Authority Process.exe	powershell.exe
PID 3448 wrote to memory of 3324	3448	Local Security Authority Process.exe	powershell.exe
PID 3448 wrote to memory of 3324	3448	Local Security Authority Process.exe	powershell.exe
PID 3448 wrote to memory of 1888	3448	Local Security Authority Process.exe	powershell.exe
PID 3448 wrote to memory of 1888	3448	Local Security Authority Process.exe	powershell.exe
PID 3448 wrote to memory of 1760	3448	Local Security Authority Process.exe	powershell.exe
PID 3448 wrote to memory of 1760	3448	Local Security Authority Process.exe	powershell.exe
PID 3448 wrote to memory of 2516	3448	Local Security Authority Process.exe	powershell.exe
PID 3448 wrote to memory of 2516	3448	Local Security Authority Process.exe	powershell.exe
PID 3448 wrote to memory of 1944	3448	Local Security Authority Process.exe	powershell.exe
PID 3448 wrote to memory of 1944	3448	Local Security Authority Process.exe	powershell.exe
PID 3448 wrote to memory of 1484	3448	Local Security Authority Process.exe	powershell.exe
PID 3448 wrote to memory of 1484	3448	Local Security Authority Process.exe	powershell.exe
PID 3448 wrote to memory of 4060	3448	Local Security Authority Process.exe	powershell.exe
PID 3448 wrote to memory of 4060	3448	Local Security Authority Process.exe	powershell.exe
PID 3448 wrote to memory of 4712	3448	Local Security Authority Process.exe	powershell.exe
PID 3448 wrote to memory of 4712	3448	Local Security Authority Process.exe	powershell.exe
PID 3448 wrote to memory of 4508	3448	Local Security Authority Process.exe	powershell.exe
PID 3448 wrote to memory of 4508	3448	Local Security Authority Process.exe	powershell.exe
PID 3448 wrote to memory of 4396	3448	Local Security Authority Process.exe	powershell.exe
PID 3448 wrote to memory of 4396	3448	Local Security Authority Process.exe	powershell.exe
PID 3448 wrote to memory of 4900	3448	Local Security Authority Process.exe	powershell.exe
PID 3448 wrote to memory of 4900	3448	Local Security Authority Process.exe	powershell.exe
PID 3448 wrote to memory of 4204	3448	Local Security Authority Process.exe	powershell.exe
PID 3448 wrote to memory of 4204	3448	Local Security Authority Process.exe	powershell.exe
PID 3448 wrote to memory of 1352	3448	Local Security Authority Process.exe	cmd.exe
PID 3448 wrote to memory of 1352	3448	Local Security Authority Process.exe	cmd.exe
PID 1352 wrote to memory of 4208	1352	cmd.exe	chcp.com
PID 1352 wrote to memory of 4208	1352	cmd.exe	chcp.com
PID 1352 wrote to memory of 1748	1352	cmd.exe	w32tm.exe
PID 1352 wrote to memory of 1748	1352	cmd.exe	w32tm.exe
PID 1352 wrote to memory of 5296	1352	cmd.exe	fontdrvhost.exe
PID 1352 wrote to memory of 5296	1352	cmd.exe	fontdrvhost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:600
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\qp9vGmuwSr0nkeo7qSVAnhO3kZyMkfu12RZ0OBiQNAI58E5ZggR.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Microsoft\ZkitL4SswB6Acn9KQ4n8phMXm8v73bXNMxhzpq69L79HkSe5Tb.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4600
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Local Security Authority Process.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft/Local Security Authority Process.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3448
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pll0tbkn\pll0tbkn.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:72
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESECB2.tmp" "c:\Windows\System32\CSC5798B35B82024A78B85BB4885E54351.TMP"
        6⤵
        
        PID:1952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3324
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre-1.8\lib\applet\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\de-DE\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Start Menu\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4508
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\it-IT\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\sysmon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Local Security Authority Process.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4204
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\III9aksf7i.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1352
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4208
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1748
      - C:\Program Files\Java\jre-1.8\lib\applet\fontdrvhost.exe
        
        "C:\Program Files\Java\jre-1.8\lib\applet\fontdrvhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jre-1.8\lib\applet\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\lib\applet\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jre-1.8\lib\applet\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\de-DE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\de-DE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\de-DE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Start Menu\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Start Menu\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Local Security Authority ProcessL" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Local Security Authority Process.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Local Security Authority Process" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Local Security Authority Process.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Local Security Authority ProcessL" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Local Security Authority Process.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
408641808e457ab6e23d62e59b767753

SHA1
4205cfa0dfdfee6be08e8c0041d951dcec1d3946

SHA256
3921178878eb416764a6993c4ed81a1f371040dda95c295af535563f168b4258

SHA512
e7f3ffc96c7caad3d73c5cec1e60dc6c7d5ed2ced7d265fbd3a402b6f76fed310a087d2d5f0929ab90413615dad1d54fce52875750057cffe36ff010fc6323fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aa4f31835d07347297d35862c9045f4a

SHA1
83e728008935d30f98e5480fba4fbccf10cefb05

SHA256
99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0

SHA512
ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3284cb698efa6fb773dc0eebd30a3214

SHA1
a1093d44f025e5ba9609e99a3fc5fce3723fd7f3

SHA256
22f6a7c20c96be4775bec28c377d98d91a160fb5dd3158083e4365286161a2aa

SHA512
af3ea3c69350087cd0e6768679ba7bdfff4c184b5bfe7abf9152aa161713c56c6dc86390543507580f9ae0a6103d26486dbe37330dbc78e172a966957ba43606

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ae67abe49ef8ab8e76e1ca80d8344de1

SHA1
f2b538bbcd7097f414563e512eeef3c83d7963d6

SHA256
46cf691b4f643e595afd0d9647eab12b858918d679d82617c6609b687628a0a7

SHA512
101b5ef9d6f834fdc2983f3107bb241b9f5cafefdc7859a664fb569b7d592de70db5c8d16abdc29a430103d20d2f15a20b1b99a895d2c7f0d8e2250d87c8f29a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
7d760ca2472bcb9fe9310090d91318ce

SHA1
cb316b8560b38ea16a17626e685d5a501cd31c4a

SHA256
5c362b53c4a4578d8b57c51e1eac15f7f3b2447e43e0dad5102ecd003d5b41d4

SHA512
141e8661d7348ebbc1f74f828df956a0c6e4cdb70f3b9d52623c9a30993bfd91da9ed7d8d284b84f173d3e6f47c876fb4a8295110895f44d97fd6cc4c5659c35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
dc4dd6766dd68388d8733f1b729f87e9

SHA1
7b883d87afec5be3eff2088409cd1f57f877c756

SHA256
3407d8ad0c68a148aef81c7f124849573ac02097acd15f9bbe80f86e0498e826

SHA512
3084c1b7bb0fd998cddb8c917bac87f163a0f134a420158db4f354cb81ec1d5d65d3bac1d9b3e11b0a6707deacece47f819b1ed55ddf2b1d287fbdb244bf65a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
46be07258b725e1bf96cffe321fc24c5

SHA1
1b4d2672713249c43bc53586c98d8350a82e3ef4

SHA256
a8c358fe0e8a1b6def1f55c1e2caed2329b78cf6b48a9bb6e92797b6416dcd8b

SHA512
0e97b97b56f7dfae214ebc5900f2ff62e78ae79422bb06bd9b4fe7217a120166ba6045d0e4ed9aacbad82816b2afb5fdf9219003a591e8c61a94470e6b54cc26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
292B

MD5
529f48608468e26a68df03d1125c6cfd

SHA1
ca85a2fbdc4ce924134af94fff814bfb823e8b84

SHA256
20a1a5543d087352ff516e3dbdfd8b4b21f386ca675b022188d2765740da87ea

SHA512
9e58920590220ba95894a10bd200f48e5559ff9cae07020badc2c43809669bfdbec2c6e84c176489ab3c561daabb2126c98750391e9ab9ce6c8cf8f5bec151c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\III9aksf7i.bat

Filesize
232B

MD5
1f956011c7b9efa748c1b3ff5c432abb

SHA1
f2f328a564cd5c0ff5771ca3e7c9dbc9eb566ecd

SHA256
2ee74d10f67b4eafdc2c39cb7530a7512c41ff2e044dc80667110d2ac691b3e0

SHA512
bb4eef58e180742efb7208282f400609fa7d02a939d74bef74df03e7c607cc5f0ea7c5ab1db9eced124225a2c09e81f3ec5758e11b44e232071c696033364fdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESECB2.tmp

Filesize
1KB

MD5
63dd120b2eb883d7fc9c9b061237d006

SHA1
59a35fa4659a1b156358bd57dbbca34d17a21fec

SHA256
63e0a49cf238d03f7c7198e46a3e161dfac561c4d1f51022bb2c7de0a6fd65e8

SHA512
a379e2915b290b7b5cc19071fcd085d40c82409669a0b431da8d1c40772c48cdbfe66bc294df81fc1a9cf150992666bbc9d0f746e84514971fe8fab43e2a7500

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_khm3gu4r.mi2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Local Security Authority Process.exe

Filesize
1.9MB

MD5
4ba31fe7c90af2148e83fe198cf99d7b

SHA1
bd86eece0e892752950a13282cb323e0775ecae4

SHA256
196706cf85ccf38343444deecaeaced58faf7c22963fe45aaa8ea9938fe19a0e

SHA512
79991360ad8d5c8968f2aa4836b3b7b39074c99ad28aa25cc69931c4bdf2115921042d818d4cc319984cfa0ed8a9ee015506f3b4b8c026aeda82c5b03a5328f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\ZkitL4SswB6Acn9KQ4n8phMXm8v73bXNMxhzpq69L79HkSe5Tb.bat

Filesize
93B

MD5
fb55729d3f331e20fb5c1e5377634743

SHA1
ad5d1b461d7608598e2683d66eeee3c2a38c625f

SHA256
8603cadb532a5ab019b7f07a2c9652905a459f88c8cfe74d387f0d9594f323c9

SHA512
2ed609b4ad5d0d9da2d12c12947091e0ce2937a12856d95979a7d2c4248b1d5244e5fc3616d0be8a1fd8febc888eeb0bb6fe08fe38a359ceb2345510645d1870

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\qp9vGmuwSr0nkeo7qSVAnhO3kZyMkfu12RZ0OBiQNAI58E5ZggR.vbe

Filesize
245B

MD5
dde897c67a0ad3384e01f44658e986d0

SHA1
51e5a863d22d2305da3d6e82ed2da727a6db5ffa

SHA256
f3ea38d1aea5a693f1b87b3d1152f8a1de82391b34e2061ee0fbb29f2ec6dc57

SHA512
901990365c1539d432871ef01d36261f537e0928e3afbd93f0833d04355a55464dbe2ca07c59d7d495bb93ad0bf73ed33db748e5856d75941c18f232503c1892

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pll0tbkn\pll0tbkn.0.cs

Filesize
388B

MD5
5485bbc2b13dabe2f119d0f65817a5bf

SHA1
e66a89f0a6fb652d6b6825fc1c7ab689af70898d

SHA256
252300bbb16708eb47938df9740b259ed9269f1c8a16bf5fa6b6e8db9293c7fe

SHA512
587f1c5d6274d60634dffed68fca61717219934f47113a86ab95b61b2916c801a945d9c55a8b377d5a4c5b343a705714e3e5c6fed89485179c4787ba9ed194ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pll0tbkn\pll0tbkn.cmdline

Filesize
235B

MD5
bee53178c79202910757178382b55f9b

SHA1
a554b98129449f240c3bb4347d9d689f88d9ab57

SHA256
e23d2369047345d3427ea76f09d63072063de0517af68728e8ab0421e97c406f

SHA512
40cc18d06512440c89d49030712b5ea83c574529c937c07d4f56ed04dfebcb574d33ad3aa93cc94c60b37b8838ef1857bc41732ae1dc7ff2af370f2b75224ae5

Download Submit
\??\c:\Windows\System32\CSC5798B35B82024A78B85BB4885E54351.TMP

Filesize
1KB

MD5
54a5996cbde821a9af661e0a87f72fe0

SHA1
78f3b0738e15ceb9edd17d90dd3dc68c9d42658f

SHA256
ed14104f62993b17bcd142ee2716120393de87b43772fcc2baf7fd2d87c5bf0a

SHA512
32eca948504a8ad573e736d0bccbf4a389bd6d16a7bba6e2bbf14bac649bde91dcb1d3a0cf483b8f83b99942ca813d91e45ac00ccbb2518e3b19ceb2f770d0f4

Download Submit
memory/1696-59-0x00000189C27B0000-0x00000189C27D2000-memory.dmp

Filesize
136KB

Download
memory/3448-72-0x000000001E8D0000-0x000000001E9EE000-memory.dmp

Filesize
1.1MB

Download
memory/3448-26-0x00000000032C0000-0x00000000032CC000-memory.dmp

Filesize
48KB

Download
memory/3448-24-0x00000000032B0000-0x00000000032B8000-memory.dmp

Filesize
32KB

Download
memory/3448-22-0x0000000001AB0000-0x0000000001ABE000-memory.dmp

Filesize
56KB

Download
memory/3448-20-0x000000001BF40000-0x000000001BF58000-memory.dmp

Filesize
96KB

Download
memory/3448-18-0x000000001BF90000-0x000000001BFE0000-memory.dmp

Filesize
320KB

Download
memory/3448-17-0x000000001BF20000-0x000000001BF3C000-memory.dmp

Filesize
112KB

Download
memory/3448-15-0x0000000001A90000-0x0000000001A9E000-memory.dmp

Filesize
56KB

Download
memory/3448-13-0x0000000000F60000-0x0000000001148000-memory.dmp

Filesize
1.9MB

Download
memory/3448-12-0x00007FF985CE3000-0x00007FF985CE5000-memory.dmp

Filesize
8KB

Download
memory/5296-238-0x000000001D850000-0x000000001D96E000-memory.dmp

Filesize
1.1MB

Download