dcrat | 1e1551129f56f0f52da5a7ba675eb1aacc8f0ca28118354d3d14f0ac50362b1c

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BootstrapperV1.19.exe
Size

3.1MB
MD5

c9d720a4200df5064f655adc3656056f
SHA1

0dc179cfc3cf564ea1e9c85e012ac9bda3b40464
SHA256

9cd19cf01e1d8c64caa0dffcd07dfb3304fc7257a1c468c0f3d4df1ad696319f
SHA512

f0628313d0bccdd94795d649f1f6eda194b97fe991fb1755d9525cf944b310569a6dc0a155caf17dc4e49fda4c5eaf42063443bb67abc19a079f934570136852
SSDEEP

49152:ivotkNjg/lhqZvGyBJa+U5kzXDFrO0iTb0bzveEX99h:i5ZvGko+U8XBgseE5

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3808	5072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	5072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	736	5072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4180	5072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	5072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3080	5072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	5072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	5072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4848	5072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	5072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	5072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	5072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	5072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	5072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	5072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	5072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	5072	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	5072	schtasks.exe	87

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
4600	powershell.exe
1600	powershell.exe
364	powershell.exe
3212	powershell.exe
2500	powershell.exe
3128	powershell.exe
1352	powershell.exe
4104	powershell.exe
3156	powershell.exe
3536	powershell.exe
4684	powershell.exe
4156	powershell.exe
508	powershell.exe
4940	powershell.exe
4152	powershell.exe
3632	powershell.exe
4992	powershell.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

services.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeWScript.exeservices.exeservices.exeservices.exeBootstrapperV1.19.exePerfNET.exeSolaraexecutor.exeservices.exeservices.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	BootstrapperV1.19.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	PerfNET.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Solaraexecutor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	services.exe

Executes dropped EXE 16 IoCs

Processes:

Solaraexecutor.exePerfNET.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exe

pid	Process
1452	Solaraexecutor.exe
3168	PerfNET.exe
1732	services.exe
5260	services.exe
5548	services.exe
5028	services.exe
4744	services.exe
2668	services.exe
5684	services.exe
4452	services.exe
3008	services.exe
3020	services.exe
4288	services.exe
1988	services.exe
5372	services.exe
3364	services.exe

Drops file in Program Files directory 5 IoCs

Processes:

PerfNET.exe

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\886983d96e3d3e	PerfNET.exe
File created	C:\Program Files (x86)\Windows Mail\services.exe	PerfNET.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\services.exe	PerfNET.exe
File created	C:\Program Files (x86)\Windows Mail\c5b4cb5e9653cc	PerfNET.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\csrss.exe	PerfNET.exe

Drops file in Windows directory 2 IoCs

Processes:

PerfNET.exe

description	ioc	Process
File created	C:\Windows\servicing\Editions\wininit.exe	PerfNET.exe
File created	C:\Windows\servicing\Editions\56085415360792	PerfNET.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

BootstrapperV1.19.exeSolaraexecutor.exeWScript.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperV1.19.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solaraexecutor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
5224	PING.EXE
312	PING.EXE
3532	PING.EXE
916	PING.EXE

Modifies registry class 15 IoCs

Processes:

services.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeSolaraexecutor.exeservices.exeservices.exeservices.exePerfNET.exeservices.exeservices.exeservices.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	Solaraexecutor.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	PerfNET.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	services.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid	Process
312	PING.EXE
3532	PING.EXE
916	PING.EXE
5224	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
736	schtasks.exe
3080	schtasks.exe
932	schtasks.exe
1604	schtasks.exe
2560	schtasks.exe
1344	schtasks.exe
5104	schtasks.exe
1104	schtasks.exe
1400	schtasks.exe
4180	schtasks.exe
4848	schtasks.exe
2056	schtasks.exe
2460	schtasks.exe
2580	schtasks.exe
3808	schtasks.exe
2040	schtasks.exe
2892	schtasks.exe
1412	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

PerfNET.exe

pid	Process
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe
3168	PerfNET.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

PerfNET.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exeservices.exe

description	pid	Process
Token: SeDebugPrivilege	3168	PerfNET.exe
Token: SeDebugPrivilege	4600	powershell.exe
Token: SeDebugPrivilege	3536	powershell.exe
Token: SeDebugPrivilege	4152	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	508	powershell.exe
Token: SeDebugPrivilege	3212	powershell.exe
Token: SeDebugPrivilege	364	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeDebugPrivilege	4684	powershell.exe
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeDebugPrivilege	4940	powershell.exe
Token: SeDebugPrivilege	3156	powershell.exe
Token: SeDebugPrivilege	4156	powershell.exe
Token: SeDebugPrivilege	3632	powershell.exe
Token: SeDebugPrivilege	1732	services.exe
Token: SeDebugPrivilege	5260	services.exe
Token: SeDebugPrivilege	5548	services.exe
Token: SeDebugPrivilege	5028	services.exe
Token: SeDebugPrivilege	4744	services.exe
Token: SeDebugPrivilege	2668	services.exe
Token: SeDebugPrivilege	5684	services.exe
Token: SeDebugPrivilege	4452	services.exe
Token: SeDebugPrivilege	3008	services.exe
Token: SeDebugPrivilege	3020	services.exe
Token: SeDebugPrivilege	4288	services.exe
Token: SeDebugPrivilege	1988	services.exe
Token: SeDebugPrivilege	5372	services.exe
Token: SeDebugPrivilege	3364	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

BootstrapperV1.19.exeSolaraexecutor.exeWScript.execmd.exePerfNET.execmd.exeservices.execmd.exeservices.execmd.exe

description	pid	Process	procid_target
PID 4664 wrote to memory of 1452	4664	BootstrapperV1.19.exe	82
PID 4664 wrote to memory of 1452	4664	BootstrapperV1.19.exe	82
PID 4664 wrote to memory of 1452	4664	BootstrapperV1.19.exe	82
PID 1452 wrote to memory of 5000	1452	Solaraexecutor.exe	83
PID 1452 wrote to memory of 5000	1452	Solaraexecutor.exe	83
PID 1452 wrote to memory of 5000	1452	Solaraexecutor.exe	83
PID 5000 wrote to memory of 2712	5000	WScript.exe	92
PID 5000 wrote to memory of 2712	5000	WScript.exe	92
PID 5000 wrote to memory of 2712	5000	WScript.exe	92
PID 2712 wrote to memory of 3168	2712	cmd.exe	94
PID 2712 wrote to memory of 3168	2712	cmd.exe	94
PID 3168 wrote to memory of 1352	3168	PerfNET.exe	113
PID 3168 wrote to memory of 1352	3168	PerfNET.exe	113
PID 3168 wrote to memory of 1600	3168	PerfNET.exe	114
PID 3168 wrote to memory of 1600	3168	PerfNET.exe	114
PID 3168 wrote to memory of 4600	3168	PerfNET.exe	115
PID 3168 wrote to memory of 4600	3168	PerfNET.exe	115
PID 3168 wrote to memory of 4152	3168	PerfNET.exe	116
PID 3168 wrote to memory of 4152	3168	PerfNET.exe	116
PID 3168 wrote to memory of 3128	3168	PerfNET.exe	117
PID 3168 wrote to memory of 3128	3168	PerfNET.exe	117
PID 3168 wrote to memory of 508	3168	PerfNET.exe	118
PID 3168 wrote to memory of 508	3168	PerfNET.exe	118
PID 3168 wrote to memory of 2500	3168	PerfNET.exe	121
PID 3168 wrote to memory of 2500	3168	PerfNET.exe	121
PID 3168 wrote to memory of 3536	3168	PerfNET.exe	125
PID 3168 wrote to memory of 3536	3168	PerfNET.exe	125
PID 3168 wrote to memory of 364	3168	PerfNET.exe	126
PID 3168 wrote to memory of 364	3168	PerfNET.exe	126
PID 3168 wrote to memory of 4684	3168	PerfNET.exe	127
PID 3168 wrote to memory of 4684	3168	PerfNET.exe	127
PID 3168 wrote to memory of 3212	3168	PerfNET.exe	128
PID 3168 wrote to memory of 3212	3168	PerfNET.exe	128
PID 3168 wrote to memory of 4156	3168	PerfNET.exe	129
PID 3168 wrote to memory of 4156	3168	PerfNET.exe	129
PID 3168 wrote to memory of 3632	3168	PerfNET.exe	130
PID 3168 wrote to memory of 3632	3168	PerfNET.exe	130
PID 3168 wrote to memory of 4992	3168	PerfNET.exe	131
PID 3168 wrote to memory of 4992	3168	PerfNET.exe	131
PID 3168 wrote to memory of 3156	3168	PerfNET.exe	132
PID 3168 wrote to memory of 3156	3168	PerfNET.exe	132
PID 3168 wrote to memory of 4104	3168	PerfNET.exe	133
PID 3168 wrote to memory of 4104	3168	PerfNET.exe	133
PID 3168 wrote to memory of 4940	3168	PerfNET.exe	140
PID 3168 wrote to memory of 4940	3168	PerfNET.exe	140
PID 3168 wrote to memory of 2080	3168	PerfNET.exe	147
PID 3168 wrote to memory of 2080	3168	PerfNET.exe	147
PID 2080 wrote to memory of 5504	2080	cmd.exe	149
PID 2080 wrote to memory of 5504	2080	cmd.exe	149
PID 2080 wrote to memory of 5916	2080	cmd.exe	150
PID 2080 wrote to memory of 5916	2080	cmd.exe	150
PID 2080 wrote to memory of 1732	2080	cmd.exe	152
PID 2080 wrote to memory of 1732	2080	cmd.exe	152
PID 1732 wrote to memory of 1064	1732	services.exe	153
PID 1732 wrote to memory of 1064	1732	services.exe	153
PID 1064 wrote to memory of 5192	1064	cmd.exe	155
PID 1064 wrote to memory of 5192	1064	cmd.exe	155
PID 1064 wrote to memory of 5224	1064	cmd.exe	156
PID 1064 wrote to memory of 5224	1064	cmd.exe	156
PID 1064 wrote to memory of 5260	1064	cmd.exe	157
PID 1064 wrote to memory of 5260	1064	cmd.exe	157
PID 5260 wrote to memory of 5440	5260	services.exe	158
PID 5260 wrote to memory of 5440	5260	services.exe	158
PID 5440 wrote to memory of 4000	5440	cmd.exe	160

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.19.exe
"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.19.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Users\Admin\AppData\Local\Temp\Solaraexecutor.exe
  "C:\Users\Admin\AppData\Local\Temp\Solaraexecutor.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\5gB39wu8IXigNc9ZhKusMAzQLCwBZT1eKBOl5LOAKM0nqJLoLFIRPlM05a.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\5sOqbfN.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2712
    - - C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe
        
        "C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet/PerfNET.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3168
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1352
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4600
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4152
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3128
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:508
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3536
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:364
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4684
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3212
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\csrss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4156
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\servicing\Editions\wininit.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3632
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\TrustedInstaller.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4992
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3156
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\services.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4104
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4940
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jcQy5PnTEu.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:5504
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:5916
        
        C:\Program Files (x86)\Windows Mail\services.exe
        
        "C:\Program Files (x86)\Windows Mail\services.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ULpxsJz5x7.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:5192
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5224
        
        C:\Program Files (x86)\Windows Mail\services.exe
        
        "C:\Program Files (x86)\Windows Mail\services.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5260
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7z2CYqkT7L.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:5440
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:4000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2712
        
        C:\Program Files (x86)\Windows Mail\services.exe
        
        "C:\Program Files (x86)\Windows Mail\services.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GJEc11R9oa.bat"
        12⤵
        
        PID:2564
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:5624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:5908
        
        C:\Program Files (x86)\Windows Mail\services.exe
        
        "C:\Program Files (x86)\Windows Mail\services.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\df0NLUfleM.bat"
        14⤵
        
        PID:4408
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:5672
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:312
        
        C:\Program Files (x86)\Windows Mail\services.exe
        
        "C:\Program Files (x86)\Windows Mail\services.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GJEc11R9oa.bat"
        16⤵
        
        PID:5104
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:212
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:5876
        
        C:\Program Files (x86)\Windows Mail\services.exe
        
        "C:\Program Files (x86)\Windows Mail\services.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r3ED9wUyR4.bat"
        18⤵
        
        PID:2984
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:5764
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3532
        
        C:\Program Files (x86)\Windows Mail\services.exe
        
        "C:\Program Files (x86)\Windows Mail\services.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pFxSEGDzP3.bat"
        20⤵
        
        PID:4660
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:4992
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:6080
        
        C:\Program Files (x86)\Windows Mail\services.exe
        
        "C:\Program Files (x86)\Windows Mail\services.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4452
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WpUDqpymLx.bat"
        22⤵
        
        PID:4276
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:808
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:5172
        
        C:\Program Files (x86)\Windows Mail\services.exe
        
        "C:\Program Files (x86)\Windows Mail\services.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LFX8y3PYZG.bat"
        24⤵
        
        PID:2032
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:1588
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:5744
        
        C:\Program Files (x86)\Windows Mail\services.exe
        
        "C:\Program Files (x86)\Windows Mail\services.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cRBFrjfuSR.bat"
        26⤵
        
        PID:3128
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:3632
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:916
        
        C:\Program Files (x86)\Windows Mail\services.exe
        
        "C:\Program Files (x86)\Windows Mail\services.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y3JLLbydWs.bat"
        28⤵
        
        PID:5184
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:3432
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:5180
        
        C:\Program Files (x86)\Windows Mail\services.exe
        
        "C:\Program Files (x86)\Windows Mail\services.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oZZxAQVH3E.bat"
        30⤵
        
        PID:5252
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:5396
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:5432
        
        C:\Program Files (x86)\Windows Mail\services.exe
        
        "C:\Program Files (x86)\Windows Mail\services.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5372
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZxWzsCgC4b.bat"
        32⤵
        
        PID:5444
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:5536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:2576
        
        C:\Program Files (x86)\Windows Mail\services.exe
        
        "C:\Program Files (x86)\Windows Mail\services.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\servicing\Editions\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\servicing\Editions\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\servicing\Editions\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 11 /tr "'C:\Users\Public\TrustedInstaller.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Users\Public\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 10 /tr "'C:\Users\Public\TrustedInstaller.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PerfNETP" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PerfNET" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PerfNETP" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log

Filesize
1KB

MD5
f8b2fca3a50771154571c11f1c53887b

SHA1
2e83b0c8e2f4c10b145b7fb4832ed1c78743de3f

SHA256
0efa72802031a8f902c3a4ab18fe3d667dafc71c93eb3a1811e78353ecf4a6b6

SHA512
b98b8d5516593d13415199d4ac6fbe4ff924488487c4bd863cb677601048785d872a3ff30129148e2961cb6fb2fc33117540302980a132f57f7ec9a497813f1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\7z2CYqkT7L.bat

Filesize
224B

MD5
7838f9ae46186d32962d332730f85150

SHA1
48fa4277e30bdd69241dcbb61f1a3c9a2d20bcbb

SHA256
b18fb0130c19795c6daae75d97f2f70dc6874c1d99aef446810de78738669277

SHA512
3f6b58684e1a85fe64e05c963c9ace3a1e0dffb3c8b55df735c4c35ea9a32efac1a690a46857606ce1da64fc4139efdc71938aeecf37b49f5916169cc4ff68d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\GJEc11R9oa.bat

Filesize
224B

MD5
1a28775d3463f54156f559319d27ee32

SHA1
08b31978eb3b3db8a97472b392e2689eee73db17

SHA256
2c17c5175285ad08e7808ba2364dfe30d7070c4e5345f796cde55c8609196259

SHA512
6a5bc3b1a67401508670231cbb99d32e290ab7491591b29832c27ae0249d022cd05a5a596bfc7891ae0a53002668a3e7b630620c035e34c3ef634c15c8a866a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\LFX8y3PYZG.bat

Filesize
224B

MD5
1d182d5f3098dd51ebe93b0326178a0e

SHA1
21b9456fc6da29f59648ecb75b49699967b415da

SHA256
2754f97c914ff91f2edbebc0acb1e1b574ef63c5e8c0baacee5cdd93beaf6bea

SHA512
1db033a57ab0aed9fd7c726521046e3439bc838fbf22489e1cd0f538210c5fcf12fbe7df0fb8837b68f82b07b04a6add48f1ef350f97782769a9dc64d7f2207f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solaraexecutor.exe

Filesize
2.1MB

MD5
b444fec863c995ec2c4810fc308f08c2

SHA1
f8f8cb40daf8054a00fb7b3895babd68c6429161

SHA256
e7cccbe17462fba64687eddc141d99920ac3e890ed1464d17b6110fdca6be7de

SHA512
1472d2a9e95c949a67734af6849f827122a178df799c7c29252cc0221437fb8573bcff0a30e8f1d0e6ab1c39c8fe72c597f863bc192133a10cd6178becc17127

Download Submit
C:\Users\Admin\AppData\Local\Temp\ULpxsJz5x7.bat

Filesize
176B

MD5
0ac816e9755dd8d0995c0d5d578c9a32

SHA1
97a4b954f3590ec501f103ee55aa4de6ea75a5a0

SHA256
1482a22fcbf9ca74855863e62bd99037594778954018629cfe27f4de06d05c8b

SHA512
473251e896f6708765f78c0730bb21183545798ee0a134a17f0472d48a78deadcba00fd715a51b8579eb81924a2b8430fdc710e5c3ac5b2edf75bfb9b9d0d82f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WpUDqpymLx.bat

Filesize
224B

MD5
811245105a8c72da4a99fd760763bf78

SHA1
e63fcade83c486f3d9ad0fffdab0fd0586a2a36f

SHA256
ea12dba69a4b35935879be5bed5fd074b834c121f046eded971534472847c9c2

SHA512
4dce5fb89b47cf7a6957742235846e52889356035c27c3a2966b3b73ff8657f5f7c9f546a5a6db3d1191a2b572420fd2cf1657eaa7a7f769c4cdeae6dfd4ddf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y3JLLbydWs.bat

Filesize
224B

MD5
89368e98e8bf7034aa77fe0ca00f62f9

SHA1
43854c08c72278db8118a10bd98f31297de17fe8

SHA256
b34af412f59faaafb7901fa499363038952dff94a87738ae149bbb405b73ea2e

SHA512
fe90ac978113b3b0e7cf0b65138e43e66557ed12779c1ce9198d9455a8ca518b3bfb2ab1c688b2ddb3e72c36ff64c7a9ac97f9ac9fc2e4d2fdb768e3de34acfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZxWzsCgC4b.bat

Filesize
224B

MD5
e773ceff84e8b724a2417b2b6a9bbb05

SHA1
9a0717990f259b9aa364f6d8845b74ed145e1a84

SHA256
855f43d89109a4edef43895f37345baed1776d615a73877ea175f943deffdfe8

SHA512
9d80fc4f8a098d2c217a5b8ddd796efef047a6ea3e50e399eed535e9370f4f24dea02b602ac3bb206c84baaf76a8339049c2fa1b8a36cfe3499a8202c9439c6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_osdnwiuy.wck.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cRBFrjfuSR.bat

Filesize
176B

MD5
f733ab6b077b14095a4a2b318f2499bc

SHA1
0812751f0c09cf23ff7d190204c69962a64b6808

SHA256
e421604d0a813ecaf63ef3b829f2ff700407bbf0346933eaa19bb92e309f32ad

SHA512
2b013ca362fdf8213b9ecded82446a74fa8a138a73241adc6a6cb49f624516adc7bb594bf1856d796f93bf1b63af7a6547a204b7e63d4072244a90d0e2abd1a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\5gB39wu8IXigNc9ZhKusMAzQLCwBZT1eKBOl5LOAKM0nqJLoLFIRPlM05a.vbe

Filesize
211B

MD5
e30ec43c2cef82698f68268735844cc5

SHA1
2ad9967dd2d1087fbe3dc96d79c49f08a17d38f9

SHA256
f6e612f2aa1d27d9c070ea07a69c4c0c9bed6e308198857ee7a1335ad7aef48b

SHA512
94ec05a7ed4f1dc0a59c12e394c651290e31b12b37a0ea80e73c362c8d1aad6bfebb2c6a87790ee9e59164ef3a16f8282695ccf94effa6d4570989621e1caec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\5sOqbfN.bat

Filesize
82B

MD5
e76af187b94b636b1c61ac0419e5b8a8

SHA1
03a8761def6fab98121efc99256fef93b3391781

SHA256
ca364ab0bdcea783a389667f2b41ce4ff5ca304172422d398e947d5d6a4e5b20

SHA512
f2beaa0d4472eca942519f56aac4c0da1da13d7e9ced01493adec053b9abc4802fad8a60b7ca2627e2349f16e6f19ca034137c3322ca7167a126856cce1dacec

Download Submit
C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe

Filesize
1.8MB

MD5
3c3b7d5864e9f151a77b33d4b9d15e3c

SHA1
d8a0c81c551da2c1e500eb2b56562a2ac0be2c81

SHA256
de07619885cbd439fa402a13cedf8edf1d67b2ae4fb078f8dc18ae7a662a7d23

SHA512
5204b39f1008093e95221b9a7ea14be6bba59a5a47d0447cfdc503c524fef9aa4001785ac0cd333f19817b6d428e2034772f6134bc84493a74f47cca2672d642

Download Submit
C:\Users\Admin\AppData\Local\Temp\df0NLUfleM.bat

Filesize
176B

MD5
561c4b7345d8375649e587788ad254d7

SHA1
fa6a09fc8608a543f38533f7ee48d0b5d4b81ca9

SHA256
879713116c30024a61d513eeb3ffbde10fe3cfa2246ce532d402519769d7ef8b

SHA512
d3624b8810d9f43c045e3c1964bec8a1257798f2a3663f44e0be64a79073d0c24f55a72edf66bedd0d1be9560a5d3d80d39ff4d81e15af8288c902785b755a2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jcQy5PnTEu.bat

Filesize
224B

MD5
754ddb8635052829068d767ec2469076

SHA1
1b694bd79b18321c6a176d5d62e8fcf18df9dc70

SHA256
c798651889db3278882f1953ee2514122fed3bcce0bfa15ade9efb4599ade9dc

SHA512
112d5a07aee723258b6e8aebd2d59ed9b923c488df82f1f0ad0a9d10f26e130121562e4b85c32d0635e317b2bcdb6e89a2db1523772e6d668a4ed161eabdd18b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oZZxAQVH3E.bat

Filesize
224B

MD5
4796f114ac6ea6c1325161452a14020d

SHA1
b6b8da33f735d4a32a812f48c53db6da530502e6

SHA256
eeba6d99b53d228063d0082788e45cb169ea10197e966f2160542f4389e621c2

SHA512
195cb4671fc4d9b7fdf8c3ece9a521864e8a2d1d4870a79ea744db0fc59f979fb19240c930d32be1c26e4ca16349e6d0aa9ae172e93cc0a72a1597ef4479631b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pFxSEGDzP3.bat

Filesize
224B

MD5
a4d9b674fe736fb62d3719e9a7c38d4a

SHA1
67f7a5fae915295426c226fd9e59e5bf1f5cdfc5

SHA256
a699b56b8aebbbc7f13761661124f54072d36b2869f078f9c2e2799c1fa10cb7

SHA512
c98d54889d09281e533d0acbba34f898269b1e93d12fa743900e9d43309c73d15cb61e3759c11d3434c8b8e3d716adf3dc308bb3e3c743ced0f3fa8fb14dfdb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\r3ED9wUyR4.bat

Filesize
176B

MD5
91564a35c2273e7b3453126a8e489d9b

SHA1
3ff797c5b37570adfc9ee23adb972a092a154283

SHA256
f45b324782cc73e71359fea27b236ddf5eeea680af5f7b5495c8fb2fb9c6aab0

SHA512
2aaf615e13496267f8d6db0df04c0aa16c134674ee98345d61c927617dd315a911e6c886901b66d365e86ca16de3315920097b67db8ca129e11a316267668c65

Download Submit
memory/1732-247-0x000000001D690000-0x000000001D839000-memory.dmp

Filesize
1.7MB

Download
memory/3168-28-0x000000001B9D0000-0x000000001B9E8000-memory.dmp

Filesize
96KB

Download
memory/3168-30-0x0000000002F40000-0x0000000002F4C000-memory.dmp

Filesize
48KB

Download
memory/3168-26-0x000000001BD50000-0x000000001BDA0000-memory.dmp

Filesize
320KB

Download
memory/3168-25-0x0000000002F80000-0x0000000002F9C000-memory.dmp

Filesize
112KB

Download
memory/3168-23-0x0000000002E20000-0x0000000002E2E000-memory.dmp

Filesize
56KB

Download
memory/3168-21-0x0000000000B80000-0x0000000000D5C000-memory.dmp

Filesize
1.9MB

Download
memory/4600-53-0x00000262509B0000-0x00000262509D2000-memory.dmp

Filesize
136KB

Download
memory/4664-7-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/5028-281-0x000000001D1E0000-0x000000001D389000-memory.dmp

Filesize
1.7MB

Download
memory/5260-259-0x000000001CF40000-0x000000001D0E9000-memory.dmp

Filesize
1.7MB

Download
memory/5548-270-0x000000001CC90000-0x000000001CE39000-memory.dmp

Filesize
1.7MB

Download