dcrat | hxxp://excutor-solara[.]yzz[.]me/

Analysis

max time kernel
34s
max time network
54s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://excutor-solara.yzz.me/

Score

10^/10

dcrat orcus gamehack discovery execution infostealer rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

GameHack

31.44.184.52:25350

Mutex

sudo_06kkh814g4vz7sfklrh1emcow75dz383

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%appdata%\Windows\Defender\MpDefenderCoreProtion.exe
reconnect_delay
10000
registry_keyname
Sudik
taskscheduler_taskname
sudik
watchdog_path
AppData\aga.exe

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe	family_orcus

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5220	4400	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5392	4400	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	4400	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5436	4400	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	4400	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5432	4400	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5412	4400	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5496	4400	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5188	4400	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5676	4400	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5580	4400	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6032	4400	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5728	4400	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	4400	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5860	4400	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5792	4400	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5784	4400	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5824	4400	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5648	4400	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6096	4400	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6120	4400	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5148	4400	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	4400	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3776	4400	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5292	4400	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	4400	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	4400	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	4400	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	4400	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5480	4400	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6008	4400	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	4400	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	4400	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5444	4400	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5912	4400	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5448	4400	schtasks.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe	dcrat
behavioral1/memory/5956-312-0x000000001AD10000-0x000000001AE14000-memory.dmp	family_dcrat_v2
C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe	dcrat
behavioral1/memory/6068-338-0x0000000000800000-0x000000000095A000-memory.dmp	dcrat

Orcurs Rat Executable 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe	orcus
behavioral1/memory/5868-274-0x0000000000250000-0x000000000054E000-memory.dmp	orcus

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
5056	powershell.exe
1628	powershell.exe
3616	powershell.exe
5528	powershell.exe
5364	powershell.exe
5248	powershell.exe
5944	powershell.exe
4068	powershell.exe
5700	powershell.exe
5948	powershell.exe
6128	powershell.exe
6064	powershell.exe
5488	powershell.exe
832	powershell.exe
5080	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WinHelper32.exeGameHack.exeMpDefenderProtector.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WinHelper32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	GameHack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	MpDefenderProtector.exe

Drops startup file 1 IoCs

Processes:

javaw.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinHelper32.exe javaw.exe
Executes dropped EXE 6 IoCs

Processes:

Solara Excutor.exeWinHelper32.exeMpDefenderProtector.exeGameHack.exeSolara.exeMpDefenderCoreProtion.exe

pid process

4332 Solara Excutor.exe
5648 WinHelper32.exe
5868 MpDefenderProtector.exe
5912 GameHack.exe
5972 Solara.exe
5156 MpDefenderCoreProtion.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

38 raw.githubusercontent.com
39 raw.githubusercontent.com
53 raw.githubusercontent.com
54 raw.githubusercontent.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

MpDefenderCoreProtion.exe

description pid process target process

PID 5156 set thread context of 5500 5156 MpDefenderCoreProtion.exe installutil.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinHelper32.exe	javaw.exe

pid	process
4332	Solara Excutor.exe
5648	WinHelper32.exe
5868	MpDefenderProtector.exe
5912	GameHack.exe
5972	Solara.exe
5156	MpDefenderCoreProtion.exe

flow	ioc
38	raw.githubusercontent.com
39	raw.githubusercontent.com
53	raw.githubusercontent.com
54	raw.githubusercontent.com

description	pid	process	target process
PID 5156 set thread context of 5500	5156	MpDefenderCoreProtion.exe	installutil.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

GameHack.exeWScript.exeMpDefenderCoreProtion.exeinstallutil.exeSolara Excutor.exeWinHelper32.exeWScript.exeMpDefenderProtector.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GameHack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MpDefenderCoreProtion.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solara Excutor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinHelper32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MpDefenderProtector.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXE

pid process

5480 PING.EXE

pid	process
5480	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

Processes:

WinHelper32.exeGameHack.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	WinHelper32.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	GameHack.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

5480 PING.EXE

pid	process
5480	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
5392	schtasks.exe
4468	schtasks.exe
5412	schtasks.exe
5496	schtasks.exe
5676	schtasks.exe
4796	schtasks.exe
4876	schtasks.exe
2016	schtasks.exe
1300	schtasks.exe
5912	schtasks.exe
672	schtasks.exe
6032	schtasks.exe
5860	schtasks.exe
5480	schtasks.exe
6096	schtasks.exe
5148	schtasks.exe
5292	schtasks.exe
5436	schtasks.exe
5188	schtasks.exe
5728	schtasks.exe
996	schtasks.exe
5792	schtasks.exe
1476	schtasks.exe
6008	schtasks.exe
5444	schtasks.exe
5220	schtasks.exe
5824	schtasks.exe
5648	schtasks.exe
6120	schtasks.exe
1908	schtasks.exe
5784	schtasks.exe
5432	schtasks.exe
5580	schtasks.exe
3776	schtasks.exe
2092	schtasks.exe
5448	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exepowershell.exepowershell.exeMpDefenderProtector.exeMpDefenderCoreProtion.exeinstallutil.exe

pid	process
2500	msedge.exe
2500	msedge.exe
3476	msedge.exe
3476	msedge.exe
1176	identity_helper.exe
1176	identity_helper.exe
4684	msedge.exe
4684	msedge.exe
1628	powershell.exe
1628	powershell.exe
1628	powershell.exe
3616	powershell.exe
3616	powershell.exe
3616	powershell.exe
5868	MpDefenderProtector.exe
5868	MpDefenderProtector.exe
5156	MpDefenderCoreProtion.exe
5156	MpDefenderCoreProtion.exe
5156	MpDefenderCoreProtion.exe
5156	MpDefenderCoreProtion.exe
5156	MpDefenderCoreProtion.exe
5156	MpDefenderCoreProtion.exe
5156	MpDefenderCoreProtion.exe
5156	MpDefenderCoreProtion.exe
5156	MpDefenderCoreProtion.exe
5156	MpDefenderCoreProtion.exe
5156	MpDefenderCoreProtion.exe
5500	installutil.exe
5500	installutil.exe
5500	installutil.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

3476 msedge.exe
3476 msedge.exe
3476 msedge.exe
3476 msedge.exe
3476 msedge.exe
3476 msedge.exe
3476 msedge.exe
3476 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zFM.exepowershell.exepowershell.exeMpDefenderProtector.exeSolara.exewmic.exewmic.exe

description	pid	process
Token: SeRestorePrivilege	3640	7zFM.exe
Token: 35	3640	7zFM.exe
Token: SeSecurityPrivilege	3640	7zFM.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	3616	powershell.exe
Token: SeDebugPrivilege	5868	MpDefenderProtector.exe
Token: SeDebugPrivilege	5972	Solara.exe
Token: SeIncreaseQuotaPrivilege	5136	wmic.exe
Token: SeSecurityPrivilege	5136	wmic.exe
Token: SeTakeOwnershipPrivilege	5136	wmic.exe
Token: SeLoadDriverPrivilege	5136	wmic.exe
Token: SeSystemProfilePrivilege	5136	wmic.exe
Token: SeSystemtimePrivilege	5136	wmic.exe
Token: SeProfSingleProcessPrivilege	5136	wmic.exe
Token: SeIncBasePriorityPrivilege	5136	wmic.exe
Token: SeCreatePagefilePrivilege	5136	wmic.exe
Token: SeBackupPrivilege	5136	wmic.exe
Token: SeRestorePrivilege	5136	wmic.exe
Token: SeShutdownPrivilege	5136	wmic.exe
Token: SeDebugPrivilege	5136	wmic.exe
Token: SeSystemEnvironmentPrivilege	5136	wmic.exe
Token: SeRemoteShutdownPrivilege	5136	wmic.exe
Token: SeUndockPrivilege	5136	wmic.exe
Token: SeManageVolumePrivilege	5136	wmic.exe
Token: 33	5136	wmic.exe
Token: 34	5136	wmic.exe
Token: 35	5136	wmic.exe
Token: 36	5136	wmic.exe
Token: SeIncreaseQuotaPrivilege	5136	wmic.exe
Token: SeSecurityPrivilege	5136	wmic.exe
Token: SeTakeOwnershipPrivilege	5136	wmic.exe
Token: SeLoadDriverPrivilege	5136	wmic.exe
Token: SeSystemProfilePrivilege	5136	wmic.exe
Token: SeSystemtimePrivilege	5136	wmic.exe
Token: SeProfSingleProcessPrivilege	5136	wmic.exe
Token: SeIncBasePriorityPrivilege	5136	wmic.exe
Token: SeCreatePagefilePrivilege	5136	wmic.exe
Token: SeBackupPrivilege	5136	wmic.exe
Token: SeRestorePrivilege	5136	wmic.exe
Token: SeShutdownPrivilege	5136	wmic.exe
Token: SeDebugPrivilege	5136	wmic.exe
Token: SeSystemEnvironmentPrivilege	5136	wmic.exe
Token: SeRemoteShutdownPrivilege	5136	wmic.exe
Token: SeUndockPrivilege	5136	wmic.exe
Token: SeManageVolumePrivilege	5136	wmic.exe
Token: 33	5136	wmic.exe
Token: 34	5136	wmic.exe
Token: 35	5136	wmic.exe
Token: 36	5136	wmic.exe
Token: SeIncreaseQuotaPrivilege	5276	wmic.exe
Token: SeSecurityPrivilege	5276	wmic.exe
Token: SeTakeOwnershipPrivilege	5276	wmic.exe
Token: SeLoadDriverPrivilege	5276	wmic.exe
Token: SeSystemProfilePrivilege	5276	wmic.exe
Token: SeSystemtimePrivilege	5276	wmic.exe
Token: SeProfSingleProcessPrivilege	5276	wmic.exe
Token: SeIncBasePriorityPrivilege	5276	wmic.exe
Token: SeCreatePagefilePrivilege	5276	wmic.exe
Token: SeBackupPrivilege	5276	wmic.exe
Token: SeRestorePrivilege	5276	wmic.exe
Token: SeShutdownPrivilege	5276	wmic.exe
Token: SeDebugPrivilege	5276	wmic.exe
Token: SeSystemEnvironmentPrivilege	5276	wmic.exe
Token: SeRemoteShutdownPrivilege	5276	wmic.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

msedge.exe7zFM.exe

pid	process
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3640	7zFM.exe
3640	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe
3476	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

Solara Excutor.exejavaw.exeWinHelper32.exeGameHack.exe

pid process

4332 Solara Excutor.exe
4396 javaw.exe
5648 WinHelper32.exe
5912 GameHack.exe

pid	process
4332	Solara Excutor.exe
4396	javaw.exe
5648	WinHelper32.exe
5912	GameHack.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3476 wrote to memory of 2800	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 2800	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3020	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3020	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3020	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3020	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3020	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3020	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3020	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3020	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3020	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3020	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3020	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3020	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3020	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3020	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3020	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3020	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3020	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3020	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3020	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3020	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3020	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3020	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3020	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3020	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3020	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3020	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3020	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3020	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3020	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3020	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3020	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3020	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3020	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3020	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3020	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3020	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3020	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3020	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3020	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3020	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 2500	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 2500	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3612	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3612	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3612	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3612	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3612	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3612	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3612	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3612	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3612	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3612	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3612	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3612	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3612	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3612	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3612	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3612	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3612	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3612	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3612	3476	msedge.exe	msedge.exe
PID 3476 wrote to memory of 3612	3476	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://excutor-solara.yzz.me/
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffdc9046f8,0x7fffdc904708,0x7fffdc904718
  2⤵
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,17719797071600701021,10455555301024689125,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,17719797071600701021,10455555301024689125,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,17719797071600701021,10455555301024689125,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17719797071600701021,10455555301024689125,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17719797071600701021,10455555301024689125,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17719797071600701021,10455555301024689125,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
  2⤵
  PID:2684
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,17719797071600701021,10455555301024689125,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:8
  2⤵
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,17719797071600701021,10455555301024689125,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,17719797071600701021,10455555301024689125,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4752 /prefetch:8
  2⤵
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17719797071600701021,10455555301024689125,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
  2⤵
  PID:1308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,17719797071600701021,10455555301024689125,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17719797071600701021,10455555301024689125,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:3188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17719797071600701021,10455555301024689125,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:2000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17719797071600701021,10455555301024689125,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,17719797071600701021,10455555301024689125,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:944

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1240

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3480

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3544

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\SolaraLoader.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3640

C:\Users\Admin\Desktop\Solara Excutor\Solara Excutor.exe
"C:\Users\Admin\Desktop\Solara Excutor\Solara Excutor.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4332
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\Desktop\Solara Excutor\Solara Excutor.exe"
  2⤵
  - Drops startup file
  - Suspicious use of SetWindowsHookEx
  PID:4396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3616
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:SystemDrive) -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1628
- - C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinHelper32.exe
    C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinHelper32.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:5648
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\VaCm6yonii0zLXLvCqreXRVqw1.vbe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5812
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\DaJttDh54LCmoatNZvevDoWyEmexKWgun1WAXP2cdZM0egnWJQQpZtVxW.bat" "
        5⤵
        
        PID:5844
      - C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe
        
        "C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor/runtimesvc.exe"
        6⤵
        
        PID:5956
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gxixvpy4\gxixvpy4.cmdline"
        7⤵
        
        PID:5476
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES21EB.tmp" "c:\Recovery\WindowsRE\CSCC36EBE1FD669424CA5C810AD3A6EC24F.TMP"
        8⤵
        
        PID:5804
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nscjgaow\nscjgaow.cmdline"
        7⤵
        
        PID:2980
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2863.tmp" "c:\Windows\System32\CSCCD3C537142A40F0BA50F29F5882D942.TMP"
        8⤵
        
        PID:5612
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\containerRuntime.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5080
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\uninstall\fontdrvhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5948
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\RuntimeBroker.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5528
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\sihost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SKB\LanguageModels\smss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5700
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5488
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zQGAJ8LT1Z.bat"
        7⤵
        
        PID:1288
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3348
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5480
  - - C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe
      "C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5868
    - - C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
        
        "C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5156
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
        6⤵
        
        PID:5468
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
        6⤵
        
        PID:5476
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
        6⤵
        
        PID:5484
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
        6⤵
        
        PID:5496
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5500
  - - C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe
      "C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:5912
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\chainReviewdhcp\mJEJ7PbY35CMaAu5227dvHv.vbe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6108
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\chainReviewdhcp\LJrjU6BhAd6hMsY1uw5hl2I0p3Jh.bat" "
        6⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe
        
        "C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe"
        7⤵
        
        PID:6068
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\explorer.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6128
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\LocalService\Favorites\msedge.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4068
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\dllhost.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\RuntimeBroker.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5248
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5364
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gYxBGqXNwI.bat"
        8⤵
        
        PID:5632
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:5556
        
        C:\Recovery\WindowsRE\explorer.exe
        
        "C:\Recovery\WindowsRE\explorer.exe"
        9⤵
        
        PID:2896
        
        C:\Recovery\WindowsRE\explorer.exe.exe
        
        "C:\Recovery\WindowsRE\explorer.exe.exe"
        10⤵
        
        PID:2172
        
        C:\Recovery\WindowsRE\containerRuntime.exe
        
        "C:\Recovery\WindowsRE\containerRuntime.exe"
        10⤵
        
        PID:3300
  - - C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe
      "C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5972
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic diskdrive get model,serialnumber
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5136
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic path Win32_Keyboard get Description,DeviceID
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5276
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic path Win32_PointingDevice get Description,PNPDeviceID
        5⤵
        
        PID:5304
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic path Win32_PointingDevice get Description,PNPDeviceID
        5⤵
        
        PID:5200
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic path Win32_DesktopMonitor get Description,PNPDeviceID
        5⤵
        
        PID:5540
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic get name
        5⤵
        
        PID:2768

C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe
1⤵
PID:5456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerRuntimec" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\containerRuntime.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerRuntime" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\containerRuntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 7 /tr "'C:\Windows\ServiceProfiles\LocalService\Favorites\msedge.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\Favorites\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerRuntimec" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\containerRuntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 5 /tr "'C:\Windows\ServiceProfiles\LocalService\Favorites\msedge.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Windows\Prefetch\ReadyBoot\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\Prefetch\ReadyBoot\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\uninstall\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\uninstall\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\WindowsPowerShell\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\WindowsPowerShell\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\SKB\LanguageModels\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\SKB\LanguageModels\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimesvcr" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimesvc" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "runtimesvcr" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\explorer.exe

Filesize
4KB

MD5
6dcbf76ffb344518fd43a0ef29341fce

SHA1
26fbc122e618fd8be6a69921ed73d3d76efe54bc

SHA256
ac3626d68cbc5145c33fd357cb2d267db4b2e22d26ecc998f2356eb3410b8886

SHA512
4f81ce52ad4ed8d3d3403ca9fb533d3d19fc44312e8e417c9782ea57ce7344fc6fc1491d34e91d9dadd129894c08d07901384bdda3f530fce82ed41c477fa7ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MpDefenderCoreProtion.exe.log

Filesize
1KB

MD5
663b8d5469caa4489d463aa9bc18124f

SHA1
e57123a7d969115853ea631a3b33826335025d28

SHA256
7b4fa505452f0b8ac74bb31f5a03b13342836318018fb18d224ae2ff11b1a7e8

SHA512
45e373295125a629fcc0b19609608d969c9106514918bfac5d6b8e340e407434577b825741b8fa6a043c8f3f5c1a030ba8857da5f4e8ef15a551ce3c5fe03b55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
be9d601348c62ca55eb374b508817e88

SHA1
e254d91eed6e0e2c78d4aabc6f7adba1f51839ac

SHA256
156b10ed19d949a28739fa09dfbb6aa505cbe6d3fb3e75bdf7ad0bdc855ade12

SHA512
13825229e694ded72a46edd38f5fbf79433a4e670b8daf5120c16cf533f1fc3f65083b0ff9b5eab77913a7a777a74cc81e20007735550dc3bbbbc039c198e7cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
1f3211442ebcada5dddba28363750395

SHA1
561dd1dd30891fa30467b7838217718fc53ca685

SHA256
788725ad9e0969f1c12aa33c08e4b47b3d835af402d4a5ff5b568acf5c08e903

SHA512
200be76bff556a22793e77d6e023f39a7e2b32538eb554223ca9e33489484b4e856cbc5f1539257ae24dc441d7fd06eef0fdf214370e6043ef208c5b2ee92bae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9667e45b8689f21e82b89d8507000896

SHA1
b9caf7a9415b333b10d26a66c23c0f662f16d3c7

SHA256
befff11550c92d35e0750808e0737456cf08cb3dfe09a5fd78de882e850728ef

SHA512
5d1c0fee9f000ad907df7434ded99c385bec5fccc62c4e363a99cc2af3707f2d9df1c37b55babe3fe38d6fb52e4c02e443952e7ca32788f3eff7921c1ae1523e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
94e26ce1f1361b66461f01c81e52121c

SHA1
42e3897f1fab01bfdae341554cd6a2a4f49e06b6

SHA256
b2a8131dc360a4ccb545a5e14c139129fa78b71cfcf44b16bd58b43909905974

SHA512
cc2d8b2d3c897e6cbcfaf1e2d0ce6579d97551f6079b6ddb98e79417d425e064b15c0d5ac99f06792b937e0cf12e3f85fd224e38d8835404c39641e87abd209f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a8a7cb2b050a5e6dd4a62317ef2b5142

SHA1
b79a84362f32984a1eb764a396e9209a266952c7

SHA256
b6a5754300744322208bcd590f0849dee91075fc33d1ca9c41670a4207f1ee87

SHA512
52fe1cb894c91b19d2c83bbe812703eb705d13da3cb6848648298a597dba6195542678bbb0970ac00421500851463306bfef4bf87601ee57530ec671f0455dc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
73b6187f5b626089a768a2390fd8f58e

SHA1
a861d26aa7bf5925cd23a436ac63f573c67c7407

SHA256
5b2e1ff0f9d702a759710da49b9ea2b6b2a17d12ee499803af1ae30ac1dbe4ca

SHA512
b23fde824197db0a4fd54cff7fc9285851255541f9dd076376e46cf322911c2e135e21e48ce17ea70cb01c9ad254bce3e772b7265214c6a6d6a0771dddad26eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4a629fe00abc36b905a30d15e4297421

SHA1
abba221e09170dc113c982ea0c92c355920a4c6b

SHA256
3edc81371394c9daa11807e1e5f6433b949b9525aae4d6f92fe74dd5f8f30ad4

SHA512
7644d04911f7822d997821ae62ee97734692643726f6c19f68a2d4b816ed3433415603445e5f966b286f71850ae6d66959b58cbc04866600e482caab9a4e3c3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6c23c24fc266ef9b16ffcdccef1e2a0f

SHA1
232aaaffc737023b5baa249012dd687997272887

SHA256
5cd9f09e283da9cbbb2540895c6c67246cc2f8a4a787d71a5cc88cbf2145bb3d

SHA512
dfda6a3862081277c6dd7ae8ba102defa13d715dec1ab1e8b11643246edd171b6e2580173359f70c0f3867f2b2e88572e5837f1b95bd098dee3b331717efc67c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
995b3f155017b2155615b5e7cefd2450

SHA1
209fb1d1c01c91591b5cd8771160e99f1e1f6ef7

SHA256
d52a48041724b19b0d6eb70de298e9c75ce21a6fc7b0ce774fec9ebfd1ef6568

SHA512
3a4b574177ad0383df045452d42a87afadbf0a9984360d48b245d1473701e35f47afeca4e4483a63b6bea6a6926b4c133e7ceabb434b4093cc0dd4b18f4f9200

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES21EB.tmp

Filesize
1KB

MD5
2fcfd4b7fdfd42f944fb7a09ae905517

SHA1
7660c8dd10d593583be7b75ffb199b0848f0cea7

SHA256
04730fb718f20da4c214c8fe04c03675b3cb85d119f7c93028d3b74edb07a68a

SHA512
905ddd12793e71092b492de31c808df60d0da4c95d017be39d9d5990e096c10764ca9a1882960a33e5de94da5d26192522b28e265e50c1ede3bd3c031f855f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2863.tmp

Filesize
1KB

MD5
c1d7aaca9f16707459b4439692a477b0

SHA1
f8583ed5acbeb2c6a5d3b541124e79da828d3cb2

SHA256
fe567974cbd03ea2af2e2c678ece0e1edf8aca5a7411476dea69c644088a17f7

SHA512
75e826319b5695bfade47615b408a44901df80fad7ea044cb568a3bf0fe6616704983cb90585b75743bf201b4fedf5ec4817b5c376618bc9b58c0cda87b1e748

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0bify1x1.pya.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYxBGqXNwI.bat

Filesize
199B

MD5
1a3cfa137ffe1009d79c50a11601165c

SHA1
71e07cfb2c5e271084c68f23ac70c45af066980c

SHA256
e1045a94beb1f5cdcdbe75aee6af669e5d12831d12d7afee2c2e5abd37400e59

SHA512
d012286ad4d660db291eecc81254e43bcbdd3c349b216f7cb3312adbafb86f3c1cd24bf80b6ce24428853fb5236fbf8ef233cf3e07b6fc2231e64f3fb4993621

Download Submit
C:\Users\Admin\AppData\Local\Temp\zQGAJ8LT1Z.bat

Filesize
166B

MD5
1aeafebb8d70e09eddf91bf9c146778f

SHA1
4a5d03c9511c3b8af4922cc753c2080ce6b828d8

SHA256
b8f096fd1588eb3fee1415846bbb9c0dd6d8c59dfb318d919082e6b3edd259c8

SHA512
6754b8ca38711e6a6bee729e46c965eb9e34dd4aa60bcb2a5669699649f86764497acc56a1056093d586f8ee57bf1df139a40ad2638312bf6f31788684b1d28b

Download Submit
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\DaJttDh54LCmoatNZvevDoWyEmexKWgun1WAXP2cdZM0egnWJQQpZtVxW.bat

Filesize
104B

MD5
fbef3b76368e503dca520965bb79565f

SHA1
9a1a27526b8b9bdaae81c5301cd23eb613ea62ba

SHA256
bcb2af67a4ea1e6aa341cf3141941dbe7b17f1911e7f20aba46552571f99c9f3

SHA512
2b99bc9a945b6d9a2c0d3206dce9221eb7f4a2040c5096909d60c3278254c52b39a28dd18dd4e005eff0ebd7e7cba6dd3a6a94ea8a7d7598da3001da174db3f5

Download Submit
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\GameHack.exe

Filesize
1.6MB

MD5
bc7804fca6dd09b4f16e86d80b8d28fa

SHA1
a04800b90db1f435dd1ac723c054b14d6dd16c8a

SHA256
1628864ab0bafe8afea2ad70956b653550dab3db7c4cdf6f405e93a6c2441dce

SHA512
7534ac0a215f02af85bdf2b414e23face0570943f8820e7bfe97ea274ccd1a01618556e93b7465c2d9fbb0bcde5e97fab9e9b6bddd366554277ef308cde3a83c

Download Submit
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\MpDefenderProtector.exe

Filesize
3.0MB

MD5
10e817a4d5e216279a8de8ed71c91044

SHA1
97c6fb42791be24d12bd74819ef67fa8f3d21724

SHA256
c60f74f6e164049e683a5f01b8cfea24aa85cbf6c7b31b765cbad16d8ab0d7b2

SHA512
34421a517f5f1909afd694d24e22cafad9930725df964ba9c80666e9f0f2dcfdd2a254dcf6699e5797296ec3ae611593563779df05e3a617c7f8679a154dfd37

Download Submit
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\Solara.exe

Filesize
4.6MB

MD5
e8c32cc88db9fef57fd9e2bb6d20f70b

SHA1
e732b91cd8ac16fa4ce8ad9e639bf21d69f6bb45

SHA256
f787ce198538b1c0b2bfce8ce5297e34152cf6deebe559df6887f65c72a081a4

SHA512
077307d42438f2b72d62ce9e35c67c09e1375c2e203e6d6d455c6c8861c6442b3d82f1345b6c76940f5e8015fe93491158a59b102fabd139c742d75c2c42ba7a

Download Submit
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\VaCm6yonii0zLXLvCqreXRVqw1.vbe

Filesize
263B

MD5
a05e26d89c5be7e2c6408b09cd05cf74

SHA1
c24231c6301f499b35441615b63db6969a1762fd

SHA256
05628dfff22e15b219a711cf52a2c87521170853979f00fcd014cf164656418e

SHA512
8c8733f12dd71cfafd2edbfad487279d6ed971eb119b1cde92a905f4658a9b090f831f42ef2228a4f6c64071a1f54fb74708438b4361e317e36016897577913d

Download Submit
C:\Users\Admin\AppData\Roaming\WinRuntimePerfMonitor\runtimesvc.exe

Filesize
556KB

MD5
00c4245522082b7f87721f9a26e96ba4

SHA1
993a8aa88436b6c62b74bb399c09b8d45d9fb85b

SHA256
a728f531427d89c5b7691f989e886df57d46f90d934448e6dabf29d64d0662bf

SHA512
fdd8d2444b28883face793f6ea77913c2096a425e6101202536ea001c3df5e76a60a01673ee7a52eae827a12299b2727002895395315db190ec82ae11a68559f

Download Submit
C:\Users\Admin\AppData\Roaming\WinSFXConnectDevicesPlatform\WinHelper32.exe

Filesize
9.0MB

MD5
35a0fbec2fc6d2a550a569719406d58d

SHA1
bc73001a0600313803d3594dc51d3d0813dbdec1

SHA256
221ec8caee4804b4c9e4ced2e1f03be897bc1993d7898b2bdc00f90a093eb87d

SHA512
2f4d71eaa62dded749f82660fd7ee90da422048459d63faa79f518c3c10b7343c482e95cf81cea6bfb4710ef07f53d2d7f835dd3f191029da38da2e9a7beb00f

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\Defender\MpDefenderCoreProtion.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Roaming\chainReviewdhcp\LJrjU6BhAd6hMsY1uw5hl2I0p3Jh.bat

Filesize
48B

MD5
2fa8decc3dafe6f196f6c28769192e7c

SHA1
69f4e0cf41b927634a38b77a8816ca58c0bfb2de

SHA256
7e40eb542d164397c0bf17a47c8f0db79e7028299e9f180d38505220fd2cfb30

SHA512
c9fb6c2ac2441ff14673ccaa3f1d5e703356c093353992d302d34df6c9e26a85aba6760c3b98f0cd0ada45183c55b2e5cabc09978ca084077dd71743ca9fdbc1

Download Submit
C:\Users\Admin\AppData\Roaming\chainReviewdhcp\containerRuntime.exe

Filesize
1.3MB

MD5
52c95032ff8b8c3d4dfd98e51d8f6f58

SHA1
e841a32cb07adaad4db35b1f87b5df6e019eb9af

SHA256
39b35293e7efaa4cb94028e59872013bef4065788fef9fe3cd3206a8aee711e4

SHA512
a1177740ffbb476fb11f8112d98cabe3012ee3d54f2f848bb22ea99b53bd3526bf59065951fb6ef29f29408ab2fd90c942de65fe16d66a098abce8ba5d7d4e00

Download Submit
C:\Users\Admin\AppData\Roaming\chainReviewdhcp\mJEJ7PbY35CMaAu5227dvHv.vbe

Filesize
227B

MD5
d47062c8738a534fc931c0f341a61773

SHA1
c1175037a0e96363da56bc9d8abdb726cddc74fc

SHA256
484cc22b88e1eaae619f948e96812ebf70275f9e6408e2e3dbd8af827ac5199a

SHA512
9de6dcf7944ec9f2ff44c8fdbe562a6755c2af9800028b01fb0969921e6ef969c1ecc6e2ab129f191ac5feeaa9aa30cf436489dfee8e94433d6678a9942ffe39

Download Submit
C:\Users\Admin\Desktop\Solara Excutor\Solara Excutor.exe

Filesize
116KB

MD5
1f3ae6c55fca3d5355b91f623566e754

SHA1
388820cb8e764584a33f54ba6328b7fffafd94f8

SHA256
888fe046f0dacd3104944d0da2582758f12f11695c305950dc73bdb648e09888

SHA512
31a5294e78ffa2b4a62276d1d4d35af85bc1459e1a0096ed7ee0fb1795b4a0813fc979c70f843d2b35015e7b71377503187f9f6e3350d670abfee9c1c1fe40b3

Download Submit
C:\Users\Admin\Downloads\SolaraLoader.rar

Filesize
2.0MB

MD5
6fc58ccb646f44fc23b62d7faa4d6a81

SHA1
dbcdbd2f3c172afef7249f636821f7dd1d5e33d4

SHA256
a9cd69e668e464f8b1c92228fd82c1dbe4bb474d74bd18a48766a7a7ab80f8e3

SHA512
dd52d7eef56b7d303ef558889c9dcd4fef688c5779ad61139df962d5df2b2b8b3cdba1ec4f43cd3ec0e2a7657a28071b4ab34daf511116bf0f6a332f97c48413

Download Submit
\??\c:\Recovery\WindowsRE\CSCC36EBE1FD669424CA5C810AD3A6EC24F.TMP

Filesize
1KB

MD5
24ddc362e8473a13bb30f177c6ea6a64

SHA1
1ed07e313ff2c661adcfd0972d87f30abed92919

SHA256
11079c0a166ad0def6a6296df3a834dd5ab35b2cec50dcc70437178de250400d

SHA512
2889f83edbdcd874931f4f271c459c287df2e2bc45414117577b40ac4160dce11c0f10cb455b29f6cd26ffa9e693a7c9b05293e7e33d736ac5231e459f9c6bf3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gxixvpy4\gxixvpy4.0.cs

Filesize
378B

MD5
af69c79e60788b97672fdc22c4dc9595

SHA1
7c9752df97eef84e2c73c7e9a9739fc075a6d032

SHA256
3fb94d0866f4bb2b6fac434a3fa39314ad272fb7ac939a82782d0ceea276ab13

SHA512
f86a974cde9b7015072546582e16c2a64e1f5d9a4e9fb02825a44db71507840f2b84303c1590e531d7859123f96e81945d87bf143c01a10899907ee75904b2f9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gxixvpy4\gxixvpy4.cmdline

Filesize
239B

MD5
0758949513885de89c3ff941536edfd1

SHA1
0035067788a5ba73534576ec06ecb36fd1fc2fb6

SHA256
0cc5cbd9e6ec917e326b7645d3467eb7d82f51e6f65033bf81301b2f11847c1e

SHA512
d0b4b8d0c38f5d8c6e0659d62fb696fe4c59852da32b6045a9a59f006d8039309a1318b974100af887ea9e40dcf87ca95902a5d9552592c27a2f28b6f0d1b482

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nscjgaow\nscjgaow.0.cs

Filesize
374B

MD5
44b5cbc9aceda9eb449f2935982dbde9

SHA1
e4504cd96a70f475b06ef7878a43b2051c906c09

SHA256
eb6eac94f1a1f3d64ee505e75477f3bf059b590ad9c9dac4f9a6cc4dedf7050c

SHA512
3f7d8d4c7c6c98fe23e13510c274f5449eb19db53a8d1ace3e4672f640eb98c850b4d2ff865b41be26df57ca91154dc64640c21a19dc446da68cbe2ef5f1832e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nscjgaow\nscjgaow.cmdline

Filesize
235B

MD5
f94b4d8811177e40b4e770be147753d6

SHA1
61c9eff8386dd62cdbf166f048082fdd8ac80699

SHA256
3645fd798633448d671fe124ed9600a10900afe438ad2361df1dba43c6df690b

SHA512
3dc9b3a9abdc315c2cc26ee5a2d7440c09558f465c29678e603fde09d093de78b85df8a2086b31294326eb7250dcf92e3eacc83d0d1c42c55e4cc783e12dadc7

Download Submit
\??\c:\Windows\System32\CSCCD3C537142A40F0BA50F29F5882D942.TMP

Filesize
1KB

MD5
634e281a00b7b9f516c3048badfa1530

SHA1
af6369715ce2fe9b99609e470d4f66698880a35a

SHA256
0d990336ae793f3f6903048004c8d707d7a7191927bd7df46b7fe887116506c8

SHA512
1cb35fa0759f5362c9c7eee5546710874121005a3924bcfec2cf33ac90a257a807ce7ec0db7bc84dcb327604d708009449c34f52560ed936b54eeba49be7d27b

Download Submit
\??\pipe\LOCAL\crashpad_3476_QIFRKGZCZLLSMHKR

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1628-151-0x000001EFEE060000-0x000001EFEE082000-memory.dmp

Filesize
136KB

Download
memory/2896-552-0x00000000003D0000-0x00000000003D8000-memory.dmp

Filesize
32KB

Download
memory/2980-443-0x000001F714DA0000-0x000001F715861000-memory.dmp

Filesize
10.8MB

Download
memory/4332-271-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4396-263-0x0000022B66490000-0x0000022B66491000-memory.dmp

Filesize
4KB

Download
memory/4396-224-0x0000022B66490000-0x0000022B66491000-memory.dmp

Filesize
4KB

Download
memory/4396-203-0x0000022B66490000-0x0000022B66491000-memory.dmp

Filesize
4KB

Download
memory/4396-170-0x0000022B66490000-0x0000022B66491000-memory.dmp

Filesize
4KB

Download
memory/5156-298-0x0000000005FC0000-0x000000000605C000-memory.dmp

Filesize
624KB

Download
memory/5156-297-0x0000000005660000-0x00000000056AE000-memory.dmp

Filesize
312KB

Download
memory/5156-296-0x0000000005020000-0x0000000005032000-memory.dmp

Filesize
72KB

Download
memory/5476-384-0x000001A0B5B90000-0x000001A0B6651000-memory.dmp

Filesize
10.8MB

Download
memory/5500-368-0x00000000072D0000-0x000000000731C000-memory.dmp

Filesize
304KB

Download
memory/5500-362-0x0000000007820000-0x0000000007E38000-memory.dmp

Filesize
6.1MB

Download
memory/5500-371-0x0000000007460000-0x000000000756A000-memory.dmp

Filesize
1.0MB

Download
memory/5500-381-0x0000000007440000-0x000000000744E000-memory.dmp

Filesize
56KB

Download
memory/5500-363-0x0000000007230000-0x0000000007242000-memory.dmp

Filesize
72KB

Download
memory/5500-367-0x0000000007290000-0x00000000072CC000-memory.dmp

Filesize
240KB

Download
memory/5500-378-0x0000000007E40000-0x0000000008002000-memory.dmp

Filesize
1.8MB

Download
memory/5500-387-0x0000000008260000-0x00000000082B0000-memory.dmp

Filesize
320KB

Download
memory/5500-301-0x0000000005D40000-0x0000000005D58000-memory.dmp

Filesize
96KB

Download
memory/5500-303-0x0000000005DE0000-0x0000000005DF0000-memory.dmp

Filesize
64KB

Download
memory/5500-304-0x0000000006A00000-0x0000000006A0A000-memory.dmp

Filesize
40KB

Download
memory/5500-306-0x0000000007190000-0x00000000071F6000-memory.dmp

Filesize
408KB

Download
memory/5868-280-0x00000000051B0000-0x00000000051C2000-memory.dmp

Filesize
72KB

Download
memory/5868-276-0x0000000002A10000-0x0000000002A1E000-memory.dmp

Filesize
56KB

Download
memory/5868-279-0x00000000052B0000-0x0000000005342000-memory.dmp

Filesize
584KB

Download
memory/5868-278-0x0000000005860000-0x0000000005E04000-memory.dmp

Filesize
5.6MB

Download
memory/5868-277-0x0000000005100000-0x000000000515C000-memory.dmp

Filesize
368KB

Download
memory/5868-274-0x0000000000250000-0x000000000054E000-memory.dmp

Filesize
3.0MB

Download
memory/5956-317-0x00000000023C0000-0x0000000002410000-memory.dmp

Filesize
320KB

Download
memory/5956-334-0x000000001AE10000-0x000000001AE1C000-memory.dmp

Filesize
48KB

Download
memory/5956-316-0x0000000000970000-0x000000000098C000-memory.dmp

Filesize
112KB

Download
memory/5956-319-0x0000000000990000-0x00000000009A8000-memory.dmp

Filesize
96KB

Download
memory/5956-321-0x0000000000930000-0x000000000093E000-memory.dmp

Filesize
56KB

Download
memory/5956-314-0x0000000000920000-0x000000000092E000-memory.dmp

Filesize
56KB

Download
memory/5956-312-0x000000001AD10000-0x000000001AE14000-memory.dmp

Filesize
1.0MB

Download
memory/5956-328-0x00000000009B0000-0x00000000009BC000-memory.dmp

Filesize
48KB

Download
memory/5956-311-0x0000000000160000-0x0000000000168000-memory.dmp

Filesize
32KB

Download
memory/5956-330-0x00000000023B0000-0x00000000023BC000-memory.dmp

Filesize
48KB

Download
memory/5956-332-0x0000000002420000-0x000000000242E000-memory.dmp

Filesize
56KB

Download
memory/5956-326-0x0000000000960000-0x000000000096E000-memory.dmp

Filesize
56KB

Download
memory/5956-323-0x0000000000950000-0x000000000095C000-memory.dmp

Filesize
48KB

Download
memory/5972-473-0x0000000000400000-0x0000000000DF4000-memory.dmp

Filesize
10.0MB

Download
memory/5972-487-0x0000000000400000-0x0000000000DF4000-memory.dmp

Filesize
10.0MB

Download
memory/5972-264-0x0000000000400000-0x0000000000DF4000-memory.dmp

Filesize
10.0MB

Download
memory/6068-338-0x0000000000800000-0x000000000095A000-memory.dmp

Filesize
1.4MB

Download
memory/6068-350-0x0000000001120000-0x000000000113C000-memory.dmp

Filesize
112KB

Download
memory/6068-351-0x0000000002AA0000-0x0000000002AB6000-memory.dmp

Filesize
88KB

Download
memory/6068-352-0x00000000011A0000-0x00000000011B0000-memory.dmp

Filesize
64KB

Download
memory/6068-354-0x0000000002AD0000-0x0000000002ADC000-memory.dmp

Filesize
48KB

Download
memory/6068-353-0x0000000002AC0000-0x0000000002ACE000-memory.dmp

Filesize
56KB

Download