dcrat | 9cd19cf01e1d8c64caa0dffcd07dfb3304fc7257a1c468c0f3d4df1ad696319f

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-12-2024 09:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BootstrapperV1.19.exe
Size

3.1MB
MD5

c9d720a4200df5064f655adc3656056f
SHA1

0dc179cfc3cf564ea1e9c85e012ac9bda3b40464
SHA256

9cd19cf01e1d8c64caa0dffcd07dfb3304fc7257a1c468c0f3d4df1ad696319f
SHA512

f0628313d0bccdd94795d649f1f6eda194b97fe991fb1755d9525cf944b310569a6dc0a155caf17dc4e49fda4c5eaf42063443bb67abc19a079f934570136852
SSDEEP

49152:ivotkNjg/lhqZvGyBJa+U5kzXDFrO0iTb0bzveEX99h:i5ZvGko+U8XBgseE5

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	4500	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3580	4500	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	4500	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	4500	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	4500	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3860	4500	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	4500	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3620	4500	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	4500	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3692	4500	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	4500	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	4500	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	4500	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	4500	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4520	4500	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	4500	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4280	4500	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	4500	schtasks.exe	90

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4876	powershell.exe
4680	powershell.exe
2512	powershell.exe
2784	powershell.exe
4632	powershell.exe
4428	powershell.exe
1900	powershell.exe
3836	powershell.exe
1504	powershell.exe
3316	powershell.exe
1408	powershell.exe
2520	powershell.exe
4628	powershell.exe
3488	powershell.exe
2584	powershell.exe
2332	powershell.exe
2344	powershell.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	BootstrapperV1.19.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	PerfNET.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Solaraexecutor.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 15 IoCs

pid	Process
5060	Solaraexecutor.exe
4548	PerfNET.exe
6136	RuntimeBroker.exe
5240	RuntimeBroker.exe
5912	RuntimeBroker.exe
5592	RuntimeBroker.exe
5924	RuntimeBroker.exe
3548	RuntimeBroker.exe
5092	RuntimeBroker.exe
4948	RuntimeBroker.exe
6084	RuntimeBroker.exe
6136	RuntimeBroker.exe
5552	RuntimeBroker.exe
1524	RuntimeBroker.exe
5560	RuntimeBroker.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\smss.exe	PerfNET.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\smss.exe	PerfNET.exe
File created	C:\Program Files (x86)\Windows Portable Devices\69ddcba757bf72	PerfNET.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ar\RuntimeBroker.exe	PerfNET.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ar\9e8d7a4ca61bd9	PerfNET.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\SearchApp.exe	PerfNET.exe
File created	C:\Windows\Microsoft.NET\Framework64\38384e6a620884	PerfNET.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperV1.19.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solaraexecutor.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2236	PING.EXE
2092	PING.EXE
1852	PING.EXE
3612	PING.EXE
1716	PING.EXE
5280	PING.EXE

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	Solaraexecutor.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	PerfNET.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
2236	PING.EXE
2092	PING.EXE
1852	PING.EXE
3612	PING.EXE
1716	PING.EXE
5280	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2228	schtasks.exe
3860	schtasks.exe
1784	schtasks.exe
4928	schtasks.exe
5052	schtasks.exe
840	schtasks.exe
4772	schtasks.exe
3692	schtasks.exe
4620	schtasks.exe
4016	schtasks.exe
3664	schtasks.exe
4596	schtasks.exe
3620	schtasks.exe
4780	schtasks.exe
4520	schtasks.exe
4280	schtasks.exe
3580	schtasks.exe
1572	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
4548	PerfNET.exe
3836	powershell.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	4548	PerfNET.exe
Token: SeDebugPrivilege	3836	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	3316	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	4628	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	3488	powershell.exe
Token: SeDebugPrivilege	4876	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	4632	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	1408	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeDebugPrivilege	6136	RuntimeBroker.exe
Token: SeDebugPrivilege	5240	RuntimeBroker.exe
Token: SeDebugPrivilege	5912	RuntimeBroker.exe
Token: SeDebugPrivilege	5592	RuntimeBroker.exe
Token: SeDebugPrivilege	5924	RuntimeBroker.exe
Token: SeDebugPrivilege	3548	RuntimeBroker.exe
Token: SeDebugPrivilege	5092	RuntimeBroker.exe
Token: SeDebugPrivilege	4948	RuntimeBroker.exe
Token: SeDebugPrivilege	6084	RuntimeBroker.exe
Token: SeDebugPrivilege	6136	RuntimeBroker.exe
Token: SeDebugPrivilege	5552	RuntimeBroker.exe
Token: SeDebugPrivilege	1524	RuntimeBroker.exe
Token: SeDebugPrivilege	5560	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 5060	1600	BootstrapperV1.19.exe	83
PID 1600 wrote to memory of 5060	1600	BootstrapperV1.19.exe	83
PID 1600 wrote to memory of 5060	1600	BootstrapperV1.19.exe	83
PID 5060 wrote to memory of 1788	5060	Solaraexecutor.exe	84
PID 5060 wrote to memory of 1788	5060	Solaraexecutor.exe	84
PID 5060 wrote to memory of 1788	5060	Solaraexecutor.exe	84
PID 1788 wrote to memory of 1448	1788	WScript.exe	99
PID 1788 wrote to memory of 1448	1788	WScript.exe	99
PID 1788 wrote to memory of 1448	1788	WScript.exe	99
PID 1448 wrote to memory of 4548	1448	cmd.exe	102
PID 1448 wrote to memory of 4548	1448	cmd.exe	102
PID 4548 wrote to memory of 4428	4548	PerfNET.exe	122
PID 4548 wrote to memory of 4428	4548	PerfNET.exe	122
PID 4548 wrote to memory of 2520	4548	PerfNET.exe	123
PID 4548 wrote to memory of 2520	4548	PerfNET.exe	123
PID 4548 wrote to memory of 2784	4548	PerfNET.exe	124
PID 4548 wrote to memory of 2784	4548	PerfNET.exe	124
PID 4548 wrote to memory of 3836	4548	PerfNET.exe	125
PID 4548 wrote to memory of 3836	4548	PerfNET.exe	125
PID 4548 wrote to memory of 1408	4548	PerfNET.exe	126
PID 4548 wrote to memory of 1408	4548	PerfNET.exe	126
PID 4548 wrote to memory of 4632	4548	PerfNET.exe	127
PID 4548 wrote to memory of 4632	4548	PerfNET.exe	127
PID 4548 wrote to memory of 2584	4548	PerfNET.exe	128
PID 4548 wrote to memory of 2584	4548	PerfNET.exe	128
PID 4548 wrote to memory of 2332	4548	PerfNET.exe	129
PID 4548 wrote to memory of 2332	4548	PerfNET.exe	129
PID 4548 wrote to memory of 1900	4548	PerfNET.exe	130
PID 4548 wrote to memory of 1900	4548	PerfNET.exe	130
PID 4548 wrote to memory of 2512	4548	PerfNET.exe	131
PID 4548 wrote to memory of 2512	4548	PerfNET.exe	131
PID 4548 wrote to memory of 3488	4548	PerfNET.exe	132
PID 4548 wrote to memory of 3488	4548	PerfNET.exe	132
PID 4548 wrote to memory of 3316	4548	PerfNET.exe	133
PID 4548 wrote to memory of 3316	4548	PerfNET.exe	133
PID 4548 wrote to memory of 2344	4548	PerfNET.exe	135
PID 4548 wrote to memory of 2344	4548	PerfNET.exe	135
PID 4548 wrote to memory of 4680	4548	PerfNET.exe	136
PID 4548 wrote to memory of 4680	4548	PerfNET.exe	136
PID 4548 wrote to memory of 4876	4548	PerfNET.exe	138
PID 4548 wrote to memory of 4876	4548	PerfNET.exe	138
PID 4548 wrote to memory of 1504	4548	PerfNET.exe	139
PID 4548 wrote to memory of 1504	4548	PerfNET.exe	139
PID 4548 wrote to memory of 4628	4548	PerfNET.exe	140
PID 4548 wrote to memory of 4628	4548	PerfNET.exe	140
PID 4548 wrote to memory of 4896	4548	PerfNET.exe	155
PID 4548 wrote to memory of 4896	4548	PerfNET.exe	155
PID 4896 wrote to memory of 5444	4896	cmd.exe	158
PID 4896 wrote to memory of 5444	4896	cmd.exe	158
PID 4896 wrote to memory of 5724	4896	cmd.exe	159
PID 4896 wrote to memory of 5724	4896	cmd.exe	159
PID 4896 wrote to memory of 6136	4896	cmd.exe	162
PID 4896 wrote to memory of 6136	4896	cmd.exe	162
PID 6136 wrote to memory of 5152	6136	RuntimeBroker.exe	164
PID 6136 wrote to memory of 5152	6136	RuntimeBroker.exe	164
PID 5152 wrote to memory of 5144	5152	cmd.exe	166
PID 5152 wrote to memory of 5144	5152	cmd.exe	166
PID 5152 wrote to memory of 5200	5152	cmd.exe	167
PID 5152 wrote to memory of 5200	5152	cmd.exe	167
PID 5152 wrote to memory of 5240	5152	cmd.exe	169
PID 5152 wrote to memory of 5240	5152	cmd.exe	169
PID 5240 wrote to memory of 4776	5240	RuntimeBroker.exe	171
PID 5240 wrote to memory of 4776	5240	RuntimeBroker.exe	171
PID 4776 wrote to memory of 5452	4776	cmd.exe	173

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.19.exe
"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.19.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Users\Admin\AppData\Local\Temp\Solaraexecutor.exe
  "C:\Users\Admin\AppData\Local\Temp\Solaraexecutor.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\5gB39wu8IXigNc9ZhKusMAzQLCwBZT1eKBOl5LOAKM0nqJLoLFIRPlM05a.vbe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1788
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\5sOqbfN.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1448
    - - C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe
        
        "C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet/PerfNET.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4548
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4428
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3836
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1408
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4632
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3488
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework64\SearchApp.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3316
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\locale\ar\RuntimeBroker.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4680
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\taskhostw.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4876
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\smss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4628
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2BajXw9ttr.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:5444
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:5724
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:6136
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3P5lE7dbjQ.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:5152
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:5144
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:5200
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5240
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Cq054WUQlS.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:5452
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:5460
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FYUTXnTyLD.bat"
        12⤵
        
        PID:5468
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:1016
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3612
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l0cWqgOPfJ.bat"
        14⤵
        
        PID:5860
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1048
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1332
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AcAxalUZZX.bat"
        16⤵
        
        PID:4416
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:880
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1716
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KvMN3vAFGm.bat"
        18⤵
        
        PID:2576
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:5732
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:3276
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e96MM2hRMu.bat"
        20⤵
        
        PID:856
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2260
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5280
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I19jVKSgi3.bat"
        22⤵
        
        PID:3940
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:5892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4680
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:6084
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9NLp60UiOc.bat"
        24⤵
        
        PID:2356
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:3928
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2236
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:6136
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8MPHA9c1U6.bat"
        26⤵
        
        PID:5292
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:5392
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:5296
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lf01uW6718.bat"
        28⤵
        
        PID:1984
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:5536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:5956
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QmsWYasDZC.bat"
        30⤵
        
        PID:4644
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:4620
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2092
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pNUPMo5gat.bat"
        32⤵
        
        PID:4196
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:4516
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Windows\Microsoft.NET\Framework64\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework64\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Windows\Microsoft.NET\Framework64\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\locale\ar\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\ar\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\locale\ar\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PerfNETP" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PerfNET" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "PerfNETP" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
f8b2fca3a50771154571c11f1c53887b

SHA1
2e83b0c8e2f4c10b145b7fb4832ed1c78743de3f

SHA256
0efa72802031a8f902c3a4ab18fe3d667dafc71c93eb3a1811e78353ecf4a6b6

SHA512
b98b8d5516593d13415199d4ac6fbe4ff924488487c4bd863cb677601048785d872a3ff30129148e2961cb6fb2fc33117540302980a132f57f7ec9a497813f1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6c47b3f4e68eebd47e9332eebfd2dd4e

SHA1
67f0b143336d7db7b281ed3de5e877fa87261834

SHA256
8c48b1f2338e5b24094821f41121d2221f1cb3200338f46df49f64d1c4bc3e0c

SHA512
0acf302a9fc971ef9df65ed42c47ea17828e54dff685f4434f360556fd27cdc26a75069f00dcdc14ba174893c6fd7a2cfd8c6c07be3ce35dafee0a006914eaca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Temp\2BajXw9ttr.bat

Filesize
215B

MD5
f5a56e23bb358d25c977168ac1cd15f8

SHA1
eb20ba569f3aec5ddac758feeee9b7601db9deab

SHA256
5a3465e86158d5282411a9d5abf24d889c2f9a1f651c400d32cfb349b7846329

SHA512
7ecd16ba5c4e30c720adbb5b77188a369a630fa43e8b0a3d5421118a3fff9bff6fe709afa1fb04f62a3982a9a3537f7b110922b00b3aa34bc1e730f77664f70a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3P5lE7dbjQ.bat

Filesize
215B

MD5
fbcab3185203d395ee3107ce709922f6

SHA1
669ecfe32d7b338a96e77e5c74166641bbcb4650

SHA256
99eba2f753a381466332918290d477d5f63866cd2a256706ab56f58fd87605c0

SHA512
cfcacf0f5af9a8e6fa59909506702ab5363ba9db7cedd232258a66bad1cf434cf06a7c85b2676594dd7e9205cdfd1b3fb516d10e0cd696d479aa07ca706887dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\8MPHA9c1U6.bat

Filesize
215B

MD5
b4669c657d5156b5c6d95febb06f5c83

SHA1
10d8f3bfd7c83ab7c48889f3c2b7a11f622d8729

SHA256
aedafbb3781eb3e085cefa7cc4ff4ac9eb2ecdfdf713b65f66e5241aa8fb7c2b

SHA512
32208267d508f0611981ab44c483fedb2665b819fb9e1f5bb73cbe0453760d74c75560292a33a40e7a5edce88c8ef953372da70ff746cfdfd3b57f7c7c059dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\9NLp60UiOc.bat

Filesize
167B

MD5
e81bb13cbf4b6b6b782945e527a9a854

SHA1
ecd1a0269af2f5216a8b2c08378e73a774611207

SHA256
0e05cb3dae150d5b1083424547863b0959f7df896cbc75281b1a1f602fc370fd

SHA512
f9a8ac42549f2de0682f8da60c2e725752320f3995ae79474aa966f727d8157aa8e58ac47386fe0dabce2d9aa8e93591d66f69e7a176620a1d44ab2dfcaa9fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcAxalUZZX.bat

Filesize
167B

MD5
cf213e63e3240f41bca644a43c5c55da

SHA1
ef791423044defe2ed073d15a5ca26412f4f514e

SHA256
2749209b7c01a9c389d512112e9f2d36d00411c6ddcb9d5cfedaf9ec3e0d1e0d

SHA512
8dedf2996a90e64699d6e46113a911e32685c021f494db6d6a1aa13f1efb83826bd05707680a6cb6efbcfc79e16dbc7b91404348e5cf307459aebdfa72bb762a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cq054WUQlS.bat

Filesize
215B

MD5
f39d2888790c45b4f8eb291cf15eb399

SHA1
0c35610da8c93eedc9ebfb98b65051ab0969be14

SHA256
366b550c65940f6d8a1ef6d33fdffdeeec9beccc58b66e42eb0ff610ff80aadd

SHA512
f24a89bb251ad33397ac5ae3229d7efcec9352091775b51e09ecf115543bb10ff7592a21c241afdb2efe05136a256a58ab3fe3d1f3304766e2bd8423c7e410b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\FYUTXnTyLD.bat

Filesize
167B

MD5
0abf9707bf6e40574f60adc931c2bb56

SHA1
5ff19a2ae8b9fb51a959d8ab96ad34cd4e42fd43

SHA256
285915dc3e1c5e95aa43489ef7599e5002f926c66ddc24fb51d7d1dca9d276cb

SHA512
6a59e5f7b817a4110892aa0c93bfb228c7a49e17d910812de06b9e6f34bf7b5f3ae489e8d8fa995787c39394c5636fd4984b03a68c80e3128cae1b512fd18c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\I19jVKSgi3.bat

Filesize
215B

MD5
66f604825b851a2a9a1a9c8cfda5a9b3

SHA1
da422961572369f1c1316d27209c5f5438de59da

SHA256
db8b584407a2453f1d2706b29ea03278ac327ddabc1abfa8254ab911bdf4cede

SHA512
a84c1dd20a30248129b300719687951cce52ee155046735066705f914ed15e9b17c861bb7d0e7fada8d0a1b592ab56b0cc2fcd111b5ed6ba012cd19248e9122a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KvMN3vAFGm.bat

Filesize
215B

MD5
74ead6be3c673bd3a5ed9cfc0eadd9c8

SHA1
00cfc6cb122f1a3383dc00226e4f33b84b8b2c66

SHA256
be3dd4305118838674caa22f22517a2a0c853d99b1355e572f43bd41f5a5f112

SHA512
665bc8c169f6be89054165da81d04bb0f575c56b32dce3d48f97847ca9ae699083afde7bed5530826699ebda55799721b48cfc137679eda936f45230dc668093

Download Submit
C:\Users\Admin\AppData\Local\Temp\QmsWYasDZC.bat

Filesize
167B

MD5
81be4dc19acb7b318cf43a4278345cda

SHA1
1c6eedf892df8469d0e62c45890717616127718f

SHA256
dcc3e1b700ccd3423e192ba3e39eda9da53896a2c35b822dd19f3a7ca0b500ea

SHA512
f85bf8b157796013a1dbb45b01c479a6e0a76dccf0257a6c3fc850014dbecbfc6d95f49396af1d3c69f815f3581362f2ae7a92da7f0aa44111178479cad7a450

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solaraexecutor.exe

Filesize
2.1MB

MD5
b444fec863c995ec2c4810fc308f08c2

SHA1
f8f8cb40daf8054a00fb7b3895babd68c6429161

SHA256
e7cccbe17462fba64687eddc141d99920ac3e890ed1464d17b6110fdca6be7de

SHA512
1472d2a9e95c949a67734af6849f827122a178df799c7c29252cc0221437fb8573bcff0a30e8f1d0e6ab1c39c8fe72c597f863bc192133a10cd6178becc17127

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_34dswmis.2er.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\5gB39wu8IXigNc9ZhKusMAzQLCwBZT1eKBOl5LOAKM0nqJLoLFIRPlM05a.vbe

Filesize
211B

MD5
e30ec43c2cef82698f68268735844cc5

SHA1
2ad9967dd2d1087fbe3dc96d79c49f08a17d38f9

SHA256
f6e612f2aa1d27d9c070ea07a69c4c0c9bed6e308198857ee7a1335ad7aef48b

SHA512
94ec05a7ed4f1dc0a59c12e394c651290e31b12b37a0ea80e73c362c8d1aad6bfebb2c6a87790ee9e59164ef3a16f8282695ccf94effa6d4570989621e1caec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\5sOqbfN.bat

Filesize
82B

MD5
e76af187b94b636b1c61ac0419e5b8a8

SHA1
03a8761def6fab98121efc99256fef93b3391781

SHA256
ca364ab0bdcea783a389667f2b41ce4ff5ca304172422d398e947d5d6a4e5b20

SHA512
f2beaa0d4472eca942519f56aac4c0da1da13d7e9ced01493adec053b9abc4802fad8a60b7ca2627e2349f16e6f19ca034137c3322ca7167a126856cce1dacec

Download Submit
C:\Users\Admin\AppData\Local\Temp\chainbrowserReviewNet\PerfNET.exe

Filesize
1.8MB

MD5
3c3b7d5864e9f151a77b33d4b9d15e3c

SHA1
d8a0c81c551da2c1e500eb2b56562a2ac0be2c81

SHA256
de07619885cbd439fa402a13cedf8edf1d67b2ae4fb078f8dc18ae7a662a7d23

SHA512
5204b39f1008093e95221b9a7ea14be6bba59a5a47d0447cfdc503c524fef9aa4001785ac0cd333f19817b6d428e2034772f6134bc84493a74f47cca2672d642

Download Submit
C:\Users\Admin\AppData\Local\Temp\e96MM2hRMu.bat

Filesize
167B

MD5
08a418c989848801e1572731a3fda4df

SHA1
d28e7af801849f1d51b7d323a97a1489c0bfe2ba

SHA256
94dfc516b2a967a4289a75bc0bd0239d25401929b7dde3fe3baa020fa4baa7b2

SHA512
c9f6d177e58121c32f86514b3c30ec8148e985a040d9e2368b786d5ae40a9a680614fdf4562bde424d13f3fe868c10612be12a72505f641f83f5ae8addc1588a

Download Submit
C:\Users\Admin\AppData\Local\Temp\l0cWqgOPfJ.bat

Filesize
215B

MD5
e34d7dc293008ddcd3ac7e97fceff899

SHA1
76b2bb0fb0838bd88fcbc8e2d4466578eeb8774b

SHA256
b218035d91471ff8e84dac2108fa8915433a1e270a75d851455b64c5a5c5e417

SHA512
7e8eb6256e4ff76faf0063237db80d4818ec265f944a304ad67c7d03ae1e107c2060e644afb19904d8f4a6626a460b0b549e4c26f64934a503cf29e2400dfe65

Download Submit
C:\Users\Admin\AppData\Local\Temp\lf01uW6718.bat

Filesize
215B

MD5
21788cab10a1ee6f2abce6ce9da207e5

SHA1
485b1eda176ebb31bca24e752f6bc896ae24f7a6

SHA256
6ed8d20c0a692f9a4b26a75f2a15c62859fd1f729d77550b289e62d9e21a3992

SHA512
ce4928a36532c713fce382b94b6a9d6268d28802679688b6458241538e128bf91a7c1092611a188e65927aa564c6a688cada0a23a38da499c3884b5d6e6a61db

Download Submit
C:\Users\Admin\AppData\Local\Temp\pNUPMo5gat.bat

Filesize
167B

MD5
d9338fd04f9f92fe77ef620c9095eb44

SHA1
b9b14f77d163f08e057271207975198366eafbbb

SHA256
8ea2592b1e158ed8a66bbd74beb382f31698288234b8bd4910bfa9b52238b0eb

SHA512
a0e954733bff72bcd4fa7b2d6c525a16eb1cf812798423d4f68878a07baac51862b26aa40c22ab793ab5455a1a91497cda745b54560a861358d410930e4deac9

Download Submit
memory/1600-7-0x0000000000400000-0x0000000000720000-memory.dmp

Filesize
3.1MB

Download
memory/2332-48-0x0000017835E20000-0x0000017835E42000-memory.dmp

Filesize
136KB

Download
memory/4548-21-0x00000000003E0000-0x00000000005BC000-memory.dmp

Filesize
1.9MB

Download
memory/4548-23-0x000000001B0B0000-0x000000001B0BE000-memory.dmp

Filesize
56KB

Download
memory/4548-25-0x000000001B100000-0x000000001B11C000-memory.dmp

Filesize
112KB

Download
memory/4548-26-0x000000001B5B0000-0x000000001B600000-memory.dmp

Filesize
320KB

Download
memory/4548-28-0x000000001B120000-0x000000001B138000-memory.dmp

Filesize
96KB

Download
memory/4548-30-0x000000001B0C0000-0x000000001B0CC000-memory.dmp

Filesize
48KB

Download