4235f05b99ae5dabadb5c10c124a0f7f7d4223e52df0857e4c4462b13f19c40e

Analysis

max time kernel
324s
max time network
313s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
21-06-2024 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

node-v20.14.0-x64.msi
Size

25.3MB
MD5

30ac11856e473e7f2e0fba7f2ac241e5
SHA1

7e74eca21c5a8936081ff05cb2c743e17bc466e1
SHA256

4235f05b99ae5dabadb5c10c124a0f7f7d4223e52df0857e4c4462b13f19c40e
SHA512

644e0e3f905c8da9236537b8ce34ef23669ecfbccdf3ffa28ebba71e7258d62d804516fa47b0825ca016b50aaf7f353a12f99b3a3f0d8c08c11ab5da9eddade4
SSDEEP

393216:VGmsMJelABFMciP7d7yivXrokK2YGO/6QLu0YuJhqAphmAtvIQPNY3:nFJe6eDPxj9rYSNpEdhmlQlY3

Score

6^/10

persistence privilege_escalation

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

msiexec.exe

flow pid process

2 3092 msiexec.exe
3 3092 msiexec.exe

flow	pid	process
2	3092	msiexec.exe
3	3092	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\LICENSE-MIT	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\corepack\shims\yarn	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-access.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minipass\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\core\dist\asn1\parse.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\isexe\windows.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\packaging\version.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\shebang-command\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\test.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@isaacs\cliui\node_modules\emoji-regex\LICENSE-MIT.txt	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\core\dist\rfc3161\timestamp.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\bin\npm.ps1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-audit.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\foreground-child\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-user-validate\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\signal-exit\dist\cjs\browser.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\iconv-lite\encodings\sbcs-data.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmexec\README.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\mkdirp\lib\path-arg.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\jackspeak\LICENSE.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\negotiator\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\dist\util\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\unique-slug\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@isaacs\cliui\node_modules\strip-ansi\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\git\lib\lines-to-revs.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\query\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\sign\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\internal\identifiers.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\search.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-help.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\core\dist\x509\ext.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@pkgjs\parseargs\examples\negate.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\glob\dist\esm\glob.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tiny-relative-date\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\just-diff-apply\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-login.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\query.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\glob\dist\commonjs\has-magic.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmaccess\README.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\promise-inflight\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\socks\docs\examples\javascript\bindExample.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\dist\selectors\universal.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\utils\completion.sh	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-fund.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\simple_copy.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\lib\util.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\normalize-package-data\lib\safe_format.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\read\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\safer-buffer\dangerous.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\clean.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmdiff\lib\format-diff.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\mkdirp\readme.markdown	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\input.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\coerce.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\read-package-json-fast\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\using-npm\logging.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\normalize-package-data\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\promise-all-reject-late\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\parse-conflict-json\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\text-table\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\bin\funding.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\path-scurry\LICENSE.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\lib\unpack.js	msiexec.exe

Drops file in Windows directory 19 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI2BCF.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFA7AD7AA39E04C5E3.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4A57.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI48A1.tmp	msiexec.exe
File created	C:\Windows\Installer\e582a68.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFE7A8DB621AFA9782.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\e582a66.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\{3754FE15-6D3F-4C6B-ABF5-AE4AEC711CEC}\NodeIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3093.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI31BC.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF8B12351B024B212C.TMP	msiexec.exe
File created	C:\Windows\Installer\e582a66.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\{3754FE15-6D3F-4C6B-ABF5-AE4AEC711CEC}\NodeIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2B70.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{3754FE15-6D3F-4C6B-ABF5-AE4AEC711CEC}	msiexec.exe
File created	C:\Windows\SystemTemp\~DF6222D682DBCBE36F.TMP	msiexec.exe

Loads dropped DLL 7 IoCs

Processes:

MsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exe

pid process

576 MsiExec.exe
576 MsiExec.exe
1128 MsiExec.exe
1128 MsiExec.exe
1128 MsiExec.exe
4304 MsiExec.exe
2276 MsiExec.exe
Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
persistence privilege_escalation

Installer Packages
T1546.016

Processes:

msiexec.exe

pid process

3092 msiexec.exe

pid	process
576	MsiExec.exe
576	MsiExec.exe
1128	MsiExec.exe
1128	MsiExec.exe
1128	MsiExec.exe
4304	MsiExec.exe
2276	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000034da22877284b450000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000034da2280000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900034da228000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d034da228000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000034da22800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exeWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies data under HKEY_USERS 5 IoCs

Processes:

msiexec.exechrome.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133634561682165461"	chrome.exe

Modifies registry class 29 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\51EF4573F3D6B6C4BA5FEAA4CE17C1CE\EnvironmentPathNode = "EnvironmentPath"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\51EF4573F3D6B6C4BA5FEAA4CE17C1CE\Version = "336461824"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782\51EF4573F3D6B6C4BA5FEAA4CE17C1CE	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\51EF4573F3D6B6C4BA5FEAA4CE17C1CE\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\51EF4573F3D6B6C4BA5FEAA4CE17C1CE\ProductName = "Node.js"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\51EF4573F3D6B6C4BA5FEAA4CE17C1CE\PackageCode = "3C5561556F9B7E448B6AEBF3B886BACA"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\51EF4573F3D6B6C4BA5FEAA4CE17C1CE\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\51EF4573F3D6B6C4BA5FEAA4CE17C1CE\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\51EF4573F3D6B6C4BA5FEAA4CE17C1CE\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\51EF4573F3D6B6C4BA5FEAA4CE17C1CE\NodeRuntime	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\51EF4573F3D6B6C4BA5FEAA4CE17C1CE\EnvironmentPath	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\51EF4573F3D6B6C4BA5FEAA4CE17C1CE\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\51EF4573F3D6B6C4BA5FEAA4CE17C1CE\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\51EF4573F3D6B6C4BA5FEAA4CE17C1CE\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\51EF4573F3D6B6C4BA5FEAA4CE17C1CE\npm	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\51EF4573F3D6B6C4BA5FEAA4CE17C1CE\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\51EF4573F3D6B6C4BA5FEAA4CE17C1CE\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\51EF4573F3D6B6C4BA5FEAA4CE17C1CE\corepack	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\51EF4573F3D6B6C4BA5FEAA4CE17C1CE\DocumentationShortcuts	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\51EF4573F3D6B6C4BA5FEAA4CE17C1CE\ProductIcon = "C:\\Windows\\Installer\\{3754FE15-6D3F-4C6B-ABF5-AE4AEC711CEC}\\NodeIcon"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\51EF4573F3D6B6C4BA5FEAA4CE17C1CE	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\51EF4573F3D6B6C4BA5FEAA4CE17C1CE	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\51EF4573F3D6B6C4BA5FEAA4CE17C1CE\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\51EF4573F3D6B6C4BA5FEAA4CE17C1CE\SourceList\PackageName = "node-v20.14.0-x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\51EF4573F3D6B6C4BA5FEAA4CE17C1CE\EnvironmentPathNpmModules = "EnvironmentPath"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\51EF4573F3D6B6C4BA5FEAA4CE17C1CE\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\51EF4573F3D6B6C4BA5FEAA4CE17C1CE\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\51EF4573F3D6B6C4BA5FEAA4CE17C1CE\SourceList	msiexec.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

2208 WINWORD.EXE
2208 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msiexec.exechrome.exe

pid process

4716 msiexec.exe
4716 msiexec.exe
3184 chrome.exe
3184 chrome.exe
Suspicious behavior: LoadsDriver 14 IoCs

Processes:

pid

4
4
4
4
4
652
4
4
4
4
4
4
4
4
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

3184 chrome.exe
3184 chrome.exe
3184 chrome.exe

pid	process
2208	WINWORD.EXE
2208	WINWORD.EXE

pid	process
4716	msiexec.exe
4716	msiexec.exe
3184	chrome.exe
3184	chrome.exe

pid
4
4
4
4
4
652
4
4
4
4
4
4
4
4

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	3092	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3092	msiexec.exe
Token: SeSecurityPrivilege	4716	msiexec.exe
Token: SeCreateTokenPrivilege	3092	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3092	msiexec.exe
Token: SeLockMemoryPrivilege	3092	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3092	msiexec.exe
Token: SeMachineAccountPrivilege	3092	msiexec.exe
Token: SeTcbPrivilege	3092	msiexec.exe
Token: SeSecurityPrivilege	3092	msiexec.exe
Token: SeTakeOwnershipPrivilege	3092	msiexec.exe
Token: SeLoadDriverPrivilege	3092	msiexec.exe
Token: SeSystemProfilePrivilege	3092	msiexec.exe
Token: SeSystemtimePrivilege	3092	msiexec.exe
Token: SeProfSingleProcessPrivilege	3092	msiexec.exe
Token: SeIncBasePriorityPrivilege	3092	msiexec.exe
Token: SeCreatePagefilePrivilege	3092	msiexec.exe
Token: SeCreatePermanentPrivilege	3092	msiexec.exe
Token: SeBackupPrivilege	3092	msiexec.exe
Token: SeRestorePrivilege	3092	msiexec.exe
Token: SeShutdownPrivilege	3092	msiexec.exe
Token: SeDebugPrivilege	3092	msiexec.exe
Token: SeAuditPrivilege	3092	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3092	msiexec.exe
Token: SeChangeNotifyPrivilege	3092	msiexec.exe
Token: SeRemoteShutdownPrivilege	3092	msiexec.exe
Token: SeUndockPrivilege	3092	msiexec.exe
Token: SeSyncAgentPrivilege	3092	msiexec.exe
Token: SeEnableDelegationPrivilege	3092	msiexec.exe
Token: SeManageVolumePrivilege	3092	msiexec.exe
Token: SeImpersonatePrivilege	3092	msiexec.exe
Token: SeCreateGlobalPrivilege	3092	msiexec.exe
Token: SeCreateTokenPrivilege	3092	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3092	msiexec.exe
Token: SeLockMemoryPrivilege	3092	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3092	msiexec.exe
Token: SeMachineAccountPrivilege	3092	msiexec.exe
Token: SeTcbPrivilege	3092	msiexec.exe
Token: SeSecurityPrivilege	3092	msiexec.exe
Token: SeTakeOwnershipPrivilege	3092	msiexec.exe
Token: SeLoadDriverPrivilege	3092	msiexec.exe
Token: SeSystemProfilePrivilege	3092	msiexec.exe
Token: SeSystemtimePrivilege	3092	msiexec.exe
Token: SeProfSingleProcessPrivilege	3092	msiexec.exe
Token: SeIncBasePriorityPrivilege	3092	msiexec.exe
Token: SeCreatePagefilePrivilege	3092	msiexec.exe
Token: SeCreatePermanentPrivilege	3092	msiexec.exe
Token: SeBackupPrivilege	3092	msiexec.exe
Token: SeRestorePrivilege	3092	msiexec.exe
Token: SeShutdownPrivilege	3092	msiexec.exe
Token: SeDebugPrivilege	3092	msiexec.exe
Token: SeAuditPrivilege	3092	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3092	msiexec.exe
Token: SeChangeNotifyPrivilege	3092	msiexec.exe
Token: SeRemoteShutdownPrivilege	3092	msiexec.exe
Token: SeUndockPrivilege	3092	msiexec.exe
Token: SeSyncAgentPrivilege	3092	msiexec.exe
Token: SeEnableDelegationPrivilege	3092	msiexec.exe
Token: SeManageVolumePrivilege	3092	msiexec.exe
Token: SeImpersonatePrivilege	3092	msiexec.exe
Token: SeCreateGlobalPrivilege	3092	msiexec.exe
Token: SeCreateTokenPrivilege	3092	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3092	msiexec.exe
Token: SeLockMemoryPrivilege	3092	msiexec.exe

Suspicious use of FindShellTrayWindow 29 IoCs

Processes:

msiexec.exechrome.exe

pid	process
3092	msiexec.exe
3092	msiexec.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

chrome.exe

pid	process
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe
3184	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

2208 WINWORD.EXE
2208 WINWORD.EXE
2208 WINWORD.EXE
2208 WINWORD.EXE
2208 WINWORD.EXE
2208 WINWORD.EXE
2208 WINWORD.EXE

pid	process
2208	WINWORD.EXE
2208	WINWORD.EXE
2208	WINWORD.EXE
2208	WINWORD.EXE
2208	WINWORD.EXE
2208	WINWORD.EXE
2208	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exechrome.exe

description	pid	process	target process
PID 4716 wrote to memory of 576	4716	msiexec.exe	MsiExec.exe
PID 4716 wrote to memory of 576	4716	msiexec.exe	MsiExec.exe
PID 4716 wrote to memory of 1172	4716	msiexec.exe	srtasks.exe
PID 4716 wrote to memory of 1172	4716	msiexec.exe	srtasks.exe
PID 4716 wrote to memory of 1128	4716	msiexec.exe	MsiExec.exe
PID 4716 wrote to memory of 1128	4716	msiexec.exe	MsiExec.exe
PID 4716 wrote to memory of 4304	4716	msiexec.exe	MsiExec.exe
PID 4716 wrote to memory of 4304	4716	msiexec.exe	MsiExec.exe
PID 4716 wrote to memory of 2276	4716	msiexec.exe	MsiExec.exe
PID 4716 wrote to memory of 2276	4716	msiexec.exe	MsiExec.exe
PID 4716 wrote to memory of 2276	4716	msiexec.exe	MsiExec.exe
PID 3184 wrote to memory of 3284	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 3284	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 4876	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 4876	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 4876	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 4876	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 4876	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 4876	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 4876	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 4876	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 4876	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 4876	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 4876	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 4876	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 4876	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 4876	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 4876	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 4876	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 4876	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 4876	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 4876	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 4876	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 4876	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 4876	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 4876	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 4876	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 4876	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 4876	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 4876	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 4876	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 4876	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 4876	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 4876	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 2088	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 2088	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 3916	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 3916	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 3916	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 3916	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 3916	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 3916	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 3916	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 3916	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 3916	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 3916	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 3916	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 3916	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 3916	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 3916	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 3916	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 3916	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 3916	3184	chrome.exe	chrome.exe
PID 3184 wrote to memory of 3916	3184	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\node-v20.14.0-x64.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3092

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4716
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 6E38EF1B90AB766BD72D5E547F7728B1 C
  2⤵
  - Loads dropped DLL
  PID:576
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1172
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 3F3888540638D355AA7277A0F99760DB
  2⤵
  - Loads dropped DLL
  PID:1128
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 98483A8F344782937F719E7DA004AB0C E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:4304
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D435DC820BFE516CC559E62E76A6A7F2
  2⤵
  - Loads dropped DLL
  PID:2276

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4932

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1240

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\LockWrite.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff8c67fab58,0x7ff8c67fab68,0x7ff8c67fab78
  2⤵
  PID:3284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1624 --field-trial-handle=1784,i,10654641386900126276,7451470667270793650,131072 /prefetch:2
  2⤵
  PID:4876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 --field-trial-handle=1784,i,10654641386900126276,7451470667270793650,131072 /prefetch:8
  2⤵
  PID:2088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2172 --field-trial-handle=1784,i,10654641386900126276,7451470667270793650,131072 /prefetch:8
  2⤵
  PID:3916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1784,i,10654641386900126276,7451470667270793650,131072 /prefetch:1
  2⤵
  PID:2444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3164 --field-trial-handle=1784,i,10654641386900126276,7451470667270793650,131072 /prefetch:1
  2⤵
  PID:2696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3488 --field-trial-handle=1784,i,10654641386900126276,7451470667270793650,131072 /prefetch:1
  2⤵
  PID:3180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3444 --field-trial-handle=1784,i,10654641386900126276,7451470667270793650,131072 /prefetch:8
  2⤵
  PID:4768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4576 --field-trial-handle=1784,i,10654641386900126276,7451470667270793650,131072 /prefetch:8
  2⤵
  PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4588 --field-trial-handle=1784,i,10654641386900126276,7451470667270793650,131072 /prefetch:8
  2⤵
  PID:1404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4684 --field-trial-handle=1784,i,10654641386900126276,7451470667270793650,131072 /prefetch:8
  2⤵
  PID:1496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 --field-trial-handle=1784,i,10654641386900126276,7451470667270793650,131072 /prefetch:8
  2⤵
  PID:1980

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e582a67.rbs

Filesize
810KB

MD5
5a3d6dfbc1a7c4d0b5667b0a083d59eb

SHA1
fb755935691d6da9c833a9ede16a0d30480ba780

SHA256
e4c4880bac4284162e43c77da14c32d43bdecde84834eaef045cc95b7aa8b438

SHA512
6a0c69bb9f9f3f47d5f2d6521781910f4c174fe30d23c3ea810b76d56556996e7cfb6002685192e1557c3c3c5196397d6836d59251bf35b0f4b8c56d8d381a5d

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\tuf\LICENSE

Filesize
11KB

MD5
dfc1b916d4555a69859202f8bd8ad40c

SHA1
fc22b6ee39814d22e77fe6386c883a58ecac6465

SHA256
7b0ce3425a26fdba501cb13508af096ade77e4036dd2bd8849031ddecf64f7c9

SHA512
1fbe6bb1f60c8932e4dcb927fc8c8131b9c73afd824ecbabc2045e7af07b35a4155a0f8ad3103bf25f192b6d59282bfc927aead3cb7aaeb954e1b6dbd68369fa

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\verify\dist\shared.types.js

Filesize
79B

MD5
24563705cc4bb54fccd88e52bc96c711

SHA1
871fa42907b821246de04785a532297500372fc7

SHA256
ef1f170ad28f2d870a474d2f96ae353d770fff5f20e642cd8f9b6f1d7742df13

SHA512
2ce8d2cf580623358fef5f4f8925d0c9943a657c2503c80048ca789bf16eacdb980bfc8aaaa50101a738e939926fcf2545500484dcad782c700ee206d8c6f9b9

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE

Filesize
754B

MD5
d2cf52aa43e18fdc87562d4c1303f46a

SHA1
58fb4a65fffb438630351e7cafd322579817e5e1

SHA256
45e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0

SHA512
54e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\chalk\license

Filesize
1KB

MD5
b862aeb7e1d01452e0f07403591e5a55

SHA1
b8765be74fea9525d978661759be8c11bab5e60e

SHA256
fcf1a18be2e25ba82acf2c59821b030d8ee764e4e201db6ef3c51900d385515f

SHA512
885369fe9b8cb0af1107ee92b52c6a353da7cf75bc86abb622e2b637c81e9c5ffe36b0ac74e11cfb66a7a126b606fe7a27e91f3f4338954c847ed2280af76a5f

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\indent-string\license

Filesize
1KB

MD5
5ad87d95c13094fa67f25442ff521efd

SHA1
01f1438a98e1b796e05a74131e6bb9d66c9e8542

SHA256
67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec

SHA512
7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\ini\LICENSE

Filesize
780B

MD5
b020de8f88eacc104c21d6e6cacc636d

SHA1
20b35e641e3a5ea25f012e13d69fab37e3d68d6b

SHA256
3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706

SHA512
4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmsearch\LICENSE

Filesize
730B

MD5
072ac9ab0c4667f8f876becedfe10ee0

SHA1
0227492dcdc7fb8de1d14f9d3421c333230cf8fe

SHA256
2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013

SHA512
f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\LICENSE

Filesize
802B

MD5
d7c8fab641cd22d2cd30d2999cc77040

SHA1
d293601583b1454ad5415260e4378217d569538e

SHA256
04400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be

SHA512
278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\index.js

Filesize
16KB

MD5
bc0c0eeede037aa152345ab1f9774e92

SHA1
56e0f71900f0ef8294e46757ec14c0c11ed31d4e

SHA256
7a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5

SHA512
5f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\package.json

Filesize
1KB

MD5
d116a360376e31950428ed26eae9ffd4

SHA1
192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b

SHA256
c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5

SHA512
5221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\npm-profile\LICENSE.md

Filesize
818B

MD5
2916d8b51a5cc0a350d64389bc07aef6

SHA1
c9d5ac416c1dd7945651bee712dbed4d158d09e1

SHA256
733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04

SHA512
508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\path-scurry\dist\commonjs\package.json

Filesize
28B

MD5
56368b3e2b84dac2c9ed38b5c4329ec2

SHA1
f67c4acef5973c256c47998b20b5165ab7629ed4

SHA256
58b55392b5778941e1e96892a70edc12e2d7bb8541289b237fbddc9926ed51bd

SHA512
d662bff3885118e607079fcbeedb27368589bc0ee89f90b9281723fa08bda65e5a08d9640da188773193c0076ec0a5c92624673a6a961490be163e2553d6f482

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\path-scurry\dist\esm\package.json

Filesize
26B

MD5
2324363c71f28a5b7e946a38dc2d9293

SHA1
7eda542849fb3a4a7b4ba8a7745887adcade1673

SHA256
1bf0e53fc74b05f1aade7451fbac72f1944b067d4229d96bae7a225519a250e4

SHA512
7437cf8f337d2562a4046246fbfcc5e9949f475a1435e94efbc4b6a55880050077d72692cbc3413e0ccd8f36adf9956a6cc633a2adc85fbff6c4aa2b8edac677

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-call-limit\LICENSE

Filesize
763B

MD5
7428aa9f83c500c4a434f8848ee23851

SHA1
166b3e1c1b7d7cb7b070108876492529f546219f

SHA256
1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7

SHA512
c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\es2015\index.js

Filesize
17KB

MD5
cf8f16c1aa805000c832f879529c070c

SHA1
54cc4d6c9b462ad2de246e28cd80ed030504353d

SHA256
77f404d608e2a98f2a038a8aa91b83f0a6e3b4937e5de35a8dae0c23aa9ee573

SHA512
a786e51af862470ae46ad085d33281e45795c24897e64b2c4b265302fa9cbfa47b262ec188adbc80d51cfc6ba395b500c0d7f5d343ca4fc2b828eaedba4bd29a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\index.js

Filesize
15KB

MD5
9841536310d4e186a474dfa2acf558cd

SHA1
33fabbcc5e1adbe0528243eafd36e5d876aaecaa

SHA256
5b3c0ac6483d83e6c079f9ffd1c7a18e883a9aaeaedb2d65dd9d5f78153476b9

SHA512
b67680a81bb4b62f959ba66476723eb681614925f556689e4d7240af8216a49f0d994c31381bf6a9489151d14ed8e0d0d4d28b66f02f31188059c9b24aaa3783

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.url

Filesize
168B

MD5
8f744d8f2032ba038fd20caf8db287a4

SHA1
e6af902b70c40cd25ad33250166ca954d8b9d0bd

SHA256
3617bdfccfe671aa541cf0157b403549ffb41d2fc4d34a075a83b8097d6973be

SHA512
5654d8cf41d0ac566eff507b2d735d41875aa8d6788105cb242de473a55288dae3106b19d6b42f1192d21ab9a9e007459e86f0b678cb41c15c05bdab0d3e1d28

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js website.url

Filesize
133B

MD5
35b86e177ab52108bd9fed7425a9e34a

SHA1
76a1f47a10e3ab829f676838147875d75022c70c

SHA256
afaa6c6335bd3db79e46fb9d4d54d893cee9288e6bb4738294806a9751657319

SHA512
3c8047c94b789c8496af3c2502896cef2d348ee31618893b9b71244af667ec291dcb9b840f869eb984624660086db0c848d1846aa601893e6f9955e56da19f62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
c102331e468eb05398ed0edac7c36c08

SHA1
4079e9062a246fcafae9223574c3d33cd7f699ab

SHA256
e58d1c15d8b7f32fdd5af1e4de65a4d0fb4a41e28fd6cbec2e1f82d5f29d2f1f

SHA512
fe814bbeaf41fdb4b6d73f1279ebf4b2e5c9d99e0ecac40fb2d4c5135f5faeb34bf6f90ec5b8a4d56dedd47e0a326f4accc4a3d97afaedf737a1e119caee80df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_0D7BFF9D231ADDC3439B70E4C5E809D4

Filesize
727B

MD5
76ee6fc21dc74f26ba1764bea7aa29d1

SHA1
16591ef338f295467c55a0927fa7954218d5257f

SHA256
6726036d4fc18bb547738c732662bbb05b44d3c7bf7b7c3ddfb9d09be543a782

SHA512
1af67b9ca0567ff4e1a5deaa219e64d57217346eb0877e25a2d1ba1942ca4bfa4d8d1b6b67586ae2e08e5a02a6cbcf5ca153a3d9f6899a5b27d19aa62d224b23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
0b88de29c08617bee5b28b7e00921e0d

SHA1
5ac0c8703b1ffbd892c89ce1f8baaba1392126ea

SHA256
c8633457cf30e01fe5624cc2d3a5cdb24c6fea13fb1ec9a65e746e5741a13e53

SHA512
59e8e92a4e78c377d127a393b98b089ce7880d70f4442b57fdcfff92634ece870960e3b02cc0c478c4c9d46b6ddd1270bff0936ec596b205ef5dce42012f65a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
567aeb827a5b558c8177bef6f45c5fa3

SHA1
4fe44d09239e9f117108db569813916c3e6d77c1

SHA256
4e9a63003f591543726ec4c3b9e3eda72f72f5aa7d951b5b6f3af6cd37bb727d

SHA512
684200aedf58a60e058fd4e7793a6854d236e326a5247a7d5b4fbe2b61b239ceb9e4573db34ae8282743ca9cb7ea1701d45dbd63918b877d8202acd29e06512f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_0D7BFF9D231ADDC3439B70E4C5E809D4

Filesize
404B

MD5
d687205b4290fd648f37083279f2516a

SHA1
7c4bc8c388d71bdf8691f2311004046f1e854c92

SHA256
14363725ae9c77eca43969db42481fcabf213320c91d70ad7694e72578145c33

SHA512
b307b2725d65e7e6bec36842c44bb98733b02c510e63a382d7670fc6e13dc77b0840685a567d9168d0a746c29368ab4ec08d21711f4eb997eef1d5d4399673ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
f9bb0bc9f7c76fb7b77e242e8adbbf53

SHA1
669ba3723ba6c32b0525c769e0ca49efb5f1c00d

SHA256
d6f379f5f939de068f9729fb81eae57f7943749a6b415ff478f80bee40be0c31

SHA512
b226b56c8f79806113f20be13331d8d0c971e21dd425c2ef91f9b24c7d4883153e7cdde51299192b47950483a42bba14550c4bf6f783625262e8bf9d9270f0c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\59aa29ca-1478-47f4-94b4-8c4325c2244c.tmp

Filesize
16KB

MD5
f5ca3c703c9a867bfbc788a33fada6e4

SHA1
f557b058d1c5d1f9fc6911c876c729fcce3a3987

SHA256
b3a6916afafe7903a0ac42f9553ce970d9ed0f9e88e711871954f9a2884ab39e

SHA512
d899557d1aaf65b14a6ed204e648c561cd9238ea3d1931e3adbb40ad1e7aec4ef032df689f64383a0bdf1f88c2b9927e7301b86ee08121920efc36a8202ce6ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
273370dc55da29dc519dca10ebfa7db2

SHA1
9c75d0c68b8c5ea08c57456531e000cd79d91f9c

SHA256
3ecb3197b5a4faa388e4b67db6355d288a1baaab3817eb81961ec1a9ad8fc512

SHA512
f6f7371b171c5a2716e55f0beb9f76cb31b8edbbf21f21a73264ab0ca20cbe506d13589418c3d8b243131f2d526e87c58a83b8661b69267baf6b5f2d017f5b09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
f0317b0f2b6d203872fb7cdf67fd3411

SHA1
c5c6aacde3becaf11ecee3c6c85e57670245b365

SHA256
27a242aecc703f7c21176eee5ffbcd4ebc367f062b159e77bb2d235ca3d1c359

SHA512
13d712b782f5543b70d2be1a2f7eca1a00b6111a26351e14a7dd82f4391d7f551493a1c33b9b218058b138c5b1836d51932187f314e9786d5b4cd85c3b6b3bc3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
127b0d881c4c892ba41caebd14d6bd1a

SHA1
64842dc265f100f20153c210e1e2ef7646847f6e

SHA256
ed7e6906be58ad5d226443b4b699adf1a046926a1e2e8353b026437fd67ff743

SHA512
840672fec6730e7e1cff8d34291dad5502302041e2e3ec028dee5be173e6cf8da67482ce8863e2c6863c33b0965b591ad3da48048d0396b91a2a33ab8f79c778

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
140KB

MD5
1bd84f42e3a877cd2cc9d988974c3c9f

SHA1
89b23c4d33fc2ed05370527fbfcca48c659eec54

SHA256
6069e1d8e3489d48e12dbc23f1eabdbae8b8cb1fb636e439c3aabb1e7295967b

SHA512
0b1fbc9b4c1c7c3098672238800c4df9e77bfe7885a3f4b5483001a7a876d3735535814e342b4dfb00ca6444e2627e4c76d1cd38c8a102f31890f4414b0f5a33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
281KB

MD5
ef454a3dff40b8a76702365084bf8c11

SHA1
58bd4ff46ca88381523f4caf6c9596538bc60655

SHA256
2243d059c03dddead121ccec477aa72c1039c7ed2a82dd115e9299590e8dffff

SHA512
c2d8fe1e41ec6c180be813ef10487642cae8fc68d4949570a5cd76c9f79e2eee710b69a1a945e758403a53338a790db86f4fb462c8ac370593c706291dd3af9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
281KB

MD5
1c313fcbc3b0b41fc8d78e92e1c64e08

SHA1
d0e5c042eb8cda15d80a6475e26796cd74b14773

SHA256
cc53fbcba585d27a03a5770c0acae89c56a31107bfa824dc108e4ceab0ce3115

SHA512
c0ef6bfb0d666e8127553310e60cb64fdf1a7b0a9aa533b367fc12a1aa5dde899f30139ed7e2881ab8bc96ac864621fdd67f5b60b74c38c0108f90a2a2ba6a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICE3D.tmp

Filesize
125KB

MD5
941ce2cb57c63b64b2aaa31d7c6b9d2d

SHA1
d147bf34ab8dd94b9f67a71428c88a274cd8f730

SHA256
560c9715d90c7a0566ed36e952702c5758fcd27b80f99801bfd435fea7e16cb6

SHA512
d8fc9dc3ccaad50a140040500d6bca841b06a26c416819792f5702e719fcc840a30dc8dc96d8e31a45adf6f3231e2f1adc1608febfed75b95674faf802ea805e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICEDA.tmp

Filesize
390KB

MD5
80bebea11fbe87108b08762a1bbff2cd

SHA1
a7ec111a792fd9a870841be430d130a545613782

SHA256
facf518f88cd67afd959c99c3ba233f78a4fbfe7fd3565489da74a585b55e9d1

SHA512
a760debb2084d801b6381a0e1dcef66080df03a768cc577b20b8472be87ad8477d59c331159555de10182d87340aa68fe1f3f5d0212048fd7692d85f4da656f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCDBBB4.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\Desktop\ApproveCompress.wdp

Filesize
342KB

MD5
8b29fac7c03814dcc9581b93abeee641

SHA1
ac7625f6e84473129d646c2041874c5dfaa428ea

SHA256
0c7015837bb47dc654908f8d5149302422152d52899a3a2e52a8609d1774adf5

SHA512
ebb247245e60c5e4b3215d99746fb27650cd16212fd7f7a0cb5dede0f6c41ff85d45a370a1ca98c21076986a2febf38f7eb9a51475e07c55f2d1f23c772778bc

Download Submit
C:\Users\Admin\Desktop\ApproveDisable.jpeg

Filesize
185KB

MD5
903236a44be79f41b45febfb73293cdc

SHA1
8a6894c292f008359b5ef6ea63fcf1a698d55860

SHA256
5b611f39dc81f94854cf4140765f1a14ca3e69958a0a8c3c70d892fdc653dc0f

SHA512
c3ff3331fce1f25676f0edb02f83b18e30511cbf2e0a73e89d5fde8d7c06532b234f6d5cd28bafc69cb0e1d38d58212b58448ad10b605043eb2f005c53b59d99

Download Submit
C:\Users\Admin\Desktop\ApproveDismount.dib

Filesize
264KB

MD5
09db5942392ec2dd7d3f4c61c58e2792

SHA1
7baee2abeb64b1c1fdc7b25fb6500c4febf4b63b

SHA256
4a70c0057f3bdee091abae5e7e196e9e9242d22d9a3dfacb96c5e4f038bbfd06

SHA512
dc622e741c3af277adde7ff2ecc30484ffae382fd09f03684348669cfd959ff817babbb50c357358aa0f5e0c623245dc32df4a728a84e4e516e739a8e95b70d6

Download Submit
C:\Users\Admin\Desktop\ConvertFromRename.bin

Filesize
275KB

MD5
1080096a41a4cecd56a31f2c021c0eb8

SHA1
fd8827bbb4bdba59386d7740ba06e9012ae214a0

SHA256
ebdad5e32f4ce25d33f0cd191f4838f0d0cf63df2b793b57e1cdcabfaa2c5564

SHA512
c04bb547e9eef6da95a148957e1cf62decbb026cacdbb5abd6f3f74547e025f9a54895589468ad0a49a60df434c6473ef9e9c7ed6d05b9517b54ba2c22e42b61

Download Submit
C:\Users\Admin\Desktop\ConvertFromReset.M2T

Filesize
309KB

MD5
6a826c05714be1848800877026152503

SHA1
c03c7a6e7b7acb135ccd6f12caeac53de6053403

SHA256
07ec6cc4cc4f4af67e40faf63152c6a22199fce13571277177bf4ffcc84aed87

SHA512
e1c1668e59d85fabb57da7988dfa936bd905b550f14426aa9305cfd8093a1de8edbc1d2051e81e1733fae2cf7cc61ab4984483d72bbd7809f275901eef7d9707

Download Submit
C:\Users\Admin\Desktop\CopyWait.odt

Filesize
162KB

MD5
0a4756bde5fca30526ecef6a020614a2

SHA1
4aaa37e26340a76194ea7f0c8d908a5cd261d201

SHA256
4fc19a1413a97b213ad0d3be0066a91e3721bfabae857dc51c7dea56b5f68ae5

SHA512
6a1c728276f6059ee0b4805ebdeb4a45b5c9bde9e77e5b70020ea452e4d6537be1ab613d147e339fff8278c44c6ef87dd9e6506d5a7b22e30882bff9a5367141

Download Submit
C:\Users\Admin\Desktop\DenySkip.pptm

Filesize
174KB

MD5
00a1003d3ceaa43e5093a79c65459de2

SHA1
ec93ae8d3191f711492083cb3ff255fb529538eb

SHA256
d8c463d37e94be5a4170405ac97d26d208d8182d4d1e1bb4576905e5aa8cea85

SHA512
14264b14feade6afc5a9f73c6106e49461c11dd43c93e1a9d3deaf8181e568b0d8cf373108e50045c21a1740fb5256344f0deb3dd698e7fcc76752ed8015cdad

Download Submit
C:\Users\Admin\Desktop\DenyUnpublish.reg

Filesize
252KB

MD5
9cc7f20728f02d05b1926b5e84551cfc

SHA1
1f6313c6440a0b90e6aa282224ae3e0434641fbf

SHA256
88f50ac6045823019eb0013c0de64a18aa76073166ab0785b929367b3a525728

SHA512
ceaf21e34e5830cd37c259161210780af7d5fe5b5e01651ebd8202823f8bdf09421633749f8a5c92713d948f8551f8786ad704cf27de0c907fe4c289e0a21b07

Download Submit
C:\Users\Admin\Desktop\FormatRepair.asx

Filesize
207KB

MD5
37a1645009ffeed6b93fdd395983dff4

SHA1
4930b5e551d62cb5670c0b6eb1eeb4ba8caad5a6

SHA256
85913dd9746bb4653ac1fbbd93e444094778e5dd945da6476fcac2f13439082a

SHA512
f01225d378356a4e30396eee2b0f1eed32605713cb19ae739efca8a1fa5c40a9a17d54c30a1c1183add1611173717e07ee6fc83c35894bf2e865953a603286c3

Download Submit
C:\Users\Admin\Desktop\GetConvert.ico

Filesize
320KB

MD5
85d8904758484cd975bef2f149434e71

SHA1
9d3c12e8b1c60d1940a63f202678034e57e3b81c

SHA256
ca39932d9ace77e8ef4c7c904cfab48bed32f9cedac3b369fbe53b645a15d021

SHA512
7d36716fc709ff26834e405f6eae7af0db3c858e35aabf1b8ca20348a5071a00fdce64c1ca3bb4fe958b647e7447159fa23a960969060d58af7575dd9404acbb

Download Submit
C:\Users\Admin\Desktop\InstallSwitch.m1v

Filesize
376KB

MD5
aae527b666c537fc24add059bf2401db

SHA1
cc75e5b3876cd5a3c5933e9b62ebc3c326f65dd4

SHA256
18ee03cee05a0acd567b45db3a380c9dfaf2eab9b19eeb3e66e58c5b50701e8b

SHA512
7cd33577ba13d49039ac9582bf1a1ab2eb1b9879ed778a9de07066ffc9987fb051be9d13f3153461a30cb4c2d42c246869683dd1e8ffcf40e3d9d5a5880b96f6

Download Submit
C:\Users\Admin\Desktop\InvokeCheckpoint.mp4

Filesize
151KB

MD5
8a2e16275055064331374b1f3a9d4931

SHA1
6d4b85bbb7a58be183c92d3abb0709f260efd103

SHA256
4532d6c93a1552520843cf91e0002ce5b1da9eb9edca3d07369b6003544e6e61

SHA512
f1ca9bec94f0318bf6e4887a114fea32dadf8af3ef274766aa8e12cd4be03b0cdb9cc47a2d705887780ad177d80a0be816c5adfd0218537dbf0ca05373ade6cf

Download Submit
C:\Users\Admin\Desktop\JoinApprove.bmp

Filesize
365KB

MD5
ffa8edd9680bafc05cd026f0b029ad86

SHA1
dbfac0430fd8b95d782350851598c1eb8eab8281

SHA256
937e52201e234d38cf12d62707f17050db8003a81214ed78460a955fed782c28

SHA512
58e60e81454a588335c786ccaca0538641e5c8f5270d75b1a4979635d73147f4a1922253887ccfaf9d90a094b4a01794080f3b8dfcef16c685910a38d5282ba7

Download Submit
C:\Users\Admin\Desktop\OptimizeConvert.ps1xml

Filesize
219KB

MD5
25c3c41ea169645190cab565dd04a8e1

SHA1
dce46f8cae8aef08e6f006d3f5ac2cf68c1994e3

SHA256
c3c48029eb38f166708135cf47a7d0650f443f375c5c7f5238f3d0cbe47b74e6

SHA512
63584decc87cab6e3d056d2af712afa981f949d3fd097487595b843cf8f9adb8a220c0070e7ed2b2dd803e397a8ca072db9f44629855d6a8fbf3539d033b0017

Download Submit
C:\Users\Admin\Desktop\PingImport.xla

Filesize
387KB

MD5
a867ed4ea19db96138933cccebdc9d41

SHA1
e261b13dcbfe4df4f3575629fda57c1d3e85455b

SHA256
a972ee7647a396a9e9712fb904c35afae7a56585bd9a3168231209f4c5c0f01f

SHA512
61243e33b2b48d46dc1b1d902d13503f4940a7d3fd1964ba6f8e3372b58c78785b6f0e5d8028b8f1e23d4bd3aca10de4e2c0a8e53c271d34d5b63959ab8b430f

Download Submit
C:\Users\Admin\Desktop\ReadAssert.rtf

Filesize
230KB

MD5
7329fdecf7d93916775f86c396b31765

SHA1
1fd0626666c6bfd0df32bcd810c08b5db62226cf

SHA256
c3feaace36accff3781e4704ce979d443259ed34a9753cfbfe763800af18d14b

SHA512
3c72104f3b000aad08e824ea4685190cc265221f2efed097e06ed63ce0c4662befec79b3a2b8cbf1c40f841ff47774c960315f2a5d55d7a3608cbf0c0f123969

Download Submit
C:\Users\Admin\Desktop\ReceiveBlock.xhtml

Filesize
286KB

MD5
b082a7b9f3811f774b2dc23c220bd7b6

SHA1
37c0c6e86b27b39ecdf5b0b8d8536ac8d36b5c25

SHA256
2959419e4eb3ae17efa46dfc46f062f836eaccc54bb60253a893d1d3c5f43b29

SHA512
2c4542a0e7b6289e936eed5f0f8a5ea79a1fcf133442453b5aacce38399c55b35c390f3df790ac5e0eebe1153fe536082000b7cd142f36e17d8edf319ed1e69a

Download Submit
C:\Users\Admin\Desktop\ReceiveMount.mpeg3

Filesize
421KB

MD5
2ad6e7352b666a62fb543d318191dac8

SHA1
233fad188d2040d5f7717b3c149d6a951fb9840d

SHA256
c437bb422fb6d904ee7469e851777e6e21fb621b254ba08cca8036ee5338ba0b

SHA512
4c0a0d89087f9706f0c97fe00c6d898103f097507e692d5eb8fe5b9c1bdaeb37cdcaae98be543d50b23a22a0a29e67d3bf6f5c4b1efb8e4f8a4389c14a441b20

Download Submit
C:\Users\Admin\Desktop\ReceiveSuspend.wav

Filesize
595KB

MD5
62d5904c1ea79d8e0e2851f166ea3951

SHA1
f3e0f86a4386db58e241a7940173b01530083fc9

SHA256
5facdd2fde831e69d220f8292f2107a541d38fcaf7a7bee0b7b626feb4eac9f6

SHA512
ce2872de553cfbb1954d87f2039f5a9fbdb5210e81ba03095fb1629f8e109cfa729447c6ea38f29a39d36c655d4b17369e8887dc830be79fbf114d4fbadce138

Download Submit
C:\Users\Admin\Desktop\RenameResume.rar

Filesize
398KB

MD5
09295299f6705e0027766ae40d0d1a24

SHA1
7c2d94bb789cf3e585e1b36296f31d8e5c74909e

SHA256
e88a04d6f739158bd0d48ca31e1bc34071a5a6644d7b24fad0ded32b54da143c

SHA512
e7dcfa135c5a5d79c66fb9429ac6a30608c5aa3b4015159986dce54759323a4bdbd779bd652c1780f79ccf9cce1c1cb4c1274d51e7a49c057a57a2bdf1b55475

Download Submit
C:\Users\Admin\Desktop\RevokeInvoke.zip

Filesize
432KB

MD5
9b2203a7d1c9316a8234c07258072ad3

SHA1
005e672c53572388c563328d6fa2d27e50dc54b8

SHA256
cc5af530b9a9fe58598d7c77b0f37369f8fda3fce1c797b705fa182be450beb8

SHA512
d5f72d72f17cb16457939a249e8f9950f452e0cd660825d7ee0dc7fee03558bcc9b0d9e335ef99096e9c6a463c419651641e8e705d77a42cf85f285edf2a66a3

Download Submit
C:\Users\Admin\Desktop\SearchClear.mht

Filesize
353KB

MD5
01a401aed9651422bf634d38042f1858

SHA1
41eed7ac03978d388e0540803d48a5393546aafe

SHA256
b4cfb59207a02fa20fb6cb54f18516bdaf3d52e160ae47f3096fa5c5afc4f110

SHA512
8b4dd3a09356fb4e643aa8e2b0d73d155e01521b62282342aba8d8d5623fdfd95fc86817b0d90795d315416aa839f7587949930c0a17cd5790def7932f4aef03

Download Submit
C:\Users\Admin\Desktop\SkipMount.lock

Filesize
331KB

MD5
d309da4c73ae8a46bfddaf7e38dab0c8

SHA1
3c37a46b39a577b37047032f7b8768d1a74d91a6

SHA256
b5226f5faf03f3ee5deff165c4fa68275dadbc014a385a491bd80918815393cd

SHA512
a0bb5fecdfbd07d0c6e13b1176262bbd2f4c99c1f5e28c31ed2433b3e9aa05a14fbf8cfff4f8d243416e759401a329c993418066dbbc3bee2a48dcfb3c37516c

Download Submit
C:\Users\Admin\Desktop\StepAssert.potm

Filesize
410KB

MD5
434ecf75fc755aac6f108769a19dd3ca

SHA1
9cbecdd84da0eb2566af5c514188a9a4dfc14ad4

SHA256
16658dc286f0a04bf15fe5ee25ca2d8f1825b33b52b2cada50893fedbb476066

SHA512
e8d0dd73850d36199fac084115ec3671e1fc00afa93672193e5d5ac831650a1de0b957a1eaf7d03e31c348b4866dd90ad6558436a741a1245869cb6c5228c7ae

Download Submit
C:\Users\Admin\Desktop\UnlockOptimize.asp

Filesize
241KB

MD5
c1d4057350541e683dc9dd4b3e3df4fe

SHA1
5d17d62bca78da8250ba4e1c28fde36b1b08930a

SHA256
f40e57272ec02beeb86298397195c309e1e6a12dbddc0b2a1940ed7202c660c3

SHA512
ebd10eb7c534f5f3b36adf6644b794283e62cd7ff22a50e7700165a04472b1790054127497a2999ecbcf1a678f9caf2f2788e7d574040cdd561ad62ce4b6479c

Download Submit
C:\Users\Admin\Desktop\UnlockSync.vst

Filesize
297KB

MD5
2afb89693f625c4eecbdeab8a782b65d

SHA1
195d03d53866a510dad7eab09115ef46702bb5c8

SHA256
0fc8fb916f9ec0fbb0752f78550d1484104dce3ea8308981d942e2c4f6f804cf

SHA512
882893d8de8c90818a0c43e436ee6c4d0ef70f9ae2a4f6960b408bb6d11f5063463d6181ec38f00abcacd87e547015838241ca6c5e49a3aeaddab506874cd823

Download Submit
C:\Users\Admin\Desktop\UnregisterAssert.wmf

Filesize
196KB

MD5
c4d6cf4ebc731c79dc7769c8ccd8b0c2

SHA1
748dff800dcd038dd67ec82e73265435b97fe5a3

SHA256
12e4d2160c8f614b3ab60752c8092ca8eace5ef929ea1afb44d12407f400923f

SHA512
828769dc2342e30883d6a988847afd617f3e6b2457b5391eb4534e26415a2425d1babf5f6c014e343b8483f91216ba25e837eab3360d3e45a45a3794ca92cf2c

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk

Filesize
2KB

MD5
3332937217e7fc3a5994f76f77e4a494

SHA1
2c41a6c81255c2854ce06fe91595c82d1286960d

SHA256
17773d25ce1e097da6df927e39f80645cec3285f6a1b7ab29bb818e67bf4cc63

SHA512
c42aaa6db3f76a671d3aab8fc4acaa3a6b7825d1a54795639708530fc4ba361c54e004cc1119b72786cdec59eeadcef76752887ba476db84ca66f44993205573

Download Submit
C:\Windows\Installer\MSI4A57.tmp

Filesize
341KB

MD5
74528af81c94087506cebcf38eeab4bc

SHA1
20c0ddfa620f9778e9053bd721d8f51c330b5202

SHA256
2650b77afbbc1faacc91e20a08a89fc2756b9db702a8689d3cc92aa163919b34

SHA512
9ce76594f64ea5969fff3becf3ca239b41fc6295bb3abf8e95f04f4209bb5ccddd09c76f69e1d3986a9fe16b4f0628e4a5c51e2d2edf3c60205758c40da04dae

Download Submit
C:\Windows\Installer\e582a66.msi

Filesize
25.3MB

MD5
30ac11856e473e7f2e0fba7f2ac241e5

SHA1
7e74eca21c5a8936081ff05cb2c743e17bc466e1

SHA256
4235f05b99ae5dabadb5c10c124a0f7f7d4223e52df0857e4c4462b13f19c40e

SHA512
644e0e3f905c8da9236537b8ce34ef23669ecfbccdf3ffa28ebba71e7258d62d804516fa47b0825ca016b50aaf7f353a12f99b3a3f0d8c08c11ab5da9eddade4

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
12.8MB

MD5
fa0201a127503a79d7a04206e33915fa

SHA1
81467587881a69fc81f3553570b4143c644b0df2

SHA256
0bbccde4f19ed4a56fc351ba2318019239028340d243a2d79b96b67217c7c094

SHA512
4aba44bba3747673dc875f055a0598b15edd3cc8225c313ebec7702cf58fde4fc2bbc4010783bc8658aa16fe72fb61e7e921e4cf13f68c13875b32f8011814fc

Download Submit
\??\Volume{28a24d03-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{2581044f-d609-4b22-991b-503ea0cf640c}_OnDiskSnapshotProp

Filesize
6KB

MD5
e279aa2baf0661201b3215c0246f48aa

SHA1
d2dff9ffbc58672da60f7f7caf8da55b30145d76

SHA256
1990d27d3cdfa66b81fa3bddec9414bf50b77417b9386727237d97c21ea018ba

SHA512
00695c8254f42f60a92ba54e0f56eb575791818a0735317b6ddcc8f59d3b64b58d30855f1278df7c5fe08403a76b6f7241c6858233527488ef21cb32ed83f275

Download Submit
memory/2208-2093-0x00007FF8A8590000-0x00007FF8A85A0000-memory.dmp

Filesize
64KB

Download
memory/2208-2602-0x00007FF8A8590000-0x00007FF8A85A0000-memory.dmp

Filesize
64KB

Download
memory/2208-2099-0x00007FF8A59F0000-0x00007FF8A5A00000-memory.dmp

Filesize
64KB

Download
memory/2208-2094-0x00007FF8A8590000-0x00007FF8A85A0000-memory.dmp

Filesize
64KB

Download
memory/2208-2095-0x00007FF8A8590000-0x00007FF8A85A0000-memory.dmp

Filesize
64KB

Download
memory/2208-2096-0x00007FF8A8590000-0x00007FF8A85A0000-memory.dmp

Filesize
64KB

Download
memory/2208-2097-0x00007FF8A8590000-0x00007FF8A85A0000-memory.dmp

Filesize
64KB

Download
memory/2208-2603-0x00007FF8A8590000-0x00007FF8A85A0000-memory.dmp

Filesize
64KB

Download
memory/2208-2604-0x00007FF8A8590000-0x00007FF8A85A0000-memory.dmp

Filesize
64KB

Download
memory/2208-2605-0x00007FF8A8590000-0x00007FF8A85A0000-memory.dmp

Filesize
64KB

Download
memory/2208-2098-0x00007FF8A59F0000-0x00007FF8A5A00000-memory.dmp

Filesize
64KB

Download