803de9083266eadfe4fdd6761b97224a98877262b0c978a8cf0ac4c5e0760aa0

Analysis

max time kernel
157s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 15:18

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Solara/Monaco/fileaccess/node_modules/body-parser/lib/types/raw.js
Size

1KB
MD5

acb38e4fe575afaf8d1a257e47c6e362
SHA1

ea7411ff5a71df8d426322d07103e5894630e29b
SHA256

4e9cc80a7ee8bd667c68c264b4c374b28e731246ddb6ec22c3968daf837e30a2
SHA512

157427ad25390339b045b9bb81753709498b69b2cc8b9c918c19d52d1cb4f6bbe5b6b07885d0a7f66ef359b7080dc9a42216f71911b08ade04c1a112192bff50

Score

9^/10

discovery evasion execution themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Solara.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Solara.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Solara.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe

Executes dropped EXE 3 IoCs

pid	Process
1704	Bootstrapper.exe
2712	Bootstrapper.exe
2584	Solara.exe

Loads dropped DLL 25 IoCs

pid	Process
2712	MsiExec.exe
2712	MsiExec.exe
2116	MsiExec.exe
2116	MsiExec.exe
2116	MsiExec.exe
2116	MsiExec.exe
2116	MsiExec.exe
4232	MsiExec.exe
4232	MsiExec.exe
4232	MsiExec.exe
2712	MsiExec.exe
3888	MsiExec.exe
3888	MsiExec.exe
1948	MsiExec.exe
1948	MsiExec.exe
1948	MsiExec.exe
1948	MsiExec.exe
1948	MsiExec.exe
1032	MsiExec.exe
3888	MsiExec.exe
2584	Solara.exe
2584	Solara.exe
2584	Solara.exe
2584	Solara.exe
2584	Solara.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral10/memory/2584-3393-0x0000000180000000-0x0000000180A7D000-memory.dmp	themida
behavioral10/memory/2584-3398-0x0000000180000000-0x0000000180A7D000-memory.dmp	themida

Blocklisted process makes network request 2 IoCs

flow	pid	Process
165	3648	msiexec.exe
167	3648	msiexec.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Solara.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
144	raw.githubusercontent.com
145	raw.githubusercontent.com
150	pastebin.com
175	raw.githubusercontent.com
176	raw.githubusercontent.com
188	pastebin.com
189	pastebin.com
146	raw.githubusercontent.com
151	pastebin.com
194	pastebin.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2584	Solara.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\columnify\Makefile	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\bin\npx	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\gt.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\debug\src\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\@npmcli\fs\lib\errors.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@tootallnate\once\dist\types.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\pacote\lib\util\npm.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\event-target-shim\dist\event-target-shim.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\git\lib\clone.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\configuring-npm\npm-shrinkwrap-json.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-registry-fetch\lib\check-response.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\archy\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmfund\README.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmpublish\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\updater.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\arborist\rebuild.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\readable-stream\lib\internal\streams\state.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\generator\dump_dependency_json.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-uninstall.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\retry\example\dns.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\utils\ping.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\string-width\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\readable-stream\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\is-core-module\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\fs\lib\cp\polyfill.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\models\signature.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\promise-all-reject-late\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\easy_xml_test.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\models\index.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-explain.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-install-checks\package.json	msiexec.exe
File created	C:\Program Files\nodejs\install_tools.bat	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\iconv-lite\encodings\sbcs-codec.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\deprecate.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\types\sigstore\__generated__\google\api\field_behavior.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\fs\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\generator\android.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\add-rm-pkg-deps.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-uninstall.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\clone\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\event-target-shim\dist\event-target-shim.mjs.map	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\map-workspaces\package.json	msiexec.exe
File created	C:\Program Files\nodejs\corepack	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\using-npm\developers.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\validate-npm-package-license\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\init-package-json\LICENSE.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\corepack\shims\npm.cmd	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-restart.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\x509\asn1\error.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-flush\node_modules\minipass\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\ansi-styles\index.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\promzard\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\readable-stream\lib\internal\streams\from.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\util\oidc.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\make-fetch-happen\lib\cache\policy.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\@npmcli\fs\lib\common\owner-sync.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-audit-report\lib\reporters\detail.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\events\tests\modify-in-emit.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-prefix.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\index.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\ranges\min-satisfying.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\tuf\trustroot.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\pacote\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\tools\README	msiexec.exe

Drops file in Windows directory 31 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e58a45d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8F2A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA6AC.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIABBF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBBB1.tmp	msiexec.exe
File created	C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB1EB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDC59.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI807E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8010.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e58a459.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB18C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBB81.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE044.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8E7C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA68C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA6BD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDCD7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDE40.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8DBF.tmp	msiexec.exe
File created	C:\Windows\Installer\e58a459.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8F4A.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}	msiexec.exe
File opened for modification	C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI809E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8DFE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8E8D.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8FB9.tmp	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 21 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "200"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 30 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\DocumentationShortcuts	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPathNpmModules = "EnvironmentPath"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\npm	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPathNode = "EnvironmentPath"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPath	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\PackageCode = "347C7A52EDBDC9A498427C0BC7ABB536"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\ProductIcon = "C:\\Windows\\Installer\\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\\NodeIcon"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\NodeRuntime	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\ProductName = "Node.js"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Version = "303038464"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\PackageName = "node-v18.16.0-x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\NodeEtwSupport = "NodeRuntime"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\corepack	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Media	msiexec.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2988	chrome.exe
2988	chrome.exe
1704	Bootstrapper.exe
1704	Bootstrapper.exe
1704	Bootstrapper.exe
3648	msiexec.exe
3648	msiexec.exe
2712	Bootstrapper.exe
2712	Bootstrapper.exe
2712	Bootstrapper.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
1740	chrome.exe
3648	msiexec.exe
3648	msiexec.exe
2584	Solara.exe
2584	Solara.exe
2584	Solara.exe
2584	Solara.exe
2584	Solara.exe
2584	Solara.exe
2584	Solara.exe
2584	Solara.exe
2584	Solara.exe
2584	Solara.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe
Token: SeShutdownPrivilege	2988	chrome.exe
Token: SeCreatePagefilePrivilege	2988	chrome.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe
2988	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4376	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 3116	2988	chrome.exe	83
PID 2988 wrote to memory of 3116	2988	chrome.exe	83
PID 2988 wrote to memory of 1716	2988	chrome.exe	84
PID 2988 wrote to memory of 1716	2988	chrome.exe	84
PID 2988 wrote to memory of 1716	2988	chrome.exe	84
PID 2988 wrote to memory of 1716	2988	chrome.exe	84
PID 2988 wrote to memory of 1716	2988	chrome.exe	84
PID 2988 wrote to memory of 1716	2988	chrome.exe	84
PID 2988 wrote to memory of 1716	2988	chrome.exe	84
PID 2988 wrote to memory of 1716	2988	chrome.exe	84
PID 2988 wrote to memory of 1716	2988	chrome.exe	84
PID 2988 wrote to memory of 1716	2988	chrome.exe	84
PID 2988 wrote to memory of 1716	2988	chrome.exe	84
PID 2988 wrote to memory of 1716	2988	chrome.exe	84
PID 2988 wrote to memory of 1716	2988	chrome.exe	84
PID 2988 wrote to memory of 1716	2988	chrome.exe	84
PID 2988 wrote to memory of 1716	2988	chrome.exe	84
PID 2988 wrote to memory of 1716	2988	chrome.exe	84
PID 2988 wrote to memory of 1716	2988	chrome.exe	84
PID 2988 wrote to memory of 1716	2988	chrome.exe	84
PID 2988 wrote to memory of 1716	2988	chrome.exe	84
PID 2988 wrote to memory of 1716	2988	chrome.exe	84
PID 2988 wrote to memory of 1716	2988	chrome.exe	84
PID 2988 wrote to memory of 1716	2988	chrome.exe	84
PID 2988 wrote to memory of 1716	2988	chrome.exe	84
PID 2988 wrote to memory of 1716	2988	chrome.exe	84
PID 2988 wrote to memory of 1716	2988	chrome.exe	84
PID 2988 wrote to memory of 1716	2988	chrome.exe	84
PID 2988 wrote to memory of 1716	2988	chrome.exe	84
PID 2988 wrote to memory of 1716	2988	chrome.exe	84
PID 2988 wrote to memory of 1716	2988	chrome.exe	84
PID 2988 wrote to memory of 1716	2988	chrome.exe	84
PID 2988 wrote to memory of 4488	2988	chrome.exe	85
PID 2988 wrote to memory of 4488	2988	chrome.exe	85
PID 2988 wrote to memory of 4892	2988	chrome.exe	86
PID 2988 wrote to memory of 4892	2988	chrome.exe	86
PID 2988 wrote to memory of 4892	2988	chrome.exe	86
PID 2988 wrote to memory of 4892	2988	chrome.exe	86
PID 2988 wrote to memory of 4892	2988	chrome.exe	86
PID 2988 wrote to memory of 4892	2988	chrome.exe	86
PID 2988 wrote to memory of 4892	2988	chrome.exe	86
PID 2988 wrote to memory of 4892	2988	chrome.exe	86
PID 2988 wrote to memory of 4892	2988	chrome.exe	86
PID 2988 wrote to memory of 4892	2988	chrome.exe	86
PID 2988 wrote to memory of 4892	2988	chrome.exe	86
PID 2988 wrote to memory of 4892	2988	chrome.exe	86
PID 2988 wrote to memory of 4892	2988	chrome.exe	86
PID 2988 wrote to memory of 4892	2988	chrome.exe	86
PID 2988 wrote to memory of 4892	2988	chrome.exe	86
PID 2988 wrote to memory of 4892	2988	chrome.exe	86
PID 2988 wrote to memory of 4892	2988	chrome.exe	86
PID 2988 wrote to memory of 4892	2988	chrome.exe	86
PID 2988 wrote to memory of 4892	2988	chrome.exe	86
PID 2988 wrote to memory of 4892	2988	chrome.exe	86
PID 2988 wrote to memory of 4892	2988	chrome.exe	86
PID 2988 wrote to memory of 4892	2988	chrome.exe	86
PID 2988 wrote to memory of 4892	2988	chrome.exe	86
PID 2988 wrote to memory of 4892	2988	chrome.exe	86
PID 2988 wrote to memory of 4892	2988	chrome.exe	86
PID 2988 wrote to memory of 4892	2988	chrome.exe	86
PID 2988 wrote to memory of 4892	2988	chrome.exe	86
PID 2988 wrote to memory of 4892	2988	chrome.exe	86
PID 2988 wrote to memory of 4892	2988	chrome.exe	86
PID 2988 wrote to memory of 4892	2988	chrome.exe	86

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Solara\Monaco\fileaccess\node_modules\body-parser\lib\types\raw.js
1⤵
PID:4180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffda94ccc40,0x7ffda94ccc4c,0x7ffda94ccc58
  2⤵
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1900,i,17671480290634982756,18146401874913523231,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1896 /prefetch:2
  2⤵
  PID:1716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2056,i,17671480290634982756,18146401874913523231,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  PID:4488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2316,i,17671480290634982756,18146401874913523231,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2504 /prefetch:8
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,17671480290634982756,18146401874913523231,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3212,i,17671480290634982756,18146401874913523231,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:3132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4592,i,17671480290634982756,18146401874913523231,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3876 /prefetch:1
  2⤵
  PID:3220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4828,i,17671480290634982756,18146401874913523231,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4856 /prefetch:8
  2⤵
  PID:1836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4876,i,17671480290634982756,18146401874913523231,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4856 /prefetch:8
  2⤵
  PID:3988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4808,i,17671480290634982756,18146401874913523231,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4700,i,17671480290634982756,18146401874913523231,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4480 /prefetch:1
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4548,i,17671480290634982756,18146401874913523231,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4620 /prefetch:1
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4580,i,17671480290634982756,18146401874913523231,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4628 /prefetch:1
  2⤵
  PID:820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5308,i,17671480290634982756,18146401874913523231,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4540,i,17671480290634982756,18146401874913523231,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5284,i,17671480290634982756,18146401874913523231,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:4600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5176,i,17671480290634982756,18146401874913523231,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5572,i,17671480290634982756,18146401874913523231,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5548 /prefetch:1
  2⤵
  PID:3500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5712,i,17671480290634982756,18146401874913523231,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4536 /prefetch:1
  2⤵
  PID:3860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4788,i,17671480290634982756,18146401874913523231,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4796 /prefetch:8
  2⤵
  PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5144,i,17671480290634982756,18146401874913523231,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5812 /prefetch:8
  2⤵
  PID:1748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3228,i,17671480290634982756,18146401874913523231,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4632 /prefetch:8
  2⤵
  PID:4232
- C:\Users\Admin\Downloads\Bootstrapper.exe
  "C:\Users\Admin\Downloads\Bootstrapper.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1704
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2520
- C:\Users\Admin\Downloads\Bootstrapper.exe
  "C:\Users\Admin\Downloads\Bootstrapper.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2712
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1704
- - C:\ProgramData\Solara\Solara.exe
    "C:\ProgramData\Solara\Solara.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:2584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5508,i,17671480290634982756,18146401874913523231,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5848 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1740

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3572

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3648
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 41ECAABD2F217B957577B001DB438B30
  2⤵
  - Loads dropped DLL
  PID:2712
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 04C55332ABC702FEE24F72558AC42C19
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2116
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3A51C57EF9BF07E01E1817690CC932E7 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4232
- - C:\Windows\SysWOW64\wevtutil.exe
    "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1100
  - - C:\Windows\System32\wevtutil.exe
      "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man" /fromwow64
      4⤵
      PID:2412
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding B980C81A6969B710769776AB1C673FBC
  2⤵
  - Loads dropped DLL
  PID:3888
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B9805601DEAD23C2FD73F3749068F0A8
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1948
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 41D488C002280678963BCB2FD6543E13 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1032

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3967055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58a45c.rbs

Filesize
1.0MB

MD5
8b02b9c85d04cac4c7f8f001b8478bc0

SHA1
cf42a663db8ca92f18e50b5276e31ec481828e50

SHA256
be518bc2ddb4de9061b05dd4f852c1e789be36cfd64d3537c8fedf4ee3c66a4d

SHA512
14edff31539819c970bad7df64a0537147eac52019df6a4a0096614486e07f4db2fa1323a2279bfdf8376ec1ab21d2cef08486f6abb2dc0fb4420d707a583d0e

Download Submit
C:\Config.Msi\e58a460.rbs

Filesize
215KB

MD5
3af1afa30f7693d604a2da8bb5bb2412

SHA1
782dc5f9a70310d4cc883c68c08b04c1b6e39368

SHA256
e6df1afff642bec9ddf80a9b8c9ccbc88498efef01d08b6d6bf7035b8dc7b1ce

SHA512
c7840626d1a430a1ab99bcff529fc03796cb3f8ca3096e4c1160dd2df328d3cf7c54f9ee378f3c10b457b13eef1208eeff0cc53f7798445bfca01be07b59d544

Download Submit
C:\Program Files\nodejs\node_etw_provider.man

Filesize
10KB

MD5
1d51e18a7247f47245b0751f16119498

SHA1
78f5d95dd07c0fcee43c6d4feab12d802d194d95

SHA256
1975aa34c1050b8364491394cebf6e668e2337c3107712e3eeca311262c7c46f

SHA512
1eccbe4ddae3d941b36616a202e5bd1b21d8e181810430a1c390513060ae9e3f12cd23f5b66ae0630fd6496b3139e2cc313381b5506465040e5a7a3543444e76

Download Submit
C:\Program Files\nodejs\node_etw_provider.man

Filesize
8KB

MD5
d3bc164e23e694c644e0b1ce3e3f9910

SHA1
1849f8b1326111b5d4d93febc2bafb3856e601bb

SHA256
1185aaa5af804c6bc6925f5202e68bb2254016509847cd382a015907440d86b4

SHA512
91ebff613f4c35c625bb9b450726167fb77b035666ed635acf75ca992c4846d952655a2513b4ecb8ca6f19640d57555f2a4af3538b676c3bd2ea1094c4992854

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\LICENSE.md

Filesize
818B

MD5
2916d8b51a5cc0a350d64389bc07aef6

SHA1
c9d5ac416c1dd7945651bee712dbed4d158d09e1

SHA256
733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04

SHA512
508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\aggregate-error\license

Filesize
1KB

MD5
5ad87d95c13094fa67f25442ff521efd

SHA1
01f1438a98e1b796e05a74131e6bb9d66c9e8542

SHA256
67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec

SHA512
7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE

Filesize
754B

MD5
d2cf52aa43e18fdc87562d4c1303f46a

SHA1
58fb4a65fffb438630351e7cafd322579817e5e1

SHA256
45e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0

SHA512
54e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmhook\LICENSE.md

Filesize
771B

MD5
e9dc66f98e5f7ff720bf603fff36ebc5

SHA1
f2b428eead844c4bf39ca0d0cf61f6b10aeeb93b

SHA256
b49c8d25a8b57fa92b2902d09c4b8a809157ee32fc10d17b7dbb43c4a8038f79

SHA512
8027d65e1556511c884cb80d3c1b846fc9d321f3f83002664ad3805c4dee8e6b0eaf1db81c459153977bdbde9e760b0184ba6572f68d78c37bff617646bcfc3b

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmorg\LICENSE

Filesize
730B

MD5
072ac9ab0c4667f8f876becedfe10ee0

SHA1
0227492dcdc7fb8de1d14f9d3421c333230cf8fe

SHA256
2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013

SHA512
f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-pipeline\node_modules\minipass\package.json

Filesize
1KB

MD5
d116a360376e31950428ed26eae9ffd4

SHA1
192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b

SHA256
c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5

SHA512
5221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\LICENSE

Filesize
802B

MD5
d7c8fab641cd22d2cd30d2999cc77040

SHA1
d293601583b1454ad5415260e4378217d569538e

SHA256
04400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be

SHA512
278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\index.js

Filesize
16KB

MD5
bc0c0eeede037aa152345ab1f9774e92

SHA1
56e0f71900f0ef8294e46757ec14c0c11ed31d4e

SHA256
7a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5

SHA512
5f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\LICENSE

Filesize
780B

MD5
b020de8f88eacc104c21d6e6cacc636d

SHA1
20b35e641e3a5ea25f012e13d69fab37e3d68d6b

SHA256
3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706

SHA512
4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-all-reject-late\LICENSE

Filesize
763B

MD5
7428aa9f83c500c4a434f8848ee23851

SHA1
166b3e1c1b7d7cb7b070108876492529f546219f

SHA256
1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7

SHA512
c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\index.d.ts

Filesize
4KB

MD5
f0bd53316e08991d94586331f9c11d97

SHA1
f5a7a6dc0da46c3e077764cfb3e928c4a75d383e

SHA256
dd3eda3596af30eda88b4c6c2156d3af6e7fa221f39c46e492c5e9fb697e2fef

SHA512
fd6affbaed67d09cf45478f38e92b8ca6c27650a232cbbeaff36e4f7554fb731ae44cf732378641312e98221539e3d8fabe80a7814e4f425026202de44eb5839

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\treeverse\LICENSE

Filesize
771B

MD5
1d7c74bcd1904d125f6aff37749dc069

SHA1
21e6dfe0fffc2f3ec97594aa261929a3ea9cf2ab

SHA256
24b8d53712087b867030d18f2bd6d1a72c78f9fb4dee0ce025374da25e4443b9

SHA512
b5ac03addd29ba82fc05eea8d8d09e0f2fa9814d0dd619c2f7b209a67d95b538c3c2ff70408641ef3704f6a14e710e56f4bf57c2bb3f8957ba164f28ee591778

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.url

Filesize
168B

MD5
db7dbbc86e432573e54dedbcc02cb4a1

SHA1
cff9cfb98cff2d86b35dc680b405e8036bbbda47

SHA256
7cf8a9c96f9016132be81fd89f9573566b7dc70244a28eb59d573c2fdba1def9

SHA512
8f35f2e7dac250c66b209acecab836d3ecf244857b81bacebc214f0956ec108585990f23ff3f741678e371b0bee78dd50029d0af257a3bb6ab3b43df1e39f2ec

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js website.url

Filesize
133B

MD5
35b86e177ab52108bd9fed7425a9e34a

SHA1
76a1f47a10e3ab829f676838147875d75022c70c

SHA256
afaa6c6335bd3db79e46fb9d4d54d893cee9288e6bb4738294806a9751657319

SHA512
3c8047c94b789c8496af3c2502896cef2d348ee31618893b9b71244af667ec291dcb9b840f869eb984624660086db0c848d1846aa601893e6f9955e56da19f62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000029

Filesize
20KB

MD5
6931123c52bee278b00ee54ae99f0ead

SHA1
6907e9544cd8b24f602d0a623cfe32fe9426f81f

SHA256
c54a6c3031bf3472077c716fa942bd683119dc483b7e0181e8a608fa0b309935

SHA512
40221fe98816aa369c45f87dc62e6d91fcdb559d9756cb6a05819f1cde629e23a51803e71371f4e4f27112a09489d58ed45b2b901a5f2f00c69c082b3576057f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002b

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\81053942b6675ecf_0

Filesize
252B

MD5
0762ee2d7d4455b49539d3bf1f8f43e4

SHA1
c9cf71bee99b76be1df61d0aa14a88fdca344c36

SHA256
ab536be19e9609986fb98a3f1773662f69c6600fd627fcb19489e03ee730f889

SHA512
c41cea8b9b97337530442c0f18ebb156e4e1dca0739757d0b99e8531f2d02b6d566f008cec8c27e623963f502b51726daa7ce8a2e653f61e2ddd31dafc2a656d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\828f95392b6430fc_0

Filesize
263B

MD5
6acc8c3271a2e3498161e1ebad4e926b

SHA1
83cc6ab5cf7afd3c9f4d70b105dff8db021c91aa

SHA256
c512093718ddd810f4a63f805fcb92e0a880d77a2331b54392b00744cb4eecc6

SHA512
8daa4be0d59b2f59b5e9a0ab89ef91c172067c94fc3133fb60591a51b637e79129b2740e1333b5770c7bb4bdd969b490d5db7ee342171dacdca435d917ee725f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
e3fd8eb3e8a0c5375cbe2da95e929985

SHA1
68152013c2b3c42b979b686c36ab3ee5c26ad1f9

SHA256
04b60c984d2b21d10b42b60e5dd9b3254686ec10093ca712f0f6e028be61289e

SHA512
e243706855753804c762f091bb8dad56c220bd614ad86bb522dd8d606473c2058fe00724577ddd1e25e7473031c1bc5acf359a0831e48c5cb76f4ddf6ff2c74c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
6755a9b877cd04a60da62d22ef554e5b

SHA1
5cd1f179e560826d0aa1e4a340ffe948b1ba606c

SHA256
34c68c3ba19aa3b57757e45543778a24c804eb6737d628004920495ef2ea59ad

SHA512
1771f702cfb328cb3e95c9030c785905a9ca3a354a4e9f4f380254f68021ffd963387f518470aed2ea717ebdb33bf5d17d920f42cf99b2af6827d3117db4e99f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
9KB

MD5
daa6cdbbb0f4fb7a926f77d09883698b

SHA1
dcd69f93a32cd848d4f2adc85dcef06560b46cce

SHA256
c1917037dc248c6b989f40f39a99041a106f92134458a2048e21de8c872fa835

SHA512
a479332336a14951b383b90efc6a56e696397539a0f47ec9e1f8e9a1cfd5a37108e99eddfe29b230b33bd6f6cea35247a1e344163f261f68a57c7139b4bef819

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
624433af199332752428093589352799

SHA1
b1f036ec2c81030225e310fb6534aa5c710ab083

SHA256
82a6e12791db095dcae28ffa336c4b5381a5e7c13d17cba1c02e4f69c25f3e34

SHA512
b9e5fc9b9c25504eaf9b84c4c83c049c77273dba06f94b908ce51ec7235966832fc0382554d552550c40823968a03d571ce21bea5cf8148016bd9c0f34781d35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8dcbc4ff33b2dffc50177392baecd178

SHA1
b4943c1a539e28a2879465e4c4ccfc75c2365b88

SHA256
0151e84c693669bcc5582477871e0526003c3a3ef1bd8e528c7066e81005427f

SHA512
83cdff7ccee8b54bded5fb20b3a68a6d7abd2d6a5e163cbbc835b8ebefa05c618e0b2798a77d7eca2a2983a4e1358d6400ff515781011ff646ee988928068c0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
515587dd23d84ab3bab9f8fdea4b3658

SHA1
9ca1d900258b7768592fd145742e9e9345839ec3

SHA256
abc06c4bf543f08c146567a2e4ce2f83a694695c9c41a5371e9e89217ca14505

SHA512
1ac98b160afb6d1bfb5cb028ed1ea03bf2c4be86940b8a13d7712d17f78527f49d82e36039c50df760fcd3ccde5f1533375e66a002852fe92cad2e47c3e710fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
234af5634f7a8b195404738e6afc9098

SHA1
7543f5f20bc0f6a07f0254cd401939c208cceb17

SHA256
2dc8a64204c4a48cf450ef37165fd0e54a895f359c4ad3e1383974153bee01d2

SHA512
8a6be087b7042248eb78ff4269b9e5ea8bfd57ade56c937ec06d7aa349ce6c8f142d3eb919421ae6dc1731e5a117dcaa0d98f0a027d7130301627c0788ecad3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
3bc3dcd697b8c7ff05101e81cfedc5e3

SHA1
934097ff7c36a0a307efe442f921a5cb8cb30cc3

SHA256
41f8e2e948090e37f6973ec224e874fe849228fb09b19eb787a40b9edbe10e99

SHA512
b96859dec013a9d2521770ed0ca7b134caf5d7f7d4340cbc5179568229e26c113c7a3949d7d8d19cc67b85eb3dbfce9146938df792e1b24421cedfadc213cc9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a4695e082bb199a9bcb9ccb356ea9c8a

SHA1
df47a169dcf67fd40c68b4508f7cd79288f5e6aa

SHA256
5756bc5b2a18cd8c5f2bf32ec0c2679e54d88aa9708139e56f29ec9c1e8ae085

SHA512
89b5ea21e42edc5b5d0439b13413010af7e1156e591692450305fcbfe67b910f2c292016d3c18c8d24997f97ec9a2af9d202c213f8b5aec15636f0919c7f892d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
17fdb8700ccfa122cf8eb8011b38b090

SHA1
27b020aa081abd1b5d0be74657569f41ba1ecbd4

SHA256
d96f805b2c246afcab454200df1ebb0af013336ecea5ce27853ebd7cd795c0a8

SHA512
63ece371a81d4b3f33067d157e04bed9bb64137d00e1e1126fdde1b2b519fecbe4084abe11c8e5a35c593d25eb62e0b97d23b7b6a31a4f4a049574c22d464f1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
caba454e5865b11daa46a363c0aff977

SHA1
ffdf8e2e764583ba83752ae9371773d83fa2ab46

SHA256
23abc0afe7825eaa4013e765fac92ecf0876af46ce9fb859dfba86a5d246a2b5

SHA512
78109fe87c28c90c951ea874cab10efa5f8e5009846523452dedcdc31ad0326336543bf09d57d3e91f13389552bb490c2a20f475650b6527295531c4ad490e16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8284fc6fac8a69914881254687959eb8

SHA1
676dc7df49f8b5c579b86b9e190631ac0c28261b

SHA256
743f044e1b1a267d6a1aa978b3a23c03b5425eeab95910d8e8fac5cb19a4ae43

SHA512
37be7ae79702859e8fbb17119010c746a0fa8eeb98eb8e5382a4e57af8ac1d35cf69d21759abddcfeac771a456573a711d101903dd7a39fd0f558515efecd3e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2c8ccee19c99f7fd3f0c0d1714fb803d

SHA1
10c76e9d118d8f11099bf76b9634f9400c944b3f

SHA256
e73a69961f219a47e7e489475c54eb06852f12670008ffed970e305c42075fd9

SHA512
865e6f7696723850db47138410f2e1da3ec7be2c5b0b948a42af473c0c6a01d3c7b73c700afe1b191357eaae90d6f04635df0630de91cc35e07df02b0a54cdfd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
22509612a3f48e999914b53460982359

SHA1
2de7cf85ded3e73f8c5ec08320314a3e4fab1587

SHA256
02470a40b256e1552368ce810da64c90acf71ea00adbf54a1741707dce1495fa

SHA512
5b71f029c3c10e29fc43feb101b91405b8aa0b61c6607f0f44a69a048af1ed66ae3b7b6972a21e004030f4557fb0b9271aebe2e3c3d0cb1f04c0f65ea9bbba46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a0f985cd3cb909b25edef90ef8d0cc6a

SHA1
1ec2c13ff7d4579134fc4ed0bf67ba67b4122a86

SHA256
31d9759b36e34ce6332ae84d5c1d2ec9c79d5a85f2586ca45b90ec896546a444

SHA512
ba7a13451d4d927eac88cfeeb33f847bcd4892ff50e90c26291346594231accdf2a7a3433ac1fcbb9f31617fb89a093f281941c5ac7877bc527a40e4d6844581

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fc6f237496a3cf000e13108d627729eb

SHA1
8a4e4210d5c40bd6e32a6f631a50c406fed2741b

SHA256
f42732c26f84ca9ea0da14fcdcad2b8df8fee2f30c56a264984471b016ad14dc

SHA512
7c662ee209b60d9478cd1909548b8d6d591d67aa95978c2a05e322f6c7aecc8707b63c92d08847c9353d44b8310fc38d4fd4802069a0eb0de309fe3e613f1afd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
86e9c915c37d866bf842ba1146f840dc

SHA1
1eeba421c4324f455c0c7e17a2e7fd36bbcaccf2

SHA256
2ea3747dfad238f26b8cd18f14bda621e8c73da784b9c5e37afc80564f03f33a

SHA512
a5984fc6d952c757c2a51a9bc3303ab5d39d84766bfa30e584e9ee5c037e2a857e7178493e18a0b92d8132757e92526115f2f26efb4b345c627b30c53e34dc47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cc6a70a67babf9561662c5645dfbb86e

SHA1
3f4b33906b1eef055be07efe91e60e6572aeab74

SHA256
5bb022acb9ffa5da0f7ff3309e196ac8566b106e459f0649c04bbc3419b65553

SHA512
6c05b5dd90e161291ed1944313349726bc9ba8bd52dea2c00876251dad193e0fa8e21af67c8173288eb9b8a35d67d8370de969d77f4811221af2893242705c0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
5b673397a519263f2af205ba278b2594

SHA1
61c08377281ea49cb5014e9afbc6db115bf46fb8

SHA256
f15104f3f343dcc87db014e2635c7d2db3b61443b1ae070eddb8484a106841dc

SHA512
6fb1f0a1587bd7e06f27f6bd4cbe60e5413f02a7822bc1002d12e823ccd430bfdbaea9f7d49a0a6944996ec1efdfe99b7170f67b20f7bfde608a17634b850f60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
da85ec78155325beb2b080d1d808c86f

SHA1
4f37d713f716a9cc8b9918e4cfa51fd3e3def0bd

SHA256
caf109c1959363529525f19232d8fe416b8def28589fbf9f3140193235b2cb92

SHA512
c7d89a7d70f1f5e20557d7bae3fc0355de98ce53a83191d319ea3f73b65613c19a2b41d1bf60f4e8a25611a07523f866c3da9f896ab666cef81b359c2e87ebf4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
5373d7bda654d7656454973bf70f778f

SHA1
4d66fa90bc3b38e3b75ec43a49cdcbc1f125060d

SHA256
6c0584533bc902ce071d8a00f6f7646246b397805122660dae149362b8f5f41f

SHA512
bdf9f4c772e4eb0ae5b6e214f0e109be3135d9d1932c5dd9c941f18cae816982c433141c753633b12be238785288a21e79300592526608775ff7d5a66014fea6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
3791d505786f3c4fe7d21152a9a59a2a

SHA1
bcec1f14b28302bf42715f3cd82756e66dc47a48

SHA256
cd8eaf94f221ad5318143e3daa838257fb8b097e9a7e4c4506895a225325c09a

SHA512
0183e2e425b188014c3041b88267874fd54c16b2a24d20702b434bb825fc93e41c93c3edd381566ef17e796ca159e6352c91ce935959a3063e81335ac80be4cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Bootstrapper.exe.log

Filesize
1KB

MD5
b25a3702edfb89963f12d5de2478fb53

SHA1
b3d276a21196fcbe9c97eb49fd5f36672bec88a3

SHA256
516c9cca46273dcf55bc9e5e21e47b875daca484f1e3ab25f92e5f3c5f4f20ad

SHA512
05cb91c1480fdbfa8278864e318319a21a6313c0a595fab63a91a633c5e4b4559802decb7aaaa882374e6e946f041100522e814a65a2f0e1e0b7fec6c083738e

Download Submit
C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi

Filesize
30.1MB

MD5
0e4e9aa41d24221b29b19ba96c1a64d0

SHA1
231ade3d5a586c0eb4441c8dbfe9007dc26b2872

SHA256
5bfb6f3ab89e198539408f7e0e8ec0b0bd5efe8898573ec05b381228efb45a5d

SHA512
e6f27aecead72dffecbeaad46ebdf4b1fd3dbcddd1f6076ba183b654e4e32d30f7af1236bf2e04459186e993356fe2041840671be73612c8afed985c2c608913

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 270278.crdownload

Filesize
795KB

MD5
365971e549352a15e150b60294ec2e57

SHA1
2932242b427e81b1b4ac8c11fb17793eae0939f7

SHA256
faad2bc8e61b75e595a80ff2b6d150ff8b27187a8ba426cc1e5e38e193ab6d42

SHA512
f7ba1353e880213a6bdf5bd1dfdfd42a0acf4066a540a502e8df8fec8eac7fb80b75aa52e68eca98be3f7701da48eb90758e5b94d72013d3dff05e0aaf27e938

Download Submit
C:\Windows\Installer\MSIA68C.tmp

Filesize
122KB

MD5
9fe9b0ecaea0324ad99036a91db03ebb

SHA1
144068c64ec06fc08eadfcca0a014a44b95bb908

SHA256
e2cce64916e405976a1d0c522b44527d12b1cba19de25da62121cf5f41d184c9

SHA512
906641a73d69a841218ae90b83714a05af3537eec8ad1d761f58ac365cf005bdd74ad88f71c4437aaa126ac74fa46bcad424d17c746ab197eec2caa1bd838176

Download Submit
C:\Windows\Installer\MSIA6BD.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\MSIB18C.tmp

Filesize
297KB

MD5
7a86ce1a899262dd3c1df656bff3fb2c

SHA1
33dcbe66c0dc0a16bab852ed0a6ef71c2d9e0541

SHA256
b8f2d0909d7c2934285a8be010d37c0609c7854a36562cbfcbce547f4f4c7b0c

SHA512
421e8195c47381de4b3125ab6719eec9be7acd2c97ce9247f4b70a309d32377917c9686b245864e914448fe53df2694d5ee5f327838d029989ba7acafda302ec

Download Submit
memory/1704-458-0x0000000074B0E000-0x0000000074B0F000-memory.dmp

Filesize
4KB

Download
memory/1704-3293-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/1704-2891-0x0000000005B90000-0x0000000005BA2000-memory.dmp

Filesize
72KB

Download
memory/1704-2880-0x0000000005B60000-0x0000000005B6A000-memory.dmp

Filesize
40KB

Download
memory/1704-2831-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/1704-1965-0x0000000074B0E000-0x0000000074B0F000-memory.dmp

Filesize
4KB

Download
memory/1704-459-0x00000000001A0000-0x000000000026E000-memory.dmp

Filesize
824KB

Download
memory/1704-460-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/1704-461-0x0000000005600000-0x0000000005622000-memory.dmp

Filesize
136KB

Download
memory/1704-462-0x0000000005630000-0x0000000005984000-memory.dmp

Filesize
3.3MB

Download
memory/2584-3373-0x000001B3BE6C0000-0x000001B3BE6CE000-memory.dmp

Filesize
56KB

Download
memory/2584-3372-0x000001B3BE900000-0x000001B3BE922000-memory.dmp

Filesize
136KB

Download
memory/2584-3374-0x000001B3BF590000-0x000001B3BF60E000-memory.dmp

Filesize
504KB

Download
memory/2584-3371-0x000001B3BEA80000-0x000001B3BEB32000-memory.dmp

Filesize
712KB

Download
memory/2584-3370-0x000001B3BE9C0000-0x000001B3BEA7A000-memory.dmp

Filesize
744KB

Download
memory/2584-3393-0x0000000180000000-0x0000000180A7D000-memory.dmp

Filesize
10.5MB

Download
memory/2584-3395-0x000001B3BECD0000-0x000001B3BECD8000-memory.dmp

Filesize
32KB

Download
memory/2584-3396-0x000001B3BF780000-0x000001B3BF7B8000-memory.dmp

Filesize
224KB

Download
memory/2584-3397-0x000001B3BF750000-0x000001B3BF75E000-memory.dmp

Filesize
56KB

Download
memory/2584-3398-0x0000000180000000-0x0000000180A7D000-memory.dmp

Filesize
10.5MB

Download
memory/2584-3369-0x000001B3BED50000-0x000001B3BF28C000-memory.dmp

Filesize
5.2MB

Download
memory/2584-3368-0x000001B3A41F0000-0x000001B3A420C000-memory.dmp

Filesize
112KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads