hxxps://bit[.]ly/MINERZS2\

Analysis

max time kernel
372s
max time network
378s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bit.ly/MINERZS2\

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	Bootstrapper.exe

Executes dropped EXE 1 IoCs

pid	Process
2404	Bootstrapper.exe

Loads dropped DLL 11 IoCs

pid	Process
4092	MsiExec.exe
4092	MsiExec.exe
3356	MsiExec.exe
3356	MsiExec.exe
3356	MsiExec.exe
3356	MsiExec.exe
3356	MsiExec.exe
1648	MsiExec.exe
1648	MsiExec.exe
1648	MsiExec.exe
4092	MsiExec.exe

Blocklisted process makes network request 2 IoCs

flow	pid	Process
348	5496	msiexec.exe
350	5496	msiexec.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
329	raw.githubusercontent.com
330	raw.githubusercontent.com
337	pastebin.com
338	pastebin.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\iconv-lite\encodings\tables\shiftjis.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\abort-controller\browser.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\config\lib\nerf-dart.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\socks\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-stop.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\fastest-levenshtein\mod.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmpack\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\gyp\test_gyp.py	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\range.bnf	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\utils\cmd-list.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\minipass\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\types\sigstore\__generated__\sigstore_rekor.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\README.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\lib\memoization.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\debug\node_modules\ms\license.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\config\lib\errors.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\make-fetch-happen\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\balanced-match\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\gauge\lib\render-template.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\color-name\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\process\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\disparity-colors\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-collect\node_modules\minipass\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\promise-all-reject-late\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\commands\cache.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\columnify\Makefile	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\man\man1\npm-audit.1	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\make-fetch-happen\lib\cache\errors.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\types\sigstore\__generated__\google\protobuf\timestamp.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\cacache\node_modules\minimatch\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-fetch\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmpublish\lib\unpublish.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\tar\lib\strip-absolute-path.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\balanced-match\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-token.html	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\iconv-lite\encodings\sbcs-codec.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\git\lib\utils.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\unique-slug\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\npm	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\node_modules\brace-expansion\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\agent-base\dist\src\promisify.js.map	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-hook.md	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\make-fetch-happen\lib\options.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\identity\index.d.ts	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\supports-color\license	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\corepack\shims\pnpm	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\make-fetch-happen\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\lib\realpath.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\retry\package.json	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\make-fetch-happen\lib\cache\key.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\cacache\lib\entry-index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\ini\lib\ini.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\fs-minipass\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\minipass\LICENSE	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\cacache\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\are-we-there-yet\lib\tracker-base.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\types\utility.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\semver\functions\rcompare.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\normalize-package-data\lib\fixer.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-profile\lib\index.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\lib\workspaces\get-workspaces.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\npm-audit-report\lib\exit-code.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\git\lib\revs.js	msiexec.exe
File created	C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmaccess\package.json	msiexec.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\Installer\SourceHash{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF3B5.tmp	msiexec.exe
File created	C:\Windows\Installer\e5ce2e9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE68F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE6FD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE74C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIED99.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI11BF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI13A4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI180A.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEBB2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF385.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1131.tmp	msiexec.exe
File created	C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon	msiexec.exe
File created	C:\Windows\Installer\e5ce2e5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5ce2e5.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIED69.tmp	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wevtutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 31 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\NodeEtwSupport = "NodeRuntime"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPathNode = "EnvironmentPath"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\NodeRuntime	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPath	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\ProductIcon = "C:\\Windows\\Installer\\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\\NodeIcon"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\PackageName = "node-v18.16.0-x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\DocumentationShortcuts	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\ProductName = "Node.js"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Version = "303038464"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A3A70C74FE2431248AD5F8A59570C782	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2412658365-3084825385-3340777666-1000\{85002A46-ED87-4CE2-B2D2-1E6C5C2DB7A2}	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\EnvironmentPathNpmModules = "EnvironmentPath"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\corepack	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Assignment = "1"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5B532AFE1A6C6E24B99C208A5DF6C1CD\npm	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\PackageCode = "347C7A52EDBDC9A498427C0BC7ABB536"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5B532AFE1A6C6E24B99C208A5DF6C1CD\SourceList\Media\1 = ";"	msiexec.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 91411.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
436	msedge.exe
436	msedge.exe
2500	msedge.exe
2500	msedge.exe
864	identity_helper.exe
864	identity_helper.exe
5800	msedge.exe
5800	msedge.exe
5800	msedge.exe
5800	msedge.exe
1432	msedge.exe
1432	msedge.exe
5440	msedge.exe
5440	msedge.exe
2404	Bootstrapper.exe
2404	Bootstrapper.exe
2404	Bootstrapper.exe
5496	msiexec.exe
5496	msiexec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 30 IoCs

pid	Process
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2404	Bootstrapper.exe
Token: SeShutdownPrivilege	3680	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3680	msiexec.exe
Token: SeSecurityPrivilege	5496	msiexec.exe
Token: SeCreateTokenPrivilege	3680	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3680	msiexec.exe
Token: SeLockMemoryPrivilege	3680	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3680	msiexec.exe
Token: SeMachineAccountPrivilege	3680	msiexec.exe
Token: SeTcbPrivilege	3680	msiexec.exe
Token: SeSecurityPrivilege	3680	msiexec.exe
Token: SeTakeOwnershipPrivilege	3680	msiexec.exe
Token: SeLoadDriverPrivilege	3680	msiexec.exe
Token: SeSystemProfilePrivilege	3680	msiexec.exe
Token: SeSystemtimePrivilege	3680	msiexec.exe
Token: SeProfSingleProcessPrivilege	3680	msiexec.exe
Token: SeIncBasePriorityPrivilege	3680	msiexec.exe
Token: SeCreatePagefilePrivilege	3680	msiexec.exe
Token: SeCreatePermanentPrivilege	3680	msiexec.exe
Token: SeBackupPrivilege	3680	msiexec.exe
Token: SeRestorePrivilege	3680	msiexec.exe
Token: SeShutdownPrivilege	3680	msiexec.exe
Token: SeDebugPrivilege	3680	msiexec.exe
Token: SeAuditPrivilege	3680	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3680	msiexec.exe
Token: SeChangeNotifyPrivilege	3680	msiexec.exe
Token: SeRemoteShutdownPrivilege	3680	msiexec.exe
Token: SeUndockPrivilege	3680	msiexec.exe
Token: SeSyncAgentPrivilege	3680	msiexec.exe
Token: SeEnableDelegationPrivilege	3680	msiexec.exe
Token: SeManageVolumePrivilege	3680	msiexec.exe
Token: SeImpersonatePrivilege	3680	msiexec.exe
Token: SeCreateGlobalPrivilege	3680	msiexec.exe
Token: SeRestorePrivilege	5496	msiexec.exe
Token: SeTakeOwnershipPrivilege	5496	msiexec.exe
Token: SeRestorePrivilege	5496	msiexec.exe
Token: SeTakeOwnershipPrivilege	5496	msiexec.exe
Token: SeRestorePrivilege	5496	msiexec.exe
Token: SeTakeOwnershipPrivilege	5496	msiexec.exe
Token: SeRestorePrivilege	5496	msiexec.exe
Token: SeTakeOwnershipPrivilege	5496	msiexec.exe
Token: SeRestorePrivilege	5496	msiexec.exe
Token: SeTakeOwnershipPrivilege	5496	msiexec.exe
Token: SeRestorePrivilege	5496	msiexec.exe
Token: SeTakeOwnershipPrivilege	5496	msiexec.exe
Token: SeRestorePrivilege	5496	msiexec.exe
Token: SeTakeOwnershipPrivilege	5496	msiexec.exe
Token: SeRestorePrivilege	5496	msiexec.exe
Token: SeTakeOwnershipPrivilege	5496	msiexec.exe
Token: SeRestorePrivilege	5496	msiexec.exe
Token: SeTakeOwnershipPrivilege	5496	msiexec.exe
Token: SeRestorePrivilege	5496	msiexec.exe
Token: SeTakeOwnershipPrivilege	5496	msiexec.exe
Token: SeRestorePrivilege	5496	msiexec.exe
Token: SeTakeOwnershipPrivilege	5496	msiexec.exe
Token: SeSecurityPrivilege	2008	wevtutil.exe
Token: SeBackupPrivilege	2008	wevtutil.exe
Token: SeSecurityPrivilege	1516	wevtutil.exe
Token: SeBackupPrivilege	1516	wevtutil.exe
Token: SeRestorePrivilege	5496	msiexec.exe
Token: SeTakeOwnershipPrivilege	5496	msiexec.exe
Token: SeRestorePrivilege	5496	msiexec.exe
Token: SeTakeOwnershipPrivilege	5496	msiexec.exe
Token: SeRestorePrivilege	5496	msiexec.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 2724	2500	msedge.exe	84
PID 2500 wrote to memory of 2724	2500	msedge.exe	84
PID 2500 wrote to memory of 2152	2500	msedge.exe	85
PID 2500 wrote to memory of 2152	2500	msedge.exe	85
PID 2500 wrote to memory of 2152	2500	msedge.exe	85
PID 2500 wrote to memory of 2152	2500	msedge.exe	85
PID 2500 wrote to memory of 2152	2500	msedge.exe	85
PID 2500 wrote to memory of 2152	2500	msedge.exe	85
PID 2500 wrote to memory of 2152	2500	msedge.exe	85
PID 2500 wrote to memory of 2152	2500	msedge.exe	85
PID 2500 wrote to memory of 2152	2500	msedge.exe	85
PID 2500 wrote to memory of 2152	2500	msedge.exe	85
PID 2500 wrote to memory of 2152	2500	msedge.exe	85
PID 2500 wrote to memory of 2152	2500	msedge.exe	85
PID 2500 wrote to memory of 2152	2500	msedge.exe	85
PID 2500 wrote to memory of 2152	2500	msedge.exe	85
PID 2500 wrote to memory of 2152	2500	msedge.exe	85
PID 2500 wrote to memory of 2152	2500	msedge.exe	85
PID 2500 wrote to memory of 2152	2500	msedge.exe	85
PID 2500 wrote to memory of 2152	2500	msedge.exe	85
PID 2500 wrote to memory of 2152	2500	msedge.exe	85
PID 2500 wrote to memory of 2152	2500	msedge.exe	85
PID 2500 wrote to memory of 2152	2500	msedge.exe	85
PID 2500 wrote to memory of 2152	2500	msedge.exe	85
PID 2500 wrote to memory of 2152	2500	msedge.exe	85
PID 2500 wrote to memory of 2152	2500	msedge.exe	85
PID 2500 wrote to memory of 2152	2500	msedge.exe	85
PID 2500 wrote to memory of 2152	2500	msedge.exe	85
PID 2500 wrote to memory of 2152	2500	msedge.exe	85
PID 2500 wrote to memory of 2152	2500	msedge.exe	85
PID 2500 wrote to memory of 2152	2500	msedge.exe	85
PID 2500 wrote to memory of 2152	2500	msedge.exe	85
PID 2500 wrote to memory of 2152	2500	msedge.exe	85
PID 2500 wrote to memory of 2152	2500	msedge.exe	85
PID 2500 wrote to memory of 2152	2500	msedge.exe	85
PID 2500 wrote to memory of 2152	2500	msedge.exe	85
PID 2500 wrote to memory of 2152	2500	msedge.exe	85
PID 2500 wrote to memory of 2152	2500	msedge.exe	85
PID 2500 wrote to memory of 2152	2500	msedge.exe	85
PID 2500 wrote to memory of 2152	2500	msedge.exe	85
PID 2500 wrote to memory of 2152	2500	msedge.exe	85
PID 2500 wrote to memory of 2152	2500	msedge.exe	85
PID 2500 wrote to memory of 436	2500	msedge.exe	86
PID 2500 wrote to memory of 436	2500	msedge.exe	86
PID 2500 wrote to memory of 3652	2500	msedge.exe	87
PID 2500 wrote to memory of 3652	2500	msedge.exe	87
PID 2500 wrote to memory of 3652	2500	msedge.exe	87
PID 2500 wrote to memory of 3652	2500	msedge.exe	87
PID 2500 wrote to memory of 3652	2500	msedge.exe	87
PID 2500 wrote to memory of 3652	2500	msedge.exe	87
PID 2500 wrote to memory of 3652	2500	msedge.exe	87
PID 2500 wrote to memory of 3652	2500	msedge.exe	87
PID 2500 wrote to memory of 3652	2500	msedge.exe	87
PID 2500 wrote to memory of 3652	2500	msedge.exe	87
PID 2500 wrote to memory of 3652	2500	msedge.exe	87
PID 2500 wrote to memory of 3652	2500	msedge.exe	87
PID 2500 wrote to memory of 3652	2500	msedge.exe	87
PID 2500 wrote to memory of 3652	2500	msedge.exe	87
PID 2500 wrote to memory of 3652	2500	msedge.exe	87
PID 2500 wrote to memory of 3652	2500	msedge.exe	87
PID 2500 wrote to memory of 3652	2500	msedge.exe	87
PID 2500 wrote to memory of 3652	2500	msedge.exe	87
PID 2500 wrote to memory of 3652	2500	msedge.exe	87
PID 2500 wrote to memory of 3652	2500	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://bit.ly/MINERZS2\
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe318f46f8,0x7ffe318f4708,0x7ffe318f4718
  2⤵
  PID:2724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,14646338481522344673,17171731969888310195,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:2152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,14646338481522344673,17171731969888310195,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,14646338481522344673,17171731969888310195,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
  2⤵
  PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14646338481522344673,17171731969888310195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14646338481522344673,17171731969888310195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14646338481522344673,17171731969888310195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:3240
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,14646338481522344673,17171731969888310195,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
  2⤵
  PID:2652
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,14646338481522344673,17171731969888310195,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14646338481522344673,17171731969888310195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14646338481522344673,17171731969888310195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14646338481522344673,17171731969888310195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:5184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14646338481522344673,17171731969888310195,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:5192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14646338481522344673,17171731969888310195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:5368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14646338481522344673,17171731969888310195,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:5376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,14646338481522344673,17171731969888310195,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1764 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14646338481522344673,17171731969888310195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:6024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14646338481522344673,17171731969888310195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:5148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14646338481522344673,17171731969888310195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
  2⤵
  PID:1708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14646338481522344673,17171731969888310195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1720 /prefetch:1
  2⤵
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14646338481522344673,17171731969888310195,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:1892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14646338481522344673,17171731969888310195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
  2⤵
  PID:6048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14646338481522344673,17171731969888310195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
  2⤵
  PID:1196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14646338481522344673,17171731969888310195,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:1
  2⤵
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14646338481522344673,17171731969888310195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
  2⤵
  PID:5364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2080,14646338481522344673,17171731969888310195,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6492 /prefetch:8
  2⤵
  PID:5500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2080,14646338481522344673,17171731969888310195,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6500 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14646338481522344673,17171731969888310195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
  2⤵
  PID:6076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14646338481522344673,17171731969888310195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14646338481522344673,17171731969888310195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14646338481522344673,17171731969888310195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
  2⤵
  PID:764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14646338481522344673,17171731969888310195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6564 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14646338481522344673,17171731969888310195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14646338481522344673,17171731969888310195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6460 /prefetch:1
  2⤵
  PID:6008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14646338481522344673,17171731969888310195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6792 /prefetch:1
  2⤵
  PID:5308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14646338481522344673,17171731969888310195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:2204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14646338481522344673,17171731969888310195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6832 /prefetch:1
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14646338481522344673,17171731969888310195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2632 /prefetch:1
  2⤵
  PID:3452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,14646338481522344673,17171731969888310195,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5484 /prefetch:8
  2⤵
  PID:2728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,14646338481522344673,17171731969888310195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
  2⤵
  PID:5256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2080,14646338481522344673,17171731969888310195,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6956 /prefetch:8
  2⤵
  PID:5316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,14646338481522344673,17171731969888310195,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7028 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5440
- C:\Users\Admin\Downloads\Bootstrapper.exe
  "C:\Users\Admin\Downloads\Bootstrapper.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2404
- - C:\Windows\System32\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3680

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2888

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3096

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5496
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 81C52C3F2836B9A6D26B0B92822DFDAB
  2⤵
  - Loads dropped DLL
  PID:4092
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 396E7AA360B376A88927F4CCCA0BC720
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3356
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 30A40E513599AC46AB76D8888CED3726 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1648
- - C:\Windows\SysWOW64\wevtutil.exe
    "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2008
  - - C:\Windows\System32\wevtutil.exe
      "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man" /fromwow64
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5ce2e8.rbs

Filesize
1.0MB

MD5
b627c2fdad3ccdc90e0dca664c382890

SHA1
2c1d608754d4f628b98fdfaa3a1d62b7e09c2392

SHA256
fcb37b9435f5f8257e343f82ec39c96213e9a8f14d2dcff2d6b86943c62e185a

SHA512
68ae76f2d88f978562a33a17eef155d6677ff50ab7a9e3db5192e8955ca61543b78f0e849a96f4358bdbfb4187501b1012873289a03640667a70898b0d962ad6

Download Submit
C:\Program Files\nodejs\node_etw_provider.man

Filesize
8KB

MD5
2a6686d512ee9ba8b75e0bce9a794770

SHA1
465e00320c74d4481a5e7e7242aaeb60d02e2fab

SHA256
5afa5bcab0d66f0dc65ccad359650730ace53dff1d891cd33a9f54aa43d34419

SHA512
ff44d6f3e7be06c98077a00854edb0ca122fc5c98c976f86787c7b003d224f62c1079412e7c5cdb36c2a6df0825dd17ccbffe44eb264fa63e3d1e44654af74b2

Download Submit
C:\Program Files\nodejs\node_etw_provider.man

Filesize
8KB

MD5
d3bc164e23e694c644e0b1ce3e3f9910

SHA1
1849f8b1326111b5d4d93febc2bafb3856e601bb

SHA256
1185aaa5af804c6bc6925f5202e68bb2254016509847cd382a015907440d86b4

SHA512
91ebff613f4c35c625bb9b450726167fb77b035666ed635acf75ca992c4846d952655a2513b4ecb8ca6f19640d57555f2a4af3538b676c3bd2ea1094c4992854

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\arborist\LICENSE.md

Filesize
818B

MD5
2916d8b51a5cc0a350d64389bc07aef6

SHA1
c9d5ac416c1dd7945651bee712dbed4d158d09e1

SHA256
733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04

SHA512
508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\aggregate-error\license

Filesize
1KB

MD5
5ad87d95c13094fa67f25442ff521efd

SHA1
01f1438a98e1b796e05a74131e6bb9d66c9e8542

SHA256
67292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec

SHA512
7187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\bin-links\LICENSE

Filesize
754B

MD5
d2cf52aa43e18fdc87562d4c1303f46a

SHA1
58fb4a65fffb438630351e7cafd322579817e5e1

SHA256
45e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0

SHA512
54e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmhook\LICENSE.md

Filesize
771B

MD5
e9dc66f98e5f7ff720bf603fff36ebc5

SHA1
f2b428eead844c4bf39ca0d0cf61f6b10aeeb93b

SHA256
b49c8d25a8b57fa92b2902d09c4b8a809157ee32fc10d17b7dbb43c4a8038f79

SHA512
8027d65e1556511c884cb80d3c1b846fc9d321f3f83002664ad3805c4dee8e6b0eaf1db81c459153977bdbde9e760b0184ba6572f68d78c37bff617646bcfc3b

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmorg\LICENSE

Filesize
730B

MD5
072ac9ab0c4667f8f876becedfe10ee0

SHA1
0227492dcdc7fb8de1d14f9d3421c333230cf8fe

SHA256
2ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013

SHA512
f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-pipeline\node_modules\minipass\package.json

Filesize
1KB

MD5
d116a360376e31950428ed26eae9ffd4

SHA1
192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b

SHA256
c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5

SHA512
5221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\LICENSE

Filesize
802B

MD5
d7c8fab641cd22d2cd30d2999cc77040

SHA1
d293601583b1454ad5415260e4378217d569538e

SHA256
04400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be

SHA512
278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\minizlib\node_modules\minipass\index.js

Filesize
16KB

MD5
bc0c0eeede037aa152345ab1f9774e92

SHA1
56e0f71900f0ef8294e46757ec14c0c11ed31d4e

SHA256
7a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5

SHA512
5f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\nopt\LICENSE

Filesize
780B

MD5
b020de8f88eacc104c21d6e6cacc636d

SHA1
20b35e641e3a5ea25f012e13d69fab37e3d68d6b

SHA256
3f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706

SHA512
4220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\promise-all-reject-late\LICENSE

Filesize
763B

MD5
7428aa9f83c500c4a434f8848ee23851

SHA1
166b3e1c1b7d7cb7b070108876492529f546219f

SHA256
1fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7

SHA512
c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\index.d.ts

Filesize
4KB

MD5
f0bd53316e08991d94586331f9c11d97

SHA1
f5a7a6dc0da46c3e077764cfb3e928c4a75d383e

SHA256
dd3eda3596af30eda88b4c6c2156d3af6e7fa221f39c46e492c5e9fb697e2fef

SHA512
fd6affbaed67d09cf45478f38e92b8ca6c27650a232cbbeaff36e4f7554fb731ae44cf732378641312e98221539e3d8fabe80a7814e4f425026202de44eb5839

Download Submit
C:\Program Files\nodejs\node_modules\npm\node_modules\treeverse\LICENSE

Filesize
771B

MD5
1d7c74bcd1904d125f6aff37749dc069

SHA1
21e6dfe0fffc2f3ec97594aa261929a3ea9cf2ab

SHA256
24b8d53712087b867030d18f2bd6d1a72c78f9fb4dee0ce025374da25e4443b9

SHA512
b5ac03addd29ba82fc05eea8d8d09e0f2fa9814d0dd619c2f7b209a67d95b538c3c2ff70408641ef3704f6a14e710e56f4bf57c2bb3f8957ba164f28ee591778

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Node.js\Node.js documentation.url

Filesize
168B

MD5
db7dbbc86e432573e54dedbcc02cb4a1

SHA1
cff9cfb98cff2d86b35dc680b405e8036bbbda47

SHA256
7cf8a9c96f9016132be81fd89f9573566b7dc70244a28eb59d573c2fdba1def9

SHA512
8f35f2e7dac250c66b209acecab836d3ecf244857b81bacebc214f0956ec108585990f23ff3f741678e371b0bee78dd50029d0af257a3bb6ab3b43df1e39f2ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ff63763eedb406987ced076e36ec9acf

SHA1
16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

SHA256
8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

SHA512
ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
60KB

MD5
5b44ad90213d14d7876f2ee369ff86ab

SHA1
da87001cfd3cdc632f44b397206435d5dc7833d2

SHA256
129e1fd86788ac7601394cd11b957e6d237ced4967c2a91c16bb9270f04f2177

SHA512
931529ed3a376d30e4e979a93a887e493df2999659ee78f777075ff1b14497c0e3a5c7c097514a1932aeb37e0e49ceb8a4a36eb2d6a69e625f88f04d69ee46dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
67KB

MD5
ed124bdf39bbd5902bd2529a0a4114ea

SHA1
b7dd9d364099ccd4e09fd45f4180d38df6590524

SHA256
48232550940208c572ebe487aa64ddee26e304ba3e310407e1fc31a5c9deed44

SHA512
c4d180292afa484ef9556d15db1d3850416a85ad581f6f4d5eb66654991fa90f414029b4ce13ed142271a585b46b3e53701735ee3e0f45a78b67baa9122ba532

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
41KB

MD5
60f8cd04587a51e31b51d1570d6f889a

SHA1
88574c41d0ab81721b275252464da5c7927a4835

SHA256
27cb4390e32a97375dd4987ae000406933bceba5199f17893711e782333b81cb

SHA512
84c12448ac55dd819749fef9be9919111a3df4bc51e66d2fa9f7376c11c101ed1349cb36aa119aa873cdd6c0c91027e201fbe23c2c83b89bc900a4d9077bcc52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

Filesize
1.2MB

MD5
2049c79ddc0ba3375dfe1832624bba4c

SHA1
aec0cf9ae1738391d630681d653b08625b276bc3

SHA256
e9cff2115e36f340c8a7cee5f24c5392259cd2c440fc9890b265551e4badf572

SHA512
4fd7488e94e8c9c990439a9200e9317eb7dc50eed35d32d17f13292d4d468949d990afadf4c654e8abadb638aced83cdd868dd6b68d4efe5aeec2670573da0fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002a

Filesize
212KB

MD5
2257803a7e34c3abd90ec6d41fd76a5a

SHA1
f7a32e6635d8513f74bd225f55d867ea56ae4803

SHA256
af23860fb3a448f2cc6107680078402555a345eb45bc5efb750f541fe5d7c174

SHA512
e9f4dc90d0829885f08879e868aa62041150b500f62682fc108da258eee26ad9509dcbf6e8a55f2d0bdba7aa9118dd149a70a7d851820d4ea683db7808c48540

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
acebffa1712c6b416574172afc6fc27d

SHA1
2ea23892d8f35ac99885df17bc312c629737b0f6

SHA256
b88d37d82e48b49cb8ddecdd620b8814ac50b80871f0c3a1519a7eeefc5db067

SHA512
93a9d3da86f82c47d8abc849d05895b99c00615cd13832fc284357fc13125d6d3b7d05765e6691aebbe487ad471c1ba650118c3dd14743a828e9c1a08c339ee8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
768B

MD5
b50a2002ea6b49320701e720cdf4fbd9

SHA1
17396aa622b58495ddc174c2a028d9909bd616ad

SHA256
fd8fd5e1ffb6f1813cd1460d9310d3d2a702af673aec4113750224206aefb25d

SHA512
0042084bedd361a566ce4c0dae50b5ac12abda2c88f6a9f579d480e91d8cc21825460694e63072e9b1df419f6d9b041611ee59076faa6cb3dbb91f6957e8e85c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
7a2ea7ae8240fbcedec2ab6a77f264c7

SHA1
f5c677ac96367401f0e5df948b0c44b6fe474fd7

SHA256
4b076f21c4f9ae2a604a37fb43c7faca726258c0b49de009cddfec54a3965f70

SHA512
d38246a48d564578f55abc55c413edfde1ac968464179de5b03d1f0873e98d385a18168d17e1cdbca16c96932ad72f3531db1ddde3025eb422ef87917217855d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
a7616a287f0c12b7b600cdcb57b77df4

SHA1
716a0c082f15a5798ae5333399b357cfc1b01d88

SHA256
9a358b4f12216cb6331b9fb66c36e26dfe98f8bfe70f8a068632d160cfe5833c

SHA512
c30ac022ec14f3d26203f3208d2a18a77034e8edba26da3a1715147578afaed2663ba6e89dc8bce7647224b8f339c243b454e142fae20872db1736d1f2bcb01c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
26e802dce2d034f25b4b3d217e2561a7

SHA1
d4e1076346783d1027d9e001e173c6c78b47e2ab

SHA256
f3c0451583fd0166a3ab9d862c079ebe053da993be8df85c1203bdcec6e0dfea

SHA512
e1c836e8cb3362b2bcc9a7b1e9445edaeed5dd48e28ae82fdb1ab238a89bee7cc8de20262196ad720cd75c3bb32b75a155e67555b23b86a4524aa8290d40e3c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
08c54988512b9aa9f839b41ba4fcc1a1

SHA1
4ce968933bd75b7a37e6f3c302fe23ec31642f8b

SHA256
f5ee04ad41ffd01f5f1bd750e143f6c8f71f0e27cce8a255b1cc89c2f83675ac

SHA512
800fe630a08b648904f21b1c4d98a1c3b8dd6caebd4d0de256e5f1bbda3ab3e906b1a55d26abf5c41f9d1567afe64a57320e94e205c74a45036ffe8d49cc3fb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
17cc73943e6aea7cb474e2095c9ca3ba

SHA1
4dd23848e3f937073ff20e9325c964028ed2fde3

SHA256
0ebed25f5646fcfc31349932ff048c06639088ef867e4a2d10af0979f2335330

SHA512
d27218741e24d92499f68f7b780a1e9a3a146c8de91f7f798d7a4ecd6706d75749d35ef118008c8460f79346d9fd7b5e6411531bf875b8f0d4429defe69a0c1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
cbe06926b689daec61bbc6d2fc1e38b2

SHA1
edb7bd1b74b9fc74da4a0877a8c2d740dbed3f41

SHA256
b83772c78fa5081c4b97355dee157aee6abd4c74a9100c2b4c2572759f932970

SHA512
42cfbc0940a78c594922082613feb1ae60c22761b9cd01b5adec5b5fe2d843c4ffbed42e9cfaa6fde7c1bc2ce72b784149932f6d8a6972dd6b989421f7012273

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4fe78501cf1c306be6ded0a0facb2f4e

SHA1
860fad7b4f1cc0cb2f5acb5a129ac7c52ebec9c7

SHA256
91bcf1ef534b4dcfc35d52341ab0db970f8031ef150ea601a2106d3f07250d0f

SHA512
fc555ad9c8552f411314dcabed1d03f8d7627125a021bba9f4808275adfee5d207c584d40bb6d716a034a9f2427e96e8d8457645ff76971823ae738e58e29060

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
ddae47f283a98678c5da24cf7520b693

SHA1
2d75b0fd3a3e85ceeb1ae520acc402a56fb18894

SHA256
944e1638aeb6799c3598b7ce723ffd82cd6ccabffcbce2655e47123ebb4fcc63

SHA512
315c69dda086737f02bc1e07992ac2ff40c6f79ffcf8dc4b5ab81289d45ad17cfc0fdfab9e1f55aa8e081239c08508d38e680a4e7693955bdcbc250d2291d766

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
d357e311e50c04fae89f744889b2559f

SHA1
2b9a13c0e613c154e2ae9bf5b0d448a32ee741c7

SHA256
6b3ef1bcfb4b30ce2225d2bec81bbd8bf24e33028f9fcf91560954bb8651fbba

SHA512
b9f1e2602f381ccd203a71bb2ea30dfb818b06eeec3bc9a311fd8d23553d342f50792c18fd0001d7b6e6f015d05853bb2a2ecf10fe3410c96d7e16fb2759e759

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
ae88240f77536a720e1e46b910f5c240

SHA1
be2b98f097ee0145ccbf031c8b86360240cf3f5f

SHA256
be508740fd0cd32f1744ece00da54591bf67c53fd050e8833a3b0b513e55cead

SHA512
a1a5682f893f12a86b866257bda27ca7b13a52ce65bbeb1f7ee905cb226d78789407122ec75164a7ec3a55bb1ae4b0bea8128ff3db8e766cc5269d5699670a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
7413026ff37550517b84e7c6ee48e44f

SHA1
f590a0a310f7a8ccc1c152810c2a4098b1688953

SHA256
d2272a95ab105380b67fe36759a06e0e242d5ab9d4ba3a92924ff4bea6543704

SHA512
c37b5519397c3e81a3ce937900009dcb412d731a495660782dc473a67fa72fa89c1df1793ba12f79a9f9ae853c17fa2a408d311fa3437588f023ff830d86fad2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
32a689a8446d2ff0f5e8c165154a37e9

SHA1
f65145d4ca5f40b1a014662d4c94027454fae02e

SHA256
c8243476e90ca44096f8667769cacfd581fe8e7537dd5044e626dd9b531b5781

SHA512
b519d0e9e196063fd65c9186e84cefb4e43622503231125c68b77fc8e4ebf4a6ccb4862ec2bf1c88a7f477fcdad8b7d15f18182d86e79e37e3410b9494f2a346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
ddef9ba3e3e52dd8b821a89f9570bc94

SHA1
c387da96f83007590fce4ca19fc046fb30a93ddc

SHA256
0f8c9fd9be911e4bf13b4fae9b933be259a3f626c7a6027d665b8d685d3d8e5b

SHA512
345c60f731e4bcdacfbcc22e065e01b1ac8543ef0522675028381d3512fed526be504a55beebb67716e3a5327a03ef3a4b467b5b5b8342f3b13994e72164090f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
31a389e38cc30b99d776043aaf9045a2

SHA1
2454d780dbef492e34f1ff28ac68a96e604ce566

SHA256
ee52c61bd59e4714f2138f38c409f1fedbafd19339f13328adad277011cea27a

SHA512
d78accd03c2a2da0a5e0c97d079cccb485452ac7b0baa128206fd5521bb275d3e1b3dfe709e083e50c120586c766d2fc2d83a7458aefdb57eff1457d86c6d54a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f3cee934dc50ef86381380e377447066

SHA1
fcac8ba25eeda5c79fe5aceeb8e31f96c4a84cd4

SHA256
521330a6cb701409ef8bea9caf2fa990ba2ff977ab8634e4e286032c8e674a0f

SHA512
60c626928a80fa0ac1f9cc1fee1f7bfdcb9ec25fa086948f604e8c5bb6223a18b9a339f01997d8f119ea951062cc34dae914fa804a7c876e2950b89668d11f2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
3abfdb17d9b43e99d4e82660b1ac6b07

SHA1
e41d857b9fd495c537cb816f3b0c78053f999408

SHA256
94769fbd8f901d2a7b817afccf3ba3ec883611b7f6f7196cc36ffecf60ac1668

SHA512
66a4fd3d7af6caf4facea5c58620f3073c261902b3164565991900573c8444da06f6daf260c0399beb502c2005675b5f3ad5b93f4a28d741603a90b3a897d5ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
1faa900cd3bda56584f335a1ac4f545e

SHA1
65dec953513c7066d807057094a511239ca136ea

SHA256
3bb711f50375983003b0f11ca33ff56310e4a44108c9851d556c72a9024f70b8

SHA512
152a27148498f548fd9f2f14239a694a9c6fc5f8e40e2f0d3034390dcb8b2e57a72dc0c06dbebee522c3d18896b5d7cef0c1ba1b2d5b97a2771766e46bebcd1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
69cb3b8f46d609ead3643b0f4d194b22

SHA1
c6b69e2ed368e0d18708b739d69dac207121d9c9

SHA256
22febb7343bf94545a2a8db78f54be1187004cbdd25e2761bf5df2e381d03a8d

SHA512
9eac2de26130aadb3fdcd4bf6c376b8bd78d917eb8128360096a065867f1941df9c4d09628a956b8f2161aaeff1fd122a00607bfca4e0c2e152fcc78a3015e87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
1233010adb4c3e31ce805e91c8958d1c

SHA1
02f913c9ddf6dd402a7636d4f0d804cedb4b4ac1

SHA256
cea6f99ac622965be045d3420f594b0fc4d00608042839ed6cff6878a9fc9479

SHA512
21d148fb706088bae8921de22b69120d0fd5f0e5ad45f52b40cd6da1b5744d09f3e6b3f331d1c41bab41d80742a087512e526d0aa244a71c97aea3f99de95239

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a20a9.TMP

Filesize
1KB

MD5
9884645b7944821140c226848fa82788

SHA1
099f6c1cb60a6e7b3d318b35e8bc160de26be2e4

SHA256
fa3261a776bd6cbf60e634542dcd66d57fad583b88bd981ece25b288b9b10e71

SHA512
eea07ca772401f93d8394dd2004d94f0ab0a3c81d2095d3102bb8f086e2d71561bab6e539b038c67eb179bd54bc88e3d4c3d1f1478cf787c89ef8d06e21b0051

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0b1d15b600bd47a72571e2f3409c9e2d

SHA1
7a90ee51f5c0363ac49eb56577b18259ae128566

SHA256
6df45445babe7b38bb5cf42b7b19f8523baae085f542119dcd7396aae37bc4f3

SHA512
5cbab195ad0278fd1f3f4ebe498c8a3ff65ed821348b87e7c817469e026ed428686d0c2f539847a279c8c48cb48293ad4948f523bef286e8e71bf4e3e7f141bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
46b5e2fd1baab9afeda7a993f6c1eebb

SHA1
9e756a7722d757c45e1db9ca130d9836bd6ef54f

SHA256
343c28c8ef02d218a639b56bd355cf279755bf831c458576b75d6b1261180ce1

SHA512
f76680a69ed76468aff414fb55317e82696e6975ace126f8e0b9b89c17c524aad1d859d102c1f744bb1bb563cf2059d9d502d56a00be9b9cd67d50d61167e4e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi

Filesize
30.1MB

MD5
0e4e9aa41d24221b29b19ba96c1a64d0

SHA1
231ade3d5a586c0eb4441c8dbfe9007dc26b2872

SHA256
5bfb6f3ab89e198539408f7e0e8ec0b0bd5efe8898573ec05b381228efb45a5d

SHA512
e6f27aecead72dffecbeaad46ebdf4b1fd3dbcddd1f6076ba183b654e4e32d30f7af1236bf2e04459186e993356fe2041840671be73612c8afed985c2c608913

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 91411.crdownload

Filesize
796KB

MD5
76639ab92661f5c384302899934051ab

SHA1
9b33828f8ad3a686ff02b1a4569b8ae38128caed

SHA256
6bb9ad960bcc9010db1b9918369bdfc4558f19287b5b6562079c610a28320178

SHA512
928e4374c087070f8a6786f9082f05a866751ea877edf9afa23f6941dfc4d6762e1688bbb135788d6286ec324fa117fc60b46fed2f6e3a4ab059465a00f2ebee

Download Submit
C:\Windows\Installer\MSIE68F.tmp

Filesize
122KB

MD5
9fe9b0ecaea0324ad99036a91db03ebb

SHA1
144068c64ec06fc08eadfcca0a014a44b95bb908

SHA256
e2cce64916e405976a1d0c522b44527d12b1cba19de25da62121cf5f41d184c9

SHA512
906641a73d69a841218ae90b83714a05af3537eec8ad1d761f58ac365cf005bdd74ad88f71c4437aaa126ac74fa46bcad424d17c746ab197eec2caa1bd838176

Download Submit
C:\Windows\Installer\MSIE74C.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\MSIED69.tmp

Filesize
297KB

MD5
7a86ce1a899262dd3c1df656bff3fb2c

SHA1
33dcbe66c0dc0a16bab852ed0a6ef71c2d9e0541

SHA256
b8f2d0909d7c2934285a8be010d37c0609c7854a36562cbfcbce547f4f4c7b0c

SHA512
421e8195c47381de4b3125ab6719eec9be7acd2c97ce9247f4b70a309d32377917c9686b245864e914448fe53df2694d5ee5f327838d029989ba7acafda302ec

Download Submit
memory/2404-970-0x0000021434CE0000-0x0000021434D02000-memory.dmp

Filesize
136KB

Download
memory/2404-941-0x000002141A5C0000-0x000002141A68E000-memory.dmp

Filesize
824KB

Download
memory/2404-3361-0x0000021434E60000-0x0000021434E6A000-memory.dmp

Filesize
40KB

Download
memory/2404-3365-0x0000021434E90000-0x0000021434EA2000-memory.dmp

Filesize
72KB

Download