6bb9ad960bcc9010db1b9918369bdfc4558f19287b5b6562079c610a28320178

Resubmissions

11/08/2024, 21:48

240811-1nvq9azdrj 7

11/08/2024, 21:37

240811-1gtwdazbml 7

Analysis

max time kernel
140s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bootstrapper.exe
Size

796KB
MD5

76639ab92661f5c384302899934051ab
SHA1

9b33828f8ad3a686ff02b1a4569b8ae38128caed
SHA256

6bb9ad960bcc9010db1b9918369bdfc4558f19287b5b6562079c610a28320178
SHA512

928e4374c087070f8a6786f9082f05a866751ea877edf9afa23f6941dfc4d6762e1688bbb135788d6286ec324fa117fc60b46fed2f6e3a4ab059465a00f2ebee
SSDEEP

12288:THeLH6iTPSE54sgweI9oaQJj3r+piq+77xOZ+eMm:THeLHdTSEeyoaQJj3Spiq+77xd

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe

Loads dropped DLL 11 IoCs

pid	Process
2180	MsiExec.exe
2180	MsiExec.exe
4976	MsiExec.exe
4976	MsiExec.exe
4976	MsiExec.exe
4976	MsiExec.exe
4976	MsiExec.exe
3092	MsiExec.exe
3092	MsiExec.exe
3092	MsiExec.exe
2180	MsiExec.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
40	1416	msiexec.exe
42	1416	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
26	pastebin.com
27	pastebin.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\ignore-walk\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\events\tests\check-listener-leaks.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\qrcode-terminal\README.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\events\tests\errors.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\env-paths\license	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\init-package-json\lib\default-input.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\README.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\unique-filename\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man7\logging.7	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\qrcode-terminal\lib\main.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\pacote\lib\util\cache-dir.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\path-is-absolute\license	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\node_modules\glob\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\lib\memoization.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\lib\content\rm.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\tuf\index.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmpublish\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\types\sigstore\serialized.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-run-script.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\walk-up-path\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\configuring-npm\npmrc.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\.github\workflows\release-please.yml	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\consistent-resolve.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-fetch\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\events\tests\listener-count.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\fastest-levenshtein\LICENSE.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-run-script.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\qrcode-terminal\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\read\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\diff\lib\index.es6.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\socks\typings\common\util.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\init-package-json\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-view.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\hosted-git-info\lib\hosts.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\http-cache-semantics\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\aggregate-error\index.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\arborist\reify.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\process\browser.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\readable-stream\lib\_stream_writable.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pyproject.toml	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\text-table\example\doubledot.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-diff.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\lib\find-python.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\dist\selectors\constructors.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\config\lib\set-envs.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\is-core-module\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\configuring-npm\package-json.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\string_decoder\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\using-npm\package-spec.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\types\sigstore\__generated__\google\api\field_behavior.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\concat-map\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\git\lib\find.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\using-npm\developers.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\buffer\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\MSVSProject.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\minipass-fetch\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\buffer\index.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\index.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\configuring-npm\npm-shrinkwrap-json.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\utils\reify-finish.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\bin\ideal.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-org.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\git\package.json	msiexec.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e579dda.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICFCE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e579dd6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA84B.tmp	msiexec.exe
File created	C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon	msiexec.exe
File created	C:\Windows\Installer\e579dd6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA2C8.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA684.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICABB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICC24.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA307.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA318.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA81B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIADAB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIADCB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICA0F.tmp	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133678859358675233"	chrome.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\npm	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\NodeEtwSupport = "NodeRuntime"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\corepack	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\ProductIcon = "C:\\Windows\\Installer\\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\\NodeIcon"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\DocumentationShortcuts	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\ProductName = "Node.js"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Version = "303038464"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\NodeRuntime	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPath	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\PackageName = "node-v18.16.0-x64.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPathNpmModules = "EnvironmentPath"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\PackageCode = "347C7A52EDBDC9A498427C0BC7ABB536"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPathNode = "EnvironmentPath"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3268	Bootstrapper.exe
3268	Bootstrapper.exe
1416	msiexec.exe
1416	msiexec.exe
3984	chrome.exe
3984	chrome.exe
2312	msedge.exe
2312	msedge.exe
1536	msedge.exe
1536	msedge.exe
4772	identity_helper.exe
4772	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3268	Bootstrapper.exe
Token: SeShutdownPrivilege	2932	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2932	msiexec.exe
Token: SeSecurityPrivilege	1416	msiexec.exe
Token: SeCreateTokenPrivilege	2932	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2932	msiexec.exe
Token: SeLockMemoryPrivilege	2932	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2932	msiexec.exe
Token: SeMachineAccountPrivilege	2932	msiexec.exe
Token: SeTcbPrivilege	2932	msiexec.exe
Token: SeSecurityPrivilege	2932	msiexec.exe
Token: SeTakeOwnershipPrivilege	2932	msiexec.exe
Token: SeLoadDriverPrivilege	2932	msiexec.exe
Token: SeSystemProfilePrivilege	2932	msiexec.exe
Token: SeSystemtimePrivilege	2932	msiexec.exe
Token: SeProfSingleProcessPrivilege	2932	msiexec.exe
Token: SeIncBasePriorityPrivilege	2932	msiexec.exe
Token: SeCreatePagefilePrivilege	2932	msiexec.exe
Token: SeCreatePermanentPrivilege	2932	msiexec.exe
Token: SeBackupPrivilege	2932	msiexec.exe
Token: SeRestorePrivilege	2932	msiexec.exe
Token: SeShutdownPrivilege	2932	msiexec.exe
Token: SeDebugPrivilege	2932	msiexec.exe
Token: SeAuditPrivilege	2932	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2932	msiexec.exe
Token: SeChangeNotifyPrivilege	2932	msiexec.exe
Token: SeRemoteShutdownPrivilege	2932	msiexec.exe
Token: SeUndockPrivilege	2932	msiexec.exe
Token: SeSyncAgentPrivilege	2932	msiexec.exe
Token: SeEnableDelegationPrivilege	2932	msiexec.exe
Token: SeManageVolumePrivilege	2932	msiexec.exe
Token: SeImpersonatePrivilege	2932	msiexec.exe
Token: SeCreateGlobalPrivilege	2932	msiexec.exe
Token: SeRestorePrivilege	1416	msiexec.exe
Token: SeTakeOwnershipPrivilege	1416	msiexec.exe
Token: SeRestorePrivilege	1416	msiexec.exe
Token: SeTakeOwnershipPrivilege	1416	msiexec.exe
Token: SeRestorePrivilege	1416	msiexec.exe
Token: SeTakeOwnershipPrivilege	1416	msiexec.exe
Token: SeRestorePrivilege	1416	msiexec.exe
Token: SeTakeOwnershipPrivilege	1416	msiexec.exe
Token: SeRestorePrivilege	1416	msiexec.exe
Token: SeTakeOwnershipPrivilege	1416	msiexec.exe
Token: SeRestorePrivilege	1416	msiexec.exe
Token: SeTakeOwnershipPrivilege	1416	msiexec.exe
Token: SeRestorePrivilege	1416	msiexec.exe
Token: SeTakeOwnershipPrivilege	1416	msiexec.exe
Token: SeRestorePrivilege	1416	msiexec.exe
Token: SeTakeOwnershipPrivilege	1416	msiexec.exe
Token: SeRestorePrivilege	1416	msiexec.exe
Token: SeTakeOwnershipPrivilege	1416	msiexec.exe
Token: SeRestorePrivilege	1416	msiexec.exe
Token: SeTakeOwnershipPrivilege	1416	msiexec.exe
Token: SeRestorePrivilege	1416	msiexec.exe
Token: SeTakeOwnershipPrivilege	1416	msiexec.exe
Token: SeSecurityPrivilege	3868	wevtutil.exe
Token: SeBackupPrivilege	3868	wevtutil.exe
Token: SeSecurityPrivilege	2248	wevtutil.exe
Token: SeBackupPrivilege	2248	wevtutil.exe
Token: SeRestorePrivilege	1416	msiexec.exe
Token: SeTakeOwnershipPrivilege	1416	msiexec.exe
Token: SeRestorePrivilege	1416	msiexec.exe
Token: SeTakeOwnershipPrivilege	1416	msiexec.exe
Token: SeRestorePrivilege	1416	msiexec.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
3984	chrome.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe
1536	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3268 wrote to memory of 2932	3268	Bootstrapper.exe	94
PID 3268 wrote to memory of 2932	3268	Bootstrapper.exe	94
PID 1416 wrote to memory of 2180	1416	msiexec.exe	97
PID 1416 wrote to memory of 2180	1416	msiexec.exe	97
PID 1416 wrote to memory of 4976	1416	msiexec.exe	98
PID 1416 wrote to memory of 4976	1416	msiexec.exe	98
PID 1416 wrote to memory of 4976	1416	msiexec.exe	98
PID 1416 wrote to memory of 3092	1416	msiexec.exe	101
PID 1416 wrote to memory of 3092	1416	msiexec.exe	101
PID 1416 wrote to memory of 3092	1416	msiexec.exe	101
PID 3092 wrote to memory of 3868	3092	MsiExec.exe	102
PID 3092 wrote to memory of 3868	3092	MsiExec.exe	102
PID 3092 wrote to memory of 3868	3092	MsiExec.exe	102
PID 3868 wrote to memory of 2248	3868	wevtutil.exe	104
PID 3868 wrote to memory of 2248	3868	wevtutil.exe	104
PID 3984 wrote to memory of 2572	3984	chrome.exe	112
PID 3984 wrote to memory of 2572	3984	chrome.exe	112
PID 3984 wrote to memory of 456	3984	chrome.exe	113
PID 3984 wrote to memory of 456	3984	chrome.exe	113
PID 3984 wrote to memory of 456	3984	chrome.exe	113
PID 3984 wrote to memory of 456	3984	chrome.exe	113
PID 3984 wrote to memory of 456	3984	chrome.exe	113
PID 3984 wrote to memory of 456	3984	chrome.exe	113
PID 3984 wrote to memory of 456	3984	chrome.exe	113
PID 3984 wrote to memory of 456	3984	chrome.exe	113
PID 3984 wrote to memory of 456	3984	chrome.exe	113
PID 3984 wrote to memory of 456	3984	chrome.exe	113
PID 3984 wrote to memory of 456	3984	chrome.exe	113
PID 3984 wrote to memory of 456	3984	chrome.exe	113
PID 3984 wrote to memory of 456	3984	chrome.exe	113
PID 3984 wrote to memory of 456	3984	chrome.exe	113
PID 3984 wrote to memory of 456	3984	chrome.exe	113
PID 3984 wrote to memory of 456	3984	chrome.exe	113
PID 3984 wrote to memory of 456	3984	chrome.exe	113
PID 3984 wrote to memory of 456	3984	chrome.exe	113
PID 3984 wrote to memory of 456	3984	chrome.exe	113
PID 3984 wrote to memory of 456	3984	chrome.exe	113
PID 3984 wrote to memory of 456	3984	chrome.exe	113
PID 3984 wrote to memory of 456	3984	chrome.exe	113
PID 3984 wrote to memory of 456	3984	chrome.exe	113
PID 3984 wrote to memory of 456	3984	chrome.exe	113
PID 3984 wrote to memory of 456	3984	chrome.exe	113
PID 3984 wrote to memory of 456	3984	chrome.exe	113
PID 3984 wrote to memory of 456	3984	chrome.exe	113
PID 3984 wrote to memory of 456	3984	chrome.exe	113
PID 3984 wrote to memory of 456	3984	chrome.exe	113
PID 3984 wrote to memory of 456	3984	chrome.exe	113
PID 3984 wrote to memory of 1804	3984	chrome.exe	114
PID 3984 wrote to memory of 1804	3984	chrome.exe	114
PID 3984 wrote to memory of 1984	3984	chrome.exe	115
PID 3984 wrote to memory of 1984	3984	chrome.exe	115
PID 3984 wrote to memory of 1984	3984	chrome.exe	115
PID 3984 wrote to memory of 1984	3984	chrome.exe	115
PID 3984 wrote to memory of 1984	3984	chrome.exe	115
PID 3984 wrote to memory of 1984	3984	chrome.exe	115
PID 3984 wrote to memory of 1984	3984	chrome.exe	115
PID 3984 wrote to memory of 1984	3984	chrome.exe	115
PID 3984 wrote to memory of 1984	3984	chrome.exe	115
PID 3984 wrote to memory of 1984	3984	chrome.exe	115
PID 3984 wrote to memory of 1984	3984	chrome.exe	115
PID 3984 wrote to memory of 1984	3984	chrome.exe	115
PID 3984 wrote to memory of 1984	3984	chrome.exe	115
PID 3984 wrote to memory of 1984	3984	chrome.exe	115
PID 3984 wrote to memory of 1984	3984	chrome.exe	115

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3268
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2932

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding E4705CEA62914CC98C2437BF36DFF179
  2⤵
  - Loads dropped DLL
  PID:2180
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D80DBB57A43AD5DDCE589282B78C1B10
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4976
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6ECF176A9F4ADB4537A5B180658BA8E5 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Windows\SysWOW64\wevtutil.exe
    "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3868
  - - C:\Windows\System32\wevtutil.exe
      "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man" /fromwow64
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2248

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffdf739cc40,0x7ffdf739cc4c,0x7ffdf739cc58
  2⤵
  PID:2572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1852,i,16193431532864575644,18377733247998197445,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1848 /prefetch:2
  2⤵
  PID:456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2116,i,16193431532864575644,18377733247998197445,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  PID:1804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2276,i,16193431532864575644,18377733247998197445,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2260 /prefetch:8
  2⤵
  PID:1984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,16193431532864575644,18377733247998197445,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:4140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3408,i,16193431532864575644,18377733247998197445,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4560,i,16193431532864575644,18377733247998197445,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3888 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4844,i,16193431532864575644,18377733247998197445,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4856 /prefetch:8
  2⤵
  PID:516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4888,i,16193431532864575644,18377733247998197445,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5084 /prefetch:8
  2⤵
  PID:4932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5092,i,16193431532864575644,18377733247998197445,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4776 /prefetch:1
  2⤵
  PID:216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3444,i,16193431532864575644,18377733247998197445,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:1704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3344,i,16193431532864575644,18377733247998197445,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3544,i,16193431532864575644,18377733247998197445,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4040 /prefetch:1
  2⤵
  PID:668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3252,i,16193431532864575644,18377733247998197445,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:3648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5324,i,16193431532864575644,18377733247998197445,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4804 /prefetch:1
  2⤵
  PID:1436

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdf72546f8,0x7ffdf7254708,0x7ffdf7254718
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,6510304370266885286,4916180881804372212,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,6510304370266885286,4916180881804372212,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,6510304370266885286,4916180881804372212,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  2⤵
  PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6510304370266885286,4916180881804372212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:1888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6510304370266885286,4916180881804372212,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6510304370266885286,4916180881804372212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:4244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6510304370266885286,4916180881804372212,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
  2⤵
  PID:732
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,6510304370266885286,4916180881804372212,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8
  2⤵
  PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,6510304370266885286,4916180881804372212,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6510304370266885286,4916180881804372212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:3440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6510304370266885286,4916180881804372212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6510304370266885286,4916180881804372212,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6510304370266885286,4916180881804372212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:1148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6510304370266885286,4916180881804372212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6510304370266885286,4916180881804372212,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6510304370266885286,4916180881804372212,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:2916

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3472

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e579dd9.rbs

Filesize
1.0MB

MD5
c17410a464603dc6bf8dfa83c8e4849c

SHA1
486aeeca61b56a19dd377cbe77deb37713f216f1

SHA256
ab84fffef2fa85d74d0d0dfb61e950b190439f60ac4dfa5f87f0f4a503b5462d

SHA512
492685d2f8b58ce2e5c878cab6dbe5f63144d57d35b188022c1d7dc051cf0318037999a1a0eb3c82182c813871d1599979ad67509969282086831fd2295669d6

Download Submit
C:\Program Files\nodejs\node_etw_provider.man

Filesize
10KB

MD5
1d51e18a7247f47245b0751f16119498

SHA1
78f5d95dd07c0fcee43c6d4feab12d802d194d95

SHA256
1975aa34c1050b8364491394cebf6e668e2337c3107712e3eeca311262c7c46f

SHA512
1eccbe4ddae3d941b36616a202e5bd1b21d8e181810430a1c390513060ae9e3f12cd23f5b66ae0630fd6496b3139e2cc313381b5506465040e5a7a3543444e76

Download Submit
C:\Program Files\nodejs\node_etw_provider.man

Filesize
8KB

MD5
d3bc164e23e694c644e0b1ce3e3f9910

SHA1
1849f8b1326111b5d4d93febc2bafb3856e601bb

SHA256
1185aaa5af804c6bc6925f5202e68bb2254016509847cd382a015907440d86b4

SHA512
91ebff613f4c35c625bb9b450726167fb77b035666ed635acf75ca992c4846d952655a2513b4ecb8ca6f19640d57555f2a4af3538b676c3bd2ea1094c4992854

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\LICENSE.md

Filesize
818B

MD5
2916d8b51a5cc0a350d64389bc07aef6

SHA1
c9d5ac416c1dd7945651bee712dbed4d158d09e1

SHA256
733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04

SHA512
508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\aggregate-error\license

Filesize
1KB

MD5
5ad87d95c13094fa67f25442ff521efd

SHA1
01f1438a98e1b796e05a74131e6bb9d66c9e8542

SHA256
67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec

SHA512
7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE

Filesize
754B

MD5
d2cf52aa43e18fdc87562d4c1303f46a

SHA1
58fb4a65fffb438630351e7cafd322579817e5e1

SHA256
45e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0

SHA512
54e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmhook\LICENSE.md

Filesize
771B

MD5
e9dc66f98e5f7ff720bf603fff36ebc5

SHA1
f2b428eead844c4bf39ca0d0cf61f6b10aeeb93b

SHA256
b49c8d25a8b57fa92b2902d09c4b8a809157ee32fc10d17b7dbb43c4a8038f79

SHA512
8027d65e1556511c884cb80d3c1b846fc9d321f3f83002664ad3805c4dee8e6b0eaf1db81c459153977bdbde9e760b0184ba6572f68d78c37bff617646bcfc3b

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmorg\LICENSE

Filesize
730B

MD5
072ac9ab0c4667f8f876becedfe10ee0

SHA1
0227492dcdc7fb8de1d14f9d3421c333230cf8fe

SHA256
2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013

SHA512
f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-pipeline\node_modules\minipass\package.json

Filesize
1KB

MD5
d116a360376e31950428ed26eae9ffd4

SHA1
192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b

SHA256
c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5

SHA512
5221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\LICENSE

Filesize
802B

MD5
d7c8fab641cd22d2cd30d2999cc77040

SHA1
d293601583b1454ad5415260e4378217d569538e

SHA256
04400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be

SHA512
278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\index.js

Filesize
16KB

MD5
bc0c0eeede037aa152345ab1f9774e92

SHA1
56e0f71900f0ef8294e46757ec14c0c11ed31d4e

SHA256
7a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5

SHA512
5f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\LICENSE

Filesize
780B

MD5
b020de8f88eacc104c21d6e6cacc636d

SHA1
20b35e641e3a5ea25f012e13d69fab37e3d68d6b

SHA256
3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706

SHA512
4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-all-reject-late\LICENSE

Filesize
763B

MD5
7428aa9f83c500c4a434f8848ee23851

SHA1
166b3e1c1b7d7cb7b070108876492529f546219f

SHA256
1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7

SHA512
c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\index.d.ts

Filesize
4KB

MD5
f0bd53316e08991d94586331f9c11d97

SHA1
f5a7a6dc0da46c3e077764cfb3e928c4a75d383e

SHA256
dd3eda3596af30eda88b4c6c2156d3af6e7fa221f39c46e492c5e9fb697e2fef

SHA512
fd6affbaed67d09cf45478f38e92b8ca6c27650a232cbbeaff36e4f7554fb731ae44cf732378641312e98221539e3d8fabe80a7814e4f425026202de44eb5839

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\treeverse\LICENSE

Filesize
771B

MD5
1d7c74bcd1904d125f6aff37749dc069

SHA1
21e6dfe0fffc2f3ec97594aa261929a3ea9cf2ab

SHA256
24b8d53712087b867030d18f2bd6d1a72c78f9fb4dee0ce025374da25e4443b9

SHA512
b5ac03addd29ba82fc05eea8d8d09e0f2fa9814d0dd619c2f7b209a67d95b538c3c2ff70408641ef3704f6a14e710e56f4bf57c2bb3f8957ba164f28ee591778

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.url

Filesize
168B

MD5
db7dbbc86e432573e54dedbcc02cb4a1

SHA1
cff9cfb98cff2d86b35dc680b405e8036bbbda47

SHA256
7cf8a9c96f9016132be81fd89f9573566b7dc70244a28eb59d573c2fdba1def9

SHA512
8f35f2e7dac250c66b209acecab836d3ecf244857b81bacebc214f0956ec108585990f23ff3f741678e371b0bee78dd50029d0af257a3bb6ab3b43df1e39f2ec

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js website.url

Filesize
133B

MD5
35b86e177ab52108bd9fed7425a9e34a

SHA1
76a1f47a10e3ab829f676838147875d75022c70c

SHA256
afaa6c6335bd3db79e46fb9d4d54d893cee9288e6bb4738294806a9751657319

SHA512
3c8047c94b789c8496af3c2502896cef2d348ee31618893b9b71244af667ec291dcb9b840f869eb984624660086db0c848d1846aa601893e6f9955e56da19f62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\6a8a74ad-1d47-495a-9d9f-eff25e391132.tmp

Filesize
15KB

MD5
234a5deae7f73da7b6a03b8d8b0b4db8

SHA1
85153f6c61105851c07624f6858121acbb8fde16

SHA256
e5624880776810c5dc9871b25c1a49da78d06045766b2241feda07746fa837c0

SHA512
e92007dc0a917559b00e1e7ff3cedc37264176151c9f8f959f5710877f51bf00732918f17f356cd46035fda5b8e5e176bedffb89879175f8a8318ecf3d91cc9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
520c4118d7af5de9acb71d452b328ab9

SHA1
143c7711a7f8a745cf8dfda03c1d11f980061de8

SHA256
de61a407a5302821fd748d8b3955c625b6c672941c9f1318975f1e25e8fa1516

SHA512
3786a509e77022c9d5b69ee2c99eb14a804dc987944d21a5e748eaee8ee5e74f652f7faff557a1921392899169d65aa63eaed1ddf96fd82dd8dcd5d108da4e10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000019

Filesize
32KB

MD5
be8d3235af81a452ce2c12f6fd041137

SHA1
78d1419de5447ee740c75aed08eb1b2443097fdb

SHA256
a97c727c2e4273d5db399fdd0cd3ffa299d4354fae08a63d70856b0263971d39

SHA512
51c99b9aeccb49252791505589c6a5d6cde5c9e9f2eb43e4c4f8df27534ccf646c62ef043c979802c71e44d0f305a59dbd8b7f1c3b015fc34880d9b2deb26c44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
f9bd5f8f4c8e118400f4aa3df39bbd4d

SHA1
756563a176227e34db34931e029ebdf2672f6ce5

SHA256
c5358e43e20be6105797b0416a083e5326548b08933bedcc2c197641be0e515d

SHA512
3107d1f4c935be30df5ba964037045738747bc4c5b7ab7293586caad566a456e520d7ccae84e35d4d3a7338f2bf8aba621147a17547ad0332fb275d9a2a81000

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
0710fe0fa1066ac0ab43f828c2592c57

SHA1
bf6d0db0b98a4f8e30d713870d6e898cf21ae149

SHA256
5aa8689923b1cfb18ff0d978358a0e2fe111bcf53300b4eda152745ca2078274

SHA512
544ce811f417740d6fe35416ee1ed24d7bd8232e143349624bf006da219d03ab1938e8f22fa5b76d1f2f73c0e73b8b393f141074b969ef11d031fa1c3844d09c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
8bdcd19bc0bcad5736d07c7960daa45c

SHA1
137cdd49919ef5a9c3376fd5c1d146b120cb932e

SHA256
22bede420be397ba23a854bd7ddc7a34c6b341395492adcd6042b8cc1e794bc2

SHA512
d90b1b056508a4b6ad5b6b0bfa5f17da11533796d5b3b9ac9b39b8ce9208fa09f7215e043281942f0e0a796796f8a82260fd74b02a179339228ebc4585d621ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
af031c7817259e383cc833550e610177

SHA1
f34838c6babe11de6b55e811fcd8e5fcee718360

SHA256
ec36f8ac65dfa72638df3879cd258a2e8333f1abd9264de2da49b78d8446a289

SHA512
9a6e30ca23663a8a1b5c1ac7a94505d02ed923768f1b5cb39b5b428d308cf824f688573061891bbc51d2535fe8ae1be718bf181c8f3baecb1d88390a992871ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
688B

MD5
f3bd5ca413e02de490edbc4ea2124379

SHA1
7c96dce63e2c4292a01a0ae4a377024f0f860f6b

SHA256
a233cace8bc059ed2c89be3035849ca41a5f45a30dec5159f356bd5569491a83

SHA512
918ba96fe849831d55e95eb7d687ac3afd4cf724072d421823b66b28e82c8abc5a09c79ff41dbfcd677a884a73687e4b1426003d7cda5ac0253c43294e3177f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6954ce0b41cfc011258dab060167dea2

SHA1
844594fa24370a69928d39acde36e7a59178d929

SHA256
1eaf432ae9005e51b700871d7b2edd6a3b500bdae2a92e1e74bcbc12cad29406

SHA512
7ff4b29eaf3277fa159b34ed48e39df45fa8dea11e662a57cf4c0efa862cee369f5acd22a5b9e5bb437b815da5cb2426a122ea5d61ba594a4cfbf5e3c78ef3d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4c5ac6793b34d32bda131e4467b658de

SHA1
02d16d015128fddd9115d377407c41f824c0b9bd

SHA256
53c1189c118d1b2187de07d28fa8ff00aac5e60ac36c1d4fd25b17bbb8853514

SHA512
fbab25039c793c7c71957e3f023c7436d68d37b5adc7117321fcc1bbf5fea197486b3511d010f0b5bb2f5c5f751633fc7f05d3eb8f55358167ad9182272ee24c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
256838c374a166869c10f3fcea78aa7d

SHA1
e2eab8e503172d77ee0db6a3b718b32ad7082485

SHA256
f280282fc00ee5d5f58a8c1fd14a559ea0b683ef778dff6486e66ee2aac5afc5

SHA512
f7f6d16a6fb6558a376569ad2841d99bfc9454dd22571bb88afa75e147e8fa262cc4c4bf23113cfced28dae51c74e32161e7f9960fe7a8206fafbd377af9550e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ecc71ac423040e09843bbc997bd3ffad

SHA1
310e4743c8c548090cf7719abc39e18994dab84b

SHA256
5674affafa6a00882cc5267cadcaeecffef68ad108d9ba78b3ee7f9d81174f12

SHA512
819bef527d47d4c93d02d8398ff9e92a0d6351528b322c77a6b19708ef7b6598bf4357317bf3eaa8e425df324d46c7c73711bc59fd917021ee1b5a743187ef98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
194KB

MD5
eb10623a438c1b1171d560f8430ed14c

SHA1
1f62b38bb51be1bc342ac4e8588273168118332f

SHA256
90ca4688f00087a3bf40e11cd5f77c72f5ea1ee4a8dafe59f0f44574a3b78fae

SHA512
d2bb6e45640b0d779fd66dee106a590583ece68ad0af09bf8797f6bea391a81c596427e3ab90fb555f58ca660c1d30e16cf4c3307a9b8ac678f6cd4d53f6c742

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
194KB

MD5
cff0d9164b7302595b7c3a2c40491d26

SHA1
ae19347b9991862202359b9bf17ea90e8841d0ee

SHA256
fde36f035880ad9c9f69d368c22769f737144559dcb0a19a8bccc9b9836e94ec

SHA512
c5cea726bf7a0db12e218f63ffa9a500fec76f9d606341356d91b8e653b03e7273aa3029364199748211a145ca3921f312b78cd475b4f0b44888b6d0717068f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
194KB

MD5
4c0d27b171bc684b3edfcc645215a6c0

SHA1
ccdd568f43bd948047757bb7d07650a855dbccb1

SHA256
d3dbaf98f6e64e6ca17141a9cb17dfee9eea3e969febba0d6cbac3c3a89d4dd5

SHA512
29e1868c531a81c562b55dd8b0617dedb4222bc0f32aeb0cc8f7c320ad222222e3fa450b85ac2c9655a806c639f3d53b864c8878d7985fc3fbf0ca915e116eca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e3fc58a8fb86c93d19e1500b873ef6f

SHA1
c6aae5f4e26f5570db5e14bba8d5061867a33b56

SHA256
828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

SHA512
e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
caf228aff907762aa1a38cb83b8e4663

SHA1
e7365764c65c73fafde3a35271262d54f95be36c

SHA256
fba06c18a2d6177e8dabccb8c9fd95d764400310ba88b6fae7f9c6ad054c3123

SHA512
5406536f2f67b6137c847fb053e9bbf4eaa5f9df879509aadaff1cb77c4051b36b22b3a87e28e038c3c677f313affdfc87fe7b7c7e8673ad516043b8b8b9bda1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
324B

MD5
3906af7e09d977a6fec877ba9abd05e4

SHA1
872b53e3a7d76bf0cb73adbd5293b91ac8116a5e

SHA256
fdf0d80afb14370be0b626bf7ea655d2f0e9212565f4eaaf9044c16aa61eb914

SHA512
d583929a73e8f4fb0c08580ee722004250238b3e589b0beaca418cf88abfec4148e96c5462414ad840c4c6923d811486a289c1cdfa42d91ce2ba1950b69001a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8bd6f13d4bf3993c6be26a6bceab53cc

SHA1
bc731287cd861dfaa8ef66054b5b623eb0082abe

SHA256
c9df0addd1310922d7c0677429489b068ce42a9b5f3e508554d46b8e1a031738

SHA512
c1db652fc1009a698535a1c33eb8843b7a4b14f270dc07e53dc5d5ff999cd3da3af15f0deafc5c78cff77b6a44eae71bbcb97a986b00c1516d7895cf9c58aecf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
df23dfef7cc3288f633434a924e8880c

SHA1
1e548a6c08a34f1ce8dd5bdc12c87117cec88a81

SHA256
7dc638890e031430e2c8b77e2f47c2b952830c29ea2ec172520f43bfea3d137a

SHA512
2839f59af4c2494047c36003c2558b46cb03da5d2feb0d77e5873fcd4360fcb9b63e0b8222a1668e9bae01c0d0f4c9cab686a257572aa5230c2100047b4e3bd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a644d5b5b26f4155c9253ad4f0e274cc

SHA1
9a018f827bb1d38407aea01c6a8b6198b79c4f7b

SHA256
f22efb86429fa818f316361a4aedcfec604353550ec8a6060eb06ab066b9d3ae

SHA512
8d6738c115e2bba2100849974e686058c34606584843420673b26b67db6100f18e33b25727c017de376723b13cd3806388759c56650a651a0608cce28611c701

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
414b6e769e505799761ed8e4edaa6093

SHA1
883ecff65730fe5e99077f1a44410488a8b9b595

SHA256
c28615073532a2a2576d9899133bbb36ba19b5a41c0e7c98d67da6b4202a865a

SHA512
741843974a64173b079b7daf749fd8af651fee4bc8919c20a1324ac7a27d40d3bfbfe27a4d0265ac5703ce8c86843042c7a84088cce6171b02290539a1bbf907

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
957cf2b719ff2fafddf33d382bcbaadf

SHA1
5d77911ef8007b9e82f6a7704151824152910b3c

SHA256
bcb7fe514e13a9cfaee3d871d3bf8c1e92c20f57af26cd752a15a3883f53e032

SHA512
93fc392b0a00d2f4af870dbf5df700dd577da598a68a1835d5dc20cf20b0da4545df9d47cfff5c2aeaba41154b4f7de5b024ce562eac63c2161a4d194d01f4cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi

Filesize
30.1MB

MD5
0e4e9aa41d24221b29b19ba96c1a64d0

SHA1
231ade3d5a586c0eb4441c8dbfe9007dc26b2872

SHA256
5bfb6f3ab89e198539408f7e0e8ec0b0bd5efe8898573ec05b381228efb45a5d

SHA512
e6f27aecead72dffecbeaad46ebdf4b1fd3dbcddd1f6076ba183b654e4e32d30f7af1236bf2e04459186e993356fe2041840671be73612c8afed985c2c608913

Download Submit
C:\Windows\Installer\MSIA2C8.tmp

Filesize
122KB

MD5
9fe9b0ecaea0324ad99036a91db03ebb

SHA1
144068c64ec06fc08eadfcca0a014a44b95bb908

SHA256
e2cce64916e405976a1d0c522b44527d12b1cba19de25da62121cf5f41d184c9

SHA512
906641a73d69a841218ae90b83714a05af3537eec8ad1d761f58ac365cf005bdd74ad88f71c4437aaa126ac74fa46bcad424d17c746ab197eec2caa1bd838176

Download Submit
C:\Windows\Installer\MSIA318.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\MSIA81B.tmp

Filesize
297KB

MD5
7a86ce1a899262dd3c1df656bff3fb2c

SHA1
33dcbe66c0dc0a16bab852ed0a6ef71c2d9e0541

SHA256
b8f2d0909d7c2934285a8be010d37c0609c7854a36562cbfcbce547f4f4c7b0c

SHA512
421e8195c47381de4b3125ab6719eec9be7acd2c97ce9247f4b70a309d32377917c9686b245864e914448fe53df2694d5ee5f327838d029989ba7acafda302ec

Download Submit
memory/3268-2309-0x00007FFDF7A33000-0x00007FFDF7A35000-memory.dmp

Filesize
8KB

Download
memory/3268-0-0x00007FFDF7A33000-0x00007FFDF7A35000-memory.dmp

Filesize
8KB

Download
memory/3268-2-0x00007FFDF7A30000-0x00007FFDF84F1000-memory.dmp

Filesize
10.8MB

Download
memory/3268-4-0x000001A953640000-0x000001A953662000-memory.dmp

Filesize
136KB

Download
memory/3268-1-0x000001A951980000-0x000001A951A4E000-memory.dmp

Filesize
824KB

Download
memory/3268-2382-0x000001A953840000-0x000001A95384A000-memory.dmp

Filesize
40KB

Download
memory/3268-2383-0x00007FFDF7A30000-0x00007FFDF84F1000-memory.dmp

Filesize
10.8MB

Download
memory/3268-2385-0x000001A96C080000-0x000001A96C092000-memory.dmp

Filesize
72KB

Download
memory/3268-2789-0x00007FFDF7A30000-0x00007FFDF84F1000-memory.dmp

Filesize
10.8MB

Download