Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-07-2024 06:27

General

  • Target

    SolaraBootstrapper.exe

  • Size

    56KB

  • MD5

    531ab3880581aa1715864b4f101dbeb8

  • SHA1

    126fe92bb2d367f816d14d8748b7de2e54cce4d3

  • SHA256

    b599c347056fe4bfa9bf3138e6e35fa0d29a2525ee1fa226f0b7dd5c1b90362e

  • SHA512

    98a78e6ddb012b222840a3f2843427e210303280505894b332d0543ea894f66728f9980e9b04872fbf63e00c86d77d78f85477a55d715af499c20ad914988f2e

  • SSDEEP

    1536:yEwY717Orc6qIDaXvKXPRFXeoWpCZewuHMCC99W:l1arckOvKX5ptiC0C9Q

Malware Config

Extracted

Family

xworm

C2

necessary-threatened.gl.at.ply.gg:15323

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    dllhost.exe

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Detect Xworm Payload 2 IoCs
  • Process spawned unexpected child process 45 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Xworm

    Xworm is a remote access trojan written in C#.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 62 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 63 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 62 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 10 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3636
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:428
    • C:\Users\Admin\AppData\Local\Temp\epic.exe
      "C:\Users\Admin\AppData\Local\Temp\epic.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1136
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1564
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'epic.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4644
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\dllhost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4344
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3404
      • C:\Users\Admin\AppData\Local\Temp\bagjsq.exe
        "C:\Users\Admin\AppData\Local\Temp\bagjsq.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        PID:4152
        • C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe
          "C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Modifies registry class
          PID:1432
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\NVIDIA\DisplayDriver\535.21\zajaYJ4rqwpmDK2a6yrvwdV.vbe"
            5⤵
            • Checks computer location settings
            PID:3052
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\NVIDIA\DisplayDriver\535.21\mxJne99RtKqQDunPUGdos.bat" "
              6⤵
                PID:2600
                • C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe
                  "C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe"
                  7⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Drops file in Program Files directory
                  • Drops file in Windows directory
                  • Modifies registry class
                  PID:1072
                  • C:\Windows\System32\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4cvQWMksW9.bat"
                    8⤵
                      PID:1900
                      • C:\Windows\system32\w32tm.exe
                        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                        9⤵
                          PID:4308
                        • C:\NVIDIA\DisplayDriver\smss.exe
                          "C:\NVIDIA\DisplayDriver\smss.exe"
                          9⤵
                          • Executes dropped EXE
                          PID:628
              • C:\Users\Admin\AppData\Local\Temp\Screamer_by_LuckyKazya.exe
                "C:\Users\Admin\AppData\Local\Temp\Screamer_by_LuckyKazya.exe"
                4⤵
                • Executes dropped EXE
                PID:632
          • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
            "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
            2⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:4640
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
              3⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:820
            • C:\Users\Admin\AppData\Local\Temp\epic.exe
              "C:\Users\Admin\AppData\Local\Temp\epic.exe"
              3⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:3720
            • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
              "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
              3⤵
              • Checks computer location settings
              • Suspicious use of WriteProcessMemory
              PID:3160
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                4⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2464
              • C:\Users\Admin\AppData\Local\Temp\epic.exe
                "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                4⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:3044
              • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                4⤵
                • Checks computer location settings
                • Suspicious use of WriteProcessMemory
                PID:4852
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                  5⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1148
                • C:\Users\Admin\AppData\Local\Temp\epic.exe
                  "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                  5⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4640
                • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                  "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                  5⤵
                  • Checks computer location settings
                  • Suspicious use of WriteProcessMemory
                  PID:3876
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                    6⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:944
                  • C:\Users\Admin\AppData\Local\Temp\epic.exe
                    "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                    6⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4412
                  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                    6⤵
                    • Checks computer location settings
                    • Suspicious use of WriteProcessMemory
                    PID:3272
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                      7⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1732
                    • C:\Users\Admin\AppData\Local\Temp\epic.exe
                      "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                      7⤵
                      • Executes dropped EXE
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2100
                    • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                      "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                      7⤵
                      • Checks computer location settings
                      • Suspicious use of WriteProcessMemory
                      PID:4972
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                        8⤵
                        • Command and Scripting Interpreter: PowerShell
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1020
                      • C:\Users\Admin\AppData\Local\Temp\epic.exe
                        "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                        8⤵
                        • Executes dropped EXE
                        • Suspicious use of AdjustPrivilegeToken
                        PID:2544
                      • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                        8⤵
                        • Checks computer location settings
                        • Suspicious use of WriteProcessMemory
                        PID:4716
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                          9⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:4920
                        • C:\Users\Admin\AppData\Local\Temp\epic.exe
                          "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                          9⤵
                          • Executes dropped EXE
                          • Suspicious use of AdjustPrivilegeToken
                          PID:2836
                        • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                          "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                          9⤵
                          • Checks computer location settings
                          • Suspicious use of WriteProcessMemory
                          PID:3316
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                            10⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4944
                          • C:\Users\Admin\AppData\Local\Temp\epic.exe
                            "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                            10⤵
                            • Executes dropped EXE
                            • Suspicious use of AdjustPrivilegeToken
                            PID:232
                          • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                            "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                            10⤵
                            • Checks computer location settings
                            • Suspicious use of WriteProcessMemory
                            PID:3096
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                              11⤵
                              • Command and Scripting Interpreter: PowerShell
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of AdjustPrivilegeToken
                              PID:4180
                            • C:\Users\Admin\AppData\Local\Temp\epic.exe
                              "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                              11⤵
                              • Executes dropped EXE
                              • Suspicious use of AdjustPrivilegeToken
                              PID:852
                            • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                              "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                              11⤵
                              • Checks computer location settings
                              PID:4524
                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                12⤵
                                • Command and Scripting Interpreter: PowerShell
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                PID:2724
                              • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                12⤵
                                • Executes dropped EXE
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3944
                              • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                12⤵
                                • Checks computer location settings
                                PID:4824
                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                  13⤵
                                  • Command and Scripting Interpreter: PowerShell
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:4912
                                • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                  "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                  13⤵
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:3824
                                • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                  "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                  13⤵
                                  • Checks computer location settings
                                  PID:4860
                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                    14⤵
                                    • Command and Scripting Interpreter: PowerShell
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:4988
                                  • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                    "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                    14⤵
                                    • Executes dropped EXE
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:208
                                  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                    14⤵
                                    • Checks computer location settings
                                    PID:4564
                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                      15⤵
                                      • Command and Scripting Interpreter: PowerShell
                                      • Suspicious behavior: EnumeratesProcesses
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:4208
                                    • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                      "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                      15⤵
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:2808
                                    • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                      "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                      15⤵
                                      • Checks computer location settings
                                      PID:2872
                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                        16⤵
                                        • Command and Scripting Interpreter: PowerShell
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:3828
                                      • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                        "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                        16⤵
                                        • Executes dropped EXE
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:548
                                      • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                        16⤵
                                        • Checks computer location settings
                                        PID:2540
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                          17⤵
                                          • Command and Scripting Interpreter: PowerShell
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:4528
                                        • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                          "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                          17⤵
                                          • Executes dropped EXE
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2796
                                        • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                          "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                          17⤵
                                          • Checks computer location settings
                                          PID:1052
                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                            18⤵
                                            • Command and Scripting Interpreter: PowerShell
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:3520
                                          • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                            "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                            18⤵
                                            • Executes dropped EXE
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:4344
                                          • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                            "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                            18⤵
                                            • Checks computer location settings
                                            PID:1644
                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                              19⤵
                                              • Command and Scripting Interpreter: PowerShell
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2968
                                            • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                              "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                              19⤵
                                              • Executes dropped EXE
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:1220
                                            • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                              "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                              19⤵
                                              • Checks computer location settings
                                              PID:2908
                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                20⤵
                                                • Command and Scripting Interpreter: PowerShell
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:1168
                                              • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                20⤵
                                                • Executes dropped EXE
                                                • Suspicious use of AdjustPrivilegeToken
                                                PID:2940
                                              • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                20⤵
                                                • Checks computer location settings
                                                PID:1924
                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                  21⤵
                                                  • Command and Scripting Interpreter: PowerShell
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:3332
                                                • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                  21⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:2100
                                                • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                  21⤵
                                                  • Checks computer location settings
                                                  PID:3276
                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                    22⤵
                                                    • Command and Scripting Interpreter: PowerShell
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:1728
                                                  • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                    22⤵
                                                    • Executes dropped EXE
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:3588
                                                  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                    22⤵
                                                    • Checks computer location settings
                                                    PID:4640
                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                      23⤵
                                                      • Command and Scripting Interpreter: PowerShell
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2636
                                                    • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                      23⤵
                                                      • Executes dropped EXE
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:1868
                                                    • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                      "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                      23⤵
                                                      • Checks computer location settings
                                                      PID:3168
                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                        24⤵
                                                        • Command and Scripting Interpreter: PowerShell
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:1128
                                                      • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                        24⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:4716
                                                      • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                        24⤵
                                                        • Checks computer location settings
                                                        PID:2544
                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                          25⤵
                                                          • Command and Scripting Interpreter: PowerShell
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:68
                                                        • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                          25⤵
                                                          • Executes dropped EXE
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2808
                                                        • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                          25⤵
                                                          • Checks computer location settings
                                                          PID:5032
                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                            26⤵
                                                            • Command and Scripting Interpreter: PowerShell
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:4524
                                                          • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                            26⤵
                                                            • Executes dropped EXE
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            PID:460
                                                          • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                            26⤵
                                                            • Checks computer location settings
                                                            PID:3440
                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                              27⤵
                                                              • Command and Scripting Interpreter: PowerShell
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:2324
                                                            • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                              27⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:1212
                                                            • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                              27⤵
                                                              • Checks computer location settings
                                                              PID:3148
                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                28⤵
                                                                • Command and Scripting Interpreter: PowerShell
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:3728
                                                              • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                28⤵
                                                                • Executes dropped EXE
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:3720
                                                              • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                28⤵
                                                                • Checks computer location settings
                                                                PID:4240
                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                  29⤵
                                                                  • Command and Scripting Interpreter: PowerShell
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:1376
                                                                • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                  29⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:2752
                                                                • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                  29⤵
                                                                  • Checks computer location settings
                                                                  PID:5084
                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                    30⤵
                                                                    • Command and Scripting Interpreter: PowerShell
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:4216
                                                                  • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                    30⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:4224
                                                                  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                    30⤵
                                                                    • Checks computer location settings
                                                                    PID:4972
                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                      31⤵
                                                                      • Command and Scripting Interpreter: PowerShell
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:4800
                                                                    • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                      31⤵
                                                                      • Executes dropped EXE
                                                                      PID:3868
                                                                    • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                      31⤵
                                                                      • Checks computer location settings
                                                                      PID:2808
                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                        32⤵
                                                                        • Command and Scripting Interpreter: PowerShell
                                                                        PID:3028
                                                                      • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                        32⤵
                                                                        • Executes dropped EXE
                                                                        PID:4028
                                                                      • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                        32⤵
                                                                        • Checks computer location settings
                                                                        PID:4344
                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                          33⤵
                                                                          • Command and Scripting Interpreter: PowerShell
                                                                          PID:2984
                                                                        • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                          33⤵
                                                                          • Executes dropped EXE
                                                                          PID:1652
                                                                        • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                          33⤵
                                                                          • Checks computer location settings
                                                                          PID:4360
                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                            34⤵
                                                                            • Command and Scripting Interpreter: PowerShell
                                                                            PID:4352
                                                                          • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                            34⤵
                                                                            • Executes dropped EXE
                                                                            PID:3164
                                                                          • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                            34⤵
                                                                            • Checks computer location settings
                                                                            PID:4528
                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                              35⤵
                                                                              • Command and Scripting Interpreter: PowerShell
                                                                              PID:2908
                                                                            • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                              35⤵
                                                                              • Executes dropped EXE
                                                                              PID:596
                                                                            • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                              35⤵
                                                                              • Checks computer location settings
                                                                              PID:4660
                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                36⤵
                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                PID:1848
                                                                              • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                36⤵
                                                                                • Executes dropped EXE
                                                                                PID:2904
                                                                              • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                36⤵
                                                                                • Checks computer location settings
                                                                                PID:1588
                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                  37⤵
                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                  PID:1620
                                                                                • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                  37⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:3568
                                                                                • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                  "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                  37⤵
                                                                                  • Checks computer location settings
                                                                                  PID:3028
                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                    38⤵
                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                    PID:748
                                                                                  • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                    38⤵
                                                                                    • Executes dropped EXE
                                                                                    PID:2684
                                                                                  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                    38⤵
                                                                                    • Checks computer location settings
                                                                                    PID:4868
                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                      39⤵
                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                      PID:4028
                                                                                    • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                      39⤵
                                                                                      • Executes dropped EXE
                                                                                      PID:4644
                                                                                    • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                      "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                      39⤵
                                                                                      • Checks computer location settings
                                                                                      PID:2940
                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                        40⤵
                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                        PID:4768
                                                                                      • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                        40⤵
                                                                                        • Executes dropped EXE
                                                                                        PID:4852
                                                                                      • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                        40⤵
                                                                                        • Checks computer location settings
                                                                                        PID:1496
                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                          41⤵
                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                          PID:4672
                                                                                        • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                          "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                          41⤵
                                                                                          • Executes dropped EXE
                                                                                          PID:1376
                                                                                        • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                          "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                          41⤵
                                                                                          • Checks computer location settings
                                                                                          PID:2300
                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                            42⤵
                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                            PID:2952
                                                                                          • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                            "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                            42⤵
                                                                                            • Executes dropped EXE
                                                                                            PID:548
                                                                                          • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                            "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                            42⤵
                                                                                            • Checks computer location settings
                                                                                            PID:3576
                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                              43⤵
                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                              PID:3872
                                                                                            • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                              "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                              43⤵
                                                                                              • Executes dropped EXE
                                                                                              PID:1176
                                                                                            • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                              "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                              43⤵
                                                                                              • Checks computer location settings
                                                                                              PID:1612
                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                44⤵
                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                PID:4880
                                                                                              • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                44⤵
                                                                                                • Executes dropped EXE
                                                                                                PID:2572
                                                                                              • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                44⤵
                                                                                                • Checks computer location settings
                                                                                                PID:4168
                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                  45⤵
                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                  PID:2112
                                                                                                • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                  "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                  45⤵
                                                                                                  • Executes dropped EXE
                                                                                                  PID:2684
                                                                                                • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                  "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                  45⤵
                                                                                                  • Checks computer location settings
                                                                                                  PID:2624
                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                    46⤵
                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                    PID:4452
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                    "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                    46⤵
                                                                                                    • Executes dropped EXE
                                                                                                    PID:3416
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                    46⤵
                                                                                                    • Checks computer location settings
                                                                                                    PID:2756
                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                      47⤵
                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                      PID:4516
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                      "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                      47⤵
                                                                                                      • Executes dropped EXE
                                                                                                      PID:4328
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                      "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                      47⤵
                                                                                                      • Checks computer location settings
                                                                                                      PID:4092
                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                        48⤵
                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                        PID:4056
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                        "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                        48⤵
                                                                                                        • Executes dropped EXE
                                                                                                        PID:1768
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                        48⤵
                                                                                                        • Checks computer location settings
                                                                                                        PID:2760
                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                          49⤵
                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                          PID:4248
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                          "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                          49⤵
                                                                                                          • Executes dropped EXE
                                                                                                          PID:1356
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                          "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                          49⤵
                                                                                                          • Checks computer location settings
                                                                                                          PID:1540
                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                            50⤵
                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                            PID:460
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                            "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                            50⤵
                                                                                                            • Executes dropped EXE
                                                                                                            PID:2684
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                            "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                            50⤵
                                                                                                            • Checks computer location settings
                                                                                                            PID:2908
                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                              51⤵
                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                              PID:3068
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                              "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                              51⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:5044
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                              "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                              51⤵
                                                                                                              • Checks computer location settings
                                                                                                              PID:4644
                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                                52⤵
                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                PID:2228
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                                "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                                52⤵
                                                                                                                • Executes dropped EXE
                                                                                                                PID:4996
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                52⤵
                                                                                                                • Checks computer location settings
                                                                                                                PID:4920
                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                                  53⤵
                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                  PID:2308
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                                  53⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  PID:3276
                                                                                                                • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                  53⤵
                                                                                                                  • Checks computer location settings
                                                                                                                  PID:4772
                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                                    54⤵
                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                    PID:4824
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                                    54⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    PID:2828
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                    54⤵
                                                                                                                    • Checks computer location settings
                                                                                                                    PID:2780
                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                                      55⤵
                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                      PID:5004
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                                      55⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      PID:4376
                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                      55⤵
                                                                                                                      • Checks computer location settings
                                                                                                                      PID:4000
                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                                        56⤵
                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                        PID:4964
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                                        56⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        PID:852
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                        56⤵
                                                                                                                        • Checks computer location settings
                                                                                                                        PID:1148
                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                                          57⤵
                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                          PID:1072
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                                          57⤵
                                                                                                                          • Executes dropped EXE
                                                                                                                          PID:1536
                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                          57⤵
                                                                                                                          • Checks computer location settings
                                                                                                                          PID:4240
                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                                            58⤵
                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                            PID:468
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                                            58⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            PID:1404
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                            58⤵
                                                                                                                            • Checks computer location settings
                                                                                                                            PID:4656
                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'
                                                                                                                              59⤵
                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                              PID:5016
                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\epic.exe
                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\epic.exe"
                                                                                                                              59⤵
                                                                                                                                PID:3704
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
                                                                                                                                59⤵
                                                                                                                                  PID:60
            • C:\Windows\system32\AUDIODG.EXE
              C:\Windows\system32\AUDIODG.EXE 0x4d8 0x2f8
              1⤵
                PID:4784
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\CbsTemp\services.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:2060
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\CbsTemp\services.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:2184
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\CbsTemp\services.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:1144
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Package Cache\{9F51D16B-42E8-4A4A-8228-75045541A2AE}v56.64.8781\taskhostw.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:2824
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{9F51D16B-42E8-4A4A-8228-75045541A2AE}v56.64.8781\taskhostw.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:1900
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Package Cache\{9F51D16B-42E8-4A4A-8228-75045541A2AE}v56.64.8781\taskhostw.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:1736
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\NVIDIA\DisplayDriver\535.21\RuntimeBroker.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:2088
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\RuntimeBroker.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:3328
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\NVIDIA\DisplayDriver\535.21\RuntimeBroker.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:2588
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Documents\My Videos\TextInputHost.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:3332
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Videos\TextInputHost.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:4176
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Documents\My Videos\TextInputHost.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:3356
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\cmd.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:4168
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\cmd.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:4904
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\cmd.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:2040
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\skins\RuntimeBroker.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:824
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\RuntimeBroker.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:3272
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\skins\RuntimeBroker.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:848
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\SearchApp.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:4516
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\SearchApp.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:4384
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\SearchApp.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:644
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "TiWorkerT" /sc MINUTE /mo 10 /tr "'C:\Users\Public\TiWorker.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:2692
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "TiWorker" /sc ONLOGON /tr "'C:\Users\Public\TiWorker.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:5108
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "TiWorkerT" /sc MINUTE /mo 10 /tr "'C:\Users\Public\TiWorker.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:4412
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Start Menu\RuntimeBroker.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:4780
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\RuntimeBroker.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:4824
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Start Menu\RuntimeBroker.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:2624
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Windows\DigitalLocker\en-US\SearchApp.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:2292
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\SearchApp.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:1052
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Windows\DigitalLocker\en-US\SearchApp.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:3956
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\NVIDIA\DisplayDriver\smss.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:4804
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\smss.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:3540
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\NVIDIA\DisplayDriver\smss.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:4240
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "epice" /sc MINUTE /mo 9 /tr "'C:\Program Files\Crashpad\attachments\epic.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:4280
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "epic" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\epic.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:3588
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "epice" /sc MINUTE /mo 6 /tr "'C:\Program Files\Crashpad\attachments\epic.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:4128
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Windows\CbsTemp\Registry.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:3416
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\CbsTemp\Registry.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:3728
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Windows\CbsTemp\Registry.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:3344
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\smss.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:2836
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\smss.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:2084
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\smss.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:1540
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\NVIDIA\DisplayDriver\535.21\csrss.exe'" /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:4524
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\csrss.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:4964
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\NVIDIA\DisplayDriver\535.21\csrss.exe'" /rl HIGHEST /f
                1⤵
                • Process spawned unexpected child process
                • Scheduled Task/Job: Scheduled Task
                PID:4852

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\ProgramData\Package Cache\{9F51D16B-42E8-4A4A-8228-75045541A2AE}v56.64.8781\taskhostw.exe

                Filesize

                1.4MB

                MD5

                4a591f46c87b49a7de93f5ac771cd4ab

                SHA1

                e0992350818e5c56d3f2e3a6db340d1f5b8f3314

                SHA256

                b495e22042b08f27b690da18986ec74d5054a65d05d5cf41fdecd5751482ccbd

                SHA512

                b498445d1e427853690250aebff35cbd7e28e85a89ad868e3483930b16ec13198357cfcd5feb45567b1bc8f3d9f97c5ecf2d242c8a5e9d758a536d0498ba7955

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SolaraBootstrapper.exe.log

                Filesize

                654B

                MD5

                2ff39f6c7249774be85fd60a8f9a245e

                SHA1

                684ff36b31aedc1e587c8496c02722c6698c1c4e

                SHA256

                e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

                SHA512

                1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                Filesize

                2KB

                MD5

                d85ba6ff808d9e5444a4b369f5bc2730

                SHA1

                31aa9d96590fff6981b315e0b391b575e4c0804a

                SHA256

                84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                SHA512

                8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                34f595487e6bfd1d11c7de88ee50356a

                SHA1

                4caad088c15766cc0fa1f42009260e9a02f953bb

                SHA256

                0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

                SHA512

                10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                54522d22658e4f8f87ecb947b71b8feb

                SHA1

                6a6144bdf9c445099f52211b6122a2ecf72b77e9

                SHA256

                af18fc4864bc2982879aed928c960b6266f372c928f8c9632c5a4eecd64e448a

                SHA512

                55f2c5a455be20dcb4cb93a29e5389e0422237bdd7ac40112fec6f16a36e5e19df50d25d39a6d5acb2d41a96514c7ecd8631ce8e67c4ff04997282f49d947aba

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                bdf48114c58625e31476a6fb6aa5095a

                SHA1

                eb495ab6d22d2747dd66d42bd9e97d9f2e0d44e1

                SHA256

                1b492aee1b0b755650a50df7ca12ab837d0dda9c8a9de81216ed0b36dde6fb0f

                SHA512

                11658e6f52f5186cdc3463d660969490d1cd5df03025c69d8c683ff412b1b5f3739a1d4d9c7da53a9c05732979ac2339a72342186401e6760207dc3980463b5d

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                aeceee3981c528bdc5e1c635b65d223d

                SHA1

                de9939ed37edca6772f5cdd29f6a973b36b7d31b

                SHA256

                b99f3c778a047e0348c92c16e0419fa29418d10d0fec61ad8283e92a094a2b32

                SHA512

                df48285f38e9284efdbd9f8d99e2e94a46fb5465953421ab88497b73ae06895b98ea5c98796560810a6f342c31a9112ea87e03cd3e267fd8518d7585f492a8fb

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                ce1bcf918960a60f96aa47ba48f3f859

                SHA1

                19162756fbc393f9a0f8740ab628ca459f90f578

                SHA256

                770e134e98ec4a964e22e23bdfb6bfacd295382c5d45fc1b90d6ed9b34307ef5

                SHA512

                d37419f97ad15e303f6d92924b49766e6995579e6c06e650df4016a930bdff44ecafb440b1263d34ac5217239c49b1ebfd709080b690f9b52a7bb2d7fcd666c1

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                46bf20e17dec660ef09b16e41372a7c3

                SHA1

                cf8daa89a45784a385b75cf5e90d3f59706ac5d5

                SHA256

                719589acc67594a2add00dca3c097551163199edbdd59a7f62f783871ef96e17

                SHA512

                91225c1aac17fa26ec00913d5e96950ed11d44a1fd28f34a1810fe143176864cf2b9624dc053183d8f28db5a3903c5e092aab180fb21ce2a3775223ee111df54

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                9d6b3de8a30f9be386829c5e91559b6b

                SHA1

                4c077a9c81e25a387be94d1a64245864ca8b3187

                SHA256

                79a969a0753f32377a162ea2f7018cd9cc790f8fc9232f6617d476921bda668c

                SHA512

                c89e31cb5a2e916787a09eeccf36128706d67ca610a25364d150670ae9bc69d6fc856bda4abe1d32923d3b6d00b8a18d8ce6525e0e2d5859ed11bd07a50fb99e

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                120c6c9af4de2accfcff2ed8c3aab1af

                SHA1

                504f64ae4ac9c4fe308a6a50be24fe464f3dad95

                SHA256

                461315e4057c3fa4d0031df3f7e6511914f082698b6c41f5c2ada831ceffb222

                SHA512

                041712168718dff702da8203b4089b2e57db98ce503b8ecf36809dec0cd7a595a0d427caa960bc1bd29cbedc85ad3262773f2077a476b85aca387d48f7b07ba2

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                da5c82b0e070047f7377042d08093ff4

                SHA1

                89d05987cd60828cca516c5c40c18935c35e8bd3

                SHA256

                77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

                SHA512

                7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                9bc110200117a3752313ca2acaf8a9e1

                SHA1

                fda6b7da2e7b0175b391475ca78d1b4cf2147cd3

                SHA256

                c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb

                SHA512

                1f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                eb1ad317bd25b55b2bbdce8a28a74a94

                SHA1

                98a3978be4d10d62e7411946474579ee5bdc5ea6

                SHA256

                9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

                SHA512

                d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                e3b6cc0fbea08a0831f0026a696db8b8

                SHA1

                4e32202d4700061cfd80d55e42798131c9f530d4

                SHA256

                3284cae7b82be99d93064390ba071ba4321f3f24dd21515b37b2ca9f31b2e8d5

                SHA512

                6a06856f360b48c8bc8a15ffb8d7a6604ec357bcb1d0fad5d71a2cb876929a7b67eb40ba4493998ab1bbae8cb71212e124276f27d5c138a135041c27a41a0b7a

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                d8cb3e9459807e35f02130fad3f9860d

                SHA1

                5af7f32cb8a30e850892b15e9164030a041f4bd6

                SHA256

                2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

                SHA512

                045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                ba169f4dcbbf147fe78ef0061a95e83b

                SHA1

                92a571a6eef49fff666e0f62a3545bcd1cdcda67

                SHA256

                5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

                SHA512

                8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                085e0a3b869f290afea5688a8ac4e7c5

                SHA1

                0fedef5057708908bcca9e7572be8f46cef4f3ca

                SHA256

                1fed2c9bc05b3fcb93f493124dbf1680c6445f67e3d49680257183132514509c

                SHA512

                bbac0555a05dbe83154a90caa44a653c8a05c87594a211548b165c5b1d231e3818830e754c0b6de3e5cb64dba3a5ad18bebae05cb9157e1dd46bce2a86d18ede

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                10890cda4b6eab618e926c4118ab0647

                SHA1

                1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d

                SHA256

                00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14

                SHA512

                a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                92075279f2dbcaa5724ee5a47e49712f

                SHA1

                8dd3e2faa8432dde978946ebaf9054f7c6e0b2cb

                SHA256

                fd985ddd090621af25aa77aebff689c95ea7679ff0e81887124b2802ae3e9442

                SHA512

                744c62556233d9872f43ffb5a5a98aee20a44834436306f0a948c8c4072bdb46ef8044616593747edd645caaee60faf8b14fedb2d6df5f6019b5c73357d80d22

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                47605a4dda32c9dff09a9ca441417339

                SHA1

                4f68c895c35b0dc36257fc8251e70b968c560b62

                SHA256

                e6254c2bc9846a76a4567ab91b6eae76e937307ff9301b65d577ffe6e15fe40a

                SHA512

                b6823b6e794a2fe3e4c4ecfb3f0d61a54821de7feb4f9e3e7fd463e7fbb5e6848f59865b487dafebeac431e4f4db81ef56836d94cac67da39852c566ed34a885

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                6bde098f0d33d8063d6b7c7161a2d844

                SHA1

                831d57856a016d35c83ff74dfd2c2297bf1b44d2

                SHA256

                6d1d0c5311ea67e313b8018e4f8180654de2788c62582bf61ad0760ee14f7c20

                SHA512

                105c8ead7c8069e3a685fbacc777488e9f6b98d4451e8d2fc9019a307c250a699e1a6a9ee517cabe8bbe18c219b159722e4dda03f886789134bd06779d667535

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                f536c480373e2df50ffce8e1d067bdf6

                SHA1

                3c7b0b3721ca2599e6b16d39e7fece78e374230a

                SHA256

                89df89337a558aed7397e1f9ce370c23009804a47887571499764770277724f9

                SHA512

                6a137a18d4aef26e5b824a96c179ece739e1d06bb667b30919cd976e9b3a63fe9006dcc0109dbb6407023bbe74ac3354f9ebf90d337d09711409e3e6a965e986

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                6d42b6da621e8df5674e26b799c8e2aa

                SHA1

                ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

                SHA256

                5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

                SHA512

                53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                110b59ca4d00786d0bde151d21865049

                SHA1

                557e730d93fdf944a0cad874022df1895fb5b2e2

                SHA256

                77f69011c214ea5a01fd2035d781914c4893aee66d784deadc22179eadfdf77f

                SHA512

                cb55ac6eca50f4427718bace861679c88b2fdfea94d30209e8d61ca73a6ce9f8c4b5334922d2660a829b0636d20cbdf3bae1497c920e604efe6c636019feb10e

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                3072fa0040b347c3941144486bf30c6f

                SHA1

                e6dc84a5bd882198583653592f17af1bf8cbfc68

                SHA256

                da8b533f81b342503c109e46b081b5c5296fdad5481f93fe5cc648e49ca6238e

                SHA512

                62df0eed621fe8ec340887a03d26b125429025c14ddcdfef82cb78ce1c9c6110c1d51ff0e423754d7966b6251363bf92833970eaf67707f8dd62e1549a79536c

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                a7cc007980e419d553568a106210549a

                SHA1

                c03099706b75071f36c3962fcc60a22f197711e0

                SHA256

                a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165

                SHA512

                b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                15dde0683cd1ca19785d7262f554ba93

                SHA1

                d039c577e438546d10ac64837b05da480d06bf69

                SHA256

                d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

                SHA512

                57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                Filesize

                944B

                MD5

                ef647504cf229a16d02de14a16241b90

                SHA1

                81480caca469857eb93c75d494828b81e124fda0

                SHA256

                47002672443e80410e55a0b6d683573ac27d70d803b57ee3c2818d1008669710

                SHA512

                a6d8c08c708eee6f7e700880ce79d2ba7cd0acbe8529d96e18f3e90ea1f3cf33fd801dd6eba6017cdd02769e968c48278c090c1deeac710124f79423cd862ee1

              • C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe

                Filesize

                1.8MB

                MD5

                531bf67134a7c1fb4096113ca58cc648

                SHA1

                99e0fc1fb7a07c0685e426b327921d3e6c34498c

                SHA256

                67942630366d114efa35f3f4a79741a4a4eb2c3b0c8ffaac07af527f84d4489a

                SHA512

                8facae8335a4f33f54e48c64814946eb8b480800b4453612fffcef64117946a35d493f433d4e27186ee864603da756319f816e70c3bfc08b8bb1861fc7030ff4

              • C:\Users\Admin\AppData\Local\Temp\Screamer_by_LuckyKazya.exe

                Filesize

                7.4MB

                MD5

                3c3d1168fc2724c551837a505ea4374e

                SHA1

                86c913a12067fd2c1bbc31fb64a5b5d056175841

                SHA256

                f91c14c328544a2d4cc216c7c2115283806fa3201d40bd3c7c5d79dccd025b09

                SHA512

                0f181c9753a3f55e4f4a434ea3e972e00b46fb7319d95a4b7a5c7d09888537df4a8fc4c2c5e0232f96b441727e45a595eed42721ff8c7799302e4d3f13156a8e

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5ef3zbta.qqa.psm1

                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              • C:\Users\Admin\AppData\Local\Temp\bagjsq.exe

                Filesize

                8.2MB

                MD5

                5293cd34f1929a6aef0d11a71bed6384

                SHA1

                2c8799dacba9e2d7d3d906b135643746aea72efa

                SHA256

                ae00a9c7d4ac7331cf5281e36893cfad2bca070e3717417312651bf7ed8a4f1e

                SHA512

                965b1452805d8613ba682e9af3700aff3caa2e17f32f306e93cb0e7c3b29a6f373c387debe34cbab743d32454d67b37792e9003378d3786471cf74d11d2308ab

              • C:\Users\Admin\AppData\Local\Temp\epic.exe

                Filesize

                69KB

                MD5

                d28bff9bfb1d04c41b995138532caf06

                SHA1

                2c0a7ac9450b36abb624ad17d6d3fc9e4d919d45

                SHA256

                a6cfbd450cbc9a1a040c955e51632d8f32d4477de0c9f46e4f37303ce28e0a4e

                SHA512

                b1142bba18e6a6fb2f8879b683b50f51f9a1900865000cecbb0b774d3d675b0f31da283ddd655e6468ae3c04ae9c64de6ca434ffc8c5a8cd843e44dbf2336ced

              • memory/428-14-0x00007FFCB4EC0000-0x00007FFCB5981000-memory.dmp

                Filesize

                10.8MB

              • memory/428-13-0x00007FFCB4EC0000-0x00007FFCB5981000-memory.dmp

                Filesize

                10.8MB

              • memory/428-12-0x00007FFCB4EC0000-0x00007FFCB5981000-memory.dmp

                Filesize

                10.8MB

              • memory/428-7-0x00000130E76E0000-0x00000130E7702000-memory.dmp

                Filesize

                136KB

              • memory/428-17-0x00007FFCB4EC0000-0x00007FFCB5981000-memory.dmp

                Filesize

                10.8MB

              • memory/632-526-0x0000000000D60000-0x00000000014C0000-memory.dmp

                Filesize

                7.4MB

              • memory/632-527-0x0000000006490000-0x0000000006A34000-memory.dmp

                Filesize

                5.6MB

              • memory/632-528-0x0000000005EE0000-0x0000000005F72000-memory.dmp

                Filesize

                584KB

              • memory/632-530-0x0000000005E70000-0x0000000005E7A000-memory.dmp

                Filesize

                40KB

              • memory/1072-543-0x000000001BB70000-0x000000001BB8C000-memory.dmp

                Filesize

                112KB

              • memory/1072-545-0x000000001BB90000-0x000000001BBA6000-memory.dmp

                Filesize

                88KB

              • memory/1072-549-0x000000001BC30000-0x000000001BC3C000-memory.dmp

                Filesize

                48KB

              • memory/1072-548-0x000000001BBD0000-0x000000001BBDE000-memory.dmp

                Filesize

                56KB

              • memory/1072-542-0x0000000000E10000-0x0000000000F7A000-memory.dmp

                Filesize

                1.4MB

              • memory/1072-547-0x000000001BBC0000-0x000000001BBCE000-memory.dmp

                Filesize

                56KB

              • memory/1072-546-0x000000001BBB0000-0x000000001BBC0000-memory.dmp

                Filesize

                64KB

              • memory/1072-544-0x000000001BBE0000-0x000000001BC30000-memory.dmp

                Filesize

                320KB

              • memory/1136-31-0x0000000000C10000-0x0000000000C28000-memory.dmp

                Filesize

                96KB

              • memory/3636-32-0x00007FFCB4EC0000-0x00007FFCB5981000-memory.dmp

                Filesize

                10.8MB

              • memory/3636-26-0x00007FFCB4EC0000-0x00007FFCB5981000-memory.dmp

                Filesize

                10.8MB

              • memory/3636-1-0x00007FFCB4EC3000-0x00007FFCB4EC5000-memory.dmp

                Filesize

                8KB

              • memory/3636-0-0x00000000007E0000-0x00000000007F2000-memory.dmp

                Filesize

                72KB

              • memory/4152-501-0x00000000006E0000-0x0000000000F1C000-memory.dmp

                Filesize

                8.2MB