Malware Analysis Report

2024-10-10 13:06

Sample ID: 240621-fhf1paycqh
Target: e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc
SHA256: e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc
Tags: dcrat infostealer rat
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc

Threat Level: Known bad

The file e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc was found to be: Known bad.

Malicious Activity Summary

dcrat infostealer rat

DcRat

Process spawned unexpected child process

Detects executables containing URLs to raw contents of a Github gist

Detects executables packed with SmartAssembly

DCRat payload

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-21 04:52

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-21 04:52

Reported

2024-06-21 04:54

Platform

win7-20240508-en

Max time kernel

122s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Detects executables containing URLs to raw contents of a Github gist

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Detects executables packed with SmartAssembly

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Java\jre7\bin\plugin2\886983d96e3d3e | C:\MSCONFIG\CONFIG.exe | N/A
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\csrss.exe | C:\MSCONFIG\CONFIG.exe | N/A
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\886983d96e3d3e | C:\MSCONFIG\CONFIG.exe | N/A
File created | C:\Program Files\Windows Sidebar\taskhost.exe | C:\MSCONFIG\CONFIG.exe | N/A
File created | C:\Program Files\Windows Sidebar\b75386f1303e64 | C:\MSCONFIG\CONFIG.exe | N/A
File created | C:\Program Files\Java\jre7\bin\plugin2\csrss.exe | C:\MSCONFIG\CONFIG.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\MSCONFIG\CONFIG.exe | N/A
N/A | N/A | C:\MSCONFIG\CONFIG.exe | N/A
N/A | N/A | C:\MSCONFIG\CONFIG.exe | N/A
N/A | N/A | C:\Program Files\Java\jre7\bin\plugin2\csrss.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | N/A
Token: SeDebugPrivilege | N/A | C:\MSCONFIG\CONFIG.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files\Java\jre7\bin\plugin2\csrss.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1284 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 1284 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 1284 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 1284 wrote to memory of 2164 | N/A | C:\Users\Admin\AppData\Local\Temp\e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 1284 wrote to memory of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe | C:\Users\Admin\AppData\Local\Temp\trx.exe
PID 1284 wrote to memory of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe | C:\Users\Admin\AppData\Local\Temp\trx.exe
PID 1284 wrote to memory of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe | C:\Users\Admin\AppData\Local\Temp\trx.exe
PID 1284 wrote to memory of 2924 | N/A | C:\Users\Admin\AppData\Local\Temp\e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe | C:\Users\Admin\AppData\Local\Temp\trx.exe
PID 2924 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\trx.exe | C:\Windows\SysWOW64\WScript.exe
PID 2924 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\trx.exe | C:\Windows\SysWOW64\WScript.exe
PID 2924 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\trx.exe | C:\Windows\SysWOW64\WScript.exe
PID 2924 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\trx.exe | C:\Windows\SysWOW64\WScript.exe
PID 2164 wrote to memory of 2880 | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2164 wrote to memory of 2880 | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2164 wrote to memory of 2880 | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2164 wrote to memory of 2880 | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2940 wrote to memory of 2524 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 2524 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 2524 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 2524 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 2628 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\MSCONFIG\CONFIG.exe
PID 2524 wrote to memory of 2628 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\MSCONFIG\CONFIG.exe
PID 2524 wrote to memory of 2628 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\MSCONFIG\CONFIG.exe
PID 2524 wrote to memory of 2628 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\MSCONFIG\CONFIG.exe
PID 2628 wrote to memory of 2916 | N/A | C:\MSCONFIG\CONFIG.exe | C:\Program Files\Java\jre7\bin\plugin2\csrss.exe
PID 2628 wrote to memory of 2916 | N/A | C:\MSCONFIG\CONFIG.exe | C:\Program Files\Java\jre7\bin\plugin2\csrss.exe
PID 2628 wrote to memory of 2916 | N/A | C:\MSCONFIG\CONFIG.exe | C:\Program Files\Java\jre7\bin\plugin2\csrss.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe

"C:\Users\Admin\AppData\Local\Temp\e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Users\Admin\AppData\Local\Temp\trx.exe

"C:\Users\Admin\AppData\Local\Temp\trx.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\MSCONFIG\0h6cj87wvPM.vbe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 1092

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\MSCONFIG\qB5uXmVRAbtGKpRj2QeMA08.bat" "

C:\MSCONFIG\CONFIG.exe

"C:\MSCONFIG\CONFIG.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSCONFIG\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSCONFIG\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSCONFIG\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jre7\bin\plugin2\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\plugin2\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre7\bin\plugin2\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\csrss.exe'" /rl HIGHEST /f

C:\Program Files\Java\jre7\bin\plugin2\csrss.exe

"C:\Program Files\Java\jre7\bin\plugin2\csrss.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | github.com | udp
GB | 20.26.156.215:443 | github.com | tcp
US | 8.8.8.8:53 | pastebin.com | udp
US | 172.67.19.24:443 | pastebin.com | tcp
US | 8.8.8.8:53 | a0997184.xsph.ru | udp
RU | 141.8.192.103:80 | a0997184.xsph.ru | tcp

Files

memory/1284-0-0x000007FEF5803000-0x000007FEF5804000-memory.dmp

memory/1284-1-0x000000013FF80000-0x0000000140074000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

MD5 74494703e5f44eeb9aa037f0f50bf682
SHA1 fcfd8813e63cd61c5bfd2db605827fb9070fe8e9
SHA256 3e4f692506d372bebc12d344c5f1543b67fa1dbe095c910aab78456510d7fe66
SHA512 dbd2a8d928c797c70c4286d8ebabe202902445ed60e94eeccf33c7e3d794c7e362139187dcd1a57a4919503c1c791cfbe38f6f6eff454248382b3c4e023791fe

C:\Users\Admin\AppData\Local\Temp\trx.exe

MD5 03cde07f808c1c15f2b413e89a45b9d8
SHA1 2e4f97f7f28024db39758472d484484dc3030c0b
SHA256 daf2510e43a399ef767b7d9dfc87ac245a6d625b05aa9d60a3f1a5767f8cfb9f
SHA512 d6add1d4f6acf0b70d50bfbefdd2f9093860a0c9de745429c11a28b6e9d2921ab60fda306e3b90f641901c6fb9b50e0928d0b90e58ee799c573606971eb6ad18

memory/2164-14-0x000000007452E000-0x000000007452F000-memory.dmp

memory/1284-13-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

memory/2164-16-0x00000000012E0000-0x00000000012EA000-memory.dmp

C:\MSCONFIG\0h6cj87wvPM.vbe

MD5 c82cc3c85bd84d0af9e997e0a4959cdd
SHA1 8ff246be20905b44b77082729819917245547013
SHA256 53db8dddc4b2d19225bc4e07771a867791fea3399c93f2e377b6794c2df3e86d
SHA512 09c484cf6b54b4dfd612fdbe32c116ada544dd684e98d4bcdf5ce67534712d2e16685ebecde94aded6a1a8767df75a3390d9871b52061b45bb9011bf2de353d9

C:\MSCONFIG\qB5uXmVRAbtGKpRj2QeMA08.bat

MD5 8ec84d1942903da3492f14e534a8e841
SHA1 b152ff7373eac0aaef9c17637bde6cc754fe257a
SHA256 a695797842083715d31a3aba69946326d1208a8eb497b1dffbc9f7dfd4305c4d
SHA512 bd1e95501352c71ca432263bfca20a2bf9400074629133a0c7906165e79bb9d14419656f3e44da28e817657f86869e2196ae8f77c57683b8ca8e191ffe2bb076

\MSCONFIG\CONFIG.exe

MD5 5e14719cd7fbb360095ace17828a75b3
SHA1 72cd087ba89bef7546a5657b352b61f2ea31f492
SHA256 095b2894512ec27bb89f8e5b1feb35ed137ebec9debf234d61935405f5a27561
SHA512 20bdef4870af81d4dedd18872213788d4a8c5ab2b7cf48e14f1e36096b91f79d791d3481dbd6e35599a1f2a00a2e105e05d92a8202b1597326c6d17905d3bc27

memory/2628-35-0x0000000000E90000-0x0000000000FBE000-memory.dmp

memory/2628-36-0x00000000003D0000-0x00000000003E2000-memory.dmp

memory/2628-37-0x0000000000B10000-0x0000000000B1C000-memory.dmp

memory/2628-38-0x0000000000460000-0x0000000000468000-memory.dmp

memory/2628-39-0x0000000000B00000-0x0000000000B12000-memory.dmp

memory/2628-40-0x0000000000B40000-0x0000000000B4C000-memory.dmp

memory/2628-41-0x0000000000B50000-0x0000000000B5C000-memory.dmp

memory/2916-58-0x00000000003A0000-0x00000000004CE000-memory.dmp

memory/2916-59-0x00000000005E0000-0x00000000005F2000-memory.dmp

memory/2916-60-0x0000000000800000-0x0000000000812000-memory.dmp

memory/2164-61-0x000000007452E000-0x000000007452F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-21 04:52

Reported

2024-06-21 04:54

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe"

Signatures

DcRat

rat infostealer dcrat
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
File created | C:\Windows\Performance\e1ef82546f0b02 | C:\MSCONFIG\CONFIG.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
File created | C:\Program Files\Internet Explorer\images\7a0fd90576e088 | C:\MSCONFIG\CONFIG.exe | N/A
File created | C:\Program Files (x86)\Microsoft\Edge\Application\5940a34987c991 | C:\MSCONFIG\CONFIG.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
File created | C:\Program Files\Internet Explorer\56085415360792 | C:\MSCONFIG\CONFIG.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\38384e6a620884 | C:\MSCONFIG\CONFIG.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Detects executables containing URLs to raw contents of a Github gist

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Detects executables packed with SmartAssembly

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\conhost.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\conhost.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\conhost.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\conhost.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\trx.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\MSCONFIG\CONFIG.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\MSCONFIG\CONFIG.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\conhost.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Recovery\WindowsRE\conhost.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\38384e6a620884 | C:\MSCONFIG\CONFIG.exe | N/A
File created | C:\Program Files\Microsoft Office\root\wininit.exe | C:\MSCONFIG\CONFIG.exe | N/A
File created | C:\Program Files (x86)\Microsoft\Edge\Application\dllhost.exe | C:\MSCONFIG\CONFIG.exe | N/A
File created | C:\Program Files (x86)\Microsoft\Edge\Application\5940a34987c991 | C:\MSCONFIG\CONFIG.exe | N/A
File created | C:\Program Files\Internet Explorer\wininit.exe | C:\MSCONFIG\CONFIG.exe | N/A
File created | C:\Program Files\Internet Explorer\56085415360792 | C:\MSCONFIG\CONFIG.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\SearchApp.exe | C:\MSCONFIG\CONFIG.exe | N/A
File created | C:\Program Files\Microsoft Office\root\56085415360792 | C:\MSCONFIG\CONFIG.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\dllhost.exe | C:\MSCONFIG\CONFIG.exe | N/A
File created | C:\Program Files\Internet Explorer\images\explorer.exe | C:\MSCONFIG\CONFIG.exe | N/A
File created | C:\Program Files\Internet Explorer\images\7a0fd90576e088 | C:\MSCONFIG\CONFIG.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Performance\e1ef82546f0b02 | C:\MSCONFIG\CONFIG.exe | N/A
File created | C:\Windows\Cursors\Registry.exe | C:\MSCONFIG\CONFIG.exe | N/A
File created | C:\Windows\Cursors\ee2ad38f3d4382 | C:\MSCONFIG\CONFIG.exe | N/A
File created | C:\Windows\Sun\Java\Deployment\SolaraBootstrapper.exe | C:\MSCONFIG\CONFIG.exe | N/A
File created | C:\Windows\Sun\Java\Deployment\1143e5710f078d | C:\MSCONFIG\CONFIG.exe | N/A
File created | C:\Windows\tracing\dwm.exe | C:\MSCONFIG\CONFIG.exe | N/A
File created | C:\Windows\tracing\6cb0b6c459d5d3 | C:\MSCONFIG\CONFIG.exe | N/A
File created | C:\Windows\Performance\SppExtComObj.exe | C:\MSCONFIG\CONFIG.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Recovery\WindowsRE\conhost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Recovery\WindowsRE\conhost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\trx.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\MSCONFIG\CONFIG.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Recovery\WindowsRE\conhost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Recovery\WindowsRE\conhost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Recovery\WindowsRE\conhost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Recovery\WindowsRE\conhost.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A
Token: SeDebugPrivilege N/A C:\MSCONFIG\CONFIG.exe N/A
Token: SeDebugPrivilege N/A C:\MSCONFIG\CONFIG.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\conhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1416 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 1416 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 1416 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 1416 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe C:\Users\Admin\AppData\Local\Temp\trx.exe
PID 1416 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe C:\Users\Admin\AppData\Local\Temp\trx.exe
PID 1416 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe C:\Users\Admin\AppData\Local\Temp\trx.exe
PID 1436 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\trx.exe C:\Windows\SysWOW64\WScript.exe
PID 1436 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\trx.exe C:\Windows\SysWOW64\WScript.exe
PID 1436 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\trx.exe C:\Windows\SysWOW64\WScript.exe
PID 1384 wrote to memory of 2756 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 2756 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 2756 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2756 wrote to memory of 696 N/A C:\Windows\SysWOW64\cmd.exe C:\MSCONFIG\CONFIG.exe
PID 2756 wrote to memory of 696 N/A C:\Windows\SysWOW64\cmd.exe C:\MSCONFIG\CONFIG.exe
PID 696 wrote to memory of 2784 N/A C:\MSCONFIG\CONFIG.exe C:\Windows\System32\cmd.exe
PID 696 wrote to memory of 2784 N/A C:\MSCONFIG\CONFIG.exe C:\Windows\System32\cmd.exe
PID 2784 wrote to memory of 1748 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2784 wrote to memory of 1748 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2784 wrote to memory of 4380 N/A C:\Windows\System32\cmd.exe C:\MSCONFIG\CONFIG.exe
PID 2784 wrote to memory of 4380 N/A C:\Windows\System32\cmd.exe C:\MSCONFIG\CONFIG.exe
PID 4380 wrote to memory of 3832 N/A C:\MSCONFIG\CONFIG.exe C:\Recovery\WindowsRE\conhost.exe
PID 4380 wrote to memory of 3832 N/A C:\MSCONFIG\CONFIG.exe C:\Recovery\WindowsRE\conhost.exe
PID 3832 wrote to memory of 3944 N/A C:\Recovery\WindowsRE\conhost.exe C:\Windows\System32\cmd.exe
PID 3832 wrote to memory of 3944 N/A C:\Recovery\WindowsRE\conhost.exe C:\Windows\System32\cmd.exe
PID 3944 wrote to memory of 2180 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3944 wrote to memory of 2180 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3944 wrote to memory of 4344 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\conhost.exe
PID 3944 wrote to memory of 4344 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\conhost.exe
PID 4344 wrote to memory of 5100 N/A C:\Recovery\WindowsRE\conhost.exe C:\Windows\System32\cmd.exe
PID 4344 wrote to memory of 5100 N/A C:\Recovery\WindowsRE\conhost.exe C:\Windows\System32\cmd.exe
PID 5100 wrote to memory of 1300 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5100 wrote to memory of 1300 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5100 wrote to memory of 1312 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\conhost.exe
PID 5100 wrote to memory of 1312 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\conhost.exe
PID 1312 wrote to memory of 2948 N/A C:\Recovery\WindowsRE\conhost.exe C:\Windows\System32\cmd.exe
PID 1312 wrote to memory of 2948 N/A C:\Recovery\WindowsRE\conhost.exe C:\Windows\System32\cmd.exe
PID 2948 wrote to memory of 1080 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2948 wrote to memory of 1080 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2948 wrote to memory of 1672 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\conhost.exe
PID 2948 wrote to memory of 1672 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\conhost.exe
PID 1672 wrote to memory of 3852 N/A C:\Recovery\WindowsRE\conhost.exe C:\Windows\System32\cmd.exe
PID 1672 wrote to memory of 3852 N/A C:\Recovery\WindowsRE\conhost.exe C:\Windows\System32\cmd.exe
PID 3852 wrote to memory of 4400 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3852 wrote to memory of 4400 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3852 wrote to memory of 3384 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\conhost.exe
PID 3852 wrote to memory of 3384 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\conhost.exe
PID 3384 wrote to memory of 1448 N/A C:\Recovery\WindowsRE\conhost.exe C:\Windows\System32\cmd.exe
PID 3384 wrote to memory of 1448 N/A C:\Recovery\WindowsRE\conhost.exe C:\Windows\System32\cmd.exe
PID 1448 wrote to memory of 3284 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1448 wrote to memory of 3284 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1448 wrote to memory of 2248 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\conhost.exe
PID 1448 wrote to memory of 2248 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\conhost.exe
PID 2248 wrote to memory of 4952 N/A C:\Recovery\WindowsRE\conhost.exe C:\Windows\System32\cmd.exe
PID 2248 wrote to memory of 4952 N/A C:\Recovery\WindowsRE\conhost.exe C:\Windows\System32\cmd.exe
PID 4952 wrote to memory of 1652 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4952 wrote to memory of 1652 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4952 wrote to memory of 4784 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\conhost.exe
PID 4952 wrote to memory of 4784 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\conhost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe

"C:\Users\Admin\AppData\Local\Temp\e81e0a127594d46ef94d41487613fb3da26dc56b8c2fdad7783a7c62451b0bbc.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Users\Admin\AppData\Local\Temp\trx.exe

"C:\Users\Admin\AppData\Local\Temp\trx.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\MSCONFIG\0h6cj87wvPM.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\MSCONFIG\qB5uXmVRAbtGKpRj2QeMA08.bat" "

C:\MSCONFIG\CONFIG.exe

"C:\MSCONFIG\CONFIG.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\Performance\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 6 /tr "'C:\Windows\Performance\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\images\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\images\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\MSCONFIG\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\MSCONFIG\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\MSCONFIG\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\MSCONFIG\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\MSCONFIG\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\MSCONFIG\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Saved Games\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Saved Games\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\MSCONFIG\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\MSCONFIG\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\MSCONFIG\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jikD5aXlRk.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\MSCONFIG\CONFIG.exe

"C:\MSCONFIG\CONFIG.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Desktop\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Desktop\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Desktop\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\root\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\root\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\Cursors\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Windows\Cursors\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SolaraBootstrapperS" /sc MINUTE /mo 6 /tr "'C:\Windows\Sun\Java\Deployment\SolaraBootstrapper.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SolaraBootstrapper" /sc ONLOGON /tr "'C:\Windows\Sun\Java\Deployment\SolaraBootstrapper.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SolaraBootstrapperS" /sc MINUTE /mo 5 /tr "'C:\Windows\Sun\Java\Deployment\SolaraBootstrapper.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Cookies\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Cookies\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\MSCONFIG\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\MSCONFIG\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\MSCONFIG\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\tracing\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\tracing\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\tracing\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f

C:\Recovery\WindowsRE\conhost.exe

"C:\Recovery\WindowsRE\conhost.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4652 -ip 4652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 1428

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tfVhKC50lX.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\conhost.exe

"C:\Recovery\WindowsRE\conhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZAtO29mfgG.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\conhost.exe

"C:\Recovery\WindowsRE\conhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gyyX5OxKdc.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\conhost.exe

"C:\Recovery\WindowsRE\conhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\conhost.exe

"C:\Recovery\WindowsRE\conhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MKE9IzBoeI.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\conhost.exe

"C:\Recovery\WindowsRE\conhost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\conhost.exe

"C:\Recovery\WindowsRE\conhost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 pastebin.com udp

Files

memory/1416-0-0x00007FFA4C3A3000-0x00007FFA4C3A5000-memory.dmp

memory/1416-1-0x0000000000EE0000-0x0000000000FD4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

MD5 74494703e5f44eeb9aa037f0f50bf682
SHA1 fcfd8813e63cd61c5bfd2db605827fb9070fe8e9
SHA256 3e4f692506d372bebc12d344c5f1543b67fa1dbe095c910aab78456510d7fe66
SHA512 dbd2a8d928c797c70c4286d8ebabe202902445ed60e94eeccf33c7e3d794c7e362139187dcd1a57a4919503c1c791cfbe38f6f6eff454248382b3c4e023791fe

C:\Users\Admin\AppData\Local\Temp\trx.exe

MD5 03cde07f808c1c15f2b413e89a45b9d8
SHA1 2e4f97f7f28024db39758472d484484dc3030c0b
SHA256 daf2510e43a399ef767b7d9dfc87ac245a6d625b05aa9d60a3f1a5767f8cfb9f
SHA512 d6add1d4f6acf0b70d50bfbefdd2f9093860a0c9de745429c11a28b6e9d2921ab60fda306e3b90f641901c6fb9b50e0928d0b90e58ee799c573606971eb6ad18

memory/1416-16-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

memory/1416-21-0x00007FFA4C3A0000-0x00007FFA4CE61000-memory.dmp

memory/4652-24-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

memory/4652-25-0x0000000000FA0000-0x0000000000FAA000-memory.dmp

memory/4652-26-0x0000000003320000-0x000000000332A000-memory.dmp

C:\MSCONFIG\0h6cj87wvPM.vbe

MD5 c82cc3c85bd84d0af9e997e0a4959cdd
SHA1 8ff246be20905b44b77082729819917245547013
SHA256 53db8dddc4b2d19225bc4e07771a867791fea3399c93f2e377b6794c2df3e86d
SHA512 09c484cf6b54b4dfd612fdbe32c116ada544dd684e98d4bcdf5ce67534712d2e16685ebecde94aded6a1a8767df75a3390d9871b52061b45bb9011bf2de353d9

C:\MSCONFIG\qB5uXmVRAbtGKpRj2QeMA08.bat

MD5 8ec84d1942903da3492f14e534a8e841
SHA1 b152ff7373eac0aaef9c17637bde6cc754fe257a
SHA256 a695797842083715d31a3aba69946326d1208a8eb497b1dffbc9f7dfd4305c4d
SHA512 bd1e95501352c71ca432263bfca20a2bf9400074629133a0c7906165e79bb9d14419656f3e44da28e817657f86869e2196ae8f77c57683b8ca8e191ffe2bb076

C:\MSCONFIG\CONFIG.exe

MD5 5e14719cd7fbb360095ace17828a75b3
SHA1 72cd087ba89bef7546a5657b352b61f2ea31f492
SHA256 095b2894512ec27bb89f8e5b1feb35ed137ebec9debf234d61935405f5a27561
SHA512 20bdef4870af81d4dedd18872213788d4a8c5ab2b7cf48e14f1e36096b91f79d791d3481dbd6e35599a1f2a00a2e105e05d92a8202b1597326c6d17905d3bc27

memory/696-39-0x0000000000540000-0x000000000066E000-memory.dmp

memory/696-40-0x0000000000E30000-0x0000000000E42000-memory.dmp

memory/696-41-0x000000001B180000-0x000000001B18C000-memory.dmp

memory/696-42-0x0000000000E40000-0x0000000000E48000-memory.dmp

memory/696-43-0x000000001B190000-0x000000001B1A2000-memory.dmp

memory/696-44-0x000000001C040000-0x000000001C568000-memory.dmp

memory/696-46-0x000000001B1D0000-0x000000001B1DC000-memory.dmp

memory/696-45-0x000000001B1C0000-0x000000001B1CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jikD5aXlRk.bat

MD5 76a5acdd11c8445c4fb43b8ab007d86f
SHA1 0b9d3d98c7132186ea2142410b8bafed012ed65d
SHA256 5945ef32e06ce1d72e1290ffcaacd86ec45f4486554d4ea8d7efdcb3e1e0b8ff
SHA512 c95b0ae33c220e24b8e97971b226addb4c5a7a988a6bafd4bca63ee14b3fc3ee2b460d7ea4a7238e6739cde61810817c07c67c53bde59d2cedad08a30a0ccfb1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CONFIG.exe.log

MD5 3dabc3a15559ada6586962e5d966af35
SHA1 b9e7ebe34532596154354f7130acafe8654016ef
SHA256 43f6fa295df0ae3976c919bdd314b17768768b6eb14514b2b3a3fe8e7e477c5b
SHA512 e828eb2af6cb4551e3174cfe8fbcd3c7923ad71c8d6dbf33432223bb230561f8145fc894f457f6660266c2658166fca486c557337f1bafc1b9973d19959fa348

memory/4380-75-0x00000000025D0000-0x00000000025E2000-memory.dmp

memory/4380-76-0x0000000002660000-0x0000000002672000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tfVhKC50lX.bat

MD5 cf6800bfb1c35205a8bc71d9d9bfa190
SHA1 22d56dd84ec4416c0461abb665d691d4510a53e5
SHA256 ab63bd127bf496cbd967233a1bfd2cc3d516d99853567b069ded9becc8efe77d
SHA512 e183da86e5ace5f29183a7d67dd2b35021c0ed8f691f68dfd8229333954077125f8397890e8aeaa782371efd5bd7c2043a17e15cfc8cee577d682551aad3a58f

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\conhost.exe.log

MD5 45b7b984ff65c4ed6e0e1eec9a7e1dbb
SHA1 319c613685ba61edb0956fcb3301e659572e6255
SHA256 5779e6406a1a1a3938bcc0dcc2eecbdea9a23ae203d9d9dc678b056315139b69
SHA512 c8733ff26e452805c7791b1cd9a17913dafaf55567a6d8dea4bdd675aae5077d857b546878ab605101a2320e53621b9e07d2b0a51942ef14839891f2be581049

C:\Users\Admin\AppData\Local\Temp\ZAtO29mfgG.bat

MD5 033309c9fb0cb952e7e940828ab531f5
SHA1 abb4358ba92106e641671c611153f3a3e944b458
SHA256 6055914d2abbbce08f212f53dba273753e8eb5831912a1c26855e868a771cb66
SHA512 3b97ef986596f4139215da7eca5cdf55f15d2e7b54afe2f36aed2382ce9f81f96bc3ee49738ccb9334f796b86ec5b918065ac806860f5c380e5fbd603d94b4e6

C:\Users\Admin\AppData\Local\Temp\gyyX5OxKdc.bat

MD5 88a2763bba4bd031f7db3857d0f3c78f
SHA1 b54a5b883970e5dc493e87e58ed094fa3462744f
SHA256 f8c9f64cad1ef11c48d0c19b0c75f5289b8286dcf4bd4d892a7adc478f016750
SHA512 14bb52f3f25619e65bece77cb0f14a63aa2a560f536e8b302ef6051eda747769a58f42be7c72b4431297fe7a30e6e6aca13c55c2dccecdf8021e55f6dcfabb7f

C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat

MD5 cf9cac864fe027e2390dc92c7e8bc1aa
SHA1 e921abfc1c577037bdf8bb329b7eb90076c9c786
SHA256 40a126dc0c1b85938738a36a0d5b64413b287b51ebeb372a812b5b733db31281
SHA512 0a2f7f082d5b9db65744ed57a6f81f771bbb66abf4a123cfe893bee86a5c03519d2903bdd24a18d5c9c613f519ee30167f52daafd43e33400456c68c35ee4a05

memory/3384-131-0x0000000002DE0000-0x0000000002DF2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MKE9IzBoeI.bat

MD5 1c38052fa1d92ac87d9f1cbdd4554fb4
SHA1 7eaf591d94cf7401dbbcc26934f0c8810feda7c7
SHA256 06796c05a45c31d0e3204ddfe60d42a5b8e6504139ec54f55830aef446575d1d
SHA512 5372e780d0e5a63d17df46e700638af4f0975863f12773f48e6aa2717bf710938b6680f65b06cd80568302a0d829c3f09f08c8557ad6171ede4eb619b324d52c

C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat

MD5 703ca2a879f3908c96a2b6cd8f83997d
SHA1 a69d052783f29f8b3e14434649f84b89c3086f1a
SHA256 030eaea140b2c52ec25afb033cfb3b7c7dd284d643c571332236193dac59ba88
SHA512 54cf6bd22ef84e16e15ee743a8cc906e49308a4b1dc37468223f4ebf7b32674f40ca66d15b9a71923fcc2518c99c6ca619019b271c7bda58b76e98dcfd1f2e6a