6bb9ad960bcc9010db1b9918369bdfc4558f19287b5b6562079c610a28320178

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Unconfirmed 3504.exe
Size

796KB
MD5

76639ab92661f5c384302899934051ab
SHA1

9b33828f8ad3a686ff02b1a4569b8ae38128caed
SHA256

6bb9ad960bcc9010db1b9918369bdfc4558f19287b5b6562079c610a28320178
SHA512

928e4374c087070f8a6786f9082f05a866751ea877edf9afa23f6941dfc4d6762e1688bbb135788d6286ec324fa117fc60b46fed2f6e3a4ab059465a00f2ebee
SSDEEP

12288:THeLH6iTPSE54sgweI9oaQJj3r+piq+77xOZ+eMm:THeLHdTSEeyoaQJj3Spiq+77xd

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Unconfirmed 3504.exe

Loads dropped DLL 11 IoCs

pid	Process
5224	MsiExec.exe
5224	MsiExec.exe
5304	MsiExec.exe
5304	MsiExec.exe
5304	MsiExec.exe
5304	MsiExec.exe
5304	MsiExec.exe
6128	MsiExec.exe
6128	MsiExec.exe
6128	MsiExec.exe
5224	MsiExec.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
63	3432	msiexec.exe
69	3432	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
36	pastebin.com
37	pastebin.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\readable-stream\lib\internal\streams\transform.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\has\src\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-team.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\bin\lib\timers.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\is-fullwidth-code-point\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\defaults\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@colors\colors\lib\extendStringPrototype.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\isexe\mode.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minimatch\dist\mjs\index.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\make-fetch-happen\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\types\sigstore\__generated__\sigstore_rekor.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-publish.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\cacache\lib\content\path.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\util\dsse.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-config.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\event-target-shim\dist\event-target-shim.umd.js.map	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\move-file\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\models\role.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\config.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\lib\header.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-explore.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\inherits\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmdiff\lib\tarball.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\event-target-shim\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\infer-owner\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\util\oidc.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\place-dep.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\just-diff\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\dist\selectors\selector.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@tootallnate\once\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\parse-conflict-json\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\abort-controller\dist\abort-controller.umd.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\metavuln-calculator\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-edit.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\gauge\lib\spin.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\chownr\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\fs\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\text-table\example\table.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\event-target-shim\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\is-lambda\test.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\err-code\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\metavuln-calculator\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\generator\ninja_test.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\tlog\format.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\store\map.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\pylib\gyp\input.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\ssri\LICENSE.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\using-npm\dependency-selectors.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\spdx-license-ids\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmversion\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\ssri\LICENSE.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\parse-conflict-json\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\pacote\lib\util\tar-create-options.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\fastest-levenshtein\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\glob\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\tracker.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\bin\lib\logging.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\diff\lib\patch\apply.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\corepack\shims\npm.cmd	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\ssri\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\diff\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\x509\asn1\error.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man7\developers.7	msiexec.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIA7.tmp	msiexec.exe
File created	C:\Windows\Installer\e57f977.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5A8A.tmp	msiexec.exe
File created	C:\Windows\Installer\e57f973.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57f973.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI58C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA22.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1B4A.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI572C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI579A.tmp	msiexec.exe
File created	C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5970.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI116.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9E2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1B1B.tmp	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 38 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\NodeRuntime	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\ProductIcon = "C:\\Windows\\Installer\\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\\NodeIcon"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\NodeEtwSupport = "NodeRuntime"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\ProductName = "Node.js"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox"	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2718105630-359604950-2820636825-1000\{4F5ED296-FA6B-41A7-8237-E3E9B32C2749}	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\DocumentationShortcuts	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPathNode = "EnvironmentPath"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\PackageCode = "347C7A52EDBDC9A498427C0BC7ABB536"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Media	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPathNpmModules = "EnvironmentPath"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\corepack	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Version = "303038464"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\npm	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPath	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\PackageName = "node-v18.16.0-x64.msi"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2468	Unconfirmed 3504.exe
2468	Unconfirmed 3504.exe
2296	msedge.exe
2296	msedge.exe
3676	msedge.exe
3676	msedge.exe
2308	identity_helper.exe
2308	identity_helper.exe
3432	msiexec.exe
3432	msiexec.exe
6032	msedge.exe
6032	msedge.exe
4468	msedge.exe
6012	msedge.exe
6012	msedge.exe
6012	msedge.exe
6012	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 27 IoCs

pid	Process
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2468	Unconfirmed 3504.exe
Token: SeShutdownPrivilege	1860	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1860	msiexec.exe
Token: SeSecurityPrivilege	3432	msiexec.exe
Token: SeCreateTokenPrivilege	1860	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1860	msiexec.exe
Token: SeLockMemoryPrivilege	1860	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1860	msiexec.exe
Token: SeMachineAccountPrivilege	1860	msiexec.exe
Token: SeTcbPrivilege	1860	msiexec.exe
Token: SeSecurityPrivilege	1860	msiexec.exe
Token: SeTakeOwnershipPrivilege	1860	msiexec.exe
Token: SeLoadDriverPrivilege	1860	msiexec.exe
Token: SeSystemProfilePrivilege	1860	msiexec.exe
Token: SeSystemtimePrivilege	1860	msiexec.exe
Token: SeProfSingleProcessPrivilege	1860	msiexec.exe
Token: SeIncBasePriorityPrivilege	1860	msiexec.exe
Token: SeCreatePagefilePrivilege	1860	msiexec.exe
Token: SeCreatePermanentPrivilege	1860	msiexec.exe
Token: SeBackupPrivilege	1860	msiexec.exe
Token: SeRestorePrivilege	1860	msiexec.exe
Token: SeShutdownPrivilege	1860	msiexec.exe
Token: SeDebugPrivilege	1860	msiexec.exe
Token: SeAuditPrivilege	1860	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1860	msiexec.exe
Token: SeChangeNotifyPrivilege	1860	msiexec.exe
Token: SeRemoteShutdownPrivilege	1860	msiexec.exe
Token: SeUndockPrivilege	1860	msiexec.exe
Token: SeSyncAgentPrivilege	1860	msiexec.exe
Token: SeEnableDelegationPrivilege	1860	msiexec.exe
Token: SeManageVolumePrivilege	1860	msiexec.exe
Token: SeImpersonatePrivilege	1860	msiexec.exe
Token: SeCreateGlobalPrivilege	1860	msiexec.exe
Token: SeRestorePrivilege	3432	msiexec.exe
Token: SeTakeOwnershipPrivilege	3432	msiexec.exe
Token: SeRestorePrivilege	3432	msiexec.exe
Token: SeTakeOwnershipPrivilege	3432	msiexec.exe
Token: SeRestorePrivilege	3432	msiexec.exe
Token: SeTakeOwnershipPrivilege	3432	msiexec.exe
Token: SeRestorePrivilege	3432	msiexec.exe
Token: SeTakeOwnershipPrivilege	3432	msiexec.exe
Token: SeRestorePrivilege	3432	msiexec.exe
Token: SeTakeOwnershipPrivilege	3432	msiexec.exe
Token: SeRestorePrivilege	3432	msiexec.exe
Token: SeTakeOwnershipPrivilege	3432	msiexec.exe
Token: SeRestorePrivilege	3432	msiexec.exe
Token: SeTakeOwnershipPrivilege	3432	msiexec.exe
Token: SeRestorePrivilege	3432	msiexec.exe
Token: SeTakeOwnershipPrivilege	3432	msiexec.exe
Token: SeRestorePrivilege	3432	msiexec.exe
Token: SeTakeOwnershipPrivilege	3432	msiexec.exe
Token: 33	5856	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5856	AUDIODG.EXE
Token: SeRestorePrivilege	3432	msiexec.exe
Token: SeTakeOwnershipPrivilege	3432	msiexec.exe
Token: SeRestorePrivilege	3432	msiexec.exe
Token: SeTakeOwnershipPrivilege	3432	msiexec.exe
Token: SeSecurityPrivilege	4676	wevtutil.exe
Token: SeBackupPrivilege	4676	wevtutil.exe
Token: SeSecurityPrivilege	3916	wevtutil.exe
Token: SeBackupPrivilege	3916	wevtutil.exe
Token: SeRestorePrivilege	3432	msiexec.exe
Token: SeTakeOwnershipPrivilege	3432	msiexec.exe
Token: SeRestorePrivilege	3432	msiexec.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3676 wrote to memory of 3808	3676	msedge.exe	103
PID 3676 wrote to memory of 3808	3676	msedge.exe	103
PID 3676 wrote to memory of 5088	3676	msedge.exe	104
PID 3676 wrote to memory of 5088	3676	msedge.exe	104
PID 3676 wrote to memory of 5088	3676	msedge.exe	104
PID 3676 wrote to memory of 5088	3676	msedge.exe	104
PID 3676 wrote to memory of 5088	3676	msedge.exe	104
PID 3676 wrote to memory of 5088	3676	msedge.exe	104
PID 3676 wrote to memory of 5088	3676	msedge.exe	104
PID 3676 wrote to memory of 5088	3676	msedge.exe	104
PID 3676 wrote to memory of 5088	3676	msedge.exe	104
PID 3676 wrote to memory of 5088	3676	msedge.exe	104
PID 3676 wrote to memory of 5088	3676	msedge.exe	104
PID 3676 wrote to memory of 5088	3676	msedge.exe	104
PID 3676 wrote to memory of 5088	3676	msedge.exe	104
PID 3676 wrote to memory of 5088	3676	msedge.exe	104
PID 3676 wrote to memory of 5088	3676	msedge.exe	104
PID 3676 wrote to memory of 5088	3676	msedge.exe	104
PID 3676 wrote to memory of 5088	3676	msedge.exe	104
PID 3676 wrote to memory of 5088	3676	msedge.exe	104
PID 3676 wrote to memory of 5088	3676	msedge.exe	104
PID 3676 wrote to memory of 5088	3676	msedge.exe	104
PID 3676 wrote to memory of 5088	3676	msedge.exe	104
PID 3676 wrote to memory of 5088	3676	msedge.exe	104
PID 3676 wrote to memory of 5088	3676	msedge.exe	104
PID 3676 wrote to memory of 5088	3676	msedge.exe	104
PID 3676 wrote to memory of 5088	3676	msedge.exe	104
PID 3676 wrote to memory of 5088	3676	msedge.exe	104
PID 3676 wrote to memory of 5088	3676	msedge.exe	104
PID 3676 wrote to memory of 5088	3676	msedge.exe	104
PID 3676 wrote to memory of 5088	3676	msedge.exe	104
PID 3676 wrote to memory of 5088	3676	msedge.exe	104
PID 3676 wrote to memory of 5088	3676	msedge.exe	104
PID 3676 wrote to memory of 5088	3676	msedge.exe	104
PID 3676 wrote to memory of 5088	3676	msedge.exe	104
PID 3676 wrote to memory of 5088	3676	msedge.exe	104
PID 3676 wrote to memory of 5088	3676	msedge.exe	104
PID 3676 wrote to memory of 5088	3676	msedge.exe	104
PID 3676 wrote to memory of 5088	3676	msedge.exe	104
PID 3676 wrote to memory of 5088	3676	msedge.exe	104
PID 3676 wrote to memory of 5088	3676	msedge.exe	104
PID 3676 wrote to memory of 5088	3676	msedge.exe	104
PID 3676 wrote to memory of 2296	3676	msedge.exe	105
PID 3676 wrote to memory of 2296	3676	msedge.exe	105
PID 3676 wrote to memory of 3864	3676	msedge.exe	106
PID 3676 wrote to memory of 3864	3676	msedge.exe	106
PID 3676 wrote to memory of 3864	3676	msedge.exe	106
PID 3676 wrote to memory of 3864	3676	msedge.exe	106
PID 3676 wrote to memory of 3864	3676	msedge.exe	106
PID 3676 wrote to memory of 3864	3676	msedge.exe	106
PID 3676 wrote to memory of 3864	3676	msedge.exe	106
PID 3676 wrote to memory of 3864	3676	msedge.exe	106
PID 3676 wrote to memory of 3864	3676	msedge.exe	106
PID 3676 wrote to memory of 3864	3676	msedge.exe	106
PID 3676 wrote to memory of 3864	3676	msedge.exe	106
PID 3676 wrote to memory of 3864	3676	msedge.exe	106
PID 3676 wrote to memory of 3864	3676	msedge.exe	106
PID 3676 wrote to memory of 3864	3676	msedge.exe	106
PID 3676 wrote to memory of 3864	3676	msedge.exe	106
PID 3676 wrote to memory of 3864	3676	msedge.exe	106
PID 3676 wrote to memory of 3864	3676	msedge.exe	106
PID 3676 wrote to memory of 3864	3676	msedge.exe	106
PID 3676 wrote to memory of 3864	3676	msedge.exe	106
PID 3676 wrote to memory of 3864	3676	msedge.exe	106

C:\Users\Admin\AppData\Local\Temp\Unconfirmed 3504.exe
"C:\Users\Admin\AppData\Local\Temp\Unconfirmed 3504.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2468
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbc30b46f8,0x7ffbc30b4708,0x7ffbc30b4718
  2⤵
  PID:3808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,9942818590644167782,16511253974237023583,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,9942818590644167782,16511253974237023583,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,9942818590644167782,16511253974237023583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
  2⤵
  PID:3864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9942818590644167782,16511253974237023583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9942818590644167782,16511253974237023583,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9942818590644167782,16511253974237023583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9942818590644167782,16511253974237023583,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:972
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,9942818590644167782,16511253974237023583,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,9942818590644167782,16511253974237023583,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9942818590644167782,16511253974237023583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
  2⤵
  PID:5360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9942818590644167782,16511253974237023583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:5780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2088,9942818590644167782,16511253974237023583,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5268 /prefetch:8
  2⤵
  PID:6024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2088,9942818590644167782,16511253974237023583,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5608 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:6032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9942818590644167782,16511253974237023583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9942818590644167782,16511253974237023583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:5488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9942818590644167782,16511253974237023583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:5628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9942818590644167782,16511253974237023583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:5720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9942818590644167782,16511253974237023583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9942818590644167782,16511253974237023583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
  2⤵
  PID:5804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9942818590644167782,16511253974237023583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
  2⤵
  PID:5988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9942818590644167782,16511253974237023583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1
  2⤵
  PID:5344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9942818590644167782,16511253974237023583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:5412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9942818590644167782,16511253974237023583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:5492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9942818590644167782,16511253974237023583,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
  2⤵
  PID:6096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9942818590644167782,16511253974237023583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1
  2⤵
  PID:5816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9942818590644167782,16511253974237023583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6928 /prefetch:1
  2⤵
  PID:5716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9942818590644167782,16511253974237023583,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
  2⤵
  PID:5500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9942818590644167782,16511253974237023583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9942818590644167782,16511253974237023583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:1
  2⤵
  PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9942818590644167782,16511253974237023583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6416 /prefetch:1
  2⤵
  PID:960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2088,9942818590644167782,16511253974237023583,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=6920 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9942818590644167782,16511253974237023583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9942818590644167782,16511253974237023583,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6880 /prefetch:1
  2⤵
  PID:5496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9942818590644167782,16511253974237023583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7112 /prefetch:1
  2⤵
  PID:5672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,9942818590644167782,16511253974237023583,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
  2⤵
  PID:5888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,9942818590644167782,16511253974237023583,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5508 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5052

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3432
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 9F27779E5CA2FD12A0ACACA8734B8F69
  2⤵
  - Loads dropped DLL
  PID:5224
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D7EEB2A1C4D7F043BC379A685179ADEB
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5304
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding AE5D6E7763A3DEDB1A022CFA6E53E7A1 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:6128
- - C:\Windows\SysWOW64\wevtutil.exe
    "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4676
  - - C:\Windows\System32\wevtutil.exe
      "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man" /fromwow64
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3916

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x520 0x52c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5856

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6132

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57f976.rbs

Filesize
1.0MB

MD5
3a6108b89bf540443c60e6d832bcecb9

SHA1
09aa9cb20013957739930ef716a2ecea8e083765

SHA256
d8b4cd617ecbaf3eeb47b0fdc808f6fae24d78a22a8c8d455c69d0e4d31f32b3

SHA512
23c1a9dc7662e92f053e99b3c397316b81d78dbf134412687199cc0c4bbf9b5c2533227722a7d8d5d048535b794be1612c83f5eb709c04792da9f7d0e35f3605

Download Submit
C:\Program Files\nodejs\node_etw_provider.man

Filesize
10KB

MD5
1d51e18a7247f47245b0751f16119498

SHA1
78f5d95dd07c0fcee43c6d4feab12d802d194d95

SHA256
1975aa34c1050b8364491394cebf6e668e2337c3107712e3eeca311262c7c46f

SHA512
1eccbe4ddae3d941b36616a202e5bd1b21d8e181810430a1c390513060ae9e3f12cd23f5b66ae0630fd6496b3139e2cc313381b5506465040e5a7a3543444e76

Download Submit
C:\Program Files\nodejs\node_etw_provider.man

Filesize
8KB

MD5
d3bc164e23e694c644e0b1ce3e3f9910

SHA1
1849f8b1326111b5d4d93febc2bafb3856e601bb

SHA256
1185aaa5af804c6bc6925f5202e68bb2254016509847cd382a015907440d86b4

SHA512
91ebff613f4c35c625bb9b450726167fb77b035666ed635acf75ca992c4846d952655a2513b4ecb8ca6f19640d57555f2a4af3538b676c3bd2ea1094c4992854

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\LICENSE.md

Filesize
818B

MD5
2916d8b51a5cc0a350d64389bc07aef6

SHA1
c9d5ac416c1dd7945651bee712dbed4d158d09e1

SHA256
733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04

SHA512
508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\aggregate-error\license

Filesize
1KB

MD5
5ad87d95c13094fa67f25442ff521efd

SHA1
01f1438a98e1b796e05a74131e6bb9d66c9e8542

SHA256
67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec

SHA512
7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE

Filesize
754B

MD5
d2cf52aa43e18fdc87562d4c1303f46a

SHA1
58fb4a65fffb438630351e7cafd322579817e5e1

SHA256
45e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0

SHA512
54e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmhook\LICENSE.md

Filesize
771B

MD5
e9dc66f98e5f7ff720bf603fff36ebc5

SHA1
f2b428eead844c4bf39ca0d0cf61f6b10aeeb93b

SHA256
b49c8d25a8b57fa92b2902d09c4b8a809157ee32fc10d17b7dbb43c4a8038f79

SHA512
8027d65e1556511c884cb80d3c1b846fc9d321f3f83002664ad3805c4dee8e6b0eaf1db81c459153977bdbde9e760b0184ba6572f68d78c37bff617646bcfc3b

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmorg\LICENSE

Filesize
730B

MD5
072ac9ab0c4667f8f876becedfe10ee0

SHA1
0227492dcdc7fb8de1d14f9d3421c333230cf8fe

SHA256
2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013

SHA512
f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-pipeline\node_modules\minipass\package.json

Filesize
1KB

MD5
d116a360376e31950428ed26eae9ffd4

SHA1
192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b

SHA256
c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5

SHA512
5221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\LICENSE

Filesize
802B

MD5
d7c8fab641cd22d2cd30d2999cc77040

SHA1
d293601583b1454ad5415260e4378217d569538e

SHA256
04400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be

SHA512
278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\index.js

Filesize
16KB

MD5
bc0c0eeede037aa152345ab1f9774e92

SHA1
56e0f71900f0ef8294e46757ec14c0c11ed31d4e

SHA256
7a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5

SHA512
5f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\LICENSE

Filesize
780B

MD5
b020de8f88eacc104c21d6e6cacc636d

SHA1
20b35e641e3a5ea25f012e13d69fab37e3d68d6b

SHA256
3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706

SHA512
4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-all-reject-late\LICENSE

Filesize
763B

MD5
7428aa9f83c500c4a434f8848ee23851

SHA1
166b3e1c1b7d7cb7b070108876492529f546219f

SHA256
1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7

SHA512
c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\index.d.ts

Filesize
4KB

MD5
f0bd53316e08991d94586331f9c11d97

SHA1
f5a7a6dc0da46c3e077764cfb3e928c4a75d383e

SHA256
dd3eda3596af30eda88b4c6c2156d3af6e7fa221f39c46e492c5e9fb697e2fef

SHA512
fd6affbaed67d09cf45478f38e92b8ca6c27650a232cbbeaff36e4f7554fb731ae44cf732378641312e98221539e3d8fabe80a7814e4f425026202de44eb5839

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\treeverse\LICENSE

Filesize
771B

MD5
1d7c74bcd1904d125f6aff37749dc069

SHA1
21e6dfe0fffc2f3ec97594aa261929a3ea9cf2ab

SHA256
24b8d53712087b867030d18f2bd6d1a72c78f9fb4dee0ce025374da25e4443b9

SHA512
b5ac03addd29ba82fc05eea8d8d09e0f2fa9814d0dd619c2f7b209a67d95b538c3c2ff70408641ef3704f6a14e710e56f4bf57c2bb3f8957ba164f28ee591778

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.url

Filesize
168B

MD5
db7dbbc86e432573e54dedbcc02cb4a1

SHA1
cff9cfb98cff2d86b35dc680b405e8036bbbda47

SHA256
7cf8a9c96f9016132be81fd89f9573566b7dc70244a28eb59d573c2fdba1def9

SHA512
8f35f2e7dac250c66b209acecab836d3ecf244857b81bacebc214f0956ec108585990f23ff3f741678e371b0bee78dd50029d0af257a3bb6ab3b43df1e39f2ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
38f59a47b777f2fc52088e96ffb2baaf

SHA1
267224482588b41a96d813f6d9e9d924867062db

SHA256
13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b

SHA512
4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ab8ce148cb7d44f709fb1c460d03e1b0

SHA1
44d15744015155f3e74580c93317e12d2cc0f859

SHA256
014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff

SHA512
f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000f3

Filesize
51KB

MD5
588ee33c26fe83cb97ca65e3c66b2e87

SHA1
842429b803132c3e7827af42fe4dc7a66e736b37

SHA256
bbc4044fe46acd7ab69d8a4e3db46e7e3ca713b05fa8ecb096ebe9e133bba760

SHA512
6f7500b12fc7a9f57c00711af2bc8a7c62973f9a8e37012b88a0726d06063add02077420bc280e7163302d5f3a005ac8796aee97042c40954144d84c26adbd04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
db6bf9e5439aeac72857b991da379014

SHA1
08cca990e920e6e73bfcf1c85b34cec9de1f5d19

SHA256
ed8223c4fd8a78dcedef51c8a5cba54e59e028a854235bcb8cdb9f546790b8b6

SHA512
19a3b0a45870633f410ff4f072096c476c2fa86f69bfe269655dcd77a6e4a1b52f1b7959ba81f53e255ea5998e974db4e562e49d874f5de1de2611caeeb1cf1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
da402a4a28362edd0e2dfde0f8323355

SHA1
2ef0ce809c68b39eca22e615068e0c5cf1bc9013

SHA256
1dd8a08e110be50e52ee522781196a175ba0ee32468536092876d59f49036fda

SHA512
b98cdcc7e82bdab10cd937590340b53335cfb7e8f67112513032a5eeb30483bf55b66c4db163330004b186e80580983a00477259e97ee709a1f1a53d16ce242a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
37c06eb1c9779e5d8d3a36722ce461f1

SHA1
3024e68c974830163b0df0b3a910edb0a561e39d

SHA256
a3ef069d5f36ebc6434d5d11194666036424cac07693d89357d0de2ab16db7c2

SHA512
89c97c0e5f4131448c18aaa58aab65ea55dcc4889bbf6fd208df08a09d11f11c32202f06b50ff74771c8032ea4d3e4cb421a9800ec7a60b508b754d17b8d9dce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bfac5c2308e16347e712d4da34ff6ab7

SHA1
890ef37c8306f07943fe20a9072c405f850cb1db

SHA256
29112d90c33eaf5e8ae2704005f1f5304d91a48be7658508bec9dae143b9dcba

SHA512
787fc55e8652ab385d43d6854991fccfa61315f7b36e9dc730d3d9d162481b53e33b9f28f8e49b4df2b470f67bdf87070c80c940ae1ce531c8338480b4174b74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0da472a1ce53ab043aea077eac157973

SHA1
d5a7cf02315bae37f5344b1e35bb40f1e049ede7

SHA256
a534b42184348f7714043f42c2608dfd1f1fb48209e5363a8f37fe5aefe88d5f

SHA512
5f59e86ae694a9793c71246c72937a7d1df8e413614f9230d287daa7739b3ba1bdecf23343956f225ea1c524030b7edf209af5511b72812d5ba58fbf5710a5c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e49e18a2f11371a8e872f86654e7f1b2

SHA1
f29a14105abf8e5e2edd3258df90f673d551cb43

SHA256
68c65821ff1f7417483012936bf2b8927d747f523742ece6039c2e7f38accd82

SHA512
d9be443530b8cf04737b05f03cf06d95fb455e433143b8666026f5e2fab75761141f789c504cacbbd0bd029918020844a82726e78f328c87b4e41185d552e934

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
900392d82c8ede39950761d3a6ef4557

SHA1
e087e661fb4d790b5f77970c628721c0a3f3b3d9

SHA256
aad474c61fd9eac405d8a4a525613c1cf195a05440dd21c43af07239d7637c88

SHA512
039352c80538f493ce0a326ed2bff0e5f3cdfcd1a035318cb7724cab18a04dd2b0f2e3589ec65290ef0a6f50f02d4457046663cdc3a4d7626c2f45874c382cbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0848b07443d0bdddd980fd5925f07385

SHA1
77dde9ecd8b60414db90dd122091b6d30cb73f51

SHA256
f70f35aa69673271fd01b952bfbd7317cc290357634b3eff7c529a91189655b7

SHA512
88a738d6cd3c3b875edc109fe571fb1c4e6ee59b6f1145f0f60810a4d09c3a2a4e2289bec12f7ff7c9b69d6e1da148513a788cf7503042f0f8ea44f898c2c924

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bebff236e5090a3ef0dae8eb93e96f1b

SHA1
a4729b16f7d473772dc8078b47a299463f4c0b9c

SHA256
c1009d34b14e0a67e52528e434a66ac1af842bf54f787cb86d0860132506a53a

SHA512
8c6b1e9b3462197dbdc19424cd55911fae910b0aeb0b10ff95bf6a6b6349e0deedcedd39847fd86241fa00966734934019488afcdb11c455537af43b5a094c3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0b4c03143ed7d0cf260684b4349a82e1

SHA1
8ade9f1d41f952eb9bb408413fdcd1dc21f706ce

SHA256
87585591cde324eee5cf1e07e0cb6e6d557b13ee53578298c076e9d4861593fb

SHA512
e11556632ab6e48282c6c1f51e5ee1a23d712f6f716aa4655b470d1a3175642ebe7ddd9e60b03fea588834deaa2ee8138ef57b9a9b66b24775fa4ba3b2c458fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6a658ce1cc5c7ebae262a90706c01ecc

SHA1
c663af3594bd7dabe1ab618d7eb55771c83837b8

SHA256
5ccff6cc5c8035e66fb3af813a98d1380f62e7666b7bb3284d69f7d96f84dd15

SHA512
c3390aacd397c4bc49b8bbbde3d8a84b64065ae4643a78edf76d94e432df96489eee9111b26ad14a9b8b199b1e40de4f011d29da46c4d5cc4b3278b4fea84632

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
b2c18516a7243d574f8bd402f909c209

SHA1
6a16e6f0ff062d67b4b43e0068f3abb6a75932ac

SHA256
bc41cec65bd34cb04a91d652cb52527065ecd25913ae9ca19ebc99e313c0dbf5

SHA512
c82de62637e159204e5883ce2a2bd1617cc03de62ec6d44cb9f58ec6f54baf146072e64dd20f9c305d5f0837a669f2dbd5e565472aa8fc686123376855f7110e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
90e08465a43df91d5e6ebc1e22ef26b1

SHA1
3b80cc171c9c9d86f1fe8681328800fa13f5b763

SHA256
be0b36d81b59012c6cfff5d551f5194fe500869cddf3ed0474f85a978bb80614

SHA512
4b7e42c10aeee483b39018462f007222eb044ead0d61d56c96794aa333704a54ea53c4e995fb6126916e14409de93a1a7c5e612311cf912b601b54573103b041

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
69f942009eb790bd1606aa31c17de3e8

SHA1
1c936b371890c5216cb0a65d2e0ad558d135fe66

SHA256
38604f644b9c7ac5046fdda70aca0eb1823dd0adcdd06f069ff381cb80f8b626

SHA512
5b64e346877279ddbd1aca483aaf807c077be2165786308bba792c156691c95cc621414725dfe18456eac0d7ff06caa1c0caf08f223b60dca29e660a03a85039

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
4332c8a060143e4081e5c8e116c42505

SHA1
edc25b064bc576d58033793ed95014da0f4c7c99

SHA256
c392ff5bab12c124b31eac9b00fd74e9d8631fcb5ce842722782e04c4db98bce

SHA512
55b9cb2598100a3cb588b3c219a4790fa4f73def83e35df7facf8c274c798c1f35047a2b91ff5b8b3835ce46020620c163fa0ff3e85e033df8ba45ad1b3016e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
c0707ce6ec45bf4823a629023a2132b2

SHA1
e73ff4af861fc09347d3eb6ea10388ef19781785

SHA256
280d995d23af3d10d4980c946eb8a1a9bbfa22f066152414de83bb9c547d6484

SHA512
39660297b0bbb96fd4c5f47f0908f71b0e642da08b4629a6662cb81e9a174c276fdc9777d8e2076b9697eb3ca14f892018982ce2832689ccd262399964a4b6f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
4a50bc769fc8226bd0e50c12e28f8eab

SHA1
51f7f1c11c5886d2142c11a3d8dd246ab9735345

SHA256
d4c3658ecb2db931c32be25ac6683aba2e003861a2fb37c65a3e862f13a2fcd6

SHA512
ba9616c7c44a9454b5982dac0aa8b0f5bd8aef3d43819bc07a294d36c277d4777b4e4fcb905683426d9c887f1bd55e22964f796d81b91643d6accdb8182fb446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
7aa60b03f884793ad25c78c02496ed6a

SHA1
9d4e74eb4f585c6d0dccf016f820879f9f74c2ab

SHA256
fdd85ad96f3b7b9340efdc3b76a7d5067970b48f79e3d785e9e7e5ed1e4cc11d

SHA512
35a5acbdbdaf8eed4498cb34b25c8396da1737a092f69251504d3efd7785219e3a3797039d6f02f9e01e0268100470616d4c7ffbd7c6b3e6a57b77d43a814197

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5854a3.TMP

Filesize
1KB

MD5
b450b293a75e1e83577960955745d143

SHA1
f03259c7b7a4872f373079edf4cddeac64e850c1

SHA256
a5f6ce9fe67fcc0bb9d5acbba72bdb7a4d18036210a6fe7b39621a4064660b70

SHA512
5e229cd1c81a3f2764eedcdf2807a6169ec2b6a647c11106bc02885528fc2c41209e1361e44d076f2cf036960445e6c0b95855719866c4977be8043526b01a7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
505548a83528224e3b1cd5b58fa85bff

SHA1
77a2a296b8956d8326f5d4089781717d0b7bf3f3

SHA256
347d665c61ee77a9c664a72df7f7ec54505288a01527d3ed0022eafe19a82b5a

SHA512
2772888722d6c5550f6e8f5ab9df3112539213fdeb5402b6b01c1bc91ea767116174aa76a7553cf5d3e7f971fb59f95cfb7c49b4985c0174b290d1a5f302d982

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
e2746e81bbbfd2155613c43623e00ed2

SHA1
43845ff749aa9030bf9108bfa9e1716e9694c338

SHA256
c92870a09a83b6288a283d22385b99a20a3a8c9a244d9e7169f42e4bef75ff48

SHA512
9050e9c5667fffbde14cba1f0e90ee7ac04dad149fe8b53c4578cbe23212a8f23fc3874ebc361a0a56c38ae849375669a9d928ecfd8caf36f2a660299eb94766

Download Submit
C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi

Filesize
30.1MB

MD5
0e4e9aa41d24221b29b19ba96c1a64d0

SHA1
231ade3d5a586c0eb4441c8dbfe9007dc26b2872

SHA256
5bfb6f3ab89e198539408f7e0e8ec0b0bd5efe8898573ec05b381228efb45a5d

SHA512
e6f27aecead72dffecbeaad46ebdf4b1fd3dbcddd1f6076ba183b654e4e32d30f7af1236bf2e04459186e993356fe2041840671be73612c8afed985c2c608913

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Windows\Installer\MSI116.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\MSI9E2.tmp

Filesize
297KB

MD5
7a86ce1a899262dd3c1df656bff3fb2c

SHA1
33dcbe66c0dc0a16bab852ed0a6ef71c2d9e0541

SHA256
b8f2d0909d7c2934285a8be010d37c0609c7854a36562cbfcbce547f4f4c7b0c

SHA512
421e8195c47381de4b3125ab6719eec9be7acd2c97ce9247f4b70a309d32377917c9686b245864e914448fe53df2694d5ee5f327838d029989ba7acafda302ec

Download Submit
C:\Windows\Installer\MSIA7.tmp

Filesize
122KB

MD5
9fe9b0ecaea0324ad99036a91db03ebb

SHA1
144068c64ec06fc08eadfcca0a014a44b95bb908

SHA256
e2cce64916e405976a1d0c522b44527d12b1cba19de25da62121cf5f41d184c9

SHA512
906641a73d69a841218ae90b83714a05af3537eec8ad1d761f58ac365cf005bdd74ad88f71c4437aaa126ac74fa46bcad424d17c746ab197eec2caa1bd838176

Download Submit
memory/2468-0-0x00007FFBC6D03000-0x00007FFBC6D05000-memory.dmp

Filesize
8KB

Download
memory/2468-5-0x00007FFBC6D03000-0x00007FFBC6D05000-memory.dmp

Filesize
8KB

Download
memory/2468-4-0x0000020C8D4D0000-0x0000020C8D4F2000-memory.dmp

Filesize
136KB

Download
memory/2468-6-0x00007FFBC6D00000-0x00007FFBC77C1000-memory.dmp

Filesize
10.8MB

Download
memory/2468-3386-0x00007FFBC6D00000-0x00007FFBC77C1000-memory.dmp

Filesize
10.8MB

Download
memory/2468-2-0x00007FFBC6D00000-0x00007FFBC77C1000-memory.dmp

Filesize
10.8MB

Download
memory/2468-2982-0x0000020CA8130000-0x0000020CA8142000-memory.dmp

Filesize
72KB

Download
memory/2468-1-0x0000020C8CFC0000-0x0000020C8D08E000-memory.dmp

Filesize
824KB

Download
memory/2468-2961-0x0000020C8D510000-0x0000020C8D51A000-memory.dmp

Filesize
40KB

Download