Analysis

  • max time kernel
    44s
  • max time network
    84s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    12-11-2024 10:41

General

  • Target

    SolaraBootstrapper.exe

  • Size

    2.2MB

  • MD5

    83539ba7c5103e90cf7230812873abb5

  • SHA1

    aa84fc6f29b943e714f7be00e4cc7af957484381

  • SHA256

    e3b04ffe1c3222f16e71be15978a33b03fa6bdd92e276d7fa933f04e6929aed1

  • SHA512

    e8183cbd06ae2f1930cf7a2d417562d1c90cc1e5bbe580f0049d2b303ab4699f59981d6ab6a3f774c01dc014e9f1c7cc1933e1e6aeaea62404f42e1e07d27487

  • SSDEEP

    24576:2TbBv5rUyXVijPqBdzumpuWIax7RAxXo6MA17qm8w4tBPP+3wVwLsvMlDF/3cWA3:IBJiSr41q9FtBPW3+elDNMWAgPrc7H

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Dcrat family
  • Modifies WinLogon for persistence 2 TTPs 6 IoCs
  • Process spawned unexpected child process 18 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 19 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\qp9vGmuwSr0nkeo7qSVAnhO3kZyMkfu12RZ0OBiQNAI58E5ZggR.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5032
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Microsoft\ZkitL4SswB6Acn9KQ4n8phMXm8v73bXNMxhzpq69L79HkSe5Tb.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4532
        • C:\Users\Admin\AppData\Roaming\Microsoft\Local Security Authority Process.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft/Local Security Authority Process.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4248
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2imsq2ve\2imsq2ve.cmdline"
            5⤵
            • Drops file in System32 directory
            • Suspicious use of WriteProcessMemory
            PID:1928
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFF40.tmp" "c:\Windows\System32\CSC70C0BFD96E5F458394AEAACD647985A0.TMP"
              6⤵
                PID:4900
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3016
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4844
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3300
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3332
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1452
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1272
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:1948
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3784
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3832
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3708
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3144
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech\Engines\Lexicon\cmd.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4124
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\dllhost.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:4320
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk-1.8\RuntimeBroker.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:5008
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\Local Security Authority Process.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:772
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3676
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Local Security Authority Process.exe'
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:5024
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dKfdWFG73w.bat"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1380
              • C:\Windows\system32\chcp.com
                chcp 65001
                6⤵
                  PID:2940
                • C:\Windows\system32\PING.EXE
                  ping -n 10 localhost
                  6⤵
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:5228
                • C:\Program Files\Java\jdk-1.8\RuntimeBroker.exe
                  "C:\Program Files\Java\jdk-1.8\RuntimeBroker.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5468
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Windows\Speech\Engines\Lexicon\cmd.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1380
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Speech\Engines\Lexicon\cmd.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3656
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Windows\Speech\Engines\Lexicon\cmd.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2664
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\Application\dllhost.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3052
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4240
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\Application\dllhost.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:4336
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jdk-1.8\RuntimeBroker.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2628
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1924
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jdk-1.8\RuntimeBroker.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3176
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Local Security Authority ProcessL" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\Local Security Authority Process.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2556
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Local Security Authority Process" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\Local Security Authority Process.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3400
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Local Security Authority ProcessL" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\Local Security Authority Process.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1048
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:940
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2280
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:3324
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Local Security Authority ProcessL" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Local Security Authority Process.exe'" /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:2108
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Local Security Authority Process" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Local Security Authority Process.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:1580
      • C:\Windows\system32\schtasks.exe
        schtasks.exe /create /tn "Local Security Authority ProcessL" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Local Security Authority Process.exe'" /rl HIGHEST /f
        1⤵
        • Process spawned unexpected child process
        • Scheduled Task/Job: Scheduled Task
        PID:228

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        2KB

        MD5

        627073ee3ca9676911bee35548eff2b8

        SHA1

        4c4b68c65e2cab9864b51167d710aa29ebdcff2e

        SHA256

        85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

        SHA512

        3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        aa4f31835d07347297d35862c9045f4a

        SHA1

        83e728008935d30f98e5480fba4fbccf10cefb05

        SHA256

        99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0

        SHA512

        ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        e3840d9bcedfe7017e49ee5d05bd1c46

        SHA1

        272620fb2605bd196df471d62db4b2d280a363c6

        SHA256

        3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f

        SHA512

        76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        7d760ca2472bcb9fe9310090d91318ce

        SHA1

        cb316b8560b38ea16a17626e685d5a501cd31c4a

        SHA256

        5c362b53c4a4578d8b57c51e1eac15f7f3b2447e43e0dad5102ecd003d5b41d4

        SHA512

        141e8661d7348ebbc1f74f828df956a0c6e4cdb70f3b9d52623c9a30993bfd91da9ed7d8d284b84f173d3e6f47c876fb4a8295110895f44d97fd6cc4c5659c35

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        3284cb698efa6fb773dc0eebd30a3214

        SHA1

        a1093d44f025e5ba9609e99a3fc5fce3723fd7f3

        SHA256

        22f6a7c20c96be4775bec28c377d98d91a160fb5dd3158083e4365286161a2aa

        SHA512

        af3ea3c69350087cd0e6768679ba7bdfff4c184b5bfe7abf9152aa161713c56c6dc86390543507580f9ae0a6103d26486dbe37330dbc78e172a966957ba43606

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        6903d57eed54e89b68ebb957928d1b99

        SHA1

        fade011fbf2e4bc044d41e380cf70bd6a9f73212

        SHA256

        36cbb00b016c9f97645fb628ef72b524dfbdf6e08d626e5c837bbbb9075dcb52

        SHA512

        c192ea9810fd22de8378269235c1035aa1fe1975a53c876fe4a7acc726c020f94773c21e4e4771133f9fcedb0209f0a5324c594c1db5b28fe1b27644db4fdc9e

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        45f53352160cf0903c729c35c8edfdce

        SHA1

        b35a4d4fbaf2a3cc61e540fc03516dd70f3c34ab

        SHA256

        9cf18d157a858fc143a6de5c2dd3f618516a527b34478ac478d8c94ff027b0d2

        SHA512

        e3fa27a80a1df58acb49106c306dab22e5ed582f6b0cd7d9c3ef0a85e9f5919333257e88aa44f42a0e095fd577c9e12a02957a7845c0d109f821f32d8d3343f3

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        dc4dd6766dd68388d8733f1b729f87e9

        SHA1

        7b883d87afec5be3eff2088409cd1f57f877c756

        SHA256

        3407d8ad0c68a148aef81c7f124849573ac02097acd15f9bbe80f86e0498e826

        SHA512

        3084c1b7bb0fd998cddb8c917bac87f163a0f134a420158db4f354cb81ec1d5d65d3bac1d9b3e11b0a6707deacece47f819b1ed55ddf2b1d287fbdb244bf65a4

      • C:\Users\Admin\AppData\Local\Temp\RESFF40.tmp

        Filesize

        1KB

        MD5

        8af6baa4304f12e075631b6f4b1012c0

        SHA1

        276a1aee510aaf7a1bef0f697bb186388904b31e

        SHA256

        9a2f1be170c19f96e737f6218c7f83fed50af746383e6e40ed5abe304b2191c3

        SHA512

        4cc6c215e841630929e2650d4575708f50bfedc55e857780ecf404adba6f916cac151affb5fe06264e9e69e402b859206836b399a67cb8aa0c576692b9d34a55

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ntydr0xc.oct.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Local\Temp\dKfdWFG73w.bat

        Filesize

        175B

        MD5

        6c315e1a51f8b64ea358bee73f88d903

        SHA1

        49f14da4afd2dcb69d6d6d93aa430e92a193d2ac

        SHA256

        aca10ba341f66b22732d60d005517afc687f1e22a0f0d82b57d07f025a8c9994

        SHA512

        949b64dd59d8b743d5d5489178c20ebd203663bb8c671baf9a8dc493afc3e2357ca42d5292781d574b85a02df499db1ced1c504eef8631dabd773dc3021f2fe9

      • C:\Users\Admin\AppData\Roaming\Microsoft\Local Security Authority Process.exe

        Filesize

        1.9MB

        MD5

        4ba31fe7c90af2148e83fe198cf99d7b

        SHA1

        bd86eece0e892752950a13282cb323e0775ecae4

        SHA256

        196706cf85ccf38343444deecaeaced58faf7c22963fe45aaa8ea9938fe19a0e

        SHA512

        79991360ad8d5c8968f2aa4836b3b7b39074c99ad28aa25cc69931c4bdf2115921042d818d4cc319984cfa0ed8a9ee015506f3b4b8c026aeda82c5b03a5328f7

      • C:\Users\Admin\AppData\Roaming\Microsoft\ZkitL4SswB6Acn9KQ4n8phMXm8v73bXNMxhzpq69L79HkSe5Tb.bat

        Filesize

        93B

        MD5

        fb55729d3f331e20fb5c1e5377634743

        SHA1

        ad5d1b461d7608598e2683d66eeee3c2a38c625f

        SHA256

        8603cadb532a5ab019b7f07a2c9652905a459f88c8cfe74d387f0d9594f323c9

        SHA512

        2ed609b4ad5d0d9da2d12c12947091e0ce2937a12856d95979a7d2c4248b1d5244e5fc3616d0be8a1fd8febc888eeb0bb6fe08fe38a359ceb2345510645d1870

      • C:\Users\Admin\AppData\Roaming\Microsoft\qp9vGmuwSr0nkeo7qSVAnhO3kZyMkfu12RZ0OBiQNAI58E5ZggR.vbe

        Filesize

        245B

        MD5

        dde897c67a0ad3384e01f44658e986d0

        SHA1

        51e5a863d22d2305da3d6e82ed2da727a6db5ffa

        SHA256

        f3ea38d1aea5a693f1b87b3d1152f8a1de82391b34e2061ee0fbb29f2ec6dc57

        SHA512

        901990365c1539d432871ef01d36261f537e0928e3afbd93f0833d04355a55464dbe2ca07c59d7d495bb93ad0bf73ed33db748e5856d75941c18f232503c1892

      • \??\c:\Users\Admin\AppData\Local\Temp\2imsq2ve\2imsq2ve.0.cs

        Filesize

        373B

        MD5

        5919cdc3fdc2a941b7bef6b72c0a0d68

        SHA1

        6eb0ec31d8d4abf5886757ec37270457a092ffb9

        SHA256

        91b510833d4758e646e3a6c31b3a74ca80fb37a62765718c5601fedf25562823

        SHA512

        21dc4aabfec9556724fdadde4ac9615c5a51fe695bde6794c4c47f6d7c6f85b207850d614fb988d5d13f80f3b47f1a2df738948e5b748d0fe02515e47966bab8

      • \??\c:\Users\Admin\AppData\Local\Temp\2imsq2ve\2imsq2ve.cmdline

        Filesize

        235B

        MD5

        8c620adbb215361ba8c2d828991e62ce

        SHA1

        766d507313c2cbcabeaa63143eb73f18eb10ac00

        SHA256

        7b2e49b56016ec2507cbab2ad3a48dba92ac2de71a796c12ebfd8e86830a862a

        SHA512

        7f5d631534af9244f11d0d1a524ba7219a171fa7975909425561dbb087d563308b83cffdb9a329d1d7926027d679f7d8566eeee605d69c7fa7d164b38d017db3

      • \??\c:\Windows\System32\CSC70C0BFD96E5F458394AEAACD647985A0.TMP

        Filesize

        1KB

        MD5

        d87433b9d28901689cc7a1ef612d57cc

        SHA1

        1c34e0cdd05420fb5e9242d68c378c1dddf6ffb5

        SHA256

        12746c77ce88ff77399e5a6296dbb83ec7d860399ec4e6bdadcff76ec462a48c

        SHA512

        dbad8b5c060fa65a9ecbe9f77dc7297526ad5265628bfc19193db0ef9ee5682087ed564c2e5889ea29b27b54d353cd6bfde8d5f317bafc81f8f8bf399899c588

      • memory/3300-68-0x000001E2D46A0000-0x000001E2D46C2000-memory.dmp

        Filesize

        136KB

      • memory/4248-26-0x00000000030F0000-0x00000000030FC000-memory.dmp

        Filesize

        48KB

      • memory/4248-24-0x00000000030E0000-0x00000000030E8000-memory.dmp

        Filesize

        32KB

      • memory/4248-22-0x00000000016E0000-0x00000000016EE000-memory.dmp

        Filesize

        56KB

      • memory/4248-20-0x000000001BA10000-0x000000001BA28000-memory.dmp

        Filesize

        96KB

      • memory/4248-18-0x000000001BEB0000-0x000000001BF00000-memory.dmp

        Filesize

        320KB

      • memory/4248-17-0x000000001B9F0000-0x000000001BA0C000-memory.dmp

        Filesize

        112KB

      • memory/4248-15-0x0000000001680000-0x000000000168E000-memory.dmp

        Filesize

        56KB

      • memory/4248-13-0x0000000000C40000-0x0000000000E28000-memory.dmp

        Filesize

        1.9MB

      • memory/4248-12-0x00007FF93B8C3000-0x00007FF93B8C5000-memory.dmp

        Filesize

        8KB