dcrat | 44825fbcd6990e29a1a3c36fc9645978c17dfdde5f5355b3d5aa778e8b8fadec

Analysis

max time kernel
59s
max time network
57s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 07:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SolaraB/Solara/SolaraBootstrapper.exe
Size

3.6MB
MD5

1084103f4bd706bf885d41afea903c6d
SHA1

13d1b69e8d5beb8da4a7064dba7d170d1a038659
SHA256

a79d06166220bed4b1f1db64c211e0b8ae442d053ad3428cb7bc4a802bcb0c18
SHA512

9affc2ce5813e810d686bd5f4faf70e3b4062a07da470ce8ea1214b11b078fd4c41a8c59bd49bb64505ac209b3bb91ed32ee49e8cc69617178701e6ed8390ff4
SSDEEP

98304:ZqwBaxdtHuWZIJ0iDZkTBo2UYndDXJzATh:Zqw0xdtHutJ08uTBZUYnpQ

Score

10^/10

dcrat evasion infostealer rat themida trojan

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	5048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3152	5048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	5048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3536	5048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3548	5048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	5048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4688	5048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	5048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3368	5048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3228	5048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	5048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	5048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	5048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	5048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3312	5048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	5048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	5048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	5048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	5048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	5048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	5048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3280	5048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	5048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4216	5048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3224	5048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	5048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4028	5048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	5048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	5048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	5048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4516	5048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	5048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	5048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3100	5048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	5048	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	5048	schtasks.exe

UAC bypass 3 TTPs 18 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

bridgebrowserFont.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bridgebrowserFont.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bridgebrowserFont.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bridgebrowserFont.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe	dcrat
C:\bridgeChainsvc\bridgebrowserFont.exe	dcrat
behavioral2/memory/2148-1498-0x00000000001C0000-0x000000000053E000-memory.dmp	dcrat

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

cd57e4c171d6e8f5ea8b8f824a6a7316.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ cd57e4c171d6e8f5ea8b8f824a6a7316.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cd57e4c171d6e8f5ea8b8f824a6a7316.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Idle.exeIdle.exeDCRatBuild.exeSolaraBootstrapper.exebridgebrowserFont.exeIdle.exeSolaraBootstrapper.exeWScript.exeIdle.exeIdle.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	DCRatBuild.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	bridgebrowserFont.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	Idle.exe

Executes dropped EXE 13 IoCs

Processes:

DCRatBuild.exeSolaraBootstrapper.execd57e4c171d6e8f5ea8b8f824a6a7316.exebridgebrowserFont.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exe

pid	process
1704	DCRatBuild.exe
2076	SolaraBootstrapper.exe
1520	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2148	bridgebrowserFont.exe
2100	Idle.exe
4400	Idle.exe
1424	Idle.exe
4040	Idle.exe
4232	Idle.exe
4656	Idle.exe
4664	Idle.exe
4044	Idle.exe
4312	Idle.exe

Loads dropped DLL 5 IoCs

Processes:

cd57e4c171d6e8f5ea8b8f824a6a7316.exe

pid	process
1520	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
1520	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
1520	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
1520	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
1520	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.dll	themida
behavioral2/memory/1520-1561-0x0000000180000000-0x0000000180B0D000-memory.dmp	themida
behavioral2/memory/1520-1581-0x0000000180000000-0x0000000180B0D000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 13 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

bridgebrowserFont.exeIdle.exeIdle.execd57e4c171d6e8f5ea8b8f824a6a7316.exeIdle.exeIdle.exeIdle.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bridgebrowserFont.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bridgebrowserFont.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service
T1102

Processes:

flow ioc

20 raw.githubusercontent.com
36 pastebin.com
37 pastebin.com
19 raw.githubusercontent.com
31 raw.githubusercontent.com
33 raw.githubusercontent.com
41 pastebin.com
53 pastebin.com
54 pastebin.com

flow	ioc
20	raw.githubusercontent.com
36	pastebin.com
37	pastebin.com
19	raw.githubusercontent.com
31	raw.githubusercontent.com
33	raw.githubusercontent.com
41	pastebin.com
53	pastebin.com
54	pastebin.com

Drops file in System32 directory 11 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

cd57e4c171d6e8f5ea8b8f824a6a7316.exe

pid process

1520 cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Drops file in Program Files directory 13 IoCs

Processes:

bridgebrowserFont.exe

description	ioc	process
File created	C:\Program Files\Java\jre-1.8\bin\server\RuntimeBroker.exe	bridgebrowserFont.exe
File created	C:\Program Files\Windows Portable Devices\Registry.exe	bridgebrowserFont.exe
File created	C:\Program Files (x86)\WindowsPowerShell\lsass.exe	bridgebrowserFont.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\lsass.exe	bridgebrowserFont.exe
File created	C:\Program Files\VideoLAN\VLC\e6c9b481da804f	bridgebrowserFont.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\5b884080fd4f94	bridgebrowserFont.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\wininit.exe	bridgebrowserFont.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\56085415360792	bridgebrowserFont.exe
File created	C:\Program Files\VideoLAN\VLC\OfficeClickToRun.exe	bridgebrowserFont.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe	bridgebrowserFont.exe
File created	C:\Program Files (x86)\WindowsPowerShell\6203df4a6bafc7	bridgebrowserFont.exe
File created	C:\Program Files\Java\jre-1.8\bin\server\9e8d7a4ca61bd9	bridgebrowserFont.exe
File created	C:\Program Files\Windows Portable Devices\ee2ad38f3d4382	bridgebrowserFont.exe

Drops file in Windows directory 6 IoCs

Processes:

bridgebrowserFont.exe

description	ioc	process
File created	C:\Windows\addins\MoUsoCoreWorker.exe	bridgebrowserFont.exe
File created	C:\Windows\addins\1f93f77a7f4778	bridgebrowserFont.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\explorer.exe	bridgebrowserFont.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\7a0fd90576e088	bridgebrowserFont.exe
File created	C:\Windows\Migration\WTR\spoolsv.exe	bridgebrowserFont.exe
File created	C:\Windows\Migration\WTR\f3b6ecef712a24	bridgebrowserFont.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 8 IoCs

Processes:

bridgebrowserFont.exeIdle.exeIdle.exeIdle.exeIdle.exemspaint.exeIdle.exeDCRatBuild.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	bridgebrowserFont.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	DCRatBuild.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
3312	schtasks.exe
4656	schtasks.exe
4632	schtasks.exe
1624	schtasks.exe
2956	schtasks.exe
5056	schtasks.exe
1484	schtasks.exe
1108	schtasks.exe
4736	schtasks.exe
2028	schtasks.exe
4688	schtasks.exe
1600	schtasks.exe
3224	schtasks.exe
4880	schtasks.exe
4740	schtasks.exe
3280	schtasks.exe
3100	schtasks.exe
3548	schtasks.exe
4488	schtasks.exe
3536	schtasks.exe
2032	schtasks.exe
2904	schtasks.exe
2240	schtasks.exe
4556	schtasks.exe
4504	schtasks.exe
1196	schtasks.exe
3152	schtasks.exe
4412	schtasks.exe
2832	schtasks.exe
4216	schtasks.exe
4028	schtasks.exe
4516	schtasks.exe
2652	schtasks.exe
3368	schtasks.exe
3228	schtasks.exe
3772	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

SolaraBootstrapper.exebridgebrowserFont.execd57e4c171d6e8f5ea8b8f824a6a7316.exeIdle.exeIdle.exeIdle.exeIdle.exemspaint.exeIdle.exe

pid	process
2076	SolaraBootstrapper.exe
2076	SolaraBootstrapper.exe
2148	bridgebrowserFont.exe
2148	bridgebrowserFont.exe
2148	bridgebrowserFont.exe
2148	bridgebrowserFont.exe
2148	bridgebrowserFont.exe
2148	bridgebrowserFont.exe
2148	bridgebrowserFont.exe
2148	bridgebrowserFont.exe
1520	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
1520	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
1520	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2100	Idle.exe
1520	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
1520	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
1520	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
1520	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
4400	Idle.exe
1424	Idle.exe
4656	Idle.exe
1840	mspaint.exe
1840	mspaint.exe
4044	Idle.exe
4044	Idle.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

SolaraBootstrapper.exebridgebrowserFont.execd57e4c171d6e8f5ea8b8f824a6a7316.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exe

description	pid	process
Token: SeDebugPrivilege	2076	SolaraBootstrapper.exe
Token: SeDebugPrivilege	2148	bridgebrowserFont.exe
Token: SeDebugPrivilege	1520	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Token: SeDebugPrivilege	2100	Idle.exe
Token: SeDebugPrivilege	4400	Idle.exe
Token: SeDebugPrivilege	1424	Idle.exe
Token: SeDebugPrivilege	4232	Idle.exe
Token: SeDebugPrivilege	4040	Idle.exe
Token: SeDebugPrivilege	4656	Idle.exe
Token: SeDebugPrivilege	4664	Idle.exe
Token: SeDebugPrivilege	4044	Idle.exe
Token: SeDebugPrivilege	4312	Idle.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

mspaint.exeOpenWith.exe

pid process

1840 mspaint.exe
4880 OpenWith.exe

pid	process
1840	mspaint.exe
4880	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

SolaraBootstrapper.exeDCRatBuild.exeSolaraBootstrapper.exeWScript.execmd.exebridgebrowserFont.execmd.exeIdle.execmd.exeWScript.exeIdle.execmd.exeIdle.exeWScript.execmd.exeWScript.exeIdle.exe

description	pid	process	target process
PID 2396 wrote to memory of 1704	2396	SolaraBootstrapper.exe	DCRatBuild.exe
PID 2396 wrote to memory of 1704	2396	SolaraBootstrapper.exe	DCRatBuild.exe
PID 2396 wrote to memory of 1704	2396	SolaraBootstrapper.exe	DCRatBuild.exe
PID 2396 wrote to memory of 2076	2396	SolaraBootstrapper.exe	SolaraBootstrapper.exe
PID 2396 wrote to memory of 2076	2396	SolaraBootstrapper.exe	SolaraBootstrapper.exe
PID 2396 wrote to memory of 2076	2396	SolaraBootstrapper.exe	SolaraBootstrapper.exe
PID 1704 wrote to memory of 4316	1704	DCRatBuild.exe	WScript.exe
PID 1704 wrote to memory of 4316	1704	DCRatBuild.exe	WScript.exe
PID 1704 wrote to memory of 4316	1704	DCRatBuild.exe	WScript.exe
PID 2076 wrote to memory of 1520	2076	SolaraBootstrapper.exe	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
PID 2076 wrote to memory of 1520	2076	SolaraBootstrapper.exe	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
PID 4316 wrote to memory of 2160	4316	WScript.exe	cmd.exe
PID 4316 wrote to memory of 2160	4316	WScript.exe	cmd.exe
PID 4316 wrote to memory of 2160	4316	WScript.exe	cmd.exe
PID 2160 wrote to memory of 2148	2160	cmd.exe	bridgebrowserFont.exe
PID 2160 wrote to memory of 2148	2160	cmd.exe	bridgebrowserFont.exe
PID 2148 wrote to memory of 868	2148	bridgebrowserFont.exe	cmd.exe
PID 2148 wrote to memory of 868	2148	bridgebrowserFont.exe	cmd.exe
PID 868 wrote to memory of 4292	868	cmd.exe	w32tm.exe
PID 868 wrote to memory of 4292	868	cmd.exe	w32tm.exe
PID 868 wrote to memory of 2100	868	cmd.exe	Idle.exe
PID 868 wrote to memory of 2100	868	cmd.exe	Idle.exe
PID 2100 wrote to memory of 1080	2100	Idle.exe	WScript.exe
PID 2100 wrote to memory of 1080	2100	Idle.exe	WScript.exe
PID 2100 wrote to memory of 836	2100	Idle.exe	WScript.exe
PID 2100 wrote to memory of 836	2100	Idle.exe	WScript.exe
PID 2100 wrote to memory of 3736	2100	Idle.exe	cmd.exe
PID 2100 wrote to memory of 3736	2100	Idle.exe	cmd.exe
PID 3736 wrote to memory of 2416	3736	cmd.exe	w32tm.exe
PID 3736 wrote to memory of 2416	3736	cmd.exe	w32tm.exe
PID 1080 wrote to memory of 4400	1080	WScript.exe	Idle.exe
PID 1080 wrote to memory of 4400	1080	WScript.exe	Idle.exe
PID 4400 wrote to memory of 1472	4400	Idle.exe	WScript.exe
PID 4400 wrote to memory of 1472	4400	Idle.exe	WScript.exe
PID 4400 wrote to memory of 3580	4400	Idle.exe	WScript.exe
PID 4400 wrote to memory of 3580	4400	Idle.exe	WScript.exe
PID 4400 wrote to memory of 4312	4400	Idle.exe	cmd.exe
PID 4400 wrote to memory of 4312	4400	Idle.exe	cmd.exe
PID 4312 wrote to memory of 4556	4312	cmd.exe	w32tm.exe
PID 4312 wrote to memory of 4556	4312	cmd.exe	w32tm.exe
PID 3736 wrote to memory of 1424	3736	cmd.exe	Idle.exe
PID 3736 wrote to memory of 1424	3736	cmd.exe	Idle.exe
PID 1424 wrote to memory of 440	1424	Idle.exe	WScript.exe
PID 1424 wrote to memory of 440	1424	Idle.exe	WScript.exe
PID 1424 wrote to memory of 2912	1424	Idle.exe	WScript.exe
PID 1424 wrote to memory of 2912	1424	Idle.exe	WScript.exe
PID 4312 wrote to memory of 4040	4312	cmd.exe	Idle.exe
PID 4312 wrote to memory of 4040	4312	cmd.exe	Idle.exe
PID 1472 wrote to memory of 4232	1472	WScript.exe	Idle.exe
PID 1472 wrote to memory of 4232	1472	WScript.exe	Idle.exe
PID 1424 wrote to memory of 2496	1424	Idle.exe	cmd.exe
PID 1424 wrote to memory of 2496	1424	Idle.exe	cmd.exe
PID 2496 wrote to memory of 2076	2496	cmd.exe	w32tm.exe
PID 2496 wrote to memory of 2076	2496	cmd.exe	w32tm.exe
PID 440 wrote to memory of 4656	440	WScript.exe	Idle.exe
PID 440 wrote to memory of 4656	440	WScript.exe	Idle.exe
PID 4656 wrote to memory of 5084	4656	Idle.exe	WScript.exe
PID 4656 wrote to memory of 5084	4656	Idle.exe	WScript.exe
PID 4656 wrote to memory of 4688	4656	Idle.exe	WScript.exe
PID 4656 wrote to memory of 4688	4656	Idle.exe	WScript.exe
PID 2496 wrote to memory of 4664	2496	cmd.exe	Idle.exe
PID 2496 wrote to memory of 4664	2496	cmd.exe	Idle.exe
PID 4656 wrote to memory of 4632	4656	Idle.exe	cmd.exe
PID 4656 wrote to memory of 4632	4656	Idle.exe	cmd.exe

System policy modification 1 TTPs 18 IoCs

evasion

Modify Registry

T1112

Processes:

bridgebrowserFont.exeIdle.exeIdle.exeIdle.exeIdle.exeIdle.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	bridgebrowserFont.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	bridgebrowserFont.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	bridgebrowserFont.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Idle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Idle.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\SolaraB\Solara\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB\Solara\SolaraBootstrapper.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2396

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgeChainsvc\ynBPrYHpb0rGVZHVTyIGwU9XZ.vbe"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\bridgeChainsvc\nDhZWkZlJyEO.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2160

C:\bridgeChainsvc\bridgebrowserFont.exe
"C:\bridgeChainsvc\bridgebrowserFont.exe"
5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2148

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TQCIBmL527.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:4292

C:\Users\Admin\Saved Games\Idle.exe
"C:\Users\Admin\Saved Games\Idle.exe"
7⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2100

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e13df84e-abd8-435a-80b2-067ec8c16492.vbs"
8⤵
- Suspicious use of WriteProcessMemory
PID:1080

C:\Users\Admin\Saved Games\Idle.exe
"C:\Users\Admin\Saved Games\Idle.exe"
9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4400

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8218a83b-2988-4f7e-b0a9-091c7c7601ce.vbs"
10⤵
- Suspicious use of WriteProcessMemory
PID:1472

C:\Users\Admin\Saved Games\Idle.exe
"C:\Users\Admin\Saved Games\Idle.exe"
11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4232

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5457a3b6-11f7-4aff-9a1b-deeca8d7ccf4.vbs"
10⤵
PID:3580

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tA3KztjMoN.bat"
10⤵
- Suspicious use of WriteProcessMemory
PID:4312

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
11⤵
PID:4556

C:\Users\Admin\Saved Games\Idle.exe
"C:\Users\Admin\Saved Games\Idle.exe"
11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4040

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c35b61c7-f095-4b3a-98a8-3c3c907f02ed.vbs"
8⤵
PID:836

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xAFUrPKKMy.bat"
8⤵
- Suspicious use of WriteProcessMemory
PID:3736

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
9⤵
PID:2416

C:\Users\Admin\Saved Games\Idle.exe
"C:\Users\Admin\Saved Games\Idle.exe"
9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1424

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef732983-4cf3-44fb-ae2c-3f78f9d56828.vbs"
10⤵
- Suspicious use of WriteProcessMemory
PID:440

C:\Users\Admin\Saved Games\Idle.exe
"C:\Users\Admin\Saved Games\Idle.exe"
11⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4656

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83a8ff88-15e2-43a7-92a8-67387157f4ac.vbs"
12⤵
PID:5084

C:\Users\Admin\Saved Games\Idle.exe
"C:\Users\Admin\Saved Games\Idle.exe"
13⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4044

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a4fee81-79a5-47e3-bd4d-5f165f1e0f2e.vbs"
14⤵
PID:1720

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9070fd1-e6e5-41cc-848e-45bae0ca6d78.vbs"
14⤵
PID:4844

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d8a7fe9-dbb2-48eb-a0f8-96911f97ad45.vbs"
12⤵
PID:4688

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat"
12⤵
PID:4632

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
13⤵
PID:1928

C:\Users\Admin\Saved Games\Idle.exe
"C:\Users\Admin\Saved Games\Idle.exe"
13⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4312

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b65bcc87-431a-4f9f-a16f-97537da1f799.vbs"
10⤵
PID:2912

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fjnbjzFmbP.bat"
10⤵
- Suspicious use of WriteProcessMemory
PID:2496

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
11⤵
PID:2076

C:\Users\Admin\Saved Games\Idle.exe
"C:\Users\Admin\Saved Games\Idle.exe"
11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4664

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2076

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe
"C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jre-1.8\bin\server\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\bin\server\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jre-1.8\bin\server\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Saved Games\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Saved Games\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 7 /tr "'C:\Windows\addins\MoUsoCoreWorker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Windows\addins\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 10 /tr "'C:\Windows\addins\MoUsoCoreWorker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\RemotePackages\RemoteDesktops\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\RemotePackages\RemoteDesktops\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\Migration\WTR\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\Migration\WTR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3360

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\ConvertUpdate.jpeg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1840

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:3928

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4880

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Idle.exe.log
Filesize
1KB

MD5
4a667f150a4d1d02f53a9f24d89d53d1

SHA1
306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97

SHA256
414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd

SHA512
4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7a4fee81-79a5-47e3-bd4d-5f165f1e0f2e.vbs
Filesize
711B

MD5
5471f73c6c2b50c48d60354989750557

SHA1
64ad1a391e3e6ee25e4a025401447f0860b31f58

SHA256
2c6cd55dc17c2e0497026a3dbde4706ec59396eaed909953d62f689e0e63d232

SHA512
2d5b02755b53cb190854b8cded2168625d7954b572dce0c636257a8210cb8a3d0c1394e6fc4ed47e45daaf9472d213c779b96c62f1f41e7b2eeb849bc5661b64

Download Submit
C:\Users\Admin\AppData\Local\Temp\8218a83b-2988-4f7e-b0a9-091c7c7601ce.vbs
Filesize
711B

MD5
48761047e736ccf9f9348beba25f16d6

SHA1
fcb595d6bbcc2506b9eec9e76c6e22fde202f89f

SHA256
fbd88ad24b723decf2250c003535c75c6745a92dc27394c5c3cd0885e53842c3

SHA512
aa26786e764d69d8d2c397178ba2b456771d6190463c44a669319a66786e4dbc282c0c29bc49466d67775462439eea4cf9f2fd8203f4499a953016a02c5ad395

Download Submit
C:\Users\Admin\AppData\Local\Temp\83a8ff88-15e2-43a7-92a8-67387157f4ac.vbs
Filesize
711B

MD5
412020e434bfaf49090f75df5d563290

SHA1
181448ec97b5d621560913376aa662e44499222a

SHA256
cc43433000044c32712e20d252ececa798d0b3a367eeed8bb1d87d1980d23144

SHA512
7ee7b6a5d1d6b3a9b04e9a603ee874d7719b4f3f7fd0e525248cf4e92e1235e2bdd0536e20c80c1a5b5c8291bc1ae2cdb8d7f308adaf04d1a55312cb85882abf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
Filesize
3.8MB

MD5
ac7ea6f1952a9c6ffded545097f283e2

SHA1
1fb8cc03c0f6492ada6d85efc02050bff041398a

SHA256
1b11cc0e9e5b2805295211c1511687fb909c349bcfe5b98a705dd18820b89704

SHA512
964c000d6ad3e7a74ca1123e230bb4ce79b19cacb6195b8728d791081ca6fd2ac0b483ed0ccee7e43fa19a566de6943f88a8274946eb4f795a33f4a622a586ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Microsoft.Web.WebView2.Core.dll
Filesize
488KB

MD5
851fee9a41856b588847cf8272645f58

SHA1
ee185a1ff257c86eb19d30a191bf0695d5ac72a1

SHA256
5e7faee6b8230ca3b97ce9542b914db3abbbd1cb14fd95a39497aaad4c1094ca

SHA512
cf5c70984cf33e12cf57116da1f282a5bd6433c570831c185253d13463b0b9a0b9387d4d1bf4dddab3292a5d9ba96d66b6812e9d7ebc5eb35cb96eea2741348f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Microsoft.Web.WebView2.WinForms.dll
Filesize
37KB

MD5
4cf94ffa50fd9bdc0bb93cceaede0629

SHA1
3e30eca720f4c2a708ec53fd7f1ba9e778b4f95f

SHA256
50b2e46c99076f6fa9c33e0a98f0fe3a2809a7c647bb509066e58f4c7685d7e6

SHA512
dc400518ef2f68920d90f1ce66fbb8f4dde2294e0efeecd3d9329aa7a66e1ab53487b120e13e15f227ea51784f90208c72d7fbfa9330d9b71dd9a1a727d11f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Microsoft.Web.WebView2.Wpf.dll
Filesize
43KB

MD5
34ec990ed346ec6a4f14841b12280c20

SHA1
6587164274a1ae7f47bdb9d71d066b83241576f0

SHA256
1e987b22cd011e4396a0805c73539586b67df172df75e3dded16a77d31850409

SHA512
b565015ca4b11b79ecbc8127f1fd40c986948050f1caefdd371d34ed2136af0aabf100863dc6fd16d67e3751d44ee13835ea9bf981ac0238165749c4987d1ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\get-intrinsic\.nycrc
Filesize
139B

MD5
d0104f79f0b4f03bbcd3b287fa04cf8c

SHA1
54f9d7adf8943cb07f821435bb269eb4ba40ccc2

SHA256
997785c50b0773e5e18bf15550fbf57823c634fefe623cd37b3c83696402ad0a

SHA512
daf9b5445cfc02397f398adfa0258f2489b70699dfec6ca7e5b85afe5671fdcabe59edee332f718f5e5778feb1e301778dffe93bb28c1c0914f669659bad39c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\has-proto\.eslintrc
Filesize
43B

MD5
c28b0fe9be6e306cc2ad30fe00e3db10

SHA1
af79c81bd61c9a937fca18425dd84cdf8317c8b9

SHA256
0694050195fc694c5846b0a2a66b437ac775da988f0a779c55fb892597f7f641

SHA512
e3eca17804522ffa4f41e836e76e397a310a20e8261a38115b67e8b644444153039d04198fb470f45be2997d2c7a72b15bd4771a02c741b3cbc072ea6ef432e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\hasown\.nycrc
Filesize
216B

MD5
c2ab942102236f987048d0d84d73d960

SHA1
95462172699187ac02eaec6074024b26e6d71cff

SHA256
948366fea3b423a46366326d0bb2e54b08abd1cf0b243678ba6625740c40da5a

SHA512
e36b20c16ceeb090750f3865efc8d7fd983ae4e8b41c30cc3865d2fd4925bf5902627e1f1ed46c0ff2453f076ef9de34be899ef57754b29cd158440071318479

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\vary\LICENSE
Filesize
1KB

MD5
13babc4f212ce635d68da544339c962b

SHA1
4881ad2ec8eb2470a7049421047c6d076f48f1de

SHA256
bd47ce7b88c7759630d1e2b9fcfa170a0f1fde522be09e13fb1581a79d090400

SHA512
40e30174433408e0e2ed46d24373b12def47f545d9183b7bce28d4ddd8c8bb528075c7f20e118f37661db9f1bba358999d81a14425eb3e0a4a20865dfcb53182

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Newtonsoft.Json.dll
Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\WebView2Loader.dll
Filesize
133KB

MD5
a0bd0d1a66e7c7f1d97aedecdafb933f

SHA1
dd109ac34beb8289030e4ec0a026297b793f64a3

SHA256
79d7e45f8631e8d2541d01bfb5a49a3a090be72b3d465389a2d684680fee2e36

SHA512
2a50ae5c7234a44b29f82ebc2e3cfed37bf69294eb00b2dc8905c61259975b2f3a059c67aeab862f002752454d195f7191d9b82b056f6ef22d6e1b0bb3673d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Wpf.Ui.dll
Filesize
5.2MB

MD5
aead90ab96e2853f59be27c4ec1e4853

SHA1
43cdedde26488d3209e17efff9a51e1f944eb35f

SHA256
46cfbe804b29c500ebc0b39372e64c4c8b4f7a8e9b220b5f26a9adf42fcb2aed

SHA512
f5044f2ee63906287460b9adabfcf3c93c60b51c86549e33474c4d7f81c4f86cd03cd611df94de31804c53006977874b8deb67c4bf9ea1c2b70c459b3a44b38d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\bin\path.txt
Filesize
34B

MD5
0e2184f1c7464b6617329fb18f107b4f

SHA1
6f22f98471e33c9db10d6f6f1728e98852e25b8f

SHA256
dbf5f44e1b84a298dbbcad3c31a617d2f6cfa08eb5d16e05a5c28726c574d4eb

SHA512
8e745c0215d52e15702551f29efb882a5eba97b5f279ccc29293b1a9b1b8661bf71b548569f9a99fa35c35a15d1b6b288d3c381c1292418c36dc89e2fa0b3a37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.dll
Filesize
4.2MB

MD5
f71b342220b8f8935abe5ea0b1e5f30c

SHA1
a70d41dbc456d548e790af717575b1f83e3f38b5

SHA256
dec8c51c89452b183201e58e4cfceffb0924c4c1f7729841a739086711ff021f

SHA512
d6ba2d0eecb2bd70ea727c7bd86cce75fe535e4a7688eb6fc6334e30f568d24d0b6661b8873ddb88c1bb75dbf772fae215b101545ff85e6461a2b05b85dfe05f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Filesize
90KB

MD5
d84e7f79f4f0d7074802d2d6e6f3579e

SHA1
494937256229ef022ff05855c3d410ac3e7df721

SHA256
dcfc2b4fa3185df415855ec54395d9c36612f68100d046d8c69659da01f7d227

SHA512
ed7b0ac098c8184b611b83158eaa86619001e74dba079d398b34ac694ce404ba133c2baf43051840132d6a3a089a375550072543b9fab2549d57320d13502260

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\libcurl.dll
Filesize
522KB

MD5
e31f5136d91bad0fcbce053aac798a30

SHA1
ee785d2546aec4803bcae08cdebfd5d168c42337

SHA256
ee94e2201870536522047e6d7fe7b903a63cd2e13e20c8fffc86d0e95361e671

SHA512
a1543eb1d10d25efb44f9eaa0673c82bfac5173055d04c0f3be4792984635a7c774df57a8e289f840627754a4e595b855d299070d469e0f1e637c3f35274abe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\vcruntime140.dll
Filesize
99KB

MD5
7a2b8cfcd543f6e4ebca43162b67d610

SHA1
c1c45a326249bf0ccd2be2fbd412f1a62fb67024

SHA256
7d7ca28235fba5603a7f40514a552ac7efaa67a5d5792bb06273916aa8565c5f

SHA512
e38304fb9c5af855c1134f542adf72cde159fab64385533eafa5bb6e374f19b5a29c0cb5516fc5da5c0b5ac47c2f6420792e0ac8ddff11e749832a7b7f3eb5c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\zlib1.dll
Filesize
113KB

MD5
75365924730b0b2c1a6ee9028ef07685

SHA1
a10687c37deb2ce5422140b541a64ac15534250f

SHA256
945e7f5d09938b7769a4e68f4ef01406e5af9f40db952cba05ddb3431dd1911b

SHA512
c1e31c18903e657203ae847c9af601b1eb38efa95cb5fa7c1b75f84a2cba9023d08f1315c9bb2d59b53256dfdb3bac89930252138475491b21749471adc129a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
Filesize
13KB

MD5
6557bd5240397f026e675afb78544a26

SHA1
839e683bf68703d373b6eac246f19386bb181713

SHA256
a7fecfc225dfdd4e14dcd4d1b4ba1b9f8e4d1984f1cdd8cda3a9987e5d53c239

SHA512
f2399d34898a4c0c201372d2dd084ee66a66a1c3eae949e568421fe7edada697468ef81f4fcab2afd61eaf97bcb98d6ade2d97295e2f674e93116d142e892e97

Download Submit
C:\Users\Admin\AppData\Local\Temp\TQCIBmL527.bat
Filesize
200B

MD5
b3b5ed925c7ecd79002f3dd29f0e01f1

SHA1
c951817da294b42acfa76c4d3a558df2ac55e089

SHA256
3de6992dd5afb5aa98e9f7cc79af034d00e18ce295d972f036dad548ea8ba9ab

SHA512
315f1ac2169b40332b417494d5cbb3f535b7c219aefef19b42abce83c370a51796168808ea309881a449dc81017b6130f25c3639c926e496b2a8b2779fba5c5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c35b61c7-f095-4b3a-98a8-3c3c907f02ed.vbs
Filesize
487B

MD5
4ce81cc859b3b25c344b6825a7dbce12

SHA1
1940e75e511d2326daf042c936022f758b5964f0

SHA256
585155355da6bc3f2d0830fa5b6fc118d82027a6f58fa42dcc64ff79b93fe949

SHA512
03f79305a14c1019dbb350ca5a8fbf9141fc2555450b9a411bbe1f182f0b7900c2128cfd294034b4de6d8e6f303913083e1e17d94771f921cce14bc969b6b8ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\e13df84e-abd8-435a-80b2-067ec8c16492.vbs
Filesize
711B

MD5
0f5893f7246fe44be025c9cc75181a7e

SHA1
dad989a1277b0755c0df10fab98ac86dd08ca1ab

SHA256
fa1584a7385bb0588750cd110af9c1e272b10b737744484e2b3d9edfcce347ab

SHA512
a9da85deb0dd69ad7ffbc0c2df78dac67bb3752f85fc21250fc944b4590cb94408f61ec180756bcfc33085a02667a957c6fd2ad8527ad5c51bcdbfddcb52d14e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef732983-4cf3-44fb-ae2c-3f78f9d56828.vbs
Filesize
711B

MD5
bdbd524e40e955ee5bbec1b327d796b9

SHA1
361298b120e999cfeefffdc11d4c97bc7253a5af

SHA256
2df74e9513f4a9a584005c752f2645f5c7006f477d0ad7da5ccbdc52834df086

SHA512
53ac7721c33de1831a4d1557d2291fa357cc2be9f418a9d6d6a3ccd6a9fcad8be420a236175349126c3a57dee2b4b15a5bf57a6683dff1394369182ab6bc9d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjnbjzFmbP.bat
Filesize
200B

MD5
9d916e08116f4974b147e2bf334905c3

SHA1
cada6e5bb84a60679b90d28eb5cc50ade1c4d3b8

SHA256
211222d82217c76ddf8ccc3d41a3efce1415c90d9e0d0680cd6d3dc5a5a6c6dd

SHA512
43cd986ee69c5ec42ca492fc8487af264e199de6b1cf9d439cf3ebcbc52739f6e6b3fb0bf252cc757b4e573045d213e2cf18c82e1889ca363ac254c0a3484eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat
Filesize
200B

MD5
423a749790ca69e98ca385ae0478073a

SHA1
7436de94b38a3958b0bc6550ebf9f1d92103f498

SHA256
83cb7230328b7792258678a48cd65c92261e1cc66c12e1bce100c2b49f932d76

SHA512
8b3f5d804b1e9895f034476fad322f5baf67681bcb3215abe2d712320e94e7dfdde523fe49fede410e4aba5dfdc96b756180426f156c1583ed47c9329805a261

Download Submit
C:\Users\Admin\AppData\Local\Temp\tA3KztjMoN.bat
Filesize
200B

MD5
080b1c08eb3d3e3c2d181e36e5b2a5aa

SHA1
198319923426003ac51f1702a642debd4285b635

SHA256
8f5ed1595f5cfd012cc0ca404e348b6f260eafb900b03c2277d7d764d2ca296d

SHA512
fd583d29136df07780ef1ddcbd35aba8dfe90232611440f0298c55261d4fc570a2eac1d5d47b747234ba11b4fa791e8cc784353b00d59eaf2a122f3af7437084

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAFUrPKKMy.bat
Filesize
200B

MD5
4ddb953176a81eb25406bc0899918baa

SHA1
a0121fc7f9468bc2549d73c0fd01be679400b2a1

SHA256
b16b1a8cf7be570d1fd56fd7e2bce1f0567b22a10aa99d8cf2fbbc88627be989

SHA512
385e1d0d6ff585676dcecf5152e5ccc0da169cbe4ba92ee514121ecf1e7fce557c94783e44167933ff6d3907360f8198d659477b4a82119ede83a24829666a10

Download Submit
C:\bridgeChainsvc\bridgebrowserFont.exe
Filesize
3.5MB

MD5
465620a95a01b3dec2415522ec5177a8

SHA1
54318e9baafead2d79d33b1486f7cd766dae4574

SHA256
765d071ffdca507a3d8d95077b36133051bc0177b9928cc02daddc3bd216cea3

SHA512
9ba068ddc64c7eb15eedf628eba23196ccf6a11efc1ee13de95a29477820509beff96a49c2d92207f0501f66f1bc413955e2de48bc12d81b57fa70c5bc27de27

Download Submit
C:\bridgeChainsvc\nDhZWkZlJyEO.bat
Filesize
41B

MD5
4061dbe3e62277593371c237a23a7d47

SHA1
8a5cedfa5f14dfb48d037b0aaf8b2985113b7d8e

SHA256
d80ee6aed5b1fab9709e19cfa35c071859ce80f58021d4389b0a751e6f78dd22

SHA512
cb16bfa29fe059d1d771c53bd7e3e24ecebb38044b8642ac043e052843e46c27ec3988c8a6b7ecae65b8095a33de35009512514f48762ff2bc23cbef396605cf

Download Submit
C:\bridgeChainsvc\ynBPrYHpb0rGVZHVTyIGwU9XZ.vbe
Filesize
203B

MD5
b8859a57b36802480a471ea20554a2f5

SHA1
0296f757bf7e952d7bff605bd2e0237bb13ecb59

SHA256
c30fc00d5cc6a249fa1e8179d06a8aa4c278936c8f6d8bc6ac17ad8b0a019d16

SHA512
084f06faf410869285161912ac77ab29b62a7ebfa777d2cf5c3bf51252dc875f93c847b56a22cf02ffcacff878516cad2a5869954153474d5da1e2c3d37d5b8b

Download Submit
memory/1424-1606-0x000000001BA10000-0x000000001BA22000-memory.dmp

Filesize
72KB

Download
memory/1520-1499-0x0000023FBEA60000-0x0000023FBEB1A000-memory.dmp

Filesize
744KB

Download
memory/1520-1511-0x0000023FBEA20000-0x0000023FBEA2E000-memory.dmp

Filesize
56KB

Download
memory/1520-1566-0x0000023FBF880000-0x0000023FBF8B8000-memory.dmp

Filesize
224KB

Download
memory/1520-1565-0x0000023FBEDD0000-0x0000023FBEDD8000-memory.dmp

Filesize
32KB

Download
memory/1520-1581-0x0000000180000000-0x0000000180B0D000-memory.dmp

Filesize
11.1MB

Download
memory/1520-1522-0x0000023FBF630000-0x0000023FBF6AE000-memory.dmp

Filesize
504KB

Download
memory/1520-1561-0x0000000180000000-0x0000000180B0D000-memory.dmp

Filesize
11.1MB

Download
memory/1520-1491-0x0000023FA2BC0000-0x0000023FA2BDA000-memory.dmp

Filesize
104KB

Download
memory/1520-1496-0x0000023FBEDF0000-0x0000023FBF32C000-memory.dmp

Filesize
5.2MB

Download
memory/1520-1567-0x0000023FBF850000-0x0000023FBF85E000-memory.dmp

Filesize
56KB

Download
memory/1520-1507-0x0000023FBEA30000-0x0000023FBEA52000-memory.dmp

Filesize
136KB

Download
memory/1520-1501-0x0000023FBEB20000-0x0000023FBEBD2000-memory.dmp

Filesize
712KB

Download
memory/2076-33-0x00000000057A0000-0x00000000057B2000-memory.dmp

Filesize
72KB

Download
memory/2076-30-0x00000000032A0000-0x00000000032AA000-memory.dmp

Filesize
40KB

Download
memory/2076-22-0x0000000000E60000-0x0000000000E6A000-memory.dmp

Filesize
40KB

Download
memory/2076-21-0x000000007458E000-0x000000007458F000-memory.dmp

Filesize
4KB

Download
memory/2100-1571-0x000000001AF00000-0x000000001AF56000-memory.dmp

Filesize
344KB

Download
memory/2148-1508-0x0000000002810000-0x000000000281C000-memory.dmp

Filesize
48KB

Download
memory/2148-1517-0x000000001BAC0000-0x000000001BAC8000-memory.dmp

Filesize
32KB

Download
memory/2148-1505-0x0000000002610000-0x000000000261A000-memory.dmp

Filesize
40KB

Download
memory/2148-1504-0x000000001B240000-0x000000001B256000-memory.dmp

Filesize
88KB

Download
memory/2148-1509-0x000000001B2B0000-0x000000001B2C2000-memory.dmp

Filesize
72KB

Download
memory/2148-1503-0x000000001B1F0000-0x000000001B240000-memory.dmp

Filesize
320KB

Download
memory/2148-1502-0x0000000002780000-0x000000000279C000-memory.dmp

Filesize
112KB

Download
memory/2148-1516-0x000000001BAB0000-0x000000001BAB8000-memory.dmp

Filesize
32KB

Download
memory/2148-1498-0x00000000001C0000-0x000000000053E000-memory.dmp

Filesize
3.5MB

Download
memory/2148-1512-0x000000001BF70000-0x000000001C498000-memory.dmp

Filesize
5.2MB

Download
memory/2148-1514-0x000000001BA90000-0x000000001BA9A000-memory.dmp

Filesize
40KB

Download
memory/2148-1518-0x000000001BAE0000-0x000000001BAEC000-memory.dmp

Filesize
48KB

Download
memory/2148-1515-0x000000001BAA0000-0x000000001BAAE000-memory.dmp

Filesize
56KB

Download
memory/2148-1506-0x000000001B260000-0x000000001B2B6000-memory.dmp

Filesize
344KB

Download
memory/2148-1513-0x000000001B2C0000-0x000000001B2C8000-memory.dmp

Filesize
32KB

Download
memory/3928-1641-0x00000172A73A0000-0x00000172A73B0000-memory.dmp

Filesize
64KB

Download
memory/3928-1648-0x00000172AF680000-0x00000172AF681000-memory.dmp

Filesize
4KB

Download
memory/3928-1650-0x00000172AF700000-0x00000172AF701000-memory.dmp

Filesize
4KB

Download
memory/3928-1652-0x00000172AF700000-0x00000172AF701000-memory.dmp

Filesize
4KB

Download
memory/3928-1653-0x00000172AF790000-0x00000172AF791000-memory.dmp

Filesize
4KB

Download
memory/3928-1654-0x00000172AF790000-0x00000172AF791000-memory.dmp

Filesize
4KB

Download
memory/3928-1655-0x00000172AF7A0000-0x00000172AF7A1000-memory.dmp

Filesize
4KB

Download
memory/3928-1656-0x00000172AF7A0000-0x00000172AF7A1000-memory.dmp

Filesize
4KB

Download
memory/3928-1637-0x00000172A7360000-0x00000172A7370000-memory.dmp

Filesize
64KB

Download
memory/4044-1665-0x0000000001970000-0x0000000001982000-memory.dmp

Filesize
72KB

Download
memory/4656-1625-0x00000000028F0000-0x0000000002946000-memory.dmp

Filesize
344KB

Download