Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-07-2024 06:27

General

  • Target

    SolaraBootstrapper.exe

  • Size

    56KB

  • MD5

    531ab3880581aa1715864b4f101dbeb8

  • SHA1

    126fe92bb2d367f816d14d8748b7de2e54cce4d3

  • SHA256

    b599c347056fe4bfa9bf3138e6e35fa0d29a2525ee1fa226f0b7dd5c1b90362e

  • SHA512

    98a78e6ddb012b222840a3f2843427e210303280505894b332d0543ea894f66728f9980e9b04872fbf63e00c86d77d78f85477a55d715af499c20ad914988f2e

  • SSDEEP

    1536:yEwY717Orc6qIDaXvKXPRFXeoWpCZewuHMCC99W:l1arckOvKX5ptiC0C9Q

Malware Config

Extracted

Family

xworm

C2

necessary-threatened.gl.at.ply.gg:15323

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    dllhost.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 63 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 59 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2360
    • C:\Users\Admin\AppData\Local\Temp\epic.exe
      "C:\Users\Admin\AppData\Local\Temp\epic.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2892
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:636
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'epic.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2860
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\dllhost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1404
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2116
    • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2368
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2864
      • C:\Users\Admin\AppData\Local\Temp\epic.exe
        "C:\Users\Admin\AppData\Local\Temp\epic.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2552
      • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2608
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1052
        • C:\Users\Admin\AppData\Local\Temp\epic.exe
          "C:\Users\Admin\AppData\Local\Temp\epic.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:2028
        • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
          "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1988
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2916
          • C:\Users\Admin\AppData\Local\Temp\epic.exe
            "C:\Users\Admin\AppData\Local\Temp\epic.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2772
          • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
            "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1028
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
              6⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1308
            • C:\Users\Admin\AppData\Local\Temp\epic.exe
              "C:\Users\Admin\AppData\Local\Temp\epic.exe"
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:2396
            • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
              "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:700
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1316
              • C:\Users\Admin\AppData\Local\Temp\epic.exe
                "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:2256
              • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                7⤵
                  PID:1620
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                    8⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2720
                  • C:\Users\Admin\AppData\Local\Temp\epic.exe
                    "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                    8⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2512
                  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                    8⤵
                      PID:2488
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                        9⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2540
                      • C:\Users\Admin\AppData\Local\Temp\epic.exe
                        "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                        9⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2824
                      • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                        9⤵
                          PID:2088
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                            10⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1244
                          • C:\Users\Admin\AppData\Local\Temp\epic.exe
                            "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                            10⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:1092
                          • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                            "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                            10⤵
                              PID:1464
                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                11⤵
                                • Command and Scripting Interpreter: PowerShell
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:468
                              • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                11⤵
                                • Executes dropped EXE
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2388
                              • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                11⤵
                                  PID:2108
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                    12⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:2764
                                  • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                    "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                    12⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:1536
                                  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                    12⤵
                                      PID:1972
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                        13⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1988
                                      • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                        "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                        13⤵
                                        • Executes dropped EXE
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:1676
                                      • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                        13⤵
                                          PID:836
                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                            14⤵
                                            • Command and Scripting Interpreter: PowerShell
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:3056
                                          • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                            "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                            14⤵
                                            • Executes dropped EXE
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:1780
                                          • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                            "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                            14⤵
                                              PID:2988
                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                15⤵
                                                • Command and Scripting Interpreter: PowerShell
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:3036
                                              • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                15⤵
                                                • Executes dropped EXE
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2708
                                              • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                15⤵
                                                  PID:2700
                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                    16⤵
                                                    • Command and Scripting Interpreter: PowerShell
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:1588
                                                  • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                    16⤵
                                                    • Executes dropped EXE
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2864
                                                  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                    16⤵
                                                      PID:2520
                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                        17⤵
                                                        • Command and Scripting Interpreter: PowerShell
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2748
                                                      • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                        17⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2224
                                                      • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                        17⤵
                                                          PID:2664
                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                            18⤵
                                                            • Command and Scripting Interpreter: PowerShell
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:2824
                                                          • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                            18⤵
                                                            • Executes dropped EXE
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:468
                                                          • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                            18⤵
                                                              PID:1448
                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                19⤵
                                                                • Command and Scripting Interpreter: PowerShell
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:2548
                                                              • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                19⤵
                                                                • Executes dropped EXE
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:672
                                                              • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                19⤵
                                                                  PID:1404
                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                    20⤵
                                                                    • Command and Scripting Interpreter: PowerShell
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:2060
                                                                  • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                    20⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:1308
                                                                  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                    20⤵
                                                                      PID:1772
                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                        21⤵
                                                                        • Command and Scripting Interpreter: PowerShell
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:1188
                                                                      • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                        21⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:900
                                                                      • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                        21⤵
                                                                          PID:1964
                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                            22⤵
                                                                            • Command and Scripting Interpreter: PowerShell
                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:2416
                                                                          • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                            22⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                            PID:1620
                                                                          • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                            22⤵
                                                                              PID:2236
                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                23⤵
                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:2632
                                                                              • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                23⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:2532
                                                                              • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                23⤵
                                                                                  PID:2488
                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                    24⤵
                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:2508
                                                                                  • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                    24⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:1664
                                                                                  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                    24⤵
                                                                                      PID:2528
                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                        25⤵
                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:2840
                                                                                      • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                        25⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:544
                                                                                      • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                        25⤵
                                                                                          PID:2716
                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                            26⤵
                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:2408
                                                                                          • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                            "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                            26⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                            PID:408
                                                                                          • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                            "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                            26⤵
                                                                                              PID:2560
                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                27⤵
                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:2000
                                                                                              • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                27⤵
                                                                                                • Executes dropped EXE
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                PID:3000
                                                                                              • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                27⤵
                                                                                                  PID:612
                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                    28⤵
                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                    PID:1728
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                    "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                    28⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                    PID:892
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                    28⤵
                                                                                                      PID:1316
                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                        29⤵
                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                        PID:1628
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                        "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                        29⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                        PID:2536
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                        29⤵
                                                                                                          PID:2756
                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                            30⤵
                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            PID:2644
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                            "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                            30⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            PID:2344
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                            "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                            30⤵
                                                                                                              PID:1104
                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                                31⤵
                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                PID:2672
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                                "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                                31⤵
                                                                                                                • Executes dropped EXE
                                                                                                                PID:1400
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                31⤵
                                                                                                                  PID:1596
                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                                    32⤵
                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                    PID:912
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                                    32⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    PID:1800
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                    32⤵
                                                                                                                      PID:2556
                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                                        33⤵
                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                        PID:1816
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                                        33⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        PID:2984
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                        33⤵
                                                                                                                          PID:2680
                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                                            34⤵
                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                            PID:2968
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                                            34⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            PID:2032
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                            34⤵
                                                                                                                              PID:2364
                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                                                35⤵
                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                PID:308
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                                                35⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                PID:2160
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                35⤵
                                                                                                                                  PID:2300
                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                                                    36⤵
                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                    PID:672
                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                                                    36⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    PID:3060
                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                    36⤵
                                                                                                                                      PID:2928
                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                                                        37⤵
                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                        PID:1308
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                                                        37⤵
                                                                                                                                        • Executes dropped EXE
                                                                                                                                        PID:2220
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                        37⤵
                                                                                                                                          PID:3036
                                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                                                            38⤵
                                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                            PID:900
                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                                                            38⤵
                                                                                                                                            • Executes dropped EXE
                                                                                                                                            PID:3028
                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                            38⤵
                                                                                                                                              PID:1980
                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                                                                39⤵
                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                PID:1928
                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                                                                39⤵
                                                                                                                                                • Executes dropped EXE
                                                                                                                                                PID:2744
                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                39⤵
                                                                                                                                                  PID:1804
                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                                                                    40⤵
                                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                    PID:1616
                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                                                                    40⤵
                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                    PID:1732
                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                    40⤵
                                                                                                                                                      PID:1400
                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                                                                        41⤵
                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                        PID:960
                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                                                                        41⤵
                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                        PID:2348
                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                        41⤵
                                                                                                                                                          PID:2440
                                                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                                                                            42⤵
                                                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                            PID:2108
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                                                                            42⤵
                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                            PID:2248
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                            42⤵
                                                                                                                                                              PID:860
                                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                                                                                43⤵
                                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                PID:2560
                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                                                                                43⤵
                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                PID:468
                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                                43⤵
                                                                                                                                                                  PID:3052
                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                                                                                    44⤵
                                                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                    PID:1740
                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                                                                                    44⤵
                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                    PID:1788
                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                                    44⤵
                                                                                                                                                                      PID:2980
                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                                                                                        45⤵
                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                        PID:2616
                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                                                                                        45⤵
                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                        PID:1648
                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                                        45⤵
                                                                                                                                                                          PID:1632
                                                                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                                                                                            46⤵
                                                                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                            PID:2788
                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                                                                                            46⤵
                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                            PID:2812
                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                                            46⤵
                                                                                                                                                                              PID:2068
                                                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                                                                                                47⤵
                                                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                PID:764
                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                                                                                                47⤵
                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                PID:2672
                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                                                47⤵
                                                                                                                                                                                  PID:884
                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                                                                                                    48⤵
                                                                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                    PID:952
                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                                                                                                    48⤵
                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                    PID:912
                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                                                    48⤵
                                                                                                                                                                                      PID:1616
                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                                                                                                        49⤵
                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                        PID:2476
                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                                                                                                        49⤵
                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                        PID:2664
                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                                                        49⤵
                                                                                                                                                                                          PID:2844
                                                                                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                                                                                                            50⤵
                                                                                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                            PID:2840
                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                                                                                                            50⤵
                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                            PID:2860
                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                                                            50⤵
                                                                                                                                                                                              PID:1552
                                                                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                                                                                                                51⤵
                                                                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                PID:1068
                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                                                                                                                51⤵
                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                PID:928
                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                                                                51⤵
                                                                                                                                                                                                  PID:2916
                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                                                                                                                    52⤵
                                                                                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                    PID:1404
                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                                                                                                                    52⤵
                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                    PID:3008
                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                                                                    52⤵
                                                                                                                                                                                                      PID:2056
                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                                                                                                                        53⤵
                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                        PID:1772
                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                                                                                                                        53⤵
                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                        PID:2656
                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                                                                        53⤵
                                                                                                                                                                                                          PID:1972
                                                                                                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                                                                                                                            54⤵
                                                                                                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                            PID:2872
                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                                                                                                                            54⤵
                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                            PID:1224
                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                                                                            54⤵
                                                                                                                                                                                                              PID:2600
                                                                                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                                                                                                                                55⤵
                                                                                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                PID:772
                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                                                                                                                                55⤵
                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                PID:1624
                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                                                                                                55⤵
                                                                                                                                                                                                                  PID:764
                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                                                                                                                                    56⤵
                                                                                                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                    PID:2432
                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                                                                                                                                    56⤵
  • Executes dropped EXE
  PID:1148
• C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
  56⤵
    PID:2112
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
      57⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:568
    • C:\Users\Admin\AppData\Local\Temp\epic.exe
      "C:\Users\Admin\AppData\Local\Temp\epic.exe"
      57⤵
      • Executes dropped EXE
      PID:1332
    • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
      57⤵
        PID:2008
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
          58⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:2548
        • C:\Users\Admin\AppData\Local\Temp\epic.exe
          "C:\Users\Admin\AppData\Local\Temp\epic.exe"
          58⤵
          • Executes dropped EXE
          PID:2000
        • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
          "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
          58⤵
            PID:1092
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
              59⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              PID:2440
            • C:\Users\Admin\AppData\Local\Temp\epic.exe
              "C:\Users\Admin\AppData\Local\Temp\epic.exe"
              59⤵
              • Executes dropped EXE
              PID:636
            • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
              "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
              59⤵
                PID:1320
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                  60⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2260
                • C:\Users\Admin\AppData\Local\Temp\epic.exe
                  "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                  60⤵
                  • Executes dropped EXE
                  PID:556
                • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                  "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                  60⤵
                    PID:1032

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\Users\Admin\AppData\Local\Temp\epic.exe
  Filesize: 69KB
  MD5: d28bff9bfb1d04c41b995138532caf06
  SHA1: 2c0a7ac9450b36abb624ad17d6d3fc9e4d919d45
  SHA256: a6cfbd450cbc9a1a040c955e51632d8f32d4477de0c9f46e4f37303ce28e0a4e
  SHA512: b1142bba18e6a6fb2f8879b683b50f51f9a1900865000cecbb0b774d3d675b0f31da283ddd655e6468ae3c04ae9c64de6ca434ffc8c5a8cd843e44dbf2336ced

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: aadd3fe949f8b18df9ed2af05cda8849
  SHA1: 39809819251ee74a8d3ea177eb12dfea97cc9519
  SHA256: 726b95a983d4617a4de25375a103e8656051bbce24c0715eeb2cf55901cd565d
  SHA512: 86f31a530e2d5cd364a84a13442d8a880cf3dc252663ebf2a3f6d319d7a554b3b065cf8e8b796fdf55beb16a64d9ded8ee2c81e77cb3857f8c0490c2c5cbb91f

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 27dcb90b12922f7c96538fc7b535477a
  SHA1: a020d177aa7565fac215a3bceb82f557e9355a3d
  SHA256: 729d3ecacb040bc6408a26c0fe8ab6a68c1976180e2ffebcdabbb133ca454e46
  SHA512: 393f4ff15ca91399e3cd0b958dd5348af6f0c819ba2d06ead9afffab37abcd8a5daab17288f74c51368703b1a9e27b3dec059820dbc9dbe3aad7c4b5975c9edb

• C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: dc6a028b965159f2fa866752c58fbf7f
  SHA1: 78d63d4bd49dcf7668ada256287f2dec61ee7b4b
  SHA256: fa59e419ee3c9402195349d063bade78ac8e3d08568b708f50d38e7384775510
  SHA512: 75419751911ec9db39ed45cc86e9c607cfd62320e82b57c912947d555a4f84a4ab0ddd004ba65cc126bd403f665028fb2b7219eb3137fdd6132b4769b5e4e0a4

• \??\PIPE\srvsvc
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

• memory/636-29-0x00000000022A0000-0x00000000022A8000-memory.dmp
  Filesize: 32KB

• memory/2236-1-0x000000013FAF0000-0x000000013FB02000-memory.dmp
  Filesize: 72KB

• memory/2236-0-0x000007FEF5833000-0x000007FEF5834000-memory.dmp
  Filesize: 4KB

• memory/2360-6-0x0000000002C80000-0x0000000002D00000-memory.dmp
  Filesize: 512KB

• memory/2360-7-0x000000001B680000-0x000000001B962000-memory.dmp
  Filesize: 2.9MB

• memory/2360-8-0x0000000002730000-0x0000000002738000-memory.dmp
  Filesize: 32KB

• memory/2860-35-0x00000000020C0000-0x00000000020C8000-memory.dmp
  Filesize: 32KB

• memory/2864-21-0x0000000001E70000-0x0000000001E78000-memory.dmp
  Filesize: 32KB

• memory/2864-20-0x000000001B650000-0x000000001B932000-memory.dmp
  Filesize: 2.9MB

• memory/2892-14-0x0000000000F10000-0x0000000000F28000-memory.dmp
  Filesize: 96KB