dcrat | 1e1551129f56f0f52da5a7ba675eb1aacc8f0ca28118354d3d14f0ac50362b1c

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BootstrapperV1.19.exe
Size

3.1MB
MD5

c9d720a4200df5064f655adc3656056f
SHA1

0dc179cfc3cf564ea1e9c85e012ac9bda3b40464
SHA256

9cd19cf01e1d8c64caa0dffcd07dfb3304fc7257a1c468c0f3d4df1ad696319f
SHA512

f0628313d0bccdd94795d649f1f6eda194b97fe991fb1755d9525cf944b310569a6dc0a155caf17dc4e49fda4c5eaf42063443bb67abc19a079f934570136852
SSDEEP

49152:ivotkNjg/lhqZvGyBJa+U5kzXDFrO0iTb0bzveEX99h:i5ZvGko+U8XBgseE5

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	1716	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	1716	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	1716	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	1716	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	1716	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	1716	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	1716	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	1716	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	1716	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	1716	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	1716	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	1716	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	1716	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	1716	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	1716	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	1716	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	1716	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	1716	schtasks.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1688	powershell.exe
2808	powershell.exe
1736	powershell.exe
1972	powershell.exe
1864	powershell.exe
2232	powershell.exe
916	powershell.exe
900	powershell.exe
1820	powershell.exe
2712	powershell.exe
568	powershell.exe
1016	powershell.exe
1728	powershell.exe
2060	powershell.exe
932	powershell.exe
1032	powershell.exe
2364	powershell.exe
1656	powershell.exe

Executes dropped EXE 12 IoCs

Processes:

Solaraexecutor.exePerfNET.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
2188	Solaraexecutor.exe
2724	PerfNET.exe
2060	spoolsv.exe
980	spoolsv.exe
1792	spoolsv.exe
1940	spoolsv.exe
2552	spoolsv.exe
1900	spoolsv.exe
2196	spoolsv.exe
1508	spoolsv.exe
444	spoolsv.exe
2512	spoolsv.exe

Loads dropped DLL 3 IoCs

Processes:

BootstrapperV1.19.execmd.exe

pid process

1392 BootstrapperV1.19.exe
2896 cmd.exe
2896 cmd.exe

pid	process
1392	BootstrapperV1.19.exe
2896	cmd.exe
2896	cmd.exe

Drops file in Program Files directory 5 IoCs

Processes:

PerfNET.exe

description	ioc	process
File created	C:\Program Files\Uninstall Information\System.exe	PerfNET.exe
File opened for modification	C:\Program Files\Uninstall Information\System.exe	PerfNET.exe
File created	C:\Program Files\Uninstall Information\27d1bcfc3c54e0	PerfNET.exe
File created	C:\Program Files\Windows Sidebar\en-US\spoolsv.exe	PerfNET.exe
File created	C:\Program Files\Windows Sidebar\en-US\f3b6ecef712a24	PerfNET.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

BootstrapperV1.19.exeSolaraexecutor.exeWScript.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperV1.19.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solaraexecutor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs
Adversaries may check for Internet connectivity on compromised systems.
discovery

Internet Connection Discovery
T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

2632 PING.EXE
2872 PING.EXE
2556 PING.EXE
1968 PING.EXE
3068 PING.EXE
2716 PING.EXE
Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid process

2716 PING.EXE
2632 PING.EXE
2872 PING.EXE
2556 PING.EXE
1968 PING.EXE
3068 PING.EXE

pid	process
2632	PING.EXE
2872	PING.EXE
2556	PING.EXE
1968	PING.EXE
3068	PING.EXE
2716	PING.EXE

pid	process
2716	PING.EXE
2632	PING.EXE
2872	PING.EXE
2556	PING.EXE
1968	PING.EXE
3068	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
1964	schtasks.exe
944	schtasks.exe
2404	schtasks.exe
1620	schtasks.exe
2144	schtasks.exe
1984	schtasks.exe
2124	schtasks.exe
1488	schtasks.exe
544	schtasks.exe
1764	schtasks.exe
408	schtasks.exe
2400	schtasks.exe
1384	schtasks.exe
1092	schtasks.exe
2440	schtasks.exe
2880	schtasks.exe
2892	schtasks.exe
3004	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

PerfNET.exe

pid	process
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe
2724	PerfNET.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

PerfNET.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process
Token: SeDebugPrivilege	2724	PerfNET.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	932	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	916	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	900	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	1016	powershell.exe
Token: SeDebugPrivilege	2060	spoolsv.exe
Token: SeDebugPrivilege	980	spoolsv.exe
Token: SeDebugPrivilege	1792	spoolsv.exe
Token: SeDebugPrivilege	1940	spoolsv.exe
Token: SeDebugPrivilege	2552	spoolsv.exe
Token: SeDebugPrivilege	1900	spoolsv.exe
Token: SeDebugPrivilege	2196	spoolsv.exe
Token: SeDebugPrivilege	1508	spoolsv.exe
Token: SeDebugPrivilege	444	spoolsv.exe
Token: SeDebugPrivilege	2512	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

BootstrapperV1.19.exeSolaraexecutor.exeWScript.execmd.exePerfNET.exe

description	pid	process	target process
PID 1392 wrote to memory of 2188	1392	BootstrapperV1.19.exe	Solaraexecutor.exe
PID 1392 wrote to memory of 2188	1392	BootstrapperV1.19.exe	Solaraexecutor.exe
PID 1392 wrote to memory of 2188	1392	BootstrapperV1.19.exe	Solaraexecutor.exe
PID 1392 wrote to memory of 2188	1392	BootstrapperV1.19.exe	Solaraexecutor.exe
PID 2188 wrote to memory of 2900	2188	Solaraexecutor.exe	WScript.exe
PID 2188 wrote to memory of 2900	2188	Solaraexecutor.exe	WScript.exe
PID 2188 wrote to memory of 2900	2188	Solaraexecutor.exe	WScript.exe
PID 2188 wrote to memory of 2900	2188	Solaraexecutor.exe	WScript.exe
PID 2900 wrote to memory of 2896	2900	WScript.exe	cmd.exe
PID 2900 wrote to memory of 2896	2900	WScript.exe	cmd.exe
PID 2900 wrote to memory of 2896	2900	WScript.exe	cmd.exe
PID 2900 wrote to memory of 2896	2900	WScript.exe	cmd.exe
PID 2896 wrote to memory of 2724	2896	cmd.exe	PerfNET.exe
PID 2896 wrote to memory of 2724	2896	cmd.exe	PerfNET.exe
PID 2896 wrote to memory of 2724	2896	cmd.exe	PerfNET.exe
PID 2896 wrote to memory of 2724	2896	cmd.exe	PerfNET.exe
PID 2724 wrote to memory of 2060	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 2060	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 2060	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 1864	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 1864	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 1864	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 1656	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 1656	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 1656	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 1972	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 1972	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 1972	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 2364	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 2364	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 2364	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 1736	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 1736	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 1736	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 1728	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 1728	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 1728	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 900	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 900	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 900	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 916	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 916	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 916	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 1016	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 1016	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 1016	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 1032	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 1032	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 1032	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 568	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 568	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 568	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 932	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 932	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 932	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 2712	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 2712	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 2712	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 2808	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 2808	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 2808	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 1688	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 1688	2724	PerfNET.exe	powershell.exe
PID 2724 wrote to memory of 1688	2724	PerfNET.exe	powershell.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.19.exe
"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.19.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Users\Admin\AppData\Local\Temp\Solaraexecutor.exe
  "C:\Users\Admin\AppData\Local\Temp\Solaraexecutor.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\5gB39wu8IXigNc9ZhKusMAzQLCwBZT1eKBOl5LOAKM0nqJLoLFIRPlM05a.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\5sOqbfN.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe
        
        "C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet/PerfNET.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2724
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:900
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:916
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1016
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\winlogon.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:932
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\smss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\en-US\spoolsv.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\System.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kwXArSsp9z.bat"
        6⤵
        
        PID:2172
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1488
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2632
        
        C:\Program Files\Windows Sidebar\en-US\spoolsv.exe
        
        "C:\Program Files\Windows Sidebar\en-US\spoolsv.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VdpP4GbADJ.bat"
        8⤵
        
        PID:1696
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1408
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2872
        
        C:\Program Files\Windows Sidebar\en-US\spoolsv.exe
        
        "C:\Program Files\Windows Sidebar\en-US\spoolsv.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fGOYhFobNz.bat"
        10⤵
        
        PID:2696
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2612
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2556
        
        C:\Program Files\Windows Sidebar\en-US\spoolsv.exe
        
        "C:\Program Files\Windows Sidebar\en-US\spoolsv.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\O9J2Ud69mI.bat"
        12⤵
        
        PID:1584
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1500
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1968
        
        C:\Program Files\Windows Sidebar\en-US\spoolsv.exe
        
        "C:\Program Files\Windows Sidebar\en-US\spoolsv.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8H3eknNYNX.bat"
        14⤵
        
        PID:1984
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1812
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2408
        
        C:\Program Files\Windows Sidebar\en-US\spoolsv.exe
        
        "C:\Program Files\Windows Sidebar\en-US\spoolsv.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rC9RFMHLq8.bat"
        16⤵
        
        PID:2428
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2880
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:884
        
        C:\Program Files\Windows Sidebar\en-US\spoolsv.exe
        
        "C:\Program Files\Windows Sidebar\en-US\spoolsv.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5L6QW14j7D.bat"
        18⤵
        
        PID:756
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:3052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2056
        
        C:\Program Files\Windows Sidebar\en-US\spoolsv.exe
        
        "C:\Program Files\Windows Sidebar\en-US\spoolsv.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DDMAhpLx8D.bat"
        20⤵
        
        PID:1868
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:3000
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3068
        
        C:\Program Files\Windows Sidebar\en-US\spoolsv.exe
        
        "C:\Program Files\Windows Sidebar\en-US\spoolsv.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MGTgtuIFSm.bat"
        22⤵
        
        PID:860
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2856
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2716
        
        C:\Program Files\Windows Sidebar\en-US\spoolsv.exe
        
        "C:\Program Files\Windows Sidebar\en-US\spoolsv.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:444
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kGGfKLKuQA.bat"
        24⤵
        
        PID:2564
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2292
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2080
        
        C:\Program Files\Windows Sidebar\en-US\spoolsv.exe
        
        "C:\Program Files\Windows Sidebar\en-US\spoolsv.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\en-US\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PerfNETP" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PerfNET" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PerfNETP" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5L6QW14j7D.bat

Filesize
226B

MD5
73224ac1dac35221a0bd31a13640a872

SHA1
b9016a4ff5ca66d7c7d8a586f98297117e6792fa

SHA256
1fa93ea349986c5d9884e9531d2694bb60e9d2e42886e03115db404c7751f61a

SHA512
be0093c8965063dc6d815cc773f91f633f21911b0c41c33cd89fb37e3f3147a63a04d0d93a5ff35153b962a45b4d6001c7bdd0f8586a561c089f8df69d11695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8H3eknNYNX.bat

Filesize
226B

MD5
182e30e393d394fd93442eaf0842fc96

SHA1
e8079905aec6770a01e2f54541a66219e3600b0d

SHA256
d7fcaa737bc0ac17ecb3ec0dce927e5f01eac96ae5efe604afd62e884fa192b7

SHA512
890efefc3e202c6f31b28786fb44bb1d90fd0f0998f67b1d82ecba0f227c0a3f9fa7791cd8d5b23da9f371260e252f59bcf49aaba1c4b08adc70b74cafc9234b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDMAhpLx8D.bat

Filesize
178B

MD5
3a4b40648d8e5b8b937e4541cca942e8

SHA1
36deb8b44912cea14121eb5c39fd0e920c9e1198

SHA256
01b688610edea4fea45a7f218998fc83dcb575874da8b7e01d58f11e3914ceb6

SHA512
d4bc80e9ce9c4c06076beca6fec6f1f599ecd6b06b3f1c975135ce7e4129a471991891a0b90209e909e46df3bb7fe99dd3310a3dea1230973ef1508f4ad1b664

Download Submit
C:\Users\Admin\AppData\Local\Temp\MGTgtuIFSm.bat

Filesize
178B

MD5
804bc190b0165e4d77283a81a6155fa4

SHA1
7e4c316eccbe98d34d49364911082b39cbde5a87

SHA256
3d6457f684d3bb657153aaebde37f34d7c94843fe21cd2aada3bc63d26f0a485

SHA512
4ebb81047eea74b5dd5c2f8679d57c633552d1726d6638d647fd513a51a24e1a1510013da1455efb1bd61a76e641698d44146811ead0c6058118430cc9b3a43a

Download Submit
C:\Users\Admin\AppData\Local\Temp\O9J2Ud69mI.bat

Filesize
178B

MD5
0469210973c00ab392f1361c5c32211d

SHA1
067102aa561fbcdd1629754016212ad1307d186f

SHA256
212f4f025d98aa52f1a7344a0215f7ad18c015b0a66b612b7a40a8fa39a44b14

SHA512
0a2b655cbef123689271142206f5e24c57ca408da12210f75da9660cb287bcd4686b62cfd4ee01edc251cdd039167dd87f45a52118f1dd077f5f2b218968672c

Download Submit
C:\Users\Admin\AppData\Local\Temp\VdpP4GbADJ.bat

Filesize
178B

MD5
8b4cca3eb724981903c3d678e4866720

SHA1
2e939b51ad33cfb1f3c526a65a1fd4c1656b94a0

SHA256
96ef7bc6c3753de342355b73790844c5ffd870646c0591bb2b7c10f7f9641dc1

SHA512
9be6544a6753afe6d1efa3b2ee126b47d74a174d34c6dcc2b5f38a89f5ac5ee24bc8db7487c87c94b6a0e9e970a4208f63cba12479d0b0b56b2700ab4e85b7a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\5gB39wu8IXigNc9ZhKusMAzQLCwBZT1eKBOl5LOAKM0nqJLoLFIRPlM05a.vbe

Filesize
211B

MD5
e30ec43c2cef82698f68268735844cc5

SHA1
2ad9967dd2d1087fbe3dc96d79c49f08a17d38f9

SHA256
f6e612f2aa1d27d9c070ea07a69c4c0c9bed6e308198857ee7a1335ad7aef48b

SHA512
94ec05a7ed4f1dc0a59c12e394c651290e31b12b37a0ea80e73c362c8d1aad6bfebb2c6a87790ee9e59164ef3a16f8282695ccf94effa6d4570989621e1caec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\5sOqbfN.bat

Filesize
82B

MD5
e76af187b94b636b1c61ac0419e5b8a8

SHA1
03a8761def6fab98121efc99256fef93b3391781

SHA256
ca364ab0bdcea783a389667f2b41ce4ff5ca304172422d398e947d5d6a4e5b20

SHA512
f2beaa0d4472eca942519f56aac4c0da1da13d7e9ced01493adec053b9abc4802fad8a60b7ca2627e2349f16e6f19ca034137c3322ca7167a126856cce1dacec

Download Submit
C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe

Filesize
1.8MB

MD5
3c3b7d5864e9f151a77b33d4b9d15e3c

SHA1
d8a0c81c551da2c1e500eb2b56562a2ac0be2c81

SHA256
de07619885cbd439fa402a13cedf8edf1d67b2ae4fb078f8dc18ae7a662a7d23

SHA512
5204b39f1008093e95221b9a7ea14be6bba59a5a47d0447cfdc503c524fef9aa4001785ac0cd333f19817b6d428e2034772f6134bc84493a74f47cca2672d642

Download Submit
C:\Users\Admin\AppData\Local\Temp\fGOYhFobNz.bat

Filesize
178B

MD5
ea36c31a27aa890e63fd410e8abbab8a

SHA1
b98c9b44175cde04fe74ac7b73bca8dd4c58c11f

SHA256
e93dcc56bc65e7e61fa5db9ae0e1694ce62d5117dbc4c769ad12401010bfc5de

SHA512
ec04b587a5830775ca97e443c75c8cb1475496423538ceea5a5031fca5ec598d127afe0e282bb9dd69a8ab5218e01cc3a3cd73d0ada9d6632f0ab7c06b068a62

Download Submit
C:\Users\Admin\AppData\Local\Temp\kGGfKLKuQA.bat

Filesize
226B

MD5
35a383f5e9ff7aaa703208955e71c54b

SHA1
a0d63d0e36af4e8f34fe9bf28391e86c48fc461f

SHA256
65f7dfa22109978817aef487680eac36c12963fcc911b449f47a99614ea82e03

SHA512
f7b326842191134a3212f0b03e01022f0235fe75c13cc6d86fbfd554a3e17117650763aae44810e539f7893fc0f23c4e066c8038e44daedcb95aaf8e689dbe57

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwXArSsp9z.bat

Filesize
178B

MD5
baf9a8ffbdc00786462eda4499ae7218

SHA1
95860f2122a4882860df4a2c822e85f4d446d71e

SHA256
f49149c6f1bacdc63ff56baf4d77da07ff5d0779d850fb746f0c9a4a44a50e70

SHA512
53dc7aa132b7d8046bb172bf68c71dc5b9f02f733e692f15de97714f2d7d447ec648af50d2abdff25dc462d1a160d555f3648bb817161b3338a89668e9d8076b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rC9RFMHLq8.bat

Filesize
226B

MD5
d7e13235a0dcc3385480ddae4814a8e7

SHA1
cc429dd3a95daadd8b5991b04cb9273d5e7b2528

SHA256
95c9ff0416cf1900bc0d3195621a7350b05d71e732aeefa8d982aee74409fdcd

SHA512
0686d77b7789359bdfa120390b803c1cb935c37aa5542a09b8d2209825e815adca863d793600c08aea9197c2912ec7f6bfe8a18bd4001479e2ec8b340acd15b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6ea99dbf6ab15add16d989f88078418c

SHA1
af683c258c1011a41d6c442ca67272c9548d3c53

SHA256
678597c6b7362526d058b65af66f7be5398a9a6a35c7a2ba219a55e34da730ff

SHA512
2c7238cb8a125ec9a9a6f0a8ab73c6e1fdbf92eaa25ff46a83043fcddfa09917b801420a5341041351616061ad5e512d793624f951d0f3dcc781c6638256866e

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\Solaraexecutor.exe

Filesize
2.1MB

MD5
b444fec863c995ec2c4810fc308f08c2

SHA1
f8f8cb40daf8054a00fb7b3895babd68c6429161

SHA256
e7cccbe17462fba64687eddc141d99920ac3e890ed1464d17b6110fdca6be7de

SHA512
1472d2a9e95c949a67734af6849f827122a178df799c7c29252cc0221437fb8573bcff0a30e8f1d0e6ab1c39c8fe72c597f863bc192133a10cd6178becc17127

Download Submit
memory/932-71-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/932-72-0x0000000001DC0000-0x0000000001DC8000-memory.dmp

Filesize
32KB

Download
memory/1392-6-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/1792-158-0x0000000000190000-0x000000000036C000-memory.dmp

Filesize
1.9MB

Download
memory/1900-193-0x0000000000B60000-0x0000000000D3C000-memory.dmp

Filesize
1.9MB

Download
memory/1940-170-0x00000000009E0000-0x0000000000BBC000-memory.dmp

Filesize
1.9MB

Download
memory/2060-137-0x0000000000BE0000-0x0000000000DBC000-memory.dmp

Filesize
1.9MB

Download
memory/2196-204-0x0000000001030000-0x000000000120C000-memory.dmp

Filesize
1.9MB

Download
memory/2512-235-0x0000000000370000-0x000000000054C000-memory.dmp

Filesize
1.9MB

Download
memory/2552-181-0x0000000000B30000-0x0000000000D0C000-memory.dmp

Filesize
1.9MB

Download
memory/2724-29-0x0000000000410000-0x000000000041C000-memory.dmp

Filesize
48KB

Download
memory/2724-27-0x0000000000450000-0x0000000000468000-memory.dmp

Filesize
96KB

Download
memory/2724-25-0x0000000000430000-0x000000000044C000-memory.dmp

Filesize
112KB

Download
memory/2724-23-0x0000000000200000-0x000000000020E000-memory.dmp

Filesize
56KB

Download
memory/2724-21-0x0000000001120000-0x00000000012FC000-memory.dmp

Filesize
1.9MB

Download