Malware Analysis Report

2024-11-13 13:46

Sample ID: 240719-g73fnazfjf
Target: SolaraBootstrapper.exe
SHA256: b599c347056fe4bfa9bf3138e6e35fa0d29a2525ee1fa226f0b7dd5c1b90362e
Tags: xworm execution persistence rat trojan dcrat infostealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: b599c347056fe4bfa9bf3138e6e35fa0d29a2525ee1fa226f0b7dd5c1b90362e

Threat Level: Known bad

The file SolaraBootstrapper.exe was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence rat trojan dcrat infostealer

Xworm

DcRat

Detect Xworm Payload

Process spawned unexpected child process

DCRat payload

Command and Scripting Interpreter: PowerShell

Drops startup file

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Scheduled Task/Job: Scheduled Task

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-07-19 06:27

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-19 06:27

Reported: 2024-07-19 06:30

Platform: win7-20240704-en

Max time kernel: 149s

Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dllhost.lnk | C:\Users\Admin\AppData\Local\Temp\epic.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dllhost.lnk | C:\Users\Admin\AppData\Local\Temp\epic.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\epic.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\ProgramData\\dllhost.exe" | C:\Users\Admin\AppData\Local\Temp\epic.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\epic.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\epic.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\epic.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2236 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2236 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | C:\Users\Admin\AppData\Local\Temp\epic.exe
PID 2236 wrote to memory of 2368 | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 2368 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2368 wrote to memory of 2552 | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | C:\Users\Admin\AppData\Local\Temp\epic.exe
PID 2368 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 2892 wrote to memory of 636 | N/A | C:\Users\Admin\AppData\Local\Temp\epic.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2892 wrote to memory of 2860 | N/A | C:\Users\Admin\AppData\Local\Temp\epic.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2892 wrote to memory of 1404 | N/A | C:\Users\Admin\AppData\Local\Temp\epic.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2608 wrote to memory of 1052 | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2892 wrote to memory of 2116 | N/A | C:\Users\Admin\AppData\Local\Temp\epic.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2608 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | C:\Users\Admin\AppData\Local\Temp\epic.exe
PID 2608 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 1988 wrote to memory of 2916 | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1988 wrote to memory of 2772 | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | C:\Users\Admin\AppData\Local\Temp\epic.exe
PID 1988 wrote to memory of 1028 | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 1028 wrote to memory of 1308 | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1028 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | C:\Users\Admin\AppData\Local\Temp\epic.exe
PID 1028 wrote to memory of 700 | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 700 wrote to memory of 1316 | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 700 wrote to memory of 2256 | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | C:\Users\Admin\AppData\Local\Temp\epic.exe
PID 700 wrote to memory of 1620 | N/A | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'epic.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhost.exe'

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 necessary-threatened.gl.at.ply.gg udp
US 147.185.221.21:15323 necessary-threatened.gl.at.ply.gg tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-19 06:27

Reported

2024-07-19 06:30

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

Signatures

DcRat

rat infostealer dcrat

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (23 identical rows)
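
The rows above come from a parent/child baseline: schtasks.exe is never expected under WmiPrvSE.exe. A child of WmiPrvSE.exe means the process was created through WMI (Win32_Process.Create) rather than by the installer directly, which is worth keeping in the alert text because legitimate management tooling creates processes the same way and needs allowlisting by host or command line rather than by parent alone. The Python below is an added example, not code from the report or the sandbox; it runs that check over constructed Sysmon-like events. The parent allowlist is a hand-written assumption, as is the event where the sample launches PowerShell (the report lists the PowerShell executions but not their parent).

```python
"""Parent/child anomaly check over process-creation events.

Added example, not part of the sandbox report: the logic behind the
"Process spawned unexpected child process" rows above (WmiPrvSE.exe ->
schtasks.exe). Events are constructed here in a Sysmon-Event-1-like shape.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str         # full path of the created process
    parent_image: str  # full path of its parent


# Parents that should never spawn console tools. A child of WmiPrvSE.exe was
# created through WMI (Win32_Process.Create), which is how the schtasks.exe
# launches in the report got that parent.
NEVER_PARENTS = {"wmiprvse.exe", "winword.exe", "excel.exe", "outlook.exe"}

# Expected parents for a few sensitive children (lower-case basenames).
# Assumption: a hand-written baseline for the example; a real one is derived
# from your own fleet's telemetry.
EXPECTED_PARENTS: dict[str, set[str]] = {
    "schtasks.exe": {"cmd.exe", "explorer.exe", "svchost.exe", "mmc.exe"},
    "powershell.exe": {"cmd.exe", "explorer.exe", "svchost.exe"},
}


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def flag_event(ev: ProcEvent) -> str | None:
    """Return a reason if the parent/child pair is anomalous, else None."""
    child, parent = _base(ev.image), _base(ev.parent_image)
    if parent in NEVER_PARENTS:
        return f"{parent} is not expected to spawn {child}"
    expected = EXPECTED_PARENTS.get(child)
    if expected is not None and parent not in expected:
        return f"{child} spawned by unexpected parent {parent}"
    return None


def flag_events(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Run flag_event over a batch and return (pid, reason) for every hit."""
    hits: list[tuple[int, str]] = []
    for ev in events:
        reason = flag_event(ev)
        if reason is not None:
            hits.append((ev.pid, reason))
    return hits


# Constructed sample events: 1001 mirrors the report's WmiPrvSE -> schtasks
# rows, 1003 is the assumed sample -> PowerShell launch, 1002/1004 are benign.
SAMPLE_EVENTS = [
    ProcEvent(1001, r"C:\Windows\system32\schtasks.exe",
              r"C:\Windows\system32\wbem\wmiprvse.exe"),
    ProcEvent(1002, r"C:\Windows\system32\schtasks.exe",
              r"C:\Windows\system32\cmd.exe"),
    ProcEvent(1003, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"),
    ProcEvent(1004, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, reason in flag_events(SAMPLE_EVENTS):
        print(pid, reason)
```

Running it prints the two anomalous pairs (1001 and 1003); the benign cmd.exe and explorer.exe parents pass. Tune NEVER_PARENTS and EXPECTED_PARENTS from observed telemetry before deploying, or WMI-driven management agents will page you.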

Xworm

trojan rat xworm

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (3 identical rows)

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (62 identical rows)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A (58 rows)
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\epic.exe N/A (1 row)
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A (1 row)
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bagjsq.exe N/A (1 row)
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe N/A (1 row)
Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe N/A (1 row)
Note: Geo\Nation is the value behind GetUserGeoID, which .NET's RegionInfo initialisation reads, so this signature is a weak indicator on its own; its value here is that it lists several of the dropped executables (epic.exe, bagjsq.exe, both NVIDIA Container.exe copies) and a WScript.exe host alongside the original sample.

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dllhost.lnk C:\Users\Admin\AppData\Local\Temp\epic.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dllhost.lnk C:\Users\Admin\AppData\Local\Temp\epic.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\epic.exe N/A (57 rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\bagjsq.exe N/A (1 row)
N/A N/A C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe N/A (1 row)
N/A N/A C:\Users\Admin\AppData\Local\Temp\Screamer_by_LuckyKazya.exe N/A (1 row)
N/A N/A C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe N/A (1 row)
N/A N/A C:\NVIDIA\DisplayDriver\smss.exe N/A (1 row)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\ProgramData\\dllhost.exe" C:\Users\Admin\AppData\Local\Temp\epic.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows NT\Accessories\en-US\38384e6a620884 C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe N/A
File created C:\Program Files\Crashpad\attachments\epic.exe C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\en-US\SearchApp.exe C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\ebf1f9fa8afd6d C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe N/A
File created C:\Program Files\VideoLAN\VLC\skins\RuntimeBroker.exe C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe N/A
File created C:\Program Files\VideoLAN\VLC\skins\9e8d7a4ca61bd9 C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe N/A
File created C:\Program Files\Crashpad\attachments\ec9997f18dae22 C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe N/A
File created C:\Program Files\Windows Multimedia Platform\smss.exe C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe N/A
File created C:\Program Files\Windows Multimedia Platform\69ddcba757bf72 C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe N/A
File created C:\Program Files\Windows Sidebar\Shared Gadgets\cmd.exe C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\CbsTemp\c5b4cb5e9653cc C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe N/A
File created C:\Windows\DigitalLocker\en-US\SearchApp.exe C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe N/A
File created C:\Windows\DigitalLocker\en-US\38384e6a620884 C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe N/A
File created C:\Windows\CbsTemp\Registry.exe C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe N/A
File created C:\Windows\CbsTemp\ee2ad38f3d4382 C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe N/A
File created C:\Windows\CbsTemp\services.exe C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe N/A
File opened for modification C:\Windows\CbsTemp\services.exe C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe N/A
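
Read together, the persistence and drop tables above show the second-stage installer (NVIDIA Container.exe) writing executables named after Windows system binaries (services.exe, smss.exe, cmd.exe, RuntimeBroker.exe, SearchApp.exe, Registry.exe) into directories where those binaries never live, each beside a 14-hex-character companion file, while epic.exe registers persistence twice: a Run value dllhost = C:\ProgramData\dllhost.exe and a Startup-folder dllhost.lnk. The Python below is an added example, not part of the report; it turns those three observations into checks and runs them over the report's paths plus two constructed benign controls. The expected-location table and the user-writable prefixes are assumptions limited to the names seen here.

```python
"""Triage of dropped-file and autostart artifacts.

Added example, not from the report: three checks that would fire on the
"Drops startup file", "Adds Run key" and "Drops file in ... directory" rows
above. The expected-location table is a hand-written assumption covering only
the binary names the report shows.
"""
from __future__ import annotations

import ntpath
import re

# Directories where these binaries legitimately live (lower-case). A name from
# this table created anywhere else is a masquerade: services.exe under
# C:\Windows\CbsTemp, RuntimeBroker.exe under a VLC skins folder, and so on.
SYSTEM_BINARY_HOMES: dict[str, set[str]] = {
    "services.exe":      {"c:\\windows\\system32"},
    "smss.exe":          {"c:\\windows\\system32"},
    "cmd.exe":           {"c:\\windows\\system32", "c:\\windows\\syswow64"},
    "dllhost.exe":       {"c:\\windows\\system32", "c:\\windows\\syswow64"},
    "runtimebroker.exe": {"c:\\windows\\system32"},
    # Windows 10/11 search UI package (assumed path); never under Program Files.
    "searchapp.exe":     {"c:\\windows\\systemapps\\microsoft.windows.search_cw5n1h2txyewy"},
    # "Registry" is a kernel-owned process with no user-mode image file.
    "registry.exe":      set(),
}

# The report drops a 14-hex-character companion file next to each masquerade.
COMPANION_RE = re.compile(r"^[0-9a-f]{14}$")

# Prefixes a standard user can write to (assumption: extend for your estate).
USER_WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\")

STARTUP_DIR_RE = re.compile(
    r"\\microsoft\\windows\\start menu\\programs\\startup\\", re.IGNORECASE)


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def check_dropped_file(path: str) -> str | None:
    """Flag system-binary masquerades and 14-hex companion files."""
    p = _norm(path)
    name, directory = ntpath.basename(p), ntpath.dirname(p)
    homes = SYSTEM_BINARY_HOMES.get(name)
    if homes is not None and directory not in homes:
        return f"masquerade: {name} outside its home directory ({path})"
    if COMPANION_RE.match(name):
        return f"companion file with 14-hex name ({path})"
    return None


def check_run_value(name: str, target: str) -> str | None:
    """Flag a Run value whose target lives in a user-writable location."""
    if _norm(target).startswith(USER_WRITABLE_PREFIXES):
        return f"Run value '{name}' points into user-writable path ({target})"
    return None


def check_startup_drop(path: str, creator: str) -> str | None:
    """Flag a Startup-folder item written by a process from a user-writable path."""
    if STARTUP_DIR_RE.search(path) and _norm(creator).startswith(USER_WRITABLE_PREFIXES):
        return f"startup item {ntpath.basename(path)} written by {creator}"
    return None


# Constructed sample: paths taken from the report plus two benign controls.
DROPPED_FILES = [
    r"C:\Windows\CbsTemp\services.exe",
    r"C:\Windows\CbsTemp\ee2ad38f3d4382",
    r"C:\Program Files\VideoLAN\VLC\skins\RuntimeBroker.exe",
    r"C:\Program Files (x86)\Windows NT\Accessories\en-US\SearchApp.exe",
    r"C:\Windows\System32\cmd.exe",           # benign control
]
RUN_VALUES = [
    ("dllhost", r"C:\ProgramData\dllhost.exe"),
    ("OneDrive", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"),  # benign control
]
STARTUP_DROPS = [
    (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dllhost.lnk",
     r"C:\Users\Admin\AppData\Local\Temp\epic.exe"),
]


def triage() -> list[str]:
    """Run every check over the constructed sample; return the findings."""
    findings = [check_dropped_file(p) for p in DROPPED_FILES]
    findings += [check_run_value(n, t) for n, t in RUN_VALUES]
    findings += [check_startup_drop(p, c) for p, c in STARTUP_DROPS]
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for line in triage():
        print(line)
```

Six findings come out: four from the dropped files (three masquerades and one companion file), the Run value, and the Startup .lnk; the two controls stay silent. The directory comparison is exact on purpose: a masquerade check that matches on filename alone will flag every legitimate copy in System32, and one that only looks at the top-level directory will miss the CbsTemp and Program Files drops shown here.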

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (45 identical rows)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (63 rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\epic.exe N/A (1 row)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (25 rows)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\epic.exe N/A (22 rows)
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\epic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\epic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\epic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\epic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\epic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\epic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\epic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\epic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\epic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3636 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3636 wrote to memory of 428 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3636 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\epic.exe
PID 3636 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\epic.exe
PID 3636 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 3636 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 4640 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4640 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4640 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\epic.exe
PID 4640 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\epic.exe
PID 4640 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 4640 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 1136 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\epic.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1136 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\epic.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1136 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\epic.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1136 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\epic.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1136 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\epic.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1136 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\epic.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3160 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3160 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1136 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\epic.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1136 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Local\Temp\epic.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3160 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\epic.exe
PID 3160 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\epic.exe
PID 3160 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 3160 wrote to memory of 4852 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 4852 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4852 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4852 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\epic.exe
PID 4852 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\epic.exe
PID 4852 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 4852 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 3876 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3876 wrote to memory of 944 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3876 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\epic.exe
PID 3876 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\epic.exe
PID 3876 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 3876 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 3272 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3272 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3272 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\epic.exe
PID 3272 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\epic.exe
PID 3272 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 3272 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 4972 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4972 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\epic.exe
PID 4972 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\epic.exe
PID 4972 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 4972 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 4716 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4716 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4716 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\epic.exe
PID 4716 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\epic.exe
PID 4716 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 4716 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 3316 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3316 wrote to memory of 4944 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3316 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\epic.exe
PID 3316 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\epic.exe
PID 3316 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 3316 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 3096 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3096 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'epic.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'dllhost.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Users\Admin\AppData\Local\Temp\bagjsq.exe

"C:\Users\Admin\AppData\Local\Temp\bagjsq.exe"

C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe

"C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe"

C:\Users\Admin\AppData\Local\Temp\Screamer_by_LuckyKazya.exe

"C:\Users\Admin\AppData\Local\Temp\Screamer_by_LuckyKazya.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\NVIDIA\DisplayDriver\535.21\zajaYJ4rqwpmDK2a6yrvwdV.vbe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4d8 0x2f8

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\NVIDIA\DisplayDriver\535.21\mxJne99RtKqQDunPUGdos.bat" "

C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe

"C:\NVIDIA\DisplayDriver\535.21\NVIDIA Container.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\CbsTemp\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\CbsTemp\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\CbsTemp\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Package Cache\{9F51D16B-42E8-4A4A-8228-75045541A2AE}v56.64.8781\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{9F51D16B-42E8-4A4A-8228-75045541A2AE}v56.64.8781\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Package Cache\{9F51D16B-42E8-4A4A-8228-75045541A2AE}v56.64.8781\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\NVIDIA\DisplayDriver\535.21\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\NVIDIA\DisplayDriver\535.21\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Documents\My Videos\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Videos\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Documents\My Videos\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\skins\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\skins\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TiWorkerT" /sc MINUTE /mo 10 /tr "'C:\Users\Public\TiWorker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TiWorker" /sc ONLOGON /tr "'C:\Users\Public\TiWorker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TiWorkerT" /sc MINUTE /mo 10 /tr "'C:\Users\Public\TiWorker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Start Menu\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Start Menu\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Windows\DigitalLocker\en-US\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Windows\DigitalLocker\en-US\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\NVIDIA\DisplayDriver\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\NVIDIA\DisplayDriver\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "epice" /sc MINUTE /mo 9 /tr "'C:\Program Files\Crashpad\attachments\epic.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "epic" /sc ONLOGON /tr "'C:\Program Files\Crashpad\attachments\epic.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "epice" /sc MINUTE /mo 6 /tr "'C:\Program Files\Crashpad\attachments\epic.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Windows\CbsTemp\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\CbsTemp\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Windows\CbsTemp\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Multimedia Platform\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\NVIDIA\DisplayDriver\535.21\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\NVIDIA\DisplayDriver\535.21\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\NVIDIA\DisplayDriver\535.21\csrss.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4cvQWMksW9.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\NVIDIA\DisplayDriver\smss.exe

"C:\NVIDIA\DisplayDriver\smss.exe"

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\epic.exe'

C:\Users\Admin\AppData\Local\Temp\epic.exe

"C:\Users\Admin\AppData\Local\Temp\epic.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 necessary-threatened.gl.at.ply.gg udp
US 147.185.221.21:15323 necessary-threatened.gl.at.ply.gg tcp
US 8.8.8.8:53 21.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 narzieo9.beget.tech udp

Files

memory/3636-0-0x00000000007E0000-0x00000000007F2000-memory.dmp

memory/3636-1-0x00007FFCB4EC3000-0x00007FFCB4EC5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5ef3zbta.qqa.psm1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/428-7-0x00000130E76E0000-0x00000130E7702000-memory.dmp

memory/428-12-0x00007FFCB4EC0000-0x00007FFCB5981000-memory.dmp

memory/428-13-0x00007FFCB4EC0000-0x00007FFCB5981000-memory.dmp

memory/428-14-0x00007FFCB4EC0000-0x00007FFCB5981000-memory.dmp

memory/428-17-0x00007FFCB4EC0000-0x00007FFCB5981000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\epic.exe

MD5 d28bff9bfb1d04c41b995138532caf06
SHA1 2c0a7ac9450b36abb624ad17d6d3fc9e4d919d45
SHA256 a6cfbd450cbc9a1a040c955e51632d8f32d4477de0c9f46e4f37303ce28e0a4e
SHA512 b1142bba18e6a6fb2f8879b683b50f51f9a1900865000cecbb0b774d3d675b0f31da283ddd655e6468ae3c04ae9c64de6ca434ffc8c5a8cd843e44dbf2336ced

memory/3636-26-0x00007FFCB4EC0000-0x00007FFCB5981000-memory.dmp

memory/1136-31-0x0000000000C10000-0x0000000000C28000-memory.dmp

memory/3636-32-0x00007FFCB4EC0000-0x00007FFCB5981000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d42b6da621e8df5674e26b799c8e2aa
SHA1 ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA256 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA512 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SolaraBootstrapper.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 110b59ca4d00786d0bde151d21865049
SHA1 557e730d93fdf944a0cad874022df1895fb5b2e2
SHA256 77f69011c214ea5a01fd2035d781914c4893aee66d784deadc22179eadfdf77f
SHA512 cb55ac6eca50f4427718bace861679c88b2fdfea94d30209e8d61ca73a6ce9f8c4b5334922d2660a829b0636d20cbdf3bae1497c920e604efe6c636019feb10e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3072fa0040b347c3941144486bf30c6f
SHA1 e6dc84a5bd882198583653592f17af1bf8cbfc68
SHA256 da8b533f81b342503c109e46b081b5c5296fdad5481f93fe5cc648e49ca6238e
SHA512 62df0eed621fe8ec340887a03d26b125429025c14ddcdfef82cb78ce1c9c6110c1d51ff0e423754d7966b6251363bf92833970eaf67707f8dd62e1549a79536c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 15dde0683cd1ca19785d7262f554ba93
SHA1 d039c577e438546d10ac64837b05da480d06bf69
SHA256 d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961
SHA512 57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ef647504cf229a16d02de14a16241b90
SHA1 81480caca469857eb93c75d494828b81e124fda0
SHA256 47002672443e80410e55a0b6d683573ac27d70d803b57ee3c2818d1008669710
SHA512 a6d8c08c708eee6f7e700880ce79d2ba7cd0acbe8529d96e18f3e90ea1f3cf33fd801dd6eba6017cdd02769e968c48278c090c1deeac710124f79423cd862ee1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 34f595487e6bfd1d11c7de88ee50356a
SHA1 4caad088c15766cc0fa1f42009260e9a02f953bb
SHA256 0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d
SHA512 10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 54522d22658e4f8f87ecb947b71b8feb
SHA1 6a6144bdf9c445099f52211b6122a2ecf72b77e9
SHA256 af18fc4864bc2982879aed928c960b6266f372c928f8c9632c5a4eecd64e448a
SHA512 55f2c5a455be20dcb4cb93a29e5389e0422237bdd7ac40112fec6f16a36e5e19df50d25d39a6d5acb2d41a96514c7ecd8631ce8e67c4ff04997282f49d947aba

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bdf48114c58625e31476a6fb6aa5095a
SHA1 eb495ab6d22d2747dd66d42bd9e97d9f2e0d44e1
SHA256 1b492aee1b0b755650a50df7ca12ab837d0dda9c8a9de81216ed0b36dde6fb0f
SHA512 11658e6f52f5186cdc3463d660969490d1cd5df03025c69d8c683ff412b1b5f3739a1d4d9c7da53a9c05732979ac2339a72342186401e6760207dc3980463b5d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aeceee3981c528bdc5e1c635b65d223d
SHA1 de9939ed37edca6772f5cdd29f6a973b36b7d31b
SHA256 b99f3c778a047e0348c92c16e0419fa29418d10d0fec61ad8283e92a094a2b32
SHA512 df48285f38e9284efdbd9f8d99e2e94a46fb5465953421ab88497b73ae06895b98ea5c98796560810a6f342c31a9112ea87e03cd3e267fd8518d7585f492a8fb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ce1bcf918960a60f96aa47ba48f3f859
SHA1 19162756fbc393f9a0f8740ab628ca459f90f578
SHA256 770e134e98ec4a964e22e23bdfb6bfacd295382c5d45fc1b90d6ed9b34307ef5
SHA512 d37419f97ad15e303f6d92924b49766e6995579e6c06e650df4016a930bdff44ecafb440b1263d34ac5217239c49b1ebfd709080b690f9b52a7bb2d7fcd666c1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 46bf20e17dec660ef09b16e41372a7c3
SHA1 cf8daa89a45784a385b75cf5e90d3f59706ac5d5
SHA256 719589acc67594a2add00dca3c097551163199edbdd59a7f62f783871ef96e17
SHA512 91225c1aac17fa26ec00913d5e96950ed11d44a1fd28f34a1810fe143176864cf2b9624dc053183d8f28db5a3903c5e092aab180fb21ce2a3775223ee111df54

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9d6b3de8a30f9be386829c5e91559b6b
SHA1 4c077a9c81e25a387be94d1a64245864ca8b3187
SHA256 79a969a0753f32377a162ea2f7018cd9cc790f8fc9232f6617d476921bda668c
SHA512 c89e31cb5a2e916787a09eeccf36128706d67ca610a25364d150670ae9bc69d6fc856bda4abe1d32923d3b6d00b8a18d8ce6525e0e2d5859ed11bd07a50fb99e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 120c6c9af4de2accfcff2ed8c3aab1af
SHA1 504f64ae4ac9c4fe308a6a50be24fe464f3dad95
SHA256 461315e4057c3fa4d0031df3f7e6511914f082698b6c41f5c2ada831ceffb222
SHA512 041712168718dff702da8203b4089b2e57db98ce503b8ecf36809dec0cd7a595a0d427caa960bc1bd29cbedc85ad3262773f2077a476b85aca387d48f7b07ba2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 da5c82b0e070047f7377042d08093ff4
SHA1 89d05987cd60828cca516c5c40c18935c35e8bd3
SHA256 77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5
SHA512 7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9bc110200117a3752313ca2acaf8a9e1
SHA1 fda6b7da2e7b0175b391475ca78d1b4cf2147cd3
SHA256 c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb
SHA512 1f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 eb1ad317bd25b55b2bbdce8a28a74a94
SHA1 98a3978be4d10d62e7411946474579ee5bdc5ea6
SHA256 9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98
SHA512 d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e3b6cc0fbea08a0831f0026a696db8b8
SHA1 4e32202d4700061cfd80d55e42798131c9f530d4
SHA256 3284cae7b82be99d93064390ba071ba4321f3f24dd21515b37b2ca9f31b2e8d5
SHA512 6a06856f360b48c8bc8a15ffb8d7a6604ec357bcb1d0fad5d71a2cb876929a7b67eb40ba4493998ab1bbae8cb71212e124276f27d5c138a135041c27a41a0b7a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d8cb3e9459807e35f02130fad3f9860d
SHA1 5af7f32cb8a30e850892b15e9164030a041f4bd6
SHA256 2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68
SHA512 045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ba169f4dcbbf147fe78ef0061a95e83b
SHA1 92a571a6eef49fff666e0f62a3545bcd1cdcda67
SHA256 5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1
SHA512 8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 085e0a3b869f290afea5688a8ac4e7c5
SHA1 0fedef5057708908bcca9e7572be8f46cef4f3ca
SHA256 1fed2c9bc05b3fcb93f493124dbf1680c6445f67e3d49680257183132514509c
SHA512 bbac0555a05dbe83154a90caa44a653c8a05c87594a211548b165c5b1d231e3818830e754c0b6de3e5cb64dba3a5ad18bebae05cb9157e1dd46bce2a86d18ede

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 10890cda4b6eab618e926c4118ab0647
SHA1 1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d
SHA256 00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14
SHA512 a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 92075279f2dbcaa5724ee5a47e49712f
SHA1 8dd3e2faa8432dde978946ebaf9054f7c6e0b2cb
SHA256 fd985ddd090621af25aa77aebff689c95ea7679ff0e81887124b2802ae3e9442
SHA512 744c62556233d9872f43ffb5a5a98aee20a44834436306f0a948c8c4072bdb46ef8044616593747edd645caaee60faf8b14fedb2d6df5f6019b5c73357d80d22

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 47605a4dda32c9dff09a9ca441417339
SHA1 4f68c895c35b0dc36257fc8251e70b968c560b62
SHA256 e6254c2bc9846a76a4567ab91b6eae76e937307ff9301b65d577ffe6e15fe40a
SHA512 b6823b6e794a2fe3e4c4ecfb3f0d61a54821de7feb4f9e3e7fd463e7fbb5e6848f59865b487dafebeac431e4f4db81ef56836d94cac67da39852c566ed34a885

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6bde098f0d33d8063d6b7c7161a2d844
SHA1 831d57856a016d35c83ff74dfd2c2297bf1b44d2
SHA256 6d1d0c5311ea67e313b8018e4f8180654de2788c62582bf61ad0760ee14f7c20
SHA512 105c8ead7c8069e3a685fbacc777488e9f6b98d4451e8d2fc9019a307c250a699e1a6a9ee517cabe8bbe18c219b159722e4dda03f886789134bd06779d667535

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f536c480373e2df50ffce8e1d067bdf6
SHA1 3c7b0b3721ca2599e6b16d39e7fece78e374230a
SHA256 89df89337a558aed7397e1f9ce370c23009804a47887571499764770277724f9
SHA512 6a137a18d4aef26e5b824a96c179ece739e1d06bb667b30919cd976e9b3a63fe9006dcc0109dbb6407023bbe74ac3354f9ebf90d337d09711409e3e6a965e986

C:\Users\Admin\AppData\Local\Temp\bagjsq.exe

MD5 5293cd34f1929a6aef0d11a71bed6384
SHA1 2c8799dacba9e2d7d3d906b135643746aea72efa
SHA256 ae00a9c7d4ac7331cf5281e36893cfad2bca070e3717417312651bf7ed8a4f1e
SHA512 965b1452805d8613ba682e9af3700aff3caa2e17f32f306e93cb0e7c3b29a6f373c387debe34cbab743d32454d67b37792e9003378d3786471cf74d11d2308ab

memory/4152-501-0x00000000006E0000-0x0000000000F1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NVIDIA Container.exe

MD5 531bf67134a7c1fb4096113ca58cc648
SHA1 99e0fc1fb7a07c0685e426b327921d3e6c34498c
SHA256 67942630366d114efa35f3f4a79741a4a4eb2c3b0c8ffaac07af527f84d4489a
SHA512 8facae8335a4f33f54e48c64814946eb8b480800b4453612fffcef64117946a35d493f433d4e27186ee864603da756319f816e70c3bfc08b8bb1861fc7030ff4

C:\Users\Admin\AppData\Local\Temp\Screamer_by_LuckyKazya.exe

MD5 3c3d1168fc2724c551837a505ea4374e
SHA1 86c913a12067fd2c1bbc31fb64a5b5d056175841
SHA256 f91c14c328544a2d4cc216c7c2115283806fa3201d40bd3c7c5d79dccd025b09
SHA512 0f181c9753a3f55e4f4a434ea3e972e00b46fb7319d95a4b7a5c7d09888537df4a8fc4c2c5e0232f96b441727e45a595eed42721ff8c7799302e4d3f13156a8e

memory/632-526-0x0000000000D60000-0x00000000014C0000-memory.dmp

memory/632-527-0x0000000006490000-0x0000000006A34000-memory.dmp

memory/632-528-0x0000000005EE0000-0x0000000005F72000-memory.dmp

memory/632-530-0x0000000005E70000-0x0000000005E7A000-memory.dmp

memory/1072-542-0x0000000000E10000-0x0000000000F7A000-memory.dmp

memory/1072-543-0x000000001BB70000-0x000000001BB8C000-memory.dmp

memory/1072-546-0x000000001BBB0000-0x000000001BBC0000-memory.dmp

memory/1072-545-0x000000001BB90000-0x000000001BBA6000-memory.dmp

memory/1072-544-0x000000001BBE0000-0x000000001BC30000-memory.dmp

memory/1072-547-0x000000001BBC0000-0x000000001BBCE000-memory.dmp

memory/1072-548-0x000000001BBD0000-0x000000001BBDE000-memory.dmp

memory/1072-549-0x000000001BC30000-0x000000001BC3C000-memory.dmp

C:\ProgramData\Package Cache\{9F51D16B-42E8-4A4A-8228-75045541A2AE}v56.64.8781\taskhostw.exe

MD5 4a591f46c87b49a7de93f5ac771cd4ab
SHA1 e0992350818e5c56d3f2e3a6db340d1f5b8f3314
SHA256 b495e22042b08f27b690da18986ec74d5054a65d05d5cf41fdecd5751482ccbd
SHA512 b498445d1e427853690250aebff35cbd7e28e85a89ad868e3483930b16ec13198357cfcd5feb45567b1bc8f3d9f97c5ecf2d242c8a5e9d758a536d0498ba7955

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a7cc007980e419d553568a106210549a
SHA1 c03099706b75071f36c3962fcc60a22f197711e0
SHA256 a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165
SHA512 b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666