82d2db2c2f0b34fab402d175cda0f8cddf588a585496e6575ec4e122a59ad7dd

Analysis

max time kernel
801s
max time network
439s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21-11-2024 12:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lanos v3 rewrite/LanosLanguageLoader.bat
Size

2KB
MD5

1b32d8900e2c80f9005ecd4f11c7499f
SHA1

65bee3ad153e6938ae735a3be59e7a6b495d8b83
SHA256

a69470aedafb18133ba2ae7f940a63a90d2a559f101511cc3864e51209fda775
SHA512

99522b53b0cdb0cf39623fdafac0987757f327eb3bb51bec84de7b55588cf23ea2af08d0f538887bec01452d6b714952cdca910fc50642a6dcc7f69bd51c3f46

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

powershell.exemsiexec.exe

flow pid process

2 3080 powershell.exe
4 2108 msiexec.exe
5 2108 msiexec.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Powershell Invoke Web Request.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

3080 powershell.exe
Loads dropped DLL 7 IoCs

Processes:

MsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exe

pid process

3756 MsiExec.exe
3756 MsiExec.exe
1616 MsiExec.exe
1616 MsiExec.exe
1616 MsiExec.exe
3144 MsiExec.exe
1928 MsiExec.exe

flow	pid	process
2	3080	powershell.exe
4	2108	msiexec.exe
5	2108	msiexec.exe

pid	process
3080	powershell.exe

pid	process
3756	MsiExec.exe
3756	MsiExec.exe
1616	MsiExec.exe
1616	MsiExec.exe
1616	MsiExec.exe
3144	MsiExec.exe
1928	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\which\node_modules\isexe\dist\mjs\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\corepack\dist\npm.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-token.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\arborist\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\ini\lib\ini.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\packaging\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-query.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\sign\dist\signer\signer.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\metavuln-calculator\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\brace-expansion\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\lib\download.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\ssri\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\lib\get-write-flag.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-ls.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\abbrev\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\shrinkwrap.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\binary-extensions\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\color-name\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-audit-report\lib\reporters\json.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\lib\build.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sprintf-js\CONTRIBUTORS.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tiny-relative-date\translations\de.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\corepack\shims\pnpx.ps1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-access.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\glob\dist\esm\glob.js.map	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\make-fetch-happen\lib\cache\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\valid.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-root.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-view.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\config.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-star.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\make-fetch-happen\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\using-npm\scope.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\config\lib\set-envs.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\glob\dist\esm\has-magic.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\iconv-lite\encodings\tables\cp950.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\data\win\large-pdb-shim.cc	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\supports-color\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\lib\write-entry.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-fund.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\debug\src\common.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\fastest-levenshtein\mod.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmhook\LICENSE.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-profile\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\chownr\chownr.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\https-proxy-agent\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\dist\processor.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\verify\dist\trust\filter.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\query-selector-all.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@tufjs\models\dist\utils\guard.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\lib\install.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\installed-package-contents\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmaccess\README.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@isaacs\cliui\node_modules\emoji-regex\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\rsort.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\sign\dist\witness\tsa\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\qrcode-terminal\example\basic.png	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tiny-relative-date\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\which\node_modules\isexe\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\yallist\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\using-npm\workspaces.md	msiexec.exe

Drops file in Windows directory 19 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI219.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI799.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{F3A57DD0-5D8B-4A74-A055-670A7BAA4176}\NodeIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2825.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5900d1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI911.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF714209E93E43D3DA.TMP	msiexec.exe
File created	C:\Windows\Installer\e5900d1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2A7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFB9FC60D069057ABC.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{F3A57DD0-5D8B-4A74-A055-670A7BAA4176}	msiexec.exe
File created	C:\Windows\Installer\{F3A57DD0-5D8B-4A74-A055-670A7BAA4176}\NodeIcon	msiexec.exe
File created	C:\Windows\SystemTemp\~DF0C127F37169E8C95.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF3CFEB58D8D1F3E36.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI25B3.tmp	msiexec.exe
File created	C:\Windows\Installer\e5900d3.msi	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

MsiExec.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000235a573f571b962e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000235a573f0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900235a573f000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d235a573f000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000235a573f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 29 IoCs

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0DD75A3FB8D547A40A5576A0B7AA1467\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\Lanos v3 rewrite\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0DD75A3FB8D547A40A5576A0B7AA1467\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0DD75A3FB8D547A40A5576A0B7AA1467\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Lanos v3 rewrite\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0DD75A3FB8D547A40A5576A0B7AA1467\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0DD75A3FB8D547A40A5576A0B7AA1467\NodeRuntime	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0DD75A3FB8D547A40A5576A0B7AA1467\PackageCode = "820BE0D89D2A0314EAB96123A497F31D"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0DD75A3FB8D547A40A5576A0B7AA1467\ProductIcon = "C:\\Windows\\Installer\\{F3A57DD0-5D8B-4A74-A055-670A7BAA4176}\\NodeIcon"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0DD75A3FB8D547A40A5576A0B7AA1467\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0DD75A3FB8D547A40A5576A0B7AA1467\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0DD75A3FB8D547A40A5576A0B7AA1467\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0DD75A3FB8D547A40A5576A0B7AA1467\SourceList\Net	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0DD75A3FB8D547A40A5576A0B7AA1467\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0DD75A3FB8D547A40A5576A0B7AA1467\Version = "336723968"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0DD75A3FB8D547A40A5576A0B7AA1467\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0DD75A3FB8D547A40A5576A0B7AA1467\SourceList\PackageName = "node-v20.18.0-x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0DD75A3FB8D547A40A5576A0B7AA1467\corepack	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0DD75A3FB8D547A40A5576A0B7AA1467\npm	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0DD75A3FB8D547A40A5576A0B7AA1467\DocumentationShortcuts	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0DD75A3FB8D547A40A5576A0B7AA1467\EnvironmentPathNpmModules = "EnvironmentPath"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0DD75A3FB8D547A40A5576A0B7AA1467\ProductName = "Node.js"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0DD75A3FB8D547A40A5576A0B7AA1467	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0DD75A3FB8D547A40A5576A0B7AA1467\EnvironmentPathNode = "EnvironmentPath"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0DD75A3FB8D547A40A5576A0B7AA1467\EnvironmentPath	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0DD75A3FB8D547A40A5576A0B7AA1467	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0DD75A3FB8D547A40A5576A0B7AA1467\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0DD75A3FB8D547A40A5576A0B7AA1467\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0DD75A3FB8D547A40A5576A0B7AA1467\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782\0DD75A3FB8D547A40A5576A0B7AA1467	msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exemsiexec.exe

pid process

3080 powershell.exe
3080 powershell.exe
3692 msiexec.exe
3692 msiexec.exe

pid	process
3080	powershell.exe
3080	powershell.exe
3692	msiexec.exe
3692	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exemsiexec.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	3080	powershell.exe
Token: SeShutdownPrivilege	2108	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2108	msiexec.exe
Token: SeSecurityPrivilege	3692	msiexec.exe
Token: SeCreateTokenPrivilege	2108	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2108	msiexec.exe
Token: SeLockMemoryPrivilege	2108	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2108	msiexec.exe
Token: SeMachineAccountPrivilege	2108	msiexec.exe
Token: SeTcbPrivilege	2108	msiexec.exe
Token: SeSecurityPrivilege	2108	msiexec.exe
Token: SeTakeOwnershipPrivilege	2108	msiexec.exe
Token: SeLoadDriverPrivilege	2108	msiexec.exe
Token: SeSystemProfilePrivilege	2108	msiexec.exe
Token: SeSystemtimePrivilege	2108	msiexec.exe
Token: SeProfSingleProcessPrivilege	2108	msiexec.exe
Token: SeIncBasePriorityPrivilege	2108	msiexec.exe
Token: SeCreatePagefilePrivilege	2108	msiexec.exe
Token: SeCreatePermanentPrivilege	2108	msiexec.exe
Token: SeBackupPrivilege	2108	msiexec.exe
Token: SeRestorePrivilege	2108	msiexec.exe
Token: SeShutdownPrivilege	2108	msiexec.exe
Token: SeDebugPrivilege	2108	msiexec.exe
Token: SeAuditPrivilege	2108	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2108	msiexec.exe
Token: SeChangeNotifyPrivilege	2108	msiexec.exe
Token: SeRemoteShutdownPrivilege	2108	msiexec.exe
Token: SeUndockPrivilege	2108	msiexec.exe
Token: SeSyncAgentPrivilege	2108	msiexec.exe
Token: SeEnableDelegationPrivilege	2108	msiexec.exe
Token: SeManageVolumePrivilege	2108	msiexec.exe
Token: SeImpersonatePrivilege	2108	msiexec.exe
Token: SeCreateGlobalPrivilege	2108	msiexec.exe
Token: SeCreateTokenPrivilege	2108	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2108	msiexec.exe
Token: SeLockMemoryPrivilege	2108	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2108	msiexec.exe
Token: SeMachineAccountPrivilege	2108	msiexec.exe
Token: SeTcbPrivilege	2108	msiexec.exe
Token: SeSecurityPrivilege	2108	msiexec.exe
Token: SeTakeOwnershipPrivilege	2108	msiexec.exe
Token: SeLoadDriverPrivilege	2108	msiexec.exe
Token: SeSystemProfilePrivilege	2108	msiexec.exe
Token: SeSystemtimePrivilege	2108	msiexec.exe
Token: SeProfSingleProcessPrivilege	2108	msiexec.exe
Token: SeIncBasePriorityPrivilege	2108	msiexec.exe
Token: SeCreatePagefilePrivilege	2108	msiexec.exe
Token: SeCreatePermanentPrivilege	2108	msiexec.exe
Token: SeBackupPrivilege	2108	msiexec.exe
Token: SeRestorePrivilege	2108	msiexec.exe
Token: SeShutdownPrivilege	2108	msiexec.exe
Token: SeDebugPrivilege	2108	msiexec.exe
Token: SeAuditPrivilege	2108	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2108	msiexec.exe
Token: SeChangeNotifyPrivilege	2108	msiexec.exe
Token: SeRemoteShutdownPrivilege	2108	msiexec.exe
Token: SeUndockPrivilege	2108	msiexec.exe
Token: SeSyncAgentPrivilege	2108	msiexec.exe
Token: SeEnableDelegationPrivilege	2108	msiexec.exe
Token: SeManageVolumePrivilege	2108	msiexec.exe
Token: SeImpersonatePrivilege	2108	msiexec.exe
Token: SeCreateGlobalPrivilege	2108	msiexec.exe
Token: SeCreateTokenPrivilege	2108	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2108	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

2108 msiexec.exe
2108 msiexec.exe

pid	process
2108	msiexec.exe
2108	msiexec.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

cmd.exemsiexec.exe

description	pid	process	target process
PID 5052 wrote to memory of 2960	5052	cmd.exe	openfiles.exe
PID 5052 wrote to memory of 2960	5052	cmd.exe	openfiles.exe
PID 5052 wrote to memory of 3080	5052	cmd.exe	powershell.exe
PID 5052 wrote to memory of 3080	5052	cmd.exe	powershell.exe
PID 5052 wrote to memory of 2108	5052	cmd.exe	msiexec.exe
PID 5052 wrote to memory of 2108	5052	cmd.exe	msiexec.exe
PID 3692 wrote to memory of 3756	3692	msiexec.exe	MsiExec.exe
PID 3692 wrote to memory of 3756	3692	msiexec.exe	MsiExec.exe
PID 3692 wrote to memory of 4064	3692	msiexec.exe	srtasks.exe
PID 3692 wrote to memory of 4064	3692	msiexec.exe	srtasks.exe
PID 3692 wrote to memory of 1616	3692	msiexec.exe	MsiExec.exe
PID 3692 wrote to memory of 1616	3692	msiexec.exe	MsiExec.exe
PID 3692 wrote to memory of 3144	3692	msiexec.exe	MsiExec.exe
PID 3692 wrote to memory of 3144	3692	msiexec.exe	MsiExec.exe
PID 3692 wrote to memory of 1928	3692	msiexec.exe	MsiExec.exe
PID 3692 wrote to memory of 1928	3692	msiexec.exe	MsiExec.exe
PID 3692 wrote to memory of 1928	3692	msiexec.exe	MsiExec.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Lanos v3 rewrite\LanosLanguageLoader.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Windows\system32\openfiles.exe
  openfiles
  2⤵
  PID:2960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Invoke-WebRequest -Uri https://nodejs.org/dist/v20.18.0/node-v20.18.0-x64.msi -OutFile node-v20.18.0-x64.msi"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3080
- C:\Windows\system32\msiexec.exe
  msiexec /i node-v20.18.0-x64.msi /norestart
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2108

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3692
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding F6FC1BBB5E5620869F2757B8D772B2C8 C
  2⤵
  - Loads dropped DLL
  PID:3756
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4064
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 8E31BACC1FD65F2A66BAB6B231877C48
  2⤵
  - Loads dropped DLL
  PID:1616
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 5CF0AEC15F97CBB3127ACC5E518D6659 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:3144
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4B206072DF6050C0566B23B3E87EF031
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1928

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5900d2.rbs

Filesize
808KB

MD5
bd5817fd20081b84d267c91ba47d801c

SHA1
c4362fbabd06dccbe29518ededd45e7f8b9cf6c3

SHA256
63a6aee4ce399417ead34d35d43ebac2491778d267a8677522421f47ad3e5ad5

SHA512
a1a9b0a64c97d8832ce18a8b7136bc0eb4c45b9af74107a992e1580c585e9b0027ed2108798971fb6913bbd3d22b93e53e159d2422cbbab19055bd22e83429b0

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\tuf\LICENSE

Filesize
11KB

MD5
dfc1b916d4555a69859202f8bd8ad40c

SHA1
fc22b6ee39814d22e77fe6386c883a58ecac6465

SHA256
7b0ce3425a26fdba501cb13508af096ade77e4036dd2bd8849031ddecf64f7c9

SHA512
1fbe6bb1f60c8932e4dcb927fc8c8131b9c73afd824ecbabc2045e7af07b35a4155a0f8ad3103bf25f192b6d59282bfc927aead3cb7aaeb954e1b6dbd68369fa

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\verify\dist\shared.types.js

Filesize
79B

MD5
24563705cc4bb54fccd88e52bc96c711

SHA1
871fa42907b821246de04785a532297500372fc7

SHA256
ef1f170ad28f2d870a474d2f96ae353d770fff5f20e642cd8f9b6f1d7742df13

SHA512
2ce8d2cf580623358fef5f4f8925d0c9943a657c2503c80048ca789bf16eacdb980bfc8aaaa50101a738e939926fcf2545500484dcad782c700ee206d8c6f9b9

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE

Filesize
754B

MD5
d2cf52aa43e18fdc87562d4c1303f46a

SHA1
58fb4a65fffb438630351e7cafd322579817e5e1

SHA256
45e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0

SHA512
54e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\chalk\license

Filesize
1KB

MD5
b862aeb7e1d01452e0f07403591e5a55

SHA1
b8765be74fea9525d978661759be8c11bab5e60e

SHA256
fcf1a18be2e25ba82acf2c59821b030d8ee764e4e201db6ef3c51900d385515f

SHA512
885369fe9b8cb0af1107ee92b52c6a353da7cf75bc86abb622e2b637c81e9c5ffe36b0ac74e11cfb66a7a126b606fe7a27e91f3f4338954c847ed2280af76a5f

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\indent-string\license

Filesize
1KB

MD5
5ad87d95c13094fa67f25442ff521efd

SHA1
01f1438a98e1b796e05a74131e6bb9d66c9e8542

SHA256
67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec

SHA512
7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\ini\LICENSE

Filesize
780B

MD5
b020de8f88eacc104c21d6e6cacc636d

SHA1
20b35e641e3a5ea25f012e13d69fab37e3d68d6b

SHA256
3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706

SHA512
4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmsearch\LICENSE

Filesize
730B

MD5
072ac9ab0c4667f8f876becedfe10ee0

SHA1
0227492dcdc7fb8de1d14f9d3421c333230cf8fe

SHA256
2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013

SHA512
f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minimatch\dist\commonjs\package.json

Filesize
28B

MD5
56368b3e2b84dac2c9ed38b5c4329ec2

SHA1
f67c4acef5973c256c47998b20b5165ab7629ed4

SHA256
58b55392b5778941e1e96892a70edc12e2d7bb8541289b237fbddc9926ed51bd

SHA512
d662bff3885118e607079fcbeedb27368589bc0ee89f90b9281723fa08bda65e5a08d9640da188773193c0076ec0a5c92624673a6a961490be163e2553d6f482

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minimatch\dist\esm\package.json

Filesize
26B

MD5
2324363c71f28a5b7e946a38dc2d9293

SHA1
7eda542849fb3a4a7b4ba8a7745887adcade1673

SHA256
1bf0e53fc74b05f1aade7451fbac72f1944b067d4229d96bae7a225519a250e4

SHA512
7437cf8f337d2562a4046246fbfcc5e9949f475a1435e94efbc4b6a55880050077d72692cbc3413e0ccd8f36adf9956a6cc633a2adc85fbff6c4aa2b8edac677

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\npm-profile\LICENSE.md

Filesize
818B

MD5
2916d8b51a5cc0a350d64389bc07aef6

SHA1
c9d5ac416c1dd7945651bee712dbed4d158d09e1

SHA256
733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04

SHA512
508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-call-limit\LICENSE

Filesize
763B

MD5
7428aa9f83c500c4a434f8848ee23851

SHA1
166b3e1c1b7d7cb7b070108876492529f546219f

SHA256
1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7

SHA512
c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\LICENSE

Filesize
802B

MD5
d7c8fab641cd22d2cd30d2999cc77040

SHA1
d293601583b1454ad5415260e4378217d569538e

SHA256
04400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be

SHA512
278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\index.js

Filesize
16KB

MD5
bc0c0eeede037aa152345ab1f9774e92

SHA1
56e0f71900f0ef8294e46757ec14c0c11ed31d4e

SHA256
7a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5

SHA512
5f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\package.json

Filesize
1KB

MD5
d116a360376e31950428ed26eae9ffd4

SHA1
192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b

SHA256
c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5

SHA512
5221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\es2015\index.js

Filesize
17KB

MD5
cf8f16c1aa805000c832f879529c070c

SHA1
54cc4d6c9b462ad2de246e28cd80ed030504353d

SHA256
77f404d608e2a98f2a038a8aa91b83f0a6e3b4937e5de35a8dae0c23aa9ee573

SHA512
a786e51af862470ae46ad085d33281e45795c24897e64b2c4b265302fa9cbfa47b262ec188adbc80d51cfc6ba395b500c0d7f5d343ca4fc2b828eaedba4bd29a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\index.js

Filesize
15KB

MD5
9841536310d4e186a474dfa2acf558cd

SHA1
33fabbcc5e1adbe0528243eafd36e5d876aaecaa

SHA256
5b3c0ac6483d83e6c079f9ffd1c7a18e883a9aaeaedb2d65dd9d5f78153476b9

SHA512
b67680a81bb4b62f959ba66476723eb681614925f556689e4d7240af8216a49f0d994c31381bf6a9489151d14ed8e0d0d4d28b66f02f31188059c9b24aaa3783

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.url

Filesize
168B

MD5
fb64b6f0ff0e18bcd411828ea1d63152

SHA1
e9fc72f8d9297ceb6b727b02649557c49ef025cf

SHA256
5fed8922ae39caf2d60fa13ee66dbda1532adb40dfbec77cabb68908ced62ee6

SHA512
bb1b7038397fa8628ad4e61797fca28f4a8e565359d52a771c5177587a81e430991c0c689bd1278a519fa4f29c8c79fe651393a967357847e1243c8db2102b24

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js website.url

Filesize
133B

MD5
35b86e177ab52108bd9fed7425a9e34a

SHA1
76a1f47a10e3ab829f676838147875d75022c70c

SHA256
afaa6c6335bd3db79e46fb9d4d54d893cee9288e6bb4738294806a9751657319

SHA512
3c8047c94b789c8496af3c2502896cef2d348ee31618893b9b71244af667ec291dcb9b840f869eb984624660086db0c848d1846aa601893e6f9955e56da19f62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
719182e07998ae9226d45680aa1fe178

SHA1
8f8b03c110c129cb3a35841ed959de7a7266ffec

SHA256
8f1d64c2c4dbb6ca892083e4b4a8bdb4585597e1269c218340c6b12517bb3dbe

SHA512
2df474f0ac4d1ef93b14deda32c5476da130bc41f37c0a5cd0c271c990914613c3c788116a4b87d44876695f71e5a131847fdf96d609364c06cb2f5ed6ce76a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_0D7BFF9D231ADDC3439B70E4C5E809D4

Filesize
727B

MD5
e345bae0f37d21fdf0fa6773be296d58

SHA1
d895854d36d1143afa8b7c72f652cc7234070bda

SHA256
b2189e3d1cc2c5781e433aa6fba2e1cfba2a6049de3227df50772980744e3c4e

SHA512
e76fb4c1445254de68147b39071c3f858e402ee0a03b8439b13f166704225bfd2721ff90b408eb4e9582301caa0228b46cfd40869bdee06f28249db0f2196f3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
4f2f44acff5c280ecd26b5e7144aff24

SHA1
d542052f27cf058cd2bd7d74e75deb8a009bb334

SHA256
c9725747ce7f281ac09f3a2287a236369b00e99f310eb837c45b2b4f66b82030

SHA512
33d4fcb341e625103b16af3f7b37f4fed5e8d56256980e341fff71356d1a1296192741b96be97de703d8f54af24e3438d0a514edb621ee6e42b1dc4d79089d45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
42b96b4bd7bfcc93182e9b6cbc5f54c7

SHA1
cac785c17d5220715313e6fb9464d2e4d3c6ddaa

SHA256
b03fb597efacdf2204fc5a2d1d5e010a2f0b1785902752e3a05bbf8a4fe2d4fb

SHA512
a66220039cde7099bd3741bf23d4032ae7d161ec59f053f17c4161cacb8685229864fb83bf6b52c7431cb082944af70f27fe06df0577fcf521f479700fa29ffc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_0D7BFF9D231ADDC3439B70E4C5E809D4

Filesize
404B

MD5
5620dd8fd230e57b2d69379326ebb5e9

SHA1
d0804593a4d0dd155c2f2c3becfea6152542a505

SHA256
b0bf8ed4c0c543093448ccbb69ebc7a613117982bd40ca37df7bd55f3e08c6e9

SHA512
0dfe7e800d529b26277e7af8725dbeaf44a42c53b7738723221fc773681e355d8d4eb5014d339257f0d772a158b51be1f1fb9e239c48bdd1b11d56ad54c9c8a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
c0d92612e1abfb84ec2661561a9b9ef9

SHA1
16c95077f4a051c0e7f370ff2cddce306a305ef8

SHA256
9616b9328fc108fc1493ca0026168fb7744d7e199947eded4dd616c0d1ca9ba4

SHA512
c5a8805762d1f46f1d00dfcf1684977cac6fda11d87137840920d01f40824ef44335e1392b0dc82cf3581c8ba56726e130215f98940c4c460d2bc572eaf562ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lanos v3 rewrite\node-v20.18.0-x64.msi

Filesize
25.4MB

MD5
12339819ddd55be66e98dbc13196cc2a

SHA1
0c45c8f2d268a6f86d495308e41e3fe425cadfc5

SHA256
93d1d30341d7d38b7a8f3ab0fa3be1f9e6436b90338b2bd8b8af4e80d00bd036

SHA512
0644fb94c125ecdaf932104bc065a2b2b0641db1f3e5435d1a8543db88f09171d120180e25af47289b8e0ef1c81b346ff377bd19ecbc2b6f68424026f9f73cfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9C7A.tmp

Filesize
125KB

MD5
395a651e2e0d8951631d2da7177fa1e9

SHA1
f4ad80ee02fd68ed1d011f8f88a1b3e2853e0cbc

SHA256
d9706a26c4ae7964e5c8c25f838b7ef5346c42761629413ecbd959d440b7a66c

SHA512
95ff5275dfb590392c8a37fa404c628b99ea5f3a9ff1ac29dc7a3e0eeedc8c31a35adfdbbd21f3e037a24eadc25d0fa4c6c7e90569a84c3f96a775c5e66a1bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9CF8.tmp

Filesize
390KB

MD5
80bebea11fbe87108b08762a1bbff2cd

SHA1
a7ec111a792fd9a870841be430d130a545613782

SHA256
facf518f88cd67afd959c99c3ba233f78a4fbfe7fd3565489da74a585b55e9d1

SHA512
a760debb2084d801b6381a0e1dcef66080df03a768cc577b20b8472be87ad8477d59c331159555de10182d87340aa68fe1f3f5d0212048fd7692d85f4da656f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aky240m1.q0w.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Installer\MSI2825.tmp

Filesize
341KB

MD5
74528af81c94087506cebcf38eeab4bc

SHA1
20c0ddfa620f9778e9053bd721d8f51c330b5202

SHA256
2650b77afbbc1faacc91e20a08a89fc2756b9db702a8689d3cc92aa163919b34

SHA512
9ce76594f64ea5969fff3becf3ca239b41fc6295bb3abf8e95f04f4209bb5ccddd09c76f69e1d3986a9fe16b4f0628e4a5c51e2d2edf3c60205758c40da04dae

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.6MB

MD5
97dd0b128443489c5aff1fd99bcbf5e5

SHA1
10cb825f5297603936bf318036c30cf777a4efe3

SHA256
fbbf21d90a72f7bfcef002bf24bbfd9f6d8956c8c2060b91cea2f0f11046afe3

SHA512
af624c4731b59975b3a6cbe8c6e7bf0675ea2fad0a8ba38745ff012a8467ab63d60f663d5b9a009a38b68633dab1832b33c5948b9dfe660c6d113d570309e5f0

Download Submit
\??\Volume{3f575a23-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{554461ac-edb8-4d61-856b-95543a95f0cc}_OnDiskSnapshotProp

Filesize
6KB

MD5
780f51dbfa0d78cc6f981648fdb0ffc6

SHA1
8d32e6b5bdd6c6ebfad4511d1b87235b258cc77e

SHA256
dad32d7f7bac42a5253b4527094c03b556dfbafda24a21de69a6781b97e1d554

SHA512
98acdfeda7c0990f6aee75f7ad348bfb4f125dbcd9366836587d2144bf5bb4f79f99f88383f4d8d14a7b945701e65d7a78680c37ed129279dbfcd4b0fc5382c5

Download Submit
memory/3080-11-0x00007FFDF2E70000-0x00007FFDF3932000-memory.dmp

Filesize
10.8MB

Download
memory/3080-20-0x00007FFDF2E70000-0x00007FFDF3932000-memory.dmp

Filesize
10.8MB

Download
memory/3080-16-0x00007FFDF2E70000-0x00007FFDF3932000-memory.dmp

Filesize
10.8MB

Download
memory/3080-0-0x00007FFDF2E73000-0x00007FFDF2E75000-memory.dmp

Filesize
8KB

Download
memory/3080-7-0x000001DB90920000-0x000001DB90942000-memory.dmp

Filesize
136KB

Download
memory/3080-15-0x00007FFDF2E70000-0x00007FFDF3932000-memory.dmp

Filesize
10.8MB

Download
memory/3080-1-0x00007FFDF2E70000-0x00007FFDF3932000-memory.dmp

Filesize
10.8MB

Download
memory/3080-12-0x00007FFDF2E70000-0x00007FFDF3932000-memory.dmp

Filesize
10.8MB

Download
memory/3080-13-0x00007FFDF2E73000-0x00007FFDF2E75000-memory.dmp

Filesize
8KB

Download
memory/3080-14-0x00007FFDF2E70000-0x00007FFDF3932000-memory.dmp

Filesize
10.8MB

Download