xworm | c0424d0ae06ca1e6e0249b40d33ac40d74075856d543ec0924884664fba52b79

Analysis

max time kernel
157s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-11-2024 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Windows10Upgrade9252.exe
Size

3.2MB
MD5

c0b25def4312fbddbcc4f01c6c0f5ba6
SHA1

8d16a183d61233e7d6b6af7b3cafc6645ac2acb1
SHA256

c0424d0ae06ca1e6e0249b40d33ac40d74075856d543ec0924884664fba52b79
SHA512

8c67619747bb108dae5661688ec8fa4c62bc6ac38ee6ff14a4691aab04d7ddd870fee4262cb30624a6bd85ac1f7595af05311496b0336f979e7e5f797791bc0e
SSDEEP

98304:GgjXlctych4cCzJ8k2omX8sUf0ht5f/LyXtcH/:JjKtych9CzJqXM32jyX

Score

10^/10

xworm defense_evasion discovery execution rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:15304

parents-hundred.gl.at.ply.gg:15304

Attributes

Install_directory
%ProgramData%
install_file
dllhost.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/5552-3464-0x0000000000CC0000-0x0000000000CDA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4696	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Windows10Upgrade9252.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	node.exe

Executes dropped EXE 5 IoCs

pid	Process
4976	Windows10UpgraderApp.exe
4724	node.exe
1556	node.exe
6064	node.exe
5552	cmd.exe

Loads dropped DLL 8 IoCs

pid	Process
4976	Windows10UpgraderApp.exe
5772	MsiExec.exe
5772	MsiExec.exe
4876	MsiExec.exe
4876	MsiExec.exe
4876	MsiExec.exe
5824	MsiExec.exe
1512	MsiExec.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
75	5288	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Hide Artifacts: Hidden Window 1 TTPs 1 IoCs

Windows that would typically be displayed when an application carries out an operation can be hidden.

defense_evasion

Hidden Window

T1564.003

pid	Process
3208	cmd.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
102	ip-api.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npx.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\ansi-styles\license	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cssesc\man\cssesc.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-package-arg\lib\npa.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\node_modules\mkdirp\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\node_modules\tar\dist\esm\normalize-windows-path.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\chownr\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\diff\dist\diff.min.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\data\win\large-pdb-shim.cc	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\packaging\requirements.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-docs.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-explore.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-query.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\core\dist\asn1\parse.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\lib\util\hash-to-segments.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\node_modules\mkdirp\dist\mjs\path-arg.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\make-fetch-happen\lib\cache\entry.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\dist\esm\index.js.map	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\node_modules\@npmcli\agent\lib\dns.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\sign\node_modules\unique-slug\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\glob\dist\commonjs\pattern.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\abbrev\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\minipass-fetch\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minimatch\dist\esm\escape.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\lib\mode-fix.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\minipass\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-find-dupes.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-fetch\lib\fetch-error.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\node_modules\@npmcli\fs\lib\cp\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man7\scripts.7	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@isaacs\cliui\node_modules\emoji-regex\es2015\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@tufjs\models\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\node_modules\mkdirp\dist\mjs\use-native.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\corepack\shims\nodewin\yarnpkg	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-init.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-stars.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-rebuild.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man7\workspaces.7	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmhook\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\normalize-package-data\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-prefix.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\glob\dist\commonjs\processor.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\isexe\windows.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\isexe\dist\cjs\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\proggy\lib\client.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\minipass-fetch\lib\body.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-token.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\lib\memoization.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\debug\src\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\glob\dist\esm\walker.js.map	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-install-checks\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\config.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\node_modules\@npmcli\agent\lib\options.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\org.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\signal-exit\dist\mjs\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\node_modules\@npmcli\agent\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\sign\node_modules\cacache\lib\rm.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\node_modules\mkdirp\dist\cjs\src\index.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\chalk\source\vendor\supports-color\browser.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cross-spawn\lib\util\readShebang.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\exponential-backoff\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\nopt\lib\debug.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\cli\entry.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@pkgjs\parseargs\internal\util.js	msiexec.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIE1.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{A6C2B110-5934-4A7F-B8C1-51E7CD51FF82}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF4B.tmp	msiexec.exe
File created	C:\Windows\Installer\{A6C2B110-5934-4A7F-B8C1-51E7CD51FF82}\NodeIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\e58ffb8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{A6C2B110-5934-4A7F-B8C1-51E7CD51FF82}\NodeIcon	msiexec.exe
File created	C:\Windows\Installer\e58ffba.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC0E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3C78.tmp	msiexec.exe
File created	C:\Windows\Installer\e58ffb8.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI130.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3989.tmp	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2112	4976	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows10Upgrade9252.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows10UpgraderApp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e6cf55ff94a5976e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e6cf55ff0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e6cf55ff000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de6cf55ff000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e6cf55ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Windows10UpgraderApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Windows10UpgraderApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\IESettingSync	Windows10UpgraderApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Windows10UpgraderApp.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133759163988431784"	chrome.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 31 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\011B2C6A4395F7A48B1C157EDC15FF28	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\011B2C6A4395F7A48B1C157EDC15FF28\NodeRuntime	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\011B2C6A4395F7A48B1C157EDC15FF28\DocumentationShortcuts	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\ProductIcon = "C:\\Windows\\Installer\\{A6C2B110-5934-4A7F-B8C1-51E7CD51FF82}\\NodeIcon"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\011B2C6A4395F7A48B1C157EDC15FF28\EnvironmentPathNode = "EnvironmentPath"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\011B2C6A4395F7A48B1C157EDC15FF28\npm	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\PackageCode = "7ADA4E96FE88DF64FB4F54512750A882"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\011B2C6A4395F7A48B1C157EDC15FF28\EnvironmentPath	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782\011B2C6A4395F7A48B1C157EDC15FF28	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\011B2C6A4395F7A48B1C157EDC15FF28\EnvironmentPathNpmModules = "EnvironmentPath"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\ProductName = "Node.js"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	powershell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\011B2C6A4395F7A48B1C157EDC15FF28\corepack	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\Version = "369819648"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\SourceList\PackageName = "node-v22.11.0-x64.msi"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2012	chrome.exe
2012	chrome.exe
5704	msiexec.exe
5704	msiexec.exe
1556	node.exe
1556	node.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	2244	Windows10Upgrade9252.exe
Token: SeRestorePrivilege	2244	Windows10Upgrade9252.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeShutdownPrivilege	5288	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5288	msiexec.exe
Token: SeShutdownPrivilege	2012	chrome.exe
Token: SeCreatePagefilePrivilege	2012	chrome.exe
Token: SeSecurityPrivilege	5704	msiexec.exe
Token: SeCreateTokenPrivilege	5288	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5288	msiexec.exe
Token: SeLockMemoryPrivilege	5288	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5288	msiexec.exe
Token: SeMachineAccountPrivilege	5288	msiexec.exe
Token: SeTcbPrivilege	5288	msiexec.exe
Token: SeSecurityPrivilege	5288	msiexec.exe
Token: SeTakeOwnershipPrivilege	5288	msiexec.exe
Token: SeLoadDriverPrivilege	5288	msiexec.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
5288	msiexec.exe
5288	msiexec.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe
2012	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4976	Windows10UpgraderApp.exe
4976	Windows10UpgraderApp.exe
4976	Windows10UpgraderApp.exe
4976	Windows10UpgraderApp.exe
4976	Windows10UpgraderApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 4976	2244	Windows10Upgrade9252.exe	85
PID 2244 wrote to memory of 4976	2244	Windows10Upgrade9252.exe	85
PID 2244 wrote to memory of 4976	2244	Windows10Upgrade9252.exe	85
PID 2012 wrote to memory of 1908	2012	chrome.exe	119
PID 2012 wrote to memory of 1908	2012	chrome.exe	119
PID 2012 wrote to memory of 1488	2012	chrome.exe	120
PID 2012 wrote to memory of 1488	2012	chrome.exe	120
PID 2012 wrote to memory of 1488	2012	chrome.exe	120
PID 2012 wrote to memory of 1488	2012	chrome.exe	120
PID 2012 wrote to memory of 1488	2012	chrome.exe	120
PID 2012 wrote to memory of 1488	2012	chrome.exe	120
PID 2012 wrote to memory of 1488	2012	chrome.exe	120
PID 2012 wrote to memory of 1488	2012	chrome.exe	120
PID 2012 wrote to memory of 1488	2012	chrome.exe	120
PID 2012 wrote to memory of 1488	2012	chrome.exe	120
PID 2012 wrote to memory of 1488	2012	chrome.exe	120
PID 2012 wrote to memory of 1488	2012	chrome.exe	120
PID 2012 wrote to memory of 1488	2012	chrome.exe	120
PID 2012 wrote to memory of 1488	2012	chrome.exe	120
PID 2012 wrote to memory of 1488	2012	chrome.exe	120
PID 2012 wrote to memory of 1488	2012	chrome.exe	120
PID 2012 wrote to memory of 1488	2012	chrome.exe	120
PID 2012 wrote to memory of 1488	2012	chrome.exe	120
PID 2012 wrote to memory of 1488	2012	chrome.exe	120
PID 2012 wrote to memory of 1488	2012	chrome.exe	120
PID 2012 wrote to memory of 1488	2012	chrome.exe	120
PID 2012 wrote to memory of 1488	2012	chrome.exe	120
PID 2012 wrote to memory of 1488	2012	chrome.exe	120
PID 2012 wrote to memory of 1488	2012	chrome.exe	120
PID 2012 wrote to memory of 1488	2012	chrome.exe	120
PID 2012 wrote to memory of 1488	2012	chrome.exe	120
PID 2012 wrote to memory of 1488	2012	chrome.exe	120
PID 2012 wrote to memory of 1488	2012	chrome.exe	120
PID 2012 wrote to memory of 1488	2012	chrome.exe	120
PID 2012 wrote to memory of 1488	2012	chrome.exe	120
PID 2012 wrote to memory of 2088	2012	chrome.exe	121
PID 2012 wrote to memory of 2088	2012	chrome.exe	121
PID 2012 wrote to memory of 3472	2012	chrome.exe	122
PID 2012 wrote to memory of 3472	2012	chrome.exe	122
PID 2012 wrote to memory of 3472	2012	chrome.exe	122
PID 2012 wrote to memory of 3472	2012	chrome.exe	122
PID 2012 wrote to memory of 3472	2012	chrome.exe	122
PID 2012 wrote to memory of 3472	2012	chrome.exe	122
PID 2012 wrote to memory of 3472	2012	chrome.exe	122
PID 2012 wrote to memory of 3472	2012	chrome.exe	122
PID 2012 wrote to memory of 3472	2012	chrome.exe	122
PID 2012 wrote to memory of 3472	2012	chrome.exe	122
PID 2012 wrote to memory of 3472	2012	chrome.exe	122
PID 2012 wrote to memory of 3472	2012	chrome.exe	122
PID 2012 wrote to memory of 3472	2012	chrome.exe	122
PID 2012 wrote to memory of 3472	2012	chrome.exe	122
PID 2012 wrote to memory of 3472	2012	chrome.exe	122
PID 2012 wrote to memory of 3472	2012	chrome.exe	122
PID 2012 wrote to memory of 3472	2012	chrome.exe	122
PID 2012 wrote to memory of 3472	2012	chrome.exe	122
PID 2012 wrote to memory of 3472	2012	chrome.exe	122
PID 2012 wrote to memory of 3472	2012	chrome.exe	122
PID 2012 wrote to memory of 3472	2012	chrome.exe	122
PID 2012 wrote to memory of 3472	2012	chrome.exe	122
PID 2012 wrote to memory of 3472	2012	chrome.exe	122
PID 2012 wrote to memory of 3472	2012	chrome.exe	122
PID 2012 wrote to memory of 3472	2012	chrome.exe	122
PID 2012 wrote to memory of 3472	2012	chrome.exe	122
PID 2012 wrote to memory of 3472	2012	chrome.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Windows10Upgrade9252.exe
"C:\Users\Admin\AppData\Local\Temp\Windows10Upgrade9252.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe
  "C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4976
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4976 -s 1916
    3⤵
    - Program crash
    PID:2112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4976 -ip 4976
1⤵
PID:2204

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:4308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff5ea8cc40,0x7fff5ea8cc4c,0x7fff5ea8cc58
  2⤵
  PID:1908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1936,i,7720008384375298450,7962815522329545948,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:1488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2176,i,7720008384375298450,7962815522329545948,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  PID:2088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2264,i,7720008384375298450,7962815522329545948,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2432 /prefetch:8
  2⤵
  PID:3472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,7720008384375298450,7962815522329545948,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3212,i,7720008384375298450,7962815522329545948,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3724,i,7720008384375298450,7962815522329545948,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4536 /prefetch:1
  2⤵
  PID:2840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4764,i,7720008384375298450,7962815522329545948,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4032 /prefetch:8
  2⤵
  PID:4364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4836,i,7720008384375298450,7962815522329545948,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  PID:4464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4072,i,7720008384375298450,7962815522329545948,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3820 /prefetch:8
  2⤵
  PID:3180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4708,i,7720008384375298450,7962815522329545948,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4752 /prefetch:8
  2⤵
  PID:3984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5036,i,7720008384375298450,7962815522329545948,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3820 /prefetch:8
  2⤵
  PID:828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3664,i,7720008384375298450,7962815522329545948,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5064 /prefetch:8
  2⤵
  PID:4364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4828,i,7720008384375298450,7962815522329545948,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4388 /prefetch:8
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5052,i,7720008384375298450,7962815522329545948,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4588 /prefetch:8
  2⤵
  PID:3788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5308,i,7720008384375298450,7962815522329545948,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3216 /prefetch:2
  2⤵
  PID:5744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5300,i,7720008384375298450,7962815522329545948,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:5132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5340,i,7720008384375298450,7962815522329545948,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3416 /prefetch:8
  2⤵
  PID:5380
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\node-v22.11.0-x64.msi"
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:5288

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1716

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5704
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 7A0AF8E6861F75E34CD7293BE263BF98 C
  2⤵
  - Loads dropped DLL
  PID:5772
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3824
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 41C451E7F66B28B48718E16FC3DE6C3D
  2⤵
  - Loads dropped DLL
  PID:4876
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 8161C1E872A8D8655D587EDAC304E763 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:5824
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F53FA8EEEBE9BFC84DBD5B65706E5A9F
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1512

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:5872

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:2920
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CALL "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
  2⤵
  PID:5452
- - C:\Program Files\nodejs\node.exe
    "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
    3⤵
    - Executes dropped EXE
    PID:4724
- C:\Program Files\nodejs\node.exe
  "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-cli.js" i nlhybridfixer
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c node index.js
    3⤵
    PID:5964
  - - C:\Program Files\nodejs\node.exe
      node index.js
      4⤵
      Executes dropped EXE
      PID:6064
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Start-Process -FilePath "'C:\Users\Admin\AppData\Local\Temp\3bb29632c51ff7555aafc556431791f6\execute.bat'" -WindowStyle hidden -Verb runAs"
        5⤵
        Hide Artifacts: Hidden Window
        
        PID:3208
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Start-Process -FilePath "'C:\Users\Admin\AppData\Local\Temp\3bb29632c51ff7555aafc556431791f6\execute.bat'" -WindowStyle hidden -Verb runAs
        6⤵
        Command and Scripting Interpreter: PowerShell
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4696
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3bb29632c51ff7555aafc556431791f6\execute.bat"
        7⤵
        
        PID:1648
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:5168
        
        C:\Users\Admin\AppData\Local\Temp\cmd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
        8⤵
        Executes dropped EXE
        
        PID:5552
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "rmdir /s /q "C:\Users\Admin\AppData\Local\Temp\3bb29632c51ff7555aafc556431791f6""
        5⤵
        
        PID:712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Window

T1564.003

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58ffb9.rbs

Filesize
935KB

MD5
76bc1f16a4f6ec3746eea45ae52ed840

SHA1
a7ea3f24359c3f796b8bfd3dca4606c5953f2fa3

SHA256
e84ad8dcadaa13599e703e770a6f543e9c5af21fcb4444ac7cc6f97bd2ac6cb7

SHA512
9f6bbe02106554605e80ef703d8c2ed8364d1df751393b6a777cbac9ca5870adeecd81ad20309aceda388fc218f2101a370a5c322066a87258b3e3ea2eb46ab9

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\Configuration.ini

Filesize
27B

MD5
ca22263c7a6f965df18f5c601f5db7ce

SHA1
e4b1a401ed497523a583ae8613646b03778a33a6

SHA256
299fa3043627954c524b6171c26fcc3513790310aa2561e6f012eff15254381c

SHA512
3cd39b438f7cb34b38f32240b1ba6a5010f49e12123db770460cf74217bc6946e2032355376c203b68863ee85596d21aa7b2d77c94da48a54def111d147311f8

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\Downloader.dll

Filesize
197KB

MD5
5b62ad6ae42f32806062ad1bcb3e2de5

SHA1
8d4a543eac9643931fcb620cd588e2cc1067920a

SHA256
96f7b268820511abeeb6bbfad0918cf9161366bc2f558ef7f011331e7de1d6f3

SHA512
af5bdbc5019b56eb9a32b6d264388e309e36013d43dbe09c61224ba6fabf1ff905371bc5b6ddaa0d5bfedae99cc5a7051f13fbf26cc756793799e568094eabcf

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe

Filesize
3.5MB

MD5
ab38a78503d8ad3ce7d69f937d71a99c

SHA1
00b6a6f09dd45e356ef9e2cacd554c728313fa99

SHA256
f635cd1996967c2297e3f20c4838d2f45d1535cfea38971909683e26158fb782

SHA512
fe8e4c6973cb26b863ef97d95a7ae8b1b2dbce14bf3b317d085b38347be27db1adc46f5503c110df43e032911e5b070f3e9139857573fffdafff684f27ef1b8f

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA.css

Filesize
82B

MD5
b81d1e97c529ac3d7f5a699afce27080

SHA1
0a981264db289afd71695b4d6849672187e8120f

SHA256
35c6e30c7954f7e4b806c883576218621e2620166c8940701b33157bdd0ba225

SHA512
e5a8c95d0e9f7464f7bd908cf2f76c89100e69d9bc2e9354c0519bf7da15c5665b3ed97cd676d960d48c024993de0e9eb6683352d902eb86b8af68692334e607

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\default.css

Filesize
5KB

MD5
7f5fcac447cc2150ac90020f8dc8c98b

SHA1
5710398d65fba59bd91d603fc340bf2a101df40a

SHA256
453d8ca4f52fb8fd40d5b4596596911b9fb0794bb89fbf9b60dc27af3eaa2850

SHA512
b9fb315fdcf93d028423f49438b1eff40216b377d8c3bc866a20914c17e00bef58a18228bebb8b33c8a64fcaaa34bee84064bb24a525b4c9ac2f26e384edb1ff

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\default.htm

Filesize
60KB

MD5
b2a06af2867a2bb3d4b198a22f7936b3

SHA1
98a28e15abdd2d6989d667cc578bf6ab954c29f5

SHA256
40f468006ab37ef4fcc54c5ff25005644f15d696f1269f67b450c9e3ce5e8d23

SHA512
eefc295a7cd517c93bbeadee51ab778f371be8b21a92b0c06339da2e624abd19c34907e0a8965e6bfe81863752c56cc509fcf015a3ee986d208a5fc7cac8bfc5

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\loading.gif

Filesize
16KB

MD5
1a276cb116bdece96adf8e32c4af4fee

SHA1
6bc30738fcd0c04370436f4d3340d460d25b788f

SHA256
9d9a156c6ca2929f0f22c310260723e28428cb38995c0f940f2617b25e15b618

SHA512
5b515b5975fda333a6d9ca0e7de81dbc70311f4ecd8be22770d31c5f159807f653c87acf9df4a72b2d0664f0ef3141088de7f5aa12efc6307715c1c31ba55bb6

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\logo.png

Filesize
2KB

MD5
afeed45df4d74d93c260a86e71e09102

SHA1
2cc520e3d23f6b371c288645649a482a5db7ccd9

SHA256
f5fb1e3a7bca4e2778903e8299c63ab34894e810a174b0143b79183c0fa5072f

SHA512
778a6c494eab333c5bb00905adf556c019160c5ab858415c1dd918933f494faf3650e60845d557171c6e1370bcff687672d5af0f647302867b449a2cff9b925d

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\marketing.png

Filesize
420B

MD5
0968430a52f9f877d83ef2b46b107631

SHA1
c1436477b4ee1ee0b0c81c9036eb228e4038b376

SHA256
b210f3b072c60c2feb959e56c529e24cec77c1fcf933dcadad1f491f974f5e96

SHA512
7a8a15524aecdb48753cc201c215df19bc79950373adc6dd4a8f641e3add53eba31d1309bf671e3b9e696616a3badce65839b211591a2eeebb9306390d81cfcf

Download Submit
C:\Program Files\nodejs\node_modules\npm\bin\npm-prefix.js

Filesize
864B

MD5
92dd1b5a463374142271ff420cb473a5

SHA1
a9f946c6a8c6f273f837703acc74c367b7781a99

SHA256
673f620e40137c295f2cf057364468bf3a71653dfc0973be895ebf7a8c368c2e

SHA512
5e0a6e4a9cff4b37acbece070a592a65ed044a78e1b104517eb5bb233d4398f67140b44e986e7a2de16bfb65b0ab7609e831341efea2a6f583258b6a85f70e01

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\config\lib\index.js

Filesize
29KB

MD5
a2819bc319ade96e220b81c11ba1fd62

SHA1
f711920489d12ac7704e323de4cea98009299e7d

SHA256
9976a7f202a683370a170f8ab053d89cf6450c9d0596d8bed92bb762f0dca92e

SHA512
64b409c59d3e7df84ddd87163fb03f38d1bbed259323392685e01103ff9d2a43b456a5df5812e2bd3de61e0ae61520ccad444a92ea908a15bd871146630edd32

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\config\package.json

Filesize
1KB

MD5
901e577d669d97e811a11f172dfb6655

SHA1
25d518b50deb389e311821d64d4b0b106618d7c7

SHA256
245d5f0e2a7508229e1cd3ee5f518d93c99eb8280fb35f7df149fe5222bb8af5

SHA512
ead727e7e751b897e060abbfdbc97ffe8d2c3efb9baffaf922ff97d8d6366bd7cc0727e4355cc4679d065bd2892d2550ab3349b235d9b0e6e0475cb6bc59f397

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\sign\node_modules\@npmcli\fs\LICENSE.md

Filesize
818B

MD5
2916d8b51a5cc0a350d64389bc07aef6

SHA1
c9d5ac416c1dd7945651bee712dbed4d158d09e1

SHA256
733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04

SHA512
508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\tuf\LICENSE

Filesize
11KB

MD5
dfc1b916d4555a69859202f8bd8ad40c

SHA1
fc22b6ee39814d22e77fe6386c883a58ecac6465

SHA256
7b0ce3425a26fdba501cb13508af096ade77e4036dd2bd8849031ddecf64f7c9

SHA512
1fbe6bb1f60c8932e4dcb927fc8c8131b9c73afd824ecbabc2045e7af07b35a4155a0f8ad3103bf25f192b6d59282bfc927aead3cb7aaeb954e1b6dbd68369fa

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\verify\dist\shared.types.js

Filesize
79B

MD5
24563705cc4bb54fccd88e52bc96c711

SHA1
871fa42907b821246de04785a532297500372fc7

SHA256
ef1f170ad28f2d870a474d2f96ae353d770fff5f20e642cd8f9b6f1d7742df13

SHA512
2ce8d2cf580623358fef5f4f8925d0c9943a657c2503c80048ca789bf16eacdb980bfc8aaaa50101a738e939926fcf2545500484dcad782c700ee206d8c6f9b9

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE

Filesize
754B

MD5
d2cf52aa43e18fdc87562d4c1303f46a

SHA1
58fb4a65fffb438630351e7cafd322579817e5e1

SHA256
45e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0

SHA512
54e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\node_modules\p-map\license

Filesize
1KB

MD5
b862aeb7e1d01452e0f07403591e5a55

SHA1
b8765be74fea9525d978661759be8c11bab5e60e

SHA256
fcf1a18be2e25ba82acf2c59821b030d8ee764e4e201db6ef3c51900d385515f

SHA512
885369fe9b8cb0af1107ee92b52c6a353da7cf75bc86abb622e2b637c81e9c5ffe36b0ac74e11cfb66a7a126b606fe7a27e91f3f4338954c847ed2280af76a5f

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\node_modules\tar\dist\esm\package.json

Filesize
26B

MD5
2324363c71f28a5b7e946a38dc2d9293

SHA1
7eda542849fb3a4a7b4ba8a7745887adcade1673

SHA256
1bf0e53fc74b05f1aade7451fbac72f1944b067d4229d96bae7a225519a250e4

SHA512
7437cf8f337d2562a4046246fbfcc5e9949f475a1435e94efbc4b6a55880050077d72692cbc3413e0ccd8f36adf9956a6cc633a2adc85fbff6c4aa2b8edac677

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\node_modules\yallist\dist\commonjs\package.json

Filesize
28B

MD5
56368b3e2b84dac2c9ed38b5c4329ec2

SHA1
f67c4acef5973c256c47998b20b5165ab7629ed4

SHA256
58b55392b5778941e1e96892a70edc12e2d7bb8541289b237fbddc9926ed51bd

SHA512
d662bff3885118e607079fcbeedb27368589bc0ee89f90b9281723fa08bda65e5a08d9640da188773193c0076ec0a5c92624673a6a961490be163e2553d6f482

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\fs-minipass\LICENSE

Filesize
780B

MD5
b020de8f88eacc104c21d6e6cacc636d

SHA1
20b35e641e3a5ea25f012e13d69fab37e3d68d6b

SHA256
3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706

SHA512
4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\indent-string\license

Filesize
1KB

MD5
5ad87d95c13094fa67f25442ff521efd

SHA1
01f1438a98e1b796e05a74131e6bb9d66c9e8542

SHA256
67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec

SHA512
7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\ini\lib\ini.js

Filesize
7KB

MD5
84b82e208b562cc8c5a48cf65e6ab0f0

SHA1
0adca343dd729beb86ebbb103f9d84e7ebbd17af

SHA256
481b00a4ebbfc83b28b97d32dccd32d7585b29b209930d4db457d91967f172ad

SHA512
377034e60d9d2ef3da96f23cb32f679754a67d3cd5991b1ad899f9f7c1910dcd0d9b0a1b0530046b6016896bd869a1607ef29c99949407959dcece6f9da790f5

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\ini\package.json

Filesize
1KB

MD5
5b29ab3cad80b08ec094c8201333ebe8

SHA1
dee99f05b24963959159f1f061926e9075679be8

SHA256
94ebf2db52f15b5da55a809977e04f02b052abf418cb160a8d0719362295d867

SHA512
a6e66ade3de2cd308b1081548d2e58a87aad15baaa236c4dea73d36a946b6de352c3765d188f350c9311ebea0efc8b0068a8a7e0025e3dfdff84b737be4e475a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmsearch\LICENSE

Filesize
730B

MD5
072ac9ab0c4667f8f876becedfe10ee0

SHA1
0227492dcdc7fb8de1d14f9d3421c333230cf8fe

SHA256
2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013

SHA512
f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\lib\nopt.js

Filesize
985B

MD5
f1f7369cd4f213cf2ae9469f4d1ef1f5

SHA1
cd7f1eb598f3ed855eb9033010dafc0198bf70c1

SHA256
10623659120996267168230ef2ffa9cfb7ce00422175d21476074c48d5262c18

SHA512
54b8adf2466118da90b84ecc2faa1c70a043679e542dd8631a50fdda883faef169d14a85cc64e2db33b492ac87c2a781bb9f454326b472cd5c61fe82434d115e

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\package.json

Filesize
1KB

MD5
80bdf8901061eac24047d6b001499e89

SHA1
a99d447473406d5e862ae9337b7aee363a8d2f13

SHA256
8d349e100fdd613174f8b3c58149545e3d69a959b7fa3f466d457825575f5b3c

SHA512
b81099e82c23e809a558b8fb164338f3faa784e044d558daa4a09ab26179fc4594e170419f9e3d7b26baafb93d6981f001d2e8d3bab023767d219984b4769f03

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\npm-audit-report\LICENSE

Filesize
771B

MD5
e9dc66f98e5f7ff720bf603fff36ebc5

SHA1
f2b428eead844c4bf39ca0d0cf61f6b10aeeb93b

SHA256
b49c8d25a8b57fa92b2902d09c4b8a809157ee32fc10d17b7dbb43c4a8038f79

SHA512
8027d65e1556511c884cb80d3c1b846fc9d321f3f83002664ad3805c4dee8e6b0eaf1db81c459153977bdbde9e760b0184ba6572f68d78c37bff617646bcfc3b

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-call-limit\LICENSE

Filesize
763B

MD5
7428aa9f83c500c4a434f8848ee23851

SHA1
166b3e1c1b7d7cb7b070108876492529f546219f

SHA256
1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7

SHA512
c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\LICENSE

Filesize
802B

MD5
d7c8fab641cd22d2cd30d2999cc77040

SHA1
d293601583b1454ad5415260e4378217d569538e

SHA256
04400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be

SHA512
278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\index.js

Filesize
16KB

MD5
bc0c0eeede037aa152345ab1f9774e92

SHA1
56e0f71900f0ef8294e46757ec14c0c11ed31d4e

SHA256
7a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5

SHA512
5f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\package.json

Filesize
1KB

MD5
d116a360376e31950428ed26eae9ffd4

SHA1
192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b

SHA256
c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5

SHA512
5221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\node_modules\proc-log\LICENSE

Filesize
757B

MD5
8bb6f78000746d4fa0baf4bdbf9e814e

SHA1
4b7049331119a63009aec376677b97c688266613

SHA256
a5103404e4615fa1ed46aef13082dd287bf4b95964e71ffdf198984b3d5882b8

SHA512
ee6874e77e33e0e0fe271ae706b344696201c1c204356e271705d9b0687bb597991c3b589d0fa6b6b38dd2933026c0996b37bc13062a5acb2fdc7f3359cdb262

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\walk-up-path\dist\cjs\index.js

Filesize
474B

MD5
54bd6e9d21ed6021e374d34cfaa3290c

SHA1
e71ef5c7bf958f1599fce51cc98a73f849659380

SHA256
4e86e409d7506477caee910cb50f5bff1dda477878da923bd3888501e1a04036

SHA512
7424455a64824b7ffe72c3ed521684d7ab279b4cabb0fc018e9db04662a92af9187efe30f5a442c3418705895262de6e057858c3cda00c634df3cbc6eebb2407

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\walk-up-path\package.json

Filesize
1KB

MD5
e6b2ad09f00a37da8012022f4b9e0461

SHA1
9af557e76ab4036536d792ca9b3c37d4720c0587

SHA256
2d43790293eb562918790e7fe2a786d86ed8e5a95b45d5e36587be0dbc8ddcd4

SHA512
9ea06c09a0837495bbae225d2913f55f53d5f81b4949bc1640d2cb460e3f61d4d39fbb88a959adc56ca7557870a069e1ec2a92b0c759b457731e93ecad8f9eb7

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\es2015\index.js

Filesize
17KB

MD5
cf8f16c1aa805000c832f879529c070c

SHA1
54cc4d6c9b462ad2de246e28cd80ed030504353d

SHA256
77f404d608e2a98f2a038a8aa91b83f0a6e3b4937e5de35a8dae0c23aa9ee573

SHA512
a786e51af862470ae46ad085d33281e45795c24897e64b2c4b265302fa9cbfa47b262ec188adbc80d51cfc6ba395b500c0d7f5d343ca4fc2b828eaedba4bd29a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\index.js

Filesize
15KB

MD5
9841536310d4e186a474dfa2acf558cd

SHA1
33fabbcc5e1adbe0528243eafd36e5d876aaecaa

SHA256
5b3c0ac6483d83e6c079f9ffd1c7a18e883a9aaeaedb2d65dd9d5f78153476b9

SHA512
b67680a81bb4b62f959ba66476723eb681614925f556689e4d7240af8216a49f0d994c31381bf6a9489151d14ed8e0d0d4d28b66f02f31188059c9b24aaa3783

Download Submit
C:\Program Files\nodejs\node_modules\npm\package.json

Filesize
6KB

MD5
a635c09a3ba36d76e04158ba070c32e2

SHA1
6bdda03a1e34946e25fced365eb9da0df97e9e29

SHA256
6f1feb793d2cfd5ba2c5c9aebe4cd7dbb2d44a401b99d48b14ea3b54cdef2446

SHA512
cac45d9a50fe2b7b786613b3de9dea31921bce05e2bdf5edf07cc3cb6e4a947486435b5ba7b23a34b8f674b04df5d69628c6954e159e7beb6e59b00893eae818

Download Submit
C:\Program Files\nodejs\npm.cmd

Filesize
538B

MD5
6895fc6423c97fbf721a71333137d1ca

SHA1
e0a531a3a869f2c3bb1ea91801a8a386d6aaf73e

SHA256
21b46c69ad6e2f231f02a9e120f4ba6c8e75fef5a45637103002eab99f888ab8

SHA512
0cdaa6bbeefeabf676839d88e96a096b13b9176bd936e11665ebf01e57540e131981a7bee4f113d2b5bd6858656f7cb689d29ee81d9f9e8d7f87d2d91e041ac0

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.url

Filesize
168B

MD5
72b8c907a5d50eb4917010e78ef8a23b

SHA1
a3e7ebff0927ae76cecdedb6e81422be78786bd3

SHA256
f6424b15af9a46f0ebef4cc2ca73a2b534ed22b2acec189ee9233fd815187e20

SHA512
9def64b5fedadfe38456c608be144706fea63847b5fd4f636af048b2886d88779f8b1268eac2c33e1edf9cc07deaa64de3ab5504b8a16d19e2b03b22b3a08dcc

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js website.url

Filesize
133B

MD5
35b86e177ab52108bd9fed7425a9e34a

SHA1
76a1f47a10e3ab829f676838147875d75022c70c

SHA256
afaa6c6335bd3db79e46fb9d4d54d893cee9288e6bb4738294806a9751657319

SHA512
3c8047c94b789c8496af3c2502896cef2d348ee31618893b9b71244af667ec291dcb9b840f869eb984624660086db0c848d1846aa601893e6f9955e56da19f62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
9a991506d06755a35913689b313e2337

SHA1
6bf4ca8b8856b20d25062ec94c930f7bc7e8dc63

SHA256
b413be294aa14be865f49a949eedbb14614e0aa1808808c7d4c864a744797b9f

SHA512
8466d15754005c8da1571070975406f109ed98a2b319287e2edcea33cc6c7aa2749585859187d96bea1ab7dd215c7403b066dc30bcb1164f8282397a8705543f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_0D7BFF9D231ADDC3439B70E4C5E809D4

Filesize
727B

MD5
134944d57347a59eb78d147b2eef9782

SHA1
c8e6ddff18663e6e55b5bd57856df397a811acbf

SHA256
69aa139c431c6690751ece212ccee8431346f20921e40ea49c66a467e2ac7695

SHA512
4156d0287690ed0c0554e1ecefb89036f3fa6c4ec870353d25a6bdbb3deea4aafd8e14ef2553387a8f502e1e85b4da22da46cca8fba204814c9f52032f558f99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
19818ddcac7e6d84edda2d202a8bd6f5

SHA1
078a354358a3ab745489ec949e64e71b73f800a7

SHA256
376fd6fec42ba09d21b131410ebd956b6c768597d3bba28d120060ca8f8ca64c

SHA512
646010ea61958a0af74cf6bf53623fdc233291cdb309b7d92dfc1cce33444e57c693c3186b54ac7e082106fe02a48faefc02ff647a5eb09fc2b945f12d0df36b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
27bafa2a2df6f812ce1f2e8036d1f493

SHA1
380e14bf3ff74d41428715f768099c5c3e157c21

SHA256
1c81409d543f8eae9fd34d70d28bd561d3ca5431183fc2ae0296ffef5d261ec8

SHA512
a6ada5fa6f58ea76ed6c5a75cbecdfb45421dd42ea0db1afa7438f6fecab6cbabca1a3b9f4f7be36b411553d6e6e95d1b8e6a359d68318c855a4567503f84f91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_0D7BFF9D231ADDC3439B70E4C5E809D4

Filesize
404B

MD5
9753403558bbdbb9d4fdc0e993f3f876

SHA1
d1cfad3c0393d121cd452818e4061167bbb6c2dc

SHA256
135f2d5f0deb46c1d6910b4dcdd33ab876f298ab42073791d9f70b96c5e61405

SHA512
4e8e1278e1b9388f993cd3f38cc2456e5fa29f42c6624025ddd540a91edbffb2d495f496dac306118d912202232bc19439b57873eb22fe6223461a34de19d534

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
a52326be1e2473bc36bcd413864cdb4b

SHA1
b8443d6e9e44b3897cdd6cb908042febda1ff652

SHA256
2586ed3cc10321fa066455f12770ca4acc44f49fb8d462263b7a204445dff451

SHA512
812d7578a4bdb38ec6b25a867fb9d4bdc54e6373d69a73e0229ba34f124fa647ca1609b565be5d7ff5f9853a1cc7625415e48b232f7670c4d14ca51a0ba58563

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
334ac137299f9f1e54957448c37aa754

SHA1
10977eacc5da2912a26460bf165ec20d5008d281

SHA256
291fadcb2192f80ce02b372a36f2f9f870fa31678644d8b1be48465eb73a1ece

SHA512
cead0b06614cfc51665f24466649c1d1cbe223e6199421eb104eec88446ec6282ed9190f4b9c6dbf8650bebe856afa574b691d85b185bb9778c2f5df4698c98f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
a4b8ac83df4f41c6b9ad8fa5c1a1698f

SHA1
6a2f09ff96dc4dfffe3a29aaf73c247844a15462

SHA256
2ee08badd7e88f37b1c933ac243ce54118bf02be95140c29be14abff97660218

SHA512
d7e96724cdac19a89f299775aa8a9f29a1aa9079218700126dfb6a6aba1b5a9c3f6021f4259ff58f48e6d20d0321395e6254567cb52570be8d258d7f3be1ee9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.83.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
da69cd67518757d5d7de1b23e34f0b58

SHA1
83753414d2b0685be3d29af92ac7ef561554597d

SHA256
4aef52ed3083f65239aa5b3469db75c8bf89193843710d49cd4798b2726c006e

SHA512
bcc0f2a201c9c2b031371dcca8a7a0d99311d49612aa85c1ebd8c437ab4153d0e1d25eb22b00c6a109142fa30f5e2480f75315a483c7a44d1b1b8cb86fb0f2c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
c975724a13932d47b9168f64b484f68f

SHA1
6713ec6f83964c0f60c77487636d402ea0de3f84

SHA256
85a7ea6cd28bfd51e8f84f32fcc081d51f9057d4f898f6880bd7b7e63cd94723

SHA512
1921adca1f32278c56e2822c37d2e03de7dee0462b8d7dd83f12c6b069624e353363a0a34b13390cf763bb3d27c06f087093e37763107e9688b06d42d19cba22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
b636fe16a86d0b583b06ca9d7305db83

SHA1
baaa96e4cdca55341c7efe482c0fa4e16c58223a

SHA256
506e95520d91ff6b01b1cdecacea90bb2bb237438aca21e48141e95fa2809978

SHA512
8d8207efbf59d3cbe2c227e2fd4cb633519f02a9998c47af274bcd81a846abd328c296516bd88a4728a151025dc2532a847666809079c4d3f922e7781057b9c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
8977326a8ad637c3f7b81bb22a09eb64

SHA1
51c37eebade1259aae5f80cb1e8af4dca9ed8404

SHA256
0a6fc67bff51fe15d3c333cb4bd8cbc41559fe07ba513dcd740d48206ba5d709

SHA512
3638247fcaaa01c22d57621ffe75903d1bc4f2e29974e0e75ce4bea8d359d1f314f6582a8ed96bddfca2502389426d054588247be127a56bc5d671889a0501a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c045792aab1bbe5ef63df514bdc3db58

SHA1
3719ad7dcf022a944a98f99d5e34ea9f7d3975b8

SHA256
ae1f4596711e29e0ce6eb72c91049536dda68060879d85acc14e8490857dc396

SHA512
02fca2c6f24968d6d2667563018670f9a1ec8b248d1a01d31e8f6b8e682cba3c9ead2f4b3f59cafbec594eefb2ef024e6bfad991a56ec1c5800daafbc8f18262

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ad98dc320b20a7e68f7b1bfd5e0135a7

SHA1
e81d3bdba103bb1c9a78ab63541c32d5dea5911a

SHA256
21f2eff2690571b3889c3b6df9d4bd8366c6f25e762d2ab6aa276f8376e39cff

SHA512
7d4aa0874e7a78b5584d5740a2cd4952ec85da31ca46e9a9f37b1a41bde87d7930247601c52f0c6b71240884ee0caa9a1146f8b71e2bfb3bbbc6985fdf9ff7ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cc7ec4df0639afb1e6306fc73d6f8a3b

SHA1
33df8c82d8139af9872d525a61cb6c1cc31ce88d

SHA256
89b22d0794ce649b02b8366408ef944755339115b800b3008c48a3c569a6a820

SHA512
a52807372ceeed2d1151f6c2eadab00a6421bf0ce64fc2afbf75173e29843d2fa38bd5d2f670a3cebe7212057357f20346f9d925658eada14885a239ed2582f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
70836dc283a576ac49cc7122a67daf47

SHA1
60ad4a2bc7dc098d63751ee5daa36110e352d3ca

SHA256
20345a7ac1399ef03deb50be6c5645ae442c1bcfee21ea03a2ab5ec1cbf480a9

SHA512
6c4718e97abf315a43681046edd1c2a2f6ebdb3f50c39fdc57322f7f213c47cbadc7dbb5996389ad825134678fa11c38347be41263f512c62485b68143ec565b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4acf06d4a37d1861fc21f340cd91d891

SHA1
34ed9cdd6c5642577a75d57cc636db0e071a3889

SHA256
9a79d7de3479fe0dd8a61fbcc2bb2e26d6966ac543d96746bee769bb7996dc81

SHA512
e46829f891754f31a44e8723fcd728658a1fd065913cd7c729b8211a4563d674b0286675c7313b336dd68fa0f4379830be5f911dee2d5de0377753e4c864733e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6f792294c9d58c6a6b113d5ae2cb5186

SHA1
c21614bad2cccd8162a4fe4ed758608dbab40eb3

SHA256
2d268a98a1766a23fdfd431a8ce7741fdc4d180f56373ee8753d389b83e3df06

SHA512
ae8aeda7ed31a34a1a081a9693e6644f429f6f1978f62b2f9dfa6407e0010ac794c2f6f7a1c55d8abc8cd21a1e74e0508b40fadbb3a5c49dc773dd536ddd9d98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c1ae05a5d02fdf1eb019d5e6d33c2028

SHA1
75ead8963c4bedae98a9f4d0fd9a9330acc1d66c

SHA256
4fc5bea8bc9c4e3db3f2f84e797bea4f1c900a0678861a9a1c5de86233f779a5

SHA512
22a7af186b328640f4dccd1d1478df953c8fc556c9fc1f00363d9b1feefd2869aac420b37f11219ee9698dd5cbe129a9cd0936bbf713db849d8703cb055273d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
6f63e9c5340aa74cdffc6ec8cfeb393d

SHA1
4e889ab4d85d646161862fbe542c2dde215049b9

SHA256
3a485db25eed0cfa0250455e2663e81ef45c52f71a1a042aaf9807a3e5603776

SHA512
9b79e3a96f1706542951f844f7a17bb4f936ee1517d884c77f9f30546e7acce875b50d03f4a02578828a8ce15f50c47ff528f1c40b8469c169130c81621b5191

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
b640582f3c48c45fc5b5888229ac1a43

SHA1
7a1e3607af18a2776ef0532fe5f2f370861d66ec

SHA256
bf1447afd261ba769b04d92e43b02279281b4a99ae532c0fe7aa3daa641f6ea0

SHA512
da3105b26ac7e8159aaed9280381dc04bdd400ca0a10cb6b98380b7b9b2644f88828f5379eb1db8c2e5574c9ea0937d6e5468fdae06bbb8ae9902609be8b5855

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
c0c68f1f17e7babf88e741fc6be304fc

SHA1
7264f82b23636eb892884300eaea85f4f2bc52f3

SHA256
9591061cfbd15329d515756e4144e1999126a712c579e4b24ea4860647d61a48

SHA512
85bd1eb422f5be9f3af59c57f4b9179ab4066c814cc40b13f91c5967b98685ccf42b634b21ee2d4a7e7d036b037ee0246fc15f262edee911728618510e7d3f51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
cb1a1f728e30db9da1a475503004be55

SHA1
e206c5a2e4d55ae4ab7679981f45091f233a627b

SHA256
36e13ace01443dee62fc9f6233967b7a8ebdd068315c51e1fa5c11b465a76ca3

SHA512
82a8b3cc07c2513ee09da32128e65841ca330811f661621d5cdb87de19f57a4231a287560dc6d0d6259821bf80ccb3f1c0cdb0d3a88a4e3b08e99691cd36103a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA92C.tmp

Filesize
144KB

MD5
7fa9d662d634534d7c2240dd126bdeee

SHA1
bd01e22ed2da0d0d485824b372ac67da683863d2

SHA256
c0e8683b697b3c6e55deb4497d3434d6e2cc841eb8c9a1b7d3f8907cff7de206

SHA512
cbc737e3eb94151c9dacaa5ee780cb550176ca2be2e0c66925884b5bc6222b7bcde5ed66e881f2a76f3d26edf5331abf0e74c819ad4f5fd7d0819bc4c138bb81

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA9D8.tmp

Filesize
390KB

MD5
80bebea11fbe87108b08762a1bbff2cd

SHA1
a7ec111a792fd9a870841be430d130a545613782

SHA256
facf518f88cd67afd959c99c3ba233f78a4fbfe7fd3565489da74a585b55e9d1

SHA512
a760debb2084d801b6381a0e1dcef66080df03a768cc577b20b8472be87ad8477d59c331159555de10182d87340aa68fe1f3f5d0212048fd7692d85f4da656f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU96B2.tmp\appraiserxp.dll

Filesize
363KB

MD5
cbb270591c9a1bfb1b10559ab672f705

SHA1
fed0d59d60709b5b05b9d31030ea7a5422767a7e

SHA256
770a9a15e1eb8e2729f23a3d262b55bef16e4bb7822a2d16eeac3db35a116d7f

SHA512
67c4154d47981f22965966aa823dc0e05872b2f6d8fc7d80b4130f1cdb8bf9f326a20980e29c085e2940fc1f7b033b85d2eb192f5bda2da136364a842ea20f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU96B2.tmp\resources\ux\Microsoft.WinJS\css\oobe-desktop.css

Filesize
39KB

MD5
5ad8ceea06e280b9b42e1b8df4b8b407

SHA1
693ea7ac3f9fed186e0165e7667d2c41376c5d61

SHA256
03a724309e738786023766fde298d17b6ccfcc3d2dbbf5c41725cf93eb891feb

SHA512
1694fa3b9102771eef8a42b367d076c691b002de81eb4334ac6bd7befde747b168e7ed8f94f1c8f8877280f51c44adb69947fc1d899943d25b679a1be71dec84

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wgofvpls.ug5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2012_660761750\77d8edaf-7945-4e27-ade0-f39cb749f949.tmp

Filesize
132KB

MD5
da75bb05d10acc967eecaac040d3d733

SHA1
95c08e067df713af8992db113f7e9aec84f17181

SHA256
33ae9b8f06dc777bb1a65a6ba6c3f2a01b25cd1afc291426b46d1df27ea6e7e2

SHA512
56533de53872f023809a20d1ea8532cdc2260d40b05c5a7012c8e61576ff092f006a197f759c92c6b8c429eeec4bb542073b491ddcfd5b22cd4ecbe1a8a7c6ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2012_660761750\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\Downloads\node-v22.11.0-x64.msi

Filesize
28.9MB

MD5
fa9e1f3064a66913362e9bff7097cef5

SHA1
b34f1f9a9f6242c54486a4bc453a9336840b4425

SHA256
9eea480bd30c98ae11a97cb89a9278235cbbbd03c171ee5e5198bd86b7965b4b

SHA512
ad3e9469326dccac6b49185b5b2814ba700b5d83b4b3ce17f85a9adc5f90bdebf54d79800b253ed5c371ab82d27304841f86ab1a8a3c7ffade8a2d78e55dc99f

Download Submit
C:\Windows\Installer\MSI3C78.tmp

Filesize
341KB

MD5
74528af81c94087506cebcf38eeab4bc

SHA1
20c0ddfa620f9778e9053bd721d8f51c330b5202

SHA256
2650b77afbbc1faacc91e20a08a89fc2756b9db702a8689d3cc92aa163919b34

SHA512
9ce76594f64ea5969fff3becf3ca239b41fc6295bb3abf8e95f04f4209bb5ccddd09c76f69e1d3986a9fe16b4f0628e4a5c51e2d2edf3c60205758c40da04dae

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
66d94d70e09d76f7df71a6e5134cf9d6

SHA1
d046823054de9bded80e638fdae4ef23cfb4f008

SHA256
cf0d585c79780d11ea813cdc01800b5de98cc5a9896e1cc8c36c50c243d49358

SHA512
22979f1959ccc614f79018af28991ce837983e0d360df9026e19f20452270fdecd59dd8476a9944a7252e6a6adfa2f0b19763ea4361eda10392baf3b8f9eb816

Download Submit
\??\Volume{ff55cfe6-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{43431dfd-4f58-4319-8e88-2bd4a3f32ec2}_OnDiskSnapshotProp

Filesize
6KB

MD5
1af74c1e19177a825fd559e742468ec3

SHA1
ad9e187861bdb7ee8523ae23647bd7c6477e3a78

SHA256
09ef6ba08569766968bb0659ea5c65a65a5ac6a1df64beb3a9729323b4fc58b6

SHA512
4bd2f45905a2d4ddff4a6a8437e5ae8cf19c2839eb4a8b91b77d12eee925037bfca4451cd9f0b74076104ae4947b764b2f71d0249d760fb273825b678d4895a0

Download Submit
memory/4696-3460-0x0000024690B60000-0x0000024690B82000-memory.dmp

Filesize
136KB

Download
memory/5552-3464-0x0000000000CC0000-0x0000000000CDA000-memory.dmp

Filesize
104KB

Download