c54f5f7e2416e826fd84e878f28e3b53363ae9c3f60a140af4434b2453b5ae89

Analysis

max time kernel
358s
max time network
315s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/03/2024, 10:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

node-v20.11.1-x64.msi
Size

25.4MB
MD5

ddc3834ba30017c8b403f48f802c2566
SHA1

7460683828f21069a33e694801a85557434cefcf
SHA256

c54f5f7e2416e826fd84e878f28e3b53363ae9c3f60a140af4434b2453b5ae89
SHA512

94bb61b403d42ba362d470809e7d4167e1df55280ed5daf96c65861ab031718dce1851838d4b7e3cc873da8dda7b461c39b91edff9af4e7ad6f697c46528ffdc
SSDEEP

786432:EntWLjqcJLYchxisdIfXnqZs+zAabBT/So8:Entiz88iskXnqZs4bh

Score

6^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
7	4328	msiexec.exe
16	4328	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\nodejs\node_modules\npm\bin\npm.ps1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\utils\web-auth.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\sign\dist\external\rekor.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\node_modules\lru-cache\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-pipeline\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\retry\example\dns.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\internal\constants.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\retry\Makefile	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\outdated.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-doctor.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\abbrev\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\read-cmd-shim\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\bundle\dist\serialized.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tiny-relative-date\translations\es.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\wcwidth\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@pkgjs\parseargs\utils.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\lib\get-prefix.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\color-convert\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\diff\lib\diff\character.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\validate-npm-package-name\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\explore.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cli-columns\node_modules\strip-ansi\license	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\coerce.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\strip-ansi-cjs\node_modules\ansi-regex\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\gauge\lib\wide-truncate.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-profile\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi-cjs\node_modules\strip-ansi\license	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\lib\check-bin.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\clone\clone.iml	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\events\tests\num-args.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\verify.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man7\developers.7	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\agent\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\defaults\test.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\string_decoder\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\README.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\corepack\dist\corepack.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\sign\dist\identity\ci.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\abort-controller\dist\abort-controller.umd.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\diff\CONTRIBUTING.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\diff\dist\diff.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\foreground-child\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\string-width-cjs\node_modules\strip-ansi\license	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\API.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\lib\write-entry.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man5\package-lock-json.5	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\run-script\lib\make-spawn-args.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\sign\dist\bundler\bundle.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\debug\src\browser.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@isaacs\cliui\node_modules\emoji-regex\text.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\normalize-package-data\lib\safe_format.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\lib\replace.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\normalize-package-data\lib\extract_description.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\dist\processor.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\proc-log\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\which\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\configuring-npm\npmrc.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-owner.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\events\tests\remove-all-listeners.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmdiff\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\signal-exit\dist\mjs\browser.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\reset-dep-flags.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\bundle\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\columnify\width.js	msiexec.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI487F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8F6F.tmp	msiexec.exe
File created	C:\Windows\Installer\e58466a.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4EF8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI52B2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{DA5C7599-681B-43F8-B8A6-20D986C704F9}\NodeIcon	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8B76.tmp	msiexec.exe
File created	C:\Windows\Installer\e58466c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4801.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{DA5C7599-681B-43F8-B8A6-20D986C704F9}	msiexec.exe
File created	C:\Windows\Installer\{DA5C7599-681B-43F8-B8A6-20D986C704F9}\NodeIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\e58466a.msi	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
1228	node.exe

Loads dropped DLL 7 IoCs

pid	Process
4712	MsiExec.exe
4712	MsiExec.exe
2364	MsiExec.exe
2364	MsiExec.exe
2364	MsiExec.exe
4888	MsiExec.exe
116	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000c2cf76efb8a5767e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000c2cf76ef0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900c2cf76ef000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dc2cf76ef000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000c2cf76ef00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe

Modifies registry class 29 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9957C5ADB1868F348B6A029D687C409F\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9957C5ADB1868F348B6A029D687C409F\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9957C5ADB1868F348B6A029D687C409F\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9957C5ADB1868F348B6A029D687C409F\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9957C5ADB1868F348B6A029D687C409F	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9957C5ADB1868F348B6A029D687C409F\corepack	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9957C5ADB1868F348B6A029D687C409F\npm	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9957C5ADB1868F348B6A029D687C409F\Version = "336265217"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9957C5ADB1868F348B6A029D687C409F\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9957C5ADB1868F348B6A029D687C409F\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9957C5ADB1868F348B6A029D687C409F\EnvironmentPathNpmModules = "EnvironmentPath"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9957C5ADB1868F348B6A029D687C409F\PackageCode = "048BAA490FC47FE48B7B9F53EE26ADCC"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9957C5ADB1868F348B6A029D687C409F\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9957C5ADB1868F348B6A029D687C409F\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9957C5ADB1868F348B6A029D687C409F\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9957C5ADB1868F348B6A029D687C409F\ProductIcon = "C:\\Windows\\Installer\\{DA5C7599-681B-43F8-B8A6-20D986C704F9}\\NodeIcon"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9957C5ADB1868F348B6A029D687C409F\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782\9957C5ADB1868F348B6A029D687C409F	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9957C5ADB1868F348B6A029D687C409F\NodeRuntime	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9957C5ADB1868F348B6A029D687C409F\DocumentationShortcuts	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9957C5ADB1868F348B6A029D687C409F\EnvironmentPathNode = "EnvironmentPath"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9957C5ADB1868F348B6A029D687C409F	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9957C5ADB1868F348B6A029D687C409F\SourceList\PackageName = "node-v20.11.1-x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9957C5ADB1868F348B6A029D687C409F\EnvironmentPath	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9957C5ADB1868F348B6A029D687C409F\ProductName = "Node.js"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9957C5ADB1868F348B6A029D687C409F\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9957C5ADB1868F348B6A029D687C409F\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9957C5ADB1868F348B6A029D687C409F\Language = "1033"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4880	msiexec.exe
4880	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4328	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4328	msiexec.exe
Token: SeSecurityPrivilege	4880	msiexec.exe
Token: SeCreateTokenPrivilege	4328	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4328	msiexec.exe
Token: SeLockMemoryPrivilege	4328	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4328	msiexec.exe
Token: SeMachineAccountPrivilege	4328	msiexec.exe
Token: SeTcbPrivilege	4328	msiexec.exe
Token: SeSecurityPrivilege	4328	msiexec.exe
Token: SeTakeOwnershipPrivilege	4328	msiexec.exe
Token: SeLoadDriverPrivilege	4328	msiexec.exe
Token: SeSystemProfilePrivilege	4328	msiexec.exe
Token: SeSystemtimePrivilege	4328	msiexec.exe
Token: SeProfSingleProcessPrivilege	4328	msiexec.exe
Token: SeIncBasePriorityPrivilege	4328	msiexec.exe
Token: SeCreatePagefilePrivilege	4328	msiexec.exe
Token: SeCreatePermanentPrivilege	4328	msiexec.exe
Token: SeBackupPrivilege	4328	msiexec.exe
Token: SeRestorePrivilege	4328	msiexec.exe
Token: SeShutdownPrivilege	4328	msiexec.exe
Token: SeDebugPrivilege	4328	msiexec.exe
Token: SeAuditPrivilege	4328	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4328	msiexec.exe
Token: SeChangeNotifyPrivilege	4328	msiexec.exe
Token: SeRemoteShutdownPrivilege	4328	msiexec.exe
Token: SeUndockPrivilege	4328	msiexec.exe
Token: SeSyncAgentPrivilege	4328	msiexec.exe
Token: SeEnableDelegationPrivilege	4328	msiexec.exe
Token: SeManageVolumePrivilege	4328	msiexec.exe
Token: SeImpersonatePrivilege	4328	msiexec.exe
Token: SeCreateGlobalPrivilege	4328	msiexec.exe
Token: SeCreateTokenPrivilege	4328	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4328	msiexec.exe
Token: SeLockMemoryPrivilege	4328	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4328	msiexec.exe
Token: SeMachineAccountPrivilege	4328	msiexec.exe
Token: SeTcbPrivilege	4328	msiexec.exe
Token: SeSecurityPrivilege	4328	msiexec.exe
Token: SeTakeOwnershipPrivilege	4328	msiexec.exe
Token: SeLoadDriverPrivilege	4328	msiexec.exe
Token: SeSystemProfilePrivilege	4328	msiexec.exe
Token: SeSystemtimePrivilege	4328	msiexec.exe
Token: SeProfSingleProcessPrivilege	4328	msiexec.exe
Token: SeIncBasePriorityPrivilege	4328	msiexec.exe
Token: SeCreatePagefilePrivilege	4328	msiexec.exe
Token: SeCreatePermanentPrivilege	4328	msiexec.exe
Token: SeBackupPrivilege	4328	msiexec.exe
Token: SeRestorePrivilege	4328	msiexec.exe
Token: SeShutdownPrivilege	4328	msiexec.exe
Token: SeDebugPrivilege	4328	msiexec.exe
Token: SeAuditPrivilege	4328	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4328	msiexec.exe
Token: SeChangeNotifyPrivilege	4328	msiexec.exe
Token: SeRemoteShutdownPrivilege	4328	msiexec.exe
Token: SeUndockPrivilege	4328	msiexec.exe
Token: SeSyncAgentPrivilege	4328	msiexec.exe
Token: SeEnableDelegationPrivilege	4328	msiexec.exe
Token: SeManageVolumePrivilege	4328	msiexec.exe
Token: SeImpersonatePrivilege	4328	msiexec.exe
Token: SeCreateGlobalPrivilege	4328	msiexec.exe
Token: SeCreateTokenPrivilege	4328	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4328	msiexec.exe
Token: SeLockMemoryPrivilege	4328	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4328	msiexec.exe
4328	msiexec.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 4712	4880	msiexec.exe	94
PID 4880 wrote to memory of 4712	4880	msiexec.exe	94
PID 4880 wrote to memory of 1524	4880	msiexec.exe	108
PID 4880 wrote to memory of 1524	4880	msiexec.exe	108
PID 4880 wrote to memory of 2364	4880	msiexec.exe	110
PID 4880 wrote to memory of 2364	4880	msiexec.exe	110
PID 4880 wrote to memory of 4888	4880	msiexec.exe	115
PID 4880 wrote to memory of 4888	4880	msiexec.exe	115
PID 4880 wrote to memory of 116	4880	msiexec.exe	117
PID 4880 wrote to memory of 116	4880	msiexec.exe	117
PID 4880 wrote to memory of 116	4880	msiexec.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\node-v20.11.1-x64.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4328

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding C294D0EA76370A745BEC526BC1B7E85B C
  2⤵
  - Loads dropped DLL
  PID:4712
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1524
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding B136B08A9754920A1E2607EB4C47D576
  2⤵
  - Loads dropped DLL
  PID:2364
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding D2052E20D8C3739735B710A5D9F9E59B E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:4888
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8C47EE88783B54A17EB1DE53C9D74AF0
  2⤵
  - Loads dropped DLL
  PID:116

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:744

C:\Program Files\nodejs\node.exe
"C:\Program Files\nodejs\node.exe"
1⤵
- Executes dropped EXE
PID:1228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58466b.rbs

Filesize
844KB

MD5
a79242b7a026692d577f95834a843c11

SHA1
7199230bc6be4059900fb01e32517a69fa163d1a

SHA256
bc7aa8e6eb2121aa679eeb0f08e835b79ebbc1551b925edab7964f294bb3544e

SHA512
8dd169c03548f62ce6be1b000339d5f187ce43dd27ec4a432ae755d51724024bf05ace3e5a89845b07643fda722a3ca83bf24837eaac6216505fbc11878e49d2

Download Submit
C:\Program Files\nodejs\node.exe

Filesize
16.1MB

MD5
41622d83ec483f9fe60580d8a8c3548e

SHA1
9aa433ba3a938c681b833ac7efc1f74b39236161

SHA256
946b44d09ae823bb58f3b9ce9437a63089f648719ffbd9f493bc360781e7a8d6

SHA512
7aa984b956e8b9f21d14e5b68759d94d08a146fbc4a10119d982e343072f1518421c813ec6a7242be71716b48dcd5cbda30a72005c89f7888de4241fca6e558a

Download Submit
C:\Program Files\nodejs\node.exe

Filesize
16.6MB

MD5
9a30d8c7112886215b7f746c2acf2bb9

SHA1
40478aa8dc8ca9508399f7f992b48510c3cfbd16

SHA256
74c29eaf30117bb499878d7326dca4326f204c875453cee5c72207e107cc415b

SHA512
1a3a773543cc97febbe3c8aac8943cc0775027ed163f181942594dcda158b11ecd6d56b89ff922161bbfdb261e0f691868ebcfa3e84d37b2a53f8ca9d73e134d

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@tufjs\models\dist\utils\types.js

Filesize
79B

MD5
24563705cc4bb54fccd88e52bc96c711

SHA1
871fa42907b821246de04785a532297500372fc7

SHA256
ef1f170ad28f2d870a474d2f96ae353d770fff5f20e642cd8f9b6f1d7742df13

SHA512
2ce8d2cf580623358fef5f4f8925d0c9943a657c2503c80048ca789bf16eacdb980bfc8aaaa50101a738e939926fcf2545500484dcad782c700ee206d8c6f9b9

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE

Filesize
754B

MD5
d2cf52aa43e18fdc87562d4c1303f46a

SHA1
58fb4a65fffb438630351e7cafd322579817e5e1

SHA256
45e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0

SHA512
54e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\cli-columns\node_modules\strip-ansi\license

Filesize
1KB

MD5
5ad87d95c13094fa67f25442ff521efd

SHA1
01f1438a98e1b796e05a74131e6bb9d66c9e8542

SHA256
67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec

SHA512
7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\exponential-backoff\LICENSE

Filesize
11KB

MD5
0ba5044c64ef53cb0189c9546081e228

SHA1
c8bc7df08db9dd3b39c2c2259a163a36cf2f6808

SHA256
49bbe9114e49214df2ccc324cb3ac8d1d1aa1c3a0947f94c286765e86647b32e

SHA512
a7ce8c7f21c031e4e6d037f4eabe8b200b8f1470731c05ea86028171f2964310dadc5def814d2d65164fbd23d720ecfd4d479ff5e269e519c787b4db96c7724f

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\gauge\LICENSE.md

Filesize
818B

MD5
2916d8b51a5cc0a350d64389bc07aef6

SHA1
c9d5ac416c1dd7945651bee712dbed4d158d09e1

SHA256
733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04

SHA512
508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\ignore-walk\LICENSE

Filesize
780B

MD5
b020de8f88eacc104c21d6e6cacc636d

SHA1
20b35e641e3a5ea25f012e13d69fab37e3d68d6b

SHA256
3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706

SHA512
4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\ip-regex\license

Filesize
1KB

MD5
b862aeb7e1d01452e0f07403591e5a55

SHA1
b8765be74fea9525d978661759be8c11bab5e60e

SHA256
fcf1a18be2e25ba82acf2c59821b030d8ee764e4e201db6ef3c51900d385515f

SHA512
885369fe9b8cb0af1107ee92b52c6a353da7cf75bc86abb622e2b637c81e9c5ffe36b0ac74e11cfb66a7a126b606fe7a27e91f3f4338954c847ed2280af76a5f

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmsearch\LICENSE

Filesize
730B

MD5
072ac9ab0c4667f8f876becedfe10ee0

SHA1
0227492dcdc7fb8de1d14f9d3421c333230cf8fe

SHA256
2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013

SHA512
f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-sized\node_modules\minipass\LICENSE

Filesize
802B

MD5
d7c8fab641cd22d2cd30d2999cc77040

SHA1
d293601583b1454ad5415260e4378217d569538e

SHA256
04400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be

SHA512
278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-sized\node_modules\minipass\index.js

Filesize
16KB

MD5
bc0c0eeede037aa152345ab1f9774e92

SHA1
56e0f71900f0ef8294e46757ec14c0c11ed31d4e

SHA256
7a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5

SHA512
5f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-sized\node_modules\minipass\package.json

Filesize
1KB

MD5
d116a360376e31950428ed26eae9ffd4

SHA1
192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b

SHA256
c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5

SHA512
5221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-call-limit\LICENSE

Filesize
763B

MD5
7428aa9f83c500c4a434f8848ee23851

SHA1
166b3e1c1b7d7cb7b070108876492529f546219f

SHA256
1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7

SHA512
c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\signal-exit\dist\cjs\package.json

Filesize
28B

MD5
56368b3e2b84dac2c9ed38b5c4329ec2

SHA1
f67c4acef5973c256c47998b20b5165ab7629ed4

SHA256
58b55392b5778941e1e96892a70edc12e2d7bb8541289b237fbddc9926ed51bd

SHA512
d662bff3885118e607079fcbeedb27368589bc0ee89f90b9281723fa08bda65e5a08d9640da188773193c0076ec0a5c92624673a6a961490be163e2553d6f482

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\signal-exit\dist\mjs\package.json

Filesize
26B

MD5
2324363c71f28a5b7e946a38dc2d9293

SHA1
7eda542849fb3a4a7b4ba8a7745887adcade1673

SHA256
1bf0e53fc74b05f1aade7451fbac72f1944b067d4229d96bae7a225519a250e4

SHA512
7437cf8f337d2562a4046246fbfcc5e9949f475a1435e94efbc4b6a55880050077d72692cbc3413e0ccd8f36adf9956a6cc633a2adc85fbff6c4aa2b8edac677

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\string-width\node_modules\ansi-regex\index.js

Filesize
360B

MD5
a20c210b6e40f32c74581046a72637fa

SHA1
ff290036409fd67472b634e36afca346db5c2ffc

SHA256
4c603af42ee01f6fa43775a6162f6dbbcca897bc2912d19db2974992190363cf

SHA512
0cd4fbdf682b6e3e735ee390c463ffa9aa5dd22d38ab312a0731676e95bac37dab9f0d638d8f9c1ab6cdafd15f04ea2864c8702e82f18ca70f86dbb03549ce4d

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\string-width\node_modules\ansi-regex\package.json

Filesize
896B

MD5
f7fb47cf242d265b2497e3a6ac213617

SHA1
1a09448abf0524c9342c5723b60ba3810af10326

SHA256
a1b5721b315f84a5e2e28f3209eb92831537eb778e9e978502696e6235d71644

SHA512
6118a9b8efa277e46c065a097a4c9f18623ebee5cd6c170015bc40a222e2ffd2e6e72ce2c3c259a79698901a5f04b4b6b1980541e136ac1ecfb08f23513cd2a7

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\string-width\node_modules\strip-ansi\index.js

Filesize
158B

MD5
3f03b6fe5c918ae1b49ed36f4581762f

SHA1
1dc3afa3b08728017bdff8105d7424fc8951902f

SHA256
ee7638c432f16042a7c64c40b4bf326e44b7d6d9b7add19806637240c246a6a6

SHA512
b271511f7fd29719d06dbd162ac5259355c682675316aa4c8c513f30f8c390974948a4c02f383a43757c66c2247047f80dc88c2ebf261d9b3dfe0138f1a3c7d7

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\string-width\node_modules\strip-ansi\package.json

Filesize
852B

MD5
d59bf9acae68d3368565b2c4302d1c82

SHA1
dc8dd3a6928631b912f6dbb9471b43e9a15117ae

SHA256
dec16b172e99984a3c913a9ec30d854da58467ae1fbde1b43a1d8f9562b80ed8

SHA512
b74620e60f75f889654c57c5a8c3a1a69d003523f78a539085ab521c599e905c0038e958533d6a38643d6ecee3dfed97190e595f1309d775fd41e29487162a5f

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\es2015\index.js

Filesize
17KB

MD5
cf8f16c1aa805000c832f879529c070c

SHA1
54cc4d6c9b462ad2de246e28cd80ed030504353d

SHA256
77f404d608e2a98f2a038a8aa91b83f0a6e3b4937e5de35a8dae0c23aa9ee573

SHA512
a786e51af862470ae46ad085d33281e45795c24897e64b2c4b265302fa9cbfa47b262ec188adbc80d51cfc6ba395b500c0d7f5d343ca4fc2b828eaedba4bd29a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\index.js

Filesize
15KB

MD5
9841536310d4e186a474dfa2acf558cd

SHA1
33fabbcc5e1adbe0528243eafd36e5d876aaecaa

SHA256
5b3c0ac6483d83e6c079f9ffd1c7a18e883a9aaeaedb2d65dd9d5f78153476b9

SHA512
b67680a81bb4b62f959ba66476723eb681614925f556689e4d7240af8216a49f0d994c31381bf6a9489151d14ed8e0d0d4d28b66f02f31188059c9b24aaa3783

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.url

Filesize
168B

MD5
8ffc28655646cd69abee60c0ff8f7626

SHA1
b9b32e3fa1d5d42c60bf4a4035c1bd5fca9cb75c

SHA256
490ca1df20d922f35de50f301279b0b55f3096cf54cbc58c4954297db056aae8

SHA512
295f8b9c2dea878e260ba98402aee8dffe180213b3edf06de12297571843c959b1f582e38769b8b066ef1a1fc1cf4af3a70bced1dac20c755fd5a5509a6bc5c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
656018322dd4a0a1d0d45d6e1afd9aa8

SHA1
50c52d392a825057aaa8cdf7487767983dc4049d

SHA256
59b0d523749dff91a8eb4424146519ec4421b3740c253dbb04c04500d1c39087

SHA512
876ccc4d2fc518b2e85270d455817f57abcc8adb7897aa1f219c751d996379062ac9a4c2284b0aa15ced977a638441447db5b2d97ec6a41b9b7c601535f95de3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_0D7BFF9D231ADDC3439B70E4C5E809D4

Filesize
727B

MD5
f1d1c37c8383749dd5fe235e73ac8007

SHA1
5fa163668bb648a9a359231592785e7d6d258a75

SHA256
68cd19dc97a8f143ab67e63ce6a33ddb6f2af4ef18c826900479776558441a57

SHA512
e315e70edcb21e3e22dc97eca387f231e54228b0f2cfed25b5587e83498ac8a1a1e72b09892a3cc774bcf4847272195d4a8cb85049b2cff2ce578fe46403e8cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
7bf3c086147542fbe29b478d9e9290ae

SHA1
c0b4d97e034c77bc38ab515bb0c2f9c8799b7b8f

SHA256
f97c9d2eb3c47d04ff22be0a1d74279cbd436200fb5678d1fd84e30faf143825

SHA512
1af4a1e322a26a2bd7af4c02cfcc517a098757d45700e8c7fe577dda133bdf2d8e3810a1acb0561d7c9378507ffb3e1a7abefc63214e519b8039b6a10a661d8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
84d9f9b1226393a58258202aa3f1cb1a

SHA1
378f799367ab7ff1b06cbffe125842f9a4f1be6c

SHA256
ae4d7d70249aaedb54258edcfc5117135d7a82457400bba245865f8df1ae5ffb

SHA512
6874adca3f55999d050f8566543b98df887deec81c980bceecbafb9228c16e1428d91679a783e9dfe84b9d21490427c21699979a00941e35cb6b52e8f00fdc24

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_0D7BFF9D231ADDC3439B70E4C5E809D4

Filesize
404B

MD5
23181fc0e75480ba2cb45bd5f8bc2c8a

SHA1
103d736d563bc47a7811a9348c79ca4266fb29bc

SHA256
f67c621cc7b52057142863b13c89a40ffd53b994e07f4b0f526f880b49dc20fe

SHA512
a4f80a1aa159cdc2272c32031cfe08943164b9c40f255f3e451bff45b45581ad2fa27906faabdfdc293192bef5731351aae7eb8eea49c15129ffb1c93e33e52b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
f6506fdaebace98621a297f702d3a190

SHA1
fbe294fd41ff4de094a7e83254647529b6d720c7

SHA256
56cc915fb9817cc2e57b36356f26214d91dba01c3849580fbbf11ec905bbb1c3

SHA512
8338ff5bf2792fbc0878edb404ceced1b65c4dd7e4973989b5eddbbed78e60640413f1fd7f590b8273f49e69556f1089e1aa493f5b71174330282d71d1acb7e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI71A6.tmp

Filesize
125KB

MD5
688822a69ee8f8e24181504edb51aa47

SHA1
ceb32e307a5b7e73ab739f659ecf193ac035a6d1

SHA256
de921f3c5c5e50a362cf6df681bfe72d166968a212d4d73a20e346161d5151d8

SHA512
d936a4323b5738b3d40a402c0e2718e3f65e538f164bd7440bef6bca1666de48d41b6ef954e68396e8cacb79c54f2acf318b5edcaea92a7f8a9a110fc6813a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7291.tmp

Filesize
390KB

MD5
80bebea11fbe87108b08762a1bbff2cd

SHA1
a7ec111a792fd9a870841be430d130a545613782

SHA256
facf518f88cd67afd959c99c3ba233f78a4fbfe7fd3565489da74a585b55e9d1

SHA512
a760debb2084d801b6381a0e1dcef66080df03a768cc577b20b8472be87ad8477d59c331159555de10182d87340aa68fe1f3f5d0212048fd7692d85f4da656f6

Download Submit
C:\Windows\Installer\MSI8F6F.tmp

Filesize
341KB

MD5
74528af81c94087506cebcf38eeab4bc

SHA1
20c0ddfa620f9778e9053bd721d8f51c330b5202

SHA256
2650b77afbbc1faacc91e20a08a89fc2756b9db702a8689d3cc92aa163919b34

SHA512
9ce76594f64ea5969fff3becf3ca239b41fc6295bb3abf8e95f04f4209bb5ccddd09c76f69e1d3986a9fe16b4f0628e4a5c51e2d2edf3c60205758c40da04dae

Download Submit
C:\Windows\Installer\e58466a.msi

Filesize
18.1MB

MD5
c100a128beb3b2352cd7a85b5717db2d

SHA1
9db053864804ac8b3bfed3b574d939c17265a598

SHA256
9bd06f93896bda31edb12e3d4b4c03f134ae78d21be713243068e7f251bb66c3

SHA512
eeba03027102e1bd5b12e2cec1bccf6d4687d779e38a7df742a427525a7f03ffdb436c4b0f85be9472f3d81afc014d9464b324d2227a535e0a32199fd901853e

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
c9f2eb9a31df372d74908346c7504e45

SHA1
75365ae0e5b96c980bd0777595e5e614628b3fbf

SHA256
618930e3e1770544e6eee022a2b2c6aa82a5ac5d7baf527485bbe655bbddede9

SHA512
28dbfafd14021a475065560a7240dc64878d90ba16a388bd69777445d28d70c68cc14983a796bbe84b9beabb30b1d36306a93b5696fd01b96f7f76a71ffa49c6

Download Submit
\??\Volume{ef76cfc2-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b24f0366-41da-4aab-bf14-8fb15583449f}_OnDiskSnapshotProp

Filesize
6KB

MD5
82cf0f4f24205dbb01d10e462dfb4283

SHA1
e36ed4b85135b053e1ecb0bfaaf50223c6360da9

SHA256
c738e16a379bc1ce846ff79f646ec40ca6cdd59729eaf285a37cbb5e6d40f52a

SHA512
b6dc32b3a6e0b3f49cec02a956a3388183da9bb64b30824785fec82919907c699d1539ebfe2997e36d355c963bb6635f01652f6cd56d7a2c1df706651729e86c

Download Submit