96dbace7c5d636a62634f50bba7097e7ce1af45e279e8d2c7947bc40aa418e1d

Resubmissions

29/01/2024, 15:16

240129-snmrmsebam 7

29/01/2024, 15:16

240129-sng66acfb2 7

29/01/2024, 15:15

240129-sm889acfa8 3

29/01/2024, 15:11

240129-sk3npaeadm 7

Analysis

max time kernel
893s
max time network
876s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/01/2024, 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dark_Queuebot_2_1_1_1.rar
Size

116KB
MD5

33de80ac7f391390f2844ae8ae04a96d
SHA1

7aa23d55a79e90e1990262edfcf39121f0851242
SHA256

96dbace7c5d636a62634f50bba7097e7ce1af45e279e8d2c7947bc40aa418e1d
SHA512

65472e779e7b2a826bd70996af93b4cf3ef06ad6da3b150b2732cf6ae1e23385558d6c933b485eca04ca67fadade08a8f7e1d4c5b16f145af338aef6a12663e0
SSDEEP

3072:eQZQsF9bPacnhoRsRKjpjyYc7OtGPFFNYbFVUOC+gQC:ekQsFFPaxvc7OtWYpVUOC+gb

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 18 IoCs

pid	Process
4608	node.exe
5516	node.exe
5688	node.exe
5176	node.exe
5868	node.exe
3280	node.exe
5240	node.exe
5220	node.exe
5304	node.exe
5984	node.exe
5624	node.exe
4752	node.exe
2704	node.exe
3620	node.exe
5916	node.exe
852	node.exe
5768	node.exe
4752	node.exe

Loads dropped DLL 12 IoCs

pid	Process
5144	MsiExec.exe
5204	MsiExec.exe
3940	MsiExec.exe
3940	MsiExec.exe
4532	MsiExec.exe
4532	MsiExec.exe
4532	MsiExec.exe
4532	MsiExec.exe
5012	MsiExec.exe
5012	MsiExec.exe
5012	MsiExec.exe
3940	MsiExec.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
112	3960	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cmd-shim\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\xcode_ninja.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\http-proxy-agent\dist\index.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\lib\types.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\socks\build\common\constants.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\validate-npm-package-name\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\git\lib\make-error.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\minor.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\utils\is-windows-bash.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\string-width\node_modules\strip-ansi\readme.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\diff\lib\patch\parse.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\spdx-expression-parse\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\tools\README	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\lib\winchars.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\diff.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-package-arg\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\gyp	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man7\scripts.7	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-outdated.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\using-npm\logging.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\read-package-json\read-json.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-start.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\simple_copy.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-publish.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\node-gyp\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\is-core-module\core.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\wcwidth\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-registry-fetch\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\just-diff-apply\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cli-table3\src\cell.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\spdx-expression-parse\scan.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\unique-filename\coverage\__root__\index.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\mkdirp-infer-owner\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\lib\high-level-opt.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\is-cidr\index.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\lib\get-write-flag.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\ini\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\restart.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\text-table\readme.markdown	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\depd\Readme.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\bin\npm	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\wrappy\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\supports-color\license	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\colors\lib\custom\zalgo.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\concat-map\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\aproba\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tiny-relative-date\src\factory.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-team.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\gauge\node_modules\strip-ansi\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\fs.realpath\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\binary-extensions\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cidr-regex\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\is-fullwidth-code-point\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cli-columns\color.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-pack.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\is-fullwidth-code-point\license	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\promzard\example\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-root.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\pacote\lib\fetcher.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-test.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\bin.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\https-proxy-agent\dist\index.js.map	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\link.js	msiexec.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIC200.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICACB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{366E8C2E-9CE0-4306-ABBB-E32CC4C328A0}\NodeIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5314.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{366E8C2E-9CE0-4306-ABBB-E32CC4C328A0}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI720A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7537.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF817.tmp	msiexec.exe
File created	C:\Windows\Installer\e5a4ecd.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6343.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDEA3.tmp	msiexec.exe
File created	C:\Windows\Installer\e5a4ecf.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI51DA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6045.tmp	msiexec.exe
File created	C:\Windows\Installer\{366E8C2E-9CE0-4306-ABBB-E32CC4C328A0}\NodeIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\e5a4ecd.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5AC6.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000003462af5746133e160000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800003462af570000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809003462af57000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d3462af57000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000003462af5700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
1220	timeout.exe
2968	timeout.exe
5788	timeout.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	msiexec.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E2C8E6630EC96034BABB3EC24C3C820A\EnvironmentPathNode = "EnvironmentPath"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E2C8E6630EC96034BABB3EC24C3C820A\ProductName = "Node.js"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E2C8E6630EC96034BABB3EC24C3C820A\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E2C8E6630EC96034BABB3EC24C3C820A\npm	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E2C8E6630EC96034BABB3EC24C3C820A\PackageCode = "1DCA4776775559243A9E7EA47677151B"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E2C8E6630EC96034BABB3EC24C3C820A\ProductIcon = "C:\\Windows\\Installer\\{366E8C2E-9CE0-4306-ABBB-E32CC4C328A0}\\NodeIcon"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	OpenWith.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E2C8E6630EC96034BABB3EC24C3C820A\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E2C8E6630EC96034BABB3EC24C3C820A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E2C8E6630EC96034BABB3EC24C3C820A\corepack	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E2C8E6630EC96034BABB3EC24C3C820A	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E2C8E6630EC96034BABB3EC24C3C820A\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E2C8E6630EC96034BABB3EC24C3C820A\Version = "285605888"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E2C8E6630EC96034BABB3EC24C3C820A\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E2C8E6630EC96034BABB3EC24C3C820A\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E2C8E6630EC96034BABB3EC24C3C820A\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E2C8E6630EC96034BABB3EC24C3C820A\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E2C8E6630EC96034BABB3EC24C3C820A\NodeEtwSupport = "NodeRuntime"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E2C8E6630EC96034BABB3EC24C3C820A\NodeRuntime	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E2C8E6630EC96034BABB3EC24C3C820A\EnvironmentPath	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E2C8E6630EC96034BABB3EC24C3C820A\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E2C8E6630EC96034BABB3EC24C3C820A\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782\E2C8E6630EC96034BABB3EC24C3C820A	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E2C8E6630EC96034BABB3EC24C3C820A\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E2C8E6630EC96034BABB3EC24C3C820A\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E2C8E6630EC96034BABB3EC24C3C820A\DocumentationShortcuts	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E2C8E6630EC96034BABB3EC24C3C820A\EnvironmentPathNpmModules = "EnvironmentPath"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E2C8E6630EC96034BABB3EC24C3C820A\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E2C8E6630EC96034BABB3EC24C3C820A\SourceList\PackageName = "node-v17.6.0-x64.msi"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E2C8E6630EC96034BABB3EC24C3C820A\DeploymentFlags = "3"	msiexec.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\node-v17.6.0-x64.msi:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
3872	NOTEPAD.EXE
416	Notepad.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2708	powershell.exe
2708	powershell.exe
3480	msiexec.exe
3480	msiexec.exe
5960	powershell.exe
5960	powershell.exe
5960	powershell.exe
972	7zFM.exe
972	7zFM.exe
972	7zFM.exe
972	7zFM.exe
972	7zFM.exe
972	7zFM.exe
1244	powershell.exe
1244	powershell.exe
1244	powershell.exe
972	7zFM.exe
972	7zFM.exe
972	7zFM.exe
972	7zFM.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
1896	powershell.exe
1896	powershell.exe
1896	powershell.exe
1988	powershell.exe
1988	powershell.exe
1988	powershell.exe
2332	powershell.exe
2332	powershell.exe
2332	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
972	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	972	7zFM.exe
Token: 35	972	7zFM.exe
Token: SeSecurityPrivilege	972	7zFM.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	1912	firefox.exe
Token: SeDebugPrivilege	1912	firefox.exe
Token: SeDebugPrivilege	1912	firefox.exe
Token: SeShutdownPrivilege	3960	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3960	msiexec.exe
Token: SeSecurityPrivilege	3480	msiexec.exe
Token: SeCreateTokenPrivilege	3960	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3960	msiexec.exe
Token: SeLockMemoryPrivilege	3960	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3960	msiexec.exe
Token: SeMachineAccountPrivilege	3960	msiexec.exe
Token: SeTcbPrivilege	3960	msiexec.exe
Token: SeSecurityPrivilege	3960	msiexec.exe
Token: SeTakeOwnershipPrivilege	3960	msiexec.exe
Token: SeLoadDriverPrivilege	3960	msiexec.exe
Token: SeSystemProfilePrivilege	3960	msiexec.exe
Token: SeSystemtimePrivilege	3960	msiexec.exe
Token: SeProfSingleProcessPrivilege	3960	msiexec.exe
Token: SeIncBasePriorityPrivilege	3960	msiexec.exe
Token: SeCreatePagefilePrivilege	3960	msiexec.exe
Token: SeCreatePermanentPrivilege	3960	msiexec.exe
Token: SeBackupPrivilege	3960	msiexec.exe
Token: SeRestorePrivilege	3960	msiexec.exe
Token: SeShutdownPrivilege	3960	msiexec.exe
Token: SeDebugPrivilege	3960	msiexec.exe
Token: SeAuditPrivilege	3960	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3960	msiexec.exe
Token: SeChangeNotifyPrivilege	3960	msiexec.exe
Token: SeRemoteShutdownPrivilege	3960	msiexec.exe
Token: SeUndockPrivilege	3960	msiexec.exe
Token: SeSyncAgentPrivilege	3960	msiexec.exe
Token: SeEnableDelegationPrivilege	3960	msiexec.exe
Token: SeManageVolumePrivilege	3960	msiexec.exe
Token: SeImpersonatePrivilege	3960	msiexec.exe
Token: SeCreateGlobalPrivilege	3960	msiexec.exe
Token: SeCreateTokenPrivilege	3960	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3960	msiexec.exe
Token: SeLockMemoryPrivilege	3960	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3960	msiexec.exe
Token: SeMachineAccountPrivilege	3960	msiexec.exe
Token: SeTcbPrivilege	3960	msiexec.exe
Token: SeSecurityPrivilege	3960	msiexec.exe
Token: SeTakeOwnershipPrivilege	3960	msiexec.exe
Token: SeLoadDriverPrivilege	3960	msiexec.exe
Token: SeSystemProfilePrivilege	3960	msiexec.exe
Token: SeSystemtimePrivilege	3960	msiexec.exe
Token: SeProfSingleProcessPrivilege	3960	msiexec.exe
Token: SeIncBasePriorityPrivilege	3960	msiexec.exe
Token: SeCreatePagefilePrivilege	3960	msiexec.exe
Token: SeCreatePermanentPrivilege	3960	msiexec.exe
Token: SeBackupPrivilege	3960	msiexec.exe
Token: SeRestorePrivilege	3960	msiexec.exe
Token: SeShutdownPrivilege	3960	msiexec.exe
Token: SeDebugPrivilege	3960	msiexec.exe
Token: SeAuditPrivilege	3960	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3960	msiexec.exe
Token: SeChangeNotifyPrivilege	3960	msiexec.exe
Token: SeRemoteShutdownPrivilege	3960	msiexec.exe
Token: SeUndockPrivilege	3960	msiexec.exe
Token: SeSyncAgentPrivilege	3960	msiexec.exe

Suspicious use of FindShellTrayWindow 19 IoCs

pid	Process
972	7zFM.exe
972	7zFM.exe
972	7zFM.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
3960	msiexec.exe
3960	msiexec.exe
3960	msiexec.exe
3960	msiexec.exe
972	7zFM.exe
972	7zFM.exe
468	7zG.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
3960	msiexec.exe
1912	firefox.exe
1912	firefox.exe
1912	firefox.exe
5716	OpenWith.exe
5716	OpenWith.exe
5716	OpenWith.exe
5716	OpenWith.exe
5716	OpenWith.exe
5716	OpenWith.exe
5716	OpenWith.exe
5716	OpenWith.exe
5716	OpenWith.exe
5716	OpenWith.exe
5716	OpenWith.exe
5716	OpenWith.exe
5716	OpenWith.exe
5716	OpenWith.exe
5716	OpenWith.exe
5716	OpenWith.exe
5716	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 972	5104	cmd.exe	87
PID 5104 wrote to memory of 972	5104	cmd.exe	87
PID 972 wrote to memory of 3428	972	7zFM.exe	95
PID 972 wrote to memory of 3428	972	7zFM.exe	95
PID 3428 wrote to memory of 2708	3428	cmd.exe	97
PID 3428 wrote to memory of 2708	3428	cmd.exe	97
PID 2184 wrote to memory of 1912	2184	firefox.exe	102
PID 2184 wrote to memory of 1912	2184	firefox.exe	102
PID 2184 wrote to memory of 1912	2184	firefox.exe	102
PID 2184 wrote to memory of 1912	2184	firefox.exe	102
PID 2184 wrote to memory of 1912	2184	firefox.exe	102
PID 2184 wrote to memory of 1912	2184	firefox.exe	102
PID 2184 wrote to memory of 1912	2184	firefox.exe	102
PID 2184 wrote to memory of 1912	2184	firefox.exe	102
PID 2184 wrote to memory of 1912	2184	firefox.exe	102
PID 2184 wrote to memory of 1912	2184	firefox.exe	102
PID 2184 wrote to memory of 1912	2184	firefox.exe	102
PID 1912 wrote to memory of 5008	1912	firefox.exe	103
PID 1912 wrote to memory of 5008	1912	firefox.exe	103
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104
PID 1912 wrote to memory of 3168	1912	firefox.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Dark_Queuebot_2_1_1_1.rar
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Dark_Queuebot_2_1_1_1.rar"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zOCC39F608\start.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3428
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PowerShell -Command "Add-Type -AssemblyName PresentationFramework;[System.Windows.MessageBox]::Show('The bot only works with nodejs 17.6.0!')"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zOCC30941B\start.bat" "
    3⤵
    PID:5888
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PowerShell -Command "Add-Type -AssemblyName PresentationFramework;[System.Windows.MessageBox]::Show('The bot only works with nodejs 17.6.0!')"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zOCC3F114C\start.bat" "
    3⤵
    PID:5312
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PowerShell -Command "Add-Type -AssemblyName PresentationFramework;[System.Windows.MessageBox]::Show('The bot only works with nodejs 17.6.0!')"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1244

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1912.0.1633723575\11794407" -parentBuildID 20221007134813 -prefsHandle 1872 -prefMapHandle 1864 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {88d5e007-7805-492c-b839-29b5a486bd75} 1912 "\\.\pipe\gecko-crash-server-pipe.1912" 1960 1ebe90d5758 gpu
    3⤵
    PID:5008
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1912.1.1922826890\111871268" -parentBuildID 20221007134813 -prefsHandle 2332 -prefMapHandle 2328 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {72cd6936-8793-408a-9d00-4f83c9043a84} 1912 "\\.\pipe\gecko-crash-server-pipe.1912" 2360 1ebe8c33558 socket
    3⤵
    PID:3168
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1912.2.1658036990\481195323" -childID 1 -isForBrowser -prefsHandle 3036 -prefMapHandle 2972 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1364 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {56473253-2ba5-4138-ab94-3553b6e0ac82} 1912 "\\.\pipe\gecko-crash-server-pipe.1912" 3144 1ebed0a9058 tab
    3⤵
    PID:4152
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1912.3.1004947133\1768756526" -childID 2 -isForBrowser -prefsHandle 3504 -prefMapHandle 1200 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1364 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {49b39081-74a8-4543-9648-289f772414f6} 1912 "\\.\pipe\gecko-crash-server-pipe.1912" 2504 1ebeb7cf158 tab
    3⤵
    PID:780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1912.4.1012021549\371917199" -childID 3 -isForBrowser -prefsHandle 3928 -prefMapHandle 3924 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1364 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1440bde3-dd67-493a-883f-87f3ba05c310} 1912 "\\.\pipe\gecko-crash-server-pipe.1912" 3940 1ebdc862858 tab
    3⤵
    PID:1252
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1912.5.1656552868\2068491891" -childID 4 -isForBrowser -prefsHandle 4852 -prefMapHandle 4440 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1364 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b990973-c7de-4908-997c-fe43dc135986} 1912 "\\.\pipe\gecko-crash-server-pipe.1912" 4872 1ebef438a58 tab
    3⤵
    PID:4236
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1912.7.1372932781\1059719220" -childID 6 -isForBrowser -prefsHandle 5416 -prefMapHandle 5412 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1364 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a322657a-2e8c-4c4d-8a0a-a0476ea30795} 1912 "\\.\pipe\gecko-crash-server-pipe.1912" 5424 1ebebf4fe58 tab
    3⤵
    PID:5100
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1912.6.1998461206\934399022" -childID 5 -isForBrowser -prefsHandle 5084 -prefMapHandle 3004 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1364 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5384a9ab-d177-4d9d-8624-9570eb2b991d} 1912 "\\.\pipe\gecko-crash-server-pipe.1912" 2864 1ebebf28058 tab
    3⤵
    PID:5028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1912.8.463786415\233966075" -childID 7 -isForBrowser -prefsHandle 5868 -prefMapHandle 5916 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1364 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed6b3a9b-787e-4dca-8dbd-9f466c7d6ea1} 1912 "\\.\pipe\gecko-crash-server-pipe.1912" 5936 1ebdc86fe58 tab
    3⤵
    PID:2640
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1912.9.887383411\673213856" -childID 8 -isForBrowser -prefsHandle 2788 -prefMapHandle 4940 -prefsLen 26460 -prefMapSize 233444 -jsInitHandle 1364 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8635e73b-d27d-41f5-b6d3-a1b49a19309a} 1912 "\\.\pipe\gecko-crash-server-pipe.1912" 4768 1ebefbf1e58 tab
    3⤵
    PID:3272
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1912.10.965249491\1335043892" -childID 9 -isForBrowser -prefsHandle 4892 -prefMapHandle 6872 -prefsLen 27492 -prefMapSize 233444 -jsInitHandle 1364 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {766e81b0-e440-4290-8e7f-aa2ac12df100} 1912 "\\.\pipe\gecko-crash-server-pipe.1912" 4896 1ebdc85be58 tab
    3⤵
    PID:5996

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\node-v17.6.0-x64.msi"
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3960

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3480
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 2BA0F2A82BD1FC3129D6921912B648D0 C
  2⤵
  - Loads dropped DLL
  PID:5144
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9B284B4B2488B9D44B57EC2C3E7D1ED7 C
  2⤵
  - Loads dropped DLL
  PID:5204
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4884
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 39A1F190A4672AE4237D2112008DCBC6
  2⤵
  - Loads dropped DLL
  PID:3940
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4DFEB65D667898661BCB1A6D4FBBC86A
  2⤵
  - Loads dropped DLL
  PID:4532
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5E5E2F66402465EE52F63FB44D923248 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:5012
- - C:\Windows\SysWOW64\wevtutil.exe
    "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man"
    3⤵
    PID:4756
  - - C:\Windows\System32\wevtutil.exe
      "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man" /fromwow64
      4⤵
      PID:5852

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:5440

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:4644
- C:\Program Files\nodejs\node.exe
  node
  2⤵
  - Executes dropped EXE
  PID:4608

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5624

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Dark_Queuebot_2_1_1_1\" -spe -an -ai#7zMap5380:122:7zEvent650
1⤵
- Suspicious use of FindShellTrayWindow
PID:468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Dark_Queuebot_2_1_1_1\dark_queuebot\start.bat" "
1⤵
PID:5012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Add-Type -AssemblyName PresentationFramework;[System.Windows.MessageBox]::Show('The bot only works with nodejs 17.6.0!')"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:732
- C:\Program Files\nodejs\node.exe
  node -v
  2⤵
  - Executes dropped EXE
  PID:5516
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CALL "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-cli.js" prefix -g
  2⤵
  PID:3748
- - C:\Program Files\nodejs\node.exe
    "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-cli.js" prefix -g
    3⤵
    - Executes dropped EXE
    PID:5688
- C:\Program Files\nodejs\node.exe
  "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-cli.js" i
  2⤵
  - Executes dropped EXE
  PID:5176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Dark_Queuebot_2_1_1_1\dark_queuebot\start.bat" "
1⤵
PID:3732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Add-Type -AssemblyName PresentationFramework;[System.Windows.MessageBox]::Show('The bot only works with nodejs 17.6.0!')"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1896
- C:\Program Files\nodejs\node.exe
  node -v
  2⤵
  - Executes dropped EXE
  PID:5868
- C:\Program Files\nodejs\node.exe
  node --no-deprecation --no-warnings index.js
  2⤵
  - Executes dropped EXE
  PID:3280
- C:\Windows\system32\timeout.exe
  timeout 60
  2⤵
  - Delays execution with timeout.exe
  PID:1220
- C:\Program Files\nodejs\node.exe
  node --no-deprecation --no-warnings index.js
  2⤵
  - Executes dropped EXE
  PID:5240
- C:\Windows\system32\timeout.exe
  timeout 60
  2⤵
  - Delays execution with timeout.exe
  PID:2968
- C:\Program Files\nodejs\node.exe
  node --no-deprecation --no-warnings index.js
  2⤵
  - Executes dropped EXE
  PID:5220
- C:\Windows\system32\timeout.exe
  timeout 60
  2⤵
  - Delays execution with timeout.exe
  PID:5788

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\AppData\Local\Temp\Dark_Queuebot_2_1_1_1\dark_queuebot\index.js
1⤵
- Opens file in notepad (likely ransom note)
PID:416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Dark_Queuebot_2_1_1_1\dark_queuebot\start.bat" "
1⤵
PID:5356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Add-Type -AssemblyName PresentationFramework;[System.Windows.MessageBox]::Show('The bot only works with nodejs 17.6.0!')"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1988
- C:\Program Files\nodejs\node.exe
  node -v
  2⤵
  - Executes dropped EXE
  PID:5304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CALL "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-cli.js" prefix -g
  2⤵
  PID:3000
- - C:\Program Files\nodejs\node.exe
    "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-cli.js" prefix -g
    3⤵
    - Executes dropped EXE
    PID:5984
- C:\Program Files\nodejs\node.exe
  "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-cli.js" i
  2⤵
  - Executes dropped EXE
  PID:5624

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Dark_Queuebot_2_1_1_1\dark_queuebot\start.bat"
1⤵
PID:6128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Add-Type -AssemblyName PresentationFramework;[System.Windows.MessageBox]::Show('The bot only works with nodejs 17.6.0!')"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2332
- C:\Program Files\nodejs\node.exe
  node -v
  2⤵
  - Executes dropped EXE
  PID:4752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CALL "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-cli.js" prefix -g
  2⤵
  PID:4376
- - C:\Program Files\nodejs\node.exe
    "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-cli.js" prefix -g
    3⤵
    - Executes dropped EXE
    PID:2704
- C:\Program Files\nodejs\node.exe
  "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-cli.js" i
  2⤵
  - Executes dropped EXE
  PID:3620

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5716
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Dark_Queuebot_2_1_1_1\dark_queuebot\package.json
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3872

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:5612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CALL "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-cli.js" prefix -g
  2⤵
  PID:4908
- - C:\Program Files\nodejs\node.exe
    "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-cli.js" prefix -g
    3⤵
    - Executes dropped EXE
    PID:5916
- C:\Program Files\nodejs\node.exe
  "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-cli.js" install answ3r-utils
  2⤵
  - Executes dropped EXE
  PID:852
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CALL "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-cli.js" prefix -g
  2⤵
  PID:5552
- - C:\Program Files\nodejs\node.exe
    "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-cli.js" prefix -g
    3⤵
    - Executes dropped EXE
    PID:5768
- C:\Program Files\nodejs\node.exe
  "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-cli.js" install answ3r-utils axios colors discord-remote-auth discord.js glob moment node-cron node-ssh request
  2⤵
  - Executes dropped EXE
  PID:4752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5a4ece.rbs

Filesize
929KB

MD5
55e3e46544a8fc48d86415c3b68a1989

SHA1
f710fd5867b067ba588f2a2c84c741a8e39d68e5

SHA256
797df91bcda7b0d7f8046e0daaad9de746f5601a9c7fad2e7654b40aac0fd7c6

SHA512
5a1909f8534addafc072e648a5764ac42df4c24cad0c09b189a85535da32528c5d1ada8fb2213191e4c4ce06449df0801e2d00cce6719f020e5ce98f064d402c

Download Submit
C:\Program Files\nodejs\node.exe

Filesize
59.6MB

MD5
25ae6a3fbd3c0fdc9ef626c6c48a46e7

SHA1
6269731a4818000bdd7953bfd3c2d6130d28dfcf

SHA256
7b47df21d0f089efdcdf03f1596a7c53414083e84e296cad4119723fed263bab

SHA512
3239e188eb039bc2dbfa7882cf99d4fee08e8b9e212192eb136bc7c481ccd79408a08abe97bbf07aa33326948f28af2abd3fd799a4018777523d58f6e6f3dc3f

Download Submit
C:\Program Files\nodejs\node_etw_provider.man

Filesize
10KB

MD5
1d51e18a7247f47245b0751f16119498

SHA1
78f5d95dd07c0fcee43c6d4feab12d802d194d95

SHA256
1975aa34c1050b8364491394cebf6e668e2337c3107712e3eeca311262c7c46f

SHA512
1eccbe4ddae3d941b36616a202e5bd1b21d8e181810430a1c390513060ae9e3f12cd23f5b66ae0630fd6496b3139e2cc313381b5506465040e5a7a3543444e76

Download Submit
C:\Program Files\nodejs\node_etw_provider.man

Filesize
8KB

MD5
d3bc164e23e694c644e0b1ce3e3f9910

SHA1
1849f8b1326111b5d4d93febc2bafb3856e601bb

SHA256
1185aaa5af804c6bc6925f5202e68bb2254016509847cd382a015907440d86b4

SHA512
91ebff613f4c35c625bb9b450726167fb77b035666ed635acf75ca992c4846d952655a2513b4ecb8ca6f19640d57555f2a4af3538b676c3bd2ea1094c4992854

Download Submit
C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js

Filesize
56B

MD5
4e2eb14252f20eba055e03500ab8539e

SHA1
a4e63b6178ac905afe39ca3cd79516a20a57a798

SHA256
3ce7cba6f5128dd5f54c98b6a5036b0f850496878cc2e21044b675fe3c594e3e

SHA512
085031f9da657ab25df26baddb0b0c1e41ed0a8dbd297f717def0ceb04bc2ce34c143fc7bd46273a3980468be75b1314caf79e42df70c73fcac1668836bcccc4

Download Submit
C:\Program Files\nodejs\node_modules\npm\lib\cli.js

Filesize
2KB

MD5
e3e4058e9e02434504aac19f06b77ea2

SHA1
f45d339bd8b061725d5f59086c500ed6c49eb146

SHA256
2f3226e7382cbafb3d362e35914519e8cc298195eba26177229448adb7963937

SHA512
5331fffeaa5c5eb88e591e191c68451636a77538b063b3b2a6d9d19c6e30f64406355734d6961ffcffb74a23842046445009ff9bf987c0b891b38227ba37c9f8

Download Submit
C:\Program Files\nodejs\node_modules\npm\lib\utils\unsupported.js

Filesize
1KB

MD5
5e0fb7d663ac792a9d6ab10a8502bfd5

SHA1
3f3d4e2b650aef389cc72844340b5b58c8a41c96

SHA256
e3afd4e8aa44cb511917ae529f7d8bcd1a1c5832f215b03722e80c1aa82a8e90

SHA512
ec7651d0aa042b537299d6d6f9f6a1d1d5cf85f7f33e6783e5ae940c5fac57032987afb4842cb0ce8d116674bd6d9d4e881d261476e98d453f3906413dfc1c43

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\fs\LICENSE.md

Filesize
818B

MD5
2916d8b51a5cc0a350d64389bc07aef6

SHA1
c9d5ac416c1dd7945651bee712dbed4d158d09e1

SHA256
733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04

SHA512
508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE

Filesize
754B

MD5
d2cf52aa43e18fdc87562d4c1303f46a

SHA1
58fb4a65fffb438630351e7cafd322579817e5e1

SHA256
45e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0

SHA512
54e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\inflight\LICENSE

Filesize
763B

MD5
7428aa9f83c500c4a434f8848ee23851

SHA1
166b3e1c1b7d7cb7b070108876492529f546219f

SHA256
1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7

SHA512
c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmaccess\LICENSE

Filesize
730B

MD5
072ac9ab0c4667f8f876becedfe10ee0

SHA1
0227492dcdc7fb8de1d14f9d3421c333230cf8fe

SHA256
2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013

SHA512
f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minipass\LICENSE

Filesize
771B

MD5
1d7c74bcd1904d125f6aff37749dc069

SHA1
21e6dfe0fffc2f3ec97594aa261929a3ea9cf2ab

SHA256
24b8d53712087b867030d18f2bd6d1a72c78f9fb4dee0ce025374da25e4443b9

SHA512
b5ac03addd29ba82fc05eea8d8d09e0f2fa9814d0dd619c2f7b209a67d95b538c3c2ff70408641ef3704f6a14e710e56f4bf57c2bb3f8957ba164f28ee591778

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\LICENSE

Filesize
780B

MD5
b020de8f88eacc104c21d6e6cacc636d

SHA1
20b35e641e3a5ea25f012e13d69fab37e3d68d6b

SHA256
3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706

SHA512
4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\npm-pick-manifest\LICENSE.md

Filesize
771B

MD5
e9dc66f98e5f7ff720bf603fff36ebc5

SHA1
f2b428eead844c4bf39ca0d0cf61f6b10aeeb93b

SHA256
b49c8d25a8b57fa92b2902d09c4b8a809157ee32fc10d17b7dbb43c4a8038f79

SHA512
8027d65e1556511c884cb80d3c1b846fc9d321f3f83002664ad3805c4dee8e6b0eaf1db81c459153977bdbde9e760b0184ba6572f68d78c37bff617646bcfc3b

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\semver\classes\semver.js

Filesize
8KB

MD5
ecf3b5b6f3941f2b59a1d1a944566c36

SHA1
8bd5393ffb0884904911c137dbe3a5d0ad5fe3f8

SHA256
0b150ef58ede82cb37a169c3dd0a89698ca5eacfbd7e02ebfe63337f0788d3c8

SHA512
f59a9f780e473de11977552c416786c823417d4e1b2a7f6f82e3117f29c83a2659d4c1014efb4972aa45fa7d23d8ccc300e3cb9bd3140a56b54568dbd03a5f8b

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\clean.js

Filesize
197B

MD5
14c2560ea14655f5f34da1dd66dc4d2e

SHA1
de91f9932543d53b57271de75c1dcfa3e58fe559

SHA256
7eb5a0f92108c86d1b710b5e81d93c20394887dc87a2b74744fb63dbad56ce0a

SHA512
6b345c0b3c37000e608925e989d4927e3cf8ae2f6fa871a307d7c505fa8167fd2dac39b06c3edafe15a298cfd13410f8f6349ff3ebedb7c32a7fb8c43fa75caa

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\diff.js

Filesize
657B

MD5
9b7791c9d2c40ae6b3d7988cd072dc39

SHA1
a2d5ed539fbf370be7616935d45309611a017fbb

SHA256
099509db3a7b02143e0fa80e412d6b0ab5c3db6deb49ce6ab0fae1a4b995ec3c

SHA512
2c66b73655d3834c28c64bf53956a547a609d4ccbd3e36063bcb44bfe14b71686b5cfcf355987401b15cbe4c1e79a22d5654311b8d2a5ca394cd38205f982065

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\inc.js

Filesize
351B

MD5
34bfa96f5502c1d67bb451e5488d0411

SHA1
1478f55b56e5db38ba5b2032c1ff0107dc658853

SHA256
f6b7f26d077bff526b90ed3c5f13c627fde242a4f1be89a8444aad82ed244465

SHA512
e6de1aecae1ba55cc387f85845fa5b2c8c9b90a90b1c5f1a5fdfefd985de24acb2b9fa440a96c5fd55e7492b5883c496e7ddaa813f80e917d3d04d0d3fca0816

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\parse.js

Filesize
693B

MD5
617f43bfc52c11355c4914dc9aa1aaab

SHA1
25b204de897e1f09e5dc9106ea3072df0ff57069

SHA256
c39dde11ebb3486613c3d4fda0e4d2638d361c2ca196d276368b48a3c4d3fe42

SHA512
67c9b713fbad443c1594c0efba60c860d5f38c95408658b1c3eff096f9d203cb8a979cae3aebae53063f0e57e198b016c4164889d4db5320139047dd152d2048

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\valid.js

Filesize
168B

MD5
fc7283ee28a91d78c8e336e34115a423

SHA1
bc78998bd04ce27fd79dd5585ea9d9858fb929cb

SHA256
cc754d3b632ef37a372efa2c98125fa72305a8188c0af4178e7bf52fe65b81d8

SHA512
1e07b012b3fee99e807cceaa20413f5a631871a7d8ef73544f943c3fb8a7f1732f186e9c29715605bc353c21ae39b9dbca5fdc1a02d1769325b40ab992ad8bc4

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\semver\index.js

Filesize
1KB

MD5
42ffbbb317e1f2f5f5ea28aa78c352f7

SHA1
f668bbb57b3b61e4ee44e9bc1015d6fc81137e23

SHA256
db30dd520ee8a8b215171a342f5d50fd18f3204076db90a6290bfaaaa8dcb996

SHA512
3b68f161da8b4a671c6de13c960c1c0b79f7caf9bbdca7de6316e9e8fa50e929075eaebfe5d89fab816b21c147d129bdbb4bd7529dee34d79e5c03eee41e9a7d

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\semver\internal\constants.js

Filesize
485B

MD5
e9c9b3bf5d440042df668150883f0c1b

SHA1
9db2e65aeff72e61a99432f00938b8c53e98e9e5

SHA256
d4747881ac7eef2f2a22785d652d47bbf8acd07be31d050a54b64a2f10c76a76

SHA512
93eb9887965c929fc862e3eecaed116c583b1683a8b490ee8688b131a57ce539572770b2fa0ae2d86df295e6bb2adbb9b47b125c9ca0b2e92f1c9e494bcda757

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\semver\internal\debug.js

Filesize
235B

MD5
f7359037c8be03092ca942dec4fb867a

SHA1
3cd23bbd192084c08b9bca4d7c7874baa1198751

SHA256
804aa8e68b8e54c523e260c311d590e6308fa312517696b927f66f84a30f0d9e

SHA512
3c5f7fb7c9979475f17911cc312cef8e7abf7b14cbc496f8571e0fa645138b4d6ea15893b9c46a946fb22067c8d65d44123de51a60c576c21a4a2592a2b07235

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\semver\internal\identifiers.js

Filesize
432B

MD5
cbc1b9c9a344d64984f4da3b2e64f72d

SHA1
c7ef11b4290cfd7d95ba7106782517b18dd84b00

SHA256
bbb18c6662b7c9523fe656841948e8f0ca9c3bee40caab58acea91e3fae5e838

SHA512
618933abccf9a7d37bc6b25afd2c6395e1a3ab16787cc418ddd9b195478c27f35ff46bc3fa62ae042f50f5b22e396e3758f41b6ed5485432033927c0bfb1b67a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\semver\internal\parse-options.js

Filesize
412B

MD5
b3fb8e62c10f1634b7bbe45ade611c3b

SHA1
383ece33b5a4b1f395b093bec19db3e4c288d24f

SHA256
df2f5b738ffbc883a713935f5d889f8bc812cc6de861876173bd39e39ef485e0

SHA512
06c83d6111210fc3695f5622f7005fcd153dd0725454fc7ca2998910588644087b07dce138718a69e28cf2641bcfec0de862c3e6fa744977153e5b5877f3ab3d

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\semver\internal\re.js

Filesize
6KB

MD5
33ad3eea70231e16f797c66a6382fd39

SHA1
c76b69f4794cc0e8744e9f75ee5a2d33be592c6b

SHA256
a2e4a423b5c6971a4ad86e775b22a5a10bc72d3df9d5c044029eb3a983d3fc7d

SHA512
a18653bb857bd570412e6c7c2f9e417c0627f8a51b57855a125af227a5deaa41ff2df383f932d414f79151f490cf3def3ee5ff32524d7c385b9372de1451bab2

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\semver\package.json

Filesize
856B

MD5
d9067fd28dbf74269021213bbc7b6ea2

SHA1
dfa3e32fb19ebf9d4e6756f800c89881b3d7f893

SHA256
cd36a92769e0965e675fb9ddb2bc18eae18c5b2655a9dae5080d3694d7b61ef8

SHA512
c961b9f0339da58a7c1944b39b7bcb79ae27d5c1329db55dd3cb376586e41839c7d79e40331f159dc1533725ab06f5efb80559a73092137622416a5b0618263a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\string-width\license

Filesize
1KB

MD5
5ad87d95c13094fa67f25442ff521efd

SHA1
01f1438a98e1b796e05a74131e6bb9d66c9e8542

SHA256
67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec

SHA512
7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

Download Submit
C:\Program Files\nodejs\node_modules\npm\package.json

Filesize
6KB

MD5
80e14ff09e94cb204f5aef40be99e6b2

SHA1
a2a2118ba580e85b22685ccadcc32615dfe5b4df

SHA256
f68331e91f2ae8dbb0ce63346a2a38b770831126b211b7fde701ae17817e8ce0

SHA512
dda412c686fba93bc8c77d480336b84822028ce195697dc6e1d039dad39318f1440afd98aea901f742e41d363105e762caafaa33603e22c938704d0a5ea84c30

Download Submit
C:\Program Files\nodejs\npm.cmd

Filesize
483B

MD5
d5b5acb61c9bf69fb8bfc65eba28c6ab

SHA1
eebdd696f7f1aaea15ac4e10f5a6e5aa5a6aca8c

SHA256
afa68b96334ea8493bcb908743af3dbd619cf26be7b44460179abd4d75d849d2

SHA512
69483d7c5e49efdcdf054b3c5d96d9d315e436f60ef3059dd6a80472445d79068655a8a27d868e907f2ebafc49b8f638947b2fb49d42e4a9f427fec74fb58822

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.url

Filesize
167B

MD5
11928c4a2e7ef6032632971b81d9a56f

SHA1
57c0335dfc4f07354244759ea979a9a9e2fb811d

SHA256
b2803022d53f59878b418f7be8be95bacbe6de8bd97c7177e7b50c1a5c958b09

SHA512
2d0d0c7701d64281685ae42556f4e6bd680fce6d1cb493131d39ce6d8f5b66b5637ee92696ee30809bdc6736ce07a14d2da6d2759ca6e675dd660dd551e99f93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

Filesize
471B

MD5
8537ad35984e147ed0889fde515c780d

SHA1
29e03ac3b7b391c7a104dabd21bb1c1aff18bebd

SHA256
700a9839744eec28b3008e238f551cabf5bf1939b1fc1951def9ecf550a85c58

SHA512
310692913e0c5f0ac39361d6c46767914141b6a0683a5c4df25a8fdadad67064065b2064df9b9482a7462b5b6e36617909a1ce65342b9df27f4c7c35a8679754

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_CEA48AEE703922244E2530F7A011BBC6

Filesize
471B

MD5
ad5f98e09a6b2e18a30e2c9be4e94955

SHA1
2527e2184c7c70dd667ee44e0b5972f804d00965

SHA256
b11003ec4ca4def32f70e7f330997b77252f74bd1a7f147411e0e8b80e760ef3

SHA512
2f8872286f41b147d4e963fed2e4e1c4926fd3ddfad16589fce8e3cee63e1229e7994c5c610eb1ef35bd05263f27961f5b912ca103b9adb39ea646a9bc2a0447

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5

Filesize
404B

MD5
fbb45fe9ad707d4daaed79b5e53969a3

SHA1
f4f419f017bd87ecf54329d01322ea047129ef56

SHA256
94fe4ba3ac418119f869773da5e41ee034e744fd827ca4228e4dd5bc832ae62a

SHA512
169a83f8fd51947e634e1339ecd772601d78267cc4f7f2279bdc82a9cd1967418c4d7f0b06090f66712f743057ecea424c14ed7ee69bb608618b4d98443d8dbd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_CEA48AEE703922244E2530F7A011BBC6

Filesize
404B

MD5
0fba8d1924c268d300a4d111a7f6d57f

SHA1
d08ba8eb464b0611343929220f556681888d35bf

SHA256
f741776301b7a131a44f31069269081f8cc8bd06482a8d014d219f570ad40b9e

SHA512
dd4f87380c3ef2e14abf120cec33c13452f3048af3e09ea789592bd300b3c7fedd08fd1babda092daac47e120290199d58f1bfdebaa5dc6dc3db5d09c64097a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
94e865d99f07697306269702125ba932

SHA1
0163f174a13856de2a0f3394e1d80594c6ac0f0b

SHA256
6fe24bb702382039b2a689e254335733c0b468063ad6f041b33189cb805889b6

SHA512
5208e3988d4b1b4fe6a83acd45910a321e2768d7baa2c0d427ddffb20aee8be9438b946ab98b6193c0c19c0096dca8dec8f0bc3e476f07cc2f41770ed4cb0d38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dfa9158322ad17366ace2646388f227f

SHA1
8c3630bcaad04fa9d657bab052d5600e57ae2d69

SHA256
74127155a34282bc873561b0f46d1815ab396e4882bc6e768a6eaef5b6b0f000

SHA512
7b13794634813fbf63626f91d97a1747d124f435048469d99758bf7e56fab2341004d37151778f56a1bb797581a956f8b974360c13170c7c93bdf009a6596560

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
411dd0ea6d72018e5d83b22ba187fa67

SHA1
3e96104e3893bd31e1dc40f492230707d7e00ff3

SHA256
d1da84000a5e857c143064046c7713355ccf0d8fd0e0a293e523766221ac832f

SHA512
b4f29b56c0d597e27b739a5b3fe4fc44dbe9b84958f2ac73c01a5e254564f86b05624fbb97cec1932617b76d8d623a58a9e5925d22156f2f1acf4a9023ec71f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
52a7af18bb2f10f88243fefae79f778b

SHA1
9df95234c843c4b1ebd02ed45c5c8a40f09f0ebd

SHA256
ca93eb909cb6c777df70fa627c2318207fc669642e9d7369cb224c147ca6c4ce

SHA512
5bc82081f97abdaa06f102968242355ef5d3a2d22e1a1cc42a74d9051713423798934fba7c709fdb38392440e7b5d61ddf2d6b84db99fb8c40368485b05b7ec4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x3x6afp6.default-release\thumbnails\1a9f616dfab82efd5d0532e8751f813e.png

Filesize
8KB

MD5
930e8991118fb40065699ee700060b5f

SHA1
34f45a72d82e72b79f994b1d07c10b3295676832

SHA256
f5104b2add0ae4e22567e9d41a324f3ccc0c8e1a4153497bad02ad8980d55847

SHA512
80b5de771e03fb36e0962f7576dd7f93c5bc014aee4a2666a4b7bb8c93485bbd3f61ca2dfa3da9088f273ea2cdbb36ebd5a81cab5b5aa4e9dd863dfbce2f5c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOCC39F608\start.bat

Filesize
601B

MD5
a020c2692ea8307076e7f2ced6ffadeb

SHA1
eb59ee0f0fc39103e29493efbdd8e428610fb955

SHA256
58d7a19d79b5f4f3270e6154704be7d442184cc552d8d903da07352de0f415d6

SHA512
c9316b94ae668b8207c5518d88a8a51bba2835e29fc3fa5fb5f63e834e00aa13a558e2db21a1c2c55c4cad99a0b622fa0d37adc08429114d364f9e56115599b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1013.tmp

Filesize
122KB

MD5
071dfe9315c62f98b04c2332fc30960f

SHA1
85524d66d341068ce5642b0181488132cf3ce897

SHA256
be7cf4d026821f9888c82e6ce74cc8afa4157d2df2966bb42576e54e6d4041fd

SHA512
ed323ce0c233c5452b8ec88925493d5d1300c907345cc35421f46fa8a4d6d9be396f3f48bd04e47b39de4024c9755f0a046bc99cb0be10b8da26c3f31f60453f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI114D.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_euetc5bt.ure.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
14KB

MD5
49b44d7af3b90de86e9a0597d039e585

SHA1
25c7c3abe44b45db575de52e36e6461a94a9fbe5

SHA256
7df5e583f23ac12d6e3590a935429796d36e03c79da2b4b6563834b9ee00429f

SHA512
60fec05314b7ffc1fdf552cc6692f1e053130983cc69b5965ddc69bc1fe8348aea3525b8f62eef6d647d07e85cd3228df39dba4b2b63790031a1a5bc47c8db62

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
13KB

MD5
f681b52e3a9dbda22bc1925c8f144094

SHA1
e340c32c610047549355ef1dbf6f07e5244b42a2

SHA256
373bd7db828338ee177850b87a139d090b1934cd757e0f823adab18dcfccdbd3

SHA512
64418b9392a5a968640f17a7baa5d7cf7d77d136aabd1624fd1ba89bcc6da4e31a5a92af5d239e394df7baff2a58da9b1f7be4a27f380e14de026ec3543e9e67

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
14KB

MD5
f792975985ac61778ab06a21fbc0b75a

SHA1
612665610589210fcf0378b9fb9580a5dd2b9fa9

SHA256
e59e84453e77b94940493c517898ca4a2ca84308ce15c11e849f5e30f4860e20

SHA512
3089d35752a635f6e71d0f5fedadbd601988a89e0802f4a3c614ebe73eb84e5d943a20d3b0968b8d4aa2d95ded1bce288f4df6515abc7e1673ec78c026395cb8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
16KB

MD5
c1bb2e481070fb9430ee4314b7b2c92e

SHA1
b698cb213562ae8ac2697fbc51136fb2cc05b2da

SHA256
dbd45a69e670393945e552ea6c2c11ff3458ed8e4b9cd2b766683f9b76700a20

SHA512
a71497c9a6ceed7400042febfa0164e376a60afda5cc6a5b65070305bf7b630a2aa656f46d7e738393fc0238046dfba1d10d2a4f8f17418a7646a6638c2473a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
16KB

MD5
bf7494e0c7ff3c345fddb2105eaeb87a

SHA1
e42f6f0645727b285ea913b02e66be02144c3493

SHA256
b21c362036927d117dcab889b0cf9e6d673eb98a362193ab6bf19894992ae4b3

SHA512
c61673a97ac08e8f0472f72f44ac0e5c6d9a5c175069f2310f712abf19e35ea9c34e159219f7a96c38fe796bbb8d30da2a94cba5b20448c34e59efe797d0b888

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
391b04059fd9f8c0d36f49b94833615a

SHA1
22a1d2914e35165af4f036d82f900b2ed636ba82

SHA256
e39838f7d41025b90fcfc0b45aae5329af50cf982806519ded7fc73dcabf4926

SHA512
e067febf5c657eb27ff6f33f231401e7e24d1a50772d0ffa6f7b03fef62ccf6eaa15a517ebf054bfbd7c1d6615b5dd16001767695bc56be40949ff97ae44b551

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\datareporting\glean\pending_pings\19a4ce71-0b59-4ea7-8683-f84c08645ee3

Filesize
12KB

MD5
6a9d209ef216bf75da5b34139616572d

SHA1
49fc7f70888596523a88858b5870736fc8b4e616

SHA256
70681ad0e229ebd223af484e8c679fa8a84a9b1dde9333690d6459bbb09fda13

SHA512
bebca8d76db6d85ac4bad0b108e32c57a1dd6b540beeb9a42196cd7eb4004d4ab446711b30c9d56aa7463e1455a693994924379d36d873233b5abcd817bc1418

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\datareporting\glean\pending_pings\650b14ca-1408-4478-ba35-241654909a0f

Filesize
746B

MD5
a6e99cf318f851f158ed8c2d4c034c89

SHA1
6f8b3f9f064c67b2c04d395949cc58337a78a402

SHA256
c31b0499368ae04cec6f31a11e8a0db911bc286205f9c72a3b17543b472665ad

SHA512
1c0a7e164666475a138e93bd16a4be2f1b7fe2c90420cae1f48100fb69efae9c6ee2e5ea105373e5e1b468ce70eb3124bf72862fda7b2b64aba9d4122d559c96

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\prefs-1.js

Filesize
7KB

MD5
27df11c2b6dc6a68961c1db61a29197e

SHA1
07aa19ca380533fcb6050b56c07902d6575bf143

SHA256
eb88206a86770f4698cfa29c237aa7e33f6b4ec78bc0dfc11a47a190bb2954a1

SHA512
ec4df03833332c6e87333203ad0ba435e357b81d18c6f4c9df6c00e6ff112a5cf784bc4bb10ffae95a557e711a21effd89c4b2bc4a6dc7d73548ff5e77d0d243

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\prefs-1.js

Filesize
6KB

MD5
222bf5f6b98f6be15d10424aeab4930b

SHA1
d5c96d8d8719607985bc8339dc46e5be81dbe852

SHA256
acde3b48b1bac663bdd0cbbf693990da161f3630e59d0305ee704a4b40ded303

SHA512
ade1aaa9d937e5e4d894379294cddc95a9f6ec67bf316f4f97a2e93f20da73bb811f9cdb684935f6aedbc60ed585c54c7d3a4e999c664e0b63d7348981d55b85

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\prefs.js

Filesize
6KB

MD5
2381833c310c27ba15937399e9dcc01c

SHA1
ac8b7c487df33f9afd05e26d8f8e6f8e493459c7

SHA256
eaf4df9f0ae361ba595c899908c92922ae101cc9c39aaa9a75eb46ce2e252b2f

SHA512
5c3f1b577dad7eb7cee3f687b261e2a145fad0a0947529b08770aac0c6a16344ac7ffacee0e30f579294f58b9b28b96e1230d71fd079f4e1771ae25da51a0e66

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\prefs.js

Filesize
6KB

MD5
2f3fc90dfad37c8aca72bd2728667e27

SHA1
a7892195c8a62cc3ea84abdb78c3080bf35cddcb

SHA256
6640f4b70e7ab638b70aecb00fbd5f8e7faa5a9a2e70d96813e3c9ebc0c4286d

SHA512
973d681c4167937057a7f9b4a00553811ee7043c246d7679d4c9cfeb07afa3649bc290e9c9113b63576630bf4b332822e14416a81eb8faa3990b284d48e3850a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
1d3708ed6b2e269ef0620b6b176f8f8d

SHA1
bf8cd5cf5fadd9d7341d3d220251fdf84be94a5b

SHA256
3282cac1b832c2a9f3bf3e441a1a163a7c34a6de70d3022b36e04cb40e73ca2c

SHA512
745c8dc57af8631db0a3a8f70b51754b1964de55be7b9d1a08ce500a5b5bfdacf56c6c9c2b27d835f4e077987afc97608f9d60f60d897c3b61712c029d51f487

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
c63ad4ff5f38b258da4b03cc63f4b3b4

SHA1
09a1d401ffd149ab05045960fbf58c7db46c7b5a

SHA256
0db5ce6d6edf3c358e194d0ffe41cee784fc18cc2127dbd9213d6e21eb1c3b69

SHA512
889736c25164d0005ea1d22d771f14cefc370844cd8885382d2aacefaf75d2f37e4e4fdf9137386b505a12b8425cb7a28ea861d517ae12a30af71e94e368d6b1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
a08ed41642fcb471ca5d4454c8c418b7

SHA1
120114ed968c4afaa928332af8e75f04d8a61329

SHA256
db051198ebf6bf2e4f1ab80a819b8552e493d08a6a5715e20a4dc1924b287fd2

SHA512
0931c12c81cbc24ca7f8357e542ca9230a539416fdabbdcac57caec4866ec42456dbf87f74cbd1806a56d46b1d50a5cf88335a79a0c8940a73a2ef3637476ae6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
7489e311146cb01bd6aafd48bc3de8a5

SHA1
b15c5e313923a640e490031b2c134ec3eca01f84

SHA256
487fe4c62188863109cd58e86f7fcb11bdc52073dfa2272c1f4c033553b0f771

SHA512
6722544d26c7f1a4d45cc2222fa53f4570190be4e64ef5650e3eed15ddfe0ae0e0afeb74378093b78251e25dae7f65324d880b95590ff9082f63ebc6b433dcfd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
bf0d86d29b583ee4181f205aa9f01454

SHA1
ede5be9d4a8c56278045bf669af2ab70a9025f8b

SHA256
00a8f024ab3117452b466c2a192939430c1abf256da4660d8bef2a4a48c795d1

SHA512
5c0d94d8d6b472800a589c891411a7eead9723d99ecfe28a7b915de886b17a7b23e9f71db87d2ea59f94d10e5be725e63a3df91993138377c489983eef88e151

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
fdf639b41c30ba0de6ad36f9d2e8ab5a

SHA1
3ee051435b40b1bf7b845644893ac76ead574e40

SHA256
dd760556915c989a564ecfa62c5e821bb5ab710f8071eb094bdc7e783b16046e

SHA512
7a5c780b7472b61038c9779b4402ad6d0c9ff277738b57ef7fec52f0f8350314e1f00e2648d8b3b54202511a4933c5d2bd7d9beaf25c4be93fd34ae50d30e913

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
12KB

MD5
6bf7929588e45b6aa2efffa21850e967

SHA1
289dec4d24522e64b0c54ae2a6ad1b48074906b8

SHA256
d3158535698d32ebf24b65681f28bf24c4f398d7818a3be1224615c7c7791331

SHA512
e16f37586c95d3497d75fbe28aa9c2431442beed99b2c1a50a87d20b793dae91b47d4a4f9fc1895bbfd6988bb530942377989416662a2c8b8db4140de5e69af0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
66ccd078d373770cedc20ef1db98e481

SHA1
f1ee311036602eeede279084a0feb27c9407b566

SHA256
95d104bf09dde4c979a0b82216dd74d55f749fd4b8358f4d30a24493a58062c4

SHA512
850a385ac5cff287527f15639c794a9df88108356fe051a1e35a60c60f4c8cb8f0592382ded6642513dcf3869f7e0c1ad0851a0eb327eea834a5413028455f91

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
12KB

MD5
08b45c1d1b28c6b15988fa05a0e15b3b

SHA1
f167c8a793055b4ebf20fc98bc80d2d3f3b4535e

SHA256
a23bc7aeff4a17afb06d715c37a73b31d9eec2a8faa18dd74163224e7ef458fd

SHA512
61644c66a507a6503f29d53172a312be14036ed435492113f2892ed6d62f14a63f5087cc27014d0489081885e775aca832feac28ca0a8c4f626abbb64eebf7c2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
e7d6460a5541236e32e558a35537ede1

SHA1
aa8d0025c8091d44e83146a9937799be57d492f4

SHA256
6b92997aa06627d9e3204ecebed80df34b50013b5e8aaf69820e758806ee1133

SHA512
baa475d64ee9c4acce1c1668ef0c3e7bd1e2fdf913bc727f5a1e57f14a0a53a8fec7b256d8a8bfd63fbfc2325c44a48b24e1905dc630a00d16e4d611ab476bbd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x3x6afp6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
0ddf2d28fa95f84ee16e6c140c508b33

SHA1
cdbadda1221ca26490fee0759c3d18848b90f8de

SHA256
8241c153009637225940f5c17bbd182f9573b461bd3af4a97a41d90d3892a174

SHA512
c928a6085184f4424ea52aeca3524f1c16cbc3f490e19abe689c5ecf3a8ea4b1a2215155a0d0d1d52f576ba119c5717318097dd6659df0c51671581956a54662

Download Submit
C:\Users\Admin\Downloads\node-v17.6.0-x64.msi

Filesize
27.7MB

MD5
6d92bf25f62c9c31c0fbc0670966a52d

SHA1
4d8004e517be89d6fac4b4b909f73f5eb83c22ff

SHA256
ef3f0172f25a3868f053ebaf18a9286c23c602b3a8dabab9dd773a7265023b68

SHA512
487808896526081edddc16139428df8b0144974d2e150a08c58c78d62e2904e391695cf6b4bc21a6aa9513e69c99d6a083f7bf2b5690180b3f71d6f0a59a4abf

Download Submit
C:\Users\Admin\Downloads\node-v17.6c8E4ZxB.6.0-x64.msi.part

Filesize
1.4MB

MD5
8db8411db15abde7d3969a63f5d34f98

SHA1
dc515717ad18bf6adffa9a7fde1f0f1816c5f6ad

SHA256
be7ef62116200d8bd2fdf4dc83b402a5d9c88900f44985735210bd250ac9f729

SHA512
7a5b23ed24b8cb84cd49c9c22fca4c18c04c282bc25e33d60fb2aa0cf4148f943cf0c313d2540ef53f333b8f84bd66e83f22330921d4b60bf8db599116ba0e83

Download Submit
C:\Windows\Installer\MSI6045.tmp

Filesize
297KB

MD5
7a86ce1a899262dd3c1df656bff3fb2c

SHA1
33dcbe66c0dc0a16bab852ed0a6ef71c2d9e0541

SHA256
b8f2d0909d7c2934285a8be010d37c0609c7854a36562cbfcbce547f4f4c7b0c

SHA512
421e8195c47381de4b3125ab6719eec9be7acd2c97ce9247f4b70a309d32377917c9686b245864e914448fe53df2694d5ee5f327838d029989ba7acafda302ec

Download Submit
C:\Windows\Installer\MSI720A.tmp

Filesize
192KB

MD5
6fc16fea8bf4f0ade0ff4ef90fb4470c

SHA1
8a85be41808621cc28f0f49ab8df3feffbc72cf8

SHA256
dc9a0fb0f1a46618a0f7d8d33a9c1873575eb102e1a4301f0da206c69b5542d0

SHA512
7209c62ce8183e43072b1534b3616ac205c0b3695adb3775328b5557dcc5d289e08ec2bcb82967c7c252b0e202d00d152cb6e78f9ba4d0d29dfb69ec2929704f

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
12ce1d46bbb252e7e56fdd037c5829f1

SHA1
f8d1816036db934a4c1a00dd7bfda97a1c7bdb50

SHA256
122aa9231fd16bbf19d6eddf8c0f3b394919460dcfd9e09c9c38af9e96aa9d87

SHA512
5aedbe030ca7bfa5367c581bf253cc6d2128ac0111e70c6abf7f1e1a26806c5165f06a87a0af4926caf78a5078231a185516d1e3d69c31a3c1ec8de3a4541226

Download Submit
\??\Volume{57af6234-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{738cc165-e8f1-4e3a-857f-0417942f8a80}_OnDiskSnapshotProp

Filesize
6KB

MD5
a3fbf8086ae8baa4ded2e8ef79363361

SHA1
0d115d4243664ed13ec429f5083d083bc61c6180

SHA256
aea1714c6db3f32547836f3a79f646ebb3546d90df5471c194eb27a188522ef2

SHA512
1bb18fc7664a926fe6fa494e3997f0d9c52de4ec65e7892a327df0a3726e3a0e1b85e7a385da819fce357d24dfeb257de5919944ceca57902f46a69d7ada770c

Download Submit
memory/732-2692-0x00007FFEBB8F0000-0x00007FFEBC3B1000-memory.dmp

Filesize
10.8MB

Download
memory/732-2720-0x00007FFEBB8F0000-0x00007FFEBC3B1000-memory.dmp

Filesize
10.8MB

Download
memory/732-2694-0x000001B16EDC0000-0x000001B16EDD0000-memory.dmp

Filesize
64KB

Download
memory/732-2695-0x000001B16EDC0000-0x000001B16EDD0000-memory.dmp

Filesize
64KB

Download
memory/1244-2527-0x0000023FC2E40000-0x0000023FC2E50000-memory.dmp

Filesize
64KB

Download
memory/1244-2526-0x00007FFEBB8F0000-0x00007FFEBC3B1000-memory.dmp

Filesize
10.8MB

Download
memory/1244-2529-0x0000023FC2E40000-0x0000023FC2E50000-memory.dmp

Filesize
64KB

Download
memory/1244-2531-0x00007FFEBB8F0000-0x00007FFEBC3B1000-memory.dmp

Filesize
10.8MB

Download
memory/1896-2730-0x00007FFEBB8F0000-0x00007FFEBC3B1000-memory.dmp

Filesize
10.8MB

Download
memory/1896-2732-0x000002449D050000-0x000002449D060000-memory.dmp

Filesize
64KB

Download
memory/1896-2733-0x000002449D050000-0x000002449D060000-memory.dmp

Filesize
64KB

Download
memory/1896-2731-0x000002449D050000-0x000002449D060000-memory.dmp

Filesize
64KB

Download
memory/1896-2739-0x00007FFEBB8F0000-0x00007FFEBC3B1000-memory.dmp

Filesize
10.8MB

Download
memory/1988-2841-0x00007FFEBB910000-0x00007FFEBC3D1000-memory.dmp

Filesize
10.8MB

Download
memory/1988-2845-0x00007FFEBB910000-0x00007FFEBC3D1000-memory.dmp

Filesize
10.8MB

Download
memory/1988-2843-0x0000016A86BE0000-0x0000016A86BF0000-memory.dmp

Filesize
64KB

Download
memory/1988-2842-0x0000016A86BE0000-0x0000016A86BF0000-memory.dmp

Filesize
64KB

Download
memory/2332-2888-0x00007FFEBB910000-0x00007FFEBC3D1000-memory.dmp

Filesize
10.8MB

Download
memory/2332-2886-0x000002CEC7630000-0x000002CEC7640000-memory.dmp

Filesize
64KB

Download
memory/2332-2885-0x00007FFEBB910000-0x00007FFEBC3D1000-memory.dmp

Filesize
10.8MB

Download
memory/2708-16-0x000002500A210000-0x000002500A220000-memory.dmp

Filesize
64KB

Download
memory/2708-17-0x000002500A210000-0x000002500A220000-memory.dmp

Filesize
64KB

Download
memory/2708-18-0x000002500A210000-0x000002500A220000-memory.dmp

Filesize
64KB

Download
memory/2708-15-0x00007FFEBC960000-0x00007FFEBD421000-memory.dmp

Filesize
10.8MB

Download
memory/2708-14-0x0000025026130000-0x0000025026152000-memory.dmp

Filesize
136KB

Download
memory/2708-21-0x00007FFEBC960000-0x00007FFEBD421000-memory.dmp

Filesize
10.8MB

Download
memory/5960-2495-0x00007FFEBB8F0000-0x00007FFEBC3B1000-memory.dmp

Filesize
10.8MB

Download
memory/5960-2490-0x00007FFEBB8F0000-0x00007FFEBC3B1000-memory.dmp

Filesize
10.8MB

Download
memory/5960-2493-0x0000029776590000-0x00000297765A0000-memory.dmp

Filesize
64KB

Download
memory/5960-2491-0x0000029776590000-0x00000297765A0000-memory.dmp

Filesize
64KB

Download